Build and publish images for container registries

Merge pull request #228 from coreruleset/develop #5

Workflow file for this run

.github/workflows/publish.yml at adddf02

	name: Build and publish images for container registries
	on:
	push:
	branches:
	- master

	jobs:
	prepare:
	runs-on: ubuntu-latest
	outputs:
	targets: ${{ steps.generate.outputs.targets }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: List targets
	id: generate
	uses: docker/bake-action/subaction/list-targets@v4

	build:
	name: Build ${{ matrix.target }}
	runs-on: ubuntu-latest
	needs:
	- prepare
	permissions:
	contents: read
	packages: write
	id-token: write # needed for signing the images with GitHub OIDC Token
	strategy:
	matrix:
	target: ${{ fromJson(needs.prepare.outputs.targets) }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Install Cosign
	uses: sigstore/[email protected]

	# https://github.com/docker/setup-qemu-action
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	# https://github.com/docker/setup-buildx-action
	- name: Set up Docker Buildx
	uses: docker/[email protected]
	with:
	driver-opts: image=moby/buildkit:master

	- name: Login to DockerHub
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	username: ${{ secrets.dockerhub_user }}
	password: ${{ secrets.dockerhub_token }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: 'Build and push to Docker Hub: ${{ matrix.target }}'
	id: build-and-push
	uses: docker/[email protected]
	with:
	files: \|
	./docker-bake.hcl
	targets: ${{ matrix.target }}
	push: true
	provenance: true
	sbom: true

	- name: Sign the images with GitHub OIDC Token
	env:
	METADATA: ${{ steps.build-and-push.outputs.metadata }}
	run: \|
	DIGEST=$(echo ${METADATA} \| jq -r '.[] \| ."containerimage.digest"')
	TAGS=$(echo ${METADATA} \| jq -r '.[] \| ."image.name" \| tostring' \| tr ',' '\n')
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done
	cosign sign --yes ${images}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #228 from coreruleset/develop #5

Workflow file

Merge pull request #228 from coreruleset/develop #5

Jobs

Run details

Workflow file for this run