diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 000000000..eaa4329be --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,63 @@ +# +name: Create and publish a Docker image + +on: + push: + branches: + - main + +env: + IMAGE_NAME: ${{ github.repository }} + REGISTRY: ghcr.io + +jobs: + build-and-push-image: + permissions: + attestations: write + contents: read + id-token: write + packages: write + runs-on: ubuntu-latest + steps: + + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - id: meta + name: Extract metadata (tags, labels) for Docker + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=latest + type=sha + + # setup qemu and buildx for cross-builds (arm64) + - name: Set up QEMU (for arm64 builds) + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3 + + - id: push + name: Build and push Docker image + uses: docker/build-push-action@v6 + with: + context: . + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + push-to-registry: true + subject-digest: ${{ steps.push.outputs.digest }} + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}