publish docker images to GitHub Container Registry

The goal is to use GHCR to replace Google Container Registry (GCR) for future versions of Scorecard Action releases. These workflows will build two types of images: 1. Release images, which are tagged following a v1.2.3 pattern. These container images will be retained indefinitely. 2. Per-commit images for each push to main. These images are used when testing the action, and will be removed after a week. Signed-off-by: Spencer Schrock <[email protected]>
ossf · Oct 7, 2024 · c55135e · c55135e
1 parent 72803a1
commit c55135e
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 0 deletions.
diff --git a/.github/workflows/ghcr-retention.yml b/.github/workflows/ghcr-retention.yml
@@ -0,0 +1,22 @@
+name: Delete untagged GHCR images
+on:
+  schedule:
+    - cron:  '17 10 * * TUE' # Tuesday morning at 10:17 UTC
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  delete-untagged:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
+        with: 
+          package-name: 'scorecard-action'
+          package-type: 'container'
+          # keep official releases
+          delete-only-untagged-versions: 'true'
+          # 'latest' counts as a tag, so this won't break the e2e tests
+          min-versions-to-keep: 0
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
@@ -0,0 +1,59 @@
+name: Publish GitHub Container Registry
+on:
+  push:
+    branches: ['main']
+    tags:
+      - v*
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # pushes to the default branch get labeled latest, otherwise use tag name
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=tag
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        # only publish attestation for our release builds
+        if: startsWith(github.ref, 'refs/tags/v')
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true