.github/workflows/docker-publish.yml +20 −20
@@ -99,23 +99,23 @@ jobs: mv /tmp/.buildx-cache-new /tmp/.buildx-cache # # Install the cosign tool except on PR # # https://github.com/sigstore/cosign-installer # - name: Install cosign # if: github.event_name != 'pull_request' # uses: sigstore/cosign-installer@v3.3.0 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign if: ${{ github.event_name != 'pull_request' }} uses: sigstore/cosign-installer@v3 # with: # cosign-release: 'v2.2.2' # # Sign the resulting Docker image digest except on PRs. # # This will only write to the public Rekor transparency log when the Docker # # repository is public to avoid leaking data. If you would like to publish # # transparency data even for private images, pass --force to cosign below. # # https://github.com/sigstore/cosign # - name: Sign the published Docker image # if: ${{ github.event_name != 'pull_request' }} # env: # COSIGN_EXPERIMENTAL: "true" # # This step uses the identity token to provision an ephemeral certificate # # against the sigstore community Fulcio instance. # run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker # repository is public to avoid leaking data. If you would like to publish # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. run: echo "${{ steps.meta.outputs.tags }}" | grep -E '^(.+):(.+)-(.+)-(.+)$' | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
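Review bot: The re-enabled `run:` line splices `${{ steps.meta.outputs.tags }}` and the digest directly into the shell script, so whatever the `meta` step (outside this hunk) derives from ref names is parsed as shell text before `grep` ever filters it. Pass both through `env:` instead: `TAGS: ${{ steps.meta.outputs.tags }}`, `DIGEST: ${{ steps.build-and-push.outputs.digest }}` and `run: echo "$TAGS" | grep -E '^(.+):(.+)-(.+)-(.+)$' | xargs -I {} cosign sign --yes "{}@$DIGEST"`. The added `grep` filter also means a push whose tags do not match the pattern signs nothing, and unless the step runs with `pipefail` it still reports success, so a comment naming the tag shape that is meant to be signed, plus a check that at least one tag matched, would make an unsigned publish visible. The installer reference also appears to move from the exact `v3.3.0` to the floating `v3` tag in a step that precedes signing with the workflow's identity token; pinning `sigstore/cosign-installer` to a full commit SHA keeps that dependency fixed.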
Dockerfile +6 −3 Original line number Diff line number Diff line # VERSIONS ARG NODE_VERSION=20.11.1 ARG NPM_VERSION=10.4.0 ARG NGINX_VERSION=1.25.4 # --------------> The builder image FROM node:$NODE_VERSION AS builder ENV NODE_ENV production WORKDIR /app ARG NPM_TOKEN # Install NPM with version ARG NPM_VERSION=10.5.0 RUN npm install -g npm@$NPM_VERSION # Install dependencies COPY package*.json ./ ARG NPM_TOKEN RUN echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc && \ npm install -g npm@$NPM_VERSION && \ npm ci --omit=dev && \ rm -f .npmrc # Build app COPY . . RUN npm run build Loading
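Review bot: `ARG NPM_TOKEN` followed by `echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc` still hands the registry token to the build as a build argument. Build-arg values are recorded in the builder stage's history and can be carried in an exported layer cache even though `.npmrc` is deleted in the same `RUN`. Since this change already reorders that block, a BuildKit secret mount would keep the token out of build metadata: `RUN --mount=type=secret,id=npmrc,target=/app/.npmrc npm ci --omit=dev`, with the workflow's build step supplying the secret instead of a build arg. The rest of the Dockerfile, including the final stage, is outside the visible section, so whether the builder stage itself is ever pushed cannot be confirmed from here.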