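--- a/PATH_PLACEHOLDER.yml
+++ b/PATH_PLACEHOLDER.yml
@@ -1,45 +1,54 @@
-name: Publish Docker image
+#
+name: Create and publish a Docker image
 
 on:
   push:
-    branches:
-      - 'release/**'
+    branches: ['release/*']
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  build-and-push:
+  build-and-push-image:
     runs-on: ubuntu-latest
+
     permissions:
       contents: read
       packages: write
+      attestations: write
+      id-token: write
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=sha
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+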
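Review bot: The new `uses:` lines for `actions/checkout@v4` and `actions/attest-build-provenance@v1` reference mutable tags while the three `docker/*` actions in the same hunk are pinned to full commit SHAs, so the job's supply-chain posture is only as strong as its weakest reference — a tag can be retargeted by whoever controls the action repository, and the attestation step in particular runs with `id-token: write`. Pin those two to a commit as well and keep the version readable in a trailing comment, e.g. `uses: actions/checkout@<commit-sha-placeholder> # v4` and `uses: actions/attest-build-provenance@<commit-sha-placeholder> # v1`. Two smaller points: `subject-name` writes `${{ env.IMAGE_NAME}}` without the space every other expression in the file uses, and dropping the explicit `tags:` input from the metadata step presumably removes the `type=sha` tag, so pushed images are no longer addressable by a commit-derived tag and the attestation's `subject-digest` becomes the only immutable handle — confirm that is intended.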