
Commit 5d08511

Fix Image Build
1 parent 36e7fb3 commit 5d08511

1 file changed

+28
-15
lines changed

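--- a/.github/workflows/image-publish.yml
+++ b/.github/workflows/image-publish.yml
@@ -1,7 +1,7 @@
 name: Publish Docker Image
 on:
   schedule:
-    # Once weekly on fridays at noon
+    # Once weekly on Fridays at noon
     - cron: "00 12 * * 5"
   workflow_dispatch:
 
@@ -20,25 +20,25 @@ jobs:
       IMAGE_NAME: ${{ github.repository }}
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@v4
       - name: Set up QEMU for cross-platform builds
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
+        uses: docker/setup-buildx-action@v3
       - name: Compute version number
         id: version-string
         run: |
           DATE="$(date +%Y%m%d)"
           COMMIT="$(git rev-parse --short HEAD)"
-          echo "tag=0.$DATE.$GITHUB_RUN_NUMBER+ref.$COMMIT" >> "$GITHUB_OUTPUT"
+          echo "tag=0.$DATE.$GITHUB_RUN_NUMBER-ref.$COMMIT" >> "$GITHUB_OUTPUT"
       - name: Login to GHCR
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set container metadata
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
+        uses: docker/metadata-action@v5
         id: docker-metadata
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -73,15 +73,13 @@ jobs:
         run: |
           git lfs install
           git lfs pull
-      - name: Build image
+      - name: Build and Push Image
         id: image-build
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v5
+        uses: docker/build-push-action@v5
         with:
-          github-token: ${{ github.token }}
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
-          file: ./Dockerfile
           tags: ${{ steps.docker-metadata.outputs.tags }}
           labels: ${{ steps.docker-metadata.outputs.labels }}
           cache-from: type=gha
@@ -90,15 +88,30 @@ jobs:
             gh_token=${{ secrets.GH_CI_TOKEN }}
           build-args: |
             LATEST_COMMIT_SHA=${{ env.LATEST_COMMIT_SHA }}
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - name: Capture Image Digest
+        id: image-digest
+        run: |
+          echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ env.IMAGE_NAME }}:${{ steps.version-string.outputs.tag }})" >> "$GITHUB_OUTPUT"
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
         with:
-          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version-string.outputs.tag }}'
+          image-ref: '${{ steps.image-digest.outputs.digest }}'
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.image-build.outputs.digest }}
+          TAGS: ${{ steps.docker-metadata.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+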
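Review bot: Dropping the commit-SHA pins on actions/checkout, docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/metadata-action and docker/build-push-action in favour of floating `@v3`/`@v4`/`@v5` tags is a supply-chain regression unrelated to the `+`→`-` tag-separator fix: a mutable tag can be re-pointed at arbitrary code that then runs with the GHCR login and the `GH_CI_TOKEN` build secret in scope, and it is inconsistent with trivy-action and cosign-installer, which stay pinned on the same page. Restore the `owner/action@<sha> # vN` form, e.g. `uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3`. Separately, the new Capture Image Digest step shells out to `docker inspect` on the local daemon even though the signing step already consumes `steps.image-build.outputs.digest`; for a multi-platform buildx build with `push: true` the image is not necessarily loaded locally (unverified here), so an empty substitution would silently hand Trivy an empty `image-ref` — prefer `image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.image-build.outputs.digest }}'` and drop the inspect step. Note also that `push: true` runs before the Trivy gate, so a failing scan prevents signing but not publication of the image.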
