-
Notifications
You must be signed in to change notification settings - Fork 1
55 lines (48 loc) · 1.86 KB
/
docker.yml
File metadata and controls
55 lines (48 loc) · 1.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
name: Publish docker image
on:
workflow_dispatch:
inputs:
release_tag:
description: 'Tag to release'
required: true
type: string
permissions:
contents: read
packages: write
jobs:
build:
runs-on: ubuntu-latest
if: startsWith(github.event.inputs.release_tag, 'v')
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Validate tag format
run: |
TAG=${{ github.event.inputs.release_tag }}
if ! echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "❌ Invalid tag format: $TAG"
exit 1
fi
echo "✅ Valid semver tag: $TAG"
- name: Log in to GitHub Container Registry
uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU for ARM builds
uses: step-security/setup-qemu-action@109c6ed9f089be1a250c75fd6a534e30df44e030 # v4.0.0
- name: Set up Docker Buildx
uses: step-security/setup-buildx-action@f931205d68723ad9589fd2a7e2ece238bf9de341 # v4.0.0
- name: Build and push Docker image
uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}