feat: enhance CI/CD workflows with Docker support and artifact management (#1977)

* feat: enhance CI/CD workflows with Docker support and artifact management * chore: update GitHub Actions workflows with version pinning and permission adjustments * feat: update CI workflows to support new OS versions and improve artifact handling * chore: remove macOS-specific installation of libssl and XCode switching * fix: update artifact zipping logic to target build directories in canary and release workflows * chore: update actions/checkout to version 6.0.2 in CI workflow * fix: update continue-on-error condition in CI workflow and add macOS RelWithDebInfo build preset * fix: rename step to accurately reflect Docker image signing process * don't ignore pdb's
2026-06-07 07:14:22 +00:00 · 2026-06-06 01:30:12 -05:00
parent 0c1808686c
commit 8e09ffd6e8
8 changed files with 329 additions and 28 deletions
--- a/.github/workflows/build-and-push-docker.yml
+++ b/.github/workflows/build-and-push-docker.yml
@@ -1,14 +1,14 @@
-name: CI
+name: Docker

 on:
  push:
    branches:
-      - "main"
+      - main
    tags:
      - "v*.*.*"
  pull_request:
    branches:
-      - "main"
+      - main

 env:
  REGISTRY: ghcr.io
@@ -20,15 +20,21 @@ jobs:
    permissions:
      contents: read
      packages: write
+      attestations: write
+      id-token: write

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: recursive

+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+
      - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -36,21 +42,32 @@ jobs:

      - name: Extract metadata (tags, labels) for Docker
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          # generate Docker tags based on the following events/attributes
          tags: |
            type=ref,event=pr
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            type=raw,value=canary,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}

      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        id: push
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign Docker image
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true