py-github-sts/.github/workflows/release-python-docker.yml at main · AlexandreODelisle/py-github-sts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
---
name: Release Docker

on:
  workflow_call:
    inputs:
      tag_name:
        description: "Release tag (e.g., v1.2.3)"
        required: true
        type: string
  workflow_dispatch:
    inputs:
      tag_name:
        description: "Release tag (e.g., v1.2.3)"
        required: true
        type: string

permissions: {}

jobs:
  # ─────────────────────────────────────────────────────────────────────────
  # Gate: run full CI before releasing
  # ─────────────────────────────────────────────────────────────────────────
  ci:
    name: CI Gate
    uses: ./.github/workflows/ci-python-docker.yml
    permissions:
      contents: read

  # ─────────────────────────────────────────────────────────────────────────
  # Build and push Docker image to GHCR
  # ─────────────────────────────────────────────────────────────────────────
  docker:
    name: Docker
    needs: [ci]
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    outputs:
      version: ${{ steps.version.outputs.version }}
    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: ${{ github.repository }}
      TAG_NAME: ${{ inputs.tag_name || github.ref_name }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ env.TAG_NAME }}
          persist-credentials: false

      - name: Compute version
        id: version
        run: |
          TAG="${{ env.TAG_NAME }}"
          VERSION="${TAG#v}"
          MAJOR="${VERSION%%.*}"
          MINOR="${VERSION#*.}"
          MINOR="${MINOR%%.*}"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "major=${MAJOR}" >> "$GITHUB_OUTPUT"
          echo "minor=${MAJOR}.${MINOR}" >> "$GITHUB_OUTPUT"

      - name: Install cosign
        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Log in to GHCR
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=raw,value=${{ steps.version.outputs.version }}
            type=raw,value=${{ steps.version.outputs.minor }}
            type=raw,value=${{ steps.version.outputs.major }}
            type=sha,prefix=sha-
            type=raw,value=latest

      - name: Build and push
        id: build
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: true
          sbom: true

      - name: Sign image with cosign
        run: |
          IMAGE_REF="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
          echo "Signing: ${IMAGE_REF}"
          cosign sign --yes "$IMAGE_REF"
          echo "Image signed successfully"

      - name: Generate build attestation
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
        with:
          subject-name: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true

      - name: Create success summary
        run: |
          echo "## Docker Image Released Successfully!" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "**Image:** ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" >> "$GITHUB_STEP_SUMMARY"
          echo "**Version:** ${{ steps.version.outputs.version }}" >> "$GITHUB_STEP_SUMMARY"
          echo "**Platforms:** linux/amd64, linux/arm64" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Tags" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          echo "${{ steps.meta.outputs.tags }}" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Installation" >> "$GITHUB_STEP_SUMMARY"
          echo '```bash' >> "$GITHUB_STEP_SUMMARY"
          echo "docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Verification" >> "$GITHUB_STEP_SUMMARY"
          echo '```bash' >> "$GITHUB_STEP_SUMMARY"
          echo "cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"