Push Container To Ghcr Gha
This action will
- Build a container for amd64 and arm64
- Push it to GHCR
- Generate an image attestation
- Generate an SBOM
name: Publish Docker amd64 image
on: push: branches: - main workflow_dispatch: schedule: - cron: "0 13 * * *"
env: REGISTRY: ghcr.io REPO: r-techsupport IMAGE: hyde
jobs: image-builder: runs-on: ubuntu-latest permissions: packages: write steps: - name: Checkout uses: actions/checkout@v4
- name: Set up QEMU uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5 with: context: git images: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE }} flavor: latest=auto tags: | type=sha,enable=true,priority=100,prefix=,suffix=,format=long type=raw,value=devel,enable=${{ github.ref != format('refs/heads/{0}', 'main') }} type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image id: push uses: docker/build-push-action@v5 with: context: . platforms: linux/amd64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} file: Containerfile
sbom-attestation: runs-on: ubuntu-latest needs: image-builder permissions: contents: write attestations: write id-token: write steps: - name: Generate artifact attestation uses: actions/attest-build-provenance@v1 with: subject-name: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE}} subject-digest: ${{ steps.push.outputs.digest }}
- name: Generate SBOM uses: anchore/sbom-action@v0 with: image: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE}}:${{ github.sha }} artifact-name: ${{ env.IMAGE }}-${{ github.sha }}.spdx format: spdx-json upload-artifact: true upload-artifact-retention: 7