name: Create docker images on: push: tags: - 'v*.*.*' workflow_dispatch: jobs: build: name: Build, push, and deploy runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write strategy: matrix: db-type: [postgresql] steps: - uses: actions/checkout@v5 # Install cosign (for image signing) - name: Install cosign uses: sigstore/cosign-installer@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log into Docker Hub if: github.repository == 'umami-software/umami' uses: docker/login-action@v3 with: registry: docker.io username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Log into GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: images: | umamisoftware/umami,enable=${{ github.repository == 'umami-software/umami' }} ghcr.io/${{ github.repository }} flavor: | latest=auto prefix=${{ matrix.db-type }}- tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@v6 with: context: . platforms: linux/amd64,linux/arm64 build-args: DATABASE_TYPE=${{ matrix.db-type }} push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max # Sign the published image digest - name: Sign the published Docker image env: TAGS: ${{ steps.meta.outputs.tags }} DIGEST: ${{ steps.build-and-push.outputs.digest }} run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"