name: Push Docker Image with VersionNumber on: workflow_dispatch: push: branches: - master - main permissions: contents: read packages: write id-token: write jobs: push: runs-on: ubuntu-latest permissions: packages: write steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up JDK 17 uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 with: java-version: "17" distribution: "temurin" - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 with: gradle-version: 8.7 - name: Run Gradle Command run: ./gradlew clean build env: DOCKER_ENABLE_SECURITY: false - name: Install cosign uses: sigstore/cosign-installer@v3.7.0 with: cosign-release: 'v2.4.1' - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Get version number id: versionNumber run: echo "versionNumber=$(./gradlew printVersion --quiet | tail -1)" >> $GITHUB_OUTPUT - name: Login to Docker Hub uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_API }} - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Convert repository owner to lowercase id: repoowner run: echo "lowercase=$(echo ${{ github.repository_owner }} | awk '{print tolower($0)}')" >> $GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | ${{ secrets.DOCKER_HUB_USERNAME }}/s-pdf ghcr.io/${{ steps.repoowner.outputs.lowercase }}/s-pdf ghcr.io/${{ steps.repoowner.outputs.lowercase }}/stirling-pdf ${{ secrets.DOCKER_HUB_ORG_USERNAME }}/stirling-pdf tags: | type=raw,value=${{ steps.versionNumber.outputs.versionNumber }},enable=${{ github.ref == 'refs/heads/master' }} type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} type=raw,value=alpha,enable=${{ github.ref == 'refs/heads/main' }} - name: Build and push main Dockerfile id: build-push-regular uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: builder: ${{ steps.buildx.outputs.name }} context: . file: ./Dockerfile push: true cache-from: type=gha cache-to: type=gha,mode=max tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }} platforms: linux/amd64,linux/arm64/v8 provenance: true sbom: true - name: Sign regular images env: DIGEST: ${{ steps.build-push-regular.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} run: | # Always sign images regardless of branch echo "$TAGS" | tr ',' '\n' | while read -r tag; do cosign sign --yes "${tag}@${DIGEST}" done # For alpha builds specifically, we want to ensure they're marked as development builds if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then echo "Signing alpha build with development attestation" echo "$TAGS" | tr ',' '\n' | while read -r tag; do if [[ $tag == *":alpha" ]]; then cosign attest --predicate <(echo '{"type":"development"}') --yes "${tag}@${DIGEST}" fi done fi - name: Generate tags ultra-lite id: meta2 uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 if: github.ref != 'refs/heads/main' with: images: | ${{ secrets.DOCKER_HUB_USERNAME }}/s-pdf ghcr.io/${{ steps.repoowner.outputs.lowercase }}/s-pdf ghcr.io/${{ steps.repoowner.outputs.lowercase }}/stirling-pdf ${{ secrets.DOCKER_HUB_ORG_USERNAME }}/stirling-pdf tags: | type=raw,value=${{ steps.versionNumber.outputs.versionNumber }}-ultra-lite,enable=${{ github.ref == 'refs/heads/master' }} type=raw,value=latest-ultra-lite,enable=${{ github.ref == 'refs/heads/master' }} - name: Build and push Dockerfile-ultra-lite id: build-push-lite uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 if: github.ref != 'refs/heads/main' with: context: . file: ./Dockerfile-ultra-lite push: true cache-from: type=gha cache-to: type=gha,mode=max tags: ${{ steps.meta2.outputs.tags }} labels: ${{ steps.meta2.outputs.labels }} build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }} platforms: linux/amd64,linux/arm64/v8 provenance: true sbom: true - name: Sign ultra-lite images if: github.ref != 'refs/heads/main' env: DIGEST: ${{ steps.build-push-lite.outputs.digest }} TAGS: ${{ steps.meta2.outputs.tags }} run: | echo "$TAGS" | tr ',' '\n' | while read -r tag; do cosign sign --yes "${tag}@${DIGEST}" done - name: Generate tags fat id: meta3 uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 if: github.ref != 'refs/heads/main' with: images: | ${{ secrets.DOCKER_HUB_USERNAME }}/s-pdf ghcr.io/${{ steps.repoowner.outputs.lowercase }}/s-pdf ghcr.io/${{ steps.repoowner.outputs.lowercase }}/stirling-pdf ${{ secrets.DOCKER_HUB_ORG_USERNAME }}/stirling-pdf tags: | type=raw,value=${{ steps.versionNumber.outputs.versionNumber }}-fat,enable=${{ github.ref == 'refs/heads/master' }} type=raw,value=latest-fat,enable=${{ github.ref == 'refs/heads/master' }} - name: Build and push main Dockerfile fat id: build-push-fat uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 if: github.ref != 'refs/heads/main' with: builder: ${{ steps.buildx.outputs.name }} context: . file: ./Dockerfile-fat push: true cache-from: type=gha cache-to: type=gha,mode=max tags: ${{ steps.meta3.outputs.tags }} labels: ${{ steps.meta3.outputs.labels }} build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }} platforms: linux/amd64,linux/arm64/v8 provenance: true sbom: true - name: Sign fat images if: github.ref != 'refs/heads/main' env: DIGEST: ${{ steps.build-push-fat.outputs.digest }} TAGS: ${{ steps.meta3.outputs.tags }} run: | echo "$TAGS" | tr ',' '\n' | while read -r tag; do cosign sign --yes "${tag}@${DIGEST}" done