From 378cb011fbd15cacffdf231f4b70f24133310113 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 17:33:52 +0200 Subject: [PATCH 01/13] Test --- .../build-and-upload-docker-image.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/build-and-upload-docker-image.yml diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml new file mode 100644 index 0000000..41499a7 --- /dev/null +++ b/.github/workflows/build-and-upload-docker-image.yml 
@@ -0,0 +1,58 @@ +# +name: Create and publish a Docker image + +# Configures this workflow to run every time a change is pushed to the branch called `release`. +on: + push +# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. +jobs: + build-and-push-image: + runs-on: ubuntu-latest + # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. + permissions: + contents: read + packages: write + attestations: write + id-token: write + # + steps: + - name: Checkout repository + uses: actions/checkout@v4 + # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. + # It uses the `context` parameter to define the build's context as the set of files located in the specified path. 
For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository. + # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + - name: Build and push Docker image + id: push + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v2 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + From a23ddecd759497ca65be44e175de13905208c591 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 17:37:39 +0200 Subject: [PATCH 02/13] Test --- .../build-and-upload-docker-image.yml | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 41499a7..1144a86 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml 
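Review bot: The `on: push` trigger near the top of the hunk has no branch filter, while the comment directly above it says the workflow runs on pushes to the `release` branch; as written, every push to any branch builds, publishes and attests an image with the job's `packages: write` token. Either the comment or the trigger should change, e.g. `push:` with `branches: [release]` nested under it. All five actions are referenced by mutable major-version tags (`actions/checkout@v4`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v6`, `actions/attest-build-provenance@v2`); for a job holding `packages: write` and `id-token: write`, pinning each `uses:` to a full-length commit SHA with the version in a trailing comment keeps a retagged or compromised upstream release from running with those permissions.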
@@ -1,44 +1,44 @@ -# name: Create and publish a Docker image -# Configures this workflow to run every time a change is pushed to the branch called `release`. on: push -# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} -# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. jobs: build-and-push-image: runs-on: ubuntu-latest - # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. permissions: contents: read packages: write attestations: write id-token: write - # + steps: - name: Checkout repository uses: actions/checkout@v4 - # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Log in to the Container registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. + - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. - # It uses the `context` parameter to define the build's context as the set of files located in the specified path. 
For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository. - # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=sha + - name: Build and push Docker image id: push uses: docker/build-push-action@v6 @@ -48,11 +48,9 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). - name: Generate artifact attestation uses: actions/attest-build-provenance@v2 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true - From 30105664ce8a789a5a939cefc2ad53edf3728eae Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 17:43:50 +0200 Subject: [PATCH 03/13] Test --- .../build-and-upload-docker-image.yml | 33 +++++++++++++------ 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 1144a86..81e25d5 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml 
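Review bot: The `tags:` list added to the metadata step includes `type=ref,event=pr`, which can never match because the workflow only has a `push` trigger, and `type=ref,event=branch` turns every branch name into a published, mutable image tag under `packages: write`. If per-branch images are not intended, drop the two `type=ref` entries and keep the `semver` and `sha` rules; the `type=sha` tag is the one consumers can pin to.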
@@ -1,56 +1,69 @@ +# name: Create and publish a Docker image +# Configures this workflow to run every time a change is pushed to the branch called `release`. on: push - +# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. jobs: build-and-push-image: runs-on: ubuntu-latest + # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. permissions: contents: read packages: write attestations: write id-token: write + # steps: - name: Checkout repository uses: actions/checkout@v4 + - name: Get next version + uses: reecetech/version-increment@2023.10.2 + id: version + with: + scheme: calver + increment: patch + + - name: Print version + run: echo "Version is ${{ steps.version.outputs.version }}" + # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. - name: Log in to the Container registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - + # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. 
- name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=sha - + # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. + # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository. + # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. - name: Build and push Docker image id: push uses: docker/build-push-action@v6 with: context: . push: true - tags: ${{ steps.meta.outputs.tags }} + tags: ${{ steps.version.outputs.version }} labels: ${{ steps.meta.outputs.labels }} + # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). - name: Generate artifact attestation uses: actions/attest-build-provenance@v2 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true + From d38e9a09e44300662ba3ecefa53c66037053bbc8 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 18:30:21 +0200 Subject: [PATCH 04/13] Test --- .../build-and-upload-docker-image.yml | 30 ++++++------------- 1 file changed, 9 insertions(+), 21 deletions(-) 
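Review bot: `tags: ${{ steps.version.outputs.version }}` on the build step replaces the full image reference with a bare version string, but `docker/build-push-action` expects each `tags` entry to be a complete reference such as `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}`; a bare calver value will not push to ghcr.io. The metadata step kept above it still computes `tags`, so either keep `tags: ${{ steps.meta.outputs.tags }}` and feed the version into `docker/metadata-action` via a `type=raw,value=…` entry, or spell the full reference out. The new `reecetech/version-increment@2023.10.2` step is a third-party action pulled in by a mutable tag and, if it derives the next version from existing git tags, the default shallow `actions/checkout@v4` checkout may not contain them — pin it to a commit SHA and confirm whether `fetch-depth: 0` is needed. Nothing in the workflow writes the computed version back as a git tag, so unless the action does that itself, successive runs would likely reuse the same version and overwrite the same image tag.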
diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 81e25d5..57be075 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -1,29 +1,25 @@ -# name: Create and publish a Docker image -# Configures this workflow to run every time a change is pushed to the branch called `release`. on: - push -# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. + push: + branches: [release] + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} -# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. jobs: build-and-push-image: runs-on: ubuntu-latest - # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. permissions: contents: read packages: write - attestations: write - id-token: write - # + id-token: write # Required for OIDC if used steps: - name: Checkout repository uses: actions/checkout@v4 + - name: Get next version uses: reecetech/version-increment@2023.10.2 id: version 
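Review bot: The permissions block in this hunk drops `attestations: write` while the `Generate artifact attestation` step is kept further down (visible as context in the second hunk), so `actions/attest-build-provenance@v2` will fail with an insufficient-permissions error on the next run; keep `attestations: write` next to `id-token: write`. The comment `# Required for OIDC if used` understates it — that step uses the OIDC token to sign the attestation, so `# Required for OIDC signing of the attestation` says why the scope stays.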
@@ -34,29 +30,21 @@ jobs: - name: Print version run: echo "Version is ${{ steps.version.outputs.version }}" - # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. - name: Log in to the Container registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. - # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository. - # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + - name: Build and push Docker image - id: push uses: docker/build-push-action@v6 with: context: . push: true - tags: ${{ steps.version.outputs.version }} + tags: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }} + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest labels: ${{ steps.meta.outputs.labels }} # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. 
It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). From 963541ffd35425aa407201fd8ea3cebc2b0172d9 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 18:30:59 +0200 Subject: [PATCH 05/13] Test --- .github/workflows/build-and-upload-docker-image.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 57be075..a83cf32 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -1,9 +1,7 @@ name: Create and publish a Docker image on: - push: - branches: [release] - + push env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} From fad9c35e5b728132abef8a48ef6c12892a41a905 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 18:35:58 +0200 Subject: [PATCH 06/13] Test --- .../workflows/build-and-upload-docker-image.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index a83cf32..2de9ef3 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -1,7 +1,9 @@ name: Create and publish a Docker image on: - push + push: + branches: [release] + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} @@ -12,7 +14,7 @@ jobs: permissions: contents: read packages: write - id-token: write # Required for OIDC if used + id-token: write # Required for OIDC steps: - name: Checkout repository 
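Review bot: Removing `id: push` from the build step in this hunk breaks the attestation step that follows it (its lines are outside the hunk), which reads `steps.push.outputs.digest`; with no step of that id the expression resolves to an empty string and the attestation has no subject. The hunk also deletes the `Extract metadata` step but leaves `labels: ${{ steps.meta.outputs.labels }}`, which now evaluates to empty — remove that line or keep the metadata step. Restore `id: push` on the build step.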
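Review bot: Reverting `on:` to a bare `push` removes the `branches: [release]` filter added in the previous commit, so any push to any branch now publishes both the versioned tag and `:latest` to ghcr.io with the job's `packages: write` token. The same reversion is made again in patch 07 (after patch 06 restores the filter), and the final trigger in patch 13 is likewise unfiltered; decide once whether `:latest` should come from every branch and, if not, keep `push:` with `branches: [release]` under it.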
@@ -36,6 +38,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image + id: push # Critical: ID needed to reference outputs uses: docker/build-push-action@v6 with: context: . @@ -43,13 +46,10 @@ jobs: tags: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest - labels: ${{ steps.meta.outputs.labels }} - # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). - name: Generate artifact attestation uses: actions/attest-build-provenance@v2 with: - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }} subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true - + push-to-registry: true \ No newline at end of file From fc6fa433edd24384e666dfa1dff416128c1c49a3 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 18:37:58 +0200 Subject: [PATCH 07/13] Test --- .github/workflows/build-and-upload-docker-image.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 2de9ef3..0d06fd7 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -1,9 +1,7 @@ name: Create and publish a Docker image on: - push: - branches: [release] - + push env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} From b792783fc3c0b29e71c7f5b47ffa5652979a8ae2 Mon Sep 17 00:00:00 2001 
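Review bot: The new `subject-name` in the attestation step appends `:${{ steps.version.outputs.version }}` to the image name, but with `push-to-registry: true` the `actions/attest-build-provenance` input is documented as the fully-qualified image name without a tag, the specific image being identified by `subject-digest`; keeping `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` (with the missing space before `}}` fixed) is what the action expects — verify against the v2 README. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which the later patches carry forward.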
From: Paul Date: Sun, 13 Apr 2025 18:48:08 +0200 Subject: [PATCH 08/13] Test --- .github/workflows/build-and-upload-docker-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 0d06fd7..6c7b3c6 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -12,6 +12,7 @@ jobs: permissions: contents: read packages: write + attestations: write # Required for attestation id-token: write # Required for OIDC steps: From 49c011c1f70563afb61c90c2543c9413da61b236 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 18:48:26 +0200 Subject: [PATCH 09/13] Test --- .github/workflows/build-and-upload-docker-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 6c7b3c6..d0068a1 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -1,4 +1,4 @@ -name: Create and publish a Docker image +name: Create and publish the Docker image on: push From af84d22a397934041713ad7e0736339fbedebb9f Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 18:53:51 +0200 Subject: [PATCH 10/13] Test --- .github/workflows/build-and-upload-docker-image.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index d0068a1..5cf4790 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -1,7 +1,8 @@ -name: Create and publish the Docker image +name: Create and publish Docker image on: push + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} 
@@ -12,8 +13,8 @@ jobs: permissions: contents: read packages: write - attestations: write # Required for attestation - id-token: write # Required for OIDC + attestations: write + id-token: write steps: - name: Checkout repository @@ -37,7 +38,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image - id: push # Critical: ID needed to reference outputs + id: push uses: docker/build-push-action@v6 with: context: . From fea7c27e4de8a9dc8521f5d03de31b35e6dc2021 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 19:01:01 +0200 Subject: [PATCH 11/13] Suppression attestation --- .github/workflows/build-and-upload-docker-image.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 5cf4790..6bceab3 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -45,11 +45,4 @@ jobs: push: true tags: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }} - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest - - - name: Generate artifact attestation - uses: actions/attest-build-provenance@v2 - with: - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }} - subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true \ No newline at end of file + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \ No newline at end of file From e6f3098077c38a342885a5e8bd9ee775f5b29469 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 19:06:03 +0200 Subject: [PATCH 12/13] Ajout build push preview --- .github/workflows/build-and-upload-docker-image.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 6bceab3..8948403 100644 
--- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -38,11 +38,20 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image - id: push + if: "contains(github.ref, 'master') && github.event_name != 'pull_request'" uses: docker/build-push-action@v6 with: context: . push: true tags: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }} - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \ No newline at end of file + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + + - name: Build and push Docker image preview + if: "github.ref != 'refs/heads/master'" + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }} \ No newline at end of file From 098d8002c0079202904ea5f642181749ed4c8df9 Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 13 Apr 2025 19:09:36 +0200 Subject: [PATCH 13/13] Test ajout build manuel --- .github/workflows/build-and-upload-docker-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload-docker-image.yml b/.github/workflows/build-and-upload-docker-image.yml index 8948403..f4a665c 100644 --- a/.github/workflows/build-and-upload-docker-image.yml +++ b/.github/workflows/build-and-upload-docker-image.yml @@ -1,8 +1,8 @@ name: Create and publish Docker image on: - push - + push: + workflow_dispatch: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }}
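Review bot: `if: "contains(github.ref, 'master') && github.event_name != 'pull_request'"` on the release build is a substring test, so a branch such as `feature/master-fix` (ref `refs/heads/feature/master-fix`) satisfies it and publishes `:latest`, and because the preview step's `github.ref != 'refs/heads/master'` is also true for that ref both steps run and push. Use an exact comparison, `if: github.ref == 'refs/heads/master'`, so the two conditions are mutually exclusive; the `pull_request` clause is redundant since the workflow has no `pull_request` trigger. The preview step pushes the same `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}` tag as the release build, so a preview from any branch can overwrite the release's versioned tag — give previews a distinct tag, for example suffixed with `${{ github.sha }}` or the branch name. With the attestation step removed in patch 11, the job's `attestations: write` and `id-token: write` permissions (outside this hunk) no longer appear to be used and can be dropped so the token is limited to `contents: read` and `packages: write`.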