Build #243
Workflow file for this run
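# Builds the container image from ./Containerfile on pull requests against
# main, pushes to main, merge-queue runs and manual dispatch. Every event
# other than pull_request also pushes the image to GHCR and signs the pushed
# digest with cosign.
name: Build
on:
  pull_request:
    branches:
      - main
    paths-ignore:
      - "**.md"
  push:
    branches:
      - main
  merge_group:
  workflow_dispatch:
env:
  # NOTE(review): registry references are expected to be lowercase; confirm
  # the repository owner name contains no uppercase characters, or lowercase
  # it before it is used in the push and sign steps.
  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
  IMAGE_NAME: common
jobs:
  build_push:
    name: Build and push image
    runs-on: ubuntu-latest
    # These scopes apply to every event that starts this job, including
    # pull_request runs, even though the push and sign steps are skipped there.
    permissions:
      contents: read
      # Needed by the GHCR login and push steps.
      packages: write
      # NOTE(review): signing below uses a private key
      # (--key env://COSIGN_PRIVATE_KEY), not keyless OIDC, and no visible step
      # requests an OIDC token. Drop this scope unless something else needs it.
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
        with:
          # No later step uses git credentials, so do not leave the token in
          # .git/config where the image build context could pick it up.
          persist-credentials: false

      # Emits three step outputs: sha_short (always), alias_tags (always) and
      # date (non-PR events only).
      - name: Generate tags
        id: generate-tags
        shell: bash
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the shell never parses an expression value as code.
          PR_NUMBER: ${{ github.event.number }}
        run: |
          echo "sha_short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
          alias_tags=()
          # Pull requests get a pr-<number> alias and no date tag.
          if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
            alias_tags+=("pr-${PR_NUMBER}")
          else
            # push to main, merge_group and workflow_dispatch runs land here
            # (this workflow defines no schedule trigger).
            echo "date=$(date +%Y%m%d)" >> "$GITHUB_OUTPUT"
            alias_tags+=("latest")
          fi
          echo "alias_tags=${alias_tags[*]}" >> "$GITHUB_OUTPUT"

      # NOTE(review): referenced by the mutable tag v2, unlike the checkout and
      # cosign-installer steps, which are pinned to a full commit SHA. Pin this
      # action the same way so a moved tag cannot change what runs in a job
      # that holds packages: write.
      - name: Build Image
        id: build_image
        uses: redhat-actions/buildah-build@v2
        with:
          containerfiles: |
            ./Containerfile
          image: ${{ env.IMAGE_NAME }}
          # The date output is empty on pull_request runs, so that line
          # contributes no tag there.
          tags: |
            ${{ steps.generate-tags.outputs.alias_tags }}
            ${{ steps.generate-tags.outputs.date }}
            ${{ steps.generate-tags.outputs.sha_short }}
          oci: true

      # NOTE(review): the condition on this and the following publish steps is
      # also true for merge_group and workflow_dispatch, so a merge-queue
      # candidate or a manual run from any branch pushes and signs `latest`.
      # Confirm that is intended; otherwise restrict publishing to push events.
      # NOTE(review): docker/login-action is referenced by the mutable tag v3
      # and receives the job token; pin it to a full commit SHA.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Push the image to GHCR (Image Registry)
      # NOTE(review): mutable tag v2 on an action that is handed the registry
      # password; pin it to a full commit SHA.
      - name: Push To GHCR
        uses: redhat-actions/push-to-registry@v2
        id: push
        if: github.event_name != 'pull_request'
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ github.token }}
        with:
          image: ${{ steps.build_image.outputs.image }}
          tags: ${{ steps.build_image.outputs.tags }}
          registry: ${{ env.IMAGE_REGISTRY }}
          username: ${{ env.REGISTRY_USER }}
          password: ${{ env.REGISTRY_PASSWORD }}
          extra-args: |
            --compression-format=zstd:chunked

      - name: Install Cosign
        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
        if: github.event_name != 'pull_request'

      # Signs by the digest reported by the push step rather than by tag, so
      # the signature is bound to the exact image that was pushed.
      - name: Sign container image
        if: github.event_name != 'pull_request'
        run: |
          # IMAGE_REGISTRY and IMAGE_NAME come from the workflow-level env and
          # are read as shell variables, quoted, instead of being expanded into
          # the script text.
          cosign sign -y --key env://COSIGN_PRIVATE_KEY "${IMAGE_REGISTRY}/${IMAGE_NAME}@${TAGS}"
        env:
          # Despite the name, this holds the pushed image digest.
          TAGS: ${{ steps.push.outputs.digest }}
          COSIGN_EXPERIMENTAL: "false"
          # Private signing key; cosign reads it from the environment via the
          # env:// key reference above.
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}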