build-ubuntu-image.yml

name: Build and Publish Ubuntu Image

on:
  push:
    branches: [ "main" ]
    paths:
        - configs/Ubuntu/Dockerfile
        - .github/workflows/build-ubuntu-image.yml
  workflow_dispatch:

env:
  REGISTRY1: ghcr.io
  REGISTRY2: docker.io
  REGISTRY3: quay.io
  IMAGE_NAME: kasm-dev-ubuntu

jobs:
    
  ubuntu-image-docker:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      attestations: write
    steps:
    - uses: actions/checkout@v4

    - name: Login to Docker Hub
      uses: docker/login-action@v3
      with:
          registry: ${{ env.REGISTRY2 }}
          username: ${{ github.actor }}
          password: ${{ secrets.DOCKER_TOKEN }}

    - name: Build and push image
      id: push-docker
      uses: docker/build-push-action@v5.3.0
      with:
        context: configs/Ubuntu
        push: true
        tags: ${{ env.REGISTRY2 }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:latest
    
    - uses: sigstore/cosign-installer@v3.5.0
    - name: Sign container image
      run: |
        cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY2 }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:latest
      env:
        COSIGN_EXPERIMENTAL: false
        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}

    - name: Attest pushed image
      uses: actions/attest-build-provenance@v1
      id: attest
      with:
        subject-name: index.docker.io/${{ github.actor }}/${{ env.IMAGE_NAME }}
        subject-digest: ${{ steps.push-docker.outputs.digest }}
        push-to-registry: true

  ubuntu-image-ghcr:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      packages: write
      attestations: write
    steps:
    - uses: actions/checkout@v4

    - name: Login to GitHub Container Registry
      uses: docker/login-action@v3
      with:
          registry: ${{ env.REGISTRY1 }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

    - name: Build and push image
      id: push-ghcr
      uses: docker/build-push-action@v5.3.0
      with:
        context: configs/Ubuntu
        push: true
        tags: ${{ env.REGISTRY1 }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:latest
    
    - uses: sigstore/cosign-installer@v3.5.0
    - name: Sign container image
      run: |
        cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY1 }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:latest
      env:
        COSIGN_EXPERIMENTAL: false
        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}

    - name: Attest pushed image
      uses: actions/attest-build-provenance@v1
      id: attest
      with:
        subject-name: ${{ env.REGISTRY1 }}/${{ github.actor }}/${{ env.IMAGE_NAME }}
        subject-digest: ${{ steps.push-ghcr.outputs.digest }}
        push-to-registry: true

  ubuntu-image-quay:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      attestations: write
    steps:
    - uses: actions/checkout@v4

    - name: Login to QUAY
      uses: docker/login-action@v3
      with:
          registry: ${{ env.REGISTRY3 }}
          username: ${{ secrets.QUAY_USER }}
          password:  ${{ secrets.QUAY_TOKEN }}

    - name: Build and push image
      id: push-quay
      uses: docker/build-push-action@v5.3.0
      with:
        context: configs/Ubuntu
        push: true
        tags: ${{ env.REGISTRY3 }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:latest
    
    - uses: sigstore/cosign-installer@v3.5.0
    - name: Sign container image
      run: |
        cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY3 }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:latest
      env:
        COSIGN_EXPERIMENTAL: false
        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
  
    - name: Attest pushed image
      uses: actions/attest-build-provenance@v1
      id: attest
      with:
        subject-name: ${{ env.REGISTRY3 }}/${{ github.actor }}/${{ env.IMAGE_NAME }}
        subject-digest: ${{ steps.push-quay.outputs.digest }}
        push-to-registry: true