name: Publish Docker image on: schedule: - cron: '24 0 * * 1' workflow_dispatch: push: branches: - 'master' tags: - 'v*' pull_request: branches: - 'master' env: IMAGE_NAME: ${{ github.repository }} jobs: build-and-push-image: runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write # needed for signing the images with GitHub OIDC Token attestations: write steps: - name: Checkout repository uses: actions/checkout@v3 with: fetch-depth: 1 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install Cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@v3.3.0 with: cosign-release: 'v2.2.2' - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata app id: meta-app uses: docker/metadata-action@v4.4.0 with: images: ghcr.io/${{ env.IMAGE_NAME }}-app tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=sha,format=long - name: Extract Docker metadata backend id: meta-backend uses: docker/metadata-action@v4.4.0 with: images: ghcr.io/${{ env.IMAGE_NAME }}-backend tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=sha,format=long # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and Push App container images uses: docker/build-push-action@v4 id: build-and-push-app with: context: . platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta-app.outputs.tags }} labels: ${{ steps.meta-app.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max file: ./app.dockerfile - name: Build and Push Backend container images uses: docker/build-push-action@v4 id: build-and-push-backend with: context: . platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta-backend.outputs.tags }} labels: ${{ steps.meta-backend.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max file: ./backend.dockerfile - name: Sign the app images with GitHub OIDC Token env: DIGEST: ${{ steps.build-and-push-app.outputs.digest }} TAGS: ${{ steps.meta-app.outputs.tags }} run: | images="" for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done cosign sign --yes ${images} - name: Sign the backend images with GitHub OIDC Token env: DIGEST: ${{ steps.build-and-push-backend.outputs.digest }} TAGS: ${{ steps.meta-backend.outputs.tags }} run: | images="" for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done cosign sign --yes ${images} - name: Attest app uses: actions/attest-build-provenance@v1 id: attest-app with: subject-name: ghcr.io/${{ env.IMAGE_NAME }}-app subject-digest: ${{ steps.build-and-push-app.outputs.digest }} push-to-registry: true - name: Attest backend uses: actions/attest-build-provenance@v1 id: attest-backend with: subject-name: ghcr.io/${{ env.IMAGE_NAME }}-backend subject-digest: ${{ steps.build-and-push-backend.outputs.digest }} push-to-registry: true