Add attestation and fix image README push to Docker Hub

ohmyzsh · Sep 15, 2024 · 3efe21b · 3efe21b
1 parent ee1a706
commit 3efe21b
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 7 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -10,6 +10,7 @@ on:
 
 env:
   LATEST_ZSH: "5.9"
+  REGISTRY: "docker.io"
   DOCKERHUB_ORG: "ohmyzsh"
   MAIN_OMZ_BRANCH: "master" # TODO: we need to change master with main when migrating the branch
 
@@ -29,6 +30,8 @@ jobs:
   build-omz:
     name: Build Oh My Zsh Docker image
     runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: ${{ env.DOCKERHUB_ORG }}/ohmyzsh
     needs:
       - get-omz-versions
     strategy:
@@ -53,23 +56,33 @@ jobs:
       - name: Get tags and versions
         id: tags
         run: |
-          tags=${{ env.DOCKERHUB_ORG }}/ohmyzsh:${{ matrix.omz-version }}
+          tags=${{ env.IMAGE_NAME }}:${{ matrix.omz-version }},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.omz-version }}
           if [ ${{matrix.omz-version }} = ${{ env.MAIN_OMZ_BRANCH }} ]; then
-            tags="${tags},${{ env.DOCKERHUB_ORG }}/ohmyzsh:latest"
+            tags="${tags},${{ env.IMAGE_NAME }}:latest,${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
           fi
           echo "tags=$tags" >> $GITHUB_OUTPUT
       - name: Build and push images
+        id: push
         uses: docker/build-push-action@v5
         with:
           context: ohmyzsh
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           build-args: "OMZ_VERSION=${{ matrix.omz-version }}"
           tags: ${{ steps.tags.outputs.tags }}
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
 
   build-zsh:
     name: Build Zsh Docker images
     runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: ${{ env.DOCKERHUB_ORG }}/zsh
     strategy:
       matrix:
         zsh-version:
@@ -127,19 +140,27 @@ jobs:
       - name: Get tags and versions
         id: tags
         run: |
-          tags=${{ env.DOCKERHUB_ORG }}/zsh:${{ matrix.zsh-version }}
+          tags=${{ env.IMAGE_NAME }}:${{ matrix.zsh-version }},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.zsh-version }}
           if [ ${{matrix.zsh-version }} = ${{ env.LATEST_ZSH }} ]; then
-            tags="${tags},${{ env.DOCKERHUB_ORG }}/zsh:latest"
+            tags="${tags},${{ env.IMAGE_NAME }}:latest,${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
           fi
           echo "tags=$tags" >> $GITHUB_OUTPUT
       - name: Build and push images
+        id: push
         uses: docker/build-push-action@v5
         with:
           context: zsh
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           build-args: "ZSH_VERSION=${{ matrix.zsh-version }}"
           tags: ${{ steps.tags.outputs.tags }}
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
 
   update-image-readme:
     needs:
@@ -148,6 +169,8 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name != 'pull_request' }}
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
       - name: Update image READMEs
         env:
           DH_USERNAME: ${{ secrets.DOCKERHUB_USER }}

diff --git a/README.md b/README.md
@@ -1,5 +1,7 @@
 # Oh My Zsh docker images
 
+[![Publish workflow](https://github.com/ohmyzsh/docker/actions/workflows/main.yml/badge.svg)](https://github.com/ohmyzsh/docker/actions/workflows/main.yml)
+
 This repository holds the Dockerfile files for the various docker images hosted in the
 [ohmyzsh organization at Docker Hub](https://hub.docker.com/u/ohmyzsh).
 
@@ -12,8 +14,7 @@ Inside this folder there needs to be:
 - `Dockerfile` for building the Docker image. See [`ohmyzsh/ohmyzsh`](ohmyzsh/Dockerfile) for
   an example of how to set it up, including metadata `LABEL`s.
 
-- `build.sh` file which receives the Docker Hub organization name as the first argument,
-  and builds all the tags for the given image.
-
 - `README.md` which provides information regarding the Docker image. If the image has a README.md
   file, this will be used to automatically update the README in Docker Hub.
+
+There also needs to be a separate build job for each image in the [`.github/workflows/main.yml`](https://github.com/ohmyzsh/docker/actions/workflows/main.yml) file.