@@ -26,10 +26,11 @@ jobs:
2626 id-token : write
2727 with :
2828 output : ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
29+ cache : true
2930 meta-images : |
3031 public.ecr.aws/q3b5f1u4/test-docker-action
3132 meta-tags : |
32- type=raw,value=ghbuilder-single-${{ github.run_id }}
33+ type=raw,value=build- ghbuilder-single-${{ github.run_id }}
3334 build-file : test/hello.Dockerfile
3435 build-sbom : true
3536 secrets :
@@ -46,10 +47,12 @@ jobs:
4647 id-token : write
4748 with :
4849 output : ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
50+ cache : true
51+ cache-scope : build-aws
4952 meta-images : |
5053 public.ecr.aws/q3b5f1u4/test-docker-action
5154 meta-tags : |
52- type=raw,value=ghbuilder-${{ github.run_id }}
55+ type=raw,value=build- ghbuilder-${{ github.run_id }}
5356 build-file : test/hello.Dockerfile
5457 build-sbom : true
5558 build-platforms : linux/amd64,linux/arm64
@@ -102,7 +105,7 @@ jobs:
102105 output : ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
103106 meta-images : ghcr.io/docker/github-builder-test
104107 meta-tags : |
105- type=raw,value=${{ github.run_id }}
108+ type=raw,value=build- ${{ github.run_id }}
106109 build-file : test/hello.Dockerfile
107110 build-sbom : true
108111 build-platforms : linux/amd64,linux/arm64
@@ -122,7 +125,7 @@ jobs:
122125 output : ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
123126 meta-images : registry-1-stage.docker.io/docker/github-builder-test
124127 meta-tags : |
125- type=raw,value=${{ github.run_id }}
128+ type=raw,value=build- ${{ github.run_id }}
126129 build-file : test/hello.Dockerfile
127130 build-sbom : true
128131 build-platforms : linux/amd64,linux/arm64
@@ -163,7 +166,7 @@ jobs:
163166 ghcr.io/docker/github-builder-test
164167 public.ecr.aws/q3b5f1u4/test-docker-action
165168 meta-tags : |
166- type=raw,value=${{ github.run_id }},prefix=ghcr-and-aws-
169+ type=raw,value=${{ github.run_id }},prefix=build- ghcr-and-aws-
167170 build-file : test/hello.Dockerfile
168171 build-sbom : true
169172 build-platforms : linux/amd64,linux/arm64
@@ -184,6 +187,7 @@ jobs:
184187 id-token : write
185188 with :
186189 output : ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }}
190+ artifact-name : build-output
187191 build-file : test/hello.Dockerfile
188192 build-sbom : true
189193 build-platforms : linux/amd64,linux/arm64
@@ -218,3 +222,104 @@ jobs:
218222 for (const cmd of cosignVerifyCommands) {
219223 await exec.exec(cmd);
220224 }
225+
226+ bake-aws :
227+ uses : ./.github/workflows/bake.yml
228+ permissions :
229+ contents : read
230+ packages : write
231+ id-token : write
232+ with :
233+ context : test
234+ target : hello-cross
235+ output : ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
236+ cache : true
237+ cache-scope : bake-aws
238+ meta-images : |
239+ public.ecr.aws/q3b5f1u4/test-docker-action
240+ meta-tags : |
241+ type=raw,value=bake-ghbuilder-${{ github.run_id }}
242+ bake-sbom : true
243+ secrets :
244+ registry-auths : |
245+ - registry: public.ecr.aws
246+ username: ${{ secrets.AWS_ACCESS_KEY_ID }}
247+ password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
248+
249+ bake-aws-verify :
250+ runs-on : ubuntu-latest
251+ if : ${{ github.event_name != 'pull_request' }}
252+ needs :
253+ - bake-aws
254+ steps :
255+ -
256+ name : Install Cosign
257+ uses : sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
258+ with :
259+ cosign-release : ${{ needs.bake-aws.outputs.cosign-version }}
260+ -
261+ name : Login to registry
262+ uses : docker/login-action@v3
263+ with :
264+ registry : public.ecr.aws
265+ username : ${{ secrets.AWS_ACCESS_KEY_ID }}
266+ password : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
267+ -
268+ name : Verify signatures
269+ uses : actions/github-script@v8
270+ env :
271+ INPUT_COSIGN-VERSION : ${{ needs.bake-aws.outputs.cosign-version }}
272+ INPUT_COSIGN-VERIFY-COMMANDS : ${{ needs.bake-aws.outputs.cosign-verify-commands }}
273+ with :
274+ script : |
275+ const cosignVersion = core.getInput('cosign-version');
276+ core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
277+ const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
278+ for (const cmd of cosignVerifyCommands) {
279+ await exec.exec(cmd);
280+ }
281+
282+ bake-local :
283+ uses : ./.github/workflows/bake.yml
284+ permissions :
285+ contents : read
286+ packages : write
287+ id-token : write
288+ with :
289+ context : test
290+ target : hello-cross
291+ output : ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }}
292+ cache : true
293+ artifact-name : bake-output
294+ bake-sbom : true
295+
296+ bake-local-verify :
297+ runs-on : ubuntu-latest
298+ if : ${{ github.event_name != 'pull_request' }}
299+ needs :
300+ - bake-local
301+ steps :
302+ -
303+ name : Install Cosign
304+ uses : sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
305+ with :
306+ cosign-release : ${{ needs.bake-local.outputs.cosign-version }}
307+ -
308+ name : Download artifact
309+ uses : actions/download-artifact@v5
310+ with :
311+ name : ${{ needs.bake-local.outputs.artifact-name }}
312+ -
313+ name : Verify signatures
314+ uses : actions/github-script@v8
315+ env :
316+ INPUT_COSIGN-VERSION : ${{ needs.bake-local.outputs.cosign-version }}
317+ INPUT_COSIGN-VERIFY-COMMANDS : ${{ needs.bake-local.outputs.cosign-verify-commands }}
318+ with :
319+ script : |
320+ const cosignVersion = core.getInput('cosign-version');
321+ core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
322+ const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
323+ for (const cmd of cosignVerifyCommands) {
324+ await exec.exec(cmd);
325+ }
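Review bot: The new `bake-aws-verify` and `bake-local-verify` jobs reference `docker/login-action@v3`, `actions/download-artifact@v5` and `actions/github-script@v8` by mutable tag, while `sigstore/cosign-installer` in the same jobs is pinned to a full commit SHA. The login step receives `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY`, so a retagged release of that action would run with those credentials. Pinning all three the same way, e.g. `uses: docker/login-action@<full-commit-sha> # v3`, keeps the signature-verification path itself reproducible. Passing `cosign-verify-commands` through `env` instead of interpolating it into the script is the right shape. Because each line is then handed whole to `exec.exec(cmd)`, a comment above the loop such as `// commands are generated by ./.github/workflows/bake.yml; do not route other outputs through this loop` would record the trust assumption.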