name: Publish DockerImage from Release Branch on: workflow_dispatch: inputs: releaseBranch: description: 'Release Branch (releases/mXXX)' required: true jobs: publish-image: runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write attestations: write env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository_owner }}/actions-runner steps: - name: Checkout repository uses: actions/checkout@v6 with: ref: ${{ github.event.inputs.releaseBranch }} - name: Compute image version id: image uses: actions/github-script@v8 with: script: | const fs = require('fs'); const runnerVersion = fs.readFileSync('${{ github.workspace }}/releaseVersion', 'utf8').replace(/\n$/g, ''); console.log(`Using runner version ${runnerVersion}`); if (!/^\d+\.\d+\.\d+$/.test(runnerVersion)) { throw new Error(`Invalid runner version: ${runnerVersion}`); } core.setOutput('version', runnerVersion); - name: Setup Docker buildx uses: docker/setup-buildx-action@v3 - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@v6 with: context: ./images platforms: | linux/amd64 linux/arm64 tags: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.image.outputs.version }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest build-args: | RUNNER_VERSION=${{ steps.image.outputs.version }} push: true labels: | org.opencontainers.image.source=${{github.server_url}}/${{github.repository}} org.opencontainers.image.licenses=MIT annotations: | org.opencontainers.image.description=https://github.com/actions/runner/releases/tag/v${{ steps.image.outputs.version }} - name: Generate attestation uses: actions/attest-build-provenance@v3 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build-and-push.outputs.digest }} push-to-registry: true