GSA · aj-stein-gsa · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
@@ -5,20 +5,24 @@ on:
     branches:
       - master
     paths:
+      - Dockerfile
       - "src/**"
       - "oscal"
   pull_request:
     types: [opened, synchronize, reopened]
   workflow_dispatch:
     branches:
       - master
+      - 'feature**'
 name: Process Content
 env:
   HOME_REPO: GSA/fedramp-automation
   IMAGE_NAME: GSA/fedramp-automation/validation-tools
   REGISTRY: ghcr.io
   # Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
   DOCKER_METADATA_PR_HEAD_SHA: true
+  # https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
+  DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 jobs:
   validate-and-publish-content:
     name: Content Validation Checking, Conversion and Validation
@@ -62,22 +66,26 @@ jobs:
           commit_user_name: OSCAL GitHub Actions Bot
           commit_user_email: [email protected]
           commit_author: OSCAL GitHub Actions Bot <[email protected]>
-      - name: Container image QEMU setup for cross-arch builds
+      - if: github.repository == env.HOME_REPO
+        name: Container image QEMU setup for cross-arch builds
         id: image_setup_qemu
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
-      - name: Container image buildx setup for cross-arch builds
+      - if: github.repository == env.HOME_REPO
+        name: Container image buildx setup for cross-arch builds
         id: image_setup_buildx
         with:
           platforms: linux/amd64,linux/arm64 
         uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
-      - name: Container image login
+      - if: github.repository == env.HOME_REPO
+        name: Container image login
         id: image_login
         uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Container image metadata and tag generation
+      - if: github.repository == env.HOME_REPO
+        name: Container image metadata and tag generation
         id: image_metadata
         uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
         with:
@@ -91,7 +99,7 @@ jobs:
           # For now, do not auto-tag latest, maintainers will decided what is
           # release-worthy.
           flavor: |
-            latest=false
+            latest=true
           annotations:
             maintainers="FedRAMP Automation Team <[email protected]>"
             org.opencontainers.image.authors="FedRAMP Automation Team <[email protected]>"
@@ -101,7 +109,8 @@ jobs:
             org.opencontainers.image.title="FedRAMP Validation Tools"
             org.opencontainers.image.description="FedRAMP's tools for validating OSCAL data"
             org.opencontainers.image.licenses="CC0-1.0"
-      - name: Container image registry push
+      - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
+        name: Container image registry push
         id: image_registry_push
         uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
         with:
@@ -112,7 +121,8 @@ jobs:
           platforms: linux/amd64,linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max
-      - name: Container image push attestations
+      - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
+        name: Container image push attestations
         uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}