connected-chains-docker/.github/workflows/release-image.yml at 448839abaccd50b2fd96482c098e8679f06ef302 · flare-foundation/connected-chains-docker · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
on:
  workflow_call:
    inputs:
      image:
        required: true
        type: string
      context:
        required: true
        type: string
      dockerfile:
        required: false
        type: string
        default: Dockerfile
    secrets:
      registry-password:
        required: true

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    outputs:
      digest: ${{ steps.build-and-push.outputs.digest }}
      tags: ${{ steps.meta.outputs.tags }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Get image tag (from Dockerfile ARG VERSION)
        id: get_image_tag
        run: |
          if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
           IMAGE_TAG=$(grep -m1 '^ARG VERSION=' "${{ inputs.context }}/${{ inputs.dockerfile }}" \
            | cut -d'=' -f2 | tr -d '"' | tr -d "'" | tr -d '[:space:]')
          else
            IMAGE_TAG=$(echo ${{ github.sha }} | cut -c1-7)
          fi
          echo "Using image tag: $IMAGE_TAG"
          echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad
        with:
          cosign-release: "v2.5.3"

      - name: Setup Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to registry
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.registry-password }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ inputs.image }}
          tags: |
            type=raw,value=${{ env.IMAGE_TAG }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

      - name: Build and push
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: ${{ inputs.context }}
          file: ${{ inputs.context }}/${{ inputs.dockerfile }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Sign published image (keyless / certificate-based)
        if: ${{ github.event_name != 'pull_request' }}
        env:
          COSIGN_EXPERIMENTAL: 1
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          echo "${TAGS}" | xargs -n1 -I {} cosign sign --yes {}@${DIGEST}

      - name: Verify signatures
        if: ${{ github.event_name != 'pull_request' }}
        env:
          COSIGN_EXPERIMENTAL: 1
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          echo "${TAGS}" | while read -r tag; do
            cosign verify \
              --certificate-identity="https://github.com/${{ github.repository }}/.github/workflows/release-image.yml@${{ github.ref }}" \
              --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
              "${tag}@${DIGEST}"
          done

      # - name: Sign the published Docker image
      #   if: ${{ github.event_name != 'pull_request' }}
      #   env:
      #     TAGS: ${{ steps.meta.outputs.tags }}
      #     DIGEST: ${{ steps.build-and-push.outputs.digest }}
      #   run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
      # - name: Verify ghcr image signatures
      #   if: ${{ github.event_name != 'pull_request' }}
      #   shell: bash
      #   env:
      #     COSIGN_EXPERIMENTAL: 1
      #     TAGS: ${{ steps.meta.outputs.tags }}
      #     DIGEST: ${{ steps.build-and-push.outputs.digest }}
      #   run: |
      #     echo "${TAGS}" | xargs -I {} cosign verify \
      #     --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/release-dogecoind.yml@${{ github.ref }} \
      #     --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
      #     "{}@${DIGEST}"
  generate-provenance:
    needs: [build]
    if: ${{ github.event_name != 'pull_request' }}
    permissions:
      actions: read
      id-token: write
      packages: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ${{ inputs.image }}
      digest: ${{ needs.build.outputs.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.registry-password }}