@@ -6,14 +6,7 @@ name: Docker
66# documentation.
77
88on :
9- # schedule:
10- # - cron: "27 0 * * *"
11- push :
12- branches : ["main", "next"]
13- # Publish semver tags as releases.
14- tags : ["v*.*.*"]
15- pull_request :
16- branches : ["main", "next"]
9+ workflow_run :
1710
1811env :
1912 # Use docker.io for Docker Hub if empty
3528 - name : Checkout repository
3629 uses : actions/checkout@v4
3730
38- # Install the cosign tool except on PR
39- # https://github.com/sigstore/cosign-installer
40- - name : Install cosign
41- if : github.event_name != 'pull_request'
42- uses : sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
43- with :
44- cosign-release : " v2.2.4"
45-
4631 # Set up BuildKit Docker container builder to be able to build
4732 # multi-platform images and export cache
4833 # https://github.com/docker/setup-buildx-action
@@ -52,71 +37,23 @@ jobs:
5237 # Login against a Docker registry except on PR
5338 # https://github.com/docker/login-action
5439 - name : Log into registry ${{ env.REGISTRY }}
55- if : github.event_name != 'pull_request'
5640 uses : docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
5741 with :
5842 registry : ${{ env.REGISTRY }}
5943 username : ${{ github.actor }}
6044 password : ${{ secrets.GITHUB_TOKEN }}
6145
62- # Extract metadata (tags, labels) for Docker
63- # https://github.com/docker/metadata-action
64- - name : Extract Docker metadata
65- id : meta
66- uses : docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
67- with :
68- images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
69- tags : |
70- type=schedule
71- type=ref,event=branch
72- type=ref,event=tag
73- type=ref,event=pr
74- type=semver,pattern={{version}}
75- type=semver,pattern={{major}}.{{minor}}
76- type=semver,pattern={{major}}
77- type=sha
78- type=edge
79- # Custom rule to prevent pre-releases from getting latest tag
80- type=raw,value=latest,enable=${{ github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}
81-
82- name : Go Build Cache for Docker
83- uses : actions/cache@v4
84- with :
85- path : go-build-cache
86- key : ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
87-
88- - name : Inject go-build-cache
89- uses : reproducible-containers/buildkit-cache-dance@4b2444fec0c0fb9dbf175a96c094720a692ef810 # v2.1.4
90- with :
91- cache-source : go-build-cache
92-
9346 # Build and push Docker image with Buildx (don't push on PR)
9447 # https://github.com/docker/build-push-action
9548 - name : Build and push Docker image
9649 id : build-and-push
9750 uses : docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
9851 with :
9952 context : .
100- push : ${{ github.event_name != 'pull_request' }}
101- tags : ${{ steps.meta.outputs.tags }}
102- labels : ${{ steps.meta.outputs.labels }}
53+ tags : latest
10354 cache-from : type=gha
10455 cache-to : type=gha,mode=max
10556 platforms : linux/amd64,linux/arm64
10657 build-args : |
10758 VERSION=${{ github.ref_name }}
10859
109- # Sign the resulting Docker image digest except on PRs.
110- # This will only write to the public Rekor transparency log when the Docker
111- # repository is public to avoid leaking data. If you would like to publish
112- # transparency data even for private images, pass --force to cosign below.
113- # https://github.com/sigstore/cosign
114- - name : Sign the published Docker image
115- if : ${{ github.event_name != 'pull_request' }}
116- env :
117- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
118- TAGS : ${{ steps.meta.outputs.tags }}
119- DIGEST : ${{ steps.build-and-push.outputs.digest }}
120- # This step uses the identity token to provision an ephemeral certificate
121- # against the sigstore community Fulcio instance.
122- run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
0 commit comments