git.r.bdr.sh / rbdr / mobius / blame
| Commit | Line | Data |
|---|---|---|
| aa91955a JH |
1 | name: Docker |
| 2 | ||
| 3 | on: | |
| 4 | push: | |
| 5 | tags: | |
| 6 | - '*' | |
| 7 | ||
| 8 | env: | |
| 9 | # Use docker.io for Docker Hub if empty | |
| 10 | REGISTRY: ghcr.io | |
| 11 | # github.repository as <account>/<repo> | |
| 4d7abe62 | 12 | IMAGE_NAME: jhalter/mobius-hotline-server |
| aa91955a JH |
13 | |
| 14 | jobs: | |
| 15 | build: | |
| 16 | ||
| 17 | runs-on: ubuntu-latest | |
| 18 | permissions: | |
| 19 | contents: read | |
| 20 | packages: write | |
| 21 | # This is used to complete the identity challenge | |
| 22 | # with sigstore/fulcio when running outside of PRs. | |
| 23 | id-token: write | |
| 24 | ||
| 25 | steps: | |
| 26 | - name: Checkout repository | |
| 27 | uses: actions/checkout@v3 | |
| 28 | ||
| 29 | # Install the cosign tool except on PR | |
| 30 | # https://github.com/sigstore/cosign-installer | |
| 31 | - name: Install cosign | |
| 32 | if: github.event_name != 'pull_request' | |
| 33 | uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 #v3.4.0 | |
| 34 | with: | |
| 35 | cosign-release: 'v2.2.3' | |
| 36 | ||
| 37 | # Set up BuildKit Docker container builder to be able to build | |
| 38 | # multi-platform images and export cache | |
| 39 | # https://github.com/docker/setup-buildx-action | |
| 40 | - name: Set up Docker Buildx | |
| 41 | uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
| 42 | ||
| 43 | # Login against a Docker registry except on PR | |
| 44 | # https://github.com/docker/login-action | |
| 45 | - name: Log into registry ${{ env.REGISTRY }} | |
| 46 | if: github.event_name != 'pull_request' | |
| 47 | uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| 48 | with: | |
| 49 | registry: ${{ env.REGISTRY }} | |
| 50 | username: ${{ github.actor }} | |
| 51 | password: ${{ secrets.GITHUB_TOKEN }} | |
| 52 | ||
| 53 | # Extract metadata (tags, labels) for Docker | |
| 54 | # https://github.com/docker/metadata-action | |
| 55 | - name: Extract Docker metadata | |
| 56 | id: meta | |
| 57 | uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | |
| 58 | with: | |
| 59 | images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| 60 | ||
| 61 | # Build and push Docker image with Buildx (don't push on PR) | |
| 62 | # https://github.com/docker/build-push-action | |
| 63 | - name: Build and push Docker image | |
| 64 | id: build-and-push | |
| 65 | uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | |
| 66 | with: | |
| 67 | context: . | |
| 68 | platforms: linux/amd64,linux/arm64 | |
| 69 | push: ${{ github.event_name != 'pull_request' }} | |
| 70 | tags: ${{ steps.meta.outputs.tags }} | |
| 71 | labels: ${{ steps.meta.outputs.labels }} | |
| 72 | cache-from: type=gha | |
| 73 | cache-to: type=gha,mode=max | |
| 74 | ||
| 75 | # Sign the resulting Docker image digest except on PRs. | |
| 76 | # This will only write to the public Rekor transparency log when the Docker | |
| 77 | # repository is public to avoid leaking data. If you would like to publish | |
| 78 | # transparency data even for private images, pass --force to cosign below. | |
| 79 | # https://github.com/sigstore/cosign | |
| 80 | - name: Sign the published Docker image | |
| 81 | if: ${{ github.event_name != 'pull_request' }} | |
| 82 | env: | |
| 83 | # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
| 84 | TAGS: ${{ steps.meta.outputs.tags }} | |
| 85 | DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
| 86 | # This step uses the identity token to provision an ephemeral certificate | |
| 87 | # against the sigstore community Fulcio instance. | |
| 88 | run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} |