Skip to content

Build Docker containers on new tag #269

Build Docker containers on new tag

Build Docker containers on new tag #269

name: Build Docker containers on new tag
on:
push:
tags:
- 'v*.*.*'
# workflow_dispatch is needed because release.yml's tag push runs as
# GITHUB_TOKEN, and GITHUB_TOKEN-triggered push/tag events don't fan out
# to other workflows. release.yml calls `gh workflow run` against this
# workflow with `--ref v<version>` so the Docker images for that release
# actually get built.
workflow_dispatch:
# id-token: write is the OIDC token that cosign exchanges for a short-lived
# Sigstore certificate. contents: read covers the actions/checkout step.
permissions:
contents: read
id-token: write
jobs:
docker:
runs-on: ubuntu-24.04
steps:
-
name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
with:
image: tonistiigi/binfmt:qemu-v9.2.2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
name: Install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
-
name: Login to DockerHub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract version
id: extract_version
run: |
VERSION_TAG=${GITHUB_REF#refs/tags/}
echo "Git tag: $VERSION_TAG"
VERSION=${VERSION_TAG#v}
echo "Full version without 'v': $VERSION"
MAJOR_VERSION=${VERSION%%.*}
echo "Major version: $MAJOR_VERSION"
echo "SITESPEED_VERSION=$VERSION" >> $GITHUB_OUTPUT
echo "SITESPEED_MAJOR_VERSION=$MAJOR_VERSION" >> $GITHUB_OUTPUT
-
name: Build and push sitespeed.io
id: build_full
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
# mode=max embeds the full build graph (every step, every input
# digest) in the SLSA provenance attestation. sbom: true attaches a
# SPDX SBOM as a separate attestation. Both ship to Docker Hub as
# OCI artefacts alongside the image and are inspectable with
# `docker buildx imagetools inspect --format '{{ json . }}'`.
provenance: mode=max
sbom: true
tags: |
sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}
sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}
sitespeedio/sitespeed.io:latest
-
name: Sign sitespeed.io with cosign
# cosign signs the digest; every tag that points at the digest
# (the version, the major, and :latest) is implicitly covered.
# Keyless: the workflow's OIDC token is exchanged for a short-lived
# Sigstore cert tied to this repo+workflow+ref. Users verify with
# `cosign verify --certificate-identity-regexp '...' --certificate-oidc-issuer https://token.actions.githubusercontent.com`.
env:
DIGEST: ${{ steps.build_full.outputs.digest }}
run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"
-
name: Build and push sitespeed.io+1
id: build_plus1
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
with:
context: .
platforms: linux/amd64,linux/arm64
file: ./docker/Dockerfile-plus1
build-args: version=${{ steps.extract_version.outputs.SITESPEED_VERSION }}
push: true
provenance: mode=max
sbom: true
tags: |
sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}-plus1
sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}-plus1
-
name: Sign sitespeed.io+1 with cosign
env:
DIGEST: ${{ steps.build_plus1.outputs.digest }}
run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"
-
name: Build and push sitespeed.io-slim
id: build_slim
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
with:
context: .
platforms: linux/amd64,linux/arm64
file: ./Dockerfile-slim
build-args: version=${{ steps.extract_version.outputs.SITESPEED_VERSION }}
push: true
provenance: mode=max
sbom: true
tags: |
sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}-slim
sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}-slim
-
name: Sign sitespeed.io-slim with cosign
env:
DIGEST: ${{ steps.build_slim.outputs.digest }}
run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"