Docker Image Release #4
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Image Release | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| id-token: write | |
| contents: read | |
| packages: write | |
| jobs: | |
| build-images: | |
| strategy: | |
| matrix: | |
| arch: [amd64, arm64] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-24.04 | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| runs-on: ${{ matrix.runner }} | |
| outputs: | |
| version: ${{ steps.version.outputs.tag }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Extract release version | |
| id: version | |
| run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| - name: Build and push image for ${{ matrix.arch }} | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/${{ matrix.arch }} | |
| tags: fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }} | |
| push: true | |
| provenance: true | |
| sbom: true | |
| build-args: | | |
| VERSION=${{ steps.version.outputs.tag }} | |
| merge-multiarch: | |
| name: Merge Multi-Arch Image and Sign | |
| needs: build-images | |
| runs-on: ubuntu-latest | |
| outputs: | |
| digest: ${{ steps.push.outputs.digest }} | |
| steps: | |
| - name: Extract release version | |
| run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Merge multi-arch image and get digest | |
| id: push | |
| run: | | |
| docker buildx imagetools create \ | |
| --tag fontebasso/php-nginx:${RELEASE_VERSION} \ | |
| --tag fontebasso/php-nginx:latest \ | |
| fontebasso/php-nginx:${RELEASE_VERSION}-amd64 \ | |
| fontebasso/php-nginx:${RELEASE_VERSION}-arm64 | |
| digest=$(docker buildx imagetools inspect fontebasso/php-nginx:${RELEASE_VERSION} --format '{{json .}}' | jq -r '.manifest.digest') | |
| echo "digest=$digest" | |
| echo "digest=$digest" >> "$GITHUB_OUTPUT" | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Sign image by digest (OIDC keyless) | |
| env: | |
| COSIGN_EXPERIMENTAL: "1" | |
| run: | | |
| cosign sign --yes docker.io/fontebasso/php-nginx@${{ steps.push.outputs.digest }} |