[action] common docker workflow with keyless cosign

.github/workflows/ci.yml

@@ -9,6 +9,10 @@ on:
   pull_request:
   workflow_call:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   ci:
     uses: smallstep/workflows/.github/workflows/goCI.yml@main

.github/workflows/release.yml

@@ -8,36 +8,35 @@ on:
 
 jobs:
   ci:
-    uses: smallstep/step-issuer/.github/workflows/ci.yml@main
+    uses: smallstep/step-issuer/.github/workflows/ci.yml@master
 
   create_release:
     name: Create Release
     needs: ci
     runs-on: ubuntu-latest
+    env:
+      DOCKER_IMAGE: smallstep/step-issuer
     outputs:
-      version: ${{ steps.extract-tag.outputs.VERSION }}
-      vversion: ${{ steps.extract-tag.outputs.VVERSION }}
-      is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
+      docker_tags: ${{ env.DOCKER_TAGS }}
     steps:
-      -
-        name: Extract Tag Names
-        id: extract-tag
-        run: |
-          VVERSION=${GITHUB_REF#refs/tags/}
-          VERSION=${GITHUB_REF#refs/tags/v}
-          echo "::set-output name=VVERSION::${VVERSION}"
-          echo "::set-output name=VERSION::${VERSION}"
-      -
-        name: Is Pre-release
+      - name: Is Pre-release
         id: is_prerelease
         run: |
           set +e
           echo ${{ github.ref }} | grep "\-rc.*"
           OUT=$?
           if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
-          echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
-      -
-        name: Create Release
+          echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
+      - name: Extract Tag Names
+        id: extract-tag
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/v}
+          echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV}
+      - name: Add Latest Tag
+        if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
+        run: |
+          echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV}
+      - name: Create Release
         id: create_release
         uses: actions/create-release@v1
         env:
@@ -50,21 +49,15 @@ jobs:
 
   build_upload_docker:
     name: Build & Upload Docker Images
-    runs-on: ubuntu-latest
-    needs: ci
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: '1.19'
-      -
-        name: Build
-        id: build
-        run: make artifacts
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+    needs: create_release
+    permissions:
+      id-token: write
+      contents: write
+    uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
+    with:
+      platforms: linux/amd64,linux/arm64
+      tags: ${{ needs.create_release.outputs.docker_tags }}
+      docker_image: smallstep/step-issuer
+      docker_file: Dockerfile
+    secrets: inherit
+

Dockerfile

@@ -1,7 +1,16 @@
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:latest
-ARG BINPATH="docker/bin/manager"
+FROM golang:alpine AS builder
+
+RUN mkdir /src
+WORKDIR /src
+COPY . .
+
+RUN apk add --no-cache make git curl && \
+	make CGO_ENABLED=0 V=1 bin/manager
+
+FROM alpine
+
 WORKDIR /
-COPY $BINPATH .
+COPY --from=builder /src/bin/manager .
 ENTRYPOINT ["/manager"]

Makefile

@@ -173,75 +173,3 @@ ifneq ($(BINNAME),"")
 endif
 
 .PHONY: clean
-
-#################################################
-# Docker
-#################################################
-
-DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
-DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(2)
-DOCKER_BUILD=$Q docker build -t $(IMG) -f $(2) --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(1) .
-
-docker: docker-make Dockerfile
-	$(call DOCKER_BUILD,manager,Dockerfile)
-
-docker-make:
-	$Q mkdir -p $(DOCKER_OUTPUT)
-	$(call DOCKER_MAKE,$(DOCKER_OUTPUT),manager)
-
-.PHONY: docker docker-make
-
-# Make sure to run a local registry
-# docker run -d -p 5000:5000 --restart=always --name registry registry:2
-docker-dev: docker
-	$Q docker tag ${IMG} localhost:5000/${IMG}
-	$Q docker push localhost:5000/${IMG}
-
-.PHONY: docker-dev
-
-#################################################
-# Releasing Docker Images
-#################################################
-
-DOCKER_TAG=docker tag smallstep/$(1):latest smallstep/$(1):$(2)
-DOCKER_PUSH=docker push smallstep/$(1):$(2)
-
-docker-tag:
-	$(call DOCKER_TAG,step-issuer,$(VERSION))
-
-docker-push-tag: docker-tag
-	$(call DOCKER_PUSH,step-issuer,$(VERSION))
-
-docker-push-tag-latest:
-	$(call DOCKER_PUSH,step-issuer,latest)
-
-# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
-# equivalent environment
-docker-login:
-	$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
-
-.PHONY: docker-login docker-tag docker-push-tag docker-push-tag-latest
-
-#################################################
-# Targets for pushing the docker images
-#################################################
-
-# For all builds we build the docker container
-docker-master: docker
-
-# For all builds with a release candidate tag
-docker-release-candidate: docker-master docker-login docker-push-tag
-
-# For all builds with a release tag
-docker-release: docker-release-candidate docker-push-tag-latest
-
-.PHONY: docker-master docker-release-candidate docker-release
-
-#################################################
-# Targets for creating step artifacts
-#################################################
-
-# This command is called by travis directly *after* a successful build
-artifacts: docker-$(PUSHTYPE)
-
-.PHONY: artifacts