use node:24-slim #25
| name: Build & Push to ECR | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| permissions: | |
| id-token: write | |
| contents: read | |
| env: | |
| DATABASE_URL: postgres://payload:payload@localhost:5432/payload | |
| AWS_SERVICE_REGION: ${{ vars.AWS_SERVICE_REGION }} | |
| AWS_ACCESS_KEY: ${{ vars.AWS_ACCESS_KEY }} | |
| EMAIL_DEFAULT_FROM_NAME: ${{ vars.EMAIL_DEFAULT_FROM_NAME }} | |
| EMAIL_DEFAULT_FROM_NO_REPLY: ${{ vars.EMAIL_DEFAULT_FROM_NO_REPLY }} | |
| EMAIL_DEFAULT_FROM: ${{ vars.EMAIL_DEFAULT_FROM }} | |
| EMAIL_DEFAULT_REPLY: ${{ vars.EMAIL_DEFAULT_REPLY }} | |
| NEXT_PUBLIC_SERVER_URL: ${{ vars.NEXT_PUBLIC_SERVER_URL }} | |
| S3_ENDPOINT: ${{ vars.S3_ENDPOINT }} | |
| S3_BUCKET: ${{ vars.S3_BUCKET }} | |
| S3_ACCESS_KEY_ID: ${{ vars.S3_ACCESS_KEY_ID }} | |
| S3_REGION: ${{ vars.S3_REGION }} | |
| AWS_ACCESS_SECRET: ${{ secrets.AWS_ACCESS_SECRET }} | |
| CRON_SECRET: ${{ secrets.CRON_SECRET }} | |
| PREVIEW_SECRET: ${{ secrets.PREVIEW_SECRET }} | |
| PAYLOAD_SECRET: ${{ secrets.PAYLOAD_SECRET }} | |
| S3_SECRET: ${{ secrets.S3_SECRET }} | |
| jobs: | |
| build: | |
| runs-on: ubuntu-24.04-arm | |
| environment: production | |
| env: | |
| BUILD_OUTPUT: standalone | |
| services: | |
| postgres: | |
| image: postgres:16 | |
| ports: | |
| - 5432:5432 | |
| env: | |
| POSTGRES_DB: payload | |
| POSTGRES_USER: payload | |
| POSTGRES_PASSWORD: payload | |
| options: >- | |
| --health-cmd="pg_isready -U payload" | |
| --health-interval=10s | |
| --health-timeout=5s | |
| --health-retries=5 | |
| steps: | |
| - name: Checkout source | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: true | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| cache: true | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Migrate database | |
| run: pnpm payload migrate | |
| - name: Print BUILD_OUTPUT | |
| run: echo "BUILD_OUTPUT=${{ env.BUILD_OUTPUT }}" | |
| - name: Build Next (standalone) | |
| run: pnpm build | |
| - name: Verify Build Artifacts | |
| run: | | |
| echo "==== [1/3] Standalone Directory ====" | |
| if [ -d ".next/standalone" ]; then | |
| ls -F .next/standalone | head -n 10 | |
| [ -f ".next/standalone/server.js" ] && echo "✅ server.js found" || echo "❌ server.js MISSING" | |
| else | |
| echo "❌ .next/standalone directory not found!" | |
| fi | |
| echo -e "\n==== [2/3] Static Assets ====" | |
| [ -d ".next/static" ] && echo "✅ .next/static exists" || echo "❌ .next/static MISSING" | |
| echo -e "\n==== [3/3] Public Assets ====" | |
| [ -d "public" ] && echo "✅ public exists" || echo "❌ public MISSING" | |
| echo -e "\n==== Build Context Summary ====" | |
| du -sh .next/standalone .next/static public 2>/dev/null | |
| - name: Configure AWS credentials (OIDC) | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: arn:aws:iam::022948663888:role/github-ci-role | |
| aws-region: us-east-1 # Public ECR 固定这个 | |
| - name: Log in to Amazon ECR Public | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| registry-type: public | |
| - name: Check .dockerignore | |
| run: | | |
| if [ -f ".dockerignore" ]; then | |
| echo "==== .dockerignore content ====" | |
| cat .dockerignore | |
| else | |
| echo "No .dockerignore file found." | |
| fi | |
| - name: Build and Push Docker image (ARM64 only) | |
| run: | | |
| # 1. 提取 Short SHA | |
| SHORT_SHA=${GITHUB_SHA:0:7} | |
| REGISTRY=public.ecr.aws/umcai/xc2f/payload | |
| # 2. 构建镜像 | |
| docker build -f docker/Dockerfile.CI \ | |
| -t $REGISTRY:latest \ | |
| -t $REGISTRY:${SHORT_SHA} . | |
| # 3. 推送镜像 | |
| docker push $REGISTRY:latest | |
| docker push $REGISTRY:${SHORT_SHA} |
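Review bot: `persist-credentials: true` on the checkout step leaves the GITHUB_TOKEN in `.git/config`, and the final step runs `docker build -f docker/Dockerfile.CI ... .` with the whole workspace as build context, so if `docker/Dockerfile.CI` copies the tree and `.git` is not excluded by `.dockerignore` (the "Check .dockerignore" step only prints the file and continues when it is absent), the token can land in a layer of the image pushed to the public registry. Nothing in this workflow pushes back to git, so `persist-credentials: false` is sufficient, and the `.dockerignore` check should fail instead of merely printing, e.g. `if [ ! -f .dockerignore ]; then echo "missing .dockerignore"; exit 1; fi`. The five `secrets.*` values are also exported in the workflow-level `env:`, which exposes them to every step including the third-party actions; moving them into the `env:` of the single step that needs them narrows that exposure. Whether the Dockerfile copies `.git` is not visible from this page, so the first point is conditional on its contents.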