attest-provider/.github/workflows/release.yml

name: release
on:
  release:
    types: [published]
env:
  IMAGE_NAME: docker/attest-provider
jobs:
  dockerhub:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: dockerpublicbot
          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
      - name: Generate GitHub App Token
        id: app-token
        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
          repositories: "attest,attest-provider"
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          version: lab:latest
          driver: cloud
          endpoint: docker/default
          install: true
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          target: production
          build-args: |
            VERSION=v${{ steps.meta.outputs.version }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64 # todo figure out additional platforms for release
          attests: type=sbom,generator=docker/scout-sbom-indexer:1
          provenance: mode=max
          secrets: |
            GITHUB_TOKEN=${{ steps.app-token.outputs.token }}