diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 2d8b2a4..995c3f5 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -23,34 +23,21 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. + contents: read + attestations: write id-token: write steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.1.1 - - name: Check install! - if: github.event_name != 'pull_request' - run: cosign version - - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_ACCOUNT_ID }} password: ${{ secrets.DOCKER_ACCESS_TOKEN }} @@ -63,61 +50,47 @@ jobs: echo "VERSION=${NEXT_VERSION}" >> $GITHUB_ENV echo "Next version to be published is: ${NEXT_VERSION}" - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + uses: docker/build-push-action@v6 with: context: . + file: Dockerfile push: ${{ github.event_name != 'pull_request' }} # This is needed so that a manifest is created, and we can have the same # docker container on both x86_64 and arm64. platforms: linux/amd64,linux/arm64 tags: ${{ env.VERSION }} - labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image + - name: Generate artifact attestation if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: | - echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.VERSION }} + subject-digest: ${{ steps.build-and-push.outputs.digest }} + push-to-registry: true - build-riscv64: + build-riscv: runs-on: ubuntu-latest permissions: - contents: read packages: write + contents: read + attestations: write id-token: write steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.1.1 - - name: Check install! - if: github.event_name != 'pull_request' - run: cosign version - - - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_ACCOUNT_ID }} password: ${{ secrets.DOCKER_ACCESS_TOKEN }} @@ -128,22 +101,22 @@ jobs: echo "VERSION=${NEXT_VERSION}" >> $GITHUB_ENV echo "Next version to be published is: ${NEXT_VERSION}" - - name: Build and push Docker image for riscv64 - id: build-and-push-riscv64 - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + - name: Build and push Docker image for RISC-V + id: build-and-push-riscv + uses: docker/build-push-action@v6 with: context: . file: Dockerfile.riscv64 push: ${{ github.event_name != 'pull_request' }} platforms: linux/amd64 tags: ${{ env.VERSION }}-riscv - labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - - name: Sign the published Docker image + - name: Generate artifact attestation if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - run: | - echo "${{ steps.meta.outputs.tags }}-riscv" | xargs -I {} cosign sign {}@${{ steps.build-and-push-riscv.outputs.digest }} + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.VERSION }}-riscv + subject-digest: ${{ steps.build-and-push-riscv.outputs.digest }} + push-to-registry: true