Skip to content

Create and publish the CI docker image #3

Create and publish the CI docker image

Create and publish the CI docker image #3

Workflow file for this run

name: Create and publish the CI docker image
# Configures this workflow to run when triggered.
on:
push:
tags:
- v**
workflow_dispatch:
# Defines two custom environment variables for the workflow. These are used for
# the Container registry domain, and a name for the Docker image that this
# workflow builds.
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.actor }}/orca-jedi/ci-almalinux9
jobs:
build-and-push-image:
runs-on: ubuntu-latest
# Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
permissions:
contents: read
packages: write
attestations: write
id-token: write
#
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Uses the `docker/login-action` action to log in to the Container
# registry registry using the account and password that will publish the
# packages. Once published, the packages are scoped to the account
# defined here.
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# This step uses
# [docker/metadata-action](https://github.com/docker/metadata-action#about)
# to extract tags and labels that will be applied to the specified image.
# The `id` "meta" allows the output of this step to be referenced in a
# subsequent step. The `images` value provides the base name for the tags
# and labels.
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Install hpccm
run: |
python3 -m pip install hpccm
- name: Recipe to Dockerfile
run: |
hpccm --recipe ./ci/hpccm_recipe_almalinux9.py >./Dockerfile
# This step uses the `docker/build-push-action` action to build the
# image, based on your repository's `Dockerfile`. If the build succeeds,
# it pushes the image to GitHub Packages. It uses the `context`
# parameter to define the build's context as the set of files located in
# the specified path. For more information, see
# "[Usage](https://github.com/docker/build-push-action#usage)" in the
# README of the `docker/build-push-action` repository. It uses the
# `tags` and `labels` parameters to tag and label the image with the
# output from the "meta" step.
- name: Build and push Docker image
id: push
uses: docker/build-push-action@v6
with:
context: .
cache-from: type=gha
cache-to: type=gha,mode=max`
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# This step generates an artifact attestation for the image, which is an
# unforgeable statement about where and how it was built. It increases
# supply chain security for people who consume the image. For more
# information, see
# "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true