11name : Playwright
22
3- on : workflow_dispatch
3+ on :
4+ workflow_dispatch :
5+ push :
6+ paths :
7+ - ' .github/workflows/Playwright.yml'
8+ - ' src/ScreenshotCreator.Api/Dockerfile-Playwright'
9+ - ' src/ScreenshotCreator.Api/install-powershell-*.sh'
410
511jobs :
612 playwright :
1218 attestations : write
1319 id-token : write
1420
21+ outputs :
22+ digests : ${{ steps.extract-digests.outputs.digests }}
23+
1524 steps :
1625 - name : Check out code
1726 uses : actions/checkout@v5
@@ -38,12 +47,89 @@ jobs:
3847 $majorVersion = [regex]::Match($tfm, '\d+').Value
3948 Write-Output "major_version=$majorVersion" >> $env:GITHUB_OUTPUT
4049
41- - name : Build and push Docker image for Playwright
42- id : docker_build
43- uses : docker/build-push-action@v6
50+ # - name: Build and push Docker image for Playwright
51+ # id: docker_build
52+ # uses: docker/build-push-action@v6
53+ # with:
54+ # push: true
55+ # provenance: false
56+ # platforms: linux/arm64,linux/amd64
57+ # tags: ghcr.io/mu88/screenshotcreator-playwright:latest,ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }}
58+ # file: src/ScreenshotCreator.Api/Dockerfile-Playwright
59+
60+ - name : Extract generated Docker image digests
61+ id : extract-digests
62+ shell : pwsh
63+ run : |
64+ $ErrorActionPreference = "Stop"
65+ $PSNativeCommandUseErrorActionPreference = $true
66+
67+ docker pull ghcr.io/mu88/screenshotcreator-playwright:latest
68+ $digests = @()
69+ $images = @(
70+ "ghcr.io/mu88/screenshotcreator-playwright:latest"
71+ #,"ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }}"
72+ )
73+
74+ foreach ($image in $images) {
75+ $manifest = docker manifest inspect $image | ConvertFrom-Json
76+
77+ # Collect digests from all manifests (for multi-arch images)
78+ foreach ($item in $manifest.manifests) {
79+ $digest = $item.digest
80+ if ($digest -notin $digests) {
81+ $digests += $digest
82+ }
83+ }
84+
85+ # Add the digest for the image itself
86+ $imageDigest = docker inspect --format='{{index .Descriptor.digest}}' $image
87+ if ($imageDigest -notin $digests) {
88+ $digests += $imageDigest
89+ }
90+ }
91+
92+ $json = $digests | ConvertTo-Json -Depth 10
93+ Write-Output "digests=$json" >> $env:GITHUB_OUTPUT
94+
95+ attest_provenance_sbom :
96+ name : ' Attest Docker image build provenance and SBOM'
97+ runs-on : ubuntu-latest
98+
99+ needs : playwright
100+
101+ strategy :
102+ matrix :
103+ digest : ${{ fromJson(needs.playwright.outputs.digests) }}
104+
105+ steps :
106+ - name : Check out code
107+ uses : actions/checkout@v5
108+
109+ - name : Login to Container registry
110+ uses : docker/login-action@v3
111+ with :
112+ registry : ghcr.io
113+ username : ${{ github.actor }}
114+ password : ${{ secrets.GITHUB_TOKEN }}
115+
116+ - name : Attest build provenance
117+ uses : actions/attest-build-provenance@v3
118+ with :
119+ push-to-registry : true
120+ subject-name : ghcr.io/mu88/screenshotcreator-playwright
121+ subject-digest : ${{ matrix.digest }}
122+
123+ - name : Generate SBOM
124+ uses : anchore/sbom-action@v0
125+ with :
126+ image : ghcr.io/mu88/screenshotcreator-playwright@${{ matrix.digest }}
127+ output-file : sbom.json
128+
129+ - name : Attest SBOM
130+ uses : actions/attest-sbom@v2
44131 with :
45- push : true
46- provenance : false
47- platforms : linux/arm64,linux/amd64
48- tags : ghcr.io/mu88/screenshotcreator-playwright:latest,ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }}
49- file : src/ScreenshotCreator.Api/Dockerfile-Playwright
132+ push-to-registry : true
133+ sbom-path : sbom.json
134+ subject-name : ghcr.io/mu88/screenshotcreator-playwright
135+ subject-digest : ${{ matrix.digest }}
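Review bot: The `digests` output written at new line 93 is pretty-printed JSON, so `ConvertTo-Json` emits several lines and only the first (`digests=[`) reaches `$GITHUB_OUTPUT` as a well-formed `key=value` line; use `$json = ConvertTo-Json -InputObject @($digests) -Compress` instead, where the `@()` wrapper also keeps a lone digest as a JSON array, which the `fromJson` matrix at new line 103 requires. The `attest_provenance_sbom` job declares no `permissions:` block, so unless the workflow grants them globally (not visible here) `actions/attest-build-provenance`, `actions/attest-sbom` and `push-to-registry: true` will lack the `id-token: write`, `attestations: write` and `packages: write` scopes; add a job-level `permissions: { contents: read, packages: write, id-token: write, attestations: write }` matching the scopes the `playwright` job already carries. Because the build step is commented out, the digests are resolved at new line 67 from whatever the mutable `:latest` tag currently points to rather than from an image this run produced, so the provenance attestation vouches for an artifact the run did not build; once the build is re-enabled, feed the matrix from `docker/build-push-action`'s `steps.docker_build.outputs.digest` instead of re-resolving the tag.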