2626
2727 steps :
2828 - name : Checkout
29- uses : actions/checkout@v4
29+ uses : actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
3030
3131 - name : Prepare image metadata
3232 id : meta
@@ -60,39 +60,18 @@ jobs:
6060 } >> "${GITHUB_OUTPUT}"
6161
6262 - name : Set up Docker Buildx
63- uses : docker/setup-buildx-action@v3
63+ uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
6464
6565 - name : Log in to GitHub Container Registry
66- uses : docker/login-action@v3
66+ uses : docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
6767 with :
6868 registry : ghcr.io
6969 username : ${{ github.actor }}
7070 password : ${{ secrets.GITHUB_TOKEN }}
7171
72- - name : Build ${{ matrix.flavor }} image for verification
73- uses : docker/build-push-action@v6
74- with :
75- context : .
76- file : ./Dockerfile
77- build-args : |
78- RUNTIME_FLAVOR=${{ matrix.flavor }}
79- load : true
80- tags : ${{ steps.meta.outputs.image }}:verify-${{ matrix.flavor }}
81- labels : |
82- org.opencontainers.image.title=${{ env.IMAGE_NAME }}
83- org.opencontainers.image.description=AI agent runtime optimized for general tasks (${{ matrix.flavor }})
84- org.opencontainers.image.source=https://github.com/${{ github.repository }}
85- org.opencontainers.image.revision=${{ github.sha }}
86- org.opencontainers.image.version=${{ steps.meta.outputs.version_tag }}
87- cache-from : type=gha,scope=push-${{ matrix.flavor }}
88- cache-to : type=gha,mode=max,scope=push-${{ matrix.flavor }}
89-
90- - name : Verify ${{ matrix.flavor }} runtime
91- run : docker run --rm "${{ steps.meta.outputs.image }}:verify-${{ matrix.flavor }}" verify-runtime
92-
93- - name : Push verified ${{ matrix.flavor }} image with attestations
72+ - name : Build and push ${{ matrix.flavor }} candidate with attestations
9473 id : push
95- uses : docker/build-push-action@v6
74+ uses : docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
9675 with :
9776 context : .
9877 file : ./Dockerfile
10180 push : true
10281 provenance : mode=max
10382 sbom : true
104- tags : ${{ steps.meta.outputs.push_tags }}
83+ tags : ${{ steps.meta.outputs.image }}:verify-${{ matrix.flavor }}
10584 labels : |
10685 org.opencontainers.image.title=${{ env.IMAGE_NAME }}
10786 org.opencontainers.image.description=AI agent runtime optimized for general tasks (${{ matrix.flavor }})
@@ -111,12 +90,35 @@ jobs:
11190 cache-from : type=gha,scope=push-${{ matrix.flavor }}
11291 cache-to : type=gha,mode=max,scope=push-${{ matrix.flavor }}
11392
93+ - name : Verify ${{ matrix.flavor }} runtime from pushed digest
94+ run : |
95+ docker pull "${{ steps.meta.outputs.image }}@${{ steps.push.outputs.digest }}"
96+ docker tag "${{ steps.meta.outputs.image }}@${{ steps.push.outputs.digest }}" "${{ steps.meta.outputs.image }}:verify-${{ matrix.flavor }}"
97+ docker run --rm "${{ steps.meta.outputs.image }}:verify-${{ matrix.flavor }}" verify-runtime
98+
99+ - name : Promote verified ${{ matrix.flavor }} digest to version tags
100+ run : |
101+ docker buildx imagetools create \
102+ --tag "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version_tag }}" \
103+ "${{ steps.meta.outputs.image }}@${{ steps.push.outputs.digest }}"
104+
105+ - name : Promote verified ${{ matrix.flavor }} digest to stable tags
106+ run : |
107+ tags="${{ steps.meta.outputs.push_tags }}"
108+ args=""
109+ while IFS= read -r tag; do
110+ [ -n "$tag" ] || continue
111+ args="$args --tag $tag"
112+ done <<< "$tags"
113+ # shellcheck disable=SC2086
114+ docker buildx imagetools create $args "${{ steps.meta.outputs.image }}@${{ steps.push.outputs.digest }}"
115+
114116 - name : Install cosign
115- uses : sigstore/cosign-installer@v3.8.1
117+ uses : sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
116118 with :
117- cosign-release : ' v2.4.3'
119+ cosign-release : v2.4.3
118120
119- - name : Sign image with cosign
121+ - name : Sign ${{ matrix.flavor }} image
120122 env :
121123 COSIGN_YES : true
122124 run : |
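Review bot: The candidate is now pushed to ghcr.io under the predictable tag `:verify-${{ matrix.flavor }}` before `verify-runtime` runs, so an image that fails verification stays pullable under that name with provenance and SBOM attestations attached, whereas the old flow only loaded it locally with `load: true`. Scoping the tag per run, e.g. `tags: ${{ steps.meta.outputs.image }}:verify-${{ matrix.flavor }}-${{ github.run_id }}`, and adding a `# candidate only; never consume verify-* tags` comment above it would limit exposure, or a follow-up `if: failure()` step could remove the tag. The promotion steps also interpolate `steps.meta.outputs.push_tags` and `steps.push.outputs.digest` straight into `run:` shell; if push_tags is derived from ref or tag names (its producer is outside this hunk), that is a script-injection surface, so pass them via `env:` (`PUSH_TAGS: ${{ steps.meta.outputs.push_tags }}`) and read `tags="$PUSH_TAGS"` in the script. The cosign signing step's body continues past the end of the hunk, so whether it signs the promoted digest rather than a mutable tag cannot be confirmed here.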