ci: fixup GHCR publishing (#535)

* ci: add packages permission to docker-build job

* plumb the version correctly

* fix syntax

* shorten description

* remove buildx setup

* continue to remove things

* drop all buildx nonsense

* try a matrix

* fix arm runner

* fix runner again

* tweakage

* remove dry-run

* re-add arm build

* generated labels

* docker hell

* fix merge permissions

* docker: only tag where necessary

* re-pin actions

* record changes

.github/workflows/docker.yml

@@ -7,55 +7,131 @@ on:
         description: 'The version of zizmor to build against'
         required: true
 
-      dry-run:
-        description: 'Whether to perform a dry run'
-        required: false
-        type: boolean
-        default: false
+permissions: {}
+
+env:
+  ZIZMOR_IMAGE: ghcr.io/woodruffw/zizmor
 
 jobs:
-  docker-build:
-    name: Build and publish Docker image
-    runs-on: ubuntu-latest
-    env:
-      ZIZMOR_IMAGE: ghcr.io/woodruffw/zizmor
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - runner: ubuntu-latest
+            platform: linux/amd64
+            platform-pair: linux-amd64
+          - runner: ubuntu-24.04-arm
+            platform: linux/arm64
+            platform-pair: linux-arm64
+
+    name: Build and publish Docker image (${{ matrix.image.runner }})
+
+    runs-on: ${{ matrix.image.runner }}
+
     environment:
       name: docker
+
     permissions:
       contents: read
+      packages: write
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
         with:
           cache-binary: false
+
       - name: Extract Docker metadata
         id: docker-metadata
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
         with:
           images: "${{ env.ZIZMOR_IMAGE }}"
-          tags: |
-            # use the release tag for the image tag too
-            type=ref, event=tag
-      - name: Login to GHRC
+
+      - name: Login to GHCR
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
         if: github.repository_owner == 'woodruffw'
         with:
           registry: ghcr.io
           username: "${{ github.repository_owner }}"
           password: "${{ secrets.GITHUB_TOKEN }}"
-      - name: Build and push Docker image
+
+      - name: Build and push by digest
+        id: build
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
         with:
-          context: .
-          push: ${{ !github.event.inputs.dry-run }}
-          tags: ${{ steps.docker-metadata.outputs.tags }}
-          build-args: |
-            ZIZMOR_VERSION=${{ github.event.inputs.version }}
-          platforms: linux/amd64,linux/arm64
-          # Build provenance attestations
-          provenance: true
+          platforms: ${{ matrix.image.platform }}
+          labels: ${{ steps.docker-metadata.outputs.labels }}
+          outputs: type=image,"name=${{ env.ZIZMOR_IMAGE }}",push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${DIGEST}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+
+      - name: Upload digest
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        with:
+          name: digests-${{ matrix.image.platform-pair }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    needs: build
+    runs-on: ubuntu-latest
+
+    environment:
+      name: docker
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to GHCR
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
+        if: github.repository_owner == 'woodruffw'
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
+        with:
+          cache-binary: false
+
+      - name: Extract Docker metadata
+        id: docker-metadata
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
+        with:
+          images: "${{ env.ZIZMOR_IMAGE }}"
+          tags: |
+            type=raw,value=${{ github.event.inputs.version }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.ZIZMOR_IMAGE }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect "${ZIZMOR_IMAGE}:${VERSION}"
+        env:
+          VERSION: ${{ steps.docker-metadata.outputs.version }}

docs/release-notes.md

@@ -9,6 +9,12 @@ of `zizmor`.
 
 ## Next (UNRELEASED)
 
+### New Features 🌈
+
+* `zizmor` now has official Docker images! You can find them on the
+  GitHub Container Registry under
+  [`ghcr.io/woodruffw/zizmor`](https://ghcr.io/woodruffw/zizmor) (#532)
+
 ### Improvements 🌱
 
 * SARIF outputs are now slightly more aligned with GitHub Code Scanning