Merge pull request #14 from bill-of-materials/renovate/actions-attest… #51

Workflow file for this run

.github/workflows/docker_build_push.yml at b394169

	name: build_and_push
	on:
	push:
	branches:
	- main

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	env:
	GHCR_IMAGE_NAME: ${{ github.repository }}

	jobs:
	docker_build:
	runs-on: ubuntu-24.04
	permissions:
	packages: write
	contents: read
	id-token: write

	strategy:
	matrix:
	architecture:
	- linux/amd64
	- linux/arm64
	- linux/arm/v6
	- linux/arm/v7
	steps:
	- name: Set vars
	id: vars
	run: \|
	echo "platform=$(echo -n ${{ matrix.architecture }} \| sed 's/\//-/g')" >> $GITHUB_OUTPUT

	- name: Check out code
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@60a0d343a0d8a18aedee9d34e62251f752153bdb
	with:
	images: \|
	ghcr.io/${{ env.GHCR_IMAGE_NAME }}
	tags: \|
	# type=ref,event=branch
	# type=ref,event=tag
	# type=ref,event=pr
	type=sha,prefix=,suffix=-${{ matrix.architecture }}
	labels: \|
	org.opencontainers.image.authors=${{ github.repository_owner }}
	org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
	org.opencontainers.image.description=tg2 IRIG-B or WWV timecode generator
	org.opencontainers.image.licenses=MIT
	org.opencontainers.image.revision=${{ github.sha }}
	org.opencontainers.image.source=https://github.com/${{ github.repository }}
	org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }}
	org.opencontainers.image.url=https://github.com/${{ github.repository }}
	org.opencontainers.image.vendor=${{ github.repository_owner }}
	org.opencontainers.image.version=0.0.1
	annotations: \|
	org.opencontainers.image.authors=${{ github.repository_owner }}
	org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
	org.opencontainers.image.description=tg2 IRIG-B or WWV timecode generator
	org.opencontainers.image.licenses=MIT
	org.opencontainers.image.revision=${{ github.sha }}
	org.opencontainers.image.source=https://github.com/${{ github.repository }}
	org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }}
	org.opencontainers.image.url=https://github.com/${{ github.repository }}
	org.opencontainers.image.vendor=${{ github.repository_owner }}
	org.opencontainers.image.version=0.0.1

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3

	- name: Log in to the Container registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build and push Docker images
	id: build
	uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6
	with:
	push: true
	platforms: ${{ matrix.architecture }}
	annotations: ${{ steps.meta.outputs.annotations }}
	labels: ${{ steps.meta.outputs.labels }}
	tags: ${{ steps.meta.outputs.tags }}

	- name: Export digest
	run: \|
	mkdir -p /tmp/digests
	digest="${{ steps.build.outputs.digest }}"
	touch "/tmp/digests/${digest#sha256:}"

	- name: Upload digest
	uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
	with:
	name: digests-${{ steps.vars.outputs.platform }}
	path: /tmp/digests/*
	if-no-files-found: error
	retention-days: 1

	- name: Inspect image
	run: \|
	docker buildx imagetools inspect ${{ steps.meta.outputs.tags }}


	create_multi_platform_manifest_and_push:
	runs-on: ubuntu-24.04
	permissions:
	packages: write
	contents: read
	attestations: write
	id-token: write

	needs:
	- docker_build
	steps:
	- name: Download digests
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	path: /tmp/digests
	pattern: digests-*
	merge-multiple: true

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@60a0d343a0d8a18aedee9d34e62251f752153bdb
	with:
	images: \|
	ghcr.io/${{ env.GHCR_IMAGE_NAME }}
	docker.io/${{ vars.DOCKERHUB_IMAGE_NAME }}
	tags: \|
	type=sha
	labels: \|
	org.opencontainers.image.authors=${{ github.repository_owner }}
	org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
	org.opencontainers.image.description=tg2 IRIG-B or WWV timecode generator
	org.opencontainers.image.documentation=https://github.com/${{ github.repository }}
	org.opencontainers.image.licenses=MIT
	org.opencontainers.image.revision=${{ github.sha }}
	org.opencontainers.image.source=https://github.com/${{ github.repository }}
	org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }}
	org.opencontainers.image.url=https://github.com/${{ github.repository }}
	org.opencontainers.image.vendor=${{ github.repository_owner }}
	org.opencontainers.image.version=0.0.1
	annotations: \|
	org.opencontainers.image.authors=${{ github.repository_owner }}
	org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
	org.opencontainers.image.description=tg2 IRIG-B or WWV timecode generator
	org.opencontainers.image.documentation=https://github.com/${{ github.repository }}
	org.opencontainers.image.licenses=MIT
	org.opencontainers.image.revision=${{ github.sha }}
	org.opencontainers.image.source=https://github.com/${{ github.repository }}
	org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }}
	org.opencontainers.image.url=https://github.com/${{ github.repository }}
	org.opencontainers.image.vendor=${{ github.repository_owner }}
	org.opencontainers.image.version=0.0.1

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3

	- name: Log in to Docker Hub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_PASSWORD }}

	- name: Log in to the Container registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Create manifest list and push
	id: build
	working-directory: /tmp/digests
	run: \|
	docker buildx imagetools create \
	$(jq -cr '.tags \| map("-t " + .) \| join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
	$(jq -cr '.annotations \| map("--annotation " + gsub("manifest:"; "index:"))) \| join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
	$(printf 'ghcr.io/${{ env.GHCR_IMAGE_NAME }}@sha256:%s ' *)

	echo "" >> $GITHUB_OUTPUT

	- name: Inspect image
	id: digest
	run: \|
	docker buildx imagetools inspect ghcr.io/${{ env.GHCR_IMAGE_NAME }}:${{ steps.meta.outputs.version }}
	docker buildx imagetools inspect docker.io/${{ vars.DOCKERHUB_IMAGE_NAME }}:${{ steps.meta.outputs.version }}
	echo "digest=$(docker buildx imagetools inspect ghcr.io/${{ env.GHCR_IMAGE_NAME }}:${{ steps.meta.outputs.version }} \| head -n 3 \| grep Digest \| awk '{ print $2 }')" >> $GITHUB_OUTPUT

	- name: Generate artifact attestation (ghcr)
	id: push-ghcr
	uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1
	with:
	subject-name: ghcr.io/${{ env.GHCR_IMAGE_NAME }}
	subject-digest: ${{ steps.digest.outputs.digest }}
	push-to-registry: true

	- name: Generate artifact attestation (dockerhub)
	id: push-dockerhub
	uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1
	with:
	subject-name: index.docker.io/${{ vars.DOCKERHUB_IMAGE_NAME }}
	subject-digest: ${{ steps.digest.outputs.digest }}
	push-to-registry: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #14 from bill-of-materials/renovate/actions-attest… #51

Workflow file

Merge pull request #14 from bill-of-materials/renovate/actions-attest… #51

Jobs

Run details

Workflow file for this run