From 2a3115361882f74f4f5c79f4f906b75fa966f0e5 Mon Sep 17 00:00:00 2001
From: Jared Allard
Date: Thu, 16 May 2024 19:26:05 -0700
Subject: [PATCH] ci: rebuild CI base image daily and on push
---
 .github/workflows/docker.yaml | 54 +++++++++++++++++++++++++++++++++++
 update-base-image.sh | 23 ---------------
 2 files changed, 54 insertions(+), 23 deletions(-)
 create mode 100644 .github/workflows/docker.yaml
 delete mode 100755 update-base-image.sh
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
new file mode 100644
index 0000000..3c2878e
--- /dev/null
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,54 @@
+name: "Docker"
+
+on:
+ push:
+ branches:
+ - "main"
+ schedule:
+ # https://crontab.guru/#@daily
+ - cron: "0 0 * * *"
+
+jobs:
+ updater-base-image:
+ runs-on: ubuntu-24.04
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
+ env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: jaredallard/overlay
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+ - name: Build and push image
+ uses: docker/build-push-action@v5
+ id: push
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+ with:
+ context: .
+ push: true
+ sbom: true
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:updater
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ id: attest
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/update-base-image.sh b/update-base-image.sh
deleted file mode 100755
index 0f91334..0000000
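Review bot: Every `uses:` in the new `updater-base-image` job references a mutable tag (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v5`, `actions/attest-build-provenance@v1`) while the job holds `packages: write`, `id-token: write` and `attestations: write`, so a retagged action release would run with the ability to overwrite the `:updater` image and have provenance signed for it. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha> # v5`, with Dependabot or Renovate handling the bumps. Separately, the unnamed `run:` step appends to an unquoted `$GITHUB_ENV`; giving it a `name:` and writing `>> "$GITHUB_ENV"` would match the other steps and avoid word-splitting surprises. Because `:updater` is overwritten on every push and daily run, it is worth documenting that consumers should reference the image by digest and verify the attestation rather than trust the tag.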
--- a/update-base-image.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-# Rebuilds the base image used by the tools in this repository and
-# pushes it upstream.
-set -euo pipefail
-
-# PUSH determines if we should push the image to the remote or not.
-PUSH=false
-if [[ "${1:-}" == "--push" ]]; then
- PUSH=true
-fi
-
-args=(
- "--tag" "ghcr.io/jaredallard/overlay:updater"
- "$(pwd)"
-)
-
-if [[ "$PUSH" == "true" ]]; then
- args+=("--platform" "linux/amd64,linux/arm64" "--push")
-else
- args+=("--load")
-fi
-
-exec docker buildx build "${args[@]}"