Skip to content

Merge pull request #11 from bill-of-materials/renovate/docker-login-a… #47

Merge pull request #11 from bill-of-materials/renovate/docker-login-a…

Merge pull request #11 from bill-of-materials/renovate/docker-login-a… #47

name: build_and_push
on:
push:
branches:
- main
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
GHCR_IMAGE_NAME: ${{ github.repository }}
jobs:
docker_build:
runs-on: ubuntu-24.04
permissions:
packages: write
contents: read
id-token: write
strategy:
matrix:
architecture:
- linux/amd64
- linux/arm64
- linux/arm/v6
- linux/arm/v7
steps:
- name: Set vars
id: vars
run: |
echo "platform=$(echo -n ${{ matrix.architecture }} | sed 's/\//-/g')" >> $GITHUB_OUTPUT
- name: Check out code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@60a0d343a0d8a18aedee9d34e62251f752153bdb
with:
images: |
ghcr.io/${{ env.GHCR_IMAGE_NAME }}
tags: |
# type=ref,event=branch
# type=ref,event=tag
# type=ref,event=pr
type=sha,prefix=,suffix=-${{ matrix.architecture }}
labels: |
org.opencontainers.image.authors=${{ github.repository_owner }}
org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
org.opencontainers.image.description=tg2 IRIG-B or WWV timecode generator
org.opencontainers.image.licenses=MIT
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }}
org.opencontainers.image.url=https://github.com/${{ github.repository }}
org.opencontainers.image.vendor=${{ github.repository_owner }}
org.opencontainers.image.version=0.0.1
annotations: |
org.opencontainers.image.authors=${{ github.repository_owner }}
org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
org.opencontainers.image.description=tg2 IRIG-B or WWV timecode generator
org.opencontainers.image.licenses=MIT
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }}
org.opencontainers.image.url=https://github.com/${{ github.repository }}
org.opencontainers.image.vendor=${{ github.repository_owner }}
org.opencontainers.image.version=0.0.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3
- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Docker images
id: build
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6
with:
push: true
platforms: ${{ matrix.architecture }}
annotations: ${{ steps.meta.outputs.annotations }}
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ steps.meta.outputs.tags }}
- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: digests-${{ steps.vars.outputs.platform }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ steps.meta.outputs.tags }}
create_multi_platform_manifest_and_push:
runs-on: ubuntu-24.04
permissions:
packages: write
contents: read
attestations: write
id-token: write
needs:
- docker_build
steps:
- name: Download digests
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@60a0d343a0d8a18aedee9d34e62251f752153bdb
with:
images: |
ghcr.io/${{ env.GHCR_IMAGE_NAME }}
docker.io/${{ vars.DOCKERHUB_IMAGE_NAME }}
tags: |
type=sha
labels: |
org.opencontainers.image.authors=${{ github.repository_owner }}
org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
org.opencontainers.image.description=tg2 IRIG-B or WWV timecode generator
org.opencontainers.image.documentation=https://github.com/${{ github.repository }}
org.opencontainers.image.licenses=MIT
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }}
org.opencontainers.image.url=https://github.com/${{ github.repository }}
org.opencontainers.image.vendor=${{ github.repository_owner }}
org.opencontainers.image.version=0.0.1
annotations: |
org.opencontainers.image.authors=${{ github.repository_owner }}
org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
org.opencontainers.image.description=tg2 IRIG-B or WWV timecode generator
org.opencontainers.image.documentation=https://github.com/${{ github.repository }}
org.opencontainers.image.licenses=MIT
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }}
org.opencontainers.image.url=https://github.com/${{ github.repository }}
org.opencontainers.image.vendor=${{ github.repository_owner }}
org.opencontainers.image.version=0.0.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3
- name: Log in to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create manifest list and push
id: build
working-directory: /tmp/digests
run: |
docker buildx imagetools create \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(jq -cr '.annotations | map("--annotation " + gsub("manifest:"; "index:"))) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf 'ghcr.io/${{ env.GHCR_IMAGE_NAME }}@sha256:%s ' *)
echo "" >> $GITHUB_OUTPUT
- name: Inspect image
id: digest
run: |
docker buildx imagetools inspect ghcr.io/${{ env.GHCR_IMAGE_NAME }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect docker.io/${{ vars.DOCKERHUB_IMAGE_NAME }}:${{ steps.meta.outputs.version }}
echo "digest=$(docker buildx imagetools inspect ghcr.io/${{ env.GHCR_IMAGE_NAME }}:${{ steps.meta.outputs.version }} | head -n 3 | grep Digest | awk '{ print $2 }')" >> $GITHUB_OUTPUT
- name: Generate artifact attestation (ghcr)
id: push-ghcr
uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1
with:
subject-name: ghcr.io/${{ env.GHCR_IMAGE_NAME }}
subject-digest: ${{ steps.digest.outputs.digest }}
push-to-registry: true
- name: Generate artifact attestation (dockerhub)
id: push-dockerhub
uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1
with:
subject-name: index.docker.io/${{ vars.DOCKERHUB_IMAGE_NAME }}
subject-digest: ${{ steps.digest.outputs.digest }}
push-to-registry: true