name: Release
on:
push:
tags:
- 'v*'
jobs:
linting:
name: Linting
uses: ./.github/workflows/lint.yml
tests:
name: Tests
uses: ./.github/workflows/test.yml
release:
name: Release Container
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Log in to GitHub Container Registry
uses: docker/login-action@v184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract tag version
id: tag
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Set repository owner lowercase
id: repo_owner
run: echo "OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
- name: Extract metadata
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ghcr.io/${{ steps.repo_owner.outputs.OWNER }}/plotting-mcp
tags: |
type=ref,event=tag
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ steps.tag.outputs.VERSION }}
- name: Build and push container
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Install Cosign
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- name: Sign container image
env:
REGISTRY: ghcr.io/${{ steps.repo_owner.outputs.OWNER }}/plotting-mcp
run: |
TAG=$(echo "${{ steps.tag.outputs.VERSION }}" | sed 's/+/_/g')
# Sign the tagged image
cosign sign -y $REGISTRY:$TAG
# Sign the latest tag if building from a tag
if [[ "${{ github.ref }}" == refs/tags/* ]]; then
cosign sign -y $REGISTRY:latest
fi
