From 24a91f6a013efa35211c8d1e08ae55efb46c7ff9 Mon Sep 17 00:00:00 2001 From: charalamm Date: Wed, 27 Mar 2024 11:05:43 +0100 Subject: [PATCH] Attempt --- .github/workflows/docker-publish.yml | 74 ++++++++-------------------- 1 file changed, 20 insertions(+), 54 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index d49138ef..a37841ef 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -1,42 +1,25 @@ -name: Docker - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. +name: Docker-build-push +# on: +# release: +# types: [published] on: - release: - types: [published] + push: + branches: + - 'Image-CI' env: - # Currently we don't have a dockerhub account - REGISTRY: ghcr.io - IMAGE_NAME: terracotta - + REGISTRY: docker.io + REPOSITORY: dhigras/terracotta jobs: - build: - + docker-build-push: runs-on: ubuntu-latest - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - steps: - - name: Checkout repository - uses: actions/checkout@v3 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 - with: - cosign-release: 'v2.1.1' + # QEMU is used to emulate different processor architectures + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache @@ -47,12 +30,11 @@ jobs: # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{ secrets.REGISTRY_USERNAME }} + password: ${{ secrets.REGISTRY_TOKEN }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action @@ -60,34 +42,18 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + images: ${{ env.REGISTRY }}/${{ env.REPOSITORY }} + tags: | + ${GITHUB_REF} + latest # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image - id: build-and-push uses: docker/build-push-action@v5 with: file: ${GITHUB_WORKSPACE}/docker/Dockerfile context: . - # push: ${{ github.event_name != 'pull_request' }} push: false - tags: ${GITHUB_REF},latest #${{ steps.meta.outputs.tags }} + tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}