actions/docker-publish-gh/action.yml

# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
# permissions:
#   - packages: write  # Required for publishing to GitHub Container Registry
#   - contents: read   # Required for checking out repository
---
name: Docker Publish to GitHub Packages
description: 'Publishes a Docker image to GitHub Packages with advanced security and reliability features.'
author: 'Ismo Vuorinen'

branding:
  icon: 'package'
  color: 'blue'

inputs:
  image-name:
    description: 'The name of the Docker image to publish. Defaults to the repository name.'
    required: false
  tags:
    description: 'Comma-separated list of tags for the Docker image.'
    required: true
  platforms:
    description: 'Platforms to publish (comma-separated). Defaults to amd64 and arm64.'
    required: false
    default: 'linux/amd64,linux/arm64'
  registry:
    description: 'GitHub Container Registry URL'
    required: false
    default: 'ghcr.io'
  token:
    description: 'GitHub token with package write permissions'
    required: false
    default: ''
  provenance:
    description: 'Enable SLSA provenance generation'
    required: false
    default: 'true'
  sbom:
    description: 'Generate Software Bill of Materials'
    required: false
    default: 'true'
  max-retries:
    description: 'Maximum number of retry attempts for publishing'
    required: false
    default: '3'
  retry-delay:
    description: 'Delay in seconds between retries'
    required: false
    default: '10'
  buildx-version:
    description: 'Specific Docker Buildx version to use'
    required: false
    default: 'latest'
  cache-mode:
    description: 'Cache mode for build layers (min, max, or inline)'
    required: false
    default: 'max'
  auto-detect-platforms:
    description: 'Automatically detect and build for all available platforms'
    required: false
    default: 'false'
  scan-image:
    description: 'Scan published image for vulnerabilities'
    required: false
    default: 'true'
  sign-image:
    description: 'Sign the published image with cosign'
    required: false
    default: 'true'
  parallel-builds:
    description: 'Number of parallel platform builds (0 for auto)'
    required: false
    default: '0'
  verbose:
    description: 'Enable verbose logging'
    required: false
    default: 'false'

outputs:
  image-name:
    description: 'Full image name including registry'
    value: ${{ steps.metadata.outputs.full-name }}
  digest:
    description: 'The digest of the published image'
    value: ${{ steps.publish.outputs.digest }}
  tags:
    description: 'List of published tags'
    value: ${{ steps.metadata.outputs.tags }}
  provenance:
    description: 'SLSA provenance attestation'
    value: ${{ steps.publish.outputs.provenance }}
  sbom:
    description: 'SBOM document location'
    value: ${{ steps.publish.outputs.sbom }}
  scan-results:
    description: 'Vulnerability scan results'
    value: ${{ steps.scan.outputs.results }}
  platform-matrix:
    description: 'Build status per platform'
    value: ${{ steps.publish.outputs.platform-matrix }}
  build-time:
    description: 'Total build time in seconds'
    value: ${{ steps.publish.outputs.build-time }}

runs:
  using: composite
  steps:
    - name: Mask Secrets
      shell: bash
      env:
        INPUT_TOKEN: ${{ inputs.token }}
      run: |
        set -euo pipefail
        # Use provided token or fall back to GITHUB_TOKEN
        TOKEN="${INPUT_TOKEN:-${GITHUB_TOKEN:-}}"
        if [ -n "$TOKEN" ]; then
          echo "::add-mask::$TOKEN"
        fi

    - name: Validate Inputs
      id: validate
      shell: bash
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        TAGS: ${{ inputs.tags }}
        PLATFORMS: ${{ inputs.platforms }}
      run: |
        set -euo pipefail

        # Validate image name format
        if [ -n "$IMAGE_NAME" ]; then
          if ! [[ "$IMAGE_NAME" =~ ^[a-z0-9]+(?:[._-][a-z0-9]+)*$ ]]; then
            echo "::error::Invalid image name format"
            exit 1
          fi
        fi

        # Validate tags
        IFS=',' read -ra TAG_ARRAY <<< "$TAGS"
        for tag in "${TAG_ARRAY[@]}"; do
          if ! [[ "$tag" =~ ^(v?[0-9]+\.[0-9]+\.[0-9]+(-[\w.]+)?(\+[\w.]+)?|latest|[a-zA-Z][-a-zA-Z0-9._]{0,127})$ ]]; then
            echo "::error::Invalid tag format: $tag"
            exit 1
          fi
        done

        # Validate platforms
        IFS=',' read -ra PLATFORM_ARRAY <<< "$PLATFORMS"
        for platform in "${PLATFORM_ARRAY[@]}"; do
          if ! [[ "$platform" =~ ^linux/(amd64|arm64|arm/v7|arm/v6|386|ppc64le|s390x)$ ]]; then
            echo "::error::Invalid platform: $platform"
            exit 1
          fi
        done

    - name: Set up QEMU
      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      with:
        platforms: ${{ inputs.platforms }}

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      with:
        version: ${{ inputs.buildx-version }}
        platforms: ${{ inputs.platforms }}
        buildkitd-flags: --debug
        driver-opts: |
          network=host
          image=moby/buildkit:${{ inputs.buildx-version }}

    - name: Prepare Metadata
      id: metadata
      shell: bash
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        REGISTRY: ${{ inputs.registry }}
        TAGS: ${{ inputs.tags }}
        REPO_OWNER: ${{ github.repository_owner }}
      run: |
        set -euo pipefail

        # Determine image name
        if [ -z "$IMAGE_NAME" ]; then
          image_name=$(basename $GITHUB_REPOSITORY)
        else
          image_name="$IMAGE_NAME"
        fi

        # Output image name for reuse
        echo "image-name=${image_name}" >> $GITHUB_OUTPUT

        # Normalize repository owner to lowercase for GHCR compatibility
        repo_owner_lower=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')

        # Construct full image name with registry
        full_name="$REGISTRY/${repo_owner_lower}/${image_name}"
        echo "full-name=${full_name}" >> $GITHUB_OUTPUT

        # Process tags
        processed_tags=""
        IFS=',' read -ra TAG_ARRAY <<< "$TAGS"
        for tag in "${TAG_ARRAY[@]}"; do
          processed_tags="${processed_tags}${full_name}:${tag},"
        done
        processed_tags=${processed_tags%,}
        echo "tags=${processed_tags}" >> $GITHUB_OUTPUT

    - name: Log in to GitHub Container Registry
      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ github.actor }}
        password: ${{ inputs.token || github.token }}

    - name: Set up Cosign
      if: inputs.provenance == 'true' || inputs.sign-image == 'true'
      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

    - name: Detect Available Platforms
      id: detect-platforms
      if: inputs.auto-detect-platforms == 'true'
      shell: bash
      env:
        PLATFORMS: ${{ inputs.platforms }}
      run: |
        set -euo pipefail

        # Get available platforms from buildx
        available_platforms=$(docker buildx ls | grep -o 'linux/[^ ]*' | sort -u | tr '\n' ',' | sed 's/,$//')

        if [ -n "$available_platforms" ]; then
          echo "platforms=${available_platforms}" >> $GITHUB_OUTPUT
          echo "Detected platforms: ${available_platforms}"
        else
          echo "platforms=$PLATFORMS" >> $GITHUB_OUTPUT
          echo "Using default platforms: $PLATFORMS"
        fi

    - name: Publish Image
      id: publish
      shell: bash
      env:
        DOCKER_BUILDKIT: 1
        AUTO_DETECT_PLATFORMS: ${{ inputs.auto-detect-platforms }}
        DETECTED_PLATFORMS: ${{ steps.detect-platforms.outputs.platforms }}
        DEFAULT_PLATFORMS: ${{ inputs.platforms }}
        VERBOSE: ${{ inputs.verbose }}
        MAX_RETRIES: ${{ inputs.max-retries }}
        METADATA_TAGS: ${{ steps.metadata.outputs.tags }}
        REGISTRY: ${{ inputs.registry }}
        CACHE_MODE: ${{ inputs.cache-mode }}
        PROVENANCE: ${{ inputs.provenance }}
        SBOM: ${{ inputs.sbom }}
        INPUT_TAGS: ${{ inputs.tags }}
        FULL_IMAGE_NAME: ${{ steps.metadata.outputs.full-name }}
        IMAGE_NAME: ${{ steps.metadata.outputs.image-name }}
        RETRY_DELAY: ${{ inputs.retry-delay }}
        REPO_OWNER: ${{ github.repository_owner }}
      run: |
        set -euo pipefail

        # Normalize repository owner to lowercase for GHCR compatibility
        REPO_OWNER_LOWER=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')
        export REPO_OWNER_LOWER

        # Track build start time
        build_start=$(date +%s)

        # Determine platforms
        if [ "$AUTO_DETECT_PLATFORMS" == "true" ] && [ -n "$DETECTED_PLATFORMS" ]; then
          platforms="$DETECTED_PLATFORMS"
        else
          platforms="$DEFAULT_PLATFORMS"
        fi

        # Initialize platform matrix tracking
        platform_matrix="{}"

        # Prepare verbose flag
        verbose_flag=""
        if [ "$VERBOSE" == "true" ]; then
          verbose_flag="--progress=plain"
        fi

        attempt=1
        max_attempts="$MAX_RETRIES"

        while [ $attempt -le $max_attempts ]; do
          echo "Publishing attempt $attempt of $max_attempts"

          # Prepare tag arguments from comma-separated tags
          tag_args=""
          IFS=',' read -ra TAGS <<< "$METADATA_TAGS"
          for tag in "${TAGS[@]}"; do
            tag=$(echo "$tag" | xargs) # trim whitespace
            tag_args="$tag_args --tag $tag"
          done

          # Prepare provenance flag
          provenance_flag=""
          if [ "$PROVENANCE" == "true" ]; then
            provenance_flag="--provenance=true"
          fi

          # Prepare SBOM flag
          sbom_flag=""
          if [ "$SBOM" == "true" ]; then
            sbom_flag="--sbom=true"
          fi

          if docker buildx build \
            --platform=${platforms} \
            $tag_args \
            --push \
            --cache-from type=registry,ref="$REGISTRY/$REPO_OWNER_LOWER/cache:buildcache" \
            --cache-to type=registry,ref="$REGISTRY/$REPO_OWNER_LOWER/cache:buildcache",mode="$CACHE_MODE" \
            ${provenance_flag} \
            ${sbom_flag} \
            ${verbose_flag} \
            --metadata-file=/tmp/build-metadata.json \
            --label "org.opencontainers.image.source=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" \
            --label "org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
            --label "org.opencontainers.image.revision=${GITHUB_SHA}" \
            --label "org.opencontainers.image.version=$INPUT_TAGS" \
            .; then

            # Get image digest
            IFS=',' read -ra TAG_ARRAY <<< "$INPUT_TAGS"
            digest=$(docker buildx imagetools inspect "$FULL_IMAGE_NAME:${TAG_ARRAY[0]}" --raw | jq -r '.digest // "unknown"' || echo "unknown")
            echo "digest=${digest}" >> $GITHUB_OUTPUT

            # Calculate build time
            build_end=$(date +%s)
            build_time=$((build_end - build_start))
            echo "build-time=${build_time}" >> $GITHUB_OUTPUT

            # Build platform matrix
            IFS=',' read -ra PLATFORM_ARRAY <<< "${platforms}"
            platform_matrix="{"
            for p in "${PLATFORM_ARRAY[@]}"; do
              platform_matrix="${platform_matrix}\"${p}\":\"success\","
            done
            platform_matrix="${platform_matrix%,}}"
            echo "platform-matrix=${platform_matrix}" >> $GITHUB_OUTPUT

            # Generate attestations if enabled
            if [[ "$PROVENANCE" == "true" ]]; then
              echo "provenance=true" >> $GITHUB_OUTPUT
            fi

            if [[ "$SBOM" == "true" ]]; then
              sbom_path="$REGISTRY/$REPO_OWNER_LOWER/$IMAGE_NAME.sbom"
              echo "sbom=${sbom_path}" >> $GITHUB_OUTPUT
            fi

            break
          fi

          attempt=$((attempt + 1))
          if [ $attempt -le $max_attempts ]; then
            echo "Publish failed, waiting $RETRY_DELAY seconds before retry..."
            sleep "$RETRY_DELAY"
          else
            echo "::error::Publishing failed after $max_attempts attempts"
            exit 1
          fi
        done

    - name: Scan Published Image
      id: scan
      if: inputs.scan-image == 'true'
      shell: bash
      env:
        IMAGE_DIGEST: ${{ steps.publish.outputs.digest }}
        FULL_IMAGE_NAME: ${{ steps.metadata.outputs.full-name }}
      run: |
        set -euo pipefail

        # Validate digest availability
        if [ -z "$IMAGE_DIGEST" ] || [ "$IMAGE_DIGEST" == "unknown" ]; then
          echo "::error::No valid image digest available for scanning"
          exit 1
        fi

        # Install Trivy
        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
        echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
        sudo apt-get update && sudo apt-get install -y trivy

        # Scan the exact digest that was just built (not tags which could be stale)
        trivy image \
          --severity HIGH,CRITICAL \
          --format json \
          --output /tmp/scan-results.json \
          "$FULL_IMAGE_NAME@${IMAGE_DIGEST}"

        # Output results
        scan_results=$(cat /tmp/scan-results.json | jq -c '.')
        echo "results=${scan_results}" >> $GITHUB_OUTPUT

        # Check for critical vulnerabilities
        critical_count=$(cat /tmp/scan-results.json | jq '.Results[].Vulnerabilities[] | select(.Severity == "CRITICAL") | .VulnerabilityID' | wc -l)
        if [ "$critical_count" -gt 0 ]; then
          echo "::warning::Found $critical_count critical vulnerabilities in published image"
        fi

    - name: Sign Published Image
      id: sign
      if: inputs.sign-image == 'true'
      shell: bash
      env:
        IMAGE_DIGEST: ${{ steps.publish.outputs.digest }}
        FULL_IMAGE_NAME: ${{ steps.metadata.outputs.full-name }}
      run: |
        set -euo pipefail

        # Validate digest availability
        if [ -z "$IMAGE_DIGEST" ] || [ "$IMAGE_DIGEST" == "unknown" ]; then
          echo "::error::No valid image digest available for signing"
          exit 1
        fi

        # Sign the exact digest that was just built (not tags which could be stale)
        echo "Signing $FULL_IMAGE_NAME@${IMAGE_DIGEST}"

        # Using keyless signing with OIDC
        export COSIGN_EXPERIMENTAL=1
        cosign sign --yes "$FULL_IMAGE_NAME@${IMAGE_DIGEST}"

        echo "signature=signed" >> $GITHUB_OUTPUT

    - name: Verify Publication
      id: verify
      shell: bash
      env:
        IMAGE_DIGEST: ${{ steps.publish.outputs.digest }}
        FULL_IMAGE_NAME: ${{ steps.metadata.outputs.full-name }}
        AUTO_DETECT_PLATFORMS: ${{ inputs.auto-detect-platforms }}
        DETECTED_PLATFORMS: ${{ steps.detect-platforms.outputs.platforms }}
        DEFAULT_PLATFORMS: ${{ inputs.platforms }}
        SIGN_IMAGE: ${{ inputs.sign-image }}
      run: |
        set -euo pipefail

        # Validate digest availability
        if [ -z "$IMAGE_DIGEST" ] || [ "$IMAGE_DIGEST" == "unknown" ]; then
          echo "::error::No valid image digest available for verification"
          exit 1
        fi

        # Verify the exact digest that was just built
        if ! docker buildx imagetools inspect "$FULL_IMAGE_NAME@${IMAGE_DIGEST}" >/dev/null 2>&1; then
          echo "::error::Published image not found at digest: $IMAGE_DIGEST"
          exit 1
        fi

        # Determine platforms to verify
        if [ "$AUTO_DETECT_PLATFORMS" == "true" ] && [ -n "$DETECTED_PLATFORMS" ]; then
          platforms="$DETECTED_PLATFORMS"
        else
          platforms="$DEFAULT_PLATFORMS"
        fi

        # Verify platforms using the exact digest
        IFS=',' read -ra PLATFORM_ARRAY <<< "${platforms}"
        for platform in "${PLATFORM_ARRAY[@]}"; do
          if ! docker buildx imagetools inspect "$FULL_IMAGE_NAME@${IMAGE_DIGEST}" | grep -q "$platform"; then
            echo "::warning::Platform $platform not found in published image"
          else
            echo "✅ Verified platform: $platform"
          fi
        done

        # Verify signature if signing was enabled (verify the digest)
        if [ "$SIGN_IMAGE" == "true" ]; then
          export COSIGN_EXPERIMENTAL=1
          if ! cosign verify --certificate-identity-regexp ".*" --certificate-oidc-issuer-regexp ".*" "$FULL_IMAGE_NAME@${IMAGE_DIGEST}" >/dev/null 2>&1; then
            echo "::warning::Could not verify signature for digest: $IMAGE_DIGEST"
          else
            echo "✅ Signature verified for digest: $IMAGE_DIGEST"
          fi
        fi

    - name: Clean up
      if: always()
      shell: bash
      env:
        REGISTRY: ${{ inputs.registry }}
      run: |-
        set -euo pipefail

        # Remove temporary files and cleanup Docker cache
        docker buildx prune -f --keep-storage=10GB

        # Logout from registry
        docker logout "$REGISTRY"