8.0.2 #15

Workflow file for this run

.github/workflows/release.yml at 113996f

	name: Docker Image Release

	on:
	release:
	types:
	- published

	permissions:
	id-token: write
	contents: read
	packages: write

	jobs:
	build-images:
	strategy:
	matrix:
	arch: [amd64, arm64]
	include:
	- arch: amd64
	runner: ubuntu-24.04
	- arch: arm64
	runner: ubuntu-24.04-arm

	runs-on: ${{ matrix.runner }}
	outputs:
	version: ${{ steps.version.outputs.tag }}
	alpine_version: ${{ steps.versions.outputs.alpine_version }}
	php_version: ${{ steps.versions.outputs.php_version }}
	nginx_version: ${{ steps.versions.outputs.nginx_version }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Extract release version
	id: version
	run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"

	- name: Log in to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	with:
	install: true

	- name: Software updated versions
	id: versions
	run: \|
	alpine_version=$(curl -s https://alpinelinux.org/downloads/ \| grep -oP 'Current Alpine Version <strong>\K[0-9]+\.[0-9]+\.[0-9]+')
	php_version=$(curl -s "https://www.php.net/releases/index.php?json&version=8.3" \| jq -r '.version')
	nginx_version=$(curl -s https://nginx.org/en/CHANGES \| grep -m1 -oP 'Changes with nginx \K[0-9]+\.[0-9]+\.[0-9]+')
	[ -z "$alpine_version" ] && { echo "Error: empty alpine_version"; exit 1; }
	[ -z "$php_version" ] && { echo "Error: empty php_version"; exit 1; }
	[ -z "$nginx_version" ] && { echo "Error: empty nginx_version"; exit 1; }
	echo "alpine_version=$alpine_version" >> "$GITHUB_OUTPUT"
	echo "php_version=$php_version" >> "$GITHUB_OUTPUT"
	echo "nginx_version=$nginx_version" >> "$GITHUB_OUTPUT"

	- name: Build and push image for ${{ matrix.arch }}
	uses: docker/build-push-action@v6
	with:
	context: .
	platforms: linux/${{ matrix.arch }}
	tags: fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }}
	push: true
	provenance: true
	sbom: true
	build-args: \|
	VERSION=${{ steps.version.outputs.tag }}
	ALPINE_VERSION=${{ steps.versions.outputs.alpine_version }}
	PHP_VERSION=${{ steps.versions.outputs.php_version }}
	NGINX_VERSION=${{ steps.versions.outputs.nginx_version }}

	- name: Install Cosign
	uses: sigstore/[email protected]

	- name: Digest for image
	id: get_digest
	run: \|
	digest=$(docker buildx imagetools inspect fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }} --format '{{json .}}' \| jq -r '.manifest.digest')
	echo "digest=$digest"
	echo "digest=$digest" >> "$GITHUB_OUTPUT"

	- name: Sign image by digest (OIDC keyless)
	env:
	COSIGN_EXPERIMENTAL: "1"
	run: \|
	cosign sign --yes docker.io/fontebasso/php-nginx@${{ steps.get_digest.outputs.digest }}

	merge-multiarch:
	name: Merge Multi-Arch Image and Sign
	needs: build-images
	runs-on: ubuntu-latest
	outputs:
	digest: ${{ steps.push.outputs.digest }}
	steps:
	- name: Extract release version
	run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV

	- name: Log in to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Merge multi-arch image and get digest
	id: push
	run: \|
	docker buildx imagetools create \
	--tag fontebasso/php-nginx:${RELEASE_VERSION} \
	--tag fontebasso/php-nginx:latest \
	fontebasso/php-nginx:${RELEASE_VERSION}-amd64 \
	fontebasso/php-nginx:${RELEASE_VERSION}-arm64
	digest=$(docker buildx imagetools inspect fontebasso/php-nginx:${RELEASE_VERSION} --format '{{json .}}' \| jq -r '.manifest.digest')
	echo "digest=$digest" >> "$GITHUB_OUTPUT"

	- name: Install Cosign
	uses: sigstore/[email protected]

	- name: Sign image by digest (OIDC keyless)
	env:
	COSIGN_EXPERIMENTAL: "1"
	run: \|
	cosign sign --yes docker.io/fontebasso/php-nginx@${{ steps.push.outputs.digest }}

	generate-sbom:
	name: Generate SBOM
	needs: merge-multiarch
	runs-on: ubuntu-latest
	steps:
	- name: Install Syft
	uses: anchore/sbom-action@v0
	with:
	image: fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }}
	format: spdx-json
	output-file: sbom.spdx.json
	registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
	registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
	upload-artifact: "false"

	- name: Upload SBOM
	uses: actions/upload-artifact@v4
	with:
	name: sbom.spdx.json
	path: sbom.spdx.json
	permissions:
	actions: read
	contents: write

	attest-sbom:
	name: Attest SBOM
	needs: [merge-multiarch, generate-sbom]
	runs-on: ubuntu-latest
	steps:
	- name: Log in to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Download SBOM artifact
	uses: actions/download-artifact@v4
	with:
	name: sbom.spdx.json

	- name: Install Cosign
	uses: sigstore/[email protected]

	- name: Attest SBOM with Cosign (OIDC keyless)
	env:
	COSIGN_EXPERIMENTAL: "1"
	run: \|
	cosign attest --yes \
	--predicate sbom.spdx.json \
	--type https://spdx.dev/Document \
	docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }}

	generate-provenance:
	name: Generate SLSA Provenance
	needs: merge-multiarch
	if: startsWith(github.ref, 'refs/tags/')
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: docker.io/fontebasso/php-nginx
	digest: ${{ needs.merge-multiarch.outputs.digest }}
	secrets:
	registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
	registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
	permissions:
	id-token: write
	contents: read
	packages: write
	actions: read

	release:
	name: Release Files
	needs: [merge-multiarch, attest-sbom, generate-provenance]
	runs-on: ubuntu-latest
	permissions:
	contents: write
	steps:
	- name: Download SBOM artifact
	uses: actions/download-artifact@v4
	with:
	name: sbom.spdx.json

	- uses: fontebasso/generate-licenses-md-from-sbom@v1
	with:
	sbom-file: sbom.spdx.json
	output-file: LICENSES.md
	overrides: \|
	nginx=BSD-2-Clause
	php-cli=PHP-3.01
	php-fpm=PHP-3.01
	fontebasso/php-nginx=MIT
	*******/php-nginx=MIT

	- name: Install Cosign
	uses: sigstore/[email protected]

	- name: Download Provenance attestation
	run: \|
	cosign download attestation \
	docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} \
	--output-file provenance.intoto.jsonl

	- name: Generate checksum.txt
	run: \|
	sha256sum sbom.spdx.json provenance.intoto.jsonl LICENSES.md > checksum.txt

	- name: Sign checksum.txt with Cosign (OIDC keyless)
	env:
	COSIGN_EXPERIMENTAL: "1"
	run: \|
	cosign sign-blob --yes --output-signature checksum.txt.sig checksum.txt

	- name: Upload Provenance, SBOM, and Checksum (signed) to Release
	uses: softprops/action-gh-release@v2
	with:
	files: \|
	sbom.spdx.json
	provenance.intoto.jsonl
	checksum.txt
	checksum.txt.sig
	LICENSES.md
	continue-on-error: false

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

8.0.2 #15

Workflow file

8.0.2 #15

Jobs

Run details

Workflow file for this run