Skip to content
Latchkey

Build Docker containers on new tag workflow (sitespeedio/sitespeed.io)

The Build Docker containers on new tag workflow from sitespeedio/sitespeed.io, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: sitespeedio/sitespeed.io.github/workflows/building-docker-release.ymlLicense MITView source

What it does

This is the Build Docker containers on new tag workflow from the sitespeedio/sitespeed.io repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Build Docker containers on new tag
on:
  push:
    tags:
      - 'v*.*.*'
  # workflow_dispatch is needed because release.yml's tag push runs as
  # GITHUB_TOKEN, and GITHUB_TOKEN-triggered push/tag events don't fan out
  # to other workflows. release.yml calls `gh workflow run` against this
  # workflow with `--ref v<version>` so the Docker images for that release
  # actually get built.
  workflow_dispatch:

# id-token: write is the OIDC token that cosign exchanges for a short-lived
# Sigstore certificate. contents: read covers the actions/checkout step.
permissions:
  contents: read
  id-token: write

jobs:
  docker:
    runs-on: ubuntu-24.04
    steps:
      -
        name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      -
          name: Checkout
          uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
        with:
          image: tonistiigi/binfmt:qemu-v9.2.2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      -
        name: Install cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      -
        name: Login to DockerHub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Extract version
        id: extract_version
        run: |
            VERSION_TAG=${GITHUB_REF#refs/tags/}
            echo "Git tag: $VERSION_TAG"

            VERSION=${VERSION_TAG#v}
            echo "Full version without 'v': $VERSION"

            MAJOR_VERSION=${VERSION%%.*}
            echo "Major version: $MAJOR_VERSION"

            echo "SITESPEED_VERSION=$VERSION" >> $GITHUB_OUTPUT
            echo "SITESPEED_MAJOR_VERSION=$MAJOR_VERSION" >> $GITHUB_OUTPUT
      -
        name: Build and push sitespeed.io
        id: build_full
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          # mode=max embeds the full build graph (every step, every input
          # digest) in the SLSA provenance attestation. sbom: true attaches a
          # SPDX SBOM as a separate attestation. Both ship to Docker Hub as
          # OCI artefacts alongside the image and are inspectable with
          # `docker buildx imagetools inspect --format '{{ json . }}'`.
          provenance: mode=max
          sbom: true
          tags: |
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}
            sitespeedio/sitespeed.io:latest
      -
        name: Sign sitespeed.io with cosign
        # cosign signs the digest; every tag that points at the digest
        # (the version, the major, and :latest) is implicitly covered.
        # Keyless: the workflow's OIDC token is exchanged for a short-lived
        # Sigstore cert tied to this repo+workflow+ref. Users verify with
        # `cosign verify --certificate-identity-regexp '...' --certificate-oidc-issuer https://token.actions.githubusercontent.com`.
        env:
          DIGEST: ${{ steps.build_full.outputs.digest }}
        run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"
      -
        name: Build and push sitespeed.io+1
        id: build_plus1
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          file: ./docker/Dockerfile-plus1
          build-args: version=${{ steps.extract_version.outputs.SITESPEED_VERSION }}
          push: true
          provenance: mode=max
          sbom: true
          tags: |
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}-plus1
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}-plus1
      -
        name: Sign sitespeed.io+1 with cosign
        env:
          DIGEST: ${{ steps.build_plus1.outputs.digest }}
        run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"
      -
        name: Build and push sitespeed.io-slim
        id: build_slim
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          file: ./Dockerfile-slim
          build-args: version=${{ steps.extract_version.outputs.SITESPEED_VERSION }}
          push: true
          provenance: mode=max
          sbom: true
          tags: |
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}-slim
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}-slim
      -
        name: Sign sitespeed.io-slim with cosign
        env:
          DIGEST: ${{ steps.build_slim.outputs.digest }}
        run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Build Docker containers on new tag
on:
  push:
    tags:
      - 'v*.*.*'
  # workflow_dispatch is needed because release.yml's tag push runs as
  # GITHUB_TOKEN, and GITHUB_TOKEN-triggered push/tag events don't fan out
  # to other workflows. release.yml calls `gh workflow run` against this
  # workflow with `--ref v<version>` so the Docker images for that release
  # actually get built.
  workflow_dispatch:
 
# id-token: write is the OIDC token that cosign exchanges for a short-lived
# Sigstore certificate. contents: read covers the actions/checkout step.
permissions:
  contents: read
  id-token: write
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  docker:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
      -
        name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      -
          name: Checkout
          uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
        with:
          image: tonistiigi/binfmt:qemu-v9.2.2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      -
        name: Install cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      -
        name: Login to DockerHub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Extract version
        id: extract_version
        run: |
            VERSION_TAG=${GITHUB_REF#refs/tags/}
            echo "Git tag: $VERSION_TAG"
 
            VERSION=${VERSION_TAG#v}
            echo "Full version without 'v': $VERSION"
 
            MAJOR_VERSION=${VERSION%%.*}
            echo "Major version: $MAJOR_VERSION"
 
            echo "SITESPEED_VERSION=$VERSION" >> $GITHUB_OUTPUT
            echo "SITESPEED_MAJOR_VERSION=$MAJOR_VERSION" >> $GITHUB_OUTPUT
      -
        name: Build and push sitespeed.io
        id: build_full
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          # mode=max embeds the full build graph (every step, every input
          # digest) in the SLSA provenance attestation. sbom: true attaches a
          # SPDX SBOM as a separate attestation. Both ship to Docker Hub as
          # OCI artefacts alongside the image and are inspectable with
          # `docker buildx imagetools inspect --format '{{ json . }}'`.
          provenance: mode=max
          sbom: true
          tags: |
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}
            sitespeedio/sitespeed.io:latest
      -
        name: Sign sitespeed.io with cosign
        # cosign signs the digest; every tag that points at the digest
        # (the version, the major, and :latest) is implicitly covered.
        # Keyless: the workflow's OIDC token is exchanged for a short-lived
        # Sigstore cert tied to this repo+workflow+ref. Users verify with
        # `cosign verify --certificate-identity-regexp '...' --certificate-oidc-issuer https://token.actions.githubusercontent.com`.
        env:
          DIGEST: ${{ steps.build_full.outputs.digest }}
        run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"
      -
        name: Build and push sitespeed.io+1
        id: build_plus1
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          file: ./docker/Dockerfile-plus1
          build-args: version=${{ steps.extract_version.outputs.SITESPEED_VERSION }}
          push: true
          provenance: mode=max
          sbom: true
          tags: |
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}-plus1
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}-plus1
      -
        name: Sign sitespeed.io+1 with cosign
        env:
          DIGEST: ${{ steps.build_plus1.outputs.digest }}
        run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"
      -
        name: Build and push sitespeed.io-slim
        id: build_slim
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          file: ./Dockerfile-slim
          build-args: version=${{ steps.extract_version.outputs.SITESPEED_VERSION }}
          push: true
          provenance: mode=max
          sbom: true
          tags: |
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_VERSION }}-slim
            sitespeedio/sitespeed.io:${{ steps.extract_version.outputs.SITESPEED_MAJOR_VERSION }}-slim
      -
        name: Sign sitespeed.io-slim with cosign
        env:
          DIGEST: ${{ steps.build_slim.outputs.digest }}
        run: cosign sign --yes "sitespeedio/sitespeed.io@${DIGEST}"
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow