25 changes: 13 additions & 12 deletions .github/workflows/docker-build-release.yml
Expand Up @@ -42,8 +42,13 @@ on:
description: 'Platforms to build for'
type: string
default: 'linux/amd64, linux/arm64'
image-description:
description: 'Container image description for metadata'
required: false
type: string
default: ''

permissions: write-all # Necessary for the generate-build-provenance action with containers
permissions: write-all # Necessary for provenance and SBOM attestations

jobs:
build-push-images:
Expand Down Expand Up @@ -101,6 +106,10 @@ jobs:
type=ref,event=tag
# pull request event
type=ref,event=pr
labels: |
org.opencontainers.image.description=${{ inputs.image-description }}
annotations: |
org.opencontainers.image.description=${{ inputs.image-description }}

- name: Auth to registry
uses: docker/login-action@v3.5.0
Expand All @@ -117,11 +126,10 @@ jobs:
file: ${{ inputs.docker-file }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Unclear how https://docs.docker.com/build/ci/github-actions/attestations/ interacts with
# multi-stage builds and cache. A separate build and cache step is useful if we copy the
# same binary to multiple images, but a single invocation may still be able to handle that?
annotations: ${{ steps.meta.outputs.annotations }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
# Built-in attestations work better with multi-arch than separate attest action
provenance: mode=max
sbom: true
target: ${{ inputs.docker-target }}
Expand All @@ -133,14 +141,7 @@ jobs:
"GOPATH=${{ env.GOPATH}}"
"GOCACHE=${{ env.GOCACHE}}"
"CGO_ENABLED=${{ env.CGO_ENABLED }}"
"CC=${{ env.CC }}"
- name: Attest
uses: actions/attest-build-provenance@v3
id: attest
with:
subject-name: ${{ inputs.registry-name }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
${{ env.CC != '' && format('"CC={0}"', env.CC) || '' }}

publish-release:
runs-on: ubuntu-latest
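Review bot: The `permissions: write-all` line in the first hunk is kept and re-justified as "Necessary for provenance and SBOM attestations", but the step that actually needed broad GitHub-token scopes (`actions/attest-build-provenance`, which required `id-token`, `attestations` and `packages` write) is deleted in the last hunk, and BuildKit's built-in `provenance`/`sbom` attestations are pushed to the registry with the `docker/login-action` credentials, not the `GITHUB_TOKEN`. Granting every scope writable (`contents`, `id-token`, `actions`, …) to a reusable build workflow gives a compromised action or build step far more than it needs; I would narrow it to `permissions:` / `  contents: read` / `  packages: write` (drop `packages` if `inputs.registry-name` is not GHCR) and put any extra scope the `publish-release` job needs on that job alone. Note also that the BuildKit attestations are registry-side in-toto manifests that are not Sigstore-signed or bound to the workflow's OIDC identity the way the removed action's were, so any consumer relying on `gh attestation verify` loses that guarantee; a comment such as `# BuildKit provenance/SBOM are unsigned registry attestations; sign separately if verification is required` next to `sbom: true` would record the trade-off. The `on:` inputs block and the `publish-release` job both continue outside these hunks.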