Merge pull request #3153 from samsrabin/doc-builder-podman-support #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based on https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#publishing-a-package-using-an-action (last accessed 2025-05-09) | |
| name: Build and publish ctsm-docs Docker image | |
| on: | |
| # Run this whenever a change to certain files gets pushed to master | |
| push: | |
| branches: ['master'] | |
| paths: | |
| - 'doc/ctsm-docs_container/**' | |
| - '!doc/ctsm-docs_container/README.md' | |
| # Run this whenever it's manually called | |
| workflow_dispatch: | |
| jobs: | |
| # This first job checks that the container can be built, and that we can use it to build the docs without error. | |
| build-image-and-test-docs: | |
| name: Build image and test docs | |
| uses: ./.github/workflows/docker-image-common.yml | |
| secrets: inherit | |
| # This second job actually builds and publishes the container. | |
| push-and-attest: | |
| name: Publish and attest | |
| runs-on: ubuntu-latest | |
| # Wait to run this job until after build-image-and-test-docs. If that job fails, something might be wrong with the container, so don't try this one. (It might also have failed because of something wrong with doc-builder or the documentation.) | |
| needs: build-image-and-test-docs | |
| # Variables output by the build-image-and-test-docs job. | |
| env: | |
| REGISTRY: ${{ needs.build-image-and-test-docs.outputs.REGISTRY }} | |
| IMAGE_NAME: ${{ needs.build-image-and-test-docs.outputs.IMAGE_NAME }} | |
| VERSION_TAG: ${{ needs.build-image-and-test-docs.outputs.version_tag }} | |
| # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. | |
| permissions: | |
| contents: read | |
| packages: write | |
| attestations: write | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Uses the `docker/login-action` action to log in to the Container registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # This step sets up Docker Buildx, which is needed for the multi-platform build in the next step | |
| # https://docs.docker.com/build/ci/github-actions/multi-platform/ | |
| # v3.1.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 | |
| # This step uses the `docker/build-push-action` action to build the image, based on the ctsm-docs `Dockerfile`. | |
| # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository. | |
| # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. | |
| # Note that we should avoid relying on the "latest" tag for anything, but it's good practice to have one. | |
| # v6.15.0 | |
| - name: Push Docker image | |
| id: push | |
| uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 | |
| with: | |
| context: doc/ctsm-docs_container | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| load: false | |
| tags: | | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
| ${{ env.VERSION_TAG }} | |
| labels: "" | |
| # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). | |
| - name: Generate artifact attestation | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| subject-digest: ${{ steps.push.outputs.digest }} | |
| push-to-registry: true | |