# yaml-language-server: $schema=https://json.schemastore.org/github-action.json # permissions: # - packages: write # Required for publishing to GitHub Container Registry # - contents: read # Required for checking out repository --- name: Docker Publish to GitHub Packages description: 'Publishes a Docker image to GitHub Packages with advanced security and reliability features.' author: 'Ismo Vuorinen' branding: icon: 'package' color: 'blue' inputs: image-name: description: 'The name of the Docker image to publish. Defaults to the repository name.' required: false tags: description: 'Comma-separated list of tags for the Docker image.' required: true platforms: description: 'Platforms to publish (comma-separated). Defaults to amd64 and arm64.' required: false default: 'linux/amd64,linux/arm64' registry: description: 'GitHub Container Registry URL' required: false default: 'ghcr.io' token: description: 'GitHub token with package write permissions' required: false default: '' provenance: description: 'Enable SLSA provenance generation' required: false default: 'true' sbom: description: 'Generate Software Bill of Materials' required: false default: 'true' max-retries: description: 'Maximum number of retry attempts for publishing' required: false default: '3' retry-delay: description: 'Delay in seconds between retries' required: false default: '10' buildx-version: description: 'Specific Docker Buildx version to use' required: false default: 'latest' cache-mode: description: 'Cache mode for build layers (min, max, or inline)' required: false default: 'max' auto-detect-platforms: description: 'Automatically detect and build for all available platforms' required: false default: 'false' scan-image: description: 'Scan published image for vulnerabilities' required: false default: 'true' sign-image: description: 'Sign the published image with cosign' required: false default: 'true' parallel-builds: description: 'Number of parallel platform builds (0 for auto)' required: false default: '0' verbose: description: 'Enable verbose logging' required: false default: 'false' outputs: image-name: description: 'Full image name including registry' value: ${{ steps.metadata.outputs.full-name }} digest: description: 'The digest of the published image' value: ${{ steps.publish.outputs.digest }} tags: description: 'List of published tags' value: ${{ steps.metadata.outputs.tags }} provenance: description: 'SLSA provenance attestation' value: ${{ steps.publish.outputs.provenance }} sbom: description: 'SBOM document location' value: ${{ steps.publish.outputs.sbom }} scan-results: description: 'Vulnerability scan results' value: ${{ steps.scan.outputs.results }} platform-matrix: description: 'Build status per platform' value: ${{ steps.publish.outputs.platform-matrix }} build-time: description: 'Total build time in seconds' value: ${{ steps.publish.outputs.build-time }} runs: using: composite steps: - name: Mask Secrets shell: bash env: INPUT_TOKEN: ${{ inputs.token }} run: | set -euo pipefail # Use provided token or fall back to GITHUB_TOKEN TOKEN="${INPUT_TOKEN:-${GITHUB_TOKEN:-}}" if [ -n "$TOKEN" ]; then echo "::add-mask::$TOKEN" fi - name: Validate Inputs id: validate shell: bash env: IMAGE_NAME: ${{ inputs.image-name }} TAGS: ${{ inputs.tags }} PLATFORMS: ${{ inputs.platforms }} run: | set -euo pipefail # Validate image name format if [ -n "$IMAGE_NAME" ]; then if ! [[ "$IMAGE_NAME" =~ ^[a-z0-9]+(?:[._-][a-z0-9]+)*$ ]]; then echo "::error::Invalid image name format" exit 1 fi fi # Validate tags IFS=',' read -ra TAG_ARRAY <<< "$TAGS" for tag in "${TAG_ARRAY[@]}"; do if ! [[ "$tag" =~ ^(v?[0-9]+\.[0-9]+\.[0-9]+(-[\w.]+)?(\+[\w.]+)?|latest|[a-zA-Z][-a-zA-Z0-9._]{0,127})$ ]]; then echo "::error::Invalid tag format: $tag" exit 1 fi done # Validate platforms IFS=',' read -ra PLATFORM_ARRAY <<< "$PLATFORMS" for platform in "${PLATFORM_ARRAY[@]}"; do if ! [[ "$platform" =~ ^linux/(amd64|arm64|arm/v7|arm/v6|386|ppc64le|s390x)$ ]]; then echo "::error::Invalid platform: $platform" exit 1 fi done - name: Set up QEMU uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: platforms: ${{ inputs.platforms }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: version: ${{ inputs.buildx-version }} platforms: ${{ inputs.platforms }} buildkitd-flags: --debug driver-opts: | network=host image=moby/buildkit:${{ inputs.buildx-version }} - name: Prepare Metadata id: metadata shell: bash env: IMAGE_NAME: ${{ inputs.image-name }} REGISTRY: ${{ inputs.registry }} TAGS: ${{ inputs.tags }} REPO_OWNER: ${{ github.repository_owner }} run: | set -euo pipefail # Determine image name if [ -z "$IMAGE_NAME" ]; then image_name=$(basename $GITHUB_REPOSITORY) else image_name="$IMAGE_NAME" fi # Output image name for reuse echo "image-name=${image_name}" >> $GITHUB_OUTPUT # Normalize repository owner to lowercase for GHCR compatibility repo_owner_lower=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]') # Construct full image name with registry full_name="$REGISTRY/${repo_owner_lower}/${image_name}" echo "full-name=${full_name}" >> $GITHUB_OUTPUT # Process tags processed_tags="" IFS=',' read -ra TAG_ARRAY <<< "$TAGS" for tag in "${TAG_ARRAY[@]}"; do processed_tags="${processed_tags}${full_name}:${tag}," done processed_tags=${processed_tags%,} echo "tags=${processed_tags}" >> $GITHUB_OUTPUT - name: Log in to GitHub Container Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ${{ inputs.registry }} username: ${{ github.actor }} password: ${{ inputs.token || github.token }} - name: Set up Cosign if: inputs.provenance == 'true' || inputs.sign-image == 'true' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Detect Available Platforms id: detect-platforms if: inputs.auto-detect-platforms == 'true' shell: bash env: PLATFORMS: ${{ inputs.platforms }} run: | set -euo pipefail # Get available platforms from buildx available_platforms=$(docker buildx ls | grep -o 'linux/[^ ]*' | sort -u | tr '\n' ',' | sed 's/,$//') if [ -n "$available_platforms" ]; then echo "platforms=${available_platforms}" >> $GITHUB_OUTPUT echo "Detected platforms: ${available_platforms}" else echo "platforms=$PLATFORMS" >> $GITHUB_OUTPUT echo "Using default platforms: $PLATFORMS" fi - name: Publish Image id: publish shell: bash env: DOCKER_BUILDKIT: 1 AUTO_DETECT_PLATFORMS: ${{ inputs.auto-detect-platforms }} DETECTED_PLATFORMS: ${{ steps.detect-platforms.outputs.platforms }} DEFAULT_PLATFORMS: ${{ inputs.platforms }} VERBOSE: ${{ inputs.verbose }} MAX_RETRIES: ${{ inputs.max-retries }} METADATA_TAGS: ${{ steps.metadata.outputs.tags }} REGISTRY: ${{ inputs.registry }} CACHE_MODE: ${{ inputs.cache-mode }} PROVENANCE: ${{ inputs.provenance }} SBOM: ${{ inputs.sbom }} INPUT_TAGS: ${{ inputs.tags }} FULL_IMAGE_NAME: ${{ steps.metadata.outputs.full-name }} IMAGE_NAME: ${{ steps.metadata.outputs.image-name }} RETRY_DELAY: ${{ inputs.retry-delay }} REPO_OWNER: ${{ github.repository_owner }} run: | set -euo pipefail # Normalize repository owner to lowercase for GHCR compatibility REPO_OWNER_LOWER=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]') export REPO_OWNER_LOWER # Track build start time build_start=$(date +%s) # Determine platforms if [ "$AUTO_DETECT_PLATFORMS" == "true" ] && [ -n "$DETECTED_PLATFORMS" ]; then platforms="$DETECTED_PLATFORMS" else platforms="$DEFAULT_PLATFORMS" fi # Initialize platform matrix tracking platform_matrix="{}" # Prepare verbose flag verbose_flag="" if [ "$VERBOSE" == "true" ]; then verbose_flag="--progress=plain" fi attempt=1 max_attempts="$MAX_RETRIES" while [ $attempt -le $max_attempts ]; do echo "Publishing attempt $attempt of $max_attempts" # Prepare tag arguments from comma-separated tags tag_args="" IFS=',' read -ra TAGS <<< "$METADATA_TAGS" for tag in "${TAGS[@]}"; do tag=$(echo "$tag" | xargs) # trim whitespace tag_args="$tag_args --tag $tag" done # Prepare provenance flag provenance_flag="" if [ "$PROVENANCE" == "true" ]; then provenance_flag="--provenance=true" fi # Prepare SBOM flag sbom_flag="" if [ "$SBOM" == "true" ]; then sbom_flag="--sbom=true" fi if docker buildx build \ --platform=${platforms} \ $tag_args \ --push \ --cache-from type=registry,ref="$REGISTRY/$REPO_OWNER_LOWER/cache:buildcache" \ --cache-to type=registry,ref="$REGISTRY/$REPO_OWNER_LOWER/cache:buildcache",mode="$CACHE_MODE" \ ${provenance_flag} \ ${sbom_flag} \ ${verbose_flag} \ --metadata-file=/tmp/build-metadata.json \ --label "org.opencontainers.image.source=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" \ --label "org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \ --label "org.opencontainers.image.revision=${GITHUB_SHA}" \ --label "org.opencontainers.image.version=$INPUT_TAGS" \ .; then # Get image digest IFS=',' read -ra TAG_ARRAY <<< "$INPUT_TAGS" digest=$(docker buildx imagetools inspect "$FULL_IMAGE_NAME:${TAG_ARRAY[0]}" --raw | jq -r '.digest // "unknown"' || echo "unknown") echo "digest=${digest}" >> $GITHUB_OUTPUT # Calculate build time build_end=$(date +%s) build_time=$((build_end - build_start)) echo "build-time=${build_time}" >> $GITHUB_OUTPUT # Build platform matrix IFS=',' read -ra PLATFORM_ARRAY <<< "${platforms}" platform_matrix="{" for p in "${PLATFORM_ARRAY[@]}"; do platform_matrix="${platform_matrix}\"${p}\":\"success\"," done platform_matrix="${platform_matrix%,}}" echo "platform-matrix=${platform_matrix}" >> $GITHUB_OUTPUT # Generate attestations if enabled if [[ "$PROVENANCE" == "true" ]]; then echo "provenance=true" >> $GITHUB_OUTPUT fi if [[ "$SBOM" == "true" ]]; then sbom_path="$REGISTRY/$REPO_OWNER_LOWER/$IMAGE_NAME.sbom" echo "sbom=${sbom_path}" >> $GITHUB_OUTPUT fi break fi attempt=$((attempt + 1)) if [ $attempt -le $max_attempts ]; then echo "Publish failed, waiting $RETRY_DELAY seconds before retry..." sleep "$RETRY_DELAY" else echo "::error::Publishing failed after $max_attempts attempts" exit 1 fi done - name: Scan Published Image id: scan if: inputs.scan-image == 'true' shell: bash env: IMAGE_DIGEST: ${{ steps.publish.outputs.digest }} FULL_IMAGE_NAME: ${{ steps.metadata.outputs.full-name }} run: | set -euo pipefail # Validate digest availability if [ -z "$IMAGE_DIGEST" ] || [ "$IMAGE_DIGEST" == "unknown" ]; then echo "::error::No valid image digest available for scanning" exit 1 fi # Install Trivy wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt-get update && sudo apt-get install -y trivy # Scan the exact digest that was just built (not tags which could be stale) trivy image \ --severity HIGH,CRITICAL \ --format json \ --output /tmp/scan-results.json \ "$FULL_IMAGE_NAME@${IMAGE_DIGEST}" # Output results scan_results=$(cat /tmp/scan-results.json | jq -c '.') echo "results=${scan_results}" >> $GITHUB_OUTPUT # Check for critical vulnerabilities critical_count=$(cat /tmp/scan-results.json | jq '.Results[].Vulnerabilities[] | select(.Severity == "CRITICAL") | .VulnerabilityID' | wc -l) if [ "$critical_count" -gt 0 ]; then echo "::warning::Found $critical_count critical vulnerabilities in published image" fi - name: Sign Published Image id: sign if: inputs.sign-image == 'true' shell: bash env: IMAGE_DIGEST: ${{ steps.publish.outputs.digest }} FULL_IMAGE_NAME: ${{ steps.metadata.outputs.full-name }} run: | set -euo pipefail # Validate digest availability if [ -z "$IMAGE_DIGEST" ] || [ "$IMAGE_DIGEST" == "unknown" ]; then echo "::error::No valid image digest available for signing" exit 1 fi # Sign the exact digest that was just built (not tags which could be stale) echo "Signing $FULL_IMAGE_NAME@${IMAGE_DIGEST}" # Using keyless signing with OIDC export COSIGN_EXPERIMENTAL=1 cosign sign --yes "$FULL_IMAGE_NAME@${IMAGE_DIGEST}" echo "signature=signed" >> $GITHUB_OUTPUT - name: Verify Publication id: verify shell: bash env: IMAGE_DIGEST: ${{ steps.publish.outputs.digest }} FULL_IMAGE_NAME: ${{ steps.metadata.outputs.full-name }} AUTO_DETECT_PLATFORMS: ${{ inputs.auto-detect-platforms }} DETECTED_PLATFORMS: ${{ steps.detect-platforms.outputs.platforms }} DEFAULT_PLATFORMS: ${{ inputs.platforms }} SIGN_IMAGE: ${{ inputs.sign-image }} run: | set -euo pipefail # Validate digest availability if [ -z "$IMAGE_DIGEST" ] || [ "$IMAGE_DIGEST" == "unknown" ]; then echo "::error::No valid image digest available for verification" exit 1 fi # Verify the exact digest that was just built if ! docker buildx imagetools inspect "$FULL_IMAGE_NAME@${IMAGE_DIGEST}" >/dev/null 2>&1; then echo "::error::Published image not found at digest: $IMAGE_DIGEST" exit 1 fi # Determine platforms to verify if [ "$AUTO_DETECT_PLATFORMS" == "true" ] && [ -n "$DETECTED_PLATFORMS" ]; then platforms="$DETECTED_PLATFORMS" else platforms="$DEFAULT_PLATFORMS" fi # Verify platforms using the exact digest IFS=',' read -ra PLATFORM_ARRAY <<< "${platforms}" for platform in "${PLATFORM_ARRAY[@]}"; do if ! docker buildx imagetools inspect "$FULL_IMAGE_NAME@${IMAGE_DIGEST}" | grep -q "$platform"; then echo "::warning::Platform $platform not found in published image" else echo "✅ Verified platform: $platform" fi done # Verify signature if signing was enabled (verify the digest) if [ "$SIGN_IMAGE" == "true" ]; then export COSIGN_EXPERIMENTAL=1 if ! cosign verify --certificate-identity-regexp ".*" --certificate-oidc-issuer-regexp ".*" "$FULL_IMAGE_NAME@${IMAGE_DIGEST}" >/dev/null 2>&1; then echo "::warning::Could not verify signature for digest: $IMAGE_DIGEST" else echo "✅ Signature verified for digest: $IMAGE_DIGEST" fi fi - name: Clean up if: always() shell: bash env: REGISTRY: ${{ inputs.registry }} run: |- set -euo pipefail # Remove temporary files and cleanup Docker cache docker buildx prune -f --keep-storage=10GB # Logout from registry docker logout "$REGISTRY"