Build Docker containers on new tag #269
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Docker containers on new tag | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| # workflow_dispatch is needed because release.yml's tag push runs as | |
| # GITHUB_TOKEN, and GITHUB_TOKEN-triggered push/tag events don't fan out | |
| # to other workflows. release.yml calls `gh workflow run` against this | |
| # workflow with `--ref v<version>` so the Docker images for that release | |
| # actually get built. | |
| workflow_dispatch: | |
| # id-token: write is the OIDC token that cosign exchanges for a short-lived | |
| # Sigstore certificate. contents: read covers the actions/checkout step. | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| docker: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - | |
| name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - | |
| name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 | |
| with: | |
| image: tonistiigi/binfmt:qemu-v9.2.2 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 | |
| - | |
| name: Install cosign | |
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 | |
| - | |
| name: Login to DockerHub | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Extract version | |
| id: extract_version | |
| run: | | |
| VERSION_TAG=${GITHUB_REF#refs/tags/} | |
| echo "Git tag: $VERSION_TAG" | |
| VERSION=${VERSION_TAG#v} | |
| echo "Full version without 'v': $VERSION" | |
| MAJOR_VERSION=${VERSION%%.*} | |
| echo "Major version: $MAJOR_VERSION" | |
| echo "SITESPEED_VERSION=$VERSION" >> $GITHUB_OUTPUT | |
| echo "SITESPEED_MAJOR_VERSION=$MAJOR_VERSION" >> $GITHUB_OUTPUT | |
| - | |
| name: Build and push sitespeed.io | |
| id: build_full | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| # mode=max embeds the full build graph (every step, every input | |
| # digest) in the SLSA provenance attestation. sbom: true attaches a | |
| # SPDX SBOM as a separate attestation. Both ship to Docker Hub as | |
| # OCI artefacts alongside the image and are inspectable with | |
| # `docker buildx imagetools inspect --format '{{ json . }}'`. | |
| provenance: mode=max | |
| sbom: true | |
| tags: | | |
| sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }} | |
| sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }} | |
| sitespeedio/sitespeed.io:latest | |
| - | |
| name: Sign sitespeed.io with cosign | |
| # cosign signs the digest; every tag that points at the digest | |
| # (the version, the major, and :latest) is implicitly covered. | |
| # Keyless: the workflow's OIDC token is exchanged for a short-lived | |
| # Sigstore cert tied to this repo+workflow+ref. Users verify with | |
| # `cosign verify --certificate-identity-regexp '...' --certificate-oidc-issuer https://token.actions.githubusercontent.com`. | |
| env: | |
| DIGEST: ${{ steps.build_full.outputs.digest }} | |
| run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}" | |
| - | |
| name: Build and push sitespeed.io+1 | |
| id: build_plus1 | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| file: ./docker/Dockerfile-plus1 | |
| build-args: version=${{ steps.extract_version.outputs.SITESPEED_VERSION }} | |
| push: true | |
| provenance: mode=max | |
| sbom: true | |
| tags: | | |
| sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}-plus1 | |
| sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}-plus1 | |
| - | |
| name: Sign sitespeed.io+1 with cosign | |
| env: | |
| DIGEST: ${{ steps.build_plus1.outputs.digest }} | |
| run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}" | |
| - | |
| name: Build and push sitespeed.io-slim | |
| id: build_slim | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| file: ./Dockerfile-slim | |
| build-args: version=${{ steps.extract_version.outputs.SITESPEED_VERSION }} | |
| push: true | |
| provenance: mode=max | |
| sbom: true | |
| tags: | | |
| sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}-slim | |
| sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}-slim | |
| - | |
| name: Sign sitespeed.io-slim with cosign | |
| env: | |
| DIGEST: ${{ steps.build_slim.outputs.digest }} | |
| run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}" |