fix pipeline

jkuettner · Mar 12, 2024 · db8661f · db8661f
1 parent a857375
commit db8661f
Showing 1 changed file with 59 additions and 8 deletions.
diff --git a/.github/workflows/publish-images.yml b/.github/workflows/publish-images.yml
@@ -66,21 +66,69 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
+      # DEV
+      - name: Build and push master-server
+        id: build-and-push-master-server-dev
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: ./master-server
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: master-latest
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: Build and push game-server-dev
+        id: build-and-push-game-server
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: ./game-server
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: latest
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign the published master-server image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: master-latest
+          DIGEST: ${{ steps.build-and-push-master-server-dev.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+      - name: Sign the published game-server image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: latest
+          DIGEST: ${{ steps.build-and-push-game-server-dev.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+      # STABLE
       - name: Build and push master-server
         id: build-and-push-master-server
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        on:
+          push:
+            tags:
+              - '**'
         with:
           context: ./master-server
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: master-${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
       - name: Build and push game-server
         id: build-and-push-game-server
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        on:
+          push:
+            tags:
+              - '**'
         with:
           context: ./game-server
           push: ${{ github.event_name != 'pull_request' }}
@@ -89,11 +137,6 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
       - name: Sign the published master-server image
         if: ${{ github.event_name != 'pull_request' }}
         env:
@@ -103,6 +146,10 @@ jobs:
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+        on:
+          push:
+            tags:
+              - '**'
       - name: Sign the published game-server image
         if: ${{ github.event_name != 'pull_request' }}
         env:
@@ -112,3 +159,7 @@ jobs:
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+        on:
+          push:
+            tags:
+              - '**'