Add attestations

NathanVaughn · May 5, 2024 · 7581dd3 · 7581dd3
1 parent 11f72ec
commit 7581dd3
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 12 deletions.
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
@@ -11,7 +11,7 @@ on:
         description: "Space-seperated version numbers to force update of"
 
 jobs:
-  get-versions:
+  bake:
     runs-on: ubuntu-latest
 
     permissions:
@@ -41,11 +41,11 @@ jobs:
     outputs:
       matrixes: ${{ steps.script.outputs.matrixes }}
 
-  build-versions:
-    needs: get-versions
-    if: ${{ fromJSON(needs.get-versions.outputs.matrixes.builder).include[0] != null }}
+  build:
+    needs: bake
+    if: ${{ fromJSON(needs.bake.outputs.matrixes).builder.include[0] != null }}
     strategy:
-      matrix: ${{ fromJSON(needs.get-versions.outputs.matrixes.builder) }}
+      matrix: ${{ fromJSON(needs.bake.outputs.matrixes).builder }}
 
     permissions:
       contents: read
@@ -57,7 +57,6 @@ jobs:
       tags: ${{ matrix.tags }}
       context: docker
       dockerfile: docker/Dockerfile
-      dockerhub_reponame: webtrees
       buildargs: |
         WEBTREES_VERSION=${{ matrix.webtrees_version }}
         PHP_VERSION=${{ matrix.php_version }}
@@ -66,14 +65,56 @@ jobs:
       dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
       dockerhub_password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
+  attest:
+    needs:
+      - bake
+      - build
+    strategy:
+      matrix: ${{ fromJSON(needs.bake.outputs.matrixes).attester }}
+
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+      packages: write
+
+    uses: NathanVaughn/reusable-actions/.github/workflows/docker-attest.yml@main
+    with:
+      name: ${{ matrix.name }}
+      attest_id: ${{ matrix.attest_id }}
+    secrets:
+      dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+      dockerhub_password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+  update-dockerhub:
+    needs: build
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Update DockerHub README
+        uses: christian-korneck/update-container-description-action@v1
+        env:
+          DOCKER_USER: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKER_PASS: ${{ secrets.DOCKERHUB_PASSWORD }}
+        with:
+          destination_container_repo: ${{ secrets.DOCKERHUB_USERNAME }}/webtrees
+          provider: dockerhub
+          short_description: ${{ github.event.repository.description }}
+
   create-releases:
     needs:
-      - get-versions
-      - build-versions
-    if: ${{ fromJSON(needs.get-versions.outputs.matrixes.builder).include[0] != null }}
+      - bake
+      - build
+    if: ${{ fromJSON(needs.bake.outputs.matrixes).releaser.include[0] != null }}
 
     strategy:
-      matrix: ${{ fromJSON(needs.get-versions.outputs.matrixes.releaser) }}
+      matrix: ${{ fromJSON(needs.bake.outputs.matrixes).releaser }}
 
     permissions:
       contents: write

diff --git a/dev/versionchecker.py → dev/baker.py b/dev/versionchecker.py → dev/baker.py
@@ -11,7 +11,7 @@
 MY_REPO = os.getenv("GITHUB_REPOSITORY", default="nathanvaughn/webtrees-docker")
 ARCHITECTURES = ["linux/amd64", "linux/arm/v7", "linux/arm64"]
 BASE_IMAGES = [
-    "docker.io/nathanvaughn/webtrees",
+    "index.docker.io/nathanvaughn/webtrees",
     "ghcr.io/nathanvaughn/webtrees",
 ]
 
@@ -124,13 +124,17 @@ def main(forced_versions: Optional[List[str]] = None) -> None:
     # build output json
     builder_list = []
     releaser_list = []
+    attester_list = []
 
     for missing_version_dict in missing_version_dicts:
         ver = missing_version_dict[VERSION_KEY]
 
         for arch in ARCHITECTURES:
+            attest_id = f"{ver}-{arch}".replace("/", "-")
+
             builder_list.append(
                 {
+                    "attest_id": attest_id,
                     "platform": arch,
                     "tags": ",".join(all_tags[ver]),
                     "webtrees_version": ver,
@@ -143,6 +147,9 @@ def main(forced_versions: Optional[List[str]] = None) -> None:
                 }
             )
 
+            for image in BASE_IMAGES:
+                attester_list.append({"name": image, "attest_id": attest_id})
+
         tag_pretty_list = "\n".join(f"- {tag}" for tag in all_tags[ver])
         releaser_list.append(
             {
@@ -156,6 +163,7 @@ def main(forced_versions: Optional[List[str]] = None) -> None:
     output_data = {
         "builder": {"include": builder_list},
         "releaser": {"include": releaser_list},
+        "attester": {"include": attester_list},
     }
 
     # save output

diff --git a/dev/build_test_version.py b/dev/build_test_version.py
@@ -3,7 +3,7 @@
 import subprocess
 import sys
 
-from versionchecker import WEBTREES_PATCH, WEBTREES_PHP
+from dev.baker import WEBTREES_PATCH, WEBTREES_PHP
 
 ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 CACHE_FILE = os.path.join(ROOT_DIR, "dev", ".last_built_version")