Skip to content

Publish Docker image multi-arch #384

Publish Docker image multi-arch

Publish Docker image multi-arch #384

Workflow file for this run

# https://docs.docker.com/build/ci/github-actions/multi-platform/
name: Publish Docker image multi-arch
on:
push:
workflow_dispatch:
schedule:
- cron: "0 13 * * *"
pull_request:
types: [opened, synchronize, reopened]
branches:
- main
env:
REGISTRY: ghcr.io
REPO: pipeittodevnull
IMAGE: nginx-certbot
jobs:
docker:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
attestations: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# This step uses a verbose sha variable to remove the "sha-" default prefix. This is required so the image has a short sha prefix that is easier to obtain in the SBOM step. The SBOM step was previously using branch name to pull, but we are renaming our branches to all be "devel" so we cannot use the branch variable in the SBOM pull step
# We are doing a negative match on "main" to label any non-main branch as devel. There is an open issue for negative matching is_default_branch which would be better https://github.com/docker/metadata-action/issues/247
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
context: git
images: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE }}
flavor: latest=auto
tags: |
type=sha,enable=true,priority=100,prefix=,suffix=,format=long
type=raw,value=devel,enable=${{ github.ref != format('refs/heads/{0}', 'main') }}
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
id: push
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE}}
subject-digest: ${{ steps.push.outputs.digest }}
# This steps pulls the container, you need a valid already pushed image that will resolve to the container you just pushed 2 seconds ago. We are using the SHA here because I believe that to be the most truthful method
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE}}:${{ github.sha }}
artifact-name: ${{ env.IMAGE }}-${{ github.sha }}spdx
format: spdx-json
upload-artifact: true
upload-artifact-retention: 7