diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml index 7ce50477085..477343bb271 100644 --- a/.github/workflows/image.yml +++ b/.github/workflows/image.yml @@ -2,14 +2,12 @@ name: Build Docker image on: push: - - # Run on pull requests to verify that the image still builds correctly - # The image is not pushed on pull requests - pull_request: + tags: + - "*" paths: - Dockerfile - .github/workflows/image.yml - + pull_request: permissions: packages: write @@ -32,24 +30,23 @@ jobs: echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - name: Checkout - uses: actions/checkout@v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Docker meta id: meta - uses: docker/metadata-action@v5.5.1 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: ${{ env.REGISTRY_IMAGE }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3.0.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.3.0 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - name: Login to GHCR # Login is only needed when the image is pushed - if: ${{ startsWith(github.ref, 'refs/tags') }} - uses: docker/login-action@v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -57,7 +54,7 @@ jobs: - name: Build and push by digest id: build - uses: docker/build-push-action@v5.3.0 + uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1 with: context: . push: ${{ startsWith(github.ref, 'refs/tags') }} @@ -72,7 +69,7 @@ jobs: touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v4.3.3 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: digests-${{ env.PLATFORM_PAIR }} path: /tmp/digests/* @@ -83,45 +80,41 @@ jobs: runs-on: ubuntu-latest needs: - build - if: ${{ startsWith(github.ref, 'refs/tags') }} steps: - name: Download digests - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: path: /tmp/digests pattern: digests-* merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.3.0 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - name: Docker meta id: meta - uses: docker/metadata-action@v5.5.1 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: ${{ env.REGISTRY_IMAGE }} flavor: | latest=false - # Tag the image with the v-prefixed semver version on tags, tag with the ref on PRs - tags: | - type=semver,pattern={{raw}} - type=ref,event=pr - - name: Login to GHCR - uses: docker/login-action@v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Create manifest list and push + if: ${{ startsWith(github.ref, 'refs/tags') }} working-directory: /tmp/digests run: | docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - name: Inspect image + if: ${{ startsWith(github.ref, 'refs/tags') }} run: | docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}