Publish Image to Docker Hub #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Image to Docker Hub | |
| on: | |
| workflow_call: {} | |
| workflow_dispatch: {} # Manual trigger for testing | |
| concurrency: ${{ github.workflow }}-${{ github.ref }} | |
| jobs: | |
| build-and-push-image: | |
| # Restrict to home repository and main branch only for security | |
| if: github.repository == 'KemingHe/python-dependency-manager-companion-mcp-server' && github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # Minimum: checkout repository | |
| attestations: write # Required: artifact attestation | |
| id-token: write # Required: OIDC token for attestation | |
| environment: docker-hub-publish | |
| env: | |
| # Docker requires lowercase names for both images and cache references | |
| IMAGE_NAME: py-dep-man-companion | |
| REPO_NAME: ${{ vars.DOCKERHUB_USERNAME }}/py-dep-man-companion | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Log in to Docker Hub | |
| # Pinned 3rd party action to commit hash of release v3.4.0 on 2025-03-14 to prevent supply chain attacks | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| # Pinned 3rd party action to commit hash of release v5.7.0 on 2025-02-26 to prevent supply chain attacks | |
| uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 | |
| with: | |
| images: ${{ env.REPO_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=schedule,pattern=weekly-{{date 'YYYYMMDD'}} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| # Add support for more platforms, i.e. linux/arm64 (macOS M1/M2) with QEMU | |
| - name: Set up QEMU | |
| # Pinned 3rd party action to commit hash of release v3.6.0 on 2025-02-28 to prevent supply chain attacks | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 | |
| # Enable advanced build features like cache export | |
| - name: Set up Docker Buildx | |
| # Pinned 3rd party action to commit hash of release v3.11.1 on 2025-06-18 to prevent supply chain attacks | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 | |
| - name: Build and push Docker image | |
| id: push | |
| # Pinned 3rd party action to commit hash of release v6.18.0 on 2025-05-27 to prevent supply chain attacks | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 | |
| with: | |
| context: . | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| BUILD_DATE=${{ github.event.head_commit.timestamp }} | |
| VCS_REF=${{ github.sha }} | |
| - name: Generate artifact attestation | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-name: index.docker.io/${{ env.REPO_NAME }} | |
| subject-digest: ${{ steps.push.outputs.digest }} | |
| push-to-registry: true |