name: Create, publish, sign and verify container image on: push: tags: [ 'v*.*.*' ] env: REGISTRY: docker.io IMAGE_NAME: paralusio/paralus jobs: build-push-sign-verify: strategy: matrix: os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: - name: Checkout repository uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: 'go.mod' - name: Create k8s Kind Cluster uses: helm/kind-action@v1.2.0 # Sanity check before publishing - name: Test all run: go test -v ./... - name: Log in to the Container registry uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 with: registry: ${{ env.REGISTRY }} username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 with: context: . platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - name: Extract metadata (tags, labels) for Docker (paralus-init) id: meta-init uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-init - name: Build and push Docker image (paralus-init) id: build-init uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 with: context: . file: ./Dockerfile.initialize platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta-init.outputs.tags }} labels: ${{ steps.meta-init.outputs.labels }} - name: Extract metadata (tags, labels) for Docker (kratos-sync) id: meta-sync uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 with: images: ${{ env.REGISTRY }}/paralusio/kratos-synchronizer - name: Build and push Docker image (kratos-sync) id: build-sync uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 with: context: . file: ./Dockerfile.synchronizer platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta-sync.outputs.tags }} labels: ${{ steps.meta-sync.outputs.labels }} - name: Install Cosign uses: sigstore/cosign-installer@v3.8.2 - name: Check Cosign run: cosign version - name: Sign Published Docker image using Cosign run: | cosign sign -y --key env://COSIGN_PRIVATE_KEY \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-init@${{ steps.build-init.outputs.digest }} \ ${{ env.REGISTRY }}/paralusio/kratos-synchronizer@${{ steps.build-sync.outputs.digest }} env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify Cosign Signature run: | cosign verify --key env://COSIGN_PUBLIC_KEY \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }} \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-init:${{ github.ref_name }} \ ${{ env.REGISTRY }}/paralusio/kratos-synchronizer:${{ github.ref_name }} env: COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}