@@ -43,30 +43,21 @@ jobs:
4343 fail-fast : false
4444
4545 steps :
46-
4746 - name : Checkout repository
4847 uses : actions/checkout@v4
48+
4949 - name : Prepare
50- # Sanitize platform name
5150 run : |
5251 platform=${{ matrix.platform }}
5352 echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
5453
55- # Install the cosign tool except on PR
56- # https://github.com/sigstore/cosign-installer
57- # - name: Install cosign
58- # if: github.event_name != 'pull_request'
59- # uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
60- # with:
61- # cosign-release: 'v2.2.4'
62-
63- # Set up BuildKit Docker container builder to be able to build
64- # multi-platform images and export cache
65- # https://github.com/docker/setup-buildx-action
66- - name : Set up Docker Buildx
67- uses : docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
54+ - name : Docker meta
55+ id : meta
56+ uses : docker/metadata-action@v5
57+ with :
58+ images : ${{ env.REGISTRY_IMAGE }}
6859
69- # Login against a Docker registry except on PR
60+ # Login against a Docker registry except on PR
7061 # https://github.com/docker/login-action
7162 - name : Log into registry ${{ env.REGISTRY }}
7263 if : github.event_name != 'pull_request'
@@ -76,28 +67,21 @@ jobs:
7667 username : ${{ github.actor }}
7768 password : ${{ secrets.GITHUB_TOKEN }}
7869
79- # Extract metadata (tags, labels) for Docker
80- # https://github.com/docker/metadata-action
81- - name : Extract Docker metadata
82- id : meta
83- uses : docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
84- with :
85- images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
70+ - name : Set up Docker Buildx
71+ uses : docker/setup-buildx-action@v3
8672
87- # Build and push Docker image with Buildx (don't push on PR)
88- # https://github.com/docker/build-push-action
89- - name : Build and push Docker image
73+ - name : Build and push by digest
9074 id : build
9175 uses : docker/build-push-action@v6
9276 with :
93- context : .
9477 platforms : ${{ matrix.platform }}
95- push : ${{ github.event_name != 'pull_request' }}
96- tags : ${{ steps.meta.outputs.tags }}
97- outputs : type=image,name-canonical=true,push=true
9878 labels : ${{ steps.meta.outputs.labels }}
79+ tags : ${{ env.REGISTRY_IMAGE }}
80+ push : ${{ github.event_name != 'pull_request' }}
81+ outputs : type=image,push-by-digest=true,name-canonical=true,push=true
9982 cache-from : type=gha
10083 cache-to : type=gha,mode=max
84+
10185 - name : Export digest
10286 run : |
10387 mkdir -p ${{ runner.temp }}/digests
@@ -155,18 +139,4 @@ jobs:
155139 - name : Inspect image
156140 run : |
157141 docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
158-
159- # Sign the resulting Docker image digest except on PRs.
160- # This will only write to the public Rekor transparency log when the Docker
161- # repository is public to avoid leaking data. If you would like to publish
162- # transparency data even for private images, pass --force to cosign below.
163- # https://github.com/sigstore/cosign
164- # - name: Sign the published Docker image
165- # if: ${{ github.event_name != 'pull_request' }}
166- # env:
167- # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
168- # TAGS: ${{ steps.meta.outputs.tags }}
169- # DIGEST: ${{ steps.build-and-push.outputs.digest }}
170- # # This step uses the identity token to provision an ephemeral certificate
171- # # against the sigstore community Fulcio instance.
172- # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
142+ #
0 commit comments