diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 4eb92db9..103a511e 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -3,7 +3,7 @@ name: user book
 on:
 push:
 paths:
- - 'userguide'
+ - '/userguide'
 branches:
 - main
 pull_request:
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 664c142d..299bdbc4 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
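Review bot: The new path filter `'/userguide'` is unlikely to match anything: GitHub Actions path filters are compared against repository-relative paths, which do not begin with a slash, and the previous `'userguide'` only matched a root-level file of exactly that name, not files inside the directory. To trigger on changes under the folder the pattern needs a glob, `- 'userguide/**'`. This is worth confirming with a push that touches a file under userguide/, because a non-matching filter silently stops the workflow from running rather than failing.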
@@ -1,155 +1,98 @@ -name: Docker Publish +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. on: push: - branches: - - "main" + branches: [ "main" ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] env: - REGISTRY_IMAGE: user/app + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} -jobs: - prepare: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.platforms.outputs.matrix }} - steps: - - - name: Checkout - uses: actions/checkout@v4 - - - name: Create matrix - id: platforms - run: | - echo "matrix=$(docker buildx bake image-all --print | jq -cr '.target."image-all".platforms')" >>${GITHUB_OUTPUT} - - - name: Show matrix - run: | - echo ${{ steps.platforms.outputs.matrix }} - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - - name: Rename meta bake definition file - run: | - mv "${{ steps.meta.outputs.bake-file }}" "/tmp/bake-meta.json" - - - name: Upload meta bake definition - uses: actions/upload-artifact@v4 - with: - name: bake-meta - path: /tmp/bake-meta.json - if-no-files-found: error - retention-days: 1 +jobs: build: + runs-on: ubuntu-latest - needs: - - prepare - strategy: - fail-fast: false - matrix: - platform: ${{ fromJson(needs.prepare.outputs.matrix) }} + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. 
+ id-token: write + steps: - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v3 with: - submodules: 'recursive' - - - name: Download meta bake definition - uses: actions/download-artifact@v4 + submodules: recursive + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 with: - name: bake-meta - path: /tmp - - - name: Set up QEMU + cosign-release: 'v2.1.1' + - name: Set up QEMU uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: - registry: ghcr.io + registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build - id: bake - uses: docker/bake-action@v4 - with: - files: | - ./docker-bake.hcl - /tmp/bake-meta.json - targets: image - set: | - *.tags= - *.platform=${{ matrix.platform }} - *.output=type=image,"name=${{ env.REGISTRY_IMAGE }}",push-by-digest=true,name-canonical=true,push=true - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ 
env.PLATFORM_PAIR }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - merge: - runs-on: ubuntu-latest - needs: - - build - steps: - - - name: Download meta bake definition - uses: actions/download-artifact@v3 - with: - name: bake-meta - path: /tmp - - - name: Download digests - uses: actions/download-artifact@v4 + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json) \ No newline at end of file + context: . 
+ push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64 + cache-from: type=gha + cache-to: type=gha,mode=max + + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} \ No newline at end of file diff --git a/userguide/src/characters/character.md b/userguide/src/characters/character.md index d012232d..a55f1fb9 100644 --- a/userguide/src/characters/character.md +++ b/userguide/src/characters/character.md @@ -1 +1,3 @@ # Characters + +Login and go to profile page... \ No newline at end of file
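Review bot: Action pinning in the rewritten `build` job is inconsistent: `actions/checkout@v3` is a mutable tag and a step back from the `@v4` the removed job used, `docker/setup-qemu-action@v3` is also tag-pinned, while `sigstore/cosign-installer`, `docker/setup-buildx-action`, `docker/login-action`, `docker/metadata-action` and `docker/build-push-action` are SHA-pinned, and only the cosign-installer pin carries a `#v3.1.1` version comment. For a job that holds `packages: write` and `id-token: write`, every step should be pinned to a full commit SHA with a trailing `# vX.Y.Z` comment so reviewers and Dependabot can track what each hash is, and `actions/checkout` should go back to a pinned `v4` rather than being downgraded. The `if: github.event_name != 'pull_request'` guards on the cosign install, registry login and sign steps are dead as written, because `on:` lists only `push`; either add a `pull_request` trigger so PRs get a build-only run (the `push: ${{ github.event_name != 'pull_request' }}` line already supports that), or drop the guards so the flow is not misleading. Note also that `platforms: linux/amd64` replaces the multi-platform matrix the removed `prepare`/`merge` jobs derived from `docker buildx bake image-all`, which looks like a functional regression unless it is intended.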