Skip to content
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
164 changes: 143 additions & 21 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,26 +12,45 @@ jobs:
permissions:
contents: read
outputs:
matrix: ${{ steps.generate.outputs.matrix }}
matrix: ${{ steps.plan.outputs.matrix }}
targets: ${{ steps.plan.outputs.targets }}
Comment thread
fzipi marked this conversation as resolved.
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # actions/checkout@v5
- name: List targets
id: generate
uses: docker/bake-action/subaction/matrix@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6
with:
target: default
fields: platforms
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # docker/setup-buildx-action@v3.11.1

- name: Resolve bake configuration
id: plan
run: |
set -euo pipefail
docker buildx bake --print default > bake-metadata.json
matrix=$(jq -c '[
.target | to_entries[] | .key as $target | .value.platforms[] |
{target: $target, platform: .}
]' bake-metadata.json)
targets=$(jq -c '.target | keys' bake-metadata.json)
echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
echo "targets=$targets" >> "$GITHUB_OUTPUT"
Comment thread
fzipi marked this conversation as resolved.
Outdated

- name: Upload bake metadata
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # actions/upload-artifact@v7.0.1
with:
name: bake-metadata
path: bake-metadata.json
retention-days: 1

build:
name: Build ${{ matrix.target }}
runs-on: ${{ startsWith(matrix.platforms, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
name: Build ${{ matrix.target }} (${{ matrix.platform }})
runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
needs:
- prepare
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
strategy:
matrix:
include: ${{ fromJson(needs.prepare.outputs.matrix) }}
Expand All @@ -40,9 +59,12 @@ jobs:
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # actions/checkout@v5
with:
fetch-depth: 1
persist-credentials: false

- name: Install Cosign
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # sigstore/cosign-installer@v3.9.2
- name: Download bake metadata
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # actions/download-artifact@v8.0.1
with:
name: bake-metadata

# https://github.com/docker/setup-qemu-action
- name: Set up QEMU
Expand All @@ -69,27 +91,127 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: 'Build and push ${{ matrix.target }}'
- name: Determine push-by-digest repository
id: repo
env:
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
repo=$(jq -r --arg t "$TARGET" '.target[$t].tags[0] | split(":")[0]' bake-metadata.json)
echo "repo=$repo" >> "$GITHUB_OUTPUT"
Comment thread
fzipi marked this conversation as resolved.
Outdated

- name: 'Build and push ${{ matrix.target }} (${{ matrix.platform }}) by digest'
id: build-and-push
uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # docker/bake-action@v6.9.0
with:
files: |
./docker-bake.hcl
targets: ${{ matrix.target }}
set: |
*.platform=${{ matrix.platforms }}
push: true
${{ matrix.target }}.platform=${{ matrix.platform }}
${{ matrix.target }}.tags=
Comment thread
fzipi marked this conversation as resolved.
${{ matrix.target }}.output=type=image,name=${{ steps.repo.outputs.repo }},push-by-digest=true,name-canonical=true,push=true
provenance: true
sbom: true

- name: 'Sign the image for ${{ matrix.target }} with GitHub OIDC Token'
- name: Export digest
env:
METADATA: ${{ steps.build-and-push.outputs.metadata }}
TARGET: ${{ matrix.target }}
run: |
DIGEST=$(echo ${METADATA} | jq -r '."${{ matrix.target }}" ."containerimage.digest"')
TAGS=$(echo ${METADATA} | jq -r '."${{ matrix.target }}" ."image.name" | tostring' | tr ',' '\n')
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
set -euo pipefail
digest=$(echo "$METADATA" | jq -r --arg t "$TARGET" '.[$t]."containerimage.digest"')
Comment thread
fzipi marked this conversation as resolved.
Outdated
mkdir -p /tmp/digests
touch "/tmp/digests/${digest#sha256:}"
Comment thread
theseion marked this conversation as resolved.

- name: Platform slug
id: slug
run: echo "slug=$(echo '${{ matrix.platform }}' | tr '/' '-')" >> "$GITHUB_OUTPUT"

- name: Upload digest
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # actions/upload-artifact@v7.0.1
with:
name: digests-${{ matrix.target }}-${{ steps.slug.outputs.slug }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1

merge:
name: Merge ${{ matrix.target }}
runs-on: ubuntu-latest
needs:
- prepare
- build
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
strategy:
matrix:
target: ${{ fromJson(needs.prepare.outputs.targets) }}
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # sigstore/cosign-installer@v3.9.2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # docker/setup-buildx-action@v3.11.1

- name: Login to DockerHub
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
with:
username: ${{ secrets.dockerhub_user }}
password: ${{ secrets.dockerhub_token }}

- name: Login to GitHub Container Registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Download bake metadata
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # actions/download-artifact@v8.0.1
with:
name: bake-metadata

- name: Download digests
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # actions/download-artifact@v8.0.1
with:
path: /tmp/digests
pattern: digests-${{ matrix.target }}-*
merge-multiple: true

- name: 'Create and push manifest list for ${{ matrix.target }}'
id: manifest
env:
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
repo=$(jq -r --arg t "$TARGET" '.target[$t].tags[0] | split(":")[0]' bake-metadata.json)
first_tag=$(jq -r --arg t "$TARGET" '.target[$t].tags[0]' bake-metadata.json)

tag_args=()
while IFS= read -r tag; do
tag_args+=(-t "$tag")
done < <(jq -r --arg t "$TARGET" '.target[$t].tags[]' bake-metadata.json)

sources=()
for digest_file in /tmp/digests/*; do
sources+=("${repo}@sha256:$(basename "$digest_file")")
done
cosign sign --yes ${images}

docker buildx imagetools create "${tag_args[@]}" "${sources[@]}"
digest=$(docker buildx imagetools inspect "$first_tag" --format '{{json .Manifest}}' | jq -r '.digest')
echo "digest=$digest" >> "$GITHUB_OUTPUT"
Comment thread
fzipi marked this conversation as resolved.

- name: 'Sign the manifest for ${{ matrix.target }} with GitHub OIDC Token'
env:
DIGEST: ${{ steps.manifest.outputs.digest }}
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
images=()
while IFS= read -r tag; do
images+=("${tag}@${DIGEST}")
done < <(jq -r --arg t "$TARGET" '.target[$t].tags[]' bake-metadata.json)
Comment thread
fzipi marked this conversation as resolved.
Outdated
cosign sign --yes "${images[@]}"
Loading