Use OpenID Connect for container registry in CD Workflow (#2333)

* Cache layers using type=gha in CI/CD workflow

* Use OpenID Connect for container registry in CD Workflow

* Bump docker/dockerfile from experimental to 1

.github/workflows/cd.yml

@@ -17,35 +17,36 @@ jobs:
         uses: actions/checkout@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - name: Log into Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: container.chitoku.jp
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-      - name: Cache Buildx
-        uses: actions/cache@v3
-        with:
-          path: /tmp/buildx-cache
-          key: buildx-${{ github.sha }}
-          restore-keys: buildx-
       - name: Unpackage fonts
         run: |
           gpg --quiet --batch --yes --decrypt --passphrase=${{ secrets.FONTS_PASSPHRASE }} --output client/fonts.tar.gz client/fonts.tar.gz.gpg
           cd client/fonts
           tar xf ../fonts.tar.gz
-      - name: Build and push
+      - name: Build
         uses: docker/[email protected]
         with:
           files: docker-bake.hcl
-          push: true
+          load: true
           set: |
-            *.cache-from=type=local,src=/tmp/buildx-cache
-            *.cache-to=type=local,mode=max,dest=/tmp/buildx-cache.new
-      - name: Move cache
+            *.cache-from=type=gha
+            *.cache-to=type=gha,mode=max
+      - name: Set up ID token
+        uses: actions/github-script@v6
+        id: id-token
+        with:
+          result-encoding: string
+          script: |
+            return await core.getIDToken('container.chitoku.jp');
+      - name: Log into Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: container.chitoku.jp
+          username: oauth2accesstoken
+          password: ${{ steps.id-token.outputs.result }}
+      - name: Push to Container Registry
         run: |
-          rm -rf /tmp/buildx-cache
-          mv /tmp/buildx-cache{.new,}
+          docker push container.chitoku.jp/chitoku-k/homochecker/api
+          docker push container.chitoku.jp/chitoku-k/homochecker/web
   deploy:
     name: Deploy
     runs-on: ubuntu-latest

.github/workflows/ci.yml

@@ -11,19 +11,13 @@ jobs:
         uses: actions/checkout@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - name: Cache Buildx
-        uses: actions/cache@v3
-        with:
-          path: /tmp/buildx-cache
-          key: buildx-apitest-${{ github.sha }}
-          restore-keys: buildx-apitest-
       - name: Build
         uses: docker/build-push-action@v4
         with:
           context: ./api
           target: dev
-          cache-from: type=local,src=/tmp/buildx-cache
-          cache-to: type=local,mode=max,dest=/tmp/buildx-cache.new
+          cache-from: type=gha,scope=${{ github.ref_name }}-apitest
+          cache-to: type=gha,scope=${{ github.ref_name }}-apitest,mode=max
           load: true
           tags: homochecker-test_api
       - name: Run tests
@@ -47,10 +41,6 @@ jobs:
         env:
           COMPOSE_PROJECT_NAME: homochecker-test
           COMPOSE_FILE: compose.test.yaml
-      - name: Move cache
-        run: |
-          rm -rf /tmp/buildx-cache
-          mv /tmp/buildx-cache{.new,}
   web-test:
     name: Web Tests
     runs-on: ubuntu-latest
@@ -59,19 +49,13 @@ jobs:
         uses: actions/checkout@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - name: Cache Buildx
-        uses: actions/cache@v3
-        with:
-          path: /tmp/buildx-cache
-          key: buildx-webtest-${{ github.sha }}
-          restore-keys: buildx-webtest-
       - name: Build
         uses: docker/build-push-action@v4
         with:
           context: .
           target: dev
-          cache-from: type=local,src=/tmp/buildx-cache
-          cache-to: type=local,mode=max,dest=/tmp/buildx-cache.new
+          cache-from: type=gha,scope=${{ github.ref_name }}-webtest
+          cache-to: type=gha,scope=${{ github.ref_name }}-webtest,mode=max
           load: true
           tags: homochecker-test_build
       - name: Run lints
@@ -81,10 +65,6 @@ jobs:
         env:
           COMPOSE_PROJECT_NAME: homochecker-test
           COMPOSE_FILE: compose.test.yaml
-      - name: Move cache
-        run: |
-          rm -rf /tmp/buildx-cache
-          mv /tmp/buildx-cache{.new,}
   build:
     name: Build
     runs-on: ubuntu-latest
@@ -93,20 +73,10 @@ jobs:
         uses: actions/checkout@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - name: Cache Buildx
-        uses: actions/cache@v3
-        with:
-          path: /tmp/buildx-cache
-          key: buildx-${{ github.sha }}
-          restore-keys: buildx-
       - name: Build
         uses: docker/[email protected]
         with:
           files: docker-bake.hcl
           set: |
-            *.cache-from=type=local,src=/tmp/buildx-cache
-            *.cache-to=type=local,mode=max,dest=/tmp/buildx-cache.new
-      - name: Move cache
-        run: |
-          rm -rf /tmp/buildx-cache
-          mv /tmp/buildx-cache{.new,}
+            *.cache-from=type=gha
+            *.cache-to=type=gha,mode=max

Dockerfile

@@ -1,4 +1,4 @@
-# syntax = docker/dockerfile:experimental
+# syntax = docker/dockerfile:1
 FROM node:20.2.0-slim AS dependencies
 WORKDIR /usr/src/client
 RUN --mount=type=cache,id=client:/var/cache/apt,target=/var/cache/apt \

api/Dockerfile

@@ -1,4 +1,4 @@
-# syntax = docker/dockerfile:experimental
+# syntax = docker/dockerfile:1
 FROM debian:bullseye-slim AS build-dependencies
 RUN --mount=type=cache,id=api:/var/cache/apt,target=/var/cache/apt \
     --mount=type=cache,id=api:/var/lib/apt/lists,target=/var/lib/apt/lists \