docker.yaml
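---
name: Build/Publish Docker Image

# Workflow-wide default is read-only; the job below grants itself only the
# write scopes it needs.
permissions: read-all

on:  # yamllint disable-line rule:truthy
  release:
    types:
      - published
  push:
    branches:
      - main
    tags:
      - "v*"
    paths-ignore:
      - "docs/**"
      - "**/*.md"
  pull_request:
    paths-ignore:
      - "docs/**"
      - "**/*.md"
    # labeled/unlabeled are included so that applying the 'ok-to-image' label
    # (checked in the job-level `if` below) re-triggers the build.
    types: [labeled, unlabeled, opened, synchronize, reopened]

jobs:
  buildAndPush:
    name: Build and Publish Docker Image
    strategy:
      matrix:
        image:
          - name: dependency-controller
            target: controller
          - name: dependency-webhook
            target: webhook
    permissions:
      contents: read
      packages: write       # push images to GHCR
      id-token: write       # OIDC token for keyless cosign signing and attestations
      attestations: write   # actions/attest-* store their attestations
    # Pushes and published releases always build; pull requests build only when
    # the 'ok-to-image' label is present.
    # NOTE(review): a pull_request from a fork runs with a read-only
    # GITHUB_TOKEN, so the push/sign steps would fail there even with the
    # label — confirm that is the intended gate.
    if: |
      github.event_name == 'push' ||
      (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ok-to-image')) ||
      (github.event_name == 'release' && github.event.action == 'published')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # Derives the image name, tags and OCI labels from the triggering ref.
      - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        id: meta
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=ref,event=branch
            type=ref,event=tag
            type=ref,event=pr
            type=sha
          flavor: |
            latest=${{ github.ref == 'refs/heads/main' }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
        with:
          platforms: arm64

      - name: Set up Docker Buildx
        timeout-minutes: 5
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Login to GHCR
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: image
        timeout-minutes: 20
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: ${{ matrix.image.target }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Every tag above was pushed at the same digest. "<first tag>@<digest>"
      # is an immutable reference to exactly the image that is signed, scanned
      # and attested below, so a later tag move cannot change what gets
      # attested. Outputs: `tag` (first tag only) and `ref` (tag pinned to
      # the pushed digest).
      - name: Extract first tag
        id: first-tag
        env:
          # Expressions are passed through env rather than interpolated into
          # the script so their content is never parsed as shell.
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.image.outputs.digest }}
        run: |
          # metadata-action emits one tag per line.
          first_tag="$(printf '%s\n' "$TAGS" | head -n1)"
          {
            echo "tag=${first_tag}"
            echo "ref=${first_tag}@${DIGEST}"
          } >> "$GITHUB_OUTPUT"

      - name: Install cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

      - name: Sign image with cosign
        env:
          # Presumably redundant on cosign v2+, where keyless signing is the
          # default — confirm against the installed cosign version.
          COSIGN_EXPERIMENTAL: "1"
          IMAGE_REF: ${{ steps.first-tag.outputs.ref }}
          REPO: ${{ github.repository }}
          WORKFLOW: ${{ github.workflow }}
          GIT_SHA: ${{ github.sha }}
        run: |
          # cosign stores the signature against the digest, so one signature of
          # "<tag>@<digest>" covers every tag pushed at that digest.
          cosign sign \
            -a "repo=${REPO}" \
            -a "workflow=${WORKFLOW}" \
            -a "sha=${GIT_SHA}" \
            --yes \
            "$IMAGE_REF"

      # Scan the digest-pinned reference so the SBOM describes the same image
      # the attestation below is issued for.
      - name: Generate SBOM
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
        with:
          image: ${{ steps.first-tag.outputs.ref }}
          format: 'cyclonedx-json'
          output-file: 'sbom.cyclonedx.json'
          upload-release-assets: false

      - name: Attest SBOM
        uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
        with:
          subject-name: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
          subject-digest: ${{ steps.image.outputs.digest }}
          sbom-path: 'sbom.cyclonedx.json'
          push-to-registry: true

      - name: Attest provenance
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-name: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
          subject-digest: ${{ steps.image.outputs.digest }}
          push-to-registry: true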