Add release workflow #2
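# Release workflow: builds the dstack-sysbox-installer image, pushes it to
# Docker Hub, attaches a SLSA provenance attestation to it, and publishes a
# GitHub Release whose notes carry the image reference, digest and the cosign
# verification command.
#
# Triggers: a pushed tag `v*` (VERSION = tag without the leading `v`) or a
# manual dispatch (VERSION = UTC timestamp). Note that on a manual run the
# OIDC identity of the attestation carries a branch ref, not `refs/tags/v…`,
# so the verification command in the release notes only matches tag-driven
# releases.
#
# NOTE(review): third-party actions are referenced by mutable major tags
# (`@v1`, `@v3`, …); pin them to a full commit SHA for a release pipeline.
name: Sysbox Installer Release

on:
  workflow_dispatch:
  push:
    tags:
      - 'v*'

# Least privilege for the default GITHUB_TOKEN:
#   contents: write     - create the GitHub Release
#   id-token: write     - OIDC token for Sigstore signing of the attestation
#   attestations: write - store the attestation on GitHub
# `packages: write` (GHCR) was dropped: the image and its attestation are
# pushed to Docker Hub with the Docker Hub credentials, not to ghcr.io.
permissions:
  attestations: write
  id-token: write
  contents: write

jobs:
  build-and-release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # VERSION is exported through GITHUB_ENV and read by every later step.
      # The event name is read from the runner-provided environment variable
      # rather than interpolated into the script with ${{ }}, so the shell
      # never sees workflow-expression output.
      - name: Parse version from tag or generate timestamp
        run: |
          if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
            VERSION=$(date -u +%Y%m%d%H%M%S)
            echo "Manual trigger - using timestamp: $VERSION"
          else
            VERSION=${GITHUB_REF#refs/tags/v}
            echo "Tag trigger - parsed version: $VERSION"
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Full commit hash of the checked-out revision, passed into the image
      # build as DSTACK_REV so the artifact records what it was built from.
      - name: Record Git revision
        run: |
          echo "GIT_REV=$(git rev-parse HEAD)" >> "$GITHUB_ENV"

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: docker/Dockerfile
          push: true
          tags: ${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer:${{ env.VERSION }}
          platforms: linux/amd64
          # Buildx's own provenance attestation is disabled; the provenance
          # for this image is produced by the attest step below instead
          # (presumably also so `outputs.digest` refers to the plain image
          # manifest — confirm against the build-push-action docs).
          provenance: false
          build-args: |
            DSTACK_REV=${{ env.GIT_REV }}

      # Signs a SLSA provenance statement for the pushed digest with the job's
      # OIDC identity and stores it both on GitHub and in the registry.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: "docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer"
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          push-to-registry: true

      # `tag_name` is given explicitly: on a tag push it equals the pushed tag
      # (VERSION is the tag minus `v`), and on a manual run — where the ref is
      # a branch, not a tag — the release is created under the generated
      # timestamp version instead of falling back to the ref name.
      - name: GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: v${{ env.VERSION }}
          name: "Sysbox Installer Release v${{ env.VERSION }}"
          body: |
            ## Docker Image Information
            **Image**: `docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer:${{ env.VERSION }}`
            **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}`
            **Verification**: [Verify on Sigstore](https://search.sigstore.dev/?hash=${{ steps.build-and-push.outputs.digest }})
            ## Installation
            ```bash
            docker run --rm --privileged --pid=host --net=host -v /:/host \
              docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer:${{ env.VERSION }}
            ```
            ## Verify Image Attestation
            ```bash
            # Install cosign
            curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
            sudo mv cosign-linux-amd64 /usr/local/bin/cosign
            sudo chmod +x /usr/local/bin/cosign
            # Verify the image
            cosign verify-attestation \
              --type https://slsa.dev/provenance/v1 \
              --certificate-identity-regexp "^https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/tags/v${{ env.VERSION }}$" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer@${{ steps.build-and-push.outputs.digest }}
            ```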