.github/workflows/build-image.yaml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      containerfile:
        description: containerfile to build
        required: true
        type: string
      context:
        required: true
        type: string
      extra_tags:
        description: extra tags to apply to image
        required: true
        type: string
      build_args:
        required: true
        type: string
    secrets:
      akmods_key:
        description: private akmods key for signing
        required: false

env:
  REGISTRY: ghcr.io/${{ github.repository_owner }}

jobs:
  build:
    name: Build and Publish
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

      - name: Extract metadata
        id: metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
          tags: |
            type=sha
            type=ref,event=branch
            type=ref,event=pr
            type=schedule,pattern={{date 'YYYYMMDD'}}
            ${{ inputs.extra_tags }}

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

      - name: Get akmods signing key
        if: github.event_name != 'pull_request'
        env:
          AKMODS_KEY: ${{ secrets.akmods_key }}
        run: |
          echo "$AKMODS_KEY" > akmods/certs/private_key.priv

      - name: Login to registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Build image
        id: build
        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
        with:
          context: ${{ inputs.context }}
          file: ${{ inputs.containerfile }}
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          build-args: ${{ inputs.build_args }}
          push: ${{ github.event_name != 'pull_request' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Sign image
        if: github.event_name != 'pull_request'
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.metadata.outputs.tags }}
        run: |
          images=()
          for tag in ${TAGS}; do
            images+=("${tag}@${DIGEST}")
          done
          cosign sign --yes "${images[@]}"