Docker Provenance Multi-Arch Build #9
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Provenance Multi-Arch Build | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| build: | |
| strategy: | |
| matrix: | |
| arch: [amd64, arm64] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-24.04 | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| runs-on: ${{ matrix.runner }} | |
| outputs: | |
| version: ${{ steps.version.outputs.tag }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Extract release version | |
| id: version | |
| run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| - name: Build and push image with provenance for ${{ matrix.arch }} | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/${{ matrix.arch }} | |
| tags: fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }} | |
| push: true | |
| provenance: true | |
| build-args: | | |
| VERSION=${{ steps.version.outputs.tag }} | |
| merge: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Extract release version | |
| run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Merge multi-arch image | |
| run: | | |
| docker buildx imagetools create \ | |
| --tag fontebasso/php-nginx:${RELEASE_VERSION} \ | |
| --tag fontebasso/php-nginx:latest \ | |
| fontebasso/php-nginx:${RELEASE_VERSION}-amd64 \ | |
| fontebasso/php-nginx:${RELEASE_VERSION}-arm64 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Sign image using GitHub OIDC | |
| env: | |
| COSIGN_EXPERIMENTAL: "1" | |
| run: | | |
| cosign sign --yes docker.io/fontebasso/php-nginx:${RELEASE_VERSION} | |
| cosign sign --yes docker.io/fontebasso/php-nginx:latest | |
| - name: Generate and attach SLSA Provenance | |
| run: | | |
| cosign attest --yes \ | |
| --type=provenance \ | |
| docker.io/fontebasso/php-nginx:${RELEASE_VERSION} | |
| cosign attest --yes \ | |
| --type=provenance \ | |
| docker.io/fontebasso/php-nginx:latest |