.github/workflows/docker.yaml

name: Build Docker images

on:
  push:
    tags:
      - "v*"

jobs:
  docker:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout the repository
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ctferio/ctfd-setup
      
      - name: Git commit date
        id: infos
        run: |
          # trim version prefix
          version=${{ github.ref_name }}
          version="${version#"v"}"
          echo "version=$version" >> "$GITHUB_OUTPUT"

          # output date per RFC 3339
          date="$(git log -1 --format=%cd --date=format:%Y-%m-%dT%H:%M:%SZ)"
          echo "date=$date" >> "$GITHUB_OUTPUT"

      - name: Build and push Docker image
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        id: build
        with:
          push: true
          sbom: true # may not produce SBOM in manifest if the image has no filesystem (e.g. "FROM scratch")
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            VERSION=${{ steps.infos.outputs.version }}
            COMMIT=${{ github.sha }}
            DATE=${{ steps.infos.outputs.date }}

  # This step calls the container workflow to generate provenance and push it to
  # the container registry.
  provenance:
    needs: [docker]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ctferio/ctfd-setup
      digest: ${{ needs.docker.outputs.digest }}
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}