-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use defined actions for docker image publish workflow
- Loading branch information
Showing
1 changed file
with
203 additions
and
93 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,115 +4,225 @@ on: | |
| push: | ||
| tags: | ||
| - '*' | ||
| branches: [ develop ] | ||
| branches: [ develop-meed ] | ||
| env: | ||
| REGISTRY: ghcr.io | ||
| GHCR_IMAGE_NAME: 'meeds-io/meeds/meeds-io' | ||
| DOCKERHUB_IMAGE_NAME: 'meedsio/meeds' | ||
|
|
||
| BRANCH_BUILD_TAGS: "develop-meed" | ||
| jobs: | ||
| build-and-push-image: | ||
| parse-docker-build-env: | ||
| name: 'Parse Docker Build Environment' | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| buildTags: ${{ steps.detect-push-event.outputs.buildTags }} | ||
| steps: | ||
| - name: Check if push is a tag or branch | ||
| id: detect-push-event | ||
| run: | | ||
| if [[ $GITHUB_REF == refs/tags/* ]]; then | ||
| echo "This is a tag push (${GITHUB_REF#refs/tags/})" | ||
| echo "Building docker tag: ${GITHUB_REF#refs/tags/}" | ||
| echo "buildTags=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | ||
| elif [[ $GITHUB_REF == refs/heads/* ]]; then | ||
| echo "This is a branch push (${GITHUB_REF#refs/heads/})" | ||
| echo "Building docker tags: ${{ env.BRANCH_BUILD_TAGS }}" | ||
| echo "buildTags=${{ env.BRANCH_BUILD_TAGS }}" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "Unknown push type" | ||
| exit 1 | ||
| fi | ||
| # dockerhub docker image build | ||
| build-dockerhub-image: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write # needed for signing the images with GitHub OIDC Token | ||
|
|
||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| attestations: write | ||
| name: "Build Docker Images and push them to DockerHub Registry" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| tags: ${{ steps.build-docker-image.outputs.tags }} | ||
| digest: ${{ steps.build-docker-image.outputs.digest }} | ||
| timeout-minutes: 120 | ||
| needs: parse-docker-build-env | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Log in to the Container registry | ||
| uses: docker/login-action@v2 | ||
| - name: build docker image | ||
| uses: exo-actions/buildDockerImage-action/build-and-push-image@v1 | ||
| id: build-docker-image | ||
| with: | ||
| registry: ${{ env.REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.SWF_TOKEN }} | ||
| dockerImage: "meedsio/meeds" | ||
| dockerImageTag: ${{ needs.parse-docker-build-env.outputs.buildTags }} | ||
| DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} | ||
| DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | ||
|
|
||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: metaghcr | ||
| uses: docker/metadata-action@v4 | ||
| sign-dockerhub-image: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| strategy: | ||
| fail-fast: false | ||
| max-parallel: 1 | ||
| matrix: | ||
| tags: ${{ fromJson(needs.build-dockerhub-image.outputs.tags) }} | ||
| name: "sign-docker-image" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 120 | ||
| needs: build-dockerhub-image | ||
| steps: | ||
| - name: sign docker image | ||
| uses: exo-actions/buildDockerImage-action/sign-image@v1 | ||
| id: sign-docker-image | ||
| with: | ||
| images: ${{ env.REGISTRY }}/${{ env.GHCR_IMAGE_NAME }} | ||
| flavor: | | ||
| latest=false | ||
| dockerImage: "meedsio/meeds" | ||
| DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} | ||
| DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | ||
| DOCKER_PRIVATE_KEY_ID: ${{secrets.DOCKER_PRIVATE_KEY_ID}} | ||
| DOCKER_PRIVATE_KEY: ${{secrets.DOCKER_PRIVATE_KEY}} | ||
| DOCKER_PRIVATE_KEY_PASSPHRASE: ${{secrets.DOCKER_PRIVATE_KEY_PASSPHRASE}} | ||
|
|
||
| - name: Build and push Docker image to ghcr.io | ||
| uses: docker/build-push-action@v4 | ||
| id: pushghcr | ||
| attest-dockerhub-image: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| attestations: write | ||
| name: "attest-docker-image" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 120 | ||
| needs: build-dockerhub-image | ||
| steps: | ||
| - name: attest docker image | ||
| uses: exo-actions/buildDockerImage-action/attest-image@v1 | ||
| id: attest-docker-image | ||
| with: | ||
| context: . | ||
| push: true | ||
| tags: ${{ steps.metaghcr.outputs.tags }} | ||
| labels: ${{ steps.metaghcr.outputs.labels }} | ||
| dockerImage: "meedsio/meeds" | ||
| dockerImageDigest: ${{ needs.build-dockerhub-image.outputs.digest }} | ||
| DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} | ||
| DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | ||
| attestImage: "true" | ||
|
|
||
| - name: Log in to Docker Hub | ||
| uses: docker/login-action@v2 | ||
| cosign-dockerhub-image: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| attestations: write | ||
| name: "cosign-docker-image" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 120 | ||
| needs: build-dockerhub-image | ||
| steps: | ||
| - name: attest docker image | ||
| uses: exo-actions/buildDockerImage-action/cosign-image@v1 | ||
| id: cosign-docker-image | ||
| with: | ||
| username: ${{ secrets.DOCKER_USERNAME }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
| dockerImage: "meedsio/meeds" | ||
| dockerImageTag: ${{ needs.build-dockerhub-image.outputs.tags }} | ||
| dockerImageDigest: ${{ needs.build-dockerhub-image.outputs.digest }} | ||
| DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} | ||
| DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | ||
| cosignImage: "true" | ||
| cosignOidcImage: "true" | ||
| COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} | ||
| COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | ||
|
|
||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: metadockerhub | ||
| uses: docker/metadata-action@v4 | ||
| with: | ||
| images: ${{ env.DOCKERHUB_IMAGE_NAME }} | ||
| flavor: | | ||
| latest=false | ||
| # ghcr docker image build | ||
|
|
||
| - name: Build and push Docker image to Dockerhub | ||
| uses: docker/build-push-action@v4 | ||
| id: pushdockerhub | ||
| build-ghcr-image: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| attestations: write | ||
| name: "Build Docker Images and push them to ghcr Registry" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| tags: ${{ steps.build-ghcr-image.outputs.tags }} | ||
| digest: ${{ steps.build-ghcr-image.outputs.digest }} | ||
| timeout-minutes: 120 | ||
| needs: parse-docker-build-env | ||
| steps: | ||
| - name: build docker image | ||
| uses: exo-actions/buildDockerImage-action/build-and-push-image@v1 | ||
| id: build-ghcr-image | ||
| with: | ||
| context: . | ||
| push: true | ||
| tags: ${{ steps.metadockerhub.outputs.tags }} | ||
| labels: ${{ steps.metadockerhub.outputs.labels }} | ||
| dockerImage: "meeds-io/meeds/meeds-io" | ||
| dockerImageTag: ${{ needs.parse-docker-build-env.outputs.buildTags }} | ||
| DOCKER_USERNAME: ${{ secrets.SWF_ACTOR }} | ||
| DOCKER_PASSWORD: ${{ secrets.SWF_TOKEN }} | ||
| dockerRegistry: "ghcr.io" | ||
|
|
||
| - name: Sign the published Dockerhub Docker image with DCT | ||
| uses: sudo-bot/action-docker-sign@latest | ||
| sign-ghcr-image: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| strategy: | ||
| fail-fast: false | ||
| max-parallel: 1 | ||
| matrix: | ||
| tags: ${{ fromJson(needs.build-ghcr-image.outputs.tags) }} | ||
| name: "sign-docker-image" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 120 | ||
| needs: build-ghcr-image | ||
| steps: | ||
| - name: sign docker image | ||
| uses: exo-actions/buildDockerImage-action/sign-image@v1 | ||
| id: sign-docker-image | ||
| with: | ||
| image-ref: ${{ steps.metadockerhub.outputs.tags }} | ||
| private-key-id: "${{ secrets.DOCKER_PRIVATE_KEY_ID }}" | ||
| private-key: ${{ secrets.DOCKER_PRIVATE_KEY }} | ||
| private-key-passphrase: ${{ secrets.DOCKER_PRIVATE_KEY_PASSPHRASE }} | ||
| dockerImage: "meeds-io/meeds/meeds-io" | ||
| DOCKER_USERNAME: ${{ secrets.SWF_ACTOR }} | ||
| DOCKER_PASSWORD: ${{ secrets.SWF_TOKEN }} | ||
| DOCKER_PRIVATE_KEY_ID: ${{secrets.DOCKER_PRIVATE_KEY_ID}} | ||
| DOCKER_PRIVATE_KEY: ${{secrets.DOCKER_PRIVATE_KEY}} | ||
| DOCKER_PRIVATE_KEY_PASSPHRASE: ${{secrets.DOCKER_PRIVATE_KEY_PASSPHRASE}} | ||
| dockerRegistry: "ghcr.io" | ||
|
|
||
| - name: Install Cosign | ||
| uses: sigstore/[email protected] | ||
|
|
||
| - name: Sign the published ghcr.io Docker image with Cosign | ||
| run: | | ||
| images="" | ||
| for tag in ${TAGS}; do | ||
| images+="${tag}@${DIGEST} " | ||
| done | ||
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images} | ||
| env: | ||
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | ||
| DIGEST: ${{ steps.pushghcr.outputs.digest }} | ||
| TAGS: ${{ steps.metaghcr.outputs.tags }} | ||
|
|
||
| - name: Sign the images with GitHub OIDC Token | ||
| run: | | ||
| images="" | ||
| for tag in ${TAGS}; do | ||
| images+="${tag}@${DIGEST} " | ||
| done | ||
| cosign sign --yes ${images} | ||
| env: | ||
| DIGEST: ${{ steps.pushghcr.outputs.digest }} | ||
| TAGS: ${{ steps.metaghcr.outputs.tags }} | ||
| attest-ghcr-image: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| attestations: write | ||
| name: "attest-docker-image" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 120 | ||
| needs: build-ghcr-image | ||
| steps: | ||
| - name: attest docker image | ||
| uses: exo-actions/buildDockerImage-action/attest-image@v1 | ||
| id: attest-docker-image | ||
| with: | ||
| dockerImage: "meeds-io/meeds/meeds-io" | ||
| dockerImageDigest: ${{ needs.build-ghcr-image.outputs.digest }} | ||
| DOCKER_USERNAME: ${{ secrets.SWF_TOKEN }} | ||
| DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | ||
| attestImage: "true" | ||
| dockerRegistry: "ghcr.io" | ||
| attestImageRegistry: "ghcr.io" | ||
|
|
||
| - name: Sign the published Dockerhub Docker image with Cosign | ||
| run: | | ||
| images="" | ||
| for tag in ${TAGS}; do | ||
| images+="${tag}@${DIGEST} " | ||
| done | ||
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images} | ||
| env: | ||
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | ||
| DIGEST: ${{ steps.pushdockerhub.outputs.digest }} | ||
| TAGS: ${{ steps.metadockerhub.outputs.tags }} | ||
| cosign-ghcr-image: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| attestations: write | ||
| name: "cosign-docker-image" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 120 | ||
| needs: build-ghcr-image | ||
| steps: | ||
| - name: attest docker image | ||
| uses: exo-actions/buildDockerImage-action/cosign-image@v1 | ||
| id: cosign-docker-image | ||
| with: | ||
| dockerImage: "meeds-io/meeds/meeds-io" | ||
| dockerImageTag: ${{ needs.build-ghcr-image.outputs.tags }} | ||
| dockerImageDigest: ${{ needs.build-ghcr-image.outputs.digest }} | ||
| DOCKER_USERNAME: ${{ secrets.SWF_ACTOR }} | ||
| DOCKER_PASSWORD: ${{ secrets.SWF_TOKEN }} | ||
| cosignImage: "true" | ||
| cosignOidcImage: "true" | ||
| COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} | ||
| COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | ||
| dockerRegistry: "ghcr.io" | ||