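# Builds the container image on every push/PR, publishes and signs it (keyless
# Cosign via the job's OIDC token) on non-PR events, and hands the image digest
# to a placeholder deploy job.
name: Build & Deploy Docker Image

on:
  push:
    branches:
      - main
    tags:
      - 'v*'
  release:
    types: [published]
  pull_request:
    branches:
      - main

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

# Default token scope for every job; the build job widens it explicitly below.
permissions:
  contents: read

jobs:
  build:
    name: Build Docker Image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # push to the registry
      id-token: write  # Needed for Cosign keyless signing (OIDC token)
    outputs:
      # Immutable identity of what was built; downstream jobs should deploy by
      # digest, not by a mutable tag.
      image-digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # `audit` only logs egress; tighten to `block` with an allow-list once
          # the endpoints the build needs are known.
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

      - name: Log in to Container Registry
        # PRs (including fork PRs, whose token is read-only) build but never push.
        if: github.event_name != 'pull_request'
        uses: step-security/docker-login-action@164e21d7e52229904128e2f946001cb88278c33d # v4.2.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build and push Docker image
        id: build
        uses: step-security/docker-build-push-action@9af9b5acc1751dcec2aa5375a068979fa526bc9a # v7.2.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Install Cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

      - name: Sign Docker image with Cosign (Keyless - OIDC)
        if: github.event_name != 'pull_request'
        env:
          COSIGN_YES: 1
          # Step outputs reach the script through env, not `${{ }}` interpolation
          # into the shell text, so their content cannot change the script.
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          set -euo pipefail
          # Sign the digest rather than the tag list: tags are mutable, the digest
          # is what the signature must bind to. `${IMAGE_NAME,,}` lower-cases the
          # repository name, which registries require (metadata-action does the
          # same for the tag references it emits).
          IMAGE_REF="${REGISTRY}/${IMAGE_NAME,,}@${IMAGE_DIGEST}"
          echo "🔐 Signing image: ${IMAGE_REF}"
          cosign sign "${IMAGE_REF}"

      - name: Verify Docker image signature
        if: github.event_name != 'pull_request'
        env:
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          # No pipe into `head` here: a pipeline without pipefail reports the last
          # command's status, which let a failed verify pass the step.
          set -euo pipefail
          IMAGE_REF="${REGISTRY}/${IMAGE_NAME,,}@${IMAGE_DIGEST}"
          echo "✅ Verifying signature for: ${IMAGE_REF}"
          # Pin the expected signer: a certificate from the GitHub Actions OIDC
          # issuer for a workflow in this repository. cosign v2+ requires these
          # constraints for keyless verification.
          cosign verify \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/" \
            "${IMAGE_REF}"

  deploy:
    name: Deploy to Production
    runs-on: ubuntu-latest
    needs: build
    # Only direct pushes to main or a v* tag deploy; releases and PRs do not.
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Deploy notification
        env:
          # Digest produced by the build job; deploy this exact reference rather
          # than a mutable tag so the signed artifact is what runs.
          IMAGE_DIGEST: ${{ needs.build.outputs.image-digest }}
        run: |
          echo "🚀 Deployment step"
          echo "Image ready at: ${REGISTRY}/${IMAGE_NAME,,}@${IMAGE_DIGEST}"
          echo ""
          echo "Configure deployment by adding one of these steps:"
          echo "1. SSH to server and pull latest image with docker-compose"
          echo "2. Deploy to Kubernetes cluster"
          echo "3. Deploy to container orchestration platform (Docker Swarm, etc.)"
          echo ""
          echo "See .github/workflows/docker.yml for configuration options"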