Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 68 additions & 3 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,10 @@
name: Publish Docker Image
# Self-contained build + sign for challenger-go. This repo is public and cannot call
# the private actions-workflows reusables, so the build is inlined here (faithful port
# of docker-build-and-publish.yaml for challenger-go) and signing runs via the local
# sign-image.yaml. The signer is referenced as <repo>/sign-image.yaml@main so the
# cosign keyless SAN is sign-image.yaml@refs/heads/main, matching the Kyverno
# verify-chronicle-release-images enforce identity regardless of the build trigger.
on:
workflow_call:
workflow_dispatch:
Expand All @@ -10,11 +16,70 @@ on:
default: ''
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
outputs:
digest: ${{ steps.build.outputs.digest }}
tags: ${{ steps.metadata.outputs.tags }}
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

- name: Docker Metadata
id: metadata
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
with:
images: ghcr.io/chronicleprotocol/challenger-go
tags: |
type=raw,value=${{ inputs.version }},enable=${{ inputs.version != '' }}
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha

- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
with:
install: true

- name: Login to GitHub Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and Push
id: build
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
with:
context: .
file: Dockerfile
build-args: |
APP_NAME=challenger-go
APP_VERSION=${{ inputs.version != '' && inputs.version || steps.metadata.outputs.version }}
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

sign:
name: Sign published image
needs: build-and-push
if: ${{ needs.build-and-push.outputs.digest != '' }}
permissions:
contents: read
id-token: write
packages: write
uses: chronicleprotocol/actions-workflows/.github/workflows/docker-build-and-publish.yaml@main
# Pinned @main so the keyless SAN is sign-image.yaml@refs/heads/main (matches the
# Kyverno enforce identity), invariant of the calling ref.
uses: chronicleprotocol/challenger/.github/workflows/sign-image.yaml@main
with:
application: challenger-go
version: ${{ inputs.version }}
digest: ${{ needs.build-and-push.outputs.digest }}
tags: ${{ needs.build-and-push.outputs.tags }}
Loading