Build and publish Docker images #19

Workflow file for this run

	name: Build and publish Docker images

	on:
	workflow_dispatch:
	inputs:
	version:
	description: 'The version of zizmor to build against'
	required: true

	permissions: {}

	env:
	ZIZMOR_IMAGE: ghcr.io/woodruffw/zizmor

	jobs:
	build:
	strategy:
	fail-fast: false
	matrix:
	image:
	- runner: ubuntu-latest
	platform: linux/amd64
	platform-pair: linux-amd64
	- runner: ubuntu-24.04-arm
	platform: linux/arm64
	platform-pair: linux-arm64

	name: Build and publish Docker image (${{ matrix.image.runner }})

	runs-on: ${{ matrix.image.runner }}

	environment:
	name: docker

	permissions:
	contents: read
	packages: write

	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
	with:
	persist-credentials: false

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
	with:
	cache-binary: false

	- name: Extract Docker metadata
	id: docker-metadata
	uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
	with:
	images: "${{ env.ZIZMOR_IMAGE }}"

	- name: Login to GHCR
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
	if: github.repository_owner == 'woodruffw'
	with:
	registry: ghcr.io
	username: "${{ github.repository_owner }}"
	password: "${{ secrets.GITHUB_TOKEN }}"

	- name: Build and push by digest
	id: build
	uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
	with:
	platforms: ${{ matrix.image.platform }}
	labels: ${{ steps.docker-metadata.outputs.labels }}
	outputs: type=image,"name=${{ env.ZIZMOR_IMAGE }}",push-by-digest=true,name-canonical=true,push=true

	- name: Export digest
	run: \|
	mkdir -p ${{ runner.temp }}/digests
	digest="${DIGEST}"
	touch "${{ runner.temp }}/digests/${digest#sha256:}"
	env:
	DIGEST: ${{ steps.build.outputs.digest }}

	- name: Upload digest
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
	with:
	name: digests-${{ matrix.image.platform-pair }}
	path: ${{ runner.temp }}/digests/*
	if-no-files-found: error
	retention-days: 1

	merge:
	needs: build
	runs-on: ubuntu-latest

	environment:
	name: docker

	permissions:
	contents: read
	packages: write

	steps:
	- name: Download digests
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	path: ${{ runner.temp }}/digests
	pattern: digests-*
	merge-multiple: true

	- name: Login to GHCR
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
	if: github.repository_owner == 'woodruffw'
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
	with:
	cache-binary: false

	- name: Extract Docker metadata
	id: docker-metadata
	uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
	with:
	images: "${{ env.ZIZMOR_IMAGE }}"
	tags: \|
	type=raw,value=${{ github.event.inputs.version }}

	- name: Create manifest list and push
	working-directory: ${{ runner.temp }}/digests
	run: \|
	docker buildx imagetools create $(jq -cr '.tags \| map("-t " + .) \| join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
	$(printf '${{ env.ZIZMOR_IMAGE }}@sha256:%s ' *)

	- name: Inspect image
	run: \|
	docker buildx imagetools inspect "${ZIZMOR_IMAGE}:${VERSION}"
	env:
	VERSION: ${{ steps.docker-metadata.outputs.version }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build and publish Docker images #19

Workflow file

Build and publish Docker images #19

Jobs

Run details

Workflow file for this run