Skip to content
Alpine Mainline

ci: Build images across multiple runners #439

Sign in to view logs

ci: Build images across multiple runners

ci: Build images across multiple runners #439

Workflow file for this run

.github/workflows/alpine-mainline.yml at abff974
---
name: Alpine Mainline
on:
pull_request:
schedule:
- cron: "0 0 * * 1"
workflow_dispatch:
jobs:
version:
name: Fetch NGINX mainline version
runs-on: ubuntu-24.04
outputs:
major: ${{ steps.nginx_version.outputs.major }}
minor: ${{ steps.nginx_version.outputs.minor }}
patch: ${{ steps.nginx_version.outputs.patch }}
distro: ${{ steps.distro_version.outputs.release }}
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Parse NGINX mainline version
id: nginx_version
run: |
echo "major=$(cat update.sh | grep -m1 '\[mainline\]=' | cut -d"'" -f2 | cut -d"." -f1)" >> "$GITHUB_OUTPUT"
echo "minor=$(cat update.sh | grep -m1 '\[mainline\]=' | cut -d"'" -f2 | cut -d"." -f2)" >> "$GITHUB_OUTPUT"
echo "patch=$(cat update.sh | grep -m1 '\[mainline\]=' | cut -d"'" -f2 | cut -d"." -f3)" >> "$GITHUB_OUTPUT"
- name: Parse Alpine version
id: distro_version
run: |
echo "release=$(cat update.sh | grep -m7 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
slim:
name: Build Alpine NGINX mainline slim Docker image
needs: version
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
platform: [linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x]
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
# - name: Configure AWS credentials
# if: ${{ github.event_name != 'pull_request' }}
# uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
# with:
# aws-region: ${{ secrets.AWS_REGION }}
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# - name: Login to Amazon ECR Public Gallery
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: public.ecr.aws
- name: Login to Docker Hub
# if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
# if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# - name: Login to Quay
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: quay.io
# username: ${{ secrets.QUAY_USERNAME }}
# password: ${{ secrets.QUAY_TOKEN }}
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
docker.io/nginxinc/nginx-unprivileged
ghcr.io/nginxinc/nginx-unprivileged
# public.ecr.aws/nginx/nginx-unprivileged
# quay.io/nginx/nginx-unprivileged
tags: |
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim
type=raw,value=${{ needs.version.outputs.major }}-alpine-slim
type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim
type=raw,value=mainline-alpine-slim
type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim
type=raw,value=alpine-slim
type=raw,value=alpine${{ needs.version.outputs.distro }}-slim
# env:
# DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Prepare env
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Build and push NGINX mainline slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
with:
platforms: ${{ matrix.platform }}
context: "{{ defaultContext }}:mainline/alpine-slim"
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
# outputs: type=image,"name=ghcr.io/nginxinc/nginx-unprivileged,docker.io/nginxinc/nginx-unprivileged",push-by-digest=true,name-canonical=true,push=true
# outputs: type=image,"name=ghcr.io/nginxinc/nginx-unprivileged,docker.io/nginxinc/nginx-unprivileged",push-by-digest=true,name-canonical=true,push=true
outputs: type=docker,dest=${{ runner.temp }}/alpine-slim-${{ env.PLATFORM_PAIR }}.tar
# tags: ${{ steps.meta.outputs.tags }}
# push: false
# push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=alpine-slim
# cache-to: type=gha,mode=min,scope=alpine-slim
- name: Upload artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: alpine-slim-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/alpine-slim-${{ env.PLATFORM_PAIR }}.tar
if-no-files-found: error
retention-days: 1
# - name: Save image as tarball
# run: |
# mkdir -p ${{ runner.temp }}/images
# docker save ghcr.io/nginxinc/nginx-unprivileged:temp-${{ matrix.platform }} -o ${{ runner.temp }}/images/nginx-unprivileged-${{ matrix.platform }}.tar
# - name: Export digest
# run: |
# mkdir -p ${{ runner.temp }}/digests
# digest="${{ steps.build.outputs.digest }}"
# touch "${{ runner.temp }}/digests/${digest#sha256:}"
# - name: Prepare env
# run: |
# platform=${{ matrix.platform }}
# echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
# - name: Upload digest
# uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
# with:
# name: digests-${{ env.PLATFORM_PAIR }}
# path: ${{ runner.temp }}/digests/*
# if-no-files-found: error
# retention-days: 1
# - name: Export digest
# run: |
# mkdir -p ${{ runner.temp }}/digests
# digest="${{ steps.build.outputs.digest }}"
# touch "${{ runner.temp }}/digests/${digest#sha256:}"
# - name: Upload digest
# uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
# with:
# name: digests-${{ env.PLATFORM_PAIR }}
# path: ${{ runner.temp }}/digests/*
# if-no-files-found: error
# retention-days: 1
merge-slim:
runs-on: ubuntu-24.04
needs: [slim, version]
steps:
- name: Download image tarballs
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: /tmp/images
pattern: alpine-slim-*
merge-multiple: true
# - name: Download digests
# uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
# with:
# pattern: digests-*
# path: /tmp/digests
# merge-multiple: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
- name: Load images
run: |
for tar in /tmp/images/*.tar; do
docker load -i $tar
done
docker image ls -a
# - name: Login to Docker Hub
# # if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
# if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
ghcr.io/nginxinc/nginx-unprivileged
# docker.io/nginxinc/nginx-unprivileged
tags: |
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim-test
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim-test
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim-test
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim-test
type=raw,value=${{ needs.version.outputs.major }}-alpine-slim-test
type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim-test
type=raw,value=mainline-alpine-slim-test
type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim-test
type=raw,value=alpine-slim-test
type=raw,value=alpine${{ needs.version.outputs.distro }}-slim-test
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: index
- name: Create manifest list and push
working-directory: /tmp/images
run: |
set -x
annotations=$(jq -cr '.annotations | map((split("=")[0] + "=\"" + split("=")[1] + "\"") | "--annotation " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")
tags=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")
eval "docker buildx imagetools create $annotations $tags $(for tar in /tmp/images/*.tar; do echo 'ghcr.io/nginxinc/nginx-unprivileged:temp-${tar##*/}'; done)"
- name: Inspect image
run: |
docker buildx imagetools inspect ghcr.io/nginxinc/nginx-unprivileged:alpine-slim-test
# docker buildx imagetools inspect docker.io/nginxinc/nginx-unprivileged:alpine-slim-test
# - name: Sign Docker Hub Manifest
# if: ${{ github.event_name != 'pull_request' }}
# run: |
# set -ex
# sudo apt update
# sudo apt install -y notary
# mkdir -p ~/.docker/trust/private
# echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
# chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
# docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx
# DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
# SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
# export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
# env:
# DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
# DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
# DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
# NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
# core:
# name: Build Alpine NGINX mainline Docker image
# needs: [version, slim]
# runs-on: ubuntu-24.04
# strategy:
# fail-fast: false
# steps:
# - name: Check out the codebase
# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: Set up QEMU
# uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
# - name: Configure AWS credentials
# if: ${{ github.event_name != 'pull_request' }}
# uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
# with:
# aws-region: ${{ secrets.AWS_REGION }}
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# - name: Login to Amazon ECR Public Gallery
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: public.ecr.aws
# - name: Login to Docker Hub
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
# - name: Login to GitHub Container Registry
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: ghcr.io
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}
# - name: Login to Quay
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: quay.io
# username: ${{ secrets.QUAY_USERNAME }}
# password: ${{ secrets.QUAY_TOKEN }}
# - name: Extract metadata (annotations, labels, tags) for Docker
# id: meta
# uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
# with:
# images: |
# docker.io/nginxinc/nginx-unprivileged
# ghcr.io/nginxinc/nginx-unprivileged
# public.ecr.aws/nginx/nginx-unprivileged
# quay.io/nginx/nginx-unprivileged
# tags: |
# type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine
# type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}
# type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine
# type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}
# type=raw,value=${{ needs.version.outputs.major }}-alpine
# type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}
# type=raw,value=mainline-alpine
# type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}
# type=raw,value=alpine
# type=raw,value=alpine${{ needs.version.outputs.distro }}
# env:
# DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
# - name: Build and push NGINX mainline Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
# id: build
# uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
# with:
# platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
# context: "{{ defaultContext }}:mainline/alpine"
# labels: ${{ steps.meta.outputs.labels }}
# annotations: ${{ steps.meta.outputs.annotations }}
# tags: ${{ steps.meta.outputs.tags }}
# push: ${{ github.event_name != 'pull_request' }}
# # cache-from: type=gha,scope=debian-perl
# # cache-to: type=gha,mode=min,scope=debian-perl
# - name: Sign Docker Hub Manifest
# if: ${{ github.event_name != 'pull_request' }}
# run: |
# set -ex
# sudo apt update
# sudo apt install -y notary
# mkdir -p ~/.docker/trust/private
# echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
# chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
# docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx
# DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
# SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
# export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
# env:
# DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
# DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
# DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
# NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
# perl:
# name: Build Alpine NGINX mainline perl Docker image
# needs: [version, core]
# runs-on: ubuntu-24.04
# strategy:
# fail-fast: false
# steps:
# - name: Check out the codebase
# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: Set up QEMU
# uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
# - name: Configure AWS credentials
# if: ${{ github.event_name != 'pull_request' }}
# uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
# with:
# aws-region: ${{ secrets.AWS_REGION }}
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# - name: Login to Amazon ECR Public Gallery
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: public.ecr.aws
# - name: Login to Docker Hub
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
# - name: Login to GitHub Container Registry
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: ghcr.io
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}
# - name: Login to Quay
# if: ${{ github.event_name != 'pull_request' }}
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: quay.io
# username: ${{ secrets.QUAY_USERNAME }}
# password: ${{ secrets.QUAY_TOKEN }}
# - name: Extract metadata (annotations, labels, tags) for Docker
# id: meta
# uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
# with:
# images: |
# docker.io/nginxinc/nginx-unprivileged
# ghcr.io/nginxinc/nginx-unprivileged
# public.ecr.aws/nginx/nginx-unprivileged
# quay.io/nginx/nginx-unprivileged
# tags: |
# type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl
# type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl
# type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl
# type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl
# type=raw,value=${{ needs.version.outputs.major }}-alpine-perl
# type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl
# type=raw,value=mainline-alpine-perl
# type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl
# type=raw,value=alpine-perl
# type=raw,value=alpine${{ needs.version.outputs.distro }}-perl
# env:
# DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
# - name: Build and push NGINX mainline perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
# id: build
# uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
# with:
# platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
# context: "{{ defaultContext }}:mainline/alpine-perl"
# labels: ${{ steps.meta.outputs.labels }}
# annotations: ${{ steps.meta.outputs.annotations }}
# tags: ${{ steps.meta.outputs.tags }}
# push: ${{ github.event_name != 'pull_request' }}
# # cache-from: type=gha,scope=alpine-perl
# # cache-to: type=gha,mode=min,scope=alpine-perl
# - name: Sign Docker Hub Manifest
# if: ${{ github.event_name != 'pull_request' }}
# run: |
# set -ex
# sudo apt update
# sudo apt install -y notary
# mkdir -p ~/.docker/trust/private
# echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
# chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
# docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx
# DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
# SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
# export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
# notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
# env:
# DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
# DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
# DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
# NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}