Build container image #9
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build container image | |
on: | |
workflow_dispatch: | |
inputs: | |
push-image: | |
type: boolean | |
default: true | |
workflow_call: | |
inputs: | |
push-image: | |
type: boolean | |
required: true | |
outputs: | |
repository: | |
description: "Repository used to build the container image" | |
value: ${{ jobs.build.outputs.repository }} | |
tag: | |
description: "Tag used to build the container image" | |
value: ${{ jobs.build.outputs.tag }} | |
artifact: | |
description: "Uploaded artifact with the container tarball" | |
value: ${{ jobs.build.outputs.artifact }} | |
digest: | |
description: "Image digest" | |
value: ${{ jobs.build.outputs.digest }} | |
jobs: | |
build: | |
name: Build container image | |
permissions: | |
packages: write | |
id-token: write # to mint the OIDC token for Sigstore signatures | |
runs-on: ubuntu-latest | |
outputs: | |
repository: ${{ steps.setoutput.outputs.repository }} | |
tag: ${{ steps.setoutput.outputs.tag }} | |
artifact: ${{ steps.setoutput.outputs.artifact }} | |
digest: ${{ steps.setoutput.outputs.digest }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Install cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Retrieve tag name (main branch) | |
if: ${{ startsWith(github.ref, 'refs/heads/main') }} | |
run: | | |
echo TAG_NAME="dev-${{ github.sha }}" >> $GITHUB_ENV | |
echo VERSION="dev-${{ github.sha }}" >> $GITHUB_ENV | |
- name: Retrieve tag name (tag) | |
if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
run: | | |
echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/v||") >> $GITHUB_ENV | |
echo VERSION=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV | |
- name: Build and push container image | |
if: ${{ inputs.push-image }} | |
id: build-image | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
context: . | |
file: ./Dockerfile | |
build-args: VERSION=${{ env.VERSION }} | |
platforms: linux/amd64,linux/arm64,linux/arm/v7 | |
push: true | |
sbom: true | |
provenance: mode=max | |
tags: | | |
ghcr.io/${{github.repository_owner}}/ddflare:${{ env.TAG_NAME }} | |
- name: Sign container image | |
if: ${{ inputs.push-image }} | |
run: | | |
cosign sign --yes \ | |
ghcr.io/${{github.repository_owner}}/ddflare@${{ steps.build-image.outputs.digest }} | |
cosign verify \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
--certificate-identity-regexp="https://github.com/${{github.repository_owner}}/ddflare/.github/workflows/container-image.yaml@" \ | |
ghcr.io/${{github.repository_owner}}/ddflare@${{ steps.build-image.outputs.digest }} | |
- id: setoutput | |
name: Set output parameters | |
run: | | |
echo "repository=ghcr.io/${{github.repository_owner}}/ddflare" >> $GITHUB_OUTPUT | |
echo "tag=${{ env.TAG_NAME }}" >> $GITHUB_OUTPUT | |
echo "artifact=ddflare-image-${{env.TAG_NAME}}" >> $GITHUB_OUTPUT | |
echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT |