Merge pull request #984 from jvanz/main #387
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build container image and sign it | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| - "feat-**" | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Build container image | |
| permissions: | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Retrieve tag name (main branch) | |
| if: ${{ startsWith(github.ref, 'refs/heads/main') }} | |
| run: | | |
| echo TAG_NAME=latest >> $GITHUB_ENV | |
| - name: Retrieve tag name (feat branch) | |
| if: ${{ startsWith(github.ref, 'refs/heads/feat') }} | |
| run: | | |
| echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV | |
| - name: Push and push container image | |
| id: build-image | |
| uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| platforms: linux/amd64, linux/arm64 | |
| push: true | |
| sbom: false # SBOM for feature and main branches is not generated | |
| provenance: false # Provenance for feature and main branches is not generated | |
| tags: | | |
| ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }} | |
| - name: Sign container image | |
| run: | | |
| cosign sign --yes ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }} | |
| cosign verify \ | |
| --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
| --certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/container-build.yml@${{ github.ref }}" \ | |
| ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }} |