mirror of
https://github.com/element-hq/synapse.git
synced 2026-04-03 14:26:23 +00:00
90449b915d
Bumps the minor-and-patches group with 2 updates: [tailscale/github-action](https://github.com/tailscale/github-action) and [Swatinem/rust-cache](https://github.com/swatinem/rust-cache). Updates `tailscale/github-action` from 4.1.1 to 4.1.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tailscale/github-action/releases">tailscale/github-action's releases</a>.</em></p> <blockquote> <h2>v4.1.2</h2> <h2>What's Changed</h2> <ul> <li>.github/workflows: fix check to skip integration test for PRs from forks by <a href="https://github.com/mpminardi"><code>@mpminardi</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/260">tailscale/github-action#260</a></li> <li>fix: Windows MSI download on self-hosted runners by <a href="https://github.com/doringeman"><code>@doringeman</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/259">tailscale/github-action#259</a></li> <li>Bump actions/checkout from 6.0.1 to 6.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/265">tailscale/github-action#265</a></li> <li>Bump actions/setup-node from 6.1.0 to 6.2.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/262">tailscale/github-action#262</a></li> <li><code>fix: add missing parentheses to core.isDebug()</code> by <a href="https://github.com/git-mracek"><code>@git-mracek</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/268">tailscale/github-action#268</a></li> <li>.github/workflows: run integration test if event is a push by <a href="https://github.com/mpminardi"><code>@mpminardi</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/270">tailscale/github-action#270</a></li> <li>store tailscale.tgz and tailscaled.pid in XDG cache/runtime by <a href="https://github.com/fbrv"><code>@fbrv</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/273">tailscale/github-action#273</a></li> <li>action,dist,src: bump default version to 1.94.2 by <a href="https://github.com/mpminardi"><code>@mpminardi</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/274">tailscale/github-action#274</a></li> <li>Bump actions/setup-node from 6.2.0 to 6.3.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/269">tailscale/github-action#269</a></li> <li>Bump <code>@actions/core</code> from 2.0.1 to 2.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/258">tailscale/github-action#258</a></li> <li>Bump <code>@actions/github</code> from 6.0.1 to 7.0.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/257">tailscale/github-action#257</a></li> <li>Bump <code>@actions/tool-cache</code> from 2.0.2 to 3.0.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/256">tailscale/github-action#256</a></li> <li>Bump <code>@actions/cache</code> from 5.0.1 to 5.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/255">tailscale/github-action#255</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/doringeman"><code>@doringeman</code></a> made their first contribution in <a href="https://redirect.github.com/tailscale/github-action/pull/259">tailscale/github-action#259</a></li> <li><a href="https://github.com/git-mracek"><code>@git-mracek</code></a> made their first contribution in <a href="https://redirect.github.com/tailscale/github-action/pull/268">tailscale/github-action#268</a></li> <li><a href="https://github.com/fbrv"><code>@fbrv</code></a> made their first contribution in <a href="https://redirect.github.com/tailscale/github-action/pull/273">tailscale/github-action#273</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tailscale/github-action/compare/v4.1.1...v4.1.2">https://github.com/tailscale/github-action/compare/v4.1.1...v4.1.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="306e68a486"><code>306e68a</code></a> Bump <code>@actions/cache</code> from 5.0.1 to 5.0.2</li> <li><a href="989d9be101"><code>989d9be</code></a> Bump <code>@actions/tool-cache</code> from 2.0.2 to 3.0.0</li> <li><a href="69584d71ae"><code>69584d7</code></a> Bump <code>@actions/github</code> from 6.0.1 to 7.0.0</li> <li><a href="cda17d523f"><code>cda17d5</code></a> Bump <code>@actions/core</code> from 2.0.1 to 2.0.2</li> <li><a href="81231eb3b2"><code>81231eb</code></a> Bump actions/setup-node from 6.2.0 to 6.3.0</li> <li><a href="48c6d0317a"><code>48c6d03</code></a> action,dist,src: bump default version to 1.94.2</li> <li><a href="cfed5b8999"><code>cfed5b8</code></a> store tailscale.tgz and tailscaled.pid in XDG cache/runtime dirs instead of t...</li> <li><a href="31d93e60e2"><code>31d93e6</code></a> .github/workflows: run integration test if event is a push</li> <li><a href="564fe381c8"><code>564fe38</code></a> chore: run make build to resolve linter error</li> <li><a href="127daded26"><code>127dade</code></a> <code>fix: add missing parentheses to core.isDebug()</code></li> <li>Additional commits viewable in <a href="53acf82332...306e68a486">compare view</a></li> </ul> </details> <br /> Updates `Swatinem/rust-cache` from 2.8.2 to 2.9.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/swatinem/rust-cache/releases">Swatinem/rust-cache's releases</a>.</em></p> <blockquote> <h2>v2.9.1</h2> <p>Fix regression in hash calculation</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/Swatinem/rust-cache/compare/v2.9.0...v2.9.1">https://github.com/Swatinem/rust-cache/compare/v2.9.0...v2.9.1</a></p> <h2>v2.9.0</h2> <h2>What's Changed</h2> <ul> <li>Add support for running rust-cache commands from within a Nix shell by <a href="https://github.com/marc0246"><code>@marc0246</code></a> in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/290">Swatinem/rust-cache#290</a></li> <li>Bump taiki-e/install-action from 2.62.57 to 2.62.60 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/291">Swatinem/rust-cache#291</a></li> <li>Bump the actions group across 1 directory with 5 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/296">Swatinem/rust-cache#296</a></li> <li>Bump the prd-major group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/294">Swatinem/rust-cache#294</a></li> <li>Bump <code>@types/node</code> from 24.10.1 to 25.0.2 in the dev-major group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/295">Swatinem/rust-cache#295</a></li> <li>Consider all installed toolchains in cache key by <a href="https://github.com/tamird"><code>@tamird</code></a> in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/293">Swatinem/rust-cache#293</a></li> <li>Compare case-insenitively for full cache key match by <a href="https://github.com/kbriggs"><code>@kbriggs</code></a> in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/303">Swatinem/rust-cache#303</a></li> <li>Migrate to <code>node24</code> runner by <a href="https://github.com/rhysd"><code>@rhysd</code></a> in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/314">Swatinem/rust-cache#314</a></li> <li>Bump the actions group across 1 directory with 7 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/312">Swatinem/rust-cache#312</a></li> <li>Bump the prd-minor group across 1 directory with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/307">Swatinem/rust-cache#307</a></li> <li>Bump <code>@types/node</code> from 25.0.2 to 25.2.2 in the dev-minor group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/309">Swatinem/rust-cache#309</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/marc0246"><code>@marc0246</code></a> made their first contribution in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/290">Swatinem/rust-cache#290</a></li> <li><a href="https://github.com/tamird"><code>@tamird</code></a> made their first contribution in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/293">Swatinem/rust-cache#293</a></li> <li><a href="https://github.com/kbriggs"><code>@kbriggs</code></a> made their first contribution in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/303">Swatinem/rust-cache#303</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Swatinem/rust-cache/compare/v2.8.2...v2.9.0">https://github.com/Swatinem/rust-cache/compare/v2.8.2...v2.9.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md">Swatinem/rust-cache's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>2.9.1</h2> <ul> <li>Fix regression in hash calculation</li> </ul> <h2>2.9.0</h2> <ul> <li>Update to <code>node24</code></li> <li>Support running from within a <code>nix</code> shell</li> <li>Consider all installed toolchains for cache key</li> <li>Use case-insensitive comparison to determine exact cache hit</li> </ul> <h2>2.8.2</h2> <ul> <li>Don't overwrite env for cargo-metadata call</li> </ul> <h2>2.8.1</h2> <ul> <li>Set empty <code>CARGO_ENCODED_RUSTFLAGS</code> when retrieving metadata</li> <li>Various dependency updates</li> </ul> <h2>2.8.0</h2> <ul> <li>Add support for <code>warpbuild</code> cache provider</li> <li>Add new <code>cache-workspace-crates</code> feature</li> </ul> <h2>2.7.8</h2> <ul> <li>Include CPU arch in the cache key</li> </ul> <h2>2.7.7</h2> <ul> <li>Also cache <code>cargo install</code> metadata</li> </ul> <h2>2.7.6</h2> <ul> <li>Allow opting out of caching $CARGO_HOME/bin</li> <li>Add runner OS in cache key</li> <li>Adds an option to do lookup-only of the cache</li> </ul> <h2>2.7.5</h2> <ul> <li>Support Cargo.lock format cargo-lock v4</li> <li>Only run macOsWorkaround() on macOS</li> </ul> <h2>2.7.3</h2> <ul> <li>Work around upstream problem that causes cache saving to hang for minutes.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="c19371144d"><code>c193711</code></a> 2.9.1</li> <li><a href="781e8d91ab"><code>781e8d9</code></a> try reverting pipeline change</li> <li><a href="3d1fa4654a"><code>3d1fa46</code></a> add changelog</li> <li><a href="c676846f29"><code>c676846</code></a> 2.9.0</li> <li><a href="bf71d02c11"><code>bf71d02</code></a> bump dependencies and rebuild</li> <li><a href="8a02ed5e29"><code>8a02ed5</code></a> Bump <code>@types/node</code> from 25.0.2 to 25.2.2 in the dev-minor group (<a href="https://redirect.github.com/swatinem/rust-cache/issues/309">#309</a>)</li> <li><a href="390157d487"><code>390157d</code></a> Bump the prd-minor group across 1 directory with 2 updates (<a href="https://redirect.github.com/swatinem/rust-cache/issues/307">#307</a>)</li> <li><a href="68500c182e"><code>68500c1</code></a> Bump the actions group across 1 directory with 7 updates (<a href="https://redirect.github.com/swatinem/rust-cache/issues/312">#312</a>)</li> <li><a href="1a8384176d"><code>1a83841</code></a> Migrate to <code>node24</code> runner (<a href="https://redirect.github.com/swatinem/rust-cache/issues/314">#314</a>)</li> <li><a href="11da8522bc"><code>11da852</code></a> Compare case-insenitively for full cache key match (<a href="https://redirect.github.com/swatinem/rust-cache/issues/303">#303</a>)</li> <li>Additional commits viewable in <a href="779680da71...c19371144d">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
222 lines
8.4 KiB
YAML
222 lines
8.4 KiB
YAML
# GitHub actions workflow which builds and publishes the docker images.
|
|
|
|
name: Build docker images
|
|
|
|
on:
|
|
push:
|
|
tags: ["v*"]
|
|
branches: [master, main, develop]
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write # needed for signing the images with GitHub OIDC Token
|
|
jobs:
|
|
build:
|
|
name: Build and push image for ${{ matrix.platform }}
|
|
runs-on: ${{ matrix.runs_on }}
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- platform: linux/amd64
|
|
runs_on: ubuntu-24.04
|
|
suffix: linux-amd64
|
|
- platform: linux/arm64
|
|
runs_on: ubuntu-24.04-arm
|
|
suffix: linux-arm64
|
|
steps:
|
|
- name: Set up Docker Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
|
|
- name: Extract version from pyproject.toml
|
|
# Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
|
|
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
|
|
shell: bash
|
|
run: |
|
|
echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml | sed -E 's/version\s*=\s*["]([^"]*)["]/\1/')" >> $GITHUB_ENV
|
|
|
|
- name: Log in to DockerHub
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
- name: Log in to GHCR
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Tailscale
|
|
uses: tailscale/github-action@306e68a486fd2350f2bfc3b19fcd143891a4a2d8 # v4.1.2
|
|
with:
|
|
oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
|
|
audience: ${{ secrets.TS_AUDIENCE }}
|
|
tags: tag:github-actions
|
|
|
|
- name: Compute vault jwt role name
|
|
id: vault-jwt-role
|
|
run: |
|
|
echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
- name: Get team registry token
|
|
id: import-secrets
|
|
uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
|
|
with:
|
|
url: https://vault.infra.ci.i.element.dev
|
|
role: ${{ steps.vault-jwt-role.outputs.role_name }}
|
|
path: service-management/github-actions
|
|
jwtGithubAudience: https://vault.infra.ci.i.element.dev
|
|
method: jwt
|
|
secrets: |
|
|
services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
|
|
services/backend-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;
|
|
|
|
- name: Login to Element OCI Registry
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
registry: oci-push.vpn.infra.element.io
|
|
username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
|
|
password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}
|
|
|
|
- name: Build and push by digest
|
|
id: build
|
|
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
|
|
with:
|
|
push: true
|
|
labels: |
|
|
gitsha1=${{ github.sha }}
|
|
org.opencontainers.image.version=${{ env.SYNAPSE_VERSION }}
|
|
tags: |
|
|
docker.io/matrixdotorg/synapse
|
|
ghcr.io/element-hq/synapse
|
|
oci-push.vpn.infra.element.io/synapse
|
|
file: "docker/Dockerfile"
|
|
platforms: ${{ matrix.platform }}
|
|
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
|
|
|
|
- name: Export digest
|
|
run: |
|
|
mkdir -p ${{ runner.temp }}/digests
|
|
digest="${{ steps.build.outputs.digest }}"
|
|
touch "${{ runner.temp }}/digests/${digest#sha256:}"
|
|
|
|
- name: Upload digest
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: digests-${{ matrix.suffix }}
|
|
path: ${{ runner.temp }}/digests/*
|
|
if-no-files-found: error
|
|
retention-days: 1
|
|
|
|
merge:
|
|
name: Push merged images to ${{ matrix.repository }}
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
repository:
|
|
- docker.io/matrixdotorg/synapse
|
|
- ghcr.io/element-hq/synapse
|
|
- oci-push.vpn.infra.element.io/synapse
|
|
|
|
needs:
|
|
- build
|
|
steps:
|
|
- name: Download digests
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
path: ${{ runner.temp }}/digests
|
|
pattern: digests-*
|
|
merge-multiple: true
|
|
|
|
- name: Log in to DockerHub
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
if: ${{ startsWith(matrix.repository, 'docker.io') }}
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
- name: Log in to GHCR
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
if: ${{ startsWith(matrix.repository, 'ghcr.io') }}
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Tailscale
|
|
uses: tailscale/github-action@306e68a486fd2350f2bfc3b19fcd143891a4a2d8 # v4.1.2
|
|
with:
|
|
oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
|
|
audience: ${{ secrets.TS_AUDIENCE }}
|
|
tags: tag:github-actions
|
|
|
|
- name: Compute vault jwt role name
|
|
id: vault-jwt-role
|
|
run: |
|
|
echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
- name: Get team registry token
|
|
id: import-secrets
|
|
uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
|
|
with:
|
|
url: https://vault.infra.ci.i.element.dev
|
|
role: ${{ steps.vault-jwt-role.outputs.role_name }}
|
|
path: service-management/github-actions
|
|
jwtGithubAudience: https://vault.infra.ci.i.element.dev
|
|
method: jwt
|
|
secrets: |
|
|
services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
|
|
services/backend-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;
|
|
|
|
- name: Login to Element OCI Registry
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
registry: oci-push.vpn.infra.element.io
|
|
username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
|
|
password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
|
|
|
|
- name: Calculate docker image tag
|
|
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
with:
|
|
images: ${{ matrix.repository }}
|
|
flavor: |
|
|
latest=false
|
|
tags: |
|
|
type=raw,value=develop,enable=${{ github.ref == 'refs/heads/develop' }}
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
type=pep440,pattern={{raw}}
|
|
type=sha
|
|
|
|
- name: Create manifest list and push
|
|
working-directory: ${{ runner.temp }}/digests
|
|
env:
|
|
REPOSITORY: ${{ matrix.repository }}
|
|
run: |
|
|
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
|
|
$(printf "$REPOSITORY@sha256:%s " *)
|
|
|
|
- name: Sign each manifest
|
|
env:
|
|
REPOSITORY: ${{ matrix.repository }}
|
|
run: |
|
|
DIGESTS=""
|
|
for TAG in $(echo "$DOCKER_METADATA_OUTPUT_JSON" | jq -r '.tags[]'); do
|
|
DIGEST="$(docker buildx imagetools inspect $TAG --format '{{json .Manifest}}' | jq -r '.digest')"
|
|
DIGESTS="$DIGESTS $REPOSITORY@$DIGEST"
|
|
done
|
|
cosign sign --yes $DIGESTS
|