XenitAB · anundsson · Apr 10, 2025 · Mar 4, 2025 · Mar 4, 2025 · Mar 4, 2025
diff --git a/.github/workflows/container-build-template.yml b/.github/workflows/container-build-template.yml
@@ -0,0 +1,53 @@
+name: Docker Build Template
+
+on:
+  workflow_call:
+    inputs:
+      push:
+        type: boolean
+        required: true
+      tag:
+        type: string
+        required: false
+      platforms:
+        type: string
+        required: false
+        default: linux/amd64,linux/arm64
+
+jobs:
+  build:
+    name: Build and Push Container Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.push }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push container image
+        id: build-push
+        uses: docker/build-push-action@v6
+        with:
+          cache-from: "ghcr.io/${{ github.repository }}/tools:latest"
+          file: docker/Dockerfile
+          context: docker
+          tags: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/tools:${{ inputs.tag }}"
+          platforms: ${{ inputs.platforms }}
+          push: ${{ inputs.push }}
+
+      - name: Generate Artifact Attestation
+        if: ${{ inputs.push }}
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build-push.outputs.digest }}
+          push-to-registry: true
diff --git a/.github/workflows/shared-steps.yml b/.github/workflows/shared-steps.yml
diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml
diff --git a/.github/workflows/tools-container-latest.yml b/.github/workflows/tools-container-latest.yml
@@ -0,0 +1,16 @@
+name: Tools Container - Publish Latest
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'docker/**'
+      - '.github/**'
+
+jobs:
+  publish_latest:
+    uses: ./.github/workflows/container-build-template.yml
+    with:
+      push: true
+      tag: "latest"
diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml
@@ -7,19 +7,7 @@ on:
 
 jobs:
   pr_validation:
-    name: PR Validation
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Build container image
-        uses: docker/build-push-action@v2
-        with:
-          cache-from: ghcr.io/xenitab/github-actions/tools:latest
-          file: docker/Dockerfile
-          context: docker
-          push: false
+    uses: ./.github/workflows/container-build-template.yml
+    with:
+      push: false
+      tag: "pr"
diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml
@@ -4,38 +4,22 @@ on:
   release:
     types:
       - published
-    paths:
-      - "docker/**"
-      - ".github/**"
 
 jobs:
-  publish_latest:
-    name: Push tagged container image to GitHub Packages
+  generate_tag:
     runs-on: ubuntu-latest
+    outputs:
+      date_tag: ${{ steps.get_date.outputs.date_tag }}
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Get GitHub Tag
-        id: get_tag
+      - name: Generate Tag
+        id: get_date
         run: |
-          echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+          date=$(date -u +"%Y.%-m.%-d")
+          echo "date_tag=${date}" >> $GITHUB_OUTPUT
 
-      - name: Build and push container image
-        uses: docker/build-push-action@v2
-        with:
-          cache-from: ghcr.io/xenitab/github-actions/tools:latest
-          file: docker/Dockerfile
-          context: docker
-          tags: ghcr.io/xenitab/github-actions/tools:${{ steps.get_tag.outputs.tag }}
-          push: true
+  publish_tag:
+    needs: generate_tag
+    uses: ./.github/workflows/container-build-template.yml
+    with:
+      push: true
+      tag: ${{ needs.generate_tag.outputs.date_tag }}
diff --git a/.github/workflows/tools-lite-container-latest.yml b/.github/workflows/tools-lite-container-latest.yml
diff --git a/.github/workflows/tools-lite-container-pr.yaml b/.github/workflows/tools-lite-container-pr.yaml
diff --git a/.github/workflows/tools-lite-container-tag.yaml b/.github/workflows/tools-lite-container-tag.yaml
diff --git a/.github/workflows/tools-opa-test.yaml b/.github/workflows/tools-opa-test.yaml
@@ -8,9 +8,9 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Setup OPA
-        uses: open-policy-agent/setup-opa@v1
+        uses: open-policy-agent/setup-opa@v2
         with:
-          version: 0.40.0
+          version: 1.3.0
 
       - name: Run OPA Tests
         run: opa test docker/opa-policies/ -v