Skip to content

Update docker/setup-qemu-action action to v4.2.0 #471

Update docker/setup-qemu-action action to v4.2.0

Update docker/setup-qemu-action action to v4.2.0 #471

name: Simple Build
on:
push:
workflow_dispatch:
jobs:
docker:
permissions: # needed for signing and attestations
id-token: write # write seems weird, but it is correct per docs
attestations: write
contents: read
packages: write
runs-on: ubuntu-latest
steps:
-
name: Install Cosign
uses: chainguard-actions/cosign-installer@bfabdbcbb11bc852ac8fa201706815d39d4a9a3e # v4.1.2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
-
name: Login to GitHub Container Registry
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6.2.0
with:
images: |
ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}-simple
labels: |
org.opencontainers.image.description=Demo Simple Build
-
name: Build and push
id: build
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
with:
file: Dockerfile
platforms: linux/amd64
push: true
sbom: true
provenance: mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
-
name: Attest
uses: chainguard-actions/attest-build-provenance@c52790f45e81e8ce3d44fd64d15e089cdac2d60e # v4.1.0
id: attest
with:
subject-name: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}-simple
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
-
name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}