@@ -93,25 +93,34 @@ jobs:
9393 restore-keys : ${{ runner.os }}-buildx-
9494
9595 # -------------------------------------------------------------
96- # 3️⃣ Build & tag image (timestamp + latest)
96+ # Build & push image (timestamp + latest)
9797 # -------------------------------------------------------------
98+
99+ - name : 🔑 Log in to GHCR
100+ uses : docker/login-action@v3
101+ with :
102+ registry : ghcr.io
103+ username : ${{ github.actor }}
104+ password : ${{ secrets.GITHUB_TOKEN }}
105+
98106 - name : 🏗️ Build Docker image
99107 env :
100108 DOCKER_CONTENT_TRUST : " 1"
101109 run : |
102110 TAG=$(date +%s)
103111 echo "TAG=$TAG" >> "$GITHUB_ENV"
104112 docker buildx build \
113+ --platform linux/amd64,linux/arm64 \
105114 --file Containerfile.lite \
106115 --tag $IMAGE_NAME:$TAG \
107116 --tag $IMAGE_NAME:latest \
108117 --cache-from type=local,src=${{ env.CACHE_DIR }} \
109118 --cache-to type=local,dest=${{ env.CACHE_DIR }},mode=max \
110- --load \
119+ --push \
111120 . # build context is mandatory
112121
113122# -------------------------------------------------------------
114- # 4️⃣ Image lint (Dockle CLI → SARIF)
123+ # Image lint (Dockle CLI → SARIF)
115124 # -------------------------------------------------------------
116125 - name : 🔍 Image lint (Dockle)
117126 id : dockle
@@ -133,7 +142,7 @@ jobs:
133142 sarif_file : dockle-results.sarif
134143
135144 # -------------------------------------------------------------
136- # 5️⃣ Generate SPDX SBOM with Syft
145+ # Generate SPDX SBOM with Syft
137146 # -------------------------------------------------------------
138147 - name : 📄 Generate SBOM (Syft)
139148 uses : anchore/sbom-action@v0
@@ -142,7 +151,7 @@ jobs:
142151 output-file : sbom.spdx.json
143152
144153 # -------------------------------------------------------------
145- # 6️⃣ Trivy CVE scan → SARIF
154+ # Trivy CVE scan → SARIF
146155 # -------------------------------------------------------------
147156 - name : 🛡️ Trivy vulnerability scan
148157 id : trivy
@@ -160,23 +169,9 @@ jobs:
160169 with :
161170 sarif_file : trivy-results.sarif
162171
163- # -------------------------------------------------------------
164- # 7️⃣ Push both tags to GHCR
165- # -------------------------------------------------------------
166- - name : 🔑 Log in to GHCR
167- uses : docker/login-action@v3
168- with :
169- registry : ghcr.io
170- username : ${{ github.actor }}
171- password : ${{ secrets.GITHUB_TOKEN }}
172-
173- - name : 🚀 Push image to GHCR
174- run : |
175- docker push $IMAGE_NAME:${{ env.TAG }}
176- docker push $IMAGE_NAME:latest
177172
178173 # -------------------------------------------------------------
179- # 8️⃣ Key-less Cosign sign + attest (latest **and** timestamp)
174+ # Key-less Cosign sign + attest (latest **and** timestamp)
180175 # -------------------------------------------------------------
181176 - name : 📥 Install Cosign
182177 uses : sigstore/cosign-installer@v3 # provides the matching CLI
@@ -197,7 +192,7 @@ jobs:
197192 done
198193
199194# -------------------------------------------------------------
200- # 9️⃣ Single gate - fail job on any scanner error
195+ # Single gate - fail job on any scanner error
201196 # -------------------------------------------------------------
202197 - name : ⛔ Enforce lint & vuln gates
203198 if : |
0 commit comments