Update docker publish workflow to use new version

bigbrainenergy-org · Sep 28, 2024 · fe03eb2 · fe03eb2
1 parent 38ba7c5
commit fe03eb2
Showing 1 changed file with 19 additions and 16 deletions.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -1,33 +1,28 @@
-name: Docker
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
+name: Docker Publish
 
+# Only publish when a semver tag is created:
+# https://github.com/bigbrainenergy-org/web.tdl.app/releases/new
 on:
-  schedule:
-    - cron: '32 4 * * *'
   push:
-    branches: [ "main" ]
+    # branches: ['main']
     # Publish semver tags as releases.
-    tags: [ 'v*.*.*' ]
-  pull_request:
-    branches: [ "main" ]
+    tags: ['v*.*.*']
 
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
-
+  # Get the docker image tag, e.g. `v0.0.1`
+  TAG_NAME: ${{ github.ref_name }}
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      actions: read
+      attestations: write
+      contents: write
       packages: write
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
@@ -87,7 +82,7 @@ jobs:
       # repository is public to avoid leaking data.  If you would like to publish
       # transparency data even for private images, pass --force to cosign below.
       # https://github.com/sigstore/cosign
-      # FIXME: This step is broken, and ultimately we don't verify the image signature anyway
+      # FIXME: The signing step is broken, I can't tell why, and I don't care about fixing it that much atm
       # - name: Sign the published Docker image
       #   if: ${{ github.event_name != 'pull_request' }}
       #   env:
@@ -97,3 +92,11 @@ jobs:
       #   # This step uses the identity token to provision an ephemeral certificate
       #   # against the sigstore community Fulcio instance.
       #   run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+      # 😒🫸 Signing and attestation?
+      # 😏👉 SBOM for no particular reason?
+      - name: Anchore SBOM Action
+        uses: anchore/sbom-action@v0
+        with:
+          upload-release-assets: true
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG_NAME }}