Skip to content

Commit 2df0c94

Browse files
authored
Update docker-publish.yml
1 parent d6c9b41 commit 2df0c94

1 file changed

Lines changed: 15 additions & 45 deletions

File tree

.github/workflows/docker-publish.yml

Lines changed: 15 additions & 45 deletions
Original file line numberDiff line numberDiff line change
@@ -43,30 +43,21 @@ jobs:
4343
fail-fast: false
4444

4545
steps:
46-
4746
- name: Checkout repository
4847
uses: actions/checkout@v4
48+
4949
- name: Prepare
50-
# Sanitize platform name
5150
run: |
5251
platform=${{ matrix.platform }}
5352
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
5453
55-
# Install the cosign tool except on PR
56-
# https://github.com/sigstore/cosign-installer
57-
# - name: Install cosign
58-
# if: github.event_name != 'pull_request'
59-
# uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
60-
# with:
61-
# cosign-release: 'v2.2.4'
62-
63-
# Set up BuildKit Docker container builder to be able to build
64-
# multi-platform images and export cache
65-
# https://github.com/docker/setup-buildx-action
66-
- name: Set up Docker Buildx
67-
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
54+
- name: Docker meta
55+
id: meta
56+
uses: docker/metadata-action@v5
57+
with:
58+
images: ${{ env.REGISTRY_IMAGE }}
6859

69-
# Login against a Docker registry except on PR
60+
# Login against a Docker registry except on PR
7061
# https://github.com/docker/login-action
7162
- name: Log into registry ${{ env.REGISTRY }}
7263
if: github.event_name != 'pull_request'
@@ -76,28 +67,21 @@ jobs:
7667
username: ${{ github.actor }}
7768
password: ${{ secrets.GITHUB_TOKEN }}
7869

79-
# Extract metadata (tags, labels) for Docker
80-
# https://github.com/docker/metadata-action
81-
- name: Extract Docker metadata
82-
id: meta
83-
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
84-
with:
85-
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
70+
- name: Set up Docker Buildx
71+
uses: docker/setup-buildx-action@v3
8672

87-
# Build and push Docker image with Buildx (don't push on PR)
88-
# https://github.com/docker/build-push-action
89-
- name: Build and push Docker image
73+
- name: Build and push by digest
9074
id: build
9175
uses: docker/build-push-action@v6
9276
with:
93-
context: .
9477
platforms: ${{ matrix.platform }}
95-
push: ${{ github.event_name != 'pull_request' }}
96-
tags: ${{ steps.meta.outputs.tags }}
97-
outputs: type=image,name-canonical=true,push=true
9878
labels: ${{ steps.meta.outputs.labels }}
79+
tags: ${{ env.REGISTRY_IMAGE }}
80+
push: ${{ github.event_name != 'pull_request' }}
81+
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
9982
cache-from: type=gha
10083
cache-to: type=gha,mode=max
84+
10185
- name: Export digest
10286
run: |
10387
mkdir -p ${{ runner.temp }}/digests
@@ -155,18 +139,4 @@ jobs:
155139
- name: Inspect image
156140
run: |
157141
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
158-
159-
# Sign the resulting Docker image digest except on PRs.
160-
# This will only write to the public Rekor transparency log when the Docker
161-
# repository is public to avoid leaking data. If you would like to publish
162-
# transparency data even for private images, pass --force to cosign below.
163-
# https://github.com/sigstore/cosign
164-
# - name: Sign the published Docker image
165-
# if: ${{ github.event_name != 'pull_request' }}
166-
# env:
167-
# # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
168-
# TAGS: ${{ steps.meta.outputs.tags }}
169-
# DIGEST: ${{ steps.build-and-push.outputs.digest }}
170-
# # This step uses the identity token to provision an ephemeral certificate
171-
# # against the sigstore community Fulcio instance.
172-
# run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
142+
#

0 commit comments

Comments
 (0)