image-publish.yml
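# This workflow builds and pushes the monitoring docker image when a release tag is pushed.
# The following secrets must be provided:
# DOCKER_USERNAME: The username to log into the registry.
# DOCKER_PASSWORD: The access token of the user to log into the registry.
# DOCKER_URL: The base url of the repository. Example: `docker.io/interuss` or `interuss`.
name: Publish monitoring image to Docker Registry (on new release tag)
on:
  push:
    tags:
      # Modify this pattern to trigger the job for a fork's releases.
      # Note: GitHub's filter pattern capabilities are limited[1], so this
      # pattern matches more often than it should. A more correct regex would
      # be the one found in scripts/tag.sh.
      # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
      # NOTE(review): every tag that passes this loose filter starts a signed
      # publish. Whether build/build_and_push.sh re-validates the tag against
      # the stricter regex is not visible from this file; confirm.
      - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*"
# Workflow-wide default for the GITHUB_TOKEN: read-only access to contents.
permissions:
  contents: read
jobs:
  docker-hub-push:
    name: Build and Push to Docker Hub
    runs-on: ubuntu-latest
    # Modify this condition to enable the job in a forked repository.
    if: github.repository == 'interuss/monitoring'
    # A job-level permissions block replaces the workflow-level one rather than
    # merging with it, so every scope not listed here (including contents) is
    # `none` for this job's token. Add `contents: read` here if the checkout
    # ever needs authenticated access.
    permissions:
      id-token: write  # needed for signing the images with GitHub OIDC Token
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
      - name: Job information
        # Context values are read from the runner's default environment
        # variables instead of being expanded into the script with ${{ }}.
        # An expression is substituted before the shell parses the script, so
        # a ref name containing shell metacharacters would become part of the
        # script itself.
        run: |
          echo "Job information"
          echo "Trigger: ${GITHUB_EVENT_NAME}"
          echo "Host: ${RUNNER_OS}"
          echo "Repository: ${GITHUB_REPOSITORY}"
          echo "Branch: ${GITHUB_REF}"
          docker images
          cosign version
      - name: Checkout
        # NOTE(review): unlike the other two actions in this job, this one is
        # referenced by a mutable tag. Pin it to a full commit SHA (with the
        # version as a trailing comment) so the code that runs in a job holding
        # registry credentials and an OIDC token cannot change without a diff.
        uses: actions/checkout@v6
        with:
          submodules: true
          fetch-depth: 0
      - name: Log in to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4.1.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build, push and sign image
        env:
          DOCKER_URL: ${{ secrets.DOCKER_URL }}
          # Environment variables are strings at runtime; quoting states that
          # intent explicitly.
          DOCKER_UPDATE_LATEST: "true"
          DOCKER_SIGN: "true"
          # Signing identity and issuer handed to the build script.
          # github.workflow_ref includes the triggering ref, so the identity
          # differs for every release tag.
          CERT_IDENTITY: https://github.com/${{ github.workflow_ref }}
          CERT_ISSUER: https://token.actions.githubusercontent.com
        run: |
          build/build_and_push.sh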