diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000000000000000000000000000000000000..772a3ba0eccc2b257376c6cfa2dd9628295dd311
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,121 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ push:
+ branches: [ "main" ]
+ # Publish semver tags as releases.
+ tags: [ 'v*.*.*' ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as <account>/<repo>
+ IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Workaround: https://github.com/docker/build-push-action/issues/461
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v2
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=ref,event=branch,prefix=,suffix=-{{sha}}-{{date 'x'}}
+
+ # Cache dependencies
+ # https://github.com/actions/cache
+ - name: Cache Docker layers
+ uses: actions/cache@v3
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-multi-buildx-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-multi-buildx
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=local,src=/tmp/.buildx-cache
+ # Note the mode=max here
+ # More: https://github.com/moby/buildkit#--export-cache-options
+ # And: https://github.com/docker/buildx#--cache-tonametypetypekeyvalue
+ cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new
+
+ # Temp fix / Disabled on self-hosted runner
+ # https://github.com/docker/build-push-action/issues/252
+ # https://github.com/moby/buildkit/issues/1896
+ - name: Move cache
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
+
+ # # Install the cosign tool except on PR
+ # # https://github.com/sigstore/cosign-installer
+ # - name: Install cosign
+ # if: github.event_name != 'pull_request'
+ # uses: sigstore/cosign-installer@v3.3.0
+ # with:
+ # cosign-release: 'v2.2.2'
+
+ # # Sign the resulting Docker image digest except on PRs.
+ # # This will only write to the public Rekor transparency log when the Docker
+ # # repository is public to avoid leaking data. If you would like to publish
+ # # transparency data even for private images, pass --force to cosign below.
+ # # https://github.com/sigstore/cosign
+ # - name: Sign the published Docker image
+ # if: ${{ github.event_name != 'pull_request' }}
+ # env:
+ # COSIGN_EXPERIMENTAL: "true"
+ # # This step uses the identity token to provision an ephemeral certificate
+ # # against the sigstore community Fulcio instance.
+ # run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}