.github/workflows/docker-publish.yml

name: Docker

on:
  workflow_dispatch:
  push:
    tags: [ 'v*.*.*' ]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Install Nix
      - name: Install Nix
        uses: cachix/install-nix-action@v27
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}

      # Build the Docker image using Nix flake
      - name: Build Docker image with Nix
        run: nix build .#docker --out-link ./docker-result

      # Log into the Docker registry
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Push the built Docker image to the registry
      - name: Push Docker image
        run: |
          REGISTRY=$(echo "${{ env.REGISTRY }}" | tr '[:upper:]' '[:lower:]')
          IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
          docker load -i ./docker-result
          IMAGE_ID=$(docker images --format '{{.ID}}' | head -n 1)
          docker tag ${IMAGE_ID} ${REGISTRY}/${IMAGE_NAME}:latest
          docker push ${REGISTRY}/${IMAGE_NAME}:latest
        env:
          IMAGE_NAME: ${{ env.IMAGE_NAME}}
          REGISTRY: ${{ env.REGISTRY}}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Install Cosign
      - name: Install Cosign
        run: |
          curl -Lo cosign https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
          chmod +x cosign
          sudo mv cosign /usr/local/bin/

      # Sign the resulting Docker image digest
      - name: Sign the published Docker image
        env:
          TAGS: ${{ env.IMAGE_NAME}}
        run: |
          REGISTRY=$(echo "${{ env.REGISTRY }}" | tr '[:upper:]' '[:lower:]')
          IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
          DIGEST=$(skopeo inspect docker://${REGISTRY}/${IMAGE_NAME}:latest --format "{{.Digest}}")
          echo "${IMAGE_NAME}" | xargs -I {} cosign sign --yes {}@${DIGEST}