- name: Workaround pushbot for misbehaving reverse proxies
if: ${{ github.event_name != 'pull_request' }}
for each ${{ steps.meta.outputs.tags }} in tag;
# against the sigstore community Fulcio instance.
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
119
-
name: Generate Gitpod workspace image snapshot
120
+
name: Generate Gitpod workspace image snapshot
121
+
runs-on: ubuntu-latest
125
+
# This is used to complete the identity challenge
126
+
# with sigstore/fulcio when running outside of PRs.
129
+
- name: Checkout repository
130
+
uses: actions/checkout@v3
132
+
# Install the cosign tool except on PR
133
+
# https://github.com/sigstore/cosign-installer
134
+
- name: Install cosign
135
+
if: github.event_name != 'pull_request'
136
+
uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
138
+
cosign-release: 'v1.13.1'
140
+
# Workaround: https://github.com/docker/build-push-action/issues/461
141
+
- name: Setup Docker buildx
142
+
uses: docker/setup-buildx-action@v2
144
+
# Login against a Docker registry except on PR
145
+
# https://github.com/docker/login-action
146
+
- name: Log into GHCR
147
+
if: github.event_name != 'pull_request'
148
+
uses: docker/login-action@v2
151
+
username: ${{ secrets.HUB_USERNAME }}
152
+
password: ${{ secrets.HUB_TOKEN }}
153
+
- name: Log into RHQCR
154
+
if: github.event_name != 'pull_request'
155
+
uses: docker/login-action@v2
158
+
username: ${{ secrets.RHQCR_BOT_USERNAME }}
159
+
password: ${{ secrets.RHQCR_BOT_TOKEN }}
161
+
# Extract metadata (tags, labels) for Docker
162
+
# https://github.com/docker/metadata-action
163
+
- name: Extract Docker metadata
165
+
uses: docker/metadata-action@v4
168
+
ghcr.io/${{ env.IMAGE_NAME }}/devenv
170
+
type=raw,value=latest,enable={{is_default_branch}}
171
+
type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long
172
+
type=schedule,pattern=nightly
174
+
- uses: actions/checkout@v3
175
+
- uses: hadolint/hadolint-action@v3.1.0
177
+
dockerfile: docker/Dockerfile
179
+
# Build and push Docker image with Buildx (don't push on PR)
180
+
# https://github.com/docker/build-push-action
181
+
- name: Build and push Docker image
183
+
uses: docker/build-push-action@v4.1.1
187
+
# workaround: https://github.com/moby/buildkit/issues/2713#issuecomment-1068540101
190
+
tags: ${{ steps.meta.outputs.tags }}
191
+
labels: ${{ steps.meta.outputs.labels }}
192
+
cache-from: type=gha
193
+
cache-to: type=gha,mode=max
194
+
- name: Workaround pushbot for misbehaving reverse proxies
195
+
if: ${{ github.event_name != 'pull_request' }}
198
+
for each ${{ steps.meta.outputs.tags }} in tag;
203
+
# Sign the resulting Docker image digest except on PRs.
204
+
# This will only write to the public Rekor transparency log when the Docker
205
+
# repository is public to avoid leaking data. If you would like to publish
206
+
# transparency data even for private images, pass --force to cosign below.
207
+
# https://github.com/sigstore/cosign
208
+
- name: Sign the published Docker image
209
+
if: ${{ github.event_name != 'pull_request' }}
211
+
COSIGN_EXPERIMENTAL: "true"
212
+
# This step uses the identity token to provision an ephemeral certificate
213
+
# against the sigstore community Fulcio instance.
214
+
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
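Review bot: The `run:` on the last line expands `${{ steps.meta.outputs.tags }}` and `${{ steps.build-and-push.outputs.digest }}` straight into the shell command, so whatever tag text metadata-action derives from the triggering ref is interpolated before bash parses the line; the step already has an `env:` block (`COSIGN_EXPERIMENTAL: "true"`), so route both values through it and reference them as variables: add `TAGS: ${{ steps.meta.outputs.tags }}` and `DIGEST: ${{ steps.build-and-push.outputs.digest }}` under `env:`, and change the command to `run: echo "$TAGS" | xargs -I {} cosign sign "{}@$DIGEST"`. The same inline expansion appears in the earlier copy of this step near the top of the page. On pinning, `sigstore/cosign-installer` is locked to a full commit SHA with a version comment, while `actions/checkout@v3`, `docker/setup-buildx-action@v2`, `docker/login-action@v2`, `docker/metadata-action@v4`, `hadolint/hadolint-action@v3.1.0` and `docker/build-push-action@v4.1.1` still use mutable tags, which undercuts the supply-chain guarantee the signing step is meant to provide; the same SHA-plus-comment form would make them consistent. The `if:` conditions also alternate between `github.event_name != 'pull_request'` and `${{ github.event_name != 'pull_request' }}`; one form file-wide reads better. The job header and several step bodies (including the `run:` that the `for each ... in tag;` line appears to belong to) start outside the visible lines, so those cannot be checked here.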