build(deps): bump the github-actions group across 1 directory with 2 updates #54
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: Build & Publish Containers | |
| # Defines the events that trigger this workflow. | |
| on: | |
| # Allows manual execution from the GitHub UI. | |
| workflow_dispatch: | |
| # Triggers on pushes to the main branch. | |
| push: | |
| branches: | |
| - main | |
| # Triggers on pull requests targeting the main branch. | |
| pull_request: | |
| # Triggers when a new release is created. | |
| release: | |
| types: | |
| - created | |
| # Environment variables available to all jobs in the workflow. | |
| env: | |
| # Using github.repository_owner makes the workflow reusable and not hardcoded. | |
| REGISTRY_USER: ${{ github.repository_owner }} | |
| jobs: | |
| build-and-publish: | |
| name: Build & Publish Matrix | |
| runs-on: ubuntu-latest | |
| strategy: | |
| # Ensures that if one matrix job fails, others will continue to run. | |
| # This is useful for seeing all potential failures at once. | |
| fail-fast: false | |
| max-parallel: 1 | |
| matrix: | |
| include: | |
| - name: nginx | |
| path: nginx/base | |
| - name: nginx | |
| path: nginx/core | |
| - name: nginx | |
| path: nginx/cdn | |
| - name: nextjs | |
| path: nextjs/base | |
| - name: nextjs | |
| path: nextjs/with-prisma | |
| - name: nexload | |
| path: nextjs/with-payload | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: ⤵️ Checkout Repository | |
| uses: actions/checkout@v6.0.2 | |
| - name: ❔ Check for Relevant File Changes | |
| id: changes | |
| if: github.event_name == 'push' || github.event_name == 'pull_request' | |
| uses: dorny/paths-filter@v3 | |
| with: | |
| filters: | | |
| container_folder: | |
| - ./${{ matrix.path }}/** | |
| - name: ⚙️ Determine if Build is Required | |
| id: build_decision | |
| run: | | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || "${{ github.event_name }}" == "release" || "${{ steps.changes.outputs.container_folder }}" == "true" ]]; then | |
| echo "should_build=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "should_build=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: 🏗 Extract version from dockerfile | |
| if: ${{ steps.build_decision.outputs.should_build == 'true' }} | |
| id: version | |
| run: | | |
| version=$(grep 'ARG BUILD_VERSION' ./${{ matrix.path }}/Dockerfile | cut -d'=' -f2) | |
| echo "version=$version" >> $GITHUB_OUTPUT | |
| echo "version: $version" | |
| - name: 🏗 Install cosign | |
| if: ${{ github.event_name != 'pull_request' && steps.build_decision.outputs.should_build == 'true' }} | |
| uses: sigstore/cosign-installer@v3.8.1 | |
| - name: 🏗 Setup Docker Buildx | |
| if: steps.build_decision.outputs.should_build == 'true' | |
| uses: docker/setup-buildx-action@v3 | |
| - name: 🏗 Cache Docker Layers | |
| if: steps.build_decision.outputs.should_build == 'true' | |
| uses: actions/cache@v5 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: buildx-${{ runner.os }}-${{ matrix.path }}-${{ github.sha }} | |
| restore-keys: | | |
| buildx-${{ runner.os }}-${{ matrix.path }}- | |
| - name: 🔐 Log into ghcr.io Registry | |
| if: steps.build_decision.outputs.should_build == 'true' && github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ env.REGISTRY_USER }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract Container Metadata | |
| id: meta | |
| if: steps.build_decision.outputs.should_build == 'true' | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{env.REGISTRY_USER}}/${{matrix.name}} | |
| tags: | | |
| type=ref,event=branch | |
| type=raw,value=${{steps.version.outputs.version}} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=sha,prefix=,suffix=,format=short | |
| - name: 🚀 Build and Push Container Image | |
| id: build-and-push | |
| if: steps.build_decision.outputs.should_build == 'true' | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ./${{ matrix.path }} | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| BUILD_DATE=${{ github.event.repository.updated_at }} | |
| BUILD_REV=${{ github.sha }} | |
| # Step 11: Install Cosign for signing the images. | |
| - name: 🖋 Install Cosign | |
| if: steps.build_decision.outputs.should_build == 'true' && github.event_name != 'pull_request' | |
| uses: sigstore/cosign-installer@v3 | |
| # Step 12: Sign the pushed container images using Cosign's keyless signing. | |
| # We loop through each base image name from the metadata step and sign the immutable digest | |
| # produced by the build-and-push step. This is more secure than signing mutable tags. | |
| - name: 🖋 Sign Container Images | |
| if: steps.build_decision.outputs.should_build == 'true' && github.event_name != 'pull_request' | |
| run: | | |
| for image in ${{ steps.meta.outputs.images }}; do | |
| echo "Signing ${image}@${{ steps.build-and-push.outputs.digest }}" | |
| cosign sign --yes "${image}@${{ steps.build-and-push.outputs.digest }}" | |
| done |