From c55135ecb54b4192fc85805ad28dcabe6c77bc44 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Fri, 4 Oct 2024 14:15:17 -0700 Subject: [PATCH] publish docker images to GitHub Container Registry The goal is to use GHCR to replace Google Container Registry (GCR) for future versions of Scorecard Action releases. These workflows will build two types of images: 1. Release images, which are tagged following a v1.2.3 pattern. These container images will be retained indefinitely. 2. Per-commit images for each push to main. These images are used when testing the action, and will be removed after a week. Signed-off-by: Spencer Schrock --- .github/workflows/ghcr-retention.yml | 22 +++++++++++ .github/workflows/ghcr.yml | 59 ++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 .github/workflows/ghcr-retention.yml create mode 100644 .github/workflows/ghcr.yml diff --git a/.github/workflows/ghcr-retention.yml b/.github/workflows/ghcr-retention.yml new file mode 100644 index 00000000..37771f92 --- /dev/null +++ b/.github/workflows/ghcr-retention.yml @@ -0,0 +1,22 @@ +name: Delete untagged GHCR images +on: + schedule: + - cron: '17 10 * * TUE' # Tuesday morning at 10:17 UTC + workflow_dispatch: + +permissions: {} + +jobs: + delete-untagged: + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 + with: + package-name: 'scorecard-action' + package-type: 'container' + # keep official releases + delete-only-untagged-versions: 'true' + # 'latest' counts as a tag, so this won't break the e2e tests + min-versions-to-keep: 0 diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml new file mode 100644 index 00000000..dbf59b83 --- /dev/null +++ b/.github/workflows/ghcr.yml @@ -0,0 +1,59 @@ +name: Publish GitHub Container Registry +on: + push: + branches: ['main'] + tags: + - v* + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +permissions: + contents: read + +jobs: + build-and-push-image: + runs-on: ubuntu-latest + permissions: + packages: write + attestations: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - name: Log in to the Container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # pushes to the default branch get labeled latest, otherwise use tag name + tags: | + type=raw,value=latest,enable={{is_default_branch}} + type=ref,event=tag + + - name: Build and push Docker image + id: push + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 + # only publish attestation for our release builds + if: startsWith(github.ref, 'refs/tags/v') + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true