.github/workflows/build-and-push-runners.yaml

Add signing and attestations to other actions. #50

Workflow file for this run

.github/workflows/build-and-push-runners.yaml at c9fddd7

	name: Multiplatform Build with Runners

	on:
	push:

	jobs:
	armbuild:
	runs-on: [linux-arm-for-testing]
	permissions:
	id-token: write
	attestations: write
	content: read
	outputs:
	digest: ${{ steps.build.outputs.digest }}
	steps:
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	-
	name: Login to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ vars.DOCKERHUB_USER }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	-
	name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
	with:
	images: \|
	amouat/images-bite-back-arm-runner-${{ github.RUN_ID }}
	labels: \|
	org.opencontainers.image.description=Images Bite Back Demo Arm Runner
	-
	id: build
	name: Build and push
	uses: docker/build-push-action@v6
	with:
	file: Dockerfile
	platforms: linux/arm64
	push: true
	sbom: true
	provenance: mode=max
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	-
	name: Attest
	uses: actions/attest-build-provenance@92c65d2898f1f53cfdc910b962cecff86e7f8fcc # v1
	id: attest
	with:
	subject-name: index.docker.io/${{ vars.DOCKERHUB_USER }}/images-bite-back-arm-runner-${{ github.RUN_ID }}
	subject-digest: ${{ steps.build.outputs.digest }}
	push-to-registry: true
	-
	name: Sign the images with GitHub OIDC Token
	env:
	DIGEST: ${{ steps.build.outputs.digest }}
	TAGS: ${{ steps.meta.outputs.tags }}
	run: \|
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done
	cosign sign --yes ${images}

	x86build:
	runs-on: [ubuntu-latest-2-cores-testing]
	outputs:
	digest: ${{ steps.build.outputs.digest }}
	permissions:
	id-token: write
	attestations: write
	content:read
Check failure on line 73 in .github/workflows/build-and-push-runners.yaml View workflow run for this annotation GitHub Actions / .github/workflows/build-and-push-runners.yaml Invalid workflow file `You have an error in your yaml syntax on line 73`
	steps:
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	-
	name: Login to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ vars.DOCKERHUB_USER }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	-
	name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
	with:
	images: \|
	amouat/images-bite-back-x86-runner-${{ github.RUN_ID }}
	labels: \|
	org.opencontainers.image.description=Images Bite Back Demo Arm Runner
	-
	id: build
	name: Build and push
	uses: docker/build-push-action@v6
	with:
	file: Dockerfile
	platforms: linux/amd64
	push: true
	sbom: true
	provenance: mode=max
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	-
	name: Attest
	uses: actions/attest-build-provenance@92c65d2898f1f53cfdc910b962cecff86e7f8fcc # v1
	id: attest
	with:
	subject-name: index.docker.io/${{ vars.DOCKERHUB_USER }}/images-bite-back-x86-runner-${{ github.RUN_ID }}
	subject-digest: ${{ steps.build.outputs.digest }}
	push-to-registry: true
	-
	name: Sign the images with GitHub OIDC Token
	env:
	DIGEST: ${{ steps.build.outputs.digest }}
	TAGS: ${{ steps.meta.outputs.tags }}
	run: \|
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done
	cosign sign --yes ${images}

	manifest:
	permissions: # needed for signing and attestations
	id-token: write # write seems weird, but it is correct per docs
	attestations: write
	needs: [x86build, armbuild]
	runs-on: ubuntu-latest
	steps:
	-
	name: Login to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ vars.DOCKERHUB_USER }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	-
	name: Install crane
	uses: imjasonh/[email protected]
	-
	name: Create and Push Multi-Platform Manifest
	run: \|
	X86DIGEST=$(crane digest --platform linux/amd64 amouat/images-bite-back@${{ needs.x86build.outputs.digest }})
	ARMDIGEST=$(crane digest --platform linux/arm64 amouat/images-bite-back@${{ needs.armbuild.outputs.digest }})
	docker manifest create amouat/images-bite-back:multiplatorm-${{ github.RUN_ID }} \
	amouat/images-bite-back@$X86DIGEST \
	amouat/images-bite-back@$ARMDIGEST
	docker manifest push amouat/images-bite-back:multiplatorm-${{ github.RUN_ID }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add signing and attestations to other actions. #50

Workflow file

Add signing and attestations to other actions. #50

Jobs

Run details

Workflow file for this run

GitHub Actions / .github/workflows/build-and-push-runners.yaml