diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 29e0490..af9f7a8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,35 +1,52 @@ name: release on: - push: - tags: "*" + push: + tags: "*" + +env: + REGISTRY: ghcr.io + IMAGE_NAME: WikiWatershed/rwd jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 - - - name: Set SHA_TAG - run: | - echo "SHA_TAG=`git rev-parse --short HEAD`" >> $GITHUB_ENV - - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Quay - uses: docker/login-action@v3 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_PASSWORD }} - - - name: Build and push - uses: docker/build-push-action@v6 - with: - push: true - tags: | - quay.io/wikiwatershed/rwd:${SHA_TAG} - quay.io/wikiwatershed/rwd:${{ github.ref_name }} - quay.io/wikiwatershed/rwd:latest + release: + runs-on: ubuntu-latest + + permissions: + contents: read + packages: write + attestations: write + id-token: write + + steps: + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push + id: push + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true
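Review bot: `subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}` in the attestation step receives `ghcr.io/WikiWatershed/rwd` with a mixed-case owner, while GHCR repository names must be lowercase; docker/metadata-action lowercases the image in the tags it emits, so the image is likely pushed as `ghcr.io/wikiwatershed/rwd` but the provenance subject (and the attestation pushed with `push-to-registry: true`) refers to a name that does not match — confirm against an actual run, and the simplest fix is `IMAGE_NAME: wikiwatershed/rwd`, which also matches the lowercase path the previous Quay tags used. The missing space in `${{ env.IMAGE_NAME}}` is valid expression syntax but should be normalised to `${{ env.IMAGE_NAME }}` for consistency with the other references. Separately, every `uses:` in the new job floats on a major tag (`@v1` through `@v6`); for a job holding `packages: write` and `id-token: write` and signing provenance, pinning each action to a full-length commit SHA with the version in a trailing comment (`uses: actions/attest-build-provenance@<full-commit-sha> # v1`) is the standard hardening, since a tag can be moved to different code. The `docker/setup-buildx-action` step was also dropped, so build-push-action falls back to the runner's default builder; that should still work on ubuntu-latest, but it is worth confirming that `steps.push.outputs.digest` is populated, because that digest is what the attestation is bound to.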