This repository was archived by the owner on Jan 19, 2026. It is now read-only.
Merge pull request #1338 from flavio/main #686
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build container image and sign it | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| - "feat-**" | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Build container image | |
| permissions: | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Retrieve tag name (main branch) | |
| if: ${{ startsWith(github.ref, 'refs/heads/main') }} | |
| run: | | |
| echo TAG_NAME=latest >> $GITHUB_ENV | |
| - name: Retrieve tag name (feat branch) | |
| if: ${{ startsWith(github.ref, 'refs/heads/feat') }} | |
| run: | | |
| echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV | |
| - name: Push and push container image | |
| id: build-image | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| platforms: linux/amd64, linux/arm64 | |
| push: true | |
| sbom: false # SBOM for feature and main branches is not generated | |
| provenance: false # Provenance for feature and main branches is not generated | |
| tags: | | |
| ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }} | |
| # We need to disable the new bundle format enabled by default since | |
| # cosign v3.x.x because some verification tools (e.g. slsactl and old | |
| # cosign) are not able to properly verify the signatures using this | |
| # new format | |
| - name: Sign container image with cosign v2 signature format | |
| run: | | |
| cosign sign --yes --new-bundle-format=false --use-signing-config=false \ | |
| ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }} | |
| - name: Sign container image with cosign v3 signature format | |
| run: | | |
| cosign sign --yes --new-bundle-format=true --use-signing-config=true \ | |
| ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }} | |
| - name: Verify container image signature | |
| run: | | |
| cosign verify \ | |
| --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
| --certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/container-build.yml@${{ github.ref }}" \ | |
| ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }} |