edge-build #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CD: Edge Build" | |
| on: | |
| repository_dispatch: | |
| types: [edge-build] | |
| permissions: | |
| contents: read | |
| env: | |
| REGISTRY: images.opencadc.org | |
| IMAGE: platform/skaha | |
| TAG: edge | |
| jobs: | |
| edge-build: | |
| if: github.repository == 'opencadc/science-platform' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| attestations: write | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: audit | |
| - name: Client Payload | |
| id: client-payload | |
| run: | | |
| echo "Client Payload: ${{ toJson(github.event.client_payload) }}" | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| with: | |
| install: true | |
| - name: Perform Container Registry Login | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: images.opencadc.org | |
| username: ${{ secrets.SKAHA_REGISTRY_USERNAME }} | |
| password: ${{ secrets.SKAHA_REGISTRY_TOKEN }} | |
| - name: Build and Push Docker Image | |
| id: build | |
| uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 | |
| with: | |
| context: . | |
| target: production | |
| file: skaha/Dockerfile | |
| platforms: linux/amd64 | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| provenance: mode=max | |
| sbom: true | |
| push: true | |
| tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }} | |
| labels: | | |
| org.opencontainers.image.title=Science Platform | |
| org.opencontainers.image.licenses=AGPL-3.0 | |
| org.opencontainers.image.url=https://github.com/opencadc/science-platform | |
| - name: Attest Container Image | |
| # See https://github.com/marketplace/actions/attest-build-provenance#container-image | |
| # for more information on the attest-build-provenance action | |
| id: attest | |
| uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 | |
| with: | |
| subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }} | |
| subject-digest: ${{ steps.build.outputs.digest }} | |
| # push-to-registry: true | |
| show-summary: true | |
| - name: Install Cosign | |
| id: install-cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| with: | |
| cosign-release: 'v2.4.1' | |
| - name: Cosign Container Image | |
| id: cosign | |
| run: | | |
| cosign version | |
| cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }} --upload |