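# Manually dispatched workflow that rebuilds the container images for an
# existing ref and publishes them under a timestamp-suffixed tag.
name: Rebuild

on:
  workflow_dispatch:
    inputs:
      ref:
        description: 'ref to rebuild, can be a tag, branch or commit sha.'
        required: true
        default: 'v0.6.1'

# Workflow-wide default is read-only. The publish job below widens its own
# permissions explicitly.
permissions:
  contents: read

jobs:
  # The only output of this job is the timestamp shared by all matrix legs,
  # so every image variant of one rebuild carries the same suffix.
  checkout:
    name: Checkout repo
    runs-on: ubuntu-latest
    outputs:
      timestamp: ${{ steps.timestamp.outputs.timestamp }}
    steps:
      # Actions are pinned to full commit SHAs. The trailing comment records
      # the release each SHA is expected to correspond to.
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a  # v2.13.1
        with:
          # audit records outbound connections but does not block them.
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.ref }}
          # No later step in this job talks to the remote, so the token
          # should not be left behind in the checkout's git config.
          persist-credentials: false
      - name: set timestamp output
        id: timestamp
        # Quote the output file path so the redirect is not word-split.
        run: |
          echo "timestamp=$(date +%s)" >> "$GITHUB_OUTPUT"

  # this rebuilds the image and creates a new tag with a timestamp suffix
  # e.g. v0.6.1-1669145271 and v0.6.1-ubi-1669145271
  publish-artifacts:
    uses: ./.github/workflows/publish.yml
    needs: checkout
    # These scopes are granted to the called workflow for this job only.
    permissions:
      contents: read
      id-token: write  # for keyless sign
      packages: write  # for updating packages
    strategy:
      matrix:
        include:
          # distroless
          - dockerfile: "Dockerfile"
            build-args: "CGO_ENABLED=0"
            build-arch: "amd64 arm64 ppc64le"
            build-platform: "linux/amd64,linux/arm64,linux/ppc64le"
            tag-suffix: "-${{ needs.checkout.outputs.timestamp }}"
          # ubi
          - dockerfile: "Dockerfile.ubi"
            build-args: "CGO_ENABLED=0"
            build-arch: "amd64 arm64 ppc64le"
            build-platform: "linux/amd64,linux/arm64,linux/ppc64le"
            tag-suffix: "-ubi-${{ needs.checkout.outputs.timestamp }}"
          # ubi, fips (boringcrypto); built for amd64 and ppc64le only
          - dockerfile: "Dockerfile.ubi"
            build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto"
            build-arch: "amd64 ppc64le"
            build-platform: "linux/amd64,linux/ppc64le"
            tag-suffix: "-ubi-boringssl-${{ needs.checkout.outputs.timestamp }}"
    # NOTE(review): the dispatch input is forwarded verbatim as both `ref` and
    # `image-tag` to a job that holds id-token: write and packages: write.
    # publish.yml is not visible from this file. Confirm it treats these
    # inputs as data (passed through env, not interpolated into run scripts)
    # and rejects refs that are not valid image tags (e.g. branch names
    # containing '/').
    with:
      dockerfile: ${{ matrix.dockerfile }}
      tag-suffix: ${{ matrix.tag-suffix }}
      image-name: ghcr.io/${{ github.repository }}
      build-platform: ${{ matrix.build-platform }}
      build-args: ${{ matrix.build-args }}
      build-arch: ${{ matrix.build-arch }}
      ref: ${{ github.event.inputs.ref }}
      image-tag: ${{ github.event.inputs.ref }}
      username: ${{ github.actor }}
    secrets:
      # NOTE(review): the secret is named IS_FORK but carries GHCR_USERNAME.
      # Presumably publish.yml uses its emptiness to detect forks; verify
      # against the called workflow.
      IS_FORK: ${{ secrets.GHCR_USERNAME }}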