publish docker images to GitHub Container Registry (#1453)
The goal is to use GHCR to replace Google Container Registry (GCR) for
future versions of Scorecard Action releases. These workflows will build
two types of images:

  1. Release images, which are tagged following a v1.2.3 pattern. These
     container images will be retained indefinitely.
  2. Per-commit images for each push to main. These images are used when
     testing the action, and will be removed after a week.

Signed-off-by: Spencer Schrock <[email protected]>
spencerschrock authored Nov 13, 2024
1 parent 22f8845 commit 3a26553
Showing 2 changed files with 81 additions and 0 deletions.
22 changes: 22 additions & 0 deletions .github/workflows/ghcr-retention.yml
@@ -0,0 +1,22 @@
name: Delete untagged GHCR images
on:
schedule:
- cron: '17 10 * * TUE' # Tuesday morning at 10:17 UTC
workflow_dispatch:

permissions: {}

jobs:
delete-untagged:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
with:
package-name: 'scorecard-action'
package-type: 'container'
# keep official releases
delete-only-untagged-versions: 'true'
# 'latest' counts as a tag, so this won't break the e2e tests
min-versions-to-keep: 0
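Review bot: the retention behaviour in this hunk does not match the commit message's "removed after a week". With `delete-only-untagged-versions: 'true'` and `min-versions-to-keep: 0` on a weekly Tuesday cron, every untagged version is deleted at the next run: a main build that loses `latest` to a newer push on Monday night is gone within hours, while one untagged on Tuesday afternoon survives almost seven days. That is acceptable if the e2e tests only ever pull `latest`, but the comment on `min-versions-to-keep` should say so explicitly (e.g. `# untagged images are deleted at the next weekly run`). Separately, `package-name: 'scorecard-action'` is hardcoded while ghcr.yml derives the image name from `${{ github.repository }}`; after a rename or in a fork the two drift apart and this job either fails or cleans the wrong package, so a comment noting that the two must be kept in sync would help.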
59 changes: 59 additions & 0 deletions .github/workflows/ghcr.yml
@@ -0,0 +1,59 @@
name: Publish GitHub Container Registry
on:
push:
branches: ['main']
tags:
- v*

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

permissions:
contents: read

jobs:
build-and-push-image:
runs-on: ubuntu-latest
permissions:
packages: write
attestations: write
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# pushes to the default branch get labeled latest, otherwise use tag name
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=ref,event=tag
- name: Build and push Docker image
id: push
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

- name: Generate artifact attestation
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
# only publish attestation for our release builds
if: startsWith(github.ref, 'refs/tags/v')
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
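Review bot: `type=raw,value=latest,enable={{is_default_branch}}` in the metadata step makes `latest` point at whatever was last pushed to main rather than at the newest `v*` release, so anyone pulling `ghcr.io/<repo>:latest` gets an unreleased build that the retention workflow treats as transient. If `latest` exists only for the e2e tests, as the comment in ghcr-retention.yml implies, state that in the comment above `tags:`; otherwise consider a `main` tag for default-branch pushes and reserve `latest` for tag pushes. Two smaller points: `${{ env.IMAGE_NAME}}` in `subject-name` is missing the space before `}}` that every other expression in the file has, and `id-token: write` together with `attestations: write` are held by the job on every push to main even though the only step that uses them is skipped unless the ref is a `v*` tag. Since permissions cannot be narrowed per step, a comment explaining why the job carries them on non-release runs would help the next reader.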
