capsule/.github/workflows/docker-publish.yml

name: Publish images
permissions: {}

on:
  push:
    tags:
      - "v*"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  publish-images:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      id-token: write
    outputs:
      capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup caches
        uses: ./.github/actions/setup-caches
        timeout-minutes: 5
        continue-on-error: true
        with:
          build-cache-key: publish-images
      - name: Run Trivy vulnerability (Repo)
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Install Cosign
        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
      - name: Publish Capsule
        id: publish-capsule
        uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
        with:
          makefile-target: ko-publish-capsule
          registry: ghcr.io
          registry-username: ${{ github.actor }}
          registry-password: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.repository_owner }}
          version: ${{ github.ref_name }}
          sign-image: true
          sbom-name: capsule
          sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule
          signature-repository: ghcr.io/${{ github.repository_owner }}/capsule
          main-path: ./cmd/
        env:
          REPOSITORY: ${{ github.repository }}
  generate-capsule-provenance:
    needs: publish-images
    permissions:
      id-token: write   # To sign the provenance.
      packages: write   # To upload assets to release.
      actions: read     # To read the workflow path.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ghcr.io/${{ github.repository_owner }}/capsule
      digest: "${{ needs.publish-images.outputs.capsule-digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}