From 33ccc842f26da8702c84fcc7d1544b03ce463ac4 Mon Sep 17 00:00:00 2001 From: Andreas Falk Date: Sun, 8 Oct 2023 23:07:42 +0200 Subject: [PATCH] Fix provenance task --- .github/workflows/publish.yml | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d6cf835..db84ef3 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -8,6 +8,9 @@ jobs: permissions: contents: read packages: write + outputs: + image: ${{ steps.image.outputs.image }} + digest: ${{ steps.build.outputs.digest }} steps: - uses: actions/checkout@v4 - uses: actions/setup-java@v3 @@ -18,15 +21,32 @@ jobs: run: mvn --batch-mode deploy env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Build image - run: docker build . --file Dockerfile --platform linux/amd64 --tag "andifalk/supply-chain-security:${GITHUB_REF_NAME}" - - name: Push image - run: docker push "andifalk/supply-chain-security:${GITHUB_REF_NAME}" + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a + with: + images: andifalk/supply-chain-security + - name: Build and push Docker image + uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 + id: build + with: + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + - name: Output image + id: image + run: | + # NOTE: Set the image as an output because the `env` context is not + # available to the inputs of a reusable workflow call. + image_name="andifalk/supply-chain-security" + echo "image=$image_name" >> "$GITHUB_OUTPUT" # This step calls the container workflow to generate provenance and push it to # the container registry. @@ -38,7 +58,8 @@ jobs: packages: write # for uploading attestations. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 with: - image: "andifalk/supply-chain-security:${GITHUB_REF_NAME}" + image: "andifalk/supply-chain-security" + digest: ${{ needs.build.outputs.digest }} registry-username: andifalk secrets: registry-password: ${{ secrets.DOCKERHUB_TOKEN }} \ No newline at end of file