
Commit 8dddc7a

committed
Switch to github-builder
https://github.com/docker/github-builder Quote from the repo: > Official Docker-maintained reusable GitHub Actions workflows to securely build container images
1 parent 73c7adf commit 8dddc7a


1 file changed

+26
-125
lines changed

1 file changed

+26
-125
lines changed

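--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,145 +1,46 @@
 name: Build Image
 
-permissions:
-  contents: write # read for actions/checkout to check out the repository and write to upload the SBOM file
-  id-token: write # for docker/login-action to authenticate to the GitHub Container Registry
-  packages: write # for docker/build-push-action to push the image to the GitHub Container Registry
-
 on:
   push:
     tags:
       - 'v*'
 
 jobs:
   build:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-24.04
-            build_tags: ""
-            build_args: ""
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            build_tags: ""
-            build_args: ""
-          - platform: linux/arm/v7
-            runner: ubuntu-24.04-arm
-            build_tags: "nobitwarden"
-            build_args: "DISABLE_BITWARDEN=true"
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - name: Prepare
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
-      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-
-      - name: Log in to the GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
-        with:
-          registry: ghcr.io
+    uses: docker/github-builder/.github/workflows/build.yml@c767551a26459c30e1f683df73a12fdb918f7068 # v1
+    permissions:
+      contents: read # to fetch the repository content
+      id-token: write # for signing attestation(s) with GitHub OIDC Token
+      packages: write # required to push to GHCR
+    with:
+      build-args: |
+        APP_VERSION=${{ github.ref_name }}
+      platforms: linux/amd64,linux/arm64,linux/arm/v7
+      cache: true
+      cache-mode: max
+      output: image
+      push: true
+      sbom: true
+      set-meta-annotations: true
+      set-meta-labels: true
+      meta-images: ghcr.io/${{ github.repository }}
+      meta-tags: |
+        type=semver,pattern={{version}}
+        type=semver,pattern={{major}}.{{minor}}
+        type=semver,pattern={{major}}
+    secrets:
+      registry-auths: |
+        - registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
-
-      - name: Extract metadata for the Docker image
-        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
-        with:
-          images: |
-            ghcr.io/${{ github.repository }}
-
-      - name: Build and push by digest
-        id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
-        with:
-          context: .
-          provenance: mode=max
-          sbom: true
-          build-args: |
-            APP_VERSION=${{ github.ref_name }}
-            ${{ matrix.build_args }}
-          tags: ghcr.io/${{ github.repository }}
-          labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ steps.meta.outputs.annotations }}
-          platforms: ${{ matrix.platform }}
-          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=build-${{ env.PLATFORM_PAIR }}
-          cache-to: type=gha,mode=max,scope=build-${{ env.PLATFORM_PAIR }}
-
-      - name: Export digest
-        run: |
-          mkdir -p ${{ runner.temp }}/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "${{ runner.temp }}/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
-        with:
-          name: digests-${{ env.PLATFORM_PAIR }}
-          path: ${{ runner.temp }}/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  merge:
-    name: Create and push multi-arch manifest
-    runs-on: ubuntu-latest
-    needs:
-      - build
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-
-      - name: Log in to the GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
-
-      - name: Download digests
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
-        with:
-          path: ${{ runner.temp }}/digests
-          pattern: digests-*
-          merge-multiple: true
-
-      - name: Extract metadata for the Docker image
-        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
-        with:
-          images: |
-            ghcr.io/${{ github.repository }}
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-
-      - name: Create manifest list and push
-        working-directory: ${{ runner.temp }}/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *)
-
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.meta.outputs.version }}
-
   generate-sbom:
     name: Generate SBOM
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # write to upload the SBOM file
     needs:
       - build
-      - merge
     steps:
       - name: Prepare
         run: |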
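Review bot: The single `build-args` block in the new `build` job (new lines 16-17) drops the `DISABLE_BITWARDEN=true` argument that the removed matrix passed only for `linux/arm/v7` (old lines 27-30), while `platforms` on new line 18 still lists that architecture; unless the Dockerfile no longer needs it, the arm/v7 image will now be built with that component enabled or fail to build, so either pass the argument again (if github-builder offers a per-platform way to do so) or add a comment stating why it is no longer required, e.g. `# arm/v7 no longer needs DISABLE_BITWARDEN — see <reason>`. The removed build-push step also set `provenance: mode=max`, whereas the new inputs only enable `sbom`; confirm the reusable workflow's default provenance level still yields the attestation content the previous build produced before relying on it for `id-token: write` signing. The `generate-sbom` job now depends only on `build` and its steps continue outside the hunk, so check there that nothing still references outputs of the deleted `merge` job.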
