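# Re-tags an already-published release image as `:latest` and signs/verifies
# that tag with Cosign keyless (GitHub OIDC) signing.
name: Publish Docker latest tag

on:
  release:
    types: [published]

jobs:
  tag-docker-latest:
    # Only run when the release is marked as "Latest release" in the GitHub UI
    if: github.event.release.make_latest == 'true'
    runs-on: [self-hosted, Linux]
    env:
      GHCR_REPO: ghcr.io/defguard/defguard-proxy
    permissions:
      packages: write
      id-token: write # needed for Cosign keyless signing
    steps:
      # NOTE(review): third-party actions are pinned by tag; pinning by full
      # commit SHA (`uses: owner/action@<COMMIT_SHA> # vX.Y.Z`) protects against
      # a moved or compromised tag. SHAs are not reproduced here on purpose.
      - name: Install Cosign
        uses: sigstore/cosign-installer@v4.1.1

      - name: Login to GitHub container registry
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Derive semver tag
        # The tag name is passed through the environment instead of being
        # interpolated into the script, so a tag containing shell metacharacters
        # is treated as data, not executed (GitHub "script injection" guidance).
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        shell: bash
        run: |
          # Strip the leading 'v' from the release tag name (e.g. v1.2.3 -> 1.2.3)
          VERSION="${RELEASE_TAG#v}"
          if [ -z "$VERSION" ]; then
            echo "::error::release tag_name is empty; cannot derive version" >&2
            exit 1
          fi
          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"

      - name: Tag image as latest
        shell: bash
        run: |
          docker buildx imagetools create \
            --tag "${GHCR_REPO}:latest" \
            "${GHCR_REPO}:${VERSION}"

      - name: Resolve digest of the latest tag
        # A tag is mutable; sign and verify the immutable digest so the
        # signature cannot be re-pointed at a different image later.
        shell: bash
        run: |
          DIGEST="$(docker buildx imagetools inspect "${GHCR_REPO}:latest" --format '{{.Manifest.Digest}}')"
          if [ -z "$DIGEST" ]; then
            echo "::error::could not resolve digest for ${GHCR_REPO}:latest" >&2
            exit 1
          fi
          echo "DIGEST=${DIGEST}" >> "$GITHUB_ENV"

      - name: Sign the latest tag with GitHub OIDC Token
        shell: bash
        run: cosign sign --yes "${GHCR_REPO}@${DIGEST}"

      - name: Verify image signature
        # The identity regexp is anchored and dot-escaped: an unanchored
        # "https://github.com/DefGuard/proxy" would also accept identities from
        # e.g. a "proxy-fork" repository or a lookalike host. It can be tightened
        # further to this workflow's own path and tag ref if desired.
        shell: bash
        run: |
          cosign verify "${GHCR_REPO}@${DIGEST}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github\.com/DefGuard/proxy/' \
            -o text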