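name: Multiplatform Build with Runners

# NOTE(review): this workflow runs on *every* push to *any* branch and
# publishes, attests and signs the result to Docker Hub. If only release
# builds should be published, restrict the trigger (e.g. `branches: [main]`
# or `tags: ['v*']`).
on:
  push:

env:
  # Single source of truth for the target repository. The build/metadata
  # steps and the provenance attestation must name the same repository,
  # otherwise the attestation subject does not match the image that was
  # actually pushed. (Previously the attest step derived it from
  # vars.DOCKERHUB_USER while the push used this hard-coded name.)
  IMAGE: amouat/images-bite-back-runner

jobs:
  # Builds, pushes and attests the linux/arm64 image on the ARM runner.
  armbuild:
    runs-on: [linux-arm-for-testing]
    permissions:
      id-token: write       # OIDC token for keyless attestation
      attestations: write   # required by actions/attest-build-provenance
      contents: read
    outputs:
      # Digest of what build-push-action pushed. With sbom/provenance enabled
      # this is an image index (image + attestation manifests), not the bare
      # linux/arm64 image manifest; the manifest job resolves the latter.
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          username: ${{ vars.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
        with:
          images: |
            ${{ env.IMAGE }}
          tags: |
            type=raw,arm-${{ github.run_id }}
          labels: |
            org.opencontainers.image.description=Images Bite Back Demo Arm Runner

      # No actions/checkout step here: build-push-action is relied on to
      # build from the Git context of the triggering commit — confirm if a
      # checkout of a different ref is ever added, as the max-mode provenance
      # would then describe a source that was not built.
      - id: build
        name: Build and push
        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6
        with:
          file: Dockerfile
          platforms: linux/arm64
          push: true
          sbom: true
          provenance: mode=max
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Attest
        id: attest
        uses: actions/attest-build-provenance@92c65d2898f1f53cfdc910b962cecff86e7f8fcc # v1
        with:
          # Must be the repository the digest above was pushed to.
          subject-name: index.docker.io/${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true

  # Builds, pushes and attests the linux/amd64 image. Mirrors armbuild; kept
  # as a separate job (rather than a matrix) because the manifest job reads a
  # distinct `digest` output from each.
  x86build:
    runs-on: [ubuntu-latest-2-cores-testing]
    permissions:
      id-token: write       # OIDC token for keyless attestation
      attestations: write   # required by actions/attest-build-provenance
      contents: read
    outputs:
      # Image-index digest of the pushed linux/amd64 build (see armbuild).
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          username: ${{ vars.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
        with:
          images: |
            ${{ env.IMAGE }}
          tags: |
            type=raw,x86-${{ github.run_id }}
          labels: |
            org.opencontainers.image.description=Images Bite Back Demo X86 Runner

      # No actions/checkout step: see the note on the armbuild job.
      - id: build
        name: Build and push
        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6
        with:
          file: Dockerfile
          platforms: linux/amd64
          push: true
          sbom: true
          provenance: mode=max
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Attest
        id: attest
        uses: actions/attest-build-provenance@92c65d2898f1f53cfdc910b962cecff86e7f8fcc # v1
        with:
          # Must be the repository the digest above was pushed to.
          subject-name: index.docker.io/${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true

  # Combines the two per-arch images into one multi-platform index, pushes
  # it under the `multi-<run id>` tag and signs it with cosign (keyless).
  manifest:
    needs: [x86build, armbuild]
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # OIDC token for cosign keyless signing
      # `attestations: write` intentionally not granted: nothing in this job
      # calls the GitHub attestations API. Note this also means the combined
      # index itself carries a cosign signature but no build-provenance
      # attestation — only the per-arch images do.
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@1aa8e0f2454b781fbf0fbf306a4c9533a0c57409 # v3.7.0

      - name: Install crane
        uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          username: ${{ vars.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Create, Push and Sign Multi-Platform Manifest
        # Values from other jobs are passed through `env` rather than being
        # expanded into the script text, so they are never re-parsed by the
        # shell. `IMAGE` comes from the workflow-level env above.
        env:
          X86_INDEX: ${{ needs.x86build.outputs.digest }}
          ARM_INDEX: ${{ needs.armbuild.outputs.digest }}
          MULTI_TAG: multi-${{ github.run_id }}
        shell: bash
        run: |
          set -euo pipefail
          # Each per-arch build pushed an index (image + SBOM/provenance
          # manifests). Resolve the platform-specific image manifest so the
          # combined index references the actual images, not the indexes.
          X86DIGEST=$(crane digest --platform linux/amd64 "${IMAGE}@${X86_INDEX}")
          ARMDIGEST=$(crane digest --platform linux/arm64 "${IMAGE}@${ARM_INDEX}")
          docker manifest create "${IMAGE}:${MULTI_TAG}" \
            "${IMAGE}@${X86DIGEST}" \
            "${IMAGE}@${ARMDIGEST}"
          # `docker manifest push` prints the digest of the pushed index.
          MULTIDIGEST=$(docker manifest push "${IMAGE}:${MULTI_TAG}")
          # Keyless (OIDC) signature over the index; `-r` also signs every
          # manifest the index references.
          cosign sign -r --yes "${IMAGE}@${MULTIDIGEST}"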