
Add Github Attestations support #37


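# Builds multi-arch (amd64 + arm64) container images for each base image in the
# matrix, pushes them to GHCR, and attaches a build-provenance attestation and an
# SBOM attestation to the pushed image digest.
name: Build Docker Image

on:
  push:
    branches: [main, test]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        base_image: [alpine, debian]
    # Least privilege: read the repo, push packages, mint an OIDC token for
    # signing, and write attestations. Nothing else is granted to GITHUB_TOKEN.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    steps:
      # NOTE(review): every action below is pinned to a mutable major-version
      # tag. Pinning to a full-length commit SHA (with the version in a trailing
      # comment) protects against a compromised or force-pushed tag.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: arm64

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Pushes to `main` are tagged `latest`; any other branch is tagged with its
      # own name. The ref name is handed to the script via `env:` instead of being
      # expanded with `${{ }}` inside `run:`, so a branch name is never
      # interpreted as shell syntax (script-injection hardening).
      - name: Determine Base Tags
        shell: bash
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          if [[ "${REF_NAME}" == "main" ]]; then
            echo "BASE_TAGS=latest" | tee -a "${GITHUB_ENV}"
          else
            echo "BASE_TAGS=${REF_NAME}" | tee -a "${GITHUB_ENV}"
          fi

      # Build and push the `<base_image>-multi` target from docker-bake.hcl for
      # both platforms, using the GitHub Actions cache backend.
      - name: Bake ${{ matrix.base_image }} containers
        uses: docker/bake-action@v4
        id: build
        env:
          BASE_TAGS: "${{ env.BASE_TAGS }}"
          CONTAINER_REGISTRIES: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          SOURCE_REPOSITORY_URL: "${{ github.server_url }}/${{ github.repository }}"
          SOURCE_VERSION: ${{ github.sha }}
          VW_VERSION: ${{ github.sha }}
        with:
          push: true
          sbom: true
          files: docker/docker-bake.hcl
          targets: ${{ matrix.base_image }}-multi
          set: |
            *.platform=linux/amd64,linux/arm64
            *.cache-from=type=gha
            *.cache-to=type=gha,mode=max

      # The bake metadata output is a JSON object keyed by target name. It is
      # read from an env var rather than spliced into the script with `${{ }}`
      # (a quote inside the JSON would otherwise break out of the shell string),
      # and the result is validated so the attestation steps never run against
      # an empty or "null" digest.
      - name: Extract digest SHA
        shell: bash
        env:
          BAKE_METADATA: ${{ steps.build.outputs.metadata }}
          BAKE_TARGET: ${{ matrix.base_image }}-multi
        run: |
          set -euo pipefail
          DIGEST_SHA="$(jq -r --arg t "${BAKE_TARGET}" '.[$t]["containerimage.digest"] // empty' <<< "${BAKE_METADATA}")"
          if [[ ! "${DIGEST_SHA}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::no image digest found for target '${BAKE_TARGET}' in bake metadata"
            exit 1
          fi
          echo "DIGEST_SHA=${DIGEST_SHA}" | tee -a "${GITHUB_ENV}"

      # Both attestations are bound to the exact pushed digest and signed with
      # the job's OIDC identity (hence `id-token: write`), then stored in the
      # registry next to the image so consumers can verify them offline.
      - name: Generate build provenance attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true

      # NOTE(review): nothing visible in this workflow writes `sbom.spdx.json`
      # into the workspace. `sbom: true` on the bake step appears to attach a
      # BuildKit SBOM to the image manifest rather than emit a local file, so
      # unless docker/docker-bake.hcl produces this path (not shown here) this
      # step will fail on a missing file. Confirm, or add a step that generates
      # the SBOM file before attesting it.
      - name: Generate SBOM attestation
        uses: actions/attest-sbom@v1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ env.DIGEST_SHA }}
          sbom-path: 'sbom.spdx.json'
          push-to-registry: true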