.github/workflows/docker-master.yaml

name: Docker build and push on master
on:
  push:
    branches:
      - main
env:
  OPERATOR_REPO: quay.io/costoolkit/elemental-operator-ci
  REGISTER_REPO: quay.io/costoolkit/elemental-register-ci
jobs:
  docker:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # OIDC support.
      contents: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: cosign-installer
        uses: sigstore/cosign-installer@v2.8.0
      - name: Install the bom command
        shell: bash
        run: |
          curl -L  https://github.com/kubernetes-sigs/bom/releases/download/v0.3.0/bom-linux-amd64.tar.gz | tar xvz
          sudo mv ./bom /usr/bin/bom
      - name: Export tag
        id: export_tag
        run: |
          git describe --abbrev=0 --tags
          TAG=`git describe --abbrev=0 --tags 2>/dev/null || echo "v0.0.0"`
          COMMITDATE=`date -d @$(git log -n1 --format="%at") "+%FT%TZ"`
          echo "operator_tag=$TAG" >> $GITHUB_OUTPUT
          echo "commit_date=$COMMITDATE" >> $GITHUB_OUTPUT
      - name: Docker meta for operator master
        id: meta-operator
        uses: docker/metadata-action@v5.5.1
        with:
          images: |
            ${{ env.OPERATOR_REPO }}
          tags: |
            type=sha,format=short,prefix=${{ steps.export_tag.outputs.operator_tag }}-
            type=raw,value=latest
      - name: Docker meta for register master
        id: meta-register
        uses: docker/metadata-action@v5.5.1
        with:
          images: |
            ${{ env.REGISTER_REPO }}
          tags: |
            type=sha,format=short,prefix=${{ steps.export_tag.outputs.operator_tag }}-
            type=raw,value=latest
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3.1.0
      - name: Login to Quay
        uses: docker/login-action@v3.0.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_TOKEN }}
      - name: Build operator image
        uses: docker/build-push-action@v5.2.0
        with:
          context: .
          tags: ${{ steps.meta-operator.outputs.tags }}
          labels: ${{ steps.meta-operator.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          target: elemental-operator
          push: true
          build-args: |
            TAG=${{ steps.export_tag.outputs.operator_tag }}
            COMMITDATE=${{ steps.export_tag.outputs.commit_date }}
            COMMIT=${{ github.sha }}
      - name: Build register image
        uses: docker/build-push-action@v5.2.0
        with:
          context: .
          tags: ${{ steps.meta-register.outputs.tags }}
          labels: ${{ steps.meta-register.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          target: elemental-register
          push: true
          build-args: |
            TAG=${{ steps.export_tag.outputs.operator_tag }}
            COMMITDATE=${{ steps.export_tag.outputs.commit_date }}
            COMMIT=${{ github.sha }}
      - name: Create SBOM file
        shell: bash
        run: |
          bom generate -o elemental-operator.spdx .
          bom generate -o elemental-register.spdx .
      - name: Attach SBOM file in the container image
        shell: bash
        run: |
          set -e
          cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}"
          cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:latest"
          cosign attach sbom --sbom elemental-register.spdx "${{ env.REGISTER_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}"
          cosign attach sbom --sbom elemental-register.spdx "${{ env.REGISTER_REPO }}:latest"
      - name: Sign images
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}
          cosign sign ${{ env.OPERATOR_REPO }}:latest
          cosign sign ${{ env.REGISTER_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}
          cosign sign ${{ env.REGISTER_REPO }}:latest