alys/.github/workflows/docker-publish.yml at adca36c578823af35110ba32ce5ca39cfdf66c8d · AnduroProject/alys · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: Docker
on:
  push:
    branches:
      - main
      - development
      - 'feature/**'
      - 'AN-*'
    tags: [ 'v*.*.*' ]
  pull_request:
    branches: [ "main", "development", "feature/v2-network" ]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:
    # Select native arch runners per matrix entry
    strategy:
      fail-fast: false
      matrix:
        include:
          - arch: amd64
            runs_on: ubuntu-22.04
            platform: linux/amd64
          - arch: arm64
            runs_on: ubuntu-22.04-arm
            platform: linux/arm64
    runs-on: ${{ matrix.runs_on }}

    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Normalize image name to lowercase
        run: echo "IMAGE_NAME_LOWER=${IMAGE_NAME,,}" >> $GITHUB_ENV

      - name: Normalize image name to lowercase
        run: echo "IMAGE_NAME_LOWER=${IMAGE_NAME,,}" >> $GITHUB_ENV

      # Buildx is still used, but no emulation needed since runners are native
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LOWER }}

      - name: Build and push by digest (${{ matrix.platform }})
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./etc/Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LOWER }},push-by-digest=true

      - name: Export digest
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
          echo "PLATFORM_SLUG=$(echo '${{ matrix.platform }}' | tr '/' '-')" >> $GITHUB_ENV

      - name: Upload digest
        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_SLUG }}
          path: /tmp/digests/*

  merge:
    if: ${{ github.event_name != 'pull_request' }}
    needs: build
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Normalize image name to lowercase
        run: echo "IMAGE_NAME_LOWER=${IMAGE_NAME,,}" >> $GITHUB_ENV

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          pattern: digests-*
          path: /tmp/digests
          merge-multiple: true

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LOWER }}

      - name: Create and push multi-arch manifest
        run: |
          tags="${{ steps.meta.outputs.tags }}"
          for tag in $tags; do
            args=""
            for file in /tmp/digests/*; do
              args="$args ${tag}@sha256:$(basename "$file")"
            done
            docker buildx imagetools create -t "$tag" $args
          done

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.5.0

      - name: Sign the published Docker images
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}