build_canary.yml

name: Publish canary image to GitHub Container Registry

on:
  push:
    branches: [ main ]
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-20.04
    permissions:
      contents: read
      packages: write
      id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**

    container: ghcr.io/kedacore/keda-tools:1.22.7
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Register workspace path
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Login to GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          # Username used to log in to a Docker registry. If not set then no login will occur
          username: ${{ github.repository_owner }}
          # Password or personal access token used to log in to a Docker registry. If not set then no login will occur
          password: ${{ secrets.GITHUB_TOKEN }}
          # Server address of Docker registry. If not set then will default to Docker Hub
          registry: ghcr.io

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

      - name: Publish on GitHub Container Registry
        run: make publish-multiarch
        env:
          VERSION: canary

      # https://github.com/sigstore/cosign-installer
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Check Cosign install!
        run: cosign version

      - name: Sign KEDA images published on GitHub Container Registry
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: make sign-images
        env:
          VERSION: canary