From ec7416eb766cc930c2fed1650cbfa5445a9c880a Mon Sep 17 00:00:00 2001
From: Markus Fenes <mafen@users.noreply.github.com>
Date: Fri, 22 Mar 2024 07:32:38 +0100
Subject: [PATCH 1/7] Create docker-publish.yml
---
.github/workflows/docker-publish.yml | 98 ++++++++++++++++++++++++++++
1 file changed, 98 insertions(+)
create mode 100644 .github/workflows/docker-publish.yml
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..51612ce
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,98 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ schedule:
+ - cron: '35 4 * * *'
+ push:
+ branches: [ "main" ]
+ # Publish semver tags as releases.
+ tags: [ 'v*.*.*' ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as <account>/<repo>
+ IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
+ with:
+ cosign-release: 'v2.1.1'
+
+ # Set up BuildKit Docker container builder to be able to build
+ # multi-platform images and export cache
+ # https://github.com/docker/setup-buildx-action
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
From a7b84de2bb207b4f7240dfcef98a67851f680b2e Mon Sep 17 00:00:00 2001
From: Markus Fenes <mafen@users.noreply.github.com>
Date: Fri, 22 Mar 2024 07:33:59 +0100
Subject: [PATCH 2/7] Update docker-publish.yml
---
.github/workflows/docker-publish.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 51612ce..250742f 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -9,7 +9,7 @@ on:
schedule:
- cron: '35 4 * * *'
push:
- branches: [ "main" ]
+ branches: [ "*" ]
# Publish semver tags as releases.
tags: [ 'v*.*.*' ]
pull_request:
From 874b961465de1bc77f8db4463f6c66f4a208608f Mon Sep 17 00:00:00 2001
From: Mike Glenn <219478+ilude@users.noreply.github.com>
Date: Fri, 22 Mar 2024 09:56:26 -0400
Subject: [PATCH 3/7] Create test.yml
---
.github/workflows/test.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 .github/workflows/test.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..838be12
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,13 @@
+name: Get Repository Name
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ get_repository_name:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get Repository Name
+ run: echo "Repository Name: ${{ github.repository }}"
From c8f3abe480d9c0b5dc33d12487b1395111a70288 Mon Sep 17 00:00:00 2001
From: Mike Glenn <219478+ilude@users.noreply.github.com>
Date: Fri, 22 Mar 2024 10:05:58 -0400
Subject: [PATCH 4/7] Update test.yml
From b240ef23b5e52f99cdc639ea110ff6364a201a7e Mon Sep 17 00:00:00 2001
From: Mike Glenn <219478+ilude@users.noreply.github.com>
Date: Fri, 22 Mar 2024 10:10:18 -0400
Subject: [PATCH 5/7] Update test.yml
---
.github/workflows/test.yml | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 838be12..d699e98 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,13 +1,9 @@
name: Get Repository Name
-
on:
- push:
- branches:
- - main
-
+ - push
jobs:
- get_repository_name:
+ one:
runs-on: ubuntu-latest
steps:
- - name: Get Repository Name
- run: echo "Repository Name: ${{ github.repository }}"
+ - name: Echo in file
+ run: echo "Repository Name ${{ github.repository }}"
From 3228b7d6c0eaf87565d611e12ea16f1e3f50198f Mon Sep 17 00:00:00 2001
From: Mike Glenn <219478+ilude@users.noreply.github.com>
Date: Fri, 22 Mar 2024 10:15:05 -0400
Subject: [PATCH 6/7] Update test.yml
---
.github/workflows/test.yml | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d699e98..34a6096 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,9 +1,20 @@
name: Get Repository Name
+
on:
- - push
+ push:
+ branches:
+ - main
+
jobs:
- one:
+ get_repository_name:
runs-on: ubuntu-latest
steps:
- - name: Echo in file
+ - name: Get Repository Name
run: echo "Repository Name ${{ github.repository }}"
+
+ - name: Extract Repository Name
+ id: extract_repo_name
+ run: echo "::set-output name=repo_name::$(basename ${{ github.repository }})"
+
+ - name: Use Repository Name
+ run: echo "Repository Name ${{ steps.extract_repo_name.outputs.repo_name }}"
From 189311cd6258f3bddd9220b2d4a450667fa65b98 Mon Sep 17 00:00:00 2001
From: Mike Glenn <219478+ilude@users.noreply.github.com>
Date: Fri, 22 Mar 2024 13:22:34 -0400
Subject: [PATCH 7/7] Update docker-publish.yml
---
.github/workflows/docker-publish.yml | 24 +-----------------------
1 file changed, 1 insertion(+), 23 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 250742f..cbd26e5 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -37,14 +37,6 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v3
- # Install the cosign tool except on PR
- # https://github.com/sigstore/cosign-installer
- - name: Install cosign
- if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
- with:
- cosign-release: 'v2.1.1'
-
# Set up BuildKit Docker container builder to be able to build
# multi-platform images and export cache
# https://github.com/docker/setup-buildx-action
@@ -76,23 +68,9 @@ jobs:
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: .
+ target: production
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
-
- # Sign the resulting Docker image digest except on PRs.
- # This will only write to the public Rekor transparency log when the Docker
- # repository is public to avoid leaking data. If you would like to publish
- # transparency data even for private images, pass --force to cosign below.
- # https://github.com/sigstore/cosign
- - name: Sign the published Docker image
- if: ${{ github.event_name != 'pull_request' }}
- env:
- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- TAGS: ${{ steps.meta.outputs.tags }}
- DIGEST: ${{ steps.build-and-push.outputs.digest }}
- # This step uses the identity token to provision an ephemeral certificate
- # against the sigstore community Fulcio instance.
- run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}