docker · crazy-max · Nov 5, 2025 · Aug 18, 2025 · Aug 18, 2025 · Aug 18, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,238 @@
+name: build
+
+on:
+  workflow_call:
+    inputs:
+      push:
+        type: boolean
+        description: "Push image to registry"
+        required: false
+        default: false
+      set-meta-annotations:
+        type: boolean
+        description: "Set metadata-action annotations"
+        required: false
+        default: false
+      set-meta-labels:
+        type: boolean
+        description: "Set metadata-action labels"
+        required: false
+        default: false
+      meta-image:
+        type: string
+        description: "Image to use as base name for tags"
+        required: true
+      meta-tags:
+        type: string
+        description: "List of tags as key-value pair attributes"
+        required: false
+      meta-flavor:
+        type: string
+        description: "Flavors to apply"
+        required: false
+      meta-labels:
+        type: string
+        description: "List of custom labels"
+        required: false
+      meta-annotations:
+        type: string
+        description: "List of custom annotations"
+        required: false
+      login-registry:
+        type: string
+        description: "Server address of Docker registry. If not set then will default to Docker Hub"
+        required: false
+      login-username:
+        type: string
+        description: "Username used to log against the Docker registry"
+        required: false
+      login-ecr:
+        type: string
+        description: "Specifies whether the given registry is ECR (auto, true or false)"
+        default: 'auto'
+        required: false
+      build-args:
+        type: string
+        description: "List of build-time variables"
+        required: false
+      build-platforms:
+        type: string
+        description: "List of target platforms to build"
+        required: false
+      build-sbom:
+        type: string
+        description: "Generate SBOM attestation for the build (shorthand for --attest=type=sbom)"
+        required: false
+    secrets:
+      login-password:
+        description: "Password or personal access token used to log against the Docker registry"
+        required: false
+      github-token:
+        description: "GitHub Token used to authenticate against a repository for Git context"
+        required: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write # needed for pushing the images to GitHub Packages
+      id-token: write # needed for signing the images with GitHub OIDC Token
+    steps:
+      -
+        name: Validate
+        uses: actions/github-script@v7
+        env:
+          INPUT_META-IMAGE: ${{ inputs.meta-image }}
+        with:
+          script: |
+            function getInputList(name) {
+              return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+            }
+            if (getInputList('meta-image').length > 1) {
+              throw new Error('Only one meta-image is allowed');
+            }
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Login to registry
+        uses: docker/login-action@v3
+        if: ${{ inputs.push }}
+        with:
+          registry: ${{ inputs.login-registry }}
+          username: ${{ inputs.login-username }}
+          password: ${{ secrets.login-password }}
+          ecr: ${{ inputs.login-ecr }}
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ inputs.meta-image }}
+          tags: ${{ inputs.meta-tags }}
+          flavor: ${{ inputs.meta-flavor }}
+          labels: ${{ inputs.meta-labels }}
+          annotations: ${{ inputs.meta-annotations }}
+      -
+        name: Build
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          build-args: ${{ inputs.build-args }}
+          platforms: ${{ inputs.build-platforms }}
+          outputs: type=image,"name=${{ inputs.meta-image }}",oci-artifact=true,push-by-digest=true,name-canonical=true,push=${{ inputs.push }}
+          sbom: ${{ inputs.build-sbom }}
+          labels: ${{ inputs.set-meta-labels && steps.meta.outputs.labels || '' }}
+          annotations: ${{ inputs.set-meta-annotations && steps.meta.outputs.annotations || '' }}
+          github-token: ${{ secrets.github-token || github.token }}
+      -
+        name: Get attestations digest
+        id: attest
+        uses: actions/github-script@v7
+        env:
+          INPUT_TAGS: ${{ steps.meta.outputs.tags }}
+        with:
+          script: |
+            function getInputList(name) {
+              return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+            }
+            await core.group(`Get attestations digest`, async () => {
+              await exec.getExecOutput('docker', ['buildx', 'imagetools', 'inspect', getInputList('tags')[0], '--format', '{{json .Manifest}}'], {
+                ignoreReturnCode: true,
+                silent: true
+              }).then(res => {
+                if (res.stderr.length > 0 && res.exitCode != 0) {
+                  throw new Error(res.stderr);
+                }
+                const dt = JSON.parse(res.stdout.trim());
+                const attestationDigests = dt.manifests.filter(m => m.annotations && m.annotations['vnd.docker.reference.type'] === 'attestation-manifest').map(m => m.digest);
+                core.info(JSON.stringify(attestationDigests, null, 2));
+                core.setOutput('digests', attestationDigests.join('\n'));
+              });
+            });
+      -
+        name: Install cosign
+        if: ${{ inputs.push }}
+        uses: sigstore/cosign-installer@v3
+      -
+        name: Sign with GitHub OIDC Token
+        if: ${{ inputs.push }}
+        uses: actions/github-script@v7
+        env:
+          INPUT_TAGS: ${{ steps.meta.outputs.tags }}
+          INPUT_DIGESTS: ${{ steps.attest.outputs.digests }}
+        with:
+          script: |
+            function getInputList(name) {
+              return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+            }
+            const tags = getInputList('tags');
+            const digests = getInputList('digests');
+            const images = [];
+            for (const tag of tags) {
+              for (const digest of digests) {
+                images.push(`${tag}@${digest}`);
+              }
+            }
+            await exec.getExecOutput('cosign', ['-d', 'sign', '--yes', ...images], {
+              ignoreReturnCode: true
+            }).then(res => {
+              if (res.stderr.length > 0 && res.exitCode != 0) {
+                throw new Error(res.stderr);
+              }
+            });
+      -
+        name: Verify signatures
+        if: ${{ inputs.push }}
+        uses: actions/github-script@v7
+        env:
+          INPUT_TAGS: ${{ steps.meta.outputs.tags }}
+          INPUT_DIGESTS: ${{ steps.attest.outputs.digests }}
+        with:
+          script: |
+            function getInputList(name) {
+              return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+            }
+            const tags = getInputList('tags');
+            const digests = getInputList('digests');
+            const images = [];
+            for (const tag of tags) {
+              for (const digest of digests) {
+                await core.group(`Verifying ${tag}@${digest}`, async () => {
+                  await exec.getExecOutput('cosign', ['-d', 'verify', '--certificate-identity-regexp', `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$`, '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com', `${tag}@${digest}`], {
+                    ignoreReturnCode: true
+                  }).then(res => {
+                    if (res.stderr.length > 0 && res.exitCode != 0) {
+                      core.warning(`Verification failed for ${tag}@${digest}: ${res.stderr}`);
+                    }
+                  });
+                });
+              }
+            }
+      -
+        name: Create manifest
+        if: ${{ inputs.push }}
+        uses: actions/github-script@v7
+        env:
+          INPUT_TAGS: ${{ steps.meta.outputs.tags }}
+          INPUT_IMAGE-DIGEST: ${{ steps.build.outputs.digest }}
+        with:
+          script: |
+            function getInputList(name) {
+              return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+            }
+
+            let createArgs = ['buildx', 'imagetools', 'create'];
+            for (const tag of getInputList('tags')) {
+              createArgs.push('-t', tag);
+            }
+            createArgs.push(core.getInput('image-digest'));
+
+            await exec.getExecOutput('docker', createArgs, {
+              ignoreReturnCode: true
+            }).then(res => {
+              if (res.stderr.length > 0 && res.exitCode != 0) {
+                throw new Error(res.stderr);
+              }
+            });