Skip to content

🍜 Build/publish all runners #45

🍜 Build/publish all runners

🍜 Build/publish all runners #45

Workflow file for this run

name: 🍜 Build/publish all runners
on:
workflow_dispatch: # build on demand
schedule:
- cron: "43 6 * * 0" # build every Sunday at 6:43 AM UTC
jobs:
build-all:
runs-on: ubuntu-latest # use the GitHub-hosted runner to build the image
permissions:
contents: write # for uploading the SBOM to the release
packages: write # for uploading the finished container
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs
strategy:
matrix:
os: [rootless-ubuntu-jammy, rootless-ubuntu-numbat, ubi8, ubi9, wolfi]
arch: [amd64, arm64]
continue-on-error: true
steps:
- name: Checkout the repo
uses: actions/checkout@v4
- name: Set version
run: echo "VERSION=$(cat ${GITHUB_EVENT_PATH} | jq -r '.release.tag_name')" >> $GITHUB_ENV
if: github.event_name == 'release'
- name: Set short SHA
run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build the container
uses: docker/build-push-action@v6
with:
file: ./images/${{ matrix.os }}.Dockerfile
push: false
load: true
platforms: linux/${{ matrix.arch }}
tags: |
ghcr.io/${{ github.repository }}/${{ matrix.os }}:latest
ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}
- name: Scan it
uses: anchore/scan-action@v5
id: scan
with:
image: "ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}"
fail-build: false
- name: Upload the container scan report
id: upload
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
wait-for-processing: true
- name: Dismiss alerts on other architectures
if: matrix.arch != 'amd64'
uses: advanced-security/dismiss-alerts@v1
with:
sarif-id: ${{ steps.upload.outputs.sarif-id }}
sarif-file: ${{ steps.scan.outputs.sarif }}
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Generate that SBOM
uses: anchore/sbom-action@v0
with:
image: "ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}"
artifact-name: "${{ matrix.os }}-${{ matrix.arch }}-${{ env.SHA_SHORT }}.sbom"
- name: Get image digest
run: |
echo "IMAGE_DIGEST=$(docker inspect \
ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }} | \
jq -r '.[0].Id')" >> $GITHUB_ENV
- name: Install cosign
uses: sigstore/cosign-installer@main
- name: Log in to GHCR
run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Sign the published Docker image
env:
COSIGN_EXPERIMENTAL: "true"
run: cosign sign -y ghcr.io/${{ github.repository }}/${{ matrix.os }}@${{ env.IMAGE_DIGEST }}
- name: Push the container
uses: docker/build-push-action@v6
with:
file: ./images/${{ matrix.os }}.Dockerfile
platforms: ${{ matrix.arch }}
push: true
tags: |
ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}
ghcr.io/${{ github.repository }}/${{ matrix.os }}:latest