Skip to content

Fix permissions for creating attestations #222

Fix permissions for creating attestations

Fix permissions for creating attestations #222

Workflow file for this run

name: Publish Docker images
on:
workflow_dispatch: {}
push:
branches:
- main
pull_request:
schedule:
- cron: "46 2 * * 1"
env:
REGISTRY: "docker.io"
DOCKERHUB_ORG: "ohmyzsh"
LATEST_ZSH: "5.9"
LATEST_OMZ: "master" # TODO: we need to change master with main when migrating the branch
permissions:
id-token: write
contents: read
attestations: write
packages: write
jobs:
get-omz-versions:
name: Get Oh My Zsh versions
runs-on: ubuntu-latest
outputs:
versions: ${{ steps.versions.outputs.versions }}
steps:
- name: Get Oh My Zsh versions
id: versions
run: |
OMZ_VERSIONS=$(curl -sL https://api.github.com/repos/ohmyzsh/ohmyzsh/tags | jq -c '["${{ env.LATEST_OMZ }}",.[].name]')
echo "versions=$OMZ_VERSIONS" >> $GITHUB_OUTPUT
build-omz:
name: Build Oh My Zsh Docker image
runs-on: ubuntu-latest
env:
IMAGE_NAME: "ohmyzsh/ohmyzsh"
needs:
- get-omz-versions
strategy:
matrix:
omz-version: ${{ fromJSON(needs.get-omz-versions.outputs.versions) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64,linux/arm64
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Get tags and versions
id: tags
run: |
tags="${{ env.IMAGE_NAME }}:${{ matrix.omz-version }}"
tags="${tags},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.omz-version }}"
if [ ${{matrix.omz-version }} = ${{ env.LATEST_OMZ }} ]; then
tags="${tags},${{ env.IMAGE_NAME }}:latest"
tags="${tags},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
fi
echo "tags=$tags" >> $GITHUB_OUTPUT
- name: Build and push images
id: push
uses: docker/build-push-action@v5
with:
context: ohmyzsh
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
build-args: "OMZ_VERSION=${{ matrix.omz-version }}"
tags: ${{ steps.tags.outputs.tags }}
- name: Attest
uses: actions/attest-build-provenance@v1
id: attest
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
build-zsh:
name: Build Zsh Docker images
runs-on: ubuntu-latest
env:
IMAGE_NAME: "ohmyzsh/zsh"
strategy:
matrix:
zsh-version:
- "master"
- "5.9"
- "5.8.1"
- "5.8"
- "5.7.1"
- "5.7"
- "5.6.2"
- "5.6.1"
- "5.6"
- "5.5.1"
- "5.5"
- "5.4.2"
- "5.4.1"
- "5.4"
- "5.3.1"
- "5.3"
- "5.2"
- "5.1.1"
- "5.1"
- "5.0.8"
- "5.0.7"
- "5.0.6"
- "5.0.5"
- "5.0.4"
- "5.0.3"
- "5.0.2"
- "5.0.1"
- "5.0.0"
- "4.3.17"
- "4.3.16"
- "4.3.15"
- "4.3.14"
- "4.3.13"
- "4.3.12"
- "4.3.11"
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64,linux/arm64
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Get tags and versions
id: tags
run: |
tags="${{ env.IMAGE_NAME }}:${{ matrix.zsh-version }}"
tags="${tags},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.zsh-version }}"
if [ ${{matrix.zsh-version }} = ${{ env.LATEST_ZSH }} ]; then
tags="${tags},${{ env.IMAGE_NAME }}:latest"
tags="${tags},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
fi
echo "tags=$tags" >> $GITHUB_OUTPUT
- name: Build and push images
id: push
uses: docker/build-push-action@v5
with:
context: zsh
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
build-args: "ZSH_VERSION=${{ matrix.zsh-version }}"
tags: ${{ steps.tags.outputs.tags }}
- name: Attest
uses: actions/attest-build-provenance@v1
id: attest
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
update-image-readme:
needs:
- build-zsh
- build-omz
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Update image READMEs
env:
DH_USERNAME: ${{ secrets.DOCKERHUB_USER }}
DH_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
run: |
for image in */Dockerfile; do
image="$(basename $(dirname $image))"
if ! test -f "$image/README.md"; then
echo "::warning ::missing README.md file at /$image"
continue
fi
node .github/scripts/update-image-readme.js "${{ env.DOCKERHUB_ORG }}/$image" "$image/README.md"
done