DCT for docker images (#23)

* chore: add dct signing to eps, sd and proxy
iris-connect · Feb 16, 2022 · 39f3768 · 39f3768
1 parent f156939
commit 39f3768
Showing 1 changed file with 94 additions and 25 deletions.
diff --git a/.github/workflows/build-and-push-docker-images.yml b/.github/workflows/build-and-push-docker-images.yml
@@ -20,30 +20,99 @@ jobs:
         run: |
           echo $VERSION
           echo ${{ env.VERSION }}
-      - name: Build and push eps
-        uses: docker/build-push-action@v1
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
         with:
-          build_args: VERSION=${{ env.VERSION }}
-          username: ${{ secrets.DOCKER_HUB_USER }}
-          password: ${{ secrets.DOCKER_HUB_PW }}        
-          repository: inoeg/eps
-          tag_with_ref: true
-          dockerfile: ./docker/Eps.dockerfile
-      - name: Build and push sd
-        uses: docker/build-push-action@v1
-        with:
-          build_args: VERSION=${{ env.VERSION }}
-          username: ${{ secrets.DOCKER_HUB_USER }}
-          password: ${{ secrets.DOCKER_HUB_PW }}        
-          repository: inoeg/sd
-          tag_with_ref: true
-          dockerfile: ./docker/Sd.dockerfile
-      - name: Build and push proxy
-        uses: docker/build-push-action@v1
-        with:
-          build_args: VERSION=${{ env.VERSION }}
           username: ${{ secrets.DOCKER_HUB_USER }}
-          password: ${{ secrets.DOCKER_HUB_PW }}        
-          repository: inoeg/proxy
-          tag_with_ref: true
-          dockerfile: ./docker/Proxy.dockerfile
+          password: ${{ secrets.DOCKER_HUB_PW }}
+
+      - name: Create eps image tag
+        id: meta_eps
+        uses: docker/metadata-action@v3
+        with:
+          images: inoeg/eps
+      - name: Build eps
+        uses: docker/[email protected]
+        with:
+          build-args: VERSION=${{ env.VERSION }}
+          file: ./docker/Eps.dockerfile
+          tags: ${{ steps.meta_eps.outputs.tags }}
+          push: false
+          load: true
+          labels: |
+            iris.eps.image.revision=${{ github.sha }}
+      - name: Sign and push versioned eps image
+        uses: sudo-bot/action-docker-sign@latest
+        with:
+          image-ref: ${{fromJSON(steps.meta_eps.outputs.json).tags[0]}}
+          private-key-id: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY_IDENTIFIER }}
+          private-key: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY }}
+          private-key-passphrase: ${{ secrets.DOCKER_HUB_DCT_PASSPHRASE }}
+      - name: Sign and push latest eps image
+        uses: sudo-bot/action-docker-sign@latest
+        with:
+          image-ref: ${{fromJSON(steps.meta_eps.outputs.json).tags[1]}}
+          private-key-id: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY_IDENTIFIER }}
+          private-key: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY }}
+          private-key-passphrase: ${{ secrets.DOCKER_HUB_DCT_PASSPHRASE }}
+
+      - name: Create sd image tag
+        id: meta_sd
+        uses: docker/metadata-action@v3
+        with:
+          images: inoeg/sd
+      - name: Build sd
+        uses: docker/[email protected]
+        with:
+          build-args: VERSION=${{ env.VERSION }}
+          file: ./docker/Sd.dockerfile
+          tags: ${{ steps.meta_sd.outputs.tags }}
+          push: false
+          load: true
+          labels: |
+            iris.sd.image.revision=${{ github.sha }}
+      - name: Sign and push sd versioned image
+        uses: sudo-bot/action-docker-sign@latest
+        with:
+          image-ref: ${{fromJSON(steps.meta_sd.outputs.json).tags[0]}}
+          private-key-id: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY_IDENTIFIER }}
+          private-key: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY }}
+          private-key-passphrase: ${{ secrets.DOCKER_HUB_DCT_PASSPHRASE }}
+      - name: Sign and push sd latest image
+        uses: sudo-bot/action-docker-sign@latest
+        with:
+          image-ref: ${{fromJSON(steps.meta_sd.outputs.json).tags[1]}}
+          private-key-id: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY_IDENTIFIER }}
+          private-key: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY }}
+          private-key-passphrase: ${{ secrets.DOCKER_HUB_DCT_PASSPHRASE }}
+
+      - name: Create proxy image tag
+        id: meta_proxy
+        uses: docker/metadata-action@v3
+        with:
+          images: inoeg/proxy
+      - name: Build proxy
+        uses: docker/[email protected]
+        with:
+          build-args: VERSION=${{ env.VERSION }}
+          file: ./docker/Proxy.dockerfile
+          tags: ${{ steps.meta_proxy.outputs.tags }}
+          push: false
+          load: true
+          labels: |
+            iris.proxy.image.revision=${{ github.sha }}
+      - name: Sign and push proxy versioned image
+        uses: sudo-bot/action-docker-sign@latest
+        with:
+          image-ref: ${{fromJSON(steps.meta_proxy.outputs.json).tags[0]}}
+          private-key-id: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY_IDENTIFIER }}
+          private-key: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY }}
+          private-key-passphrase: ${{ secrets.DOCKER_HUB_DCT_PASSPHRASE }}
+      - name: Sign and push proxy latest image
+        uses: sudo-bot/action-docker-sign@latest
+        with:
+          image-ref: ${{fromJSON(steps.meta_proxy.outputs.json).tags[1]}}
+          private-key-id: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY_IDENTIFIER }}
+          private-key: ${{ secrets.DOCKER_HUB_DCT_PRIVATE_KEY }}
+          private-key-passphrase: ${{ secrets.DOCKER_HUB_DCT_PASSPHRASE }}