From d90dccaed37ba046062aed476ce1076234c9c723 Mon Sep 17 00:00:00 2001
From: ThePhaseless <kukubaorch@gmail.com>
Date: Thu, 20 Feb 2025 20:50:11 +0000
Subject: [PATCH] gha cache fix

---
 .github/workflows/docker-publish.yml | 37 +++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index fb77290..74bef22 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -81,13 +81,14 @@ jobs:
           platforms: linux/amd64
           cache-from: type=gha
           pull: true
+          push: ${{ github.event_name != 'pull_request' }}
           cache-to: type=gha,mode=max
           target: test
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
+      - name: Build and push Docker image for x64
+        id: build-and-push-x64
         uses: docker/build-push-action@v6
         with:
           context: .
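Review bot: The added `push: ${{ github.event_name != 'pull_request' }}` sits on the step that builds `target: test`, so on non-PR events the test stage itself is pushed to the registry. The rest of this step's `with:` block, including any `tags` input, is outside the hunk. If it uses the same tags as the release build, the test image is briefly published under release tags and is never signed; if it has no tags, the push would presumably fail for lack of an image name. If the goal is only to warm the cache, leave `push` off here and rely on `cache-to: type=gha,mode=max`. This step also keeps the unscoped `type=gha` cache while the two platform builds get their own scopes, so consider giving it a `scope=` as well.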
@@ -95,9 +96,33 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          platforms: linux/amd64
+          cache-from: type=gha,scope=buildkit-x64
+          cache-to: type=gha,mode=max,scope=buildkit-x64
+          build-args: GITHUB_BUILD=true,VERSION=${{ github.ref_name }}
+
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push-x64.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+      - name: Build and push Docker image for arm64
+        id: build-and-push-arm64
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          pull: true
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/arm64
+          cache-from: type=gha,scope=buildkit-arm64
+          cache-to: type=gha,mode=max,scope=buildkit-arm64
           build-args: GITHUB_BUILD=true,VERSION=${{ github.ref_name }}
 
       # Sign the resulting Docker image digest except on PRs.
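Review bot: Both build steps push a single-platform image to the same `${{ steps.meta.outputs.tags }}`, so the arm64 push replaces what the x64 push just tagged and each tag ends up resolving to an arm64-only image rather than a multi-arch manifest. The x64 signature added here is then attached to a digest that no tag points to, and anyone verifying by tag sees only the arm64 signature from the existing sign step, whose `DIGEST` is switched to `build-and-push-arm64` in the last hunk. To keep the per-platform cache scopes, push each platform by digest (`push-by-digest=true` in `outputs`), merge the digests with `docker buildx imagetools create`, and run `cosign sign` once on the resulting manifest-list digest. Separately, `build-args` is a newline-delimited input in docker/build-push-action, so `GITHUB_BUILD=true,VERSION=…` on the new x64 step is likely passed as a single `GITHUB_BUILD` argument; a `build-args: |` block with one `NAME=value` per line avoids that.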
@@ -110,7 +135,7 @@ jobs:
         env:
           # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
           TAGS: ${{ steps.meta.outputs.tags }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          DIGEST: ${{ steps.build-and-push-arm64.outputs.digest }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}