Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions .github/actions/extract-version/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ outputs:
description: 'Git tag name (e.g., v1.2.3)'
value: ${{ steps.extract.outputs.tag-name }}
image-tag:
description: 'Docker image tag (e.g., main-2025.12.17, pr-42, v0.2.0)'
description: 'Docker image tag (e.g., main-2025-12-17, pr-42, v0.2.0)'
value: ${{ steps.extract.outputs.image-tag }}
image-repository:
description: 'Docker repository name (e.g., finos/myapp)'
Expand Down Expand Up @@ -85,9 +85,9 @@ runs:
;;

main)
# Main branch: use main-YYYY.MM.DD format
# Tag format: main-2025.12.17
DATE=$(date +%Y.%m.%d)
# Main branch: use main-YYYY-MM-DD format
# Tag format: main-2025-12-17
DATE=$(date +%Y-%m-%d)
VERSION="0.0.0-main.${DATE}.${{ github.run_number }}"
TAG_NAME="main-${DATE}"
IMAGE_TAG="main-${DATE}${IMAGE_TAG_SUFFIX}"
Expand Down
27 changes: 21 additions & 6 deletions .github/workflows/build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -385,14 +385,16 @@ jobs:

# Push to main and release: sign the image with Cosign (keyless, Sigstore).
# PR images are ephemeral and not deployed, so signing them is skipped.
# Sign by digest (not tag) to guarantee we sign exactly what was pushed.
- name: Install Cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3

- name: Sign container image with Cosign
if: github.event_name != 'pull_request'
uses: firestoned/github-actions/security/cosign-sign@v1.3.6
with:
image-digest: ${{ steps.docker_build.outputs.digest }}
image-tags: ${{ matrix.variant.image-tag }}
registry: ghcr.io
repository: ${{ matrix.variant.image-repository }}
run: |
cosign sign --yes \
ghcr.io/${{ matrix.variant.image-repository }}@${{ steps.docker_build.outputs.digest }}

# Release only: generate a CycloneDX SBOM for the published image.
- name: Generate Docker SBOM for ${{ matrix.variant.name }}
Expand All @@ -402,6 +404,7 @@ jobs:
image: ghcr.io/${{ matrix.variant.image-repository }}:${{ matrix.variant.image-tag }}
format: cyclonedx-json
output-file: docker-sbom-${{ matrix.variant.name }}.json
upload-release-assets: false

- name: Upload Docker SBOM as artifact
if: github.event_name == 'release'
Expand Down Expand Up @@ -493,6 +496,11 @@ jobs:
name: 🔭 Container Security Scan - ${{ matrix.variant.name }}
runs-on: ubuntu-latest
needs: [docker, extract-version]
permissions:
contents: read
packages: read
id-token: write
security-events: write
strategy:
fail-fast: false
matrix:
Expand All @@ -507,6 +515,13 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4

- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Run Trivy scan on ${{ matrix.variant.name }} image
uses: firestoned/github-actions/security/trivy-scan@v1.3.6
with:
Expand Down
Loading