Container Images: Release¶
Builds a container image with Buildx, pushes it to a registry, and
attaches a build provenance attestation.
On pull_request events the image is built but not pushed or attested.
Usage¶
Create a .github/workflows/release.yaml file:
.github/workflows/release.yaml
---
name: Release
on:
push:
branches: [main]
tags: ["v*.*.*"]
pull_request:
workflow_dispatch:
permissions: {} # (1)
jobs:
build:
permissions:
contents: read # (2)
packages: write # (3)
id-token: write # (4)
attestations: write # (5)
uses: projectpotos/actions/.github/workflows/release-container.yaml@v0.0.0
with:
tags: | # (6)
type=edge,branch=main
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
labels: |
org.opencontainers.image.title=<name>
org.opencontainers.image.description=<description>
org.opencontainers.image.licenses=GPL-3.0-or-later
- Deny all permissions at the workflow level as a secure baseline.
- Required to check out code.
- Required to push the built image to the registry (gated on non-PR events).
- Required for keyless signing of the provenance attestation via GitHub OIDC.
- Required to write the build-provenance attestation.
- A docker/metadata-action tag specification.
Inputs¶
| Input | Description | Required | Default |
|---|---|---|---|
tags |
Tag specification for docker/metadata-action (multiline) | Yes | — |
labels |
OCI labels for docker/metadata-action (multiline) | No | "" |
platforms |
Comma-separated target platforms | No | linux/amd64 |
setup-qemu |
Set up QEMU for cross-platform builds | No | false |
registry |
Container registry to publish to | No | ghcr.io |
image-name |
Image name | No | calling repository |
context |
Context directory for the Docker build | No | . |
dockerfile |
Path to the Dockerfile, relative to the context | No | Dockerfile |