chore(ci): update

.github/workflows/publish-container.yml

@@ -33,7 +33,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-      actions: write
+      # actions: write
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
       id-token: write
@@ -51,42 +51,40 @@ jobs:
               README.md
           # ./${{ matrix.name }}/*
 
-      - name: ❔ Stop if files not changed
-        if: ${{ steps.file_change.outputs.container_folder != 'true' }}
-        run: |
-          gh run cancel ${{ github.run_id }}
-          gh run watch ${{ github.run_id }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      
+      # - name: ❔ Stop if files not changed
+      #   if: ${{ steps.file_change.outputs.container_folder != 'true' }}
+      #   run: |
+      #     gh run cancel ${{ github.run_id }}
+      #     gh run watch ${{ github.run_id }}
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: 🏗 Extract Docker metadata
-        if: ${{ steps.file_change.outputs.container_folder == 'true' }}
         id: meta
+        if: ${{ steps.file_change.outputs.container_folder == 'true' }}
         uses: docker/[email protected]
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          images: |
-            name=${{env.REGISTRY}}/${{github.repository_owner}}/${{matrix.name}},enable=true
-
+          images: name=${{env.REGISTRY}}/${{github.repository_owner}}/${{matrix.name}}
           tags: |
             type=raw,value=${{matrix.version.short}}
             type=raw,value=${{matrix.version.full}}
-            
+
       - name: 🏗 Install cosign
         if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
         uses: sigstore/[email protected]
 
       - name: 🏗 Setup Docker Buildx
+        if: ${{ steps.file_change.outputs.container_folder == 'true' }}
         uses: docker/[email protected]
-    
+
       - name: 🏗 Cache Docker Layers
+        if: ${{ steps.file_change.outputs.container_folder == 'true' }}
         uses: actions/cache@v3
         with:
           path: /tmp/.buildx-cache
-          key: image-${{ matrix.name }}-version-${{ matrix.version.full }}-buildx-${{ hashFiles(format('{0}/Container_folder', matrix.name)) }}
-          restore-keys: |
-            image-${{ matrix.name }}-version-${{ matrix.version.full }}-buildx-
-          
+          key: container-${{ matrix.name }}
+
       - name: 🏗 Log into registry ${{env.REGISTRY}}
         if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
         uses: docker/[email protected]
@@ -97,10 +95,10 @@ jobs:
 
       - name: 🚀 Build and push container image
         if: ${{ steps.file_change.outputs.container_folder == 'true' }}
-        id: build-and-push
+        id: build_and_push
         uses: docker/[email protected]
         with:
-          context: ${{matrix.name}}
+          context: ./${{matrix.name}}
           push: ${{github.event_name != 'pull_request'}}
           tags: ${{steps.meta.outputs.tags}}
           labels: ${{steps.meta.outputs.labels}}
@@ -109,8 +107,9 @@ jobs:
           # cache-from: type=gha
           # cache-to: type=gha,mode=max
 
-      - name: 🏗 Sign the published container image
-        if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
+      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+      - name: 🏗 Sign the image with GitHub OIDC Token
         env:
-          COSIGN_EXPERIMENTAL: 'true'
-        run: echo "${{steps.meta.outputs.tags}}" | xargs -I {} cosign sign --yes {}@${{steps.build-and-push.outputs.digest}}
+          DIGEST: ${{ steps.build_and_push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: cosign sign --yes "${TAGS}@${DIGEST}"