fix missing ref + macos signing plist #15
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Release Container | |
| on: | |
| push: | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+" | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| # Build a container for x86_64 and aarch64 linux | |
| container: | |
| name: Release Container | |
| strategy: | |
| matrix: | |
| os: ["ubuntu-24.04", "ubuntu-24.04-arm"] | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| attestations: write | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| # Extract needed info for use with the other steps | |
| - id: repo-meta | |
| name: Extract Metadata | |
| shell: bash | |
| run: | | |
| echo "fqdn=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT | |
| echo "name=`basename ${{ github.repository }}`" >> $GITHUB_OUTPUT | |
| - uses: nixbuild/nix-quick-install-action@v30 | |
| with: | |
| nix_conf: ${{ env.nix_conf }} | |
| - name: Restore and save Nix store | |
| uses: nix-community/cache-nix-action@v6 | |
| with: | |
| primary-key: build-${{ runner.os }}-${{ hashFiles('Cargo.lock', '**/Cargo.toml', 'flake.nix', 'flake.lock', 'rust-toolchain.toml') }} | |
| restore-prefixes-first-match: build-${{ runner.os }}- | |
| # We don't want to affect the cache when building the container | |
| purge: false | |
| save: false | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build Container | |
| run: nix run .#streamImage | docker image load | |
| - name: Tag the Container | |
| run: | | |
| docker image tag "${{ steps.repo-meta.outputs.name }}:latest" "${{ steps.repo-meta.outputs.fqdn }}:latest" | |
| docker image tag "${{ steps.repo-meta.outputs.name }}:latest" "${{ steps.repo-meta.outputs.fqdn }}:${{ github.ref_name }}" | |
| - name: Push the Container | |
| run: docker image push --all-tags "${{ steps.repo-meta.outputs.fqdn }}" | |
| - id: digest-meta | |
| name: Extract the digest | |
| shell: bash | |
| run: echo "digest=`docker manifest inspect ${{ steps.repo-meta.outputs.fqdn }}:latest --verbose | nix run nixpkgs#jq -- -r .Descriptor.digest`" >> $GITHUB_OUTPUT | |
| - name: Generate artifact attestation | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-name: ${{ steps.repo-meta.outputs.fqdn }} | |
| subject-digest: ${{ steps.digest-meta.outputs.digest }} | |
| push-to-registry: true |