@@ -93,25 +93,34 @@ jobs:
9393 restore-keys : ${{ runner.os }}-buildx-
9494
9595 # -------------------------------------------------------------
96- # 3️⃣ Build & tag image (timestamp + latest)
96+ # Build & push image (timestamp + latest)
9797 # -------------------------------------------------------------
98+
99+ - name : 🔑 Log in to GHCR
100+ uses : docker/login-action@v3
101+ with :
102+ registry : ghcr.io
103+ username : ${{ github.actor }}
104+ password : ${{ secrets.GITHUB_TOKEN }}
105+
98106 - name : 🏗️ Build Docker image
99107 env :
100108 DOCKER_CONTENT_TRUST : " 1"
101109 run : |
102110 TAG=$(date +%s)
103111 echo "TAG=$TAG" >> "$GITHUB_ENV"
104112 docker buildx build \
113+ --platform linux/amd64,linux/arm64 \
105114 --file Containerfile.lite \
106115 --tag $IMAGE_NAME:$TAG \
107116 --tag $IMAGE_NAME:latest \
108117 --cache-from type=local,src=${{ env.CACHE_DIR }} \
109118 --cache-to type=local,dest=${{ env.CACHE_DIR }},mode=max \
110- --load \
119+ --push \
111120 . # build context is mandatory
112121
113122 # -------------------------------------------------------------
114- # 4️⃣ Image lint (Dockle CLI → SARIF)
123+ # Image lint (Dockle CLI → SARIF)
115124 # -------------------------------------------------------------
116125 - name : 🔍 Image lint (Dockle)
117126 id : dockle
@@ -133,7 +142,7 @@ jobs:
133142 sarif_file : dockle-results.sarif
134143
135144 # -------------------------------------------------------------
136- # 5️⃣ Generate SPDX SBOM with Syft
145+ # Generate SPDX SBOM with Syft
137146 # -------------------------------------------------------------
138147 - name : 📄 Generate SBOM (Syft)
139148 uses : anchore/sbom-action@v0
@@ -142,7 +151,7 @@ jobs:
142151 output-file : sbom.spdx.json
143152
144153 # -------------------------------------------------------------
145- # 6️⃣ Trivy, Grype CVE scan → SARIF
154+ # Trivy, Grype CVE scan → SARIF
146155 # -------------------------------------------------------------
147156 - name : 🛡️ Trivy vulnerability scan
148157 id : trivy
@@ -176,23 +185,7 @@ jobs:
176185 sarif_file : grype-results.sarif
177186
178187 # -------------------------------------------------------------
179- # 7️⃣ Push both tags to GHCR
180- # -------------------------------------------------------------
181- - name : 🔑 Log in to GHCR
182- uses : docker/login-action@v3
183- with :
184- registry : ghcr.io
185- username : ${{ github.actor }}
186- password : ${{ secrets.GITHUB_TOKEN }}
187-
188- - name : 🚀 Push image to GHCR
189- if : github.ref == 'refs/heads/main'
190- run : |
191- docker push $IMAGE_NAME:${{ env.TAG }}
192- docker push $IMAGE_NAME:latest
193-
194- # -------------------------------------------------------------
195- # 8️⃣ Key-less Cosign sign + attest (latest **and** timestamp)
188+ # Key-less Cosign sign + attest (latest **and** timestamp)
196189 # -------------------------------------------------------------
197190 - name : 📥 Install Cosign
198191 if : github.ref == 'refs/heads/main'
@@ -215,7 +208,7 @@ jobs:
215208 done
216209
217210 # -------------------------------------------------------------
218- # 9️⃣ Single gate - fail job on any scanner error
211+ # Single gate - fail job on any scanner error
219212 # -------------------------------------------------------------
220213 - name : ⛔ Enforce lint & vuln gates
221214 if : |