Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Publish the PHAR for Releases" | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-phar: | |
| # See build-phar.yml for a list of the permissions and why they are needed | |
| permissions: | |
| contents: read | |
| id-token: write | |
| attestations: write | |
| uses: ./.github/workflows/build-phar.yml | |
| release-phar: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build-phar | |
| permissions: | |
| # contents:write is required to upload the binaries to the release. | |
| contents: write | |
| steps: | |
| - name: Fetch built PHAR from artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: pie-${{ github.sha }}.phar | |
| - name: Verify the PHAR | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: gh attestation verify pie.phar --repo ${{ github.repository }} | |
| - name: Upload binaries to release | |
| uses: softprops/action-gh-release@v2 | |
| if: ${{startsWith(github.ref, 'refs/tags/') }} | |
| with: | |
| files: pie.phar | |
| docker-binary-only-image: | |
| needs: build-phar | |
| name: Docker binary-only image | |
| runs-on: ubuntu-latest | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| permissions: | |
| # attestations:write is required for build provenance attestation. | |
| attestations: write | |
| # id-token:write is required for build provenance attestation. | |
| id-token: write | |
| # packages:write is required to publish Docker images to GitHub's registry. | |
| packages: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Fetch built PHAR from artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: pie-${{ github.sha }}.phar | |
| - name: Verify the PHAR | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: gh attestation verify pie.phar --repo ${{ github.repository }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| flavor: | | |
| latest=false | |
| images: ghcr.io/${{ github.repository }} | |
| # @TODO v1.0 Consider introducing more granular tags (major and major.minor) | |
| # @see https://github.com/php/pie/pull/122#pullrequestreview-2477496308 | |
| # @see https://github.com/php/pie/pull/122#discussion_r1867331273 | |
| tags: | | |
| type=raw,value=bin | |
| type=semver,pattern={{version}}-bin | |
| - name: Build and push Docker image | |
| id: build-and-push | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| file: Dockerfile | |
| target: standalone-binary | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Generate artifact attestation | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.build-and-push.outputs.digest }} | |
| push-to-registry: true |