diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 24a553f..207f0c5 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -52,6 +52,10 @@ jobs: actions: read security-events: write steps: + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - name: Lowercase Image name run: | echo "IMAGE=${IMAGE_NAME@L}" >>${GITHUB_ENV} @@ -165,9 +169,98 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta-hub.outputs.tags }} labels: ${{ steps.meta-hub.outputs.labels }} + outputs: type=image,name=${{ env.IMAGE_DOCKER_HUB }},push-by-digest=true,name-canonical=true,push=true cache-from: type=gha cache-to: type=gha,mode=max build-args: | BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") VCS_REF=$(git rev-parse --short HEAD) VERSION=${{ steps.version.outputs.version }} + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build-and-push-hub.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + merge: + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + actions: read + security-events: write + runs-on: ubuntu-latest + needs: + - build + steps: + - name: Set version + id: version + run: echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Docker meta + id: meta-hub + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE_DOCKER_HUB }} + tags: | + type=semver,pattern={{version}},value=${{ steps.version.outputs.version }} + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.IMAGE_DOCKER_HUB }}@sha256:%s ' *) + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.IMAGE_DOCKER_HUB }}:${{ steps.meta-hub.outputs.version }} + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Set repo + id: repo + run: | + if [[ $GITHUB_REF == "refs/heads/master" || $GITHUB_REF == refs/tags/* ]]; then + echo "repo=${DOCKER_REPO@L}" >> $GITHUB_OUTPUT + else + echo "repo=${DOCKER_REPO_DEV@L}" >> $GITHUB_OUTPUT + fi + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ steps.repo.outputs.repo }} + tags: | + type=semver,pattern={{version}},value=${{ steps.version.outputs.version }} + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ steps.repo.outputs.repo }}@sha256:%s ' *) + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ steps.repo.outputs.repo }}:${{ steps.meta-hub.outputs.version }} \ No newline at end of file