Publish Docker image multi-arch #384
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# https://docs.docker.com/build/ci/github-actions/multi-platform/ | |
name: Publish Docker image multi-arch | |
on: | |
push: | |
workflow_dispatch: | |
schedule: | |
- cron: "0 13 * * *" | |
pull_request: | |
types: [opened, synchronize, reopened] | |
branches: | |
- main | |
env: | |
REGISTRY: ghcr.io | |
REPO: pipeittodevnull | |
IMAGE: nginx-certbot | |
jobs: | |
docker: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
packages: write | |
attestations: write | |
id-token: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Log in to the Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# This step uses a verbose sha variable to remove the "sha-" default prefix. This is required so the image has a short sha prefix that is easier to obtain in the SBOM step. The SBOM step was previously using branch name to pull, but we are renaming our branches to all be "devel" so we cannot use the branch variable in the SBOM pull step | |
# We are doing a negative match on "main" to label any non-main branch as devel. There is an open issue for negative matching is_default_branch which would be better https://github.com/docker/metadata-action/issues/247 | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
context: git | |
images: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE }} | |
flavor: latest=auto | |
tags: | | |
type=sha,enable=true,priority=100,prefix=,suffix=,format=long | |
type=raw,value=devel,enable=${{ github.ref != format('refs/heads/{0}', 'main') }} | |
type=raw,value=latest,enable={{is_default_branch}} | |
- name: Build and push Docker image | |
id: push | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Generate artifact attestation | |
uses: actions/attest-build-provenance@v1 | |
with: | |
subject-name: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE}} | |
subject-digest: ${{ steps.push.outputs.digest }} | |
# This steps pulls the container, you need a valid already pushed image that will resolve to the container you just pushed 2 seconds ago. We are using the SHA here because I believe that to be the most truthful method | |
- name: Generate SBOM | |
uses: anchore/sbom-action@v0 | |
with: | |
image: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE}}:${{ github.sha }} | |
artifact-name: ${{ env.IMAGE }}-${{ github.sha }}spdx | |
format: spdx-json | |
upload-artifact: true | |
upload-artifact-retention: 7 |