11name : Push ghcr
22
3- # This workflow uses actions that are not certified by GitHub.
4- # They are provided by a third-party and are governed by
5- # separate terms of service, privacy policy, and support
6- # documentation.
7-
8- # on:
9- # schedule:
10- # - cron: '17 18 * * *'
11- # push:
12- # branches: [ "main" ]
13- # # Publish semver tags as releases.
14- # tags: [ 'v*.*.*' ]
15- # pull_request:
16- # branches: [ "main" ]
173on :
4+ push :
5+ tags : ["v*.*.*"]
186 workflow_dispatch :
197 inputs :
208 branch :
2311 default : " main"
2412
2513env :
26- # Use docker.io for Docker Hub if empty
2714 REGISTRY : ghcr.io
28- # github.repository as <account>/<repo>
2915 IMAGE_NAME : ${{ github.repository }}
3016
3117jobs :
@@ -34,57 +20,41 @@ jobs:
3420 permissions :
3521 contents : read
3622 packages : write
37- # This is used to complete the identity challenge
38- # with sigstore/fulcio when running outside of PRs.
3923 id-token : write
4024
4125 steps :
4226 - name : Checkout repository
4327 uses : actions/checkout@v4
4428 with :
45- ref : ${{ github.event.inputs.branch }}
29+ ref : ${{ github.ref }}
4630 submodules : " true"
4731
48- # Install the cosign tool except on PR
49- # https://github.com/sigstore/cosign-installer
5032 - name : Install cosign
5133 if : github.event_name != 'pull_request'
52- uses : sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
34+ 5335 with :
5436 cosign-release : " v2.2.4"
5537
56- # Set up BuildKit Docker container builder to be able to build
57- # multi-platform images and export cache
58- # https://github.com/docker/setup-buildx-action
5938 - name : Set up Docker Buildx
60- uses : docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
39+ 6140
62- # Login against a Docker registry except on PR
63- # https://github.com/docker/login-action
6441 - name : Log into registry ${{ env.REGISTRY }}
6542 if : github.event_name != 'pull_request'
66- uses : docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
43+ 6744 with :
6845 registry : ${{ env.REGISTRY }}
6946 username : ${{ github.actor }}
7047 password : ${{ secrets.GITHUB_TOKEN }}
7148
72- # Extract metadata (tags, labels) for Docker
73- # https://github.com/docker/metadata-action
7449 - name : Extract Docker metadata
7550 id : meta
76- uses : docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
51+ 7752 with :
7853 images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
79- tags : |
80- type=ref,event=branch
81- type=raw,value=${{ github.event.inputs.branch }}
8254
83- # Build and push Docker image with Buildx (don't push on PR)
84- # https://github.com/docker/build-push-action
8555 - name : Build and push Docker image
8656 id : build-and-push
87- uses : docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
57+ 8858 with :
8959 context : .
9060 push : ${{ github.event_name != 'pull_request' }}
9363 cache-from : type=gha
9464 cache-to : type=gha,mode=max
9565
96- # Sign the resulting Docker image digest except on PRs.
97- # This will only write to the public Rekor transparency log when the Docker
98- # repository is public to avoid leaking data. If you would like to publish
99- # transparency data even for private images, pass --force to cosign below.
100- # https://github.com/sigstore/cosign
10166 - name : Sign the published Docker image
10267 if : ${{ github.event_name != 'pull_request' }}
10368 env :
104- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
10569 TAGS : ${{ steps.meta.outputs.tags }}
10670 DIGEST : ${{ steps.build-and-push.outputs.digest }}
107- # This step uses the identity token to provision an ephemeral certificate
108- # against the sigstore community Fulcio instance.
10971 run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
0 commit comments