Run instructions #89
| name: Docker CD | |
| # This workflow uses actions that are not certified by GitHub. | |
| # They are provided by a third-party and are governed by | |
| # separate terms of service, privacy policy, and support | |
| # documentation. | |
| on: | |
| schedule: | |
| # Run every month at midnight on the first day of the month. | |
| - cron: "0 0 1 * *" | |
| push: | |
| branches: ["main"] | |
| # Publish semver tags as releases. | |
| tags: ["v*.*.*"] | |
| env: | |
| # Use docker.io for Docker Hub if empty | |
| REGISTRY: docker.io | |
| # github.repository as <account>/<repo> | |
| IMAGE_NAME: rgpeach10/shell | |
| concurrency: | |
| group: cd | |
| # If this is enabled it will cancel current running and start latest | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| # This is used to complete the identity challenge | |
| # with sigstore/fulcio when running outside of PRs. | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| buildkitd-flags: --debug | |
| # Install the cosign tool except on PR | |
| # https://github.com/sigstore/cosign-installer | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 | |
| with: | |
| cosign-release: "v2.2.4" | |
| # Login against a Docker registry except on PR | |
| # https://github.com/docker/login-action | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: rgpeach10 | |
| password: ${{ secrets.DOCKERHUB_PAT }} | |
| # Extract metadata (tags, labels) for Docker | |
| # https://github.com/docker/metadata-action | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| # Build each platform separately (to avoid runner disk space issues) | |
| # and push by digest only. A multi-arch manifest is created at the end. | |
| - name: Build and push Docker image arm64 | |
| id: build-arm | |
| uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | |
| with: | |
| context: . | |
| platforms: linux/arm64 | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=registry,ref=rgpeach10/shell:buildcache-arm64 | |
| cache-to: type=registry,ref=rgpeach10/shell:buildcache-arm64,mode=max | |
| outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true | |
| - name: Export arm64 digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build-arm.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Clean docker | |
| run: | | |
| docker buildx prune -f | |
| docker stop $(docker ps -a -q) 2>/dev/null || true | |
| docker rm $(docker ps -a -q) 2>/dev/null || true | |
| docker rmi $(docker images -a -q) 2>/dev/null || true | |
| docker system prune -a -f | |
| docker volume prune -f | |
| - name: Build and push Docker image amd64 | |
| id: build-amd | |
| uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | |
| with: | |
| context: . | |
| platforms: linux/amd64 | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=registry,ref=rgpeach10/shell:buildcache-amd64 | |
| cache-to: type=registry,ref=rgpeach10/shell:buildcache-amd64,mode=max | |
| outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true | |
| - name: Export amd64 digest | |
| run: | | |
| digest="${{ steps.build-amd.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| # Combine both platform images into a single multi-arch manifest list | |
| - name: Create manifest list and push | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create \ | |
| $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) | |
| - name: Inspect image | |
| run: | | |
| docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} | |
| # Sign both platform digests with cosign | |
| # https://github.com/sigstore/cosign | |
| - name: Sign the published Docker images | |
| env: | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| DIGEST_ARM: ${{ steps.build-arm.outputs.digest }} | |
| DIGEST_AMD: ${{ steps.build-amd.outputs.digest }} | |
| run: | | |
| echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST_ARM} | |
| echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST_AMD} |