@@ -28,72 +28,46 @@ jobs:
2828
2929 runs-on : ubuntu-latest
3030 permissions :
31- contents : read
32- packages : write
33- # This is used to complete the identity challenge
34- # with sigstore/fulcio when running outside of PRs.
3531 id-token : write
32+ packages : write
33+ contents : read
34+ attestations : write
35+
36+ env :
37+ REGISTRY : ghcr.io
38+ IMAGE_NAME : ${{ github.repository }}
3639
3740 steps :
3841 - name : Checkout repository
39- uses : actions/checkout@v3
40-
41- # Install the cosign tool except on PR
42- # https://github.com/sigstore/cosign-installer
43- - name : Install cosign
44- if : github.event_name != 'pull_request'
45- uses : sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
46- with :
47- cosign-release : ' v2.1.1'
42+ uses : actions/checkout@v4
4843
4944 # Set up BuildKit Docker container builder to be able to build
5045 # multi-platform images and export cache
5146 # https://github.com/docker/setup-buildx-action
5247 - name : Set up Docker Buildx
5348 uses : docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
5449
55- # Login against a Docker registry except on PR
56- # https://github.com/docker/login-action
57- - name : Log into registry ${{ env.REGISTRY }}
58- if : github.event_name != 'pull_request'
59- uses : docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
50+ - name : Login to GitHub Container Registry
51+ uses : docker/login-action@v3
6052 with :
6153 registry : ${{ env.REGISTRY }}
6254 username : ${{ github.actor }}
6355 password : ${{ secrets.GITHUB_TOKEN }}
6456
65- # Extract metadata (tags, labels) for Docker
66- # https://github.com/docker/metadata-action
67- - name : Extract Docker metadata
68- id : meta
69- uses : docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
70- with :
71- images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
72-
73- # Build and push Docker image with Buildx (don't push on PR)
74- # https://github.com/docker/build-push-action
75- - name : Build and push Docker image
76- id : build-and-push
77- uses : docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
57+ - name : Build and push image (main)
58+ id : push
59+ uses : docker/build-push-action@v5.0.0
7860 with :
7961 context : .
80- push : ${{ github.event_name != 'pull_request' }}
81- tags : ${{ steps.meta.outputs.tags }}
82- labels : ${{ steps.meta.outputs.labels }}
62+ push : true
63+ tags : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event_name != 'pull_request' && 'latest' || github.sha }}
8364 cache-from : type=gha
8465 cache-to : type=gha,mode=max
85-
86- # Sign the resulting Docker image digest except on PRs.
87- # This will only write to the public Rekor transparency log when the Docker
88- # repository is public to avoid leaking data. If you would like to publish
89- # transparency data even for private images, pass --force to cosign below.
90- # https://github.com/sigstore/cosign
91- - name : Sign the published Docker image
92- if : ${{ github.event_name != 'pull_request' }}
93- env :
94- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
95- TAGS : ${{ steps.meta.outputs.tags }}
96- DIGEST : ${{ steps.build-and-push.outputs.digest }}
97- # This step uses the identity token to provision an ephemeral certificate
98- # against the sigstore community Fulcio instance.
99- run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
66+
67+ - name : Attest
68+ uses : actions/attest-build-provenance@v2
69+ id : attest
70+ with :
71+ subject-name : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
72+ subject-digest : ${{ steps.push.outputs.digest }}
73+ push-to-registry : true
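Review bot: Four `uses:` lines on the new side are pinned only by mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v5.0.0`, `actions/attest-build-provenance@v2`) while the neighbouring `docker/setup-buildx-action` context line keeps its full-commit-SHA pin, so a moved or compromised tag would now run different code inside a job holding `packages: write`, `id-token: write` and `attestations: write`. The removed lines already carried the digests for the same versions, e.g. `uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0` and `uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0`, and the checkout and attest actions should be pinned the same way (`@<full-commit-sha> # vX.Y.Z`). Separately, `push: true` with no event guard means pull-request runs now publish a `github.sha`-tagged image plus an attestation to the registry where the old `push: ${{ github.event_name != 'pull_request' }}` did not, so either restore that guard or add a comment stating that per-PR publishing is intended. `IMAGE_NAME: ${{ github.repository }}` is now used verbatim in the tag, and ghcr.io requires lowercase repository paths; the removed metadata-action lowercased this automatically, so this presumably needs a lowercasing step if the owner or repository name contains capitals — worth confirming. The enclosing job's header is above this hunk.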