Docker Provenance Multi-Arch Build #7
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Provenance Multi-Arch Build | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| build: | |
| strategy: | |
| matrix: | |
| arch: [amd64, arm64] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-24.04 | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| runs-on: ${{ matrix.runner }} | |
| outputs: | |
| version: ${{ steps.version.outputs.tag }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Extract release version | |
| id: version | |
| run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| - name: Build and push image with provenance for ${{ matrix.arch }} | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/${{ matrix.arch }} | |
| tags: fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }} | |
| push: true | |
| provenance: true | |
| build-args: | | |
| VERSION=${{ steps.version.outputs.tag }} | |
| merge: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Extract release version | |
| run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Merge multi-arch image | |
| run: | | |
| docker buildx imagetools create \ | |
| --tag fontebasso/php-nginx:${RELEASE_VERSION} \ | |
| --tag fontebasso/php-nginx:latest \ | |
| fontebasso/php-nginx:${RELEASE_VERSION}-amd64 \ | |
| fontebasso/php-nginx:${RELEASE_VERSION}-arm64 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Sign image using GitHub OIDC | |
| env: | |
| COSIGN_EXPERIMENTAL: "1" | |
| run: | | |
| cosign sign --yes --key github docker.io/fontebasso/php-nginx:${RELEASE_VERSION} | |
| cosign sign --yes --key github docker.io/fontebasso/php-nginx:latest | |
| - name: Generate and attach SLSA Provenance | |
| run: | | |
| cosign attest --yes \ | |
| --key github \ | |
| --type=provenance \ | |
| docker.io/fontebasso/php-nginx:${RELEASE_VERSION} | |
| cosign attest --yes \ | |
| --key github \ | |
| --type=provenance \ | |
| docker.io/fontebasso/php-nginx:latest |