Build, publish, and scan image to GHCR

nginxinc · May 10, 2023 · 1f5e60a · 1f5e60a
1 parent 3a5c997
commit 1f5e60a
Showing 1 changed file with 31 additions and 19 deletions.
diff --git a/.github/workflows/build-and-sign-image.yml b/.github/workflows/build-and-sign-image.yml
@@ -3,19 +3,19 @@
 name: Build and sign image
 
 on:
-  # THIS BLOCK IS FOR TESTING
-  create:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - "main"
 
-# THIS BLOCK IS THE ACTUAL DESIRED EVENT TRIGGER
-#  pull_request:
+#  push:
 #    branches:
-#      - "*" # Run on all branches
-#    types:
-#      - closed   ## This needs to be uncommented after testing
+#      - "trigger-image-build-and-push-1"
 
 env:
-  REGISTRY: docker.io
-  IMAGE_NAME: "ciroque/nginx-k8s-loadbalancer" # ${{ github.repository }}
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
   build_and_sign_image:
@@ -24,6 +24,7 @@ jobs:
       contents: read
       packages: write
       id-token: write
+      security-events: write
 
     steps:
       - name: Checkout
@@ -35,23 +36,34 @@ jobs:
         with:
           cosign-release: 'v1.13.1'
 
-      - name: Docker Buildx
-        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+      - name: Log into registry ${{ env.REGISTRY }} for ${{ github.actor }}
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-#      - name: Log into registry ${{ env.REGISTRY }} for ${{ github.actor }}
-#        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
-#        with:
-#          registry: ${{ env.REGISTRY }}
-#          username: ${{ github.actor }}
-#          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build Docker Image
+        id: docker-build-and-push
         uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
         with:
           context: .
           file: ./Dockerfile
-          push: false
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest,${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{github.run_number}}
+
+      - name: Sign the published Docker images
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker-build-and-push.outputs.digest }}"
 
       # NOTE: This runs statically against the latest tag in Docker Hub which was not produced by this workflow
       # This should be updated once this workflow is fully implemented