forked from matrix-org/sygnal
Commit
Showing
1 changed file
with
36 additions
and
12 deletions.
@@ -5,55 +5,79 @@ name: Build and push docker images | |
on: | ||
push: | ||
tags: ["v*"] | ||
branches: [ tchap ] | ||
workflow_dispatch: | ||
|
||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write # needed for signing the images with GitHub OIDC Token | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Set up QEMU | ||
id: qemu | ||
uses: docker/setup-qemu-action@v1 | ||
uses: docker/setup-qemu-action@v3 | ||
with: | ||
platforms: arm64 | ||
|
||
- name: Set up Docker Buildx | ||
id: buildx | ||
uses: docker/setup-buildx-action@v1 | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Inspect builder | ||
run: docker buildx inspect | ||
|
||
- name: Log in to DockerHub | ||
uses: docker/login-action@v1 | ||
- name: Install Cosign | ||
uses: sigstore/[email protected] | ||
|
||
- name: Log in to GHCR | ||
uses: docker/login-action@v3 | ||
with: | ||
username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
password: ${{ secrets.DOCKER_HUB_TOKEN }} | ||
registry: ghcr.io | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Calculate docker image tags | ||
- name: Calculate docker image tag | ||
id: set-tag | ||
uses: docker/metadata-action@v3 | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: matrixdotorg/sygnal | ||
images: ghcr.io/tchapgouv/sygnal | ||
flavor: | | ||
latest=false | ||
tags: | | ||
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/tchap' }} | ||
type=ref,event=tag | ||
# we explicitly check out the repository (and use `context: .` in buildx) | ||
# because we need to preserve the git metadata so that setuptools_scm | ||
# (part of build system config in pyproject.toml) can deduce the package version. | ||
# See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
uses: actions/checkout@v4 | ||
|
||
- name: Build and push all platforms | ||
uses: docker/build-push-action@v2 | ||
id: build-and-push | ||
uses: docker/build-push-action@v5 | ||
with: | ||
context: . | ||
push: true | ||
labels: "gitsha1=${{ github.sha }}" | ||
labels: | | ||
gitsha1=${{ github.sha }} | ||
org.opencontainers.image.version=${{ env.SYNAPSE_VERSION }} | ||
tags: "${{ steps.set-tag.outputs.tags }}" | ||
file: "docker/Dockerfile" | ||
platforms: linux/amd64,linux/arm64 | ||
|
||
- name: Sign the images with GitHub OIDC Token | ||
env: | ||
DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
TAGS: ${{ steps.set-tag.outputs.tags }} | ||
run: | | ||
images="" | ||
for tag in ${TAGS}; do | ||
images+="${tag}@${DIGEST} " | ||
done | ||
cosign sign --yes ${images} |
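Review bot: The new label `org.opencontainers.image.version=${{ env.SYNAPSE_VERSION }}` in the "Build and push all platforms" step reads a variable that nothing in the visible workflow sets, and the name looks carried over from another project, so the published image will most likely get an empty version label. Take the value from the metadata step instead, e.g. `org.opencontainers.image.version=${{ steps.set-tag.outputs.version }}`, or drop the line. Separately, the workflow now grants `packages: write` and `id-token: write`, yet the actions are referenced by mutable tags (`@v3`, `@v4`, `@v5`), so a retagged action would run with the ability to push and to sign under this workflow's identity. Pinning each by full commit SHA closes that gap, e.g. `uses: docker/build-push-action@<full-commit-sha>  # v5`. Declaring the two write permissions on the `build` job rather than at workflow level would also keep any job added later from inheriting them.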