Build an attested image from latest release

Build an attested image from latest release #65

Workflow file for this run

.github/workflows/build-attested-image.yml at d7d7d94

	name: Build an attested image from latest release
	on:
	workflow_run:
	workflows: [Build an attested release on tag push]
	types:
	- completed
	schedule:
	# every Sunday at 4am UTC
	- cron: "0 4 * * 0"
	workflow_dispatch:

	permissions:
	id-token: write
	attestations: write
	contents: write
	packages: write

	env:
	PRODUCT_NAME: ${{ github.event.repository.name }}
	PRODUCT_REGISTRY: "ghcr.io"
	PRODUCT_OWNER: ${{ github.repository_owner }}

	jobs:
	build-attested-image:
	runs-on: ubuntu-latest
	steps:
	- name: Check out code
	uses: actions/checkout@v4
	- name: Set up Docker build environment
	uses: docker/setup-buildx-action@v3
	- name: Log in to the registry
	uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
	with:
	registry: ${{ env.PRODUCT_REGISTRY }}
	username: ${{ env.PRODUCT_OWNER }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- uses: robinraju/release-downloader@v1.10
	id: get-latest-release
	with:
	latest: true
	extract: true
	- name: Verify attestation for latest release
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	# todo: will need to make this smarter if/when a release contains more than 1 file
	RELEASE_FILE=`echo ${{ fromJson(steps.get-latest-release.outputs.downloaded_files)[0] }} \| awk -F'/' '{print $NF}'`
	gh attestation verify $RELEASE_FILE -o ${{ env.PRODUCT_OWNER }}
	echo "IMAGE_BUILD_DATE=$(date '+%Y%m%d')" >> $GITHUB_ENV
	- name: Create image and push
	id: create-image-and-push
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ./Dockerfile
	platforms: linux/amd64
	push: true
	tags: "${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:${{ steps.get-latest-release.outputs.tag_name }}-${{ env.IMAGE_BUILD_DATE }},${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:${{ steps.get-latest-release.outputs.tag_name }}-latest,${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}:latest"
	- name: Create attestation for container image
	uses: actions/attest-build-provenance@v1
	with:
	# "Do NOT include a tag as part of the image name -- the specific image being attested is identified by the supplied digest."
	subject-name: "${{ env.PRODUCT_REGISTRY }}/${{ env.PRODUCT_OWNER }}/${{ env.PRODUCT_NAME }}"
	subject-digest: "${{ steps.create-image-and-push.outputs.digest }}"
	push-to-registry: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build an attested image from latest release #65

Workflow file

Build an attested image from latest release #65

Jobs

Run details

Workflow file for this run