mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 11:34:00 +00:00
d648dba573
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
235 lines
7.6 KiB
YAML
235 lines
7.6 KiB
YAML
---
|
|
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
|
|
name: Docker Publish to GitHub Packages
|
|
description: 'Publishes a Docker image to GitHub Packages with advanced security and reliability features.'
|
|
author: 'Ismo Vuorinen'
|
|
|
|
branding:
|
|
icon: 'package'
|
|
color: 'blue'
|
|
|
|
inputs:
|
|
image-name:
|
|
description: 'The name of the Docker image to publish. Defaults to the repository name.'
|
|
required: false
|
|
tags:
|
|
description: 'Comma-separated list of tags for the Docker image.'
|
|
required: true
|
|
platforms:
|
|
description: 'Platforms to publish (comma-separated). Defaults to amd64 and arm64.'
|
|
required: false
|
|
default: 'linux/amd64,linux/arm64'
|
|
registry:
|
|
description: 'GitHub Container Registry URL'
|
|
required: false
|
|
default: 'ghcr.io'
|
|
token:
|
|
description: 'GitHub token with package write permissions'
|
|
required: false
|
|
default: ${{ github.token }}
|
|
provenance:
|
|
description: 'Enable SLSA provenance generation'
|
|
required: false
|
|
default: 'true'
|
|
sbom:
|
|
description: 'Generate Software Bill of Materials'
|
|
required: false
|
|
default: 'true'
|
|
max-retries:
|
|
description: 'Maximum number of retry attempts for publishing'
|
|
required: false
|
|
default: '3'
|
|
retry-delay:
|
|
description: 'Delay in seconds between retries'
|
|
required: false
|
|
default: '10'
|
|
|
|
outputs:
|
|
image-name:
|
|
description: 'Full image name including registry'
|
|
value: ${{ steps.metadata.outputs.full-name }}
|
|
digest:
|
|
description: 'The digest of the published image'
|
|
value: ${{ steps.publish.outputs.digest }}
|
|
tags:
|
|
description: 'List of published tags'
|
|
value: ${{ steps.metadata.outputs.tags }}
|
|
provenance:
|
|
description: 'SLSA provenance attestation'
|
|
value: ${{ steps.publish.outputs.provenance }}
|
|
sbom:
|
|
description: 'SBOM document location'
|
|
value: ${{ steps.publish.outputs.sbom }}
|
|
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
- name: Validate Inputs
|
|
id: validate
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
# Validate image name format
|
|
if [ -n "${{ inputs.image-name }}" ]; then
|
|
if ! [[ "${{ inputs.image-name }}" =~ ^[a-z0-9]+(?:[._-][a-z0-9]+)*$ ]]; then
|
|
echo "::error::Invalid image name format"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
# Validate tags
|
|
IFS=',' read -ra TAGS <<< "${{ inputs.tags }}"
|
|
for tag in "${TAGS[@]}"; do
|
|
if ! [[ "$tag" =~ ^(v?[0-9]+\.[0-9]+\.[0-9]+(-[\w.]+)?(\+[\w.]+)?|latest|[a-zA-Z][-a-zA-Z0-9._]{0,127})$ ]]; then
|
|
echo "::error::Invalid tag format: $tag"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# Validate platforms
|
|
IFS=',' read -ra PLATFORMS <<< "${{ inputs.platforms }}"
|
|
for platform in "${PLATFORMS[@]}"; do
|
|
if ! [[ "$platform" =~ ^linux/(amd64|arm64|arm/v7|arm/v6|386|ppc64le|s390x)$ ]]; then
|
|
echo "::error::Invalid platform: $platform"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
|
|
with:
|
|
platforms: ${{ inputs.platforms }}
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
|
|
with:
|
|
platforms: ${{ inputs.platforms }}
|
|
|
|
- name: Prepare Metadata
|
|
id: metadata
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
# Determine image name
|
|
if [ -z "${{ inputs.image-name }}" ]; then
|
|
image_name=$(basename $GITHUB_REPOSITORY)
|
|
else
|
|
image_name="${{ inputs.image-name }}"
|
|
fi
|
|
|
|
# Construct full image name with registry
|
|
full_name="${{ inputs.registry }}/${{ github.repository_owner }}/${image_name}"
|
|
echo "full-name=${full_name}" >> $GITHUB_OUTPUT
|
|
|
|
# Process tags
|
|
processed_tags=""
|
|
IFS=',' read -ra TAGS <<< "${{ inputs.tags }}"
|
|
for tag in "${TAGS[@]}"; do
|
|
processed_tags="${processed_tags}${full_name}:${tag},"
|
|
done
|
|
processed_tags=${processed_tags%,}
|
|
echo "tags=${processed_tags}" >> $GITHUB_OUTPUT
|
|
|
|
- name: Log in to GitHub Container Registry
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
with:
|
|
registry: ${{ inputs.registry }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ inputs.token }}
|
|
|
|
- name: Set up Cosign
|
|
if: inputs.provenance == 'true'
|
|
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
|
|
|
|
- name: Publish Image
|
|
id: publish
|
|
shell: bash
|
|
env:
|
|
DOCKER_BUILDKIT: 1
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
attempt=1
|
|
max_attempts=${{ inputs.max-retries }}
|
|
|
|
while [ $attempt -le $max_attempts ]; do
|
|
echo "Publishing attempt $attempt of $max_attempts"
|
|
|
|
if docker buildx build \
|
|
--platform=${{ inputs.platforms }} \
|
|
--tag ${{ steps.metadata.outputs.tags }} \
|
|
--push \
|
|
${{ inputs.provenance == 'true' && '--provenance=true' || '' }} \
|
|
${{ inputs.sbom == 'true' && '--sbom=true' || '' }} \
|
|
--label "org.opencontainers.image.source=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" \
|
|
--label "org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
|
|
--label "org.opencontainers.image.revision=${GITHUB_SHA}" \
|
|
.; then
|
|
|
|
# Get image digest
|
|
digest=$(docker buildx imagetools inspect ${{ steps.metadata.outputs.full-name }}:${TAGS[0]} --raw)
|
|
echo "digest=${digest}" >> $GITHUB_OUTPUT
|
|
|
|
# Generate attestations if enabled
|
|
if [[ "${{ inputs.provenance }}" == "true" ]]; then
|
|
cosign verify-attestation \
|
|
--type slsaprovenance \
|
|
${{ steps.metadata.outputs.full-name }}@${digest}
|
|
echo "provenance=true" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
if [[ "${{ inputs.sbom }}" == "true" ]]; then
|
|
sbom_path="ghcr.io/${{ github.repository_owner }}/${image_name}.sbom"
|
|
echo "sbom=${sbom_path}" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
break
|
|
fi
|
|
|
|
attempt=$((attempt + 1))
|
|
if [ $attempt -le $max_attempts ]; then
|
|
echo "Publish failed, waiting ${{ inputs.retry-delay }} seconds before retry..."
|
|
sleep ${{ inputs.retry-delay }}
|
|
else
|
|
echo "::error::Publishing failed after $max_attempts attempts"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
- name: Verify Publication
|
|
id: verify
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
# Verify image existence and accessibility
|
|
IFS=',' read -ra TAGS <<< "${{ inputs.tags }}"
|
|
for tag in "${TAGS[@]}"; do
|
|
if ! docker buildx imagetools inspect ${{ steps.metadata.outputs.full-name }}:${tag} >/dev/null 2>&1; then
|
|
echo "::error::Published image not found: $tag"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# Verify platforms
|
|
IFS=',' read -ra PLATFORMS <<< "${{ inputs.platforms }}"
|
|
for platform in "${PLATFORMS[@]}"; do
|
|
if ! docker buildx imagetools inspect ${{ steps.metadata.outputs.full-name }}:${TAGS[0]} | grep -q "$platform"; then
|
|
echo "::warning::Platform $platform not found in published image"
|
|
fi
|
|
done
|
|
|
|
- name: Clean up
|
|
if: always()
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
# Remove temporary files and cleanup Docker cache
|
|
docker buildx prune -f --keep-storage=10GB
|
|
|
|
# Logout from registry
|
|
docker logout ${{ inputs.registry }}
|