Polish SBOM and provenance generation workflow

Author: ynojima

.github/workflows/publish-nightly.yml

@@ -1,4 +1,4 @@
-name: Publish Nightly Docker Image
+name: Publish Nightly Container Images
 
 on:
   push:
@@ -11,38 +11,32 @@ permissions:
 
 jobs:
   push-to-ghcr:
-    name: Build and Push Docker Image to GHCR
+    name: Build and Push Nightly to GHCR (Docker toolchain)
     runs-on: ubuntu-latest
 
     steps:
       - name: Check out the repo
         uses: actions/checkout@v6
 
-      - name: Log in to the GitHub Container Registry
+      - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Log in to Quay.io
-        uses: docker/login-action@v3
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_BOT_USERNAME }}
-          password: ${{ secrets.QUAY_BOT_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Extract metadata (tags, labels) for Docker
+      - name: Extract metadata (GHCR)
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: |
-            ghcr.io/${{ github.repository }}
-            quay.io/sharplab/switchbot-mcp-server
+          images: ghcr.io/${{ github.repository }}
           tags: |
             type=raw,value=nightly
 
-      - name: Build and push Docker image
+      - name: Build and push (GHCR)
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -52,3 +46,40 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           provenance: true
           sbom: true
+
+  push-to-quay:
+    name: Build and Push Nightly to Quay (Red Hat toolchain)
+    runs-on: ubuntu-latest
+
+    env:
+      REGISTRY: quay.io
+      IMAGE: sharplab/switchbot-mcp-server
+      TAG: nightly
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v6
+
+      - name: Log in to Quay.io
+        uses: redhat-actions/podman-login@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.QUAY_BOT_USERNAME }}
+          password: ${{ secrets.QUAY_BOT_TOKEN }}
+
+      - name: Build image (buildah)
+        id: build_image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: ${{ env.IMAGE }}
+          tags: ${{ env.TAG }}
+          containerfiles: |
+            ./switchbot-mcp-server/src/main/docker/Dockerfile
+          context: .
+
+      - name: Push to Quay
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build_image.outputs.image }}
+          tags: ${{ steps.build_image.outputs.tags }}
+          registry: ${{ env.REGISTRY }}

.github/workflows/rebuild-tagged-releases.yml

@@ -28,8 +28,8 @@ jobs:
           tags=$(git ls-remote --tags --refs | grep -o 'refs/tags/.*\.RELEASE$' | sed 's#refs/tags/##' | jq -c -R -s 'split("\n") | map(select(length > 0))')
           echo "tags=${tags}" >> $GITHUB_OUTPUT
 
-  rebuild:
-    name: Rebuild and Push Tagged Release
+  rebuild-ghcr:
+    name: Rebuild and Push to GHCR
     runs-on: ubuntu-latest
     needs: list-tags
     if: needs.list-tags.outputs.tags != '[]'
@@ -52,20 +52,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Log in to Quay.io
-        uses: docker/login-action@v3
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_BOT_USERNAME }}
-          password: ${{ secrets.QUAY_BOT_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: |
             ghcr.io/${{ github.repository }}
-            quay.io/sharplab/switchbot-mcp-server
           tags: |
             type=raw,value=${{ matrix.tag }}
 
@@ -79,3 +74,48 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           provenance: true
           sbom: true
+
+  rebuild-quay:
+    name: Rebuild and Push to Quay
+    runs-on: ubuntu-latest
+    needs: list-tags
+    if: needs.list-tags.outputs.tags != '[]'
+
+    strategy:
+      fail-fast: false
+      matrix:
+        tag: ${{ fromJson(needs.list-tags.outputs.tags) }}
+
+    env:
+      REGISTRY: quay.io
+      IMAGE: sharplab/switchbot-mcp-server
+
+    steps:
+      - name: Check out the repo at a specific tag
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ matrix.tag }}
+
+      - name: Log in to Quay.io
+        uses: redhat-actions/podman-login@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.QUAY_BOT_USERNAME }}
+          password: ${{ secrets.QUAY_BOT_TOKEN }}
+
+      - name: Build image (buildah)
+        id: build_image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: ${{ env.IMAGE }}
+          tags: ${{ matrix.tag }}
+          containerfiles: |
+            ./switchbot-mcp-server/src/main/docker/Dockerfile
+          context: .
+
+      - name: Push to Quay
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build_image.outputs.image }}
+          tags: ${{ steps.build_image.outputs.tags }}
+          registry: ${{ env.REGISTRY }}

.github/workflows/release.yml

@@ -12,6 +12,8 @@ jobs:
     permissions:
       contents: write
       packages: write
+    outputs:
+      release_tag: ${{ steps.tag_commit.outputs.release_tag }}
 
     runs-on: ubuntu-latest
 
@@ -93,29 +95,37 @@ jobs:
           asset_name: switchbot-mcp-server.jar
           asset_content_type: application/java-archive
 
+  push-to-ghcr:
+    permissions:
+      contents: read
+      packages: write
+    needs:
+      - release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.release.outputs.release_tag }}
+
       - name: Log in to the GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Log in to Quay.io
-        uses: docker/login-action@v3
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_BOT_USERNAME }}
-          password: ${{ secrets.QUAY_BOT_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: |
             ghcr.io/${{ github.repository }}
-            quay.io/sharplab/switchbot-mcp-server
           tags: |
-            type=raw,value=${{ steps.tag_commit.outputs.release_tag }}
+            type=raw,value=${{ needs.release.outputs.release_tag }}
 
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
@@ -127,3 +137,43 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           provenance: true
           sbom: true
+
+  push-to-quay:
+    permissions:
+      contents: read
+      packages: write
+    needs:
+      - release
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: quay.io
+      IMAGE: sharplab/switchbot-mcp-server
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.release.outputs.release_tag }}
+
+      - name: Log in to Quay.io
+        uses: redhat-actions/podman-login@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.QUAY_BOT_USERNAME }}
+          password: ${{ secrets.QUAY_BOT_TOKEN }}
+
+      - name: Build image (buildah)
+        id: build_image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: ${{ env.IMAGE }}
+          tags: ${{ needs.release.outputs.release_tag }}
+          containerfiles: |
+            ./switchbot-mcp-server/src/main/docker/Dockerfile
+          context: .
+
+      - name: Push to Quay
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build_image.outputs.image }}
+          tags: ${{ steps.build_image.outputs.tags }}
+          registry: ${{ env.REGISTRY }}