1
1
name : Docker
2
2
3
- # This workflow uses actions that are not certified by GitHub.
4
- # They are provided by a third-party and are governed by
5
- # separate terms of service, privacy policy, and support
6
- # documentation.
7
-
8
3
on :
9
4
schedule :
10
5
- cron : ' 18 2 * * *'
17
12
REGISTRY : ghcr.io
18
13
IMAGE_NAME : dbsystel/postgresql-partman
19
14
20
-
21
15
jobs :
22
16
build :
23
17
strategy :
@@ -40,26 +34,21 @@ jobs:
40
34
permissions :
41
35
contents : read
42
36
packages : write
43
- # This is used to complete the identity challenge
44
- # with sigstore/fulcio when running outside of PRs.
45
37
id-token : write
46
38
47
39
steps :
48
40
- name : Checkout repository
49
41
uses : actions/checkout@v4
50
42
51
43
# Install the cosign tool except on PR
52
- # https://github.com/sigstore/cosign-installer
53
44
- name : Install cosign
54
45
if : github.event_name != 'pull_request'
55
46
uses : sigstore/cosign-installer@v3.4.0
56
47
57
- # Workaround: https://github.com/docker/build-push-action/issues/461
58
48
- name : Setup Docker buildx
59
49
uses : docker/setup-buildx-action@v3
60
50
61
51
# Login against a Docker registry except on PR
62
- # https://github.com/docker/login-action
63
52
- name : Log into registry ${{ env.REGISTRY }}
64
53
if : github.event_name != 'pull_request'
65
54
uses : docker/login-action@v3
69
58
password : ${{ secrets.GITHUB_TOKEN }}
70
59
71
60
# Extract metadata (tags, labels) for Docker
72
- # https://github.com/docker/metadata-action
73
61
- name : Extract Docker metadata
74
62
id : meta
75
63
uses : docker/metadata-action@v5
80
68
type=raw,value=${{ matrix.postgres_version }},enable=${{ matrix.default == 'true'}}
81
69
${{ matrix.postgres_version }}-${{ matrix.major }}
82
70
83
- # Build and push Docker image with Buildx (don't push on PR)
84
- # https://github.com/docker/build-push-action
71
+ # Build and push Docker image with Buildx, using only the digest
85
72
- name : Build and push Docker image
86
73
id : build-and-push
87
74
uses : docker/build-push-action@v5
@@ -92,22 +79,50 @@ jobs:
92
79
PARTMAN_VERSION=${{ matrix.partman_version }}
93
80
PARTMAN_CHECKSUM=${{ matrix.partman_checksum }}
94
81
platforms : linux/amd64,linux/arm64
95
- push : ${{ github.event_name != 'pull_request' }}
96
- tags : ${{ steps.meta.outputs.tags }}
82
+ push : true
83
+ tags : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pipeline
97
84
labels : ${{ steps.meta.outputs.labels }}
98
85
cache-from : type=gha
99
86
cache-to : type=gha,mode=max
100
87
88
+ # Test the built Docker image using the digest
89
+ - name : Test Docker image
90
+ env :
91
+ POSTGRES_PASSWORD : examplepassword
92
+ run : |
93
+ DIGEST=${{ steps.build-and-push.outputs.digest }}
94
+ docker run -d --name test-db -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@$DIGEST
95
+ sleep 30
96
+ docker exec test-db pg_isready -U postgres
97
+ docker stop test-db
98
+ docker rm test-db
101
99
102
- # Sign the resulting Docker image digest except on PRs.
103
- # This will only write to the public Rekor transparency log when the Docker
104
- # repository is public to avoid leaking data. If you would like to publish
105
- # transparency data ev en for private images, pass --force to cosign below.
106
- # https://github.com/sigstore/cosign
100
+ # Build and push Docker image with Buildx,this time using the final tags
101
+ - name : Build and push Docker image
102
+ id : build-and-push
103
+ if : github.event_name != 'pull_request'
104
+ uses : docker/build-push-action@v5
105
+ with :
106
+ context : .
107
+ build-args : |
108
+ POSTGRESQL_VERSION=${{ matrix.postgres_version }}
109
+ PARTMAN_VERSION=${{ matrix.partman_version }}
110
+ PARTMAN_CHECKSUM=${{ matrix.partman_checksum }}
111
+ platforms : linux/amd64,linux/arm64
112
+ push : true
113
+ tags : ${{ steps.meta.outputs.tags }}
114
+ labels : ${{ steps.meta.outputs.labels }}
115
+ cache-from : type=gha
116
+ cache-to : type=gha,mode=max
117
+
118
+ # Sign the resulting Docker image digest except on PRs
107
119
- name : Sign the published Docker image
108
- if : ${{ github.event_name != 'pull_request' }}
120
+ if : github.event_name != 'pull_request'
109
121
env :
110
122
COSIGN_EXPERIMENTAL : " true"
111
- # This step uses the identity token to provision an ephemeral certificate
112
- # against the sigstore community Fulcio instance.
113
- run : echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign -y {}@${{ steps.build-and-push.outputs.digest }}
123
+ run : |
124
+ DIGEST=${{ steps.build-and-push.outputs.digest }}
125
+ TAGS=$(echo ${{ steps.meta.outputs.tags }} | tr ',' '\n')
126
+ for TAG in $TAGS; do
127
+ cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$TAG
128
+ done
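Review bot: The rewritten sign loop no longer binds the signature to the built image digest — `DIGEST` is assigned and then never used, and `cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$TAG` signs whatever the mutable tag resolves to at signing time, whereas the removed line signed `{}@${{ steps.build-and-push.outputs.digest }}`. The loop also assumes a comma-separated list of bare tags, but the removed `xargs -I {}` line shows that `steps.meta.outputs.tags` is one full image reference per line, so each iteration would build a reference like `ghcr.io/dbsystel/postgresql-partman:ghcr.io/...` and fail. Pass both outputs through `env:` instead of interpolating them into the script, and sign `"${TAG}@${DIGEST}"` per line as below. Separately, the second build step reuses `id: build-and-push`, which I believe GitHub's workflow validation rejects as a duplicate identifier within a job, and the first build step's unconditional `push: true` also runs on pull_request events where the login step is skipped.
```yaml
      - name: Sign the published Docker image
        if: github.event_name != 'pull_request'
        env:
          # … unchanged: COSIGN_EXPERIMENTAL …
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          printf '%s\n' "$TAGS" | while IFS= read -r TAG; do
            if [ -n "$TAG" ]; then cosign sign -y "${TAG}@${DIGEST}"; fi
          done
```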