Fix permissions for creating attestations #222
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish Docker images | |
on: | |
workflow_dispatch: {} | |
push: | |
branches: | |
- main | |
pull_request: | |
schedule: | |
- cron: "46 2 * * 1" | |
env: | |
REGISTRY: "docker.io" | |
DOCKERHUB_ORG: "ohmyzsh" | |
LATEST_ZSH: "5.9" | |
LATEST_OMZ: "master" # TODO: we need to change master with main when migrating the branch | |
permissions: | |
id-token: write | |
contents: read | |
attestations: write | |
packages: write | |
jobs: | |
get-omz-versions: | |
name: Get Oh My Zsh versions | |
runs-on: ubuntu-latest | |
outputs: | |
versions: ${{ steps.versions.outputs.versions }} | |
steps: | |
- name: Get Oh My Zsh versions | |
id: versions | |
run: | | |
OMZ_VERSIONS=$(curl -sL https://api.github.com/repos/ohmyzsh/ohmyzsh/tags | jq -c '["${{ env.LATEST_OMZ }}",.[].name]') | |
echo "versions=$OMZ_VERSIONS" >> $GITHUB_OUTPUT | |
build-omz: | |
name: Build Oh My Zsh Docker image | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_NAME: "ohmyzsh/ohmyzsh" | |
needs: | |
- get-omz-versions | |
strategy: | |
matrix: | |
omz-version: ${{ fromJSON(needs.get-omz-versions.outputs.versions) }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: arm64 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
platforms: linux/amd64,linux/arm64 | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USER }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Get tags and versions | |
id: tags | |
run: | | |
tags="${{ env.IMAGE_NAME }}:${{ matrix.omz-version }}" | |
tags="${tags},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.omz-version }}" | |
if [ ${{matrix.omz-version }} = ${{ env.LATEST_OMZ }} ]; then | |
tags="${tags},${{ env.IMAGE_NAME }}:latest" | |
tags="${tags},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" | |
fi | |
echo "tags=$tags" >> $GITHUB_OUTPUT | |
- name: Build and push images | |
id: push | |
uses: docker/build-push-action@v5 | |
with: | |
context: ohmyzsh | |
platforms: linux/amd64,linux/arm64 | |
push: ${{ github.event_name != 'pull_request' }} | |
build-args: "OMZ_VERSION=${{ matrix.omz-version }}" | |
tags: ${{ steps.tags.outputs.tags }} | |
- name: Attest | |
uses: actions/attest-build-provenance@v1 | |
id: attest | |
with: | |
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
subject-digest: ${{ steps.push.outputs.digest }} | |
push-to-registry: true | |
build-zsh: | |
name: Build Zsh Docker images | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_NAME: "ohmyzsh/zsh" | |
strategy: | |
matrix: | |
zsh-version: | |
- "master" | |
- "5.9" | |
- "5.8.1" | |
- "5.8" | |
- "5.7.1" | |
- "5.7" | |
- "5.6.2" | |
- "5.6.1" | |
- "5.6" | |
- "5.5.1" | |
- "5.5" | |
- "5.4.2" | |
- "5.4.1" | |
- "5.4" | |
- "5.3.1" | |
- "5.3" | |
- "5.2" | |
- "5.1.1" | |
- "5.1" | |
- "5.0.8" | |
- "5.0.7" | |
- "5.0.6" | |
- "5.0.5" | |
- "5.0.4" | |
- "5.0.3" | |
- "5.0.2" | |
- "5.0.1" | |
- "5.0.0" | |
- "4.3.17" | |
- "4.3.16" | |
- "4.3.15" | |
- "4.3.14" | |
- "4.3.13" | |
- "4.3.12" | |
- "4.3.11" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: arm64 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
platforms: linux/amd64,linux/arm64 | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USER }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Get tags and versions | |
id: tags | |
run: | | |
tags="${{ env.IMAGE_NAME }}:${{ matrix.zsh-version }}" | |
tags="${tags},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.zsh-version }}" | |
if [ ${{matrix.zsh-version }} = ${{ env.LATEST_ZSH }} ]; then | |
tags="${tags},${{ env.IMAGE_NAME }}:latest" | |
tags="${tags},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" | |
fi | |
echo "tags=$tags" >> $GITHUB_OUTPUT | |
- name: Build and push images | |
id: push | |
uses: docker/build-push-action@v5 | |
with: | |
context: zsh | |
platforms: linux/amd64,linux/arm64 | |
push: ${{ github.event_name != 'pull_request' }} | |
build-args: "ZSH_VERSION=${{ matrix.zsh-version }}" | |
tags: ${{ steps.tags.outputs.tags }} | |
- name: Attest | |
uses: actions/attest-build-provenance@v1 | |
id: attest | |
with: | |
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
subject-digest: ${{ steps.push.outputs.digest }} | |
push-to-registry: true | |
update-image-readme: | |
needs: | |
- build-zsh | |
- build-omz | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name != 'pull_request' }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Update image READMEs | |
env: | |
DH_USERNAME: ${{ secrets.DOCKERHUB_USER }} | |
DH_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} | |
run: | | |
for image in */Dockerfile; do | |
image="$(basename $(dirname $image))" | |
if ! test -f "$image/README.md"; then | |
echo "::warning ::missing README.md file at /$image" | |
continue | |
fi | |
node .github/scripts/update-image-readme.js "${{ env.DOCKERHUB_ORG }}/$image" "$image/README.md" | |
done |