Stirling-PDF/.github/workflows/push-docker-base.yml

name: Push Docker Base Image

on:
  push:
    branches:
      - baseDockerImage
      - accessIssueFix
  workflow_dispatch:
    inputs:
      version:
        description: 'Base image version (e.g., 1.0.0, 1.0.1)'
        required: true
        type: string

permissions:
  contents: read

jobs:
  push-base:
    if: ${{ vars.CI_PROFILE != 'lite' && github.actor == 'Frooodle' }}
    runs-on: ubuntu-24.04-8core
    permissions:
      packages: write
      id-token: write
    steps:
      - name: Verify authorized user
        run: |
          if [ "${{ github.actor }}" != "Frooodle" ]; then
            echo "Error: Only Frooodle is authorized to run this workflow"
            exit 1
          fi

      - name: Set version
        id: version
        run: |
          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
            VERSION="${{ github.event.inputs.version }}"
          elif [ "${{ github.ref_name }}" == "accessIssueFix" ]; then
            VERSION="1.0.3"
          else
            VERSION="1.0.0"
          fi
          echo "version=${VERSION}" >> $GITHUB_OUTPUT

      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Login to Docker Hub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_API }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      - name: Convert repository owner to lowercase
        id: repoowner
        run: echo "lowercase=$(echo ${{ github.repository_owner }} | awk '{print tolower($0)}')" >> $GITHUB_OUTPUT

      - name: Generate tags for base image
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: |
            ${{ secrets.DOCKER_HUB_ORG_USERNAME }}/stirling-pdf-base
            ghcr.io/${{ steps.repoowner.outputs.lowercase }}/stirling-pdf-base
          tags: |
            type=raw,value=${{ steps.version.outputs.version }}

      - name: Build and push base image
        id: build-push-base
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          builder: ${{ steps.buildx.outputs.name }}
          context: docker/base
          file: ./docker/base/Dockerfile
          push: true
          cache-from: type=gha,scope=stirling-pdf-base
          cache-to: type=gha,mode=max,scope=stirling-pdf-base
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64/v8
          provenance: true
          sbom: true

      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: "v2.4.1"

      - name: Sign base images
        env:
          DIGEST: ${{ steps.build-push-base.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          if [ -n "$COSIGN_PRIVATE_KEY" ]; then
            echo "$TAGS" | tr ',' '\n' | while read -r tag; do
              cosign sign --yes \
                --key env://COSIGN_PRIVATE_KEY \
                "${tag}@${DIGEST}"
            done
          else
            echo "Warning: COSIGN_PRIVATE_KEY not set, skipping image signing"
          fi