From 78dc3c949555e852e864473323e6d557a94b7027 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Brodack=C3=BD?= Date: Thu, 7 Sep 2023 13:19:42 +0200 Subject: [PATCH] Reworked docker-publish.yml --- .github/workflows/docker-publish.yml | 58 ++++++++++++---------------- 1 file changed, 24 insertions(+), 34 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 4ebcbf7..9b89f71 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -1,14 +1,12 @@ name: Docker -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - +# Specifies the trigger for this workflow. +# docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 on: push: branches: ["production"] +# Setting the default enviroment env: # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io @@ -18,6 +16,7 @@ env: jobs: build: runs-on: ubuntu-latest + strategy: fail-fast: false matrix: @@ -28,6 +27,7 @@ jobs: - dockerfile: ./menza/Dockerfile image_name: inf_upol_menza context: ./menza + permissions: contents: read packages: write 
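Review bot: The added header comment `# docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7` sits directly under `# Specifies the trigger for this workflow.` and describes nothing in the `on:` block; it reads like a pasted pin that belongs next to the "Extract Docker metadata" step, where the same ref is already used later in this patch, and it will mislead the next reader, so drop it from the header. The new comment above `env:` misspells `enviroment`; `# Default environment for all jobs` would read cleanly. The other two hunks on this line only add blank lines and need no change.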
@@ -39,23 +39,18 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - # Install the cosign tool except on PR + # Install and setup the Cosign tool # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' + - name: Install Cosign uses: sigstore/cosign-installer@v3.1.1 - with: - cosign-release: 'v2.1.1' - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2.5.0 - # Login against a Docker registry except on PR + # Login against a Docker registry # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + - name: Login to GitHub Container Registry + uses: docker/login-action@v2.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} 
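Review bot: The Buildx and login steps move from commit-SHA pins (`docker/setup-buildx-action@79abd3f8…`, `docker/login-action@28218f9b…`) to mutable tags (`@v2.5.0`, `@v2.1.0`), while the metadata and build-push steps later in this patch stay SHA-pinned; a tag can be re-pointed upstream, so this weakens the pinning the original template had and leaves the file inconsistent. Prefer the immutable form with the version kept as a comment, e.g. `uses: docker/setup-buildx-action@<commit-sha-for-v2.5.0> # v2.5.0`, and the same for login-action. Dropping `cosign-release: 'v2.1.1'` likewise leaves the installed cosign version to the installer's default, which deserves a one-line comment if that is intended. The steps list this hunk edits begins outside the hunk.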
@@ -65,33 +60,28 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 with: images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image_name }} - # Build and push Docker image with Buildx (don't push on PR) + # Build and push Docker image with Buildx # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 with: context: ${{ matrix.context }} file: ${{ matrix.dockerfile }} - push: ${{ github.event_name != 'pull_request' }} + push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + # cache-from: type=gha + # cache-to: type=gha,mode=max - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} + # Sigh the image + # https://github.com/sigstore/cosign-installer + - name: Sign the images with GitHub OIDC Token env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: cosign sign --yes "${TAGS}@${DIGEST}"
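Review bot: The new `run: cosign sign --yes "${TAGS}@${DIGEST}"` treats `TAGS` as a single reference, but `steps.meta.outputs.tags` from docker/metadata-action is a newline-separated list, so any tag configuration yielding more than one tag produces a malformed `tag1\ntag2@digest` reference — the removed `xargs -I {}` form handled that case; keep a loop, e.g. `run: for tag in ${TAGS}; do cosign sign --yes "${tag}@${DIGEST}"; done`, or sign one `<image>@${DIGEST}` reference since the signature binds to the digest rather than the tag. Keyless signing with the GitHub OIDC token also requires `id-token: write` in the job's `permissions`; the block shown earlier in this patch lists `contents: read` and `packages: write`, and whether an `id-token` entry follows is outside the visible hunk, so please confirm it is present. The step comment reads `# Sigh the image`; it should be `# Sign the image`, and since it now describes cosign rather than the installer, the link below it is better pointed at `https://github.com/sigstore/cosign` as the removed comment did. The `build` job's steps list begins outside this hunk.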