diff --git a/.github/workflows/build-docker-image.yml b/.github/workflows/build-docker-image.yml
index 5d9c89d..8e8ca3a 100644
--- a/.github/workflows/build-docker-image.yml
+++ b/.github/workflows/build-docker-image.yml
@@ -3,9 +3,12 @@ name: Docker build and push to quay
 on:
 push:
 branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
 release:
 types: [ "published" ]
+
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
@@ -17,6 +20,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ attestations: write
+ id-token: write
 steps:
 - name: Checkout repository
@@ -26,7 +31,7 @@ jobs:
 uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
+ username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Extract metadata (tags, labels) for Docker
@@ -34,6 +39,13 @@ jobs:
 uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ labels: | org.opencontainers.image.title=pipeline-of-identification org.opencontainers.image.description=Tools used in the pipeline-of-identification org.opencontainers.image.url=${{ github.event.repository.html_url }} org.opencontainers.image.source=${{ github.event.repository.html_url }}
+ flavor: | # always generate latest tag
+ latest=true
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
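Review bot: The new `pull_request` trigger runs the whole job on PR builds, including the `docker/login-action` step (third hunk) that authenticates to `${{ env.REGISTRY }}` with `secrets.GITHUB_TOKEN`, while only the attestation step and the `push` input are gated on the event. Gate the login step the same way, `if: ${{ github.event_name != 'pull_request' }}`, so a build of a Dockerfile taken from the PR branch runs without registry credentials sitting in the runner's Docker config. Since the trigger is `pull_request` rather than `pull_request_target`, fork PRs get a read-only token, but same-repository PRs still run with the job's write scopes.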
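Review bot: `attestations: write` and `id-token: write` are added at job level, so they are also granted to `pull_request` runs even though the attestation step is skipped for that event, and permissions cannot be made event-conditional inside a single job. If the PR run is meant to be a build-only check, a separate job with `contents: read` alone (and the write scopes kept on the push/release job) would avoid minting an OIDC token for a run that never uses it. The enclosing `permissions:` block and `jobs:` definition continue outside the hunk.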
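Review bot: `flavor: latest=true` forces the `latest` tag on every run, and the workflow also fires on `release: types: [ "published" ]`, which to my understanding includes published pre-releases, so a pre-release would move `latest` away from the last stable image. If that is not intended, either drop the `flavor` override and rely on the action's default `latest` handling, or make it conditional, for example `latest=${{ !github.event.release.prerelease }}` (true on pushes, where `github.event.release` is absent, and on non-pre-release releases). The four `org.opencontainers.image.*` label lines appear to have lost their `+` markers in this rendering; they are counted as added lines by the hunk header.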
@@ -44,13 +56,15 @@ jobs:
 with:
 context: .
 file: ./docker/python/Dockerfile
- push: true
+ platforms: linux/amd64
+ push: ${{ github.event_name != 'pull_request' }} # do not push for pull requests
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 - name: Generate artifact attestation
+ if: ${{ github.event_name != 'pull_request' }} # do not attest for pull requests
 uses: actions/attest-build-provenance@v2
 with:
 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 subject-digest: ${{ steps.push.outputs.digest }}
- push-to-registry: true
+ push-to-registry: ${{ github.event_name != 'pull_request' }}
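Review bot: `push-to-registry: ${{ github.event_name != 'pull_request' }}` duplicates the `if:` added on the same step a few lines above; whenever the step runs at all the expression is already true, so `push-to-registry: true` says the same thing with one gate per step. `subject-digest: ${{ steps.push.outputs.digest }}` depends on the build step carrying `id: push`, and that step's `uses:`/`id:` lines sit above this hunk, so worth confirming. The new `platforms: linux/amd64` pins a single platform, which presumably matches the previous runner default but means the attested image is amd64-only; if that is deliberate a short comment on the line would save the next reader the question.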