capsule/.github/workflows/docker-publish.yml

name: Publish images
permissions: {}

on:
  push:
    tags:
      - "v*"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  publish-images:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      id-token: write
    outputs:
      capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup caches
        uses: ./.github/actions/setup-caches
        timeout-minutes: 5
        continue-on-error: true
        with:
          build-cache-key: publish-images
      - name: Run Trivy vulnerability (Repo)
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Install Cosign
        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
      - name: Publish Capsule
        id: publish-capsule
        uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
        with:
          makefile-target: ko-publish-capsule
          registry: ghcr.io
          registry-username: ${{ github.actor }}
          registry-password: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.repository_owner }}
          version: ${{ github.ref_name }}
          sign-image: true
          sbom-name: capsule
          sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule
          signature-repository: ghcr.io/${{ github.repository_owner }}/capsule
          main-path: ./
        env:
          REPOSITORY: ${{ github.repository }}
  generate-capsule-provenance:
    needs: publish-images
    permissions:
      id-token: write   # To sign the provenance.
      packages: write   # To upload assets to release.
      actions: read     # To read the workflow path.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/${{ github.repository_owner }}/capsule
      digest: "${{ needs.publish-images.outputs.capsule-digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}