ci: add generating sboms in docker workflow

mac641 · mac641 · commit 87ec87b428d6 · 2025-06-04T12:34:52.000+02:00
diff --git a/.github/workflows/latest.yaml b/.github/workflows/latest.yaml
@@ -5,6 +5,10 @@ on:
     branches:
       - master
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -27,11 +31,20 @@ jobs:
     - name: Lint
       uses: golangci/golangci-lint-action@v7
 
-    - name: Docker Image
-      run: |
-        docker build -f Dockerfile -t ghcr.io/metal-stack/metal-console .
-        docker push ghcr.io/metal-stack/metal-console
-    
+    - name: Make tag
+      run: echo "tag=latest" >> $GITHUB_ENV || true
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build and push image
+      uses: docker/build-push-action@v6
+      with:
+        context: .
+        push: true
+        sbom: true
+        tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.tag }}
+
     - uses: release-drafter/release-drafter@v6
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pull_requests.yaml b/.github/workflows/pull_requests.yaml
@@ -5,6 +5,10 @@ on:
     branches:
       - master
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -32,14 +36,23 @@ jobs:
     - name: Lint
       uses: golangci/golangci-lint-action@v7
 
-    - name: Build Docker image
-      run: |
-        export GITHUB_TAG_NAME=${GITHUB_HEAD_REF##*/}
-        docker build -f Dockerfile -t ghcr.io/metal-stack/metal-console:pr-${GITHUB_TAG_NAME} .
+    - name: Make tag
+      run: echo "tag=pr-${GITHUB_HEAD_REF##*/}" >> $GITHUB_ENV || true
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build and push image
+      uses: docker/build-push-action@v6
+      with:
+        context: .
+        load: true
+        push: false
+        sbom: true
+        tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.tag }}
 
     - name: Push Docker image
       run: |
-        export GITHUB_TAG_NAME=${GITHUB_HEAD_REF##*/}
         # pull request images are prefixed with 'pr' to prevent them from overriding released images
-        docker push ghcr.io/metal-stack/metal-console:pr-${GITHUB_TAG_NAME}
+        docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.tag }}
       if: steps.fork.outputs.is_fork_pr == 'false'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -5,6 +5,10 @@ on:
     types:
       - published
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -27,8 +31,16 @@ jobs:
     - name: Lint
       uses: golangci/golangci-lint-action@v7
 
-    - name: Build the Docker images
-      run: |
-        export GITHUB_TAG_NAME=${GITHUB_REF##*/}
-        docker build -f Dockerfile -t ghcr.io/metal-stack/metal-console:${GITHUB_TAG_NAME} .
-        docker push ghcr.io/metal-stack/metal-console:${GITHUB_TAG_NAME}
+    - name: Make tag
+      run: echo "tag=${GITHUB_REF##*/}" >> $GITHUB_ENV || true
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build and push image
+      uses: docker/build-push-action@v6
+      with:
+        context: .
+        push: true
+        sbom: true
+        tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.tag }}
