1+ name : Docker
2+
3+ on :
4+ schedule :
5+ - cron : ' 15 21 * * *'
6+ push :
7+ branches : [ "main" ]
8+ # Publish semver tags as releases.
9+ tags : [ 'v*.*.*' ]
10+ pull_request :
11+ branches : [ "main" ]
12+
13+ env :
14+ # Use docker.io for Docker Hub if empty
15+ REGISTRY : ghcr.io
16+ # github.repository as <account>/<repo>
17+ IMAGE_NAME : ${{ github.repository }}
18+
19+
20+ jobs :
21+ build_dockerfile :
22+
23+ runs-on : ubuntu-latest
24+ permissions :
25+ contents : read
26+ packages : write
27+ # This is used to complete the identity challenge
28+ # with sigstore/fulcio when running outside of PRs.
29+ id-token : write
30+
31+ steps :
32+ - name : Checkout repository
33+ uses : actions/checkout@v4
34+
35+ # Install the cosign tool except on PR
36+ # https://github.com/sigstore/cosign-installer
37+ - name : Install cosign
38+ if : github.event_name != 'pull_request'
39+ uses : sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
40+ with :
41+ cosign-release : ' v2.2.4'
42+
43+ # Set up BuildKit Docker container builder to be able to build
44+ # multi-platform images and export cache
45+ # https://github.com/docker/setup-buildx-action
46+ - name : Set up Docker Buildx
47+ uses : docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
48+
49+ # Login against a Docker registry except on PR
50+ # https://github.com/docker/login-action
51+ - name : Log into registry ${{ env.REGISTRY }}
52+ if : github.event_name != 'pull_request'
53+ uses : docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
54+ with :
55+ registry : ${{ env.REGISTRY }}
56+ username : ${{ github.actor }}
57+ password : ${{ secrets.GITHUB_TOKEN }}
58+
59+ # Extract metadata (tags, labels) for Docker
60+ # https://github.com/docker/metadata-action
61+ - name : Extract Docker metadata
62+ id : meta
63+ uses : docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
64+ with :
65+ images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
66+
67+ # Build and push Docker image with Buildx (don't push on PR)
68+ # https://github.com/docker/build-push-action
69+ - name : Build and push Docker image
70+ id : build-and-push
71+ uses : docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
72+ with :
73+ context : .
74+ push : ${{ github.event_name != 'pull_request' }}
75+ tags : ${{ steps.meta.outputs.tags }}
76+ labels : ${{ steps.meta.outputs.labels }}
77+ cache-from : type=gha
78+ cache-to : type=gha,mode=max
79+
80+ # Sign the resulting Docker image digest except on PRs.
81+ # This will only write to the public Rekor transparency log when the Docker
82+ # repository is public to avoid leaking data. If you would like to publish
83+ # transparency data even for private images, pass --force to cosign below.
84+ # https://github.com/sigstore/cosign
85+ - name : Sign the published Docker image
86+ if : ${{ github.event_name != 'pull_request' }}
87+ env :
88+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
89+ TAGS : ${{ steps.meta.outputs.tags }}
90+ DIGEST : ${{ steps.build-and-push.outputs.digest }}
91+ # This step uses the identity token to provision an ephemeral certificate
92+ # against the sigstore community Fulcio instance.
93+ run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
94+
95+ test_dockerfile :
96+ runs-on : ubuntu-latest
97+
98+ steps :
99+ - name : Checkout repository
100+ uses : actions/checkout@v4
101+
102+ - name : Set up Docker Buildx
103+ uses : docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
104+
105+ - name : Build Docker image
106+ uses : docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
107+ with :
108+ context : .
109+ load : true
110+ tags : test-image:latest
111+
112+ - name : Run tests
113+ run : docker run --rm test-image:latest /path/to/your/test/script.sh
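Review bot: The two `actions/checkout@v4` steps (lines 33 and 100) are pinned to a mutable tag while every other action in the file is pinned to a full commit SHA with a version comment, so the workflow's supply-chain posture is only as strong as its weakest pin; pin them the same way, `uses: actions/checkout@<FULL_COMMIT_SHA> # v4`, with the SHA taken from the release you intend. The `test_dockerfile` job declares no `permissions:` block, so it inherits the repository default for `GITHUB_TOKEN`, which may be broader than the read-only access it needs; adding `permissions:` with `contents: read` to that job keeps it at least-privilege like `build_dockerfile` above. The final `run:` line still carries the template placeholder `/path/to/your/test/script.sh`, so the test job will fail on every run until that path is replaced with the real test entry point inside the image.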