.github/workflows/container-push.yml

name: Container Push

on:
  workflow_call:
    inputs:
      name:
        description: 'A short name for the container image. Will be used to create the image path and set the title.'
        required: true
        type: string
      tag:
        description: 'Container image tag to push. Normally it will be the GITHUB_REF_NAME env variable'
        required: true
        type: string
      latest:
        description: 'Denotes if the `latest` tag should be generated or not'
        required: false
        type: boolean
        default: false
      registry_org:
        description: 'The registry organization to push to'
        default: '${{ github.repository_owner }}'
        required: false
        type: string
      dockerfile_path:
        description: 'The relative path to the Dockerfile to build.'
        default: 'Dockerfile'
        required: false
        type: string
      build_context:
        description: 'The path to the context to build the container from.'
        default: '.'
        required: false
        type: string
      licenses:
        description: 'The licenses under which the container is distributed.'
        default: 'Apache-2.0'
        required: false
        type: string
      vendor:
        description: 'The vendor of the container.'
        default: 'Equinix, Inc.'
        required: false
        type: string
      platforms:
        description: 'The platforms to build the container for.'
        default: 'linux/amd64'
        required: false
        type: string

env:
  COSIGN_EXPERIMENTAL: 1

jobs:
  container:
    runs-on: ubuntu-latest

    permissions:
      packages: write
      contents: read

    outputs:
      image-digest: ${{ steps.container_info.outputs.image-digest }}
      image-tags: ${{ steps.container_info.outputs.image-tags }}

    steps:
      - name: Checkout
        uses: actions/checkout@v4.0.0

      - name: Login to ghcr.io
        uses: docker/login-action@v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Get input with Github Environment Variable reference
        id: get_inputs
        run: |
          echo "name=${{ inputs.name }}" >> $GITHUB_OUTPUT
          echo "tag=${{ inputs.tag }}" >> $GITHUB_OUTPUT
          echo "latest=${{ inputs.latest }}" >> $GITHUB_OUTPUT
          echo "registry_org=${{ inputs.registry_org }}" >> $GITHUB_OUTPUT
          echo "dockerfile_path=${{ inputs.dockerfile_path }}" >> $GITHUB_OUTPUT
          echo "build_context=${{ inputs.build_context }}" >> $GITHUB_OUTPUT
          echo "licenses=${{ inputs.licenses }}" >> $GITHUB_OUTPUT
          echo "vendor=${{ inputs.vendor }}" >> $GITHUB_OUTPUT
          echo "platforms=${{ inputs.platforms }}" >> $GITHUB_OUTPUT
          echo "github_server_url=${GITHUB_SERVER_URL}" >> $GITHUB_OUTPUT
          echo "github_repository=${GITHUB_REPOSITORY}" >> $GITHUB_OUTPUT

      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ steps.get_inputs.outputs.registry_org }}/${{ steps.get_inputs.outputs.name }}
          tags: |
            type=raw,value=${{ steps.get_inputs.outputs.tag}}
            type=sha,format=long
            type=raw,value=latest,enable=${{ steps.get_inputs.outputs.latest }}
          labels: |

            org.opencontainers.image.source=${{ steps.get_inputs.outputs.github_server_url }}/${{ steps.get_inputs.outputs.github_repository }}
            org.opencontainers.image.title=${{ steps.get_inputs.outputs.name }}
            org.opencontainers.image.version=${{ steps.get_inputs.outputs.tag }}
            org.opencontainers.image.licenses=${{ steps.get_inputs.outputs.licenses }}
            org.opencontainers.image.vendor=${{ steps.get_inputs.outputs.vendor }}
      - name: Build container images and push
        id: docker_build
        uses: docker/build-push-action@v5
        with:
          context: ${{ steps.get_inputs.outputs.build_context }}
          file: ${{ steps.get_inputs.outputs.dockerfile_path }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          push: true
          platforms: ${{ steps.get_inputs.outputs.platforms }}

      - name: Get container info
        id: container_info
        run: |
          image_tags="${{ steps.get_inputs.outputs.tag }},sha-$(git rev-parse HEAD)"
          echo "image-digest=${{ steps.docker_build.outputs.digest }}" >> $GITHUB_OUTPUT
          echo "image-tags=${image_tags}" >> $GITHUB_OUTPUT

  sign:
    runs-on: ubuntu-latest
    needs: [container]

    permissions:
      packages: write
      id-token: write

    env:
      IMAGE_DIGEST: ${{ needs.container.outputs.image-digest }}

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3.1.2

      - name: Login to ghcr.io
        uses: docker/login-action@v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Sign image
        run: |
          cosign sign -y "ghcr.io/${{ inputs.registry_org }}/${{ inputs.name }}@${IMAGE_DIGEST}"
          echo "::notice title=Verify signature::COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/${{ inputs.registry_org }}/${{ inputs.name }}@${IMAGE_DIGEST} | jq '.[0]'"
          echo "::notice title=Inspect signature bundle::COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/${{ inputs.registry_org }}/${{ inputs.name }}@${IMAGE_DIGEST} | jq '.[0].optional.Bundle.Payload.body |= @base64d | .[0].optional.Bundle.Payload.body | fromjson'"
          echo "::notice title=Inspect certificate::COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/${{ inputs.registry_org }}/${{ inputs.name }}@${IMAGE_DIGEST} | jq -r '.[0].optional.Bundle.Payload.body |= @base64d | .[0].optional.Bundle.Payload.body | fromjson | .spec.signature.publicKey.content |= @base64d | .spec.signature.publicKey.content' | openssl x509 -text"
  sbom:
    runs-on: ubuntu-latest
    needs: [container]

    permissions:
      packages: write
      id-token: write

    env:
      IMAGE_DIGEST: ${{ needs.container.outputs.image-digest }}

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3.1.2

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@v0.14.3

      - name: Login to ghcr.io
        uses: docker/login-action@v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Attach SBOM to image
        run: |
          syft "ghcr.io/${{ inputs.registry_org }}/${{ inputs.name }}@${IMAGE_DIGEST}" -o spdx-json=sbom-spdx.json
          cosign attest -y --predicate sbom-spdx.json --type spdx "ghcr.io/${{ inputs.registry_org }}/${{ inputs.name }}@${IMAGE_DIGEST}"
          echo "::notice title=Verify SBOM attestation::COSIGN_EXPERIMENTAL=1 cosign verify-attestation ghcr.io/${{ inputs.registry_org }}/${{ inputs.name }}@${IMAGE_DIGEST} | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType == \"https://spdx.dev/Document\") | .predicate.Data | fromjson'"