commit 113ced561e6cafe23d9058837cf3e3d52b4eff93 · hailey.at/cocoon

+56 -8

.github/workflows/docker-image.yml

···

       14
        
       

     

       15
        
       jobs:

     

       16
        
         build-and-push-image:

     

       17
       -
           runs-on: ubuntu-latest

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
           # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.

     

       19
        
           permissions:

     

       20
        
             contents: read

     

       21
        
             packages: write

     

       22
        
             attestations: write

     

       23
        
             id-token: write

     

       24
       -
             #

     

       0
        
       
     

       0
        
       
     

       25
        
           steps:

     

       26
        
             - name: Checkout repository

     

       27
        
               uses: actions/checkout@v4

     
···

       41
        
               with:

     

       42
        
                 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

     

       43
        
                 tags: |

     

       44
       -
                   type=raw,value=latest,enable={{is_default_branch}}

     

       45
       -
                   type=sha

     

       46
       -
                   type=sha,format=long

     

       47
       -
                   type=semver,pattern={{version}}

     

       48
       -
                   type=semver,pattern={{major}}.{{minor}}

     

       49
        
       

     

       50
        
             # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.

     

       51
        
             # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.

     
···

       59
        
                 tags: ${{ steps.meta.outputs.tags }}

     

       60
        
                 labels: ${{ steps.meta.outputs.labels }}

     

       61
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       62
        
             # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."

     

       63
        
             - name: Generate artifact attestation

     

       64
        
               uses: actions/attest-build-provenance@v1

     

       65
        
               with:

     

       66
        
                 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}

     

       67
       -
                 subject-digest: ${{ steps.push.outputs.digest }}

     

       68
        
                 push-to-registry: true

···

       14
        
       

     

       15
        
       jobs:

     

       16
        
         build-and-push-image:

     

       17
       +
           strategy:

     

       18
       +
             matrix:

     

       19
       +
               include:

     

       20
       +
                 - arch: amd64

     

       21
       +
                   runner: ubuntu-latest

     

       22
       +
                 - arch: arm64

     

       23
       +
                   runner: ubuntu-24.04-arm

     

       24
       +
           runs-on: ${{ matrix.runner }}

     

       25
        
           # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.

     

       26
        
           permissions:

     

       27
        
             contents: read

     

       28
        
             packages: write

     

       29
        
             attestations: write

     

       30
        
             id-token: write

     

       31
       +
           outputs:

     

       32
       +
             digest-amd64: ${{ matrix.arch == 'amd64' && steps.push.outputs.digest || '' }}

     

       33
       +
             digest-arm64: ${{ matrix.arch == 'arm64' && steps.push.outputs.digest || '' }}

     

       34
        
           steps:

     

       35
        
             - name: Checkout repository

     

       36
        
               uses: actions/checkout@v4

     
···

       50
        
               with:

     

       51
        
                 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

     

       52
        
                 tags: |

     

       53
       +
                   type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.arch }}

     

       54
       +
                   type=sha,suffix=-${{ matrix.arch }}

     

       55
       +
                   type=sha,format=long,suffix=-${{ matrix.arch }}

     

       56
       +
                   type=semver,pattern={{version}},suffix=-${{ matrix.arch }}

     

       57
       +
                   type=semver,pattern={{major}}.{{minor}},suffix=-${{ matrix.arch }}

     

       58
        
       

     

       59
        
             # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.

     

       60
        
             # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.

     
···

       68
        
                 tags: ${{ steps.meta.outputs.tags }}

     

       69
        
                 labels: ${{ steps.meta.outputs.labels }}

     

       70
        
       

     

       71
       +
         publish-manifest:

     

       72
       +
           needs: build-and-push-image

     

       73
       +
           runs-on: ubuntu-latest

     

       74
       +
           permissions:

     

       75
       +
             packages: write

     

       76
       +
             attestations: write

     

       77
       +
             id-token: write

     

       78
       +
           steps:

     

       79
       +
             - name: Log in to the Container registry

     

       80
       +
               uses: docker/login-action@v3

     

       81
       +
               with:

     

       82
       +
                 registry: ${{ env.REGISTRY }}

     

       83
       +
                 username: ${{ github.actor }}

     

       84
       +
                 password: ${{ secrets.GITHUB_TOKEN }}

     

       85
       +
       

     

       86
       +
             - name: Extract metadata (tags, labels) for Docker

     

       87
       +
               id: meta

     

       88
       +
               uses: docker/metadata-action@v5

     

       89
       +
               with:

     

       90
       +
                 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

     

       91
       +
                 tags: |

     

       92
       +
                   type=raw,value=latest,enable={{is_default_branch}}

     

       93
       +
                   type=sha

     

       94
       +
                   type=sha,format=long

     

       95
       +
                   type=semver,pattern={{version}}

     

       96
       +
                   type=semver,pattern={{major}}.{{minor}}

     

       97
       +
       

     

       98
       +
             - name: Create and push manifest

     

       99
       +
               run: |

     

       100
       +
                 # Split tags into an array

     

       101
       +
                 readarray -t tags <<< "${{ steps.meta.outputs.tags }}"

     

       102
       +
       

     

       103
       +
                 # Create and push manifest for each tag

     

       104
       +
                 for tag in "${tags[@]}"; do

     

       105
       +
                   docker buildx imagetools create -t "$tag" \

     

       106
       +
                     "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-image.outputs.digest-amd64 }}" \

     

       107
       +
                     "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-image.outputs.digest-arm64 }}"

     

       108
       +
                 done

     

       109
       +
       

     

       110
        
             # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."

     

       111
        
             - name: Generate artifact attestation

     

       112
        
               uses: actions/attest-build-provenance@v1

     

       113
        
               with:

     

       114
        
                 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}

     

       115
       +
                 subject-digest: ${{ needs.build-and-push-image.outputs.digest-amd64 }}

     

       116
        
                 push-to-registry: true

+1 -1

Dockerfile

···

       11
        
       ### Run stage

     

       12
        
       FROM debian:bookworm-slim AS run

     

       13
        
       

     

       14
       -
       RUN apt-get update && apt-get install -y dumb-init runit ca-certificates && rm -rf /var/lib/apt/lists/*

     

       15
        
       ENTRYPOINT ["dumb-init", "--"]

     

       16
        
       

     

       17
        
       WORKDIR /

···

       11
        
       ### Run stage

     

       12
        
       FROM debian:bookworm-slim AS run

     

       13
        
       

     

       14
       +
       RUN apt-get update && apt-get install -y dumb-init runit ca-certificates curl && rm -rf /var/lib/apt/lists/*

     

       15
        
       ENTRYPOINT ["dumb-init", "--"]

     

       16
        
       

     

       17
        
       WORKDIR /