👷 ci(cnb): 更新 Docker 镜像构建工作流配置。

eryajf · eryajf · commit dc03d68b6ce3 · 2026-02-05T09:34:22.000+08:00
- 移除旧的手动 Docker 构建步骤。
- 启用 rootlessBuildkitd 选项以支持无根构建。
- 优化 Docker 登录方式，使用 `--password-stdin` 提升安全性。

👷 ci(github): 新增同步到 CNB 仓库的工作流。

- 创建 `sync-to-cnb.yml` 工作流文件。
- 配置自动同步代码到 CNB 仓库。
- 使用 `tencentcom/git-sync` 容器进行同步操作。
diff --git a/.cnb/workflows/build-docker-images.yml b/.cnb/workflows/build-docker-images.yml
@@ -3,8 +3,11 @@ main:
     - runner:
         cpus: 8
       services:
-        - docker
         - git-clone-yyds
+        - name: docker
+          options:
+            rootlessBuildkitd:
+              enabled: true
       imports:
         - https://cnb.cool/eryajf/build-env/-/blob/main/env.yaml
       env:
@@ -23,14 +26,6 @@ main:
           timeout: 3h
           script: |
             echo ${ALIHUB_TOKEN} | docker login -u ${ALIHUB_USERNAME} --password-stdin ${ALIHUB_URL}
-            docker run -d --name buildkitd \
-              --security-opt seccomp=unconfined \
-              --security-opt apparmor=unconfined \
-              --security-opt systempaths=unconfined \
-              moby/buildkit:rootless
-            docker buildx create --use \
-              --name mybuilder \
-              --driver remote docker-container://buildkitd
             docker buildx build \
               -t ${ALIHUB_URL}/${ALIHUB_USERNAME}/${IMAGE_NAME} \
               -t ${ALIHUB_URL}/${ALIHUB_USERNAME}/${IMAGE_NAME}:${CNB_BRANCH}_`date "+%Y%m%d%H%M%S"` \
diff --git a/.cnb/workflows/release.yml b/.cnb/workflows/release.yml
@@ -3,8 +3,11 @@ $:
     - runner:
         cpus: 8
       services:
-        - docker
         - git-clone-yyds
+        - name: docker
+          options:
+            rootlessBuildkitd:
+              enabled: true
       env:
         IMAGE_NAME: "go-ldap-admin"
         DOCKERHUB_USERNAME: eryajf
@@ -29,15 +32,7 @@ $:
         - name: 🐋 推送镜像
           timeout: 3h
           script: |
-            docker login -u ${ALIHUB_USERNAME} -p ${ALIHUB_TOKEN} ${ALIHUB_URL}
-            docker run -d --name buildkitd \
-              --security-opt seccomp=unconfined \
-              --security-opt apparmor=unconfined \
-              --security-opt systempaths=unconfined \
-              moby/buildkit:rootless
-            docker buildx create --use \
-              --name mybuilder \
-              --driver remote docker-container://buildkitd
+            echo ${ALIHUB_TOKEN} | docker login -u ${ALIHUB_USERNAME} --password-stdin ${ALIHUB_URL}
             docker buildx build \
               -t ${ALIHUB_URL}/${ALIHUB_USERNAME}/${IMAGE_NAME} \
               -t ${ALIHUB_URL}/${ALIHUB_USERNAME}/${IMAGE_NAME}:${CNB_BRANCH} \
diff --git a/.github/workflows/sync-to-cnb.yml b/.github/workflows/sync-to-cnb.yml
@@ -0,0 +1,26 @@
+name: Sync to CNB
+
+on: [push]
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Sync to CNB Repository
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:${{ github.workspace }} \
+            -w ${{ github.workspace }} \
+            -e PLUGIN_TARGET_URL="https://cnb.cool/opsre/go-ldap-admin.git" \
+            -e PLUGIN_AUTH_TYPE="https" \
+            -e PLUGIN_USERNAME="cnb" \
+            -e PLUGIN_PASSWORD=${{ secrets.CNB_TOKEN }} \
+            -e PLUGIN_BRANCH="main" \
+            -e PLUGIN_GIT_USER="cnb" \
+            -e PLUGIN_GIT_EMAIL="cnb@cnb.cool" \
+            -e PLUGIN_FORCE="true" \
+            tencentcom/git-sync
