Skip to content

Build an attested image from latest release #64

Build an attested image from latest release

Build an attested image from latest release #64

name: Build an attested image from latest release
on:
workflow_run:
workflows: [Build an attested release on tag push]
types:
- completed
schedule:
# every Sunday at 4am UTC
- cron: "0 4 * * 0"
workflow_dispatch:
permissions:
id-token: write
attestations: write
contents: write
packages: write
env:
PRODUCT_NAME: ${{ github.event.repository.name }}
PRODUCT_REGISTRY: "ghcr.io"
PRODUCT_OWNER: ${{ github.repository_owner }}
jobs:
build-attested-image:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up Docker build environment
uses: docker/setup-buildx-action@v3
- name: Log in to the registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
with:
registry: ${{ env.PRODUCT_REGISTRY }}
username: ${{ env.PRODUCT_OWNER }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: robinraju/release-downloader@v1.10
id: get-latest-release
with:
latest: true
extract: true
- name: Verify attestation for latest release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# todo: will need to make this smarter if/when a release contains more than 1 file
RELEASE_FILE=`echo ${{ fromJson(steps.get-latest-release.outputs.downloaded_files)[0] }} | awk -F'/' '{print $NF}'`
gh attestation verify $RELEASE_FILE -o ${{ env.PRODUCT_OWNER }}
echo "IMAGE_BUILD_DATE=$(date '+%Y%m%d')" >> $GITHUB_ENV
- name: Create image and push
id: create-image-and-push
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
push: true
tags: "${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:${{ steps.get-latest-release.outputs.tag_name }}-${{ env.IMAGE_BUILD_DATE }},${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:${{ steps.get-latest-release.outputs.tag_name }}-latest,${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:latest"
- name: Create attestation for container image
uses: actions/attest-build-provenance@v1
with:
# "Do NOT include a tag as part of the image name -- the specific image being attested is identified by the supplied digest."
subject-name: "${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}"
subject-digest: "${{ steps.create-image-and-push.outputs.digest }}"
push-to-registry: true