Skip to content

Build reusable workflow #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
crazy-max wants to merge 8 commits into from
Closed

Build reusable workflow #3

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
008be12
build reusable workflow
crazy-max Aug 18, 2025
fb69de5
build: set meta labels and annotations
crazy-max Aug 18, 2025
0ad0402
build: build args
crazy-max Aug 18, 2025
3b0cb21
build: build platforms
crazy-max Aug 18, 2025
aa904a9
build: install cosign and sign image
crazy-max Aug 18, 2025
fedb1f3
build: use oci-artifact for attestations
crazy-max Aug 18, 2025
bf418e0
build: step to get attestation manifest digest for signing
crazy-max Aug 18, 2025
c3cdb74
build: only sign attestation manifests
crazy-max Aug 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
168 changes: 168 additions & 0 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
name: build

on:
workflow_call:
inputs:
push:
type: boolean
description: "Push image to registry"
required: false
default: false
set-meta-annotations:
type: boolean
description: "Set metadata-action annotations"
required: false
default: false
set-meta-labels:
type: boolean
description: "Set metadata-action labels"
required: false
default: false
meta-image:
type: string
description: "Image to use as base name for tags"
required: true
meta-tags:
type: string
description: "List of tags as key-value pair attributes"
required: false
meta-flavor:
type: string
description: "Flavors to apply"
required: false
meta-labels:
type: string
description: "List of custom labels"
required: false
meta-annotations:
type: string
description: "List of custom annotations"
required: false
login-registry:
type: string
description: "Server address of Docker registry. If not set then will default to Docker Hub"
required: false
login-username:
type: string
description: "Username used to log against the Docker registry"
required: false
login-ecr:
type: string
description: "Specifies whether the given registry is ECR (auto, true or false)"
default: 'auto'
required: false
build-args:
type: string
description: "List of build-time variables"
required: false
build-platforms:
type: string
description: "List of target platforms to build"
required: false
secrets:
login-password:
description: "Password or personal access token used to log against the Docker registry"
required: false
github-token:
description: "GitHub Token used to authenticate against a repository for Git context"
required: false

jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write # needed for pushing the images to GitHub Packages
id-token: write # needed for signing the images with GitHub OIDC Token
steps:
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Login to registry
uses: docker/login-action@v3
if: ${{ inputs.push }}
with:
registry: ${{ inputs.login-registry }}
username: ${{ inputs.login-username }}
password: ${{ secrets.login-password }}
ecr: ${{ inputs.login-ecr }}
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ inputs.meta-image }}
tags: ${{ inputs.meta-tags }}
flavor: ${{ inputs.meta-flavor }}
labels: ${{ inputs.meta-labels }}
annotations: ${{ inputs.meta-annotations }}
-
name: Build
id: build
uses: docker/build-push-action@v6
with:
build-args: ${{ inputs.build-args }}
platforms: ${{ inputs.build-platforms }}
tags: ${{ steps.meta.outputs.tags }}
outputs: type=image,oci-artifact=true,push=${{ inputs.push }}
sbom: true
labels: ${{ inputs.set-meta-labels && steps.meta.outputs.labels || '' }}
annotations: ${{ inputs.set-meta-annotations && steps.meta.outputs.annotations || '' }}
github-token: ${{ secrets.github-token || github.token }}
-
name: Get attestations digest
id: attest
uses: actions/github-script@v7
env:
INPUT_TAGS: ${{ steps.meta.outputs.tags }}
with:
script: |
function getInputList(name) {
return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
}
await core.group(`Get attestations digest`, async () => {
await exec.getExecOutput('docker', ['buildx', 'imagetools', 'inspect', getInputList('tags')[0], '--format', '{{json .Manifest}}'], {
ignoreReturnCode: true,
silent: true
}).then(res => {
if (res.stderr.length > 0 && res.exitCode != 0) {
throw new Error(res.stderr);
}
const dt = JSON.parse(res.stdout.trim());
const attestationDigests = dt.manifests.filter(m => m.annotations && m.annotations['vnd.docker.reference.type'] === 'attestation-manifest').map(m => m.digest);
core.info(JSON.stringify(attestationDigests, null, 2));
core.setOutput('digests', attestationDigests.join('\n'));
});
});
-
name: Install cosign
if: ${{ inputs.push }}
uses: sigstore/cosign-installer@v3
-
name: Sign with GitHub OIDC Token
if: ${{ inputs.push }}
uses: actions/github-script@v7
env:
INPUT_TAGS: ${{ steps.meta.outputs.tags }}
INPUT_DIGESTS: ${{ steps.attest.outputs.digests }}
with:
script: |
function getInputList(name) {
return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
}
const tags = getInputList('tags');
const digests = getInputList('digests');
const images = [];
for (const tag of tags) {
for (const digest of digests) {
images.push(`${tag}@${digest}`);
}
}
await exec.getExecOutput('cosign', ['-d', 'sign', '--yes', ...images], {
ignoreReturnCode: true
}).then(res => {
if (res.stderr.length > 0 && res.exitCode != 0) {
throw new Error(res.stderr);
}
});