release-base.yaml

name: release-base

on:
  schedule:
    - cron: "0 0 * * 0"
  workflow_dispatch: # used for testing

permissions:
  contents: write
  packages: write
  id-token: write

jobs:
  release-base:
    runs-on: ubuntu-latest
    timeout-minutes: 360
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
        with:
          egress-policy: audit

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-tags: true
          fetch-depth: 0

      - name: Install Cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0

      - name: Login to GHCR
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
        id: build-and-push
        with:
          push: true
          tags: ghcr.io/sozercan/base:latest
          cache-from: type=gha,scope=base
          cache-to: type=gha,scope=base,mode=max
          sbom: true
          provenance: true
          platforms: linux/amd64,linux/arm64
          file: Dockerfile.base

      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: cosign sign --yes "ghcr.io/sozercan/base@${DIGEST}"

      - name: Verify image signature
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          cosign verify ghcr.io/sozercan/base@${DIGEST} \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity https://github.com/sozercan/aikit/.github/workflows/release-base.yaml@refs/heads/main