From 700a4700c59b4cffa97bbaf5de62ba1b0e95d512 Mon Sep 17 00:00:00 2001 From: FarisZR <35614734+FarisZR@users.noreply.github.com> Date: Sat, 6 Aug 2022 01:03:46 +0300 Subject: [PATCH] Swtich to buildx, and build for ARM64 --- .github/workflows/docker.yml | 82 +++++++++++++++++++++++++++++++----- 1 file changed, 71 insertions(+), 11 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 0a70906..7b10421 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -1,42 +1,102 @@ -name: Create and publish a Docker image +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. on: push: - branches: - - master + branches: [ master ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + pull_request: + branches: [ master ] env: + # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io + # github.repository as / IMAGE_NAME: ${{ github.repository }} + jobs: - build-and-push-image: + build: + runs-on: ubuntu-latest permissions: contents: read packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - name: Checkout repository uses: actions/checkout@v3 - - name: Log in to the Container registry - uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 + - name: Setup QEMU + uses: docker/setup-qemu-action@v2 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.9.0' + + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@v2 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@v2 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract metadata (tags, labels) for Docker + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@v3 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Set some variables for the image + run: | + echo "IMAGE_VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV + echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV - name: Build and push Docker image - uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + id: build-and-push + uses: docker/build-push-action@v2 with: context: . - push: true - tags: ${{ steps.meta.outputs.tags }} + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: | + ghcr.io/${{ env.IMAGE_NAME }}:latest + ghcr.io/${{ env.IMAGE_NAME }}:${{ env.IMAGE_VERSION }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}