|
1 | 1 | name: Playwright |
2 | 2 |
|
3 | | -on: workflow_dispatch |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + push: |
| 6 | + paths: |
| 7 | + - '.github/workflows/Playwright.yml' |
| 8 | + - 'src/ScreenshotCreator.Api/Dockerfile-Playwright' |
| 9 | + - 'src/ScreenshotCreator.Api/install-powershell-*.sh' |
4 | 10 |
|
5 | 11 | jobs: |
6 | 12 | playwright: |
|
9 | 15 | permissions: |
10 | 16 | contents: read |
11 | 17 | packages: write |
12 | | - attestations: write |
13 | | - id-token: write |
| 18 | + |
| 19 | + outputs: |
| 20 | + digests: ${{ steps.extract-digests.outputs.digests }} |
14 | 21 |
|
15 | 22 | steps: |
16 | 23 | - name: Check out code |
|
47 | 54 | platforms: linux/arm64,linux/amd64 |
48 | 55 | tags: ghcr.io/mu88/screenshotcreator-playwright:latest,ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }} |
49 | 56 | file: src/ScreenshotCreator.Api/Dockerfile-Playwright |
| 57 | + |
| 58 | + - name: Extract generated Docker image digests |
| 59 | + id: extract-digests |
| 60 | + shell: pwsh |
| 61 | + run: | |
| 62 | + $ErrorActionPreference = "Stop" |
| 63 | + $PSNativeCommandUseErrorActionPreference = $true |
| 64 | +
|
| 65 | + $digests = @() |
| 66 | + $manifest = docker manifest inspect ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }} | ConvertFrom-Json |
| 67 | +
|
| 68 | + # Collect digests from all manifests (for multi-arch images) |
| 69 | + foreach ($item in $manifest.manifests) { |
| 70 | + $digest = $item.digest |
| 71 | + if ($digest -notin $digests) { |
| 72 | + $digests += $digest |
| 73 | + } |
| 74 | + } |
| 75 | +
|
| 76 | + # Add the digest for the image itself |
| 77 | + $imageDigest = "${{ steps.docker_build.outputs.digest }}" |
| 78 | + if ($imageDigest -notin $digests) { |
| 79 | + $digests += $imageDigest |
| 80 | + } |
| 81 | +
|
| 82 | + $json = $digests | ConvertTo-Json -Compress |
| 83 | + Write-Host "Extracted digests: $json" |
| 84 | + Write-Output "digests=$json" >> $env:GITHUB_OUTPUT |
| 85 | +
|
| 86 | + attest_provenance_sbom: |
| 87 | + name: 'Attest Docker image build provenance and SBOM' |
| 88 | + runs-on: ubuntu-latest |
| 89 | + |
| 90 | + needs: playwright |
| 91 | + |
| 92 | + permissions: |
| 93 | + contents: read |
| 94 | + packages: write |
| 95 | + attestations: write |
| 96 | + id-token: write |
| 97 | + |
| 98 | + strategy: |
| 99 | + matrix: |
| 100 | + digest: ${{ fromJson(needs.playwright.outputs.digests) }} |
| 101 | + |
| 102 | + steps: |
| 103 | + - name: Check out code |
| 104 | + uses: actions/checkout@v5 |
| 105 | + |
| 106 | + - name: Login to Container registry |
| 107 | + uses: docker/login-action@v3 |
| 108 | + with: |
| 109 | + registry: ghcr.io |
| 110 | + username: ${{ github.actor }} |
| 111 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 112 | + |
| 113 | + - name: Attest build provenance |
| 114 | + uses: actions/attest-build-provenance@v3 |
| 115 | + with: |
| 116 | + push-to-registry: true |
| 117 | + subject-name: ghcr.io/mu88/screenshotcreator-playwright |
| 118 | + subject-digest: ${{ matrix.digest }} |
| 119 | + |
| 120 | + - name: Generate SBOM |
| 121 | + uses: anchore/sbom-action@v0 |
| 122 | + with: |
| 123 | + image: ghcr.io/mu88/screenshotcreator-playwright@${{ matrix.digest }} |
| 124 | + output-file: sbom.json |
| 125 | + |
| 126 | + - name: Attest SBOM |
| 127 | + uses: actions/attest-sbom@v2 |
| 128 | + with: |
| 129 | + push-to-registry: true |
| 130 | + sbom-path: sbom.json |
| 131 | + subject-name: ghcr.io/mu88/screenshotcreator-playwright |
| 132 | + subject-digest: ${{ matrix.digest }} |
0 commit comments