11name : Playwright
22
3- on : workflow_dispatch
3+ on :
4+ workflow_dispatch :
5+ push :
6+ paths :
7+ - ' .github/workflows/Playwright.yml'
8+ - ' src/ScreenshotCreator.Api/Dockerfile-Playwright'
9+ - ' src/ScreenshotCreator.Api/install-powershell-*.sh'
410
511jobs :
612 playwright :
1218 attestations : write
1319 id-token : write
1420
21+ outputs :
22+ digests : ${{ steps.extract-digests.outputs.digests }}
23+
1524 steps :
1625 - name : Check out code
1726 uses : actions/checkout@v5
@@ -38,12 +47,91 @@ jobs:
3847 $majorVersion = [regex]::Match($tfm, '\d+').Value
3948 Write-Output "major_version=$majorVersion" >> $env:GITHUB_OUTPUT
4049
41- - name : Build and push Docker image for Playwright
42- id : docker_build
43- uses : docker/build-push-action@v6
50+ # - name: Build and push Docker image for Playwright
51+ # id: docker_build
52+ # uses: docker/build-push-action@v6
53+ # with:
54+ # push: true
55+ # provenance: false
56+ # platforms: linux/arm64,linux/amd64
57+ # tags: ghcr.io/mu88/screenshotcreator-playwright:latest,ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }}
58+ # file: src/ScreenshotCreator.Api/Dockerfile-Playwright
59+
60+ - name : Extract generated Docker image digests
61+ id : extract-digests
62+ shell : pwsh
63+ run : |
64+ $ErrorActionPreference = "Stop"
65+ $PSNativeCommandUseErrorActionPreference = $true
66+
67+ docker pull ghcr.io/mu88/screenshotcreator-playwright:latest
68+ $digests = @{}
69+ $images = @(
70+ "ghcr.io/mu88/screenshotcreator-playwright:latest"
71+ #,"ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }}"
72+ )
73+
74+ foreach ($image in $images) {
75+ $manifestOutput = docker manifest inspect $image
76+ $manifest = $manifestOutput | ConvertFrom-Json
77+
78+ # Collect digests from all manifests (for multi-arch images)
79+ foreach ($item in $manifest.manifests) {
80+ $digest = $item.digest
81+ Write-Host "Found digest: $digest"
82+ if ($digest -notin $digests) {
83+ $digests += $digest
84+ }
85+ }
86+
87+ # Add the digest for the image itself
88+ $imageDigest = docker inspect --format='{{index .Descriptor.digest}}' $image
89+ if ($imageDigest -notin $digests) {
90+ $digests += $imageDigest
91+ }
92+ }
93+
94+ $json = $digests | ConvertTo-Json -Depth 10
95+ Write-Output "digests=$json" >> $env:GITHUB_OUTPUT
96+
97+ attest_provenance_sbom :
98+ name : ' Attest Docker image build provenance and SBOM'
99+ runs-on : ubuntu-latest
100+
101+ needs : playwright
102+
103+ strategy :
104+ matrix :
105+ digest : ${{ fromJson(needs.playwright.outputs.digests) }}
106+
107+ steps :
108+ - name : Check out code
109+ uses : actions/checkout@v5
110+
111+ - name : Login to Container registry
112+ uses : docker/login-action@v3
113+ with :
114+ registry : ghcr.io
115+ username : ${{ github.actor }}
116+ password : ${{ secrets.GITHUB_TOKEN }}
117+
118+ - name : Attest build provenance
119+ uses : actions/attest-build-provenance@v3
120+ with :
121+ push-to-registry : true
122+ subject-name : ghcr.io/mu88/screenshotcreator-playwright
123+ subject-digest : ${{ matrix.digest }}
124+
125+ - name : Generate SBOM
126+ uses : anchore/sbom-action@v0
127+ with :
128+ image : ghcr.io/mu88/screenshotcreator-playwright@${{ matrix.digest }}
129+ output-file : sbom.json
130+
131+ - name : Attest SBOM
132+ uses : actions/attest-sbom@v2
44133 with :
45- push : true
46- provenance : false
47- platforms : linux/arm64,linux/amd64
48- tags : ghcr.io/mu88/screenshotcreator-playwright:latest,ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }}
49- file : src/ScreenshotCreator.Api/Dockerfile-Playwright
134+ push-to-registry : true
135+ sbom-path : sbom.json
136+ subject-name : ghcr.io/mu88/screenshotcreator-playwright
137+ subject-digest : ${{ matrix.digest }}
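Review bot: In the `extract-digests` step, `$digests = @{}` creates a hashtable, so the later `$digests += $digest` (a string) raises a terminating error under `$ErrorActionPreference = "Stop"` and the step never writes its output; it should be an array, `$digests = @()`, and the single-element case then needs `ConvertTo-Json -Compress -AsArray` so `fromJson` in the matrix always receives a one-line JSON array rather than a bare string that `>> $env:GITHUB_OUTPUT` cannot carry across lines. The subject of the provenance attestation is whatever `:latest` resolves to in the registry at run time, not an image this run built, since the build-push step is commented out; once it is re-enabled, `steps.docker_build.outputs.digest` is the digest to attest so the attestation is bound to the artifact produced here. The new `attest_provenance_sbom` job also declares no `permissions:` block, while the visible `attestations: write` / `id-token: write` sit under the `playwright` job; unless workflow-level permissions are set outside this hunk, `actions/attest-build-provenance` with `push-to-registry: true` needs `id-token: write`, `attestations: write` and `packages: write` on this job.
```yaml
# … unchanged: extract-digests step header (name/id/shell/run) …
          $digests = @()
# … unchanged: image loop …
          $json = $digests | ConvertTo-Json -Compress -AsArray
          Write-Output "digests=$json" >> $env:GITHUB_OUTPUT

  attest_provenance_sbom:
    name: 'Attest Docker image build provenance and SBOM'
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      id-token: write
      packages: write
# … unchanged: needs, strategy, steps …
```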