The server for Open Course World
name: Docker

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

on:
  # Manual runs from the Actions tab.
  workflow_dispatch:
  push:
    branches:
      - "main"
    # Publish semver tags as releases.
    tags:
      - "v*.*.*"
env:
  # Registry the image is pushed to; use docker.io for Docker Hub if empty.
  REGISTRY: ghcr.io
  # Resolves to <account>/<repo> from github.repository.
  IMAGE_NAME: "${{ github.repository }}"
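jobs:
  build:
    runs-on: ubuntu-latest
    # Ceiling for a hung build or push; the GitHub default is 360 minutes.
    # Raise it if the image legitimately takes longer to build.
    timeout-minutes: 60
    # Job-scoped token permissions; every scope not listed here is "none".
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    # NOTE(review): every action below is referenced by a mutable tag (@v4,
    # @v3, @v5, @v3.5.0). For a release pipeline that holds packages:write
    # and an OIDC token, pin each to a full-length commit SHA instead
    # (uses: owner/action@<40-hex-commit-sha> # vX.Y.Z) so a retagged or
    # compromised upstream release cannot change what runs here.
    # NOTE(review): no pull_request trigger is declared in `on:`, so the
    # `github.event_name != 'pull_request'` guards below are currently always
    # true; they are kept so the guards hold if such a trigger is added.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      # Workaround: https://github.com/docker/build-push-action/issues/461
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v3

      # Login against a Docker registry except on PR.
      # Uses the job-scoped GITHUB_TOKEN rather than a long-lived PAT.
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Sign the resulting Docker image digest except on PRs.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data. If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image
        if: github.event_name != 'pull_request'
        env:
          # Step outputs are passed through env vars rather than interpolated
          # into the shell line, so the shell treats their content as data
          # instead of splicing it into the command text.
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance. Each tag is signed as
        # tag@digest, so a later retag cannot move the signature to other content.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}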