mamasita[Actions]: bump sigstore/cosign-installer from 3.4.0 to 3.6.0 #557
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker | |
# This workflow uses actions that are not certified by GitHub. | |
# They are provided by a third-party and are governed by | |
# separate terms of service, privacy policy, and support | |
# documentation. | |
on: | |
schedule: | |
- cron: '41 9 * * *' # Ejecuta todos los días a las 9:41 UTC | |
push: | |
branches: [ "main" ] # rama main | |
# Publish semver tags as releases. https://github.com/marketplace/actions/docker-publish-semver-tags | |
tags: [ 'v*.*.*' ] # Desencadena el flujo de trabajo en push de etiquetas que siguen el patrón semver | |
# Esta acción de Github toma una imagen Docker existente y etiquetada de un registro de imágenes Docker | |
# (por ejemplo, el repositorio de paquetes de Github), crea varias etiquetas nuevas de acuerdo con el | |
# versionado semántico y las publica en un registro de destino determinado. | |
pull_request: | |
branches: [ "main" ] # rama main | |
env: | |
# Use docker.io for Docker Hub if empty | |
# Utiliza docker.io para Docker Hub si está vacío | |
REGISTRY: ghcr.io | |
# github.repository as <account>/<repo> | |
IMAGE_NAME: ${{ github.repository }} | |
jobs: | |
build: | |
runs-on: ubuntu-latest # Ejecuta una máquina virtual Ubuntu con la última versión disponible | |
permissions: # permisos | |
contents: read # Leer el contenido del repositorio | |
packages: write # Escribir en los paquetes | |
# This is used to complete the identity challenge | |
# with sigstore/fulcio when running outside of PRs. | |
# Esto se utiliza para completar la identidad con sigstore/fulcio cuando se ejecuta fuera de Pull Request. | |
id-token: write # Escribir en el token de identidad | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] # Utiliza checkout para clonar el repositorio | |
# Install the cosign tool except on PR | |
# https://github.com/sigstore/cosign-installer | |
- name: Install cosign | |
if: github.event_name != 'pull_request' # Instala la herramienta cosign solo si el evento no es un pull request https://github.com/sigstore/cosign | |
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #v3.6.0 | |
with: | |
cosign-release: 'v2.1.1' | |
# Set up BuildKit Docker container builder to be able to build | |
# multi-platform images and export cache | |
# https://github.com/docker/setup-buildx-action | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
# Login against a Docker registry except on PR | |
# https://github.com/docker/login-action | |
- name: Log into registry ${{ env.REGISTRY }} | |
if: github.event_name != 'pull_request' # Inicia sesión en el registro de Docker solo si el evento no es un pull request | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Extract metadata (tags, labels) for Docker | |
# https://github.com/docker/metadata-action | |
- name: Extract Docker metadata | |
id: meta # Asigna un ID al paso para su posterior referencia | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} # Especifica las imágenes Docker | |
# Build and push Docker image with Buildx (don't push on PR) | |
# https://github.com/docker/build-push-action | |
- name: Build and push Docker image | |
id: build-and-push # Asigna un ID al paso para su posterior referencia | |
uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 | |
with: | |
context: . # Especifica el contexto : Como por ejemplo : el directorio raíz del repositorio | |
push: ${{ github.event_name != 'pull_request' }} # Indica si se debe realizar el push basándose en el tipo de evento | |
tags: ${{ steps.meta.outputs.tags }} # Especifica las etiquetas de la imagen | |
labels: ${{ steps.meta.outputs.labels }} # Especifica las etiquetas de la imagen | |
cache-from: type=gha # Especifica el tipo de caché desde el que se cargará https://docs.docker.com/build/cache/backends/gha/ | |
cache-to: type=gha,mode=max # Especifica el tipo de caché en el que se guardará | |
# Sign the resulting Docker image digest except on PRs. | |
# This will only write to the public Rekor transparency log when the Docker | |
# repository is public to avoid leaking data. If you would like to publish | |
# transparency data even for private images, pass --force to cosign below. | |
# https://github.com/sigstore/cosign | |
- name: Sign the published Docker image | |
if: ${{ github.event_name != 'pull_request' }} # Firmar la imagen Docker solo si el evento no es un pull request | |
env: | |
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
TAGS: ${{ steps.meta.outputs.tags }} # Asigna las etiquetas de la imagen a la variable TAGS | |
DIGEST: ${{ steps.build-and-push.outputs.digest }} # Asigna el hash digest de la imagen a la variable DIGEST https://github.com/docker/build-push-action | |
# This step uses the identity token to provision an ephemeral certificate | |
# against the sigstore community Fulcio instance. | |
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} # Firma la imagen Docker |