From 3a26553b0732845bc238156e55b8815b914d9ee6 Mon Sep 17 00:00:00 2001
From: Spencer Schrock
Date: Wed, 13 Nov 2024 10:07:25 -0700
Subject: [PATCH] publish docker images to GitHub Container Registry (#1453)
The goal is to use GHCR to replace Google Container Registry (GCR) for future versions of Scorecard Action releases. These workflows will build two types of images:
1. Release images, which are tagged following a v1.2.3 pattern. These container images will be retained indefinitely.
2. Per-commit images for each push to main. These images are used when testing the action, and will be removed after a week.
Signed-off-by: Spencer Schrock
---
 .github/workflows/ghcr-retention.yml | 22 +++++++++++
 .github/workflows/ghcr.yml | 59 ++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)
 create mode 100644 .github/workflows/ghcr-retention.yml
 create mode 100644 .github/workflows/ghcr.yml
diff --git a/.github/workflows/ghcr-retention.yml b/.github/workflows/ghcr-retention.yml
new file mode 100644
index 00000000..37771f92
--- /dev/null
+++ b/.github/workflows/ghcr-retention.yml
@@ -0,0 +1,22 @@
+name: Delete untagged GHCR images
+on:
+  schedule:
+    - cron: '17 10 * * TUE' # Tuesday morning at 10:17 UTC
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  delete-untagged:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
+        with:
+          package-name: 'scorecard-action'
+          package-type: 'container'
+          # keep official releases
+          delete-only-untagged-versions: 'true'
+          # 'latest' counts as a tag, so this won't break the e2e tests
+          min-versions-to-keep: 0
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
new file mode 100644
index 00000000..dbf59b83
--- /dev/null
+++ b/.github/workflows/ghcr.yml
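Review bot: `delete-only-untagged-versions: 'true'` together with `min-versions-to-keep: 0` removes every untagged package version, and in GHCR that set also includes manifests that are untagged but still referenced by a tagged image — per-platform manifests of a multi-arch index and BuildKit provenance/SBOM attestation manifests show up as separate untagged versions. The publish workflow in ghcr.yml does not pass `platforms`, so the pushed image is probably a single manifest today, but as soon as multi-platform builds or build attestations are enabled this weekly job would strip the children out of a tagged release; worth confirming against the package's version list before the first scheduled run and recording the assumption, e.g. `# assumes single-manifest images; untagged child manifests of a multi-arch index would be deleted too`. Minor: the inputs mix a quoted `'true'` with a bare `0` — action inputs are strings either way, so `min-versions-to-keep: '0'` would keep the style uniform.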
@@ -0,0 +1,59 @@
+name: Publish GitHub Container Registry
+on:
+  push:
+    branches: ['main']
+    tags:
+      - v*
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # pushes to the default branch get labeled latest, otherwise use tag name
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=tag
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        # only publish attestation for our release builds
+        if: startsWith(github.ref, 'refs/tags/v')
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
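Review bot: `subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}` in the attestation step drops the space before the closing braces that every other expression in the file has (`images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}`); the expression still evaluates, but the attested subject and the pushed image name should be spelled identically so a reader can confirm at a glance that they match — a divergence between the two is what would make the provenance fail verification later. The `latest` tag is applied on every push to main and therefore names an untested per-commit build rather than the newest `v*` release, which the retention workflow also relies on; the comment above `tags:` should make that explicit, e.g. `# 'latest' tracks main (a per-commit test image), not the newest v* release tag`. The `v*` trigger and the `startsWith(github.ref, 'refs/tags/v')` guard on the attestation step also admit any `v`-prefixed tag, pre-release names included — fine if intentional, but a one-line comment tying the two conditions together would help the next reader keep them in sync.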