Skip to content

Publish Dev/CI Container Images #10

Publish Dev/CI Container Images

Publish Dev/CI Container Images #10

name: "Publish Dev/CI Container Images"
on:
push:
branches:
- main
paths:
- testing/v8serialize-echo/**/*
schedule:
# weekly, Wednesday @ 04:51
- cron: 51 4 * * 3
workflow_dispatch:
env:
REGISTRY: ghcr.io
TAG_PREFIX: ghcr.io/${{ github.repository }}
jobs:
v8serialize-echo:
name: Build & Publish v8serialize/echoserver Container Images
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Cosign
uses: sigstore/cosign-installer@v3.6.0
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set Environment Variables
run: |
set -x
cd testing/v8serialize-echo
source .envrc
echo "ECHOSERVER_VERSION=${ECHOSERVER_VERSION:?}" >> "${GITHUB_ENV:?}"
- name: Build & Publish CI Container Images
id: bake
uses: docker/bake-action@v5
with:
workdir: testing/v8serialize-echo
provenance: true
sbom: true
push: true
set: |
*.cache-from=type=gha
*.cache-to=type=gha,mode=max
- name: Sign the images with GitHub OIDC Token
env:
BAKE_META: ${{ steps.bake.outputs.metadata }}
run: |
readarray -t image_refs < <(
jq <<<"${BAKE_META:?}" -r '
.[]
| select(.["image.name"]? and .["containerimage.digest"]?)
| (.["containerimage.digest"]) as $containerimage_digest
| (.["image.name"] | split(",")) as $image_names
| $image_names[] | "\(.)@\($containerimage_digest)"
'
)
echo "Images to sign:"
printf ' - %s\n' "${image_refs[@]}"
cosign sign --yes ${image_refs[@]:?}