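---
# Reusable container-image workflow: checks out the repository, builds the
# image with Buildx, tags/labels it via docker/metadata-action, optionally
# pushes it to ghcr.io and, when pushed, attests its build provenance.
# Callable from other workflows (workflow_call) or by hand (workflow_dispatch);
# the push-image input decides whether anything leaves the runner.
#
# NOTE(review): all actions are pinned to major tags (@v4, @v3, ...). Pinning
# to full commit SHAs would harden the pipeline against a re-pointed tag.
name: docker
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      version:
        description: Version tag for the image (uses git commit SHA if not provided)
        required: false
        type: string
      push-image:
        description: "Set to true to push the image, false to only build it"
        required: true
        type: boolean
    secrets:
      # Consumed only as a BuildKit secret in the build step (gh_token).
      GIT_ACCESS_TOKEN:
        description: "A GitHub PAT with permissions to read the private repository."
        required: true
  workflow_dispatch:
    inputs:
      version:
        description: Version tag for the image (uses git commit SHA if not provided)
        required: false
        type: string
      push-image:
        description: "Set to true to push the image, false to only build it"
        required: true
        type: boolean
        default: false
jobs:
  build:
    runs-on: ubuntu-24.04
    # Least privilege for the job token: read the source, publish the package,
    # and mint the OIDC token / attestation used by the provenance step.
    permissions:
      contents: read
      packages: write
      id-token: write # needed for provenance attestation
      attestations: write # needed for provenance attestation
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # The ephemeral job token is sufficient for ghcr.io because the job has
      # packages: write; no long-lived registry credential is involved.
      - name: Login to Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ github.token }}
      # SOURCE_DATE_EPOCH is the HEAD commit time and is forwarded to the
      # Dockerfile as a build-arg below. EXTRA_LABELS is a multi-line env value
      # (heredoc syntax of $GITHUB_ENV) reused for both OCI labels and
      # annotations; the single-brace {{commit_date ...}} template is not a
      # GitHub expression and is left for the metadata step to expand.
      - name: Export build information
        run: |
          echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"
          echo "EXTRA_LABELS<<EOF
          org.opencontainers.image.created={{commit_date 'YYYY-MM-DDTHH:mm:ssZZ'}}
          org.opencontainers.image.title=UI Operator
          org.opencontainers.image.vendor=${{ github.repository_owner }}
          EOF" >> "$GITHUB_ENV"
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          # Use version input if available, otherwise use the git SHA.
          # "latest" is only added when an explicit version was supplied and
          # the build runs on the default branch.
          tags: |
            type=raw,value=${{ inputs.version || github.sha }}
            type=raw,value=latest,enable=${{ inputs.version && '{{is_default_branch}}' || 'false' }}
          labels: ${{ env.EXTRA_LABELS }}
          annotations: ${{ env.EXTRA_LABELS }}
      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ inputs.push-image }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            PRIVATE_REPO_HOST=github.com/scality
            BUILD_DATE=${{ fromJson(steps.meta.outputs.json)['org.opencontainers.image.created'] }}
            GIT_COMMIT=${{ github.sha }}
            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
            VERSION=${{ inputs.version || github.sha }}
          # The PAT is mounted as a BuildKit secret rather than passed as a
          # build-arg, so it is not recorded in the image config/history.
          secrets: |
            gh_token=${{ secrets.GIT_ACCESS_TOKEN }}
      # Only meaningful for a pushed image: the digest output exists for the
      # pushed manifest and the attestation is stored alongside it.
      - name: Generate GitHub SLSA provenance
        uses: actions/attest-build-provenance@v1
        if: ${{ inputs.push-image }}
        with:
          subject-digest: ${{ steps.build.outputs.digest }}
          subject-name: ghcr.io/${{ github.repository }}
          push-to-registry: true
      - name: Output image info to summary
        if: ${{ inputs.push-image }}
        # inputs.version is caller-controlled. It is handed to the shell via
        # env rather than interpolated into the script text, so its content
        # can never be parsed as shell syntax (GitHub Actions script injection).
        env:
          IMAGE_TAG: ${{ inputs.version || github.sha }}
          IMAGE_REPO: ghcr.io/${{ github.repository }}
        run: |
          IMAGE_FULL="${IMAGE_REPO}:${IMAGE_TAG}"
          echo "## Docker Image" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Image pushed to registry:" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
          echo "${IMAGE_FULL}" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Pull command:" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`bash" >> "$GITHUB_STEP_SUMMARY"
          echo "docker pull ${IMAGE_FULL}" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"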