v0.3.20 #19
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Push to Docker Hub | |
| on: | |
| release: | |
| types: [published] | |
| env: | |
| REGISTRY: docker.io | |
| REPOSITORY: getspike | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| COSIGN_EXPERIMENTAL: 1 | |
| DOCKER_CONTENT_TRUST: 1 | |
| jobs: | |
| docker: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| app: [pilot, keeper, nexus] | |
| arch: [linux/amd64, linux/arm64] | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # needed for signing the images with GitHub OIDC Token | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.release.tag_name }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@v3.3.0 | |
| # Login to Docker Hub | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # Set up Docker Content Trust delegation key | |
| - name: Set up Docker Content Trust | |
| env: | |
| DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DCT_DELEGATION_PASSPHRASE }} | |
| DOCKER_DELEGATION_KEY: ${{ secrets.DCT_DELEGATION_KEY }} | |
| run: | | |
| # Create a temporary file with the delegation key | |
| echo "$DOCKER_DELEGATION_KEY" > delegation.key | |
| chmod 600 delegation.key | |
| # Load the key using docker trust key load | |
| docker trust key load delegation.key --name delegation | |
| # Build and push images using the script | |
| - name: Build and push images | |
| env: | |
| DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DCT_DELEGATION_PASSPHRASE }} | |
| DOCKER_CONTENT_TRUST: 1 | |
| run: | | |
| # Extract version from release tag | |
| VERSION="${{ github.event.release.tag_name }}" | |
| VERSION=${VERSION#v} # Remove 'v' prefix if present | |
| ./k8s/build-push-sign.sh ${{ matrix.app }} ${{ matrix.arch }} ${VERSION} ${{ env.REGISTRY }} ${{ env.REPOSITORY }} | |
| - name: Sign the images with GitHub OIDC (Cosign) | |
| env: | |
| DIGEST: ${{ steps.build-and-load.outputs.digest }} | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| run: | | |
| echo "${TAGS}" | tr ',' '\n' | while read -r tag; do | |
| cosign sign --yes "${tag}@${DIGEST}" | |
| done |