Skip to content

edge-build

edge-build #18

Workflow file for this run

name: "CD: Edge Build"
on:
repository_dispatch:
types: [edge-build]
permissions:
contents: read
env:
REGISTRY: images.opencadc.org
IMAGE: platform/skaha
TAG: edge
jobs:
edge-build:
if: github.repository == 'opencadc/science-platform'
runs-on: ubuntu-latest
permissions:
attestations: write
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Client Payload
id: client-payload
run: |
echo "Client Payload: ${{ toJson(github.event.client_payload) }}"
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
install: true
- name: Perform Container Registry Login
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: images.opencadc.org
username: ${{ secrets.SKAHA_REGISTRY_USERNAME }}
password: ${{ secrets.SKAHA_REGISTRY_TOKEN }}
- name: Build and Push Docker Image
id: build
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: .
target: production
file: skaha/Dockerfile
platforms: linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: mode=max
sbom: true
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
labels: |
org.opencontainers.image.title=Science Platform
org.opencontainers.image.licenses=AGPL-3.0
org.opencontainers.image.url=https://github.com/opencadc/science-platform
- name: Attest Container Image
# See https://github.com/marketplace/actions/attest-build-provenance#container-image
# for more information on the attest-build-provenance action
id: attest
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
subject-digest: ${{ steps.build.outputs.digest }}
# push-to-registry: true
show-summary: true
- name: Install Cosign
id: install-cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: 'v2.4.1'
- name: Cosign Container Image
id: cosign
run: |
cosign version
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }} --upload