Build an attested image from latest release #62
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build an attested image from latest release | |
on: | |
workflow_run: | |
workflows: [Build an attested release on tag push] | |
types: | |
- completed | |
schedule: | |
# every Sunday at 4am UTC | |
- cron: "0 4 * * 0" | |
workflow_dispatch: | |
permissions: | |
id-token: write | |
attestations: write | |
contents: write | |
packages: write | |
env: | |
PRODUCT_NAME: ${{ github.event.repository.name }} | |
PRODUCT_REGISTRY: "ghcr.io" | |
PRODUCT_OWNER: ${{ github.repository_owner }} | |
jobs: | |
build-attested-image: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Set up Docker build environment | |
uses: docker/setup-buildx-action@v3 | |
- name: Log in to the registry | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 | |
with: | |
registry: ${{ env.PRODUCT_REGISTRY }} | |
username: ${{ env.PRODUCT_OWNER }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- uses: robinraju/release-downloader@v1.10 | |
id: get-latest-release | |
with: | |
latest: true | |
extract: true | |
- name: Verify attestation for latest release | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
# todo: will need to make this smarter if/when a release contains more than 1 file | |
RELEASE_FILE=`echo ${{ fromJson(steps.get-latest-release.outputs.downloaded_files)[0] }} | awk -F'/' '{print $NF}'` | |
gh attestation verify $RELEASE_FILE -o ${{ env.PRODUCT_OWNER }} | |
echo "IMAGE_BUILD_DATE=$(date '+%Y%m%d')" >> $GITHUB_ENV | |
- name: Create image and push | |
id: create-image-and-push | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: ./Dockerfile | |
platforms: linux/amd64 | |
push: true | |
tags: "${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:${{ steps.get-latest-release.outputs.tag_name }}-${{ env.IMAGE_BUILD_DATE }},${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:${{ steps.get-latest-release.outputs.tag_name }}-latest,${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:latest" | |
- name: Create attestation for container image | |
uses: actions/attest-build-provenance@v1 | |
with: | |
# "Do NOT include a tag as part of the image name -- the specific image being attested is identified by the supplied digest." | |
subject-name: "${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}" | |
subject-digest: "${{ steps.create-image-and-push.outputs.digest }}" | |
push-to-registry: true |