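name: Reusable - Container publication
# description: |
#   Builds a new container image with Docker and pushes it to a registry.
#   Make sure the caller grants (needed by cosign):
#   ```
#   permissions:
#     id-token: write
#     contents: read
#   ```
#
# Notes for maintainers:
# - Every `uses:` below is pinned to a floating tag (e.g. `@v6`). Pinning to a
#   full commit SHA is the stronger supply-chain control; it is not done here
#   because the matching digests are not known from this file.
# - `workflow-parts-version` defaults to `main`, so the cosign signing action is
#   fetched from a mutable ref. Callers wanting a reproducible signing step
#   should pass a tag or SHA.
on:
  workflow_call:
    inputs:
      container-registry:
        description: Container registry
        type: string
        required: false
        default: "docker.io"
      create-latest:
        description: "Create latest tag?"
        type: boolean
        required: false
        default: false
      extra-build-arguments:
        description: Container build additional arguments
        type: string
        required: false
        default: ""
      image-definition:
        description: Path to the container definition file (Dockerfile, Containerfile)
        type: string
        required: true
      image-name:
        description: Image name
        type: string
        required: true
      image-path:
        description: Image path
        type: string
        required: true
      image-tag:
        description: Image tag
        type: string
        required: true
      image-platform:
        description: Image platform
        type: string
        required: false
        default: "linux/amd64,linux/arm64"
      job-name:
        description: Job name
        type: string
        required: false
        default: Publication
      operating-system:
        description: Operating system executing the runner
        type: string
        required: false
        default: ubuntu-latest
      workflow-parts-version:
        description: GitHub workflow parts version (branch/tag/SHA)
        type: string
        required: false
        default: main
      working-directory:
        description: Working directory
        type: string
        required: false
        default: "."
    secrets:
      container-registry-username:
        description: Container registry username
        required: true
      container-registry-password:
        description: Container registry password
        required: true
      secret-vars:
        description: "Additional environment variables"
        required: false

jobs:
  container-publication:
    name: ${{ inputs.job-name }}
    runs-on: ${{ inputs.operating-system }}
    defaults:
      run:
        working-directory: ${{ inputs.working-directory }}
    steps:
      # `secret-vars` is consumed as KEY=VALUE lines. Each value is masked
      # before the whole block is appended to GITHUB_ENV, so later steps can
      # read the variables without them showing up in the job log.
      # Values containing a newline are not supported by this loop.
      - name: Set secret variables
        shell: bash
        env:
          SECRET_VARS: ${{ secrets.secret-vars }}
        run: |
          if [[ -n "$SECRET_VARS" ]]; then
            # `read` assigns everything after the first '=' to val, so values
            # that themselves contain '=' are masked in full.
            while IFS='=' read -r _key val; do
              if [[ -n "$val" ]]; then
                echo "::add-mask::$val"
              fi
            done <<< "$SECRET_VARS"
            # printf instead of echo: a value starting with '-n'/'-e' must not
            # be interpreted as an echo option.
            printf '%s\n' "$SECRET_VARS" >> "$GITHUB_ENV"
          fi
      - name: Clone repository
        uses: actions/checkout@v6
      # Brings in the local composite action used by the signing step below.
      - name: Checkout workflow parts
        uses: actions/checkout@v6
        with:
          repository: devpro/github-workflow-parts
          ref: ${{ inputs.workflow-parts-version }}
          path: workflow-parts
      - name: Login to container registry
        uses: docker/login-action@v4
        with:
          registry: ${{ inputs.container-registry }}
          username: ${{ secrets.container-registry-username }}
          password: ${{ secrets.container-registry-password }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4
      - name: Set up Buildx
        uses: docker/setup-buildx-action@v4
      - name: Build and push container image
        id: build-push
        uses: docker/build-push-action@v7
        with:
          context: ${{ inputs.working-directory }}
          file: ${{ inputs.image-definition }}
          platforms: ${{ inputs.image-platform }}
          push: true
          tags: ${{ env.IMAGE_REF }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: ${{ inputs.extra-build-arguments }}
      # Best-effort: the SBOM is generated but, as written, neither attached to
      # the image nor uploaded, and a failure here does not block publication.
      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        continue-on-error: true
        with:
          image: ${{ env.IMAGE_REF }}
      # The image references are built from caller-provided inputs, so they are
      # read from the step environment rather than interpolated with ${{ }}
      # into the script, where an input could alter the command line.
      - name: Push latest tag
        if: ${{ inputs.create-latest }}
        shell: bash
        run: |
          docker buildx imagetools create \
            --tag "$IMAGE_REF_LATEST" \
            "$IMAGE_REF"
      # Signs by tag. `steps.build-push.outputs.digest` is available from the
      # build step above; if the wrapped action can accept a digest, signing
      # the digest rather than a mutable tag is the more robust choice.
      - name: Sign container image with Cosign
        uses: ./workflow-parts/actions/cosign/sign
        with:
          image-name: ${{ inputs.image-name }}
          image-path: ${{ inputs.image-path }}
          image-tag: ${{ inputs.image-tag }}
    # Job-scoped so every step (including `with:` values) shares one reference.
    env:
      IMAGE_REF: ${{ inputs.image-path }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
      IMAGE_REF_LATEST: ${{ inputs.image-path }}/${{ inputs.image-name }}:latest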