1+ name : Docker Build and Push
2+
3+ # This workflow uses actions that are not certified by GitHub.
4+ # They are provided by a third-party and are governed by
5+ # separate terms of service, privacy policy, and support
6+ # documentation.
7+
8+ on :
9+ push :
10+ tags : [ 'v*.*.*' ]
11+
12+
13+ env :
14+ # Use docker.io for Docker Hub if empty
15+ REGISTRY : ghcr.io
16+ # github.repository as <account>/<repo>
17+ IMAGE_NAME : ${{ github.repository }}
18+
19+
20+ jobs :
21+ build :
22+
23+ runs-on : [selfhosted-linux-amd64]
24+ env :
25+ GOPRIVATE : github.com/keploy
26+ permissions :
27+ contents : read
28+ packages : write
29+ # This is used to complete the identity challenge
30+ # with sigstore/fulcio when running outside of PRs.
31+ id-token : write
32+
33+ steps :
34+ - name : Checkout repository
35+ uses : actions/checkout@v3
36+
37+ # Install the cosign tool except on PR
38+ # https://github.com/sigstore/cosign-installer
39+ - name : Install Cosign
40+ uses : sigstore/cosign-installer@v3.4.0
41+
42+ # Set up BuildKit Docker container builder to be able to build
43+ # multi-platform images and export cache
44+ # https://github.com/docker/setup-buildx-action
45+ - name : Set up Docker Buildx
46+ uses : docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
47+
48+ # Login against a Docker registry except on PR
49+ # https://github.com/docker/login-action
50+ - name : Log into registry ${{ env.REGISTRY }}
51+ if : github.event_name != 'pull_request'
52+ uses : docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
53+ with :
54+ registry : ${{ env.REGISTRY }}
55+ username : ${{ github.actor }}
56+ password : ${{ secrets.GITHUB_TOKEN }}
57+
58+ # Extract metadata (tags, labels) for Docker
59+ # https://github.com/docker/metadata-action
60+ - name : Extract Docker metadata
61+ id : meta
62+ uses : docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
63+ with :
64+ images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
65+
66+ # Build and push Docker image with Buildx (don't push on PR)
67+ # https://github.com/docker/build-push-action
68+ - name : Build and push Docker image
69+ id : build-and-push
70+ uses : docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
71+ with :
72+ context : .
73+ platforms : linux/arm64
74+ push : ${{ github.event_name != 'pull_request' }}
75+ tags : ${{ steps.meta.outputs.tags }}
76+ labels : ${{ steps.meta.outputs.labels }}
77+ cache-from : type=gha
78+ cache-to : type=gha,mode=max
79+
80+ # Sign the resulting Docker image digest except on PRs.
81+ # This will only write to the public Rekor transparency log when the Docker
82+ # repository is public to avoid leaking data. If you would like to publish
83+ # transparency data even for private images, pass --force to cosign below.
84+ # https://github.com/sigstore/cosign
85+ - name : Sign the published Docker image
86+ if : ${{ github.event_name != 'pull_request' }}
87+ env :
88+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
89+ TAGS : ${{ steps.meta.outputs.tags }}
90+ DIGEST : ${{ steps.build-and-push.outputs.digest }}
91+ # This step uses the identity token to provision an ephemeral certificate
92+ # against the sigstore community Fulcio instance.
93+ run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
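Review bot: The third-party actions in this workflow are pinned inconsistently: the docker/* steps are pinned to full commit SHAs with a version comment, but `uses : actions/checkout@v3` and `uses : sigstore/cosign-installer@v3.4.0` reference mutable tags, which in a release job holding `packages: write` and `id-token: write` means a moved tag could alter what gets built and signed. I would pin both to a commit SHA in the same style as the other steps, e.g. `uses : actions/checkout@<commit-sha> # v3` and `uses : sigstore/cosign-installer@<commit-sha> # v3.4.0` (placeholders; take the SHAs from the respective release tags). Separately, `platforms : linux/arm64` is requested on a `selfhosted-linux-amd64` runner with no `docker/setup-qemu-action` step, so unless that runner already provides binfmt/QEMU or a remote arm64 builder this build is likely to fail or silently fall back; worth confirming. The `github.event_name != 'pull_request'` guards are dead under the `on: push: tags` trigger, which is harmless but worth a comment noting they are retained from the template.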