Skip to content

Bump the actions group with 6 updates #2

Bump the actions group with 6 updates

Bump the actions group with 6 updates #2

Workflow file for this run

name: Simple Build
on:
push:
workflow_dispatch:
jobs:
docker:
permissions: # needed for signing and attestations
id-token: write # write seems weird, but it is correct per docs
attestations: write
contents: read
packages: write
runs-on: ubuntu-latest
steps:
-
name: Install Cosign
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
-
name: Login to GitHub Container Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: |
ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}-simple
labels: |
org.opencontainers.image.description=Demo Simple Build
-
name: Build and push
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
file: Dockerfile
platforms: linux/amd64
push: true
sbom: true
provenance: mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
-
name: Attest
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v1
id: attest
with:
subject-name: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}-simple
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
-
name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}