-
Notifications
You must be signed in to change notification settings - Fork 0
84 lines (76 loc) · 3.1 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: release
on:
push:
branches:
- main
tags:
- '*'
env:
IMAGE_NAME: ${{ github.event.repository.name }}
VERSION: '1.6.1'
SHA256: '0019dfc4b32d63c1392aa264aed2253c1e0c2fb09216f8e2cc269bbfb8bb49b5'
jobs:
build-push:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Set up cosign
uses: sigstore/cosign-installer@main
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: thojkooi
password: ${{ secrets.GHCR_TOKEN }}
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: thojkooi
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: Verify base image
run: |
cosign dockerfile verify -base-image-only -key ./build/cosign-allowed-dependencies.pub Dockerfile
- name: Publish container image
uses: docker/build-push-action@v3
with:
push: true
builder: ${{ steps.buildx.outputs.name }}
context: .
file: ./Dockerfile
platforms: linux/amd64
tags: |
ghcr.io/containerinfra/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
docker.io/containerinfra/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
build-args: |
GHOSTUNNEL_VERSION=v${{ env.VERSION }}
GHOSTUNNEL_SHA256=${{ env.SHA256 }}
labels: |
org.opencontainers.image.title=${{ github.event.repository.name }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.version=${{ env.VERSION }}
- name: sign container image
run: |
echo "$COSIGN_KEY" >> cosign.key
cosign sign --key cosign.key ghcr.io/containerinfra/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
cosign sign --key cosign.key docker.io/containerinfra/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
shell: bash
env:
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- name: Check images
run: |
docker buildx imagetools inspect docker.io/containerinfra/${IMAGE_NAME}:${{ env.VERSION }}
docker buildx imagetools inspect ghcr.io/containerinfra/${IMAGE_NAME}:${{ env.VERSION }}
docker pull docker.io/containerinfra/${IMAGE_NAME}:${{ env.VERSION }}
docker pull ghcr.io/containerinfra/${IMAGE_NAME}:${{ env.VERSION }}
cosign verify --key cosign.pub docker.io/containerinfra/${IMAGE_NAME}:${{ env.VERSION }}
cosign verify --key cosign.pub ghcr.io/containerinfra/${IMAGE_NAME}:${{ env.VERSION }}
- uses: anchore/sbom-action@v0
with:
image: ghcr.io/containerinfra/${{ env.IMAGE_NAME }}:${{ env.VERSION }}