docker-json/.github/workflows/dockerhub.yml at 729d34c3bb0a330f5d8648a471eb2a86d9e1d9a0 · leplusorg/docker-json · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
---
name: Docker Hub

on:
  push:
  schedule:
    - cron: "0 0 * * 0"
  workflow_dispatch:

permissions: {}

jobs:
  pull:
    if: startsWith(github.ref, 'refs/heads/')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        platform: ["linux/amd64", "linux/arm64"]
        tag: ["main", "latest"]
    steps:
      - name: Set IMAGE
        shell: bash
        run: echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Pull the ${{ matrix.tag }} ${{ matrix.platform }} image
        shell: bash
        run: docker pull --platform "${{ matrix.platform }}" "${GITHUB_REPOSITORY_OWNER}/${IMAGE}:${{ matrix.tag }}"
      - name: Pull the ${{ matrix.tag }} ${{ matrix.platform }} image SBOM
        shell: bash
        run: docker buildx imagetools inspect "${GITHUB_REPOSITORY_OWNER}/${IMAGE}:${{ matrix.tag }}" --format "{{ json (index .SBOM \"${{ matrix.platform }}\").SPDX }}"
      - name: Install cosign
        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
      - name: Verify the ${{ matrix.tag }} image signature
        shell: bash
        run: |
          cosign verify "${GITHUB_REPOSITORY_OWNER}/${IMAGE}:${{ matrix.tag }}" --certificate-identity-regexp "https://github\.com/${GITHUB_REPOSITORY}/\.github/workflows/.+" --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'