diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
deleted file mode 100644
index d12ae1991..000000000
--- a/.github/workflows/publish-image.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-name: Publish Runner Image
-
-on:
- workflow_dispatch:
- inputs:
- runnerVersion:
- type: string
- description: Version of the runner being installed
-
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository_owner }}/actions-runner
-
-jobs:
- build:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Compute image version
- id: image
- uses: actions/github-script@v7.0.1
- env:
- RUNNER_VERSION: ${{ github.event.inputs.runnerVersion }}
- with:
- script: |
- const fs = require('fs');
- const inputRunnerVersion = process.env.RUNNER_VERSION;
- if (inputRunnerVersion) {
- console.log(`Using input runner version ${inputRunnerVersion}`)
- core.setOutput('version', inputRunnerVersion);
- return
- }
- const runnerVersion = fs.readFileSync('${{ github.workspace }}/src/runnerversion', 'utf8').replace(/\n$/g, '')
- console.log(`Using runner version ${runnerVersion}`)
- core.setOutput('version', runnerVersion);
-
- - name: Setup Docker buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Log into registry ${{ env.REGISTRY }}
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Build and push Docker image
- id: build-and-push
- uses: docker/build-push-action@v6
- with:
- context: ./images
- platforms: |
- linux/amd64
- linux/arm64
- tags: |
- ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.image.outputs.version }}
- ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- build-args: |
- RUNNER_VERSION=${{ steps.image.outputs.version }}
- push: true
- labels: |
- org.opencontainers.image.source=${{github.server_url}}/${{github.repository}}
- org.opencontainers.image.description=https://github.com/actions/runner/releases/tag/v${{ steps.image.outputs.version }}
- org.opencontainers.image.licenses=MIT
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bdd98156b..2661416c8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -291,6 +291,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
+ attestations: write
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository_owner }}/actions-runner
@@ -336,3 +338,10 @@ jobs:
 org.opencontainers.image.source=${{github.server_url}}/${{github.repository}}
 org.opencontainers.image.description=https://github.com/actions/runner/releases/tag/v${{ steps.image.outputs.version }}
 org.opencontainers.image.licenses=MIT
+
+ - name: Generate attestation
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.build-and-push.outputs.digest }}
+ push-to-registry: true
diff --git a/images/Dockerfile b/images/Dockerfile
index b3b51fa39..39d6bc12e 100644
--- a/images/Dockerfile
+++ b/images/Dockerfile
@@ -1,5 +1,5 @@
 # Source: https://github.com/dotnet/dotnet-docker
-FROM mcr.microsoft.com/dotnet/runtime-deps:8.0-jammy as build
+FROM mcr.microsoft.com/dotnet/runtime-deps:8.0-jammy AS build
 ARG TARGETOS
 ARG TARGETARCH
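Review bot: The `id-token: write` and `attestations: write` scopes added to the `permissions:` block in release.yml (first hunk) are granted to the whole job, so every step in it can request an OIDC token, not only the attestation step added further down. Nothing in the hunk records why the scopes are needed; I would put a comment above them such as `# id-token + attestations: required by actions/attest-build-provenance to sign and upload the provenance`. If the job's other steps do not need them, moving the attestation into its own job that takes the digest as an input would keep the signing scopes away from the build steps. The job definition starts and ends outside this hunk, so its remaining steps are not visible here.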
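Review bot: `uses: actions/attest-build-provenance@v2` in the new "Generate attestation" step of release.yml (second hunk) references a movable tag, and this is the step that signs provenance with the job's OIDC token. Pinning it to a full commit SHA, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v2`, keeps the signing code from changing underneath a release. The step also reads `steps.build-and-push.outputs.digest`, which is defined outside this hunk; presumably the build step keeps `id: build-and-push` and `push: true`, otherwise the digest is empty. If the build is multi-platform, as it was in the removed publish-image.yml, that digest is likely the image index rather than a per-platform manifest, so a one-line comment naming the digest consumers should verify against would help.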