plaster/.github/workflows/docker-publish.yml

name: Build & push Docker image
on:
  workflow_dispatch:
  workflow_call:
    outputs:
      image:
        value: ${{ jobs.publish-manifest-list.outputs.image }}
env:
  DOCKER_REGISTRY: ghcr.io
jobs:
  build:
    name: Build Docker image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        platform:
          - linux/amd64
          - linux/arm64
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: ${{ matrix.platform }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.DOCKER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Prepare Docker image name
        id: docker-image-name
        env:
          REPOSITORY: ${{ github.repository }}
        run: echo "value=${DOCKER_REGISTRY}/${REPOSITORY,,}" >> $GITHUB_OUTPUT
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        id: build-and-push-docker-image
        with:
          context: .
          platforms: ${{ matrix.platform }}
          outputs: type=registry,name=${{ steps.docker-image-name.outputs.value }},push-by-digest=true
          cache-from: type=gha,scope=buildkit-${{ matrix.platform }}
          cache-to: type=gha,mode=max,scope=buildkit-${{ matrix.platform }}
      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build-and-push-docker-image.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v3
        with:
          name: digests
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
  publish-manifest-list:
    name: Publish Docker manifest list
    runs-on: ubuntu-latest
    permissions:
      packages: write
    needs:
      - build
    outputs:
      image: ${{ steps.retrieve-image.outputs.value }}
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.DOCKER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Prepare Docker metadata
        uses: docker/metadata-action@v5
        id: docker-metadata
        with:
          images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha
          flavor: |
            latest=true
      - name: Download digests
        uses: actions/download-artifact@v3
        with:
          name: digests
          path: /tmp/digests
      - name: Prepare Docker image name
        id: docker-image-name
        env:
          REPOSITORY: ${{ github.repository }}
        run: echo "value=${DOCKER_REGISTRY}/${REPOSITORY,,}" >> $GITHUB_OUTPUT
      - name: Create and push manifest list
        run: |
          docker buildx imagetools create \
            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ steps.docker-image-name.outputs.value }}@sha256:%s ' $(ls /tmp/digests)) \
      - name: Retrieve image
        id: retrieve-image
        run: echo "value=$(echo "$DOCKER_METADATA_OUTPUT_JSON" | jq -r '.tags[1]')" >> $GITHUB_OUTPUT
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ steps.retrieve-image.outputs.value }}