1
1
name : Docker
2
2
3
- # This workflow uses actions that are not certified by GitHub.
4
- # They are provided by a third-party and are governed by
5
- # separate terms of service, privacy policy, and support
6
- # documentation.
7
-
8
3
on :
9
4
schedule :
10
5
- cron : ' 18 2 * * *'
17
12
REGISTRY : ghcr.io
18
13
IMAGE_NAME : dbsystel/postgresql-partman
19
14
20
-
21
15
jobs :
22
16
build :
23
17
strategy :
@@ -40,26 +34,22 @@ jobs:
40
34
permissions :
41
35
contents : read
42
36
packages : write
43
- # This is used to complete the identity challenge
44
- # with sigstore/fulcio when running outside of PRs.
45
37
id-token : write
46
38
47
39
steps :
48
40
- name : Checkout repository
49
41
uses : actions/checkout@v4
50
42
51
43
# Install the cosign tool except on PR
52
- # https://github.com/sigstore/cosign-installer
53
44
- name : Install cosign
54
45
if : github.event_name != 'pull_request'
55
46
uses : sigstore/cosign-installer@v3.4.0
56
47
57
- # Workaround: https://github.com/docker/build-push-action/issues/461
48
+ # Workaround for Docker buildx issue
58
49
- name : Setup Docker buildx
59
50
uses : docker/setup-buildx-action@v3
60
51
61
52
# Login against a Docker registry except on PR
62
- # https://github.com/docker/login-action
63
53
- name : Log into registry ${{ env.REGISTRY }}
64
54
if : github.event_name != 'pull_request'
65
55
uses : docker/login-action@v3
69
59
password : ${{ secrets.GITHUB_TOKEN }}
70
60
71
61
# Extract metadata (tags, labels) for Docker
72
- # https://github.com/docker/metadata-action
73
62
- name : Extract Docker metadata
74
63
id : meta
75
64
uses : docker/metadata-action@v5
80
69
type=raw,value=${{ matrix.postgres_version }},enable=${{ matrix.default == 'true'}}
81
70
${{ matrix.postgres_version }}-${{ matrix.major }}
82
71
83
- # Build and push Docker image with Buildx (don't push on PR)
84
- # https://github.com/docker/build-push-action
72
+ # Build and push Docker image with Buildx, using only the digest
85
73
- name : Build and push Docker image
86
74
id : build-and-push
87
75
uses : docker/build-push-action@v5
@@ -92,22 +80,43 @@ jobs:
92
80
PARTMAN_VERSION=${{ matrix.partman_version }}
93
81
PARTMAN_CHECKSUM=${{ matrix.partman_checksum }}
94
82
platforms : linux/amd64,linux/arm64
95
- push : ${{ github.event_name != 'pull_request' }}
96
- tags : ${{ steps.meta.outputs.tags }}
83
+ outputs : type=docker
84
+ push : true
97
85
labels : ${{ steps.meta.outputs.labels }}
98
86
cache-from : type=gha
99
87
cache-to : type=gha,mode=max
100
88
89
+ # Test the built Docker image using the digest
90
+ - name : Test Docker image
91
+ env :
92
+ POSTGRES_PASSWORD : examplepassword
93
+ run : |
94
+ DIGEST=${{ steps.build-and-push.outputs.digest }}
95
+ docker run -d --name test-db -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@$DIGEST
96
+ sleep 30
97
+ docker exec test-db pg_isready -U postgres
98
+ docker stop test-db
99
+ docker rm test-db
100
+
101
+ # Retag and push Docker image after successful tests
102
+ - name : Retag and push Docker image
103
+ if : github.event_name != 'pull_request'
104
+ run : |
105
+ DIGEST=${{ steps.build-and-push.outputs.digest }}
106
+ TAGS=$(echo ${{ steps.meta.outputs.tags }} | tr ',' '\n')
107
+ for TAG in $TAGS; do
108
+ docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@$DIGEST ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$TAG
109
+ docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$TAG
110
+ done
101
111
102
- # Sign the resulting Docker image digest except on PRs.
103
- # This will only write to the public Rekor transparency log when the Docker
104
- # repository is public to avoid leaking data. If you would like to publish
105
- # transparency data ev en for private images, pass --force to cosign below.
106
- # https://github.com/sigstore/cosign
112
+ # Sign the resulting Docker image digest except on PRs
107
113
- name : Sign the published Docker image
108
- if : ${{ github.event_name != 'pull_request' }}
114
+ if : github.event_name != 'pull_request'
109
115
env :
110
116
COSIGN_EXPERIMENTAL : " true"
111
- # This step uses the identity token to provision an ephemeral certificate
112
- # against the sigstore community Fulcio instance.
113
- run : echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign -y {}@${{ steps.build-and-push.outputs.digest }}
117
+ run : |
118
+ DIGEST=${{ steps.build-and-push.outputs.digest }}
119
+ TAGS=$(echo ${{ steps.meta.outputs.tags }} | tr ',' '\n')
120
+ for TAG in $TAGS; do
121
+ cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$TAG
122
+ done