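---
# Builds the opencost container image, publishes it to the registry under
# the short-SHA, `latest` and `<version>` tags, and, for tag-triggered runs
# only, signs the versioned image and attests SLSA provenance.
name: Build and Publish Release

on:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
  workflow_dispatch:
    inputs:
      release_version:
        description: "Version of the release"
        required: true

# No default permissions; the job below grants only what it needs.
permissions: {}

# NOTE(review): with cancel-in-progress, a second release started while one
# is still publishing can cancel it after the image has been pushed but
# before the tags are copied or the image is signed. Set it to false if a
# half-published release is worse than a queued one.
concurrency:
  group: build-opencost
  cancel-in-progress: true

env:
  # Registry host used for the login step and as the prefix of every image
  # reference built below. Must be non-empty.
  REGISTRY: ghcr.io

jobs:
  build-and-publish-opencost:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout
      packages: write  # push images with GITHUB_TOKEN
      id-token: write  # OIDC token for keyless signing
    steps:
      # On a tag push GITHUB_REF is `refs/tags/vX.Y.Z`; export the bare tag.
      # The condition must be a plain expression: the previous
      # `${{ github.event_name }} == 'push'` interpolated to the non-empty
      # string `push == 'push'` / `workflow_dispatch == 'push'`, which is
      # always truthy, so the step also ran on workflow_dispatch and set
      # TRIGGERED_TAG to the branch name instead of leaving it unset.
      - name: Get Version From Tag
        id: tag
        if: github.event_name == 'push'
        run: |
          echo "TRIGGERED_TAG=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"

      # Resolve the version from the tag (push) or the dispatch input, strip
      # a leading `v`, and fail early on anything that does not look like a
      # version so a bad input cannot turn into a bogus checkout ref or
      # image tag further down.
      - name: Determine Version Number
        id: version_number
        env:
          RELEASE_VERSION: ${{ inputs.release_version }}
        run: |
          if [ -z "${TRIGGERED_TAG:-}" ]; then
            version="$RELEASE_VERSION"
          else
            version="$TRIGGERED_TAG"
          fi
          if [ -z "$version" ]; then
            echo "::error::No release version: neither a tag nor the release_version input was provided"
            exit 1
          fi
          # Accept `vX.Y.Z` or `X.Y.Z`; a trailing pre-release suffix is tolerated.
          if [[ ! "$version" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+ ]]; then
            echo "::error::Invalid release version '${version}'"
            exit 1
          fi
          echo "RELEASE_VERSION=${version#v}" >> "$GITHUB_OUTPUT"

      - name: Show Input Values
        env:
          RELEASE_VERSION: ${{ inputs.release_version }}
        run: |
          echo "release version: $RELEASE_VERSION"

      # Release branches are named after the major.minor of the version,
      # e.g. 1.2.3 -> v1.2.
      - name: Make Branch Name
        id: branch
        env:
          RELEASE_VERSION: ${{ steps.version_number.outputs.RELEASE_VERSION }}
        run: |
          echo "BRANCH_NAME=v${RELEASE_VERSION%.*}" >> "$GITHUB_OUTPUT"

      # NOTE(review): third-party actions in this workflow are pinned to
      # tags, which are mutable; pin them to full commit SHAs for a release
      # pipeline. If nothing after checkout needs git credentials, also set
      # `persist-credentials: false` so the token is not left in .git/config.
      - name: Checkout Repo
        uses: actions/checkout@v6.0.2
        with:
          ref: '${{ steps.branch.outputs.BRANCH_NAME }}'

      - name: Set SHA
        id: sha
        run: |
          echo "OC_SHORTHASH=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"

      # All three references share the registry prefix so that REGISTRY is
      # the single place to change where images go.
      - name: Set OpenCost Image Tags
        id: tags
        env:
          REGISTRY: ${{ env.REGISTRY }}
          REPO_OWNER: ${{ github.repository_owner }}
          RELEASE_VERSION: ${{ steps.version_number.outputs.RELEASE_VERSION }}
          OC_SHORTHASH: ${{ steps.sha.outputs.OC_SHORTHASH }}
        run: |
          image="${REGISTRY}/${REPO_OWNER}/opencost"
          echo "IMAGE_TAG=${image}:${OC_SHORTHASH}" >> "$GITHUB_OUTPUT"
          echo "IMAGE_TAG_LATEST=${image}:latest" >> "$GITHUB_OUTPUT"
          echo "IMAGE_TAG_VERSION=${image}:${RELEASE_VERSION}" >> "$GITHUB_OUTPUT"

      - name: Build and publish container
        uses: ./.github/actions/build-container
        with:
          actor: ${{ github.actor }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          image_tag: ${{ steps.tags.outputs.IMAGE_TAG }}
          release_version: ${{ steps.version_number.outputs.RELEASE_VERSION }}

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install crane
        uses: imjasonh/setup-crane@v0.5

      # NOTE(review): both copies resolve IMAGE_TAG by tag, so the `latest`
      # and version tags are whatever that tag points at when this step
      # runs, not necessarily the image the previous step built. Resolving
      # the digest once (`crane digest`) and copying/signing by
      # `<image>@sha256:...` would remove that window.
      - name: Copy tags
        env:
          IMAGE_TAG: ${{ steps.tags.outputs.IMAGE_TAG }}
          IMAGE_TAG_LATEST: ${{ steps.tags.outputs.IMAGE_TAG_LATEST }}
          IMAGE_TAG_VERSION: ${{ steps.tags.outputs.IMAGE_TAG_VERSION }}
        run: |
          crane copy "$IMAGE_TAG" "$IMAGE_TAG_LATEST"
          crane copy "$IMAGE_TAG" "$IMAGE_TAG_VERSION"

      - name: Sign image and attest SLSA provenance
        # Only sign tag-triggered releases; workflow_dispatch runs produce a
        # non-tag GITHUB_REF, so the Fulcio certificate identity would not
        # match the `refs/tags/vX.Y.Z` pattern documented in SECURITY.md.
        if: github.event_name == 'push'
        uses: ./.github/actions/sign-image
        with:
          image: ${{ steps.tags.outputs.IMAGE_TAG_VERSION }}
          workflow-path: .github/workflows/build-and-publish-release.yml
          run-started-at: ${{ github.run_started_at }}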