ci: enhance Docker and Rust CI workflows

- update ghcr.yml to support multi-platform builds and add SBOM generation
- improve rust.yml with linting, security audit, and toolchain matrix testing
- add caching for faster builds and artifact attestations
- expand triggers for feature branches and semantic versioning tags
- optimize workflow steps for better error handling and performance

Signed-off-by: mingcheng <[email protected]>

Author: mingcheng

.dockerignore

@@ -13,10 +13,6 @@ docker-compose*
 # Documentation
 /docs
 
-# Project build files
-Cargo.lock
-**/.cargo-ok
-
 # Test artifacts
 **/*test-*
 **/*Test*

.github/workflows/ghcr.yml

@@ -1,11 +1,15 @@
-name: Create and publish a Docker image
+name: Build and Publish Docker Image
 
 on:
   push:
     branches:
       - main
+      - develop
     tags:
-      - "v*"
+      - "v*.*.*"  # Semantic versioning tags (v1.0.0, v1.2.3, etc.)
+  pull_request:
+    branches:
+      - main
   workflow_dispatch:
 
 env:
@@ -14,6 +18,7 @@ env:
 
 jobs:
   build-and-push-image:
+    name: Build & Push Docker Image
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -23,34 +28,90 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - name: Log in to the Container registry
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: |
+            image=moby/buildkit:latest
+            network=host
+
+      - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-      - uses: benjlevesque/[email protected]
-        id: short-sha
-        with:
-          length: 7
+          tags: |
+            # Tag with branch name for branch pushes
+            type=ref,event=branch
+            # Tag with PR number for pull requests
+            type=ref,event=pr
+            # Tag with git tag for version releases
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            # Tag with short SHA
+            type=sha,format=short
+            # Tag latest only on main branch
+            type=raw,value=latest,enable={{is_default_branch}}
+          labels: |
+            org.opencontainers.image.title=aigitcommit
+            org.opencontainers.image.description=AI-powered Git commit message generator
+            org.opencontainers.image.vendor=Hangzhou Guanwaii Technology Co,.Ltd.
+
       - name: Build and push Docker image
         id: push
         uses: docker/build-push-action@v6
         with:
           context: .
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.short-sha.outputs.sha }}
+          tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+            VCS_REF=${{ github.sha }}
+            VERSION=${{ steps.meta.outputs.version }}
+
       - name: Generate artifact attestation
+        if: github.event_name != 'pull_request'
         uses: actions/attest-build-provenance@v2
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: false
+          push-to-registry: true
+
+      - name: Generate SBOM
+        if: github.event_name != 'pull_request'
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Upload SBOM as artifact
+        if: github.event_name != 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ github.sha }}
+          path: sbom.spdx.json
+          retention-days: 90
+
+      - name: Image digest
+        if: github.event_name != 'pull_request'
+        run: |
+          echo "Image pushed successfully!"
+          echo "Digest: ${{ steps.push.outputs.digest }}"
+          echo "Tags: ${{ steps.meta.outputs.tags }}"

.github/workflows/rust.yml

@@ -5,38 +5,170 @@
 # which is located in the LICENSE file in the source tree's root directory.
 #
 # File: rust.yml
-# Author: mingcheng ([email protected])
+# Author: mingcheng <[email protected]>
 # File Created: 2025-03-05 11:10:40
 #
-# Modified By: mingcheng ([email protected])
-# Last Modified: 2025-03-17 18:29:18
+# Modified By: mingcheng <[email protected]>
+# Last Modified: 2025-10-16 16:37:42
 ##
 
 name: Cargo Build & Test
 
 on:
   push:
+    branches:
+      - main
+      - master
+      - develop
+      - "feature/**"
   pull_request:
+    branches:
+      - main
+      - master
+      - develop
+  workflow_dispatch:
 
 env:
   CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
 
 jobs:
+  # Code quality checks (clippy and rustfmt)
+  lint:
+    name: Lint (clippy & rustfmt)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy, rustfmt
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-
+
+      - name: Cache target directory
+        uses: actions/cache@v4
+        with:
+          path: target
+          key: ${{ runner.os }}-target-lint-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-target-lint-
+
+      - name: Run cargo fmt check
+        run: cargo fmt --all -- --check
+
+      - name: Run cargo clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+  # Security audit
+  security_audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+
+      - name: Run cargo audit
+        run: cargo audit
+
+  # Build and test on stable/beta/nightly
   build_and_test:
-    name: Rust project - latest
+    name: Build & Test (${{ matrix.toolchain }})
     runs-on: ubuntu-latest
+    needs: [lint]
     strategy:
+      fail-fast: false
       matrix:
         toolchain:
           - stable
           - beta
           - nightly
+    continue-on-error: ${{ matrix.toolchain == 'nightly' }}
     steps:
-      - uses: actions/checkout@v4
-      - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}
-      - run: rustup component add clippy --toolchain ${{ matrix.toolchain }}
-      - run: rustup component add rustfmt --toolchain ${{ matrix.toolchain }}
-      - run: cargo clippy -- -D warnings
-      - run: cargo fmt --all -- --check
-      - run: cargo build --verbose
-      - run: cargo test --verbose
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain (${{ matrix.toolchain }})
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.toolchain }}
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-
+
+      - name: Cache target directory
+        uses: actions/cache@v4
+        with:
+          path: target
+          key: ${{ runner.os }}-target-${{ matrix.toolchain }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-target-${{ matrix.toolchain }}-
+
+      - name: Show Rust version
+        run: |
+          rustc --version
+          cargo --version
+
+      - name: Build project
+        run: cargo build --verbose --all-features
+
+      - name: Run tests
+        run: cargo test --verbose --all-features
+
+      - name: Build release
+        run: cargo build --release --verbose
+
+  # Check documentation builds
+  doc:
+    name: Documentation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-
+
+      - name: Build documentation
+        run: cargo doc --no-deps --all-features
+        env:
+          RUSTDOCFLAGS: -D warnings