From 91c88d99deada4c953d97009eb7459371b235c1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kr=C3=B3likowski?=
Date: Sun, 3 Aug 2025 18:15:46 +0200
Subject: [PATCH] new pipeline
---
...{docker-build-push.yml => docker-push.yml} | 102 ++++++++----------
1 file changed, 45 insertions(+), 57 deletions(-)
rename .github/workflows/{docker-build-push.yml => docker-push.yml} (70%)
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-push.yml
similarity index 70%
rename from .github/workflows/docker-build-push.yml
rename to .github/workflows/docker-push.yml
index 57190fb..83933b2 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-push.yml
@@ -1,11 +1,8 @@
-name: Build and Push Docker Image
+name: Publish Docker image
on:
- push:
- branches:
- - main
- tags:
- - "v*"
+ release:
+ types: [published]
pull_request:
branches:
- main
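Review bot: Nothing runs on the merge commit any more: with `push` to `main` removed, the only non-PR event left is `release: published`, and the `test`/`security-scan` jobs shown further down are gated on `github.event_name == 'pull_request'`, so a release publishes a commit that was last scanned as a PR head rather than as merged `main`. Keep a `push: branches: [main]` trigger for the test and scan jobs (publishing stays on the release path), or gate the publish job on a scan of the release commit. Note also that the `published` activity type fires for pre-releases as well; if those should not be published, add `if: ${{ github.event_name == 'release' && !github.event.release.prerelease }}` to the publish job.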
@@ -14,58 +11,10 @@ env:
REGISTRY: docker.io
IMAGE_NAME: iac-tools
-jobs:
- build:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Log in to Docker Hub
- if: startsWith(github.ref, 'refs/tags/')
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
-
- - name: Extract metadata
- if: startsWith(github.ref, 'refs/tags/')
- id: meta
- uses: docker/metadata-action@v5
- with:
- images: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}
- tags: |
- type=ref,event=branch
- type=ref,event=pr
- type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- type=raw,value=latest,enable={{is_default_branch}}
- type=sha,prefix={{branch}}-
- - name: Build and push Docker image
- if: startsWith(github.ref, 'refs/tags/')
- uses: docker/build-push-action@v5
- with:
- context: .
- platforms: linux/amd64,linux/arm64
- push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+jobs:
test:
runs-on: ubuntu-latest
- needs: build
if: github.event_name == 'pull_request'
steps:
@@ -102,10 +51,8 @@ jobs:
run: |
echo "Testing Git installation..."
docker run --rm test-image git --version
-
security-scan:
runs-on: ubuntu-latest
- needs: build
if: github.event_name == 'pull_request'
permissions:
contents: read
@@ -138,3 +85,44 @@ jobs:
if: always()
with:
sarif_file: "trivy-results.sarif"
+ push_to_registry:
+ if: github.event_name == 'release'
+ name: Push Docker image to Docker Hub
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ attestations: write
+ id-token: write
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ with:
+ images: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}
+
+ - name: Build and push Docker image
+ id: push
+ uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+ with:
+ context: .
+ file: ./Dockerfile
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-name: index.docker.io/my-docker-hub-namespace/my-docker-hub-repository
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
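Review bot: The attestation subject is still the documentation placeholder — `subject-name: index.docker.io/my-docker-hub-namespace/my-docker-hub-repository` does not name the image the previous step pushes (`${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}`), so with `push-to-registry: true` the provenance is either rejected or attached to a repository this workflow never built; it should read `subject-name: index.docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}` (or use a non-secret repository variable for the namespace, since it is public in the attestation anyway and a secret renders as `***` in logs). `packages: write` is the GHCR scope and nothing here touches GHCR, so drop it and keep the job at `contents: read`, `attestations: write`, `id-token: write`. Pinning is inconsistent: the three `docker/*` actions are commit-pinned while `actions/checkout@v4` and `actions/attest-build-provenance@v2` float on mutable tags — pin those to a commit as well and put a `# vX.Y.Z` comment after each SHA so readers and dependency bots can tell which release it is. Compared with the deleted job this publishes a single-platform image using only metadata-action defaults (no `platforms:`, no `tags:` list), so the `{{major}}.{{minor}}`/`{{major}}` floating tags disappear; presumably intentional, but worth confirming before the first release.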