Docker Image Release #2
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Image Release | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| id-token: write | |
| contents: read | |
| packages: write | |
| jobs: | |
| build-images: | |
| strategy: | |
| matrix: | |
| arch: [amd64, arm64] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-24.04 | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| runs-on: ${{ matrix.runner }} | |
| outputs: | |
| version: ${{ steps.version.outputs.tag }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Extract release version | |
| id: version | |
| run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| - name: Build and push image for ${{ matrix.arch }} | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/${{ matrix.arch }} | |
| tags: fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }} | |
| push: true | |
| provenance: false | |
| build-args: | | |
| VERSION=${{ steps.version.outputs.tag }} | |
| merge-multiarch: | |
| name: Merge Multi-Arch Image and Sign | |
| needs: build-images | |
| runs-on: ubuntu-latest | |
| outputs: | |
| digest: ${{ steps.push.outputs.digest }} | |
| steps: | |
| - name: Extract release version | |
| run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Merge multi-arch image and get digest | |
| id: push | |
| run: | | |
| docker buildx imagetools create \ | |
| --tag fontebasso/php-nginx:${RELEASE_VERSION} \ | |
| --tag fontebasso/php-nginx:latest \ | |
| fontebasso/php-nginx:${RELEASE_VERSION}-amd64 \ | |
| fontebasso/php-nginx:${RELEASE_VERSION}-arm64 | |
| digest=$(docker buildx imagetools inspect fontebasso/php-nginx:${RELEASE_VERSION} --format '{{json .}}' | jq -r '.manifest.digest') | |
| echo "digest=$digest" | |
| echo "digest=$digest" >> "$GITHUB_OUTPUT" | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Sign image by digest (OIDC keyless) | |
| env: | |
| COSIGN_EXPERIMENTAL: "1" | |
| run: | | |
| cosign sign --yes docker.io/fontebasso/php-nginx@${{ steps.push.outputs.digest }} | |
| attach-sbom: | |
| name: Generate and Attach SBOM | |
| needs: merge-multiarch | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install Syft | |
| uses: anchore/sbom-action/[email protected] | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Generate SBOM (Syft JSON) | |
| run: | | |
| syft docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} \ | |
| -o spdx-json > sbom.spdx.json | |
| - name: Attach SBOM to image | |
| run: | | |
| cosign attach sbom \ | |
| --sbom sbom.spdx.json \ | |
| docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} | |
| - name: Upload SBOM artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: 'sbom' | |
| path: sbom.spdx.json | |
| - name: Sign SBOM | |
| env: | |
| COSIGN_EXPERIMENTAL: "1" | |
| run: | | |
| cosign sign --yes \ | |
| --attachment sbom \ | |
| docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} | |
| generate-provenance: | |
| name: Generate SLSA Provenance v1.1 | |
| needs: merge-multiarch | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| image: docker.io/fontebasso/php-nginx | |
| digest: ${{ needs.merge-multiarch.outputs.digest }} | |
| secrets: | |
| registry-username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| registry-password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| permissions: | |
| packages: write | |
| id-token: write | |
| contents: read | |
| actions: read | |
| publish-assets: | |
| name: Publish SBOM and Provenance to Release | |
| needs: [ attach-sbom, generate-provenance, merge-multiarch ] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Extract release version | |
| run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Download provenance from registry | |
| run: | | |
| cosign download attestation \ | |
| docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} \ | |
| --output-file provenance.intoto.jsonl | |
| - name: Download SBOM artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: 'sbom' | |
| - name: Save digest to file | |
| run: echo "${{ needs.merge-multiarch.outputs.digest }}" > digest.txt | |
| - name: Generate checksums | |
| run: | | |
| sha256sum \ | |
| provenance.intoto.jsonl \ | |
| sbom.spdx.json \ | |
| digest.txt > checksums.txt | |
| - name: Upload release assets | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| files: | | |
| provenance.intoto.jsonl | |
| sbom.spdx.json | |
| digest.txt | |
| checksums.txt |