From eeedb94716dc0491e77f614870443ea066e558b4 Mon Sep 17 00:00:00 2001
From: Matthew Kilgore
Date: Wed, 19 Jun 2024 06:44:08 -0400
Subject: [PATCH] fix(ci): better version tagging

---
 .../workflows/docker-publish-rootless.yaml | 30 ++++++++++++++-----
 .github/workflows/docker-publish.yaml | 3 ++
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml
index d166fc9c..b98c41c8 100644
--- a/.github/workflows/docker-publish-rootless.yaml
+++ b/.github/workflows/docker-publish-rootless.yaml
@@ -1,4 +1,4 @@
-name: Docker rootless publish
+name: Docker publish rootless
 
 on:
   schedule:
@@ -18,7 +18,7 @@ env:
 
 
 jobs:
-  build:
+  build-rootless:
 
     runs-on: ubuntu-latest
     permissions:
@@ -26,6 +26,7 @@ jobs:
       packages: write
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
+      attestations: write
       id-token: write
 
     steps:
@@ -59,10 +60,17 @@ jobs:
       # Extract metadata (tags, labels) for Docker
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
-        id: meta
+        id: metadata
         uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=schedule,pattern=nightly
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
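Review bot: The tag list added under `with:` in the last hunk (`type=ref,event=branch`, the three semver patterns, `type=schedule,pattern=nightly`) is the same set docker-publish.yaml ends up with after this patch, and both workflows hand `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` to metadata-action; unless `IMAGE_NAME` differs between the two files (the `env:` block is outside the hunk), the rootless and regular builds will push identical `nightly`, branch and `1`/`1.2`/`1.2.3` tags to one repository and whichever job finishes last silently replaces the other's image. If the image name is shared, give this workflow a distinct flavor so the tags cannot collide, e.g. add under `with:` the lines `flavor: |` and `  suffix=-rootless,onlatest=true`. The cosign step later in this file reads `steps.metadata.outputs.tags`, so it would sign the suffixed tags without further changes.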
@@ -70,11 +78,10 @@ jobs:
         id: build-and-push
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
-          file: {context}/Dockerfile.rootless
           context: .
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@ -88,8 +95,17 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         env:
           # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
-          TAGS: ${{ steps.meta.outputs.tags }}
+          TAGS: ${{ steps.metadata.outputs.tags }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
\ No newline at end of file
diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
index d2f82a25..55322876 100644
--- a/.github/workflows/docker-publish.yaml
+++ b/.github/workflows/docker-publish.yaml
@@ -69,6 +69,8 @@ jobs:
             type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=schedule,pattern=nightly
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
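Review bot: Dropping `file: {context}/Dockerfile.rootless` from the build step's `with:` block makes this workflow build the default `Dockerfile` in `.`, i.e. the same image docker-publish.yaml builds, so the "rootless" image is no longer rootless unless the two Dockerfiles happen to be identical. The removed line was never usable — `{context}` is the placeholder used in build-push-action's docs for the default, and YAML reads a leading `{` as a flow mapping — which is presumably why it was removed, but the fix is to name the file, `file: ./Dockerfile.rootless`, not to remove it. The step's `- name:` line sits above the hunk, so the rest of the step is not visible here.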
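Review bot: The new Attest step references `actions/attest-build-provenance@v1`, a floating major tag, while every other action in this workflow (`docker/metadata-action@96383f…`, `docker/build-push-action@0565240e…`) is pinned to a full commit SHA with a version comment; a tag that can be moved or compromised runs with `id-token: write` and `packages: write` and would be producing the provenance that consumers trust. Pin it the same way as its siblings, `uses: actions/attest-build-provenance@<full-commit-sha> # v1.x.y`, and let Dependabot or Renovate bump the SHA. The `\ No newline at end of file` marker shows the added block also drops the trailing newline after `push-to-registry: true`; put it back, since yamllint and most editors flag it. `IMAGE_NAME` is defined outside the hunk — if it comes from `github.repository`, confirm it is lowercased, as registry subject names with capitals are rejected by OCI registries and, presumably, by the attest step.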
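Review bot: `type=semver,pattern={{major}}` in the docker-publish.yaml hunk produces a bare `0` tag for any `v0.x.y` release, which advertises an API stability semver does not grant for major zero and lets `:0` float across breaking releases; metadata-action's documented idiom is to disable the major tag for 0.x, `type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}`. The same line is added to docker-publish-rootless.yaml earlier in this patch and should get the same treatment. The `tags: |` block scalar this list belongs to starts above the hunk.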
@@ -102,6 +104,7 @@ jobs:
       - name: Attest
         uses: actions/attest-build-provenance@v1
         id: attest
+        if: ${{ github.event_name != 'pull_request' }}
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.build-and-push.outputs.digest }}
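Review bot: This patch grants `attestations: write` only in docker-publish-rootless.yaml (first file of the patch), while the Attest step in this workflow that the new `if:` guards needs the same permission plus `id-token: write`; the job's `permissions:` block is outside the hunk, so confirm it already carries both, otherwise the step fails at runtime on every non-PR run rather than being skipped. The guard itself is keyed on the event name instead of on whether an image was pushed, so it stays consistent with `push:` on the build step only by convention; a comment such as `# Must match the push: condition on build-and-push — no digest exists for PR builds` above the `if:` would make that coupling explicit. As in the rootless workflow, `uses: actions/attest-build-provenance@v1` is the only action here not pinned to a commit SHA and should be pinned like the others.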