|
24 | 24 |
|
25 | 25 | jobs: |
26 | 26 | build: |
27 | | - |
| 27 | + name: Build on ${{ matrix.platform.name }} |
28 | 28 | runs-on: ubuntu-latest |
29 | | - permissions: |
30 | | - contents: read |
31 | | - packages: write |
32 | | - # This is used to complete the identity challenge |
33 | | - # with sigstore/fulcio when running outside of PRs. |
34 | | - id-token: write |
35 | | - |
| 29 | + strategy: |
| 30 | + fail-fast: false |
| 31 | + matrix: |
| 32 | + platform: |
| 33 | + - linux/amd64 |
| 34 | + - linux/arm64 |
36 | 35 | steps: |
| 36 | + |
37 | 37 | - name: Checkout repository |
38 | 38 | uses: actions/checkout@v4 |
| 39 | + - name: Prepare |
| 40 | + # Sanitize platform name |
| 41 | + run: | |
| 42 | + platform=${{ matrix.platform.name }} |
| 43 | + echo "PLATFORM=${platform//\//-}" >> $GITHUB_ENV |
39 | 44 |
|
40 | 45 | # Install the cosign tool except on PR |
41 | 46 | # https://github.com/sigstore/cosign-installer |
@@ -73,14 +78,72 @@ jobs: |
73 | 78 | # https://github.com/docker/build-push-action |
74 | 79 | - name: Build and push Docker image |
75 | 80 | id: build-and-push |
76 | | - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 |
| 81 | + uses: docker/build-push-action@v6 |
77 | 82 | with: |
78 | 83 | context: . |
| 84 | + platforms: ${{ matrix.platform }} |
79 | 85 | push: ${{ github.event_name != 'pull_request' }} |
80 | 86 | tags: ${{ steps.meta.outputs.tags }} |
81 | 87 | labels: ${{ steps.meta.outputs.labels }} |
82 | 88 | cache-from: type=gha |
83 | 89 | cache-to: type=gha,mode=max |
| 90 | + - name: Export digest |
| 91 | + run: | |
| 92 | + mkdir -p ${{ runner.temp }}/digests |
| 93 | + digest="${{ steps.build.outputs.digest }}" |
| 94 | + touch "${{ runner.temp }}/digests/${digest#sha256:}" |
| 95 | +
|
| 96 | + - name: Upload digest |
| 97 | + uses: actions/upload-artifact@v4 |
| 98 | + with: |
| 99 | + name: digests-${{ env.PLATFORM_PAIR }} |
| 100 | + path: ${{ runner.temp }}/digests/* |
| 101 | + if-no-files-found: error |
| 102 | + retention-days: 1 |
| 103 | + |
| 104 | + merge: |
| 105 | + runs-on: ubuntu-latest |
| 106 | + needs: |
| 107 | + - build |
| 108 | + steps: |
| 109 | + - name: Download digests |
| 110 | + uses: actions/download-artifact@v4 |
| 111 | + with: |
| 112 | + path: ${{ runner.temp }}/digests |
| 113 | + pattern: digests-* |
| 114 | + merge-multiple: true |
| 115 | + |
| 116 | + - name: Log into registry ${{ env.REGISTRY }} |
| 117 | + if: github.event_name != 'pull_request' |
| 118 | + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 |
| 119 | + with: |
| 120 | + registry: ${{ env.REGISTRY }} |
| 121 | + username: ${{ github.actor }} |
| 122 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 123 | + |
| 124 | + - name: Set up Docker Buildx |
| 125 | + uses: docker/setup-buildx-action@v3 |
| 126 | + |
| 127 | + - name: Docker meta |
| 128 | + id: meta |
| 129 | + uses: docker/metadata-action@v5 |
| 130 | + with: |
| 131 | + images: ${{ env.REGISTRY_IMAGE }} |
| 132 | + tags: | |
| 133 | + type=ref,event=branch |
| 134 | + type=ref,event=pr |
| 135 | + type=semver,pattern={{version}} |
| 136 | + type=semver,pattern={{major}}.{{minor}} |
| 137 | +
|
| 138 | + - name: Create manifest list and push |
| 139 | + working-directory: ${{ runner.temp }}/digests |
| 140 | + run: | |
| 141 | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ |
| 142 | + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) |
| 143 | +
|
| 144 | + - name: Inspect image |
| 145 | + run: | |
| 146 | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} |
84 | 147 |
|
85 | 148 | # Sign the resulting Docker image digest except on PRs. |
86 | 149 | # This will only write to the public Rekor transparency log when the Docker |
|
0 commit comments