diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
index efecf31..6e2151f 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -14,55 +14,103 @@ env:
 jobs:
 buildx:
 runs-on: ubuntu-latest
+ permissions:
+ # cosign uses the GitHub OIDC token
+ id-token: write
+ # needed to upload artifacts to a GH release
+ contents: write
+ packages: write
+ repository-projects: write
 steps:
- -
+ - # Checkout Repository
 name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
- -
+ - # Set up QEMU
 name: Set up QEMU
 uses: docker/setup-qemu-action@v1
- -
+ - # Setup Docker buildx
 name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v1
- -
- name: Log in to the Container registry
- uses: docker/login-action@v1
+ uses: docker/setup-buildx-action@v2
+ - # Install cosign
+ name: Install Cosign
+ uses: sigstore/cosign-installer@v3.0.1
+ with:
+ cosign-release: v2.2.0
+ - # Login into registry
+ name: Login to GitHub Container Registry
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- -
+ - # Extract Docker metadata
 name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@v3
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- -
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ - # Build and push to GHCR Registry
 name: Build and push Docker image
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v5
+ id: build-tagged
 with:
- context: .
- push: true
+ push: ${{ github.event_name != 'pull_request' }}
 platforms: linux/amd64,linux/arm64
- tags: ${{ steps.meta.outputs.tags }}
- file: Dockerfile
 labels: ${{ steps.meta.outputs.labels }}
+ file: Dockerfile
 cache-from: type=gha
 cache-to: type=gha,mode=max
- -
+ tags: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ ${{ steps.meta.outputs.tags }}
+ - # Keyless signing of Image with Cosign
+ name: Sign the image with GitHub OIDC token
+ shell: bash
+ run: |
+ cosign sign \
+ --yes \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }}
+ - # Prepare verification assets
+ name: Prepare assets for upload
+ if: runner.os != 'Windows'
+ shell: bash
+ run: |
+ mkdir _dist
+ cat < verify.txt
+ cosign verify \\
+ --certificate-identity https://github.com/${{ github.workflow_ref }} \\
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \\
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }}
+ EOF
+ cp verify.txt _dist/
+ - # Upload verification assets
+ name: upload binary as GitHub artifact
+ if: runner.os != 'Windows'
+ uses: actions/upload-artifact@v3
+ with:
+ name: kwasm
+ path: _dist/
+ - # Configure Git
 name: Configure Git
 run: |
 git config user.name "$GITHUB_ACTOR"
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- -
+ - # Install Helm
 name: Install Helm
 uses: azure/setup-helm@v3
 with:
 version: v3.10.0
- -
+ - # Run chart-releaser
 name: Run chart-releaser
 if: github.ref == 'refs/heads/main'
 uses: helm/chart-releaser-action@v1.4.1
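Review bot: The reference handed to `cosign sign`, `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }}`, has a `:` in front of the `@`, which leaves an empty tag and is not a valid image reference; the same `:@` form is repeated in the `cosign verify` command written to verify.txt, so both should read `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-tagged.outputs.digest }}`. The signing step also lacks the `if: github.event_name != 'pull_request'` guard that the login and push steps carry, so on pull requests it will try to sign an image that was never pushed and with no registry credentials. The new `tags:` block on the build step pushes `:latest` on every non-PR event, so a push to any branch overwrites `latest`; metadata-action can gate it with `type=raw,value=latest,enable={{is_default_branch}}` so that tag only tracks the default branch. The `cat < verify.txt` line looks like a heredoc whose header was lost in this rendering (an `EOF` terminator follows it), so it is worth confirming the actual file writes rather than reads verify.txt.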