.github/workflows/build_and_publish.yml

name: Build & Push traefik-forward-auth image

on: [ push ]

env:
  IMAGE_NAME: ghcr.io/${{ github.repository }}
  # https://github.com/thomseddon/traefik-forward-auth/releases
  # https://github.com/n8n-io/n8n/releases
  VERSION: 2.3.0

jobs:
  push_to_registry:
    name: Build & Push image to registry
    runs-on: ubuntu-22.04

    permissions:
      packages: write
      contents: read
      attestations: write
      id-token: write

    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3.2.0

      - name: Set up Buildx
        uses: docker/setup-buildx-action@v3.7.1

      - name: Login to the GitHub Container Registry
        uses: docker/login-action@v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure metadata
        id: meta
        uses: docker/metadata-action@v5.6.1
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
        with:
          images: ${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}},value=${{ env.VERSION }}
            type=semver,pattern={{major}}.{{minor}},value=${{ env.VERSION }}
            type=semver,pattern={{major}},value=${{ env.VERSION }}
          labels: |
            org.opencontainers.image.title=traefik-forward-auth
            org.opencontainers.image.description="Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy"
            org.opencontainers.image.authors="Thom Seddon"
            org.opencontainers.image.url=https://github.com/flokod/traefik-forward-auth
            org.opencontainers.image.source=https://github.com/thomseddon/traefik-forward-auth
            org.opencontainers.image.version=${{ env.VERSION }}
            org.opencontainers.image.licenses=MIT

      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@v6.10.0
        with:
          platforms: linux/amd64,linux/arm
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          # See https://github.com/docker/build-push-action/issues/900#issuecomment-1625431663
          provenance: false
          build-args: |
            VERSION=${{ env.VERSION }}

      - name: Push to ghcr.io
        run: docker push -a ${{ env.IMAGE_NAME }}

      # - name: Generate artifact attestation
      #   uses: actions/attest-build-provenance@v2.1.0
      #   with:
      #     subject-name: ${{ env.IMAGE_NAME}}
      #     subject-digest: ${{ steps.push.outputs.digest }}
      #     push-to-registry: true