|
1 | 1 | name: Playwright |
2 | 2 |
|
3 | | -on: workflow_dispatch |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + push: |
| 6 | + paths: |
| 7 | + - '.github/workflows/Playwright.yml' |
| 8 | + - 'src/ScreenshotCreator.Api/Dockerfile-Playwright' |
| 9 | + - 'src/ScreenshotCreator.Api/install-powershell-*.sh' |
4 | 10 |
|
5 | 11 | jobs: |
6 | 12 | playwright: |
|
12 | 18 | attestations: write |
13 | 19 | id-token: write |
14 | 20 |
|
| 21 | + outputs: |
| 22 | + digests: ${{ steps.extract-digests.outputs.digests }} |
| 23 | + |
15 | 24 | steps: |
16 | 25 | - name: Check out code |
17 | 26 | uses: actions/checkout@v5 |
|
47 | 56 | platforms: linux/arm64,linux/amd64 |
48 | 57 | tags: ghcr.io/mu88/screenshotcreator-playwright:latest,ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }} |
49 | 58 | file: src/ScreenshotCreator.Api/Dockerfile-Playwright |
| 59 | + |
| 60 | + - name: Extract generated Docker image digests |
| 61 | + id: extract-digests |
| 62 | + shell: pwsh |
| 63 | + run: | |
| 64 | + $ErrorActionPreference = "Stop" |
| 65 | + $PSNativeCommandUseErrorActionPreference = $true |
| 66 | +
|
| 67 | + $digests = @() |
| 68 | + $manifest = docker manifest inspect ghcr.io/mu88/screenshotcreator-playwright:${{ steps.extract_version.outputs.major_version }}.0.${{ github.run_number }} | ConvertFrom-Json |
| 69 | +
|
| 70 | + # Collect digests from all manifests (for multi-arch images) |
| 71 | + foreach ($item in $manifest.manifests) { |
| 72 | + $digest = $item.digest |
| 73 | + if ($digest -notin $digests) { |
| 74 | + $digests += $digest |
| 75 | + } |
| 76 | + } |
| 77 | +
|
| 78 | + # Add the digest for the image itself |
| 79 | + $imageDigest = "${{ steps.docker_build.outputs.digest }}" |
| 80 | + if ($imageDigest -notin $digests) { |
| 81 | + $digests += $imageDigest |
| 82 | + } |
| 83 | +
|
| 84 | + $json = $digests | ConvertTo-Json -Depth 10 |
| 85 | + Write-Output "digests=$json" >> $env:GITHUB_OUTPUT |
| 86 | +
|
| 87 | + attest_provenance_sbom: |
| 88 | + name: 'Attest Docker image build provenance and SBOM' |
| 89 | + runs-on: ubuntu-latest |
| 90 | + |
| 91 | + needs: playwright |
| 92 | + |
| 93 | + strategy: |
| 94 | + matrix: |
| 95 | + digest: ${{ fromJson(needs.playwright.outputs.digests) }} |
| 96 | + |
| 97 | + steps: |
| 98 | + - name: Check out code |
| 99 | + uses: actions/checkout@v5 |
| 100 | + |
| 101 | + - name: Login to Container registry |
| 102 | + uses: docker/login-action@v3 |
| 103 | + with: |
| 104 | + registry: ghcr.io |
| 105 | + username: ${{ github.actor }} |
| 106 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 107 | + |
| 108 | + - name: Attest build provenance |
| 109 | + uses: actions/attest-build-provenance@v3 |
| 110 | + with: |
| 111 | + push-to-registry: true |
| 112 | + subject-name: ghcr.io/mu88/screenshotcreator-playwright |
| 113 | + subject-digest: ${{ matrix.digest }} |
| 114 | + |
| 115 | + - name: Generate SBOM |
| 116 | + uses: anchore/sbom-action@v0 |
| 117 | + with: |
| 118 | + image: ghcr.io/mu88/screenshotcreator-playwright@${{ matrix.digest }} |
| 119 | + output-file: sbom.json |
| 120 | + |
| 121 | + - name: Attest SBOM |
| 122 | + uses: actions/attest-sbom@v2 |
| 123 | + with: |
| 124 | + push-to-registry: true |
| 125 | + sbom-path: sbom.json |
| 126 | + subject-name: ghcr.io/mu88/screenshotcreator-playwright |
| 127 | + subject-digest: ${{ matrix.digest }} |