fix: update and fix docker workflows (#794)

NickOvt · web-flow · commit 7e77db782f54 · 2025-03-10T10:41:17.000+02:00
diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
@@ -1,4 +1,9 @@
 name: Build and publish a Docker image for master branch
+
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ${{ github.repository }}
+
 on:
     push:
         branches:
@@ -13,18 +18,18 @@ jobs:
             - name: Set up QEMU
               uses: docker/setup-qemu-action@v2
               with:
-                  platforms: 'arm64,arm'
+                  platforms: 'arm64'
 
             - name: Set up Docker Buildx
               id: buildx
               uses: docker/setup-buildx-action@v2
               with:
-                  platforms: linux/arm64,linux/amd64,linux/arm/v7
+                  platforms: linux/arm64,linux/amd64
 
             - name: Login to GHCR
               uses: docker/login-action@v3
               with:
-                  registry: ghcr.io
+                  registry: ${{ env.REGISTRY }}
                   username: ${{ github.repository_owner }}
                   password: ${{ secrets.GITHUB_TOKEN }}
 
@@ -35,4 +40,4 @@ jobs:
                   platforms: ${{ steps.buildx.outputs.platforms }}
                   push: true
                   tags: |
-                      ghcr.io/${{ github.repository }}:latest
+                      ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,16 +3,18 @@ on:
         branches:
             - master
 
-permissions:
-    contents: write
-    pull-requests: write
-    packages: write
-    attestations: write
-    id-token: write
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ${{ github.repository }}
 
 name: release
 jobs:
     release_please:
+        permissions:
+            contents: write
+            pull-requests: write
+            id-token: write
+
         runs-on: ubuntu-latest
         outputs:
             major: ${{ steps.release.outputs.major }}
@@ -44,39 +46,68 @@ jobs:
               if: ${{ steps.release.outputs.release_created }}
 
     publish_docker:
+        name: Create and publish a Docker image
         runs-on: ubuntu-latest
+
+        permissions:
+            contents: read
+            packages: write
+            attestations: write
+            id-token: write
+
         needs: release_please
         if: ${{needs.release_please.outputs.release_created}}
+
         steps:
             - run: echo version v${{needs.release_please.outputs.major}}.${{needs.release_please.outputs.minor}}.${{needs.release_please.outputs.patch}}
 
-            - uses: actions/checkout@v4
+            - name: Checkout repository
+              uses: actions/checkout@v4
 
             - name: Set up QEMU
               uses: docker/setup-qemu-action@v3
               with:
-                  platforms: 'arm64,arm'
+                  platforms: 'arm64'
 
             - name: Set up Docker Buildx
               id: buildx
               uses: docker/setup-buildx-action@v3
               with:
-                  platforms: linux/arm64,linux/amd64,linux/arm/v7
+                  platforms: linux/arm64,linux/amd64
 
-            - name: Login to GHCR
+            - name: Log in to the Container registry
               uses: docker/login-action@v3
               with:
-                  registry: ghcr.io
+                  registry: ${{ env.REGISTRY }}
                   username: ${{ github.repository_owner }}
                   password: ${{ secrets.GITHUB_TOKEN }}
 
-            - name: Build and push
-              uses: docker/build-push-action@v5
+            - name: Extract metadata (tags, labels) for Docker
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+                  flavor: |
+                      latest=false
+                  tags: |
+                      type=semver,pattern={{version}},value=v${{needs.release_please.outputs.major}}.${{needs.release_please.outputs.minor}}.${{needs.release_please.outputs.patch}}
+                      type=semver,pattern={{major}}.{{minor}},value=v${{needs.release_please.outputs.major}}.${{needs.release_please.outputs.minor}}.${{needs.release_please.outputs.patch}}
+                      type=semver,pattern={{major}},value=v${{needs.release_please.outputs.major}}.${{needs.release_please.outputs.minor}}.${{needs.release_please.outputs.patch}}
+
+            - name: Build and push Docker image
+              id: push
+              uses: docker/build-push-action@v6
               with:
                   context: .
-                  platforms: ${{ steps.buildx.outputs.platforms }}
                   push: true
-                  tags: |
-                      ghcr.io/${{ github.repository }}:${{needs.release_please.outputs.major}}.${{needs.release_please.outputs.minor}}.${{needs.release_please.outputs.patch}}
-                      ghcr.io/${{ github.repository }}:${{needs.release_please.outputs.major}}.${{needs.release_please.outputs.minor}}
-                      ghcr.io/${{ github.repository }}:${{needs.release_please.outputs.major}}
+                  platforms: ${{ steps.buildx.outputs.platforms }}
+                  tags: ${{ steps.meta.outputs.tags }}
+                  labels: ${{ steps.meta.outputs.labels }}
+
+            - name: Generate artifact attestation
+              uses: actions/attest-build-provenance@v1
+              with:
+                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+                  subject-digest: ${{ steps.push.outputs.digest }}
+                  push-to-registry: true
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
