docker.yaml
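# Release workflow: on every pushed tag matching "v*", build and push the
# chall-manager and chall-manager-janitor images to Docker Hub, then generate
# SLSA provenance for each pushed image digest.
name: Build Docker images

on:
  push:
    tags:
      - "v*"

# Workflow-wide default for GITHUB_TOKEN; every job below declares its own set.
permissions:
  contents: read

jobs:
  # Builds and pushes ctferio/chall-manager and exposes the pushed digest.
  docker-cm:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): the image is pushed to Docker Hub with the DOCKERHUB_*
      # secrets, so this GITHUB_TOKEN scope looks unused in this job; confirm
      # and drop it if nothing here publishes to GitHub Packages.
      packages: write
    outputs:
      # Digest of the pushed image, consumed by provenance-cm.
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout the repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # The steps below only read history (git log), so the job token
          # does not need to stay in the checkout's .git/config.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5  # v3.8.0

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96  # v5.6.1
        with:
          images: ctferio/chall-manager

      - name: Git commit date
        id: infos
        env:
          # The tag name reaches the script through the environment. Workflow
          # expressions are substituted into the script text before the shell
          # runs, so expanding the ref name inline would let its characters
          # be parsed as shell syntax.
          REF_NAME: ${{ github.ref_name }}
        run: |
          # trim version prefix
          version="${REF_NAME#v}"
          echo "version=$version" >> "$GITHUB_OUTPUT"
          # output date per RFC 3339; format-local under TZ=UTC makes the
          # trailing "Z" accurate (plain "format:" prints the committer's
          # own timezone while still labelling it UTC)
          date="$(TZ=UTC git log -1 --format=%cd --date=format-local:%Y-%m-%dT%H:%M:%SZ)"
          echo "date=$date" >> "$GITHUB_OUTPUT"

      - name: Build and push Docker image
        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
        id: build
        with:
          push: true
          sbom: true  # may not produce SBOM in manifest if the image has no filesystem (e.g. "FROM scratch")
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          file: Dockerfile.chall-manager
          build-args: |
            VERSION=${{ steps.infos.outputs.version }}
            COMMIT=${{ github.sha }}
            DATE=${{ steps.infos.outputs.date }}

  # This job calls the container workflow to generate provenance and push it to
  # the container registry.
  provenance-cm:
    needs: [docker-cm]
    permissions:
      actions: read  # for detecting the GitHub Actions environment.
      id-token: write  # for creating OIDC tokens for signing.
      packages: write  # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    # NOTE(review): the page rendered this reference as "[email protected]"
    # (e-mail obfuscation replaced "<workflow file>@<tag>"). The inputs and
    # secrets below match the generator's container workflow, so the file
    # name is restored; the release tag is not recoverable from the page and
    # vX.Y.Z is a placeholder to be replaced from the repository. Upstream
    # documents referencing this reusable workflow by release tag, not by SHA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@vX.Y.Z
    with:
      image: ctferio/chall-manager
      # Provenance is bound to the digest produced by the build job, not to
      # a mutable tag.
      digest: ${{ needs.docker-cm.outputs.digest }}
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}

  # Builds and pushes ctferio/chall-manager-janitor and exposes the pushed
  # digest.
  docker-cmj:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): the image is pushed to Docker Hub with the DOCKERHUB_*
      # secrets, so this GITHUB_TOKEN scope looks unused in this job; confirm
      # and drop it if nothing here publishes to GitHub Packages.
      packages: write
    outputs:
      # Digest of the pushed image, consumed by provenance-cmj.
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout the repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # The steps below only read history (git log), so the job token
          # does not need to stay in the checkout's .git/config.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5  # v3.8.0

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96  # v5.6.1
        with:
          images: ctferio/chall-manager-janitor

      - name: Git commit date
        id: infos
        env:
          # The tag name reaches the script through the environment. Workflow
          # expressions are substituted into the script text before the shell
          # runs, so expanding the ref name inline would let its characters
          # be parsed as shell syntax.
          REF_NAME: ${{ github.ref_name }}
        run: |
          # trim version prefix
          version="${REF_NAME#v}"
          echo "version=$version" >> "$GITHUB_OUTPUT"
          # output date per RFC 3339; format-local under TZ=UTC makes the
          # trailing "Z" accurate (plain "format:" prints the committer's
          # own timezone while still labelling it UTC)
          date="$(TZ=UTC git log -1 --format=%cd --date=format-local:%Y-%m-%dT%H:%M:%SZ)"
          echo "date=$date" >> "$GITHUB_OUTPUT"

      - name: Build and push Docker image
        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
        id: build
        with:
          push: true
          sbom: true  # may not produce SBOM in manifest if the image has no filesystem (e.g. "FROM scratch")
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          file: Dockerfile.chall-manager-janitor
          build-args: |
            VERSION=${{ steps.infos.outputs.version }}
            COMMIT=${{ github.sha }}
            DATE=${{ steps.infos.outputs.date }}

  # This job calls the container workflow to generate provenance and push it to
  # the container registry.
  provenance-cmj:
    needs: [docker-cmj]
    permissions:
      actions: read  # for detecting the GitHub Actions environment.
      id-token: write  # for creating OIDC tokens for signing.
      packages: write  # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    # NOTE(review): the page rendered this reference as "[email protected]"
    # (e-mail obfuscation replaced "<workflow file>@<tag>"). The inputs and
    # secrets below match the generator's container workflow, so the file
    # name is restored; the release tag is not recoverable from the page and
    # vX.Y.Z is a placeholder to be replaced from the repository. Upstream
    # documents referencing this reusable workflow by release tag, not by SHA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@vX.Y.Z
    with:
      image: ctferio/chall-manager-janitor
      # Provenance is bound to the digest produced by the build job, not to
      # a mutable tag.
      digest: ${{ needs.docker-cmj.outputs.digest }}
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}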