name: Rebuild on: workflow_dispatch: inputs: ref: description: 'ref to rebuild, can be a tag, branch or commit sha.' required: true default: 'v0.6.1' permissions: contents: read jobs: checkout: name: Checkout repo runs-on: ubuntu-latest outputs: timestamp: ${{ steps.timestamp.outputs.timestamp }} steps: - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 ref: ${{ github.event.inputs.ref }} - name: set timestamp output id: timestamp run: | echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT # this rebuilds the image and creates a new tag with a timestamp suffix # e.g. v0.6.1-1669145271 and v0.6.1-ubi-1669145271 publish-artifacts: uses: ./.github/workflows/publish.yml needs: checkout permissions: contents: read id-token: write #for keyless sign packages: write #for updating packages strategy: matrix: include: - dockerfile: "Dockerfile" build-args: "CGO_ENABLED=0" build-arch: "amd64 arm64 ppc64le" build-platform: "linux/amd64,linux/arm64,linux/ppc64le" tag-suffix: "-${{ needs.checkout.outputs.timestamp }}" # distroless - dockerfile: "Dockerfile.ubi" build-args: "CGO_ENABLED=0" build-arch: "amd64 arm64 ppc64le" build-platform: "linux/amd64,linux/arm64,linux/ppc64le" tag-suffix: "-ubi-${{ needs.checkout.outputs.timestamp }}" # ubi - dockerfile: "Dockerfile.ubi" build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto" # fips build-arch: "amd64 ppc64le" build-platform: "linux/amd64,linux/ppc64le" tag-suffix: "-ubi-boringssl-${{ needs.checkout.outputs.timestamp }}" with: dockerfile: ${{ matrix.dockerfile }} tag-suffix: ${{ matrix.tag-suffix }} image-name: ghcr.io/${{ github.repository }} build-platform: ${{ matrix.build-platform }} build-args: ${{ matrix.build-args }} build-arch: ${{ matrix.build-arch }} ref: ${{ github.event.inputs.ref }} image-tag: ${{ github.event.inputs.ref }} username: ${{ github.actor }} secrets: IS_FORK: ${{ secrets.GHCR_USERNAME }}