go-flare/.github/workflows/build-container.yml at 36e32b1615facc444f297a3627b6f374ddd3f7ab · flare-foundation/go-flare · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
name: container-images

on:
  push:
    branches: [ "main", "feature/**" ]
    tags: [ "v*" ]

jobs:
  build-and-push:
    name: Build & Push
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write
      id-token: write
    env:
      USE_DOCKER_HUB: true
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: docker/setup-qemu-action@v3
    - uses: docker/setup-buildx-action@v3

    - run: echo "IMAGE_TAG=dev" >> $GITHUB_ENV
      if: github.ref_name == 'main' || startsWith(github.ref_name, 'feature/')

    - run: echo "IMAGE_TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV
      if: startsWith(github.ref, 'refs/tags/v')

    - name: Login to ghcr.io
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Login to docker.io
      if: ${{ env.USE_DOCKER_HUB == 'true' }}
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKER_HUB_UID }}
        password: ${{ secrets.DOCKER_HUB_PAT }}

    - name: Build standard image
      env:
        USE_DOCKER_HUB: ${{ env.USE_DOCKER_HUB }}
      run: |
        TAGS="--tag ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}"

        if [ "${USE_DOCKER_HUB}" = "true" ]; then
          TAGS="$TAGS --tag ${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}"
        fi

        docker buildx build \
          --platform linux/amd64,linux/arm64 \
          $TAGS \
          --file ./Dockerfile \
          --output type=image,push=true \
          --iidfile std.digest \
          .

    - name: Export standard image digest
      run: |
        DIG=$(cat std.digest)
        echo "IMAGE_DIGEST=$DIG" >> $GITHUB_ENV

    - name: Build distroless image
      env:
        USE_DOCKER_HUB: ${{ env.USE_DOCKER_HUB }}
      run: |
        TAGS="--tag ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}-dless"

        if [ "${USE_DOCKER_HUB}" = "true" ]; then
          TAGS="$TAGS --tag ${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}-dless"
        fi

        docker buildx build \
          --platform linux/amd64,linux/arm64 \
          $TAGS \
          --file ./Dockerfile.dless \
          --output type=image,push=true \
          --iidfile dless.digest \
          .

    - name: Export distroless image digest
      run: |
        DIG=$(cat dless.digest)
        echo "DLESS_IMAGE_DIGEST=$DIG" >> $GITHUB_ENV

    - name: Install Cosign
      uses: sigstore/cosign-installer@v3.8.1

    - name: Sign ghcr images
      shell: bash
      env:
        COSIGN_EXPERIMENTAL: 1
      run: |
          cosign sign --yes ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }}
          cosign sign --yes ghcr.io/${{ github.repository }}@${{ env.DLESS_IMAGE_DIGEST }}

    - name: Sign docker hub images
      if: ${{ env.USE_DOCKER_HUB == 'true' }}
      shell: bash
      env:
        COSIGN_EXPERIMENTAL: 1
      run: |
          cosign sign --yes ${{ secrets.DOCKER_HUB_REPO }}@${{ env.IMAGE_DIGEST }}
          cosign sign --yes ${{ secrets.DOCKER_HUB_REPO }}@${{ env.DLESS_IMAGE_DIGEST }}

    - name: Verify ghcr image signatures
      shell: bash
      env:
        COSIGN_EXPERIMENTAL: 1
      run: |
        cosign verify \
          --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
          "ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }}"

        cosign verify \
          --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
          "ghcr.io/${{ github.repository }}@${{ env.DLESS_IMAGE_DIGEST }}"

    - name: Verify docker hub image signatures
      if: ${{ env.USE_DOCKER_HUB == 'true' }}
      shell: bash
      env:
        COSIGN_EXPERIMENTAL: 1
      run: |
        cosign verify \
          --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
          "${{ secrets.DOCKER_HUB_REPO }}@${{ env.IMAGE_DIGEST }}"

        cosign verify \
          --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
          "${{ secrets.DOCKER_HUB_REPO }}@${{ env.DLESS_IMAGE_DIGEST }}"