Publish Docker Image #4

	name: Publish Docker Image

	on:
	release:
	types: [published]
	workflow_dispatch:

	# Required for cosign keyless (OIDC) to mint tokens
	permissions:
	contents: read
	packages: write
	id-token: write # needed for signing the images with GitHub OIDC Token

	jobs:
	push_to_registry:
	name: Push Docker image to GitHub Container registry
	runs-on: ubuntu-latest
	timeout-minutes: 60
	steps:
	- name: Check out the repo
	uses: actions/[email protected]

	- name: Install cosign
	uses: sigstore/[email protected]

	- name: Login to GitHub Container Registry
	uses: docker/[email protected]
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/[email protected]
	with:
	images: ghcr.io/openmodelica/crossbuild

	- name: Build and push Docker image
	id: build-and-push
	uses: docker/[email protected]
	with:
	context: .
	file: ./Dockerfile
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	annotations: ${{ steps.meta.outputs.annotations }}
	push: true

	- name: Sign the images with GitHub OIDC Token
	env:
	DIGEST: ${{ steps.build-and-push.outputs.digest }}
	TAGS: ${{ steps.meta.outputs.tags }}
	run: \|
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done
	cosign sign --yes ${images}

	- name: Verify signatures
	env:
	DIGEST: ${{ steps.build-and-push.outputs.digest }}
	TAGS: ${{ steps.meta.outputs.tags }}
	run: \|
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done
	cosign verify ${images}

Provide feedback