Build container image, sign it, and generate SBOMs

Merge pull request #438 from kubewarden/renovate/kubewarden-github-ac… #369

Workflow file for this run

.github/workflows/container-build.yml at be002cd

	name: Build container image, sign it, and generate SBOMs

	on:
	workflow_call:
	outputs:
	digest:
	description: "Container image digest"
	value: ${{jobs.build.outputs.digest}}

	push:
	branches:
	- "main"
	- "feat-**"

	jobs:
	build:
	name: Build container image
	permissions:
	packages: write
	id-token: write
	runs-on: ubuntu-latest
	outputs:
	repository: ${{ steps.setoutput.outputs.repository }}
	tag: ${{ steps.setoutput.outputs.tag }}
	digest: ${{ steps.setoutput.outputs.digest }}
	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Install cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
	- name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Retrieve tag name (main branch)
	if: ${{ startsWith(github.ref, 'refs/heads/main') }}
	run: \|
	echo TAG_NAME=latest >> $GITHUB_ENV
	- name: Retrieve tag name (feat branch)
	if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
	run: \|
	echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
	- name: Retrieve tag name (tag)
	if: ${{ startsWith(github.ref, 'refs/tags/') }}
	run: \|
	echo TAG_NAME=$(echo $GITHUB_REF \| sed -e "s\|refs/tags/\|\|") >> $GITHUB_ENV
	- name: Build and push container image
	id: build-image
	uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
	with:
	context: .
	file: ./Dockerfile
	platforms: linux/amd64, linux/arm64
	push: true
	sbom: true
	provenance: mode=max
	tags: \|
	ghcr.io/${{github.repository_owner}}/audit-scanner:${{ env.TAG_NAME }}
	- id: setoutput
	name: Set output parameters
	run: \|
	echo "repository=ghcr.io/${{github.repository_owner}}/audit-scanner" >> $GITHUB_OUTPUT
	echo "tag=${{ env.TAG_NAME }}" >> $GITHUB_OUTPUT
	echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #438 from kubewarden/renovate/kubewarden-github-ac… #369

Workflow file

Merge pull request #438 from kubewarden/renovate/kubewarden-github-ac… #369

Jobs

Run details

Workflow file for this run