diff --git a/.github/workflows/build-push.yaml b/.github/workflows/build-push.yaml index 9e5f5d9..18e026e 100644 --- a/.github/workflows/build-push.yaml +++ b/.github/workflows/build-push.yaml @@ -11,13 +11,17 @@ on: - contactform/**/* - .github/workflows/build-push.yaml +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write - id-token: write + attestations: write steps: - name: Checkout repository uses: actions/checkout@v4 @@ -28,10 +32,16 @@ jobs: - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: - registry: ghcr.io + registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + - name: Cache Docker layers uses: actions/cache@v4 with: @@ -40,12 +50,20 @@ jobs: restore-keys: | ${{ runner.os }}-buildx- - - name: Build and Push Docker Image - uses: docker/build-push-action@v5 + - name: Build and Push Docker image + id: push + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 with: context: . - file: ./Dockerfile - tags: ghcr.io/vshn/conferenceli:latest + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache - push: true + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true