Resolve "Upload the Docker image to an image registry" (#52)

.github/workflows/_build.yaml

@@ -21,6 +21,7 @@ on:
 jobs:
   Build:
     runs-on: ${{ inputs.os }}
+    name: Build the Python package for ${{ inputs.os }} ${{ inputs.python-version }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2

.github/workflows/_build_docker.yaml

@@ -1,6 +1,5 @@
-##    Checks the code logic, style and more
 # -*- coding: utf-8 -*-
-# Copyright (C) 2023 Benjamin Thomas Schwertfeger
+# Copyright (C) 2025 Benjamin Thomas Schwertfeger
 # GitHub: https://github.com/btschwertfeger
 #
 # Workflow to build the docker image.
@@ -9,42 +8,25 @@ name: Build Docker Image
 
 on:
   workflow_call:
-    inputs:
-      TAG:
-        type: string
-        required: true
-    # secrets:
-    #   DOCKERHUB_USERNAME:
-    #     required: true
-    #   DOCKERHUB_TOKEN:
-    #     required: true
+
+permissions:
+  contents: read
 
 jobs:
   Build:
+    name: Build Docker image
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      # - name: Login to Docker Hub
-      #   uses: docker/login-action@v2
-      #   with:
-      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
-      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Set up Python 3.11
-        uses: actions/setup-python@v5
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          python-version: 3.11
+          fetch-depth: 0 # IMPORTANT: otherwise the current tag does not get fetched and the build version gets worse
 
-      - name: Install dependencies
-        run: python -m pip install --upgrade pip
-
-      - name: Build the package
-        run: python -m pip wheel -w dist --no-deps .
-
-      - name: Build the Image
-        run: DOCKER_BUILDKIT=1 docker build . --file Dockerfile --tag btschwertfeger/kraken-infinity-grid:${{ inputs.TAG }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: Dockerfile
+          push: false
+          tags: |
+            btschwertfeger/kraken-infinity-grid:dev

.github/workflows/_codecov.yaml

@@ -32,7 +32,9 @@ jobs:
     env:
       OS: ${{ inputs.os }}
       PYTHON: ${{ inputs.python-version }}
-
+    environment:
+      name: codecov
+      url: https://app.codecov.io/github/btschwertfeger/kraken-infinity-grid/
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
@@ -71,7 +73,7 @@ jobs:
           uv pip install ".[test,dev]"
 
       - name: Generate coverage report
-        run: pytest -vv --cov --cov-report=xml:coverage.xml tests
+        run: pytest -vv --cov=kraken_infinity_grid --cov-report=xml:coverage.xml tests
 
       - name: Export coverage report
         uses: actions/upload-artifact@v4

.github/workflows/_docker_publish.yaml

@@ -0,0 +1,72 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 2025 Benjamin Thomas Schwertfeger
+# GitHub: https://github.com/btschwertfeger
+#
+# Workflow to build and push the Docker image.
+
+name: Build and push Docker image
+
+on:
+  workflow_call:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  Build:
+    name: Build and push Docker image to Docker Hub and GitHub's Docker registry
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0 # IMPORTANT: otherwise the current tag does not get fetched and the build version gets worse
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: |
+            btschwertfeger/kraken-infinity-grid
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker images
+        id: push
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/_pypi_publish.yaml

@@ -18,7 +18,7 @@ permissions: read-all
 
 jobs:
   publish-to-pypi:
-    name: Publish Python distribution to PyPI
+    name: Publish Python distribution to pypi.org
     runs-on: ubuntu-latest
     permissions:
       id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing

.github/workflows/_pypi_test_publish.yaml

@@ -18,7 +18,7 @@ permissions: read-all
 
 jobs:
   publish-to-test-pypi:
-    name: Publish Python distribution to Test PyPI
+    name: Publish Python distribution to test.pypi.org
     runs-on: ubuntu-latest
     permissions:
       id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing

.github/workflows/cicd.yaml

@@ -55,11 +55,8 @@ jobs:
   ##    Build the Docker image
   ##
   Build-Docker:
-    if: success() && github.ref != 'refs/heads/master'
     needs: [Pre-Commit]
     uses: ./.github/workflows/_build_docker.yaml
-    with:
-      TAG: dev
 
   ## ===========================================================================
   ##    Build the documentation
@@ -91,8 +88,9 @@ jobs:
   ##
   CodeCov:
     if: |
-      (success() && github.actor == 'btschwertfeger')
-      && (github.event_name == 'push' || github.event_name == 'release')
+      success()
+      && github.actor == 'btschwertfeger'
+      && github.event_name != 'schedule'
     needs:
       - Test
     uses: ./.github/workflows/_codecov.yaml
@@ -108,14 +106,15 @@ jobs:
   ##
   UploadTestPyPI:
     if: |
-      (success() && github.ref == 'refs/heads/master')
+      success()
+      && github.ref == 'refs/heads/master'
       && (github.event_name == 'push' || github.event_name == 'release')
     needs:
       - Build
       - Build-Doc
+      - Build-Docker
       - CodeCov
       - CodeQL
-    name: Upload development version to Test PyPI
     uses: ./.github/workflows/_pypi_test_publish.yaml
     secrets:
       API_TOKEN: ${{ secrets.TEST_PYPI_API_TOKEN }}
@@ -131,9 +130,28 @@ jobs:
     needs:
       - Build
       - Build-Doc
+      - Build-Docker
       - CodeCov
       - CodeQL
-    name: Upload release to PyPI
     uses: ./.github/workflows/_pypi_publish.yaml
     secrets:
       API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+
+  ## ===========================================================================
+  ##    Upload the package GitHub's Docker registry
+  ##
+  UploadDockerImage:
+    if: |
+      success()
+      && github.actor == 'btschwertfeger'
+      && (
+        (github.event_name == 'push' && github.ref == 'refs/heads/master')
+        || github.event_name == 'release'
+      )
+    needs:
+      - Build
+      - Build-Doc
+      - Build-Docker
+      - CodeCov
+      - CodeQL
+    uses: ./.github/workflows/_docker_publish.yaml

Makefile

@@ -7,10 +7,11 @@ UV ?= uv
 PYTHON := python
 PYTEST := $(UV) run pytest
 PYTEST_OPTS := -vv --junit-xml=pytest.xml
-PYTEST_COV_OPTS := $(PYTEST_OPTS) --cov --cov-report=xml:coverage.xml --cov-report=term-missing
+PYTEST_COV_OPTS := $(PYTEST_OPTS) --cov=kraken_infinity_grid --cov-report=xml:coverage.xml --cov-report=term-missing
 TEST_DIR := tests
 
 ## ======= H E L P =======
+## help		Show this help message
 .PHONY: help
 help:
 	@grep "^##" Makefile | sed -e "s/##//"
@@ -62,7 +63,7 @@ wip:
 	@rm .cache/tests/*.log || true
 	$(PYTEST) -m "wip" -vv $(TEST_DIR)
 
-## coverage		Run all tests and generate the coverage report
+## coverage       Run all tests and generate the coverage report
 ##
 .PHONY: coverage
 coverage:
@@ -111,7 +112,7 @@ clean:
 	find tools -name "__pycache__" | xargs rm -rf
 	find tests -name "*.log" | xargs rm -rf
 
-## check-uv		Check if uv is installed
+## check-uv       Check if uv is installed
 ##
 .PHONY: check-uv
 check-uv:

README.md

@@ -11,6 +11,7 @@
 [![CI/CD](https://github.com/btschwertfeger/kraken-infinity-grid/actions/workflows/cicd.yaml/badge.svg?branch=master)](https://github.com/btschwertfeger/kraken-infinity-grid/actions/workflows/cicd.yaml)
 [![codecov](https://codecov.io/gh/btschwertfeger/kraken-infinity-grid/branch/master/badge.svg)](https://app.codecov.io/gh/btschwertfeger/kraken-infinity-grid)
 
+[![OpenSSF ScoreCard](https://img.shields.io/ossf-scorecard/github.com/btschwertfeger/kraken-infinity-grid?label=openssf%20scorecard&style=flat)](https://securityscorecards.dev/viewer/?uri=github.com/btschwertfeger/kraken-infinity-grid)
 [![release](https://shields.io/github/release-date/btschwertfeger/kraken-infinity-grid)](https://github.com/btschwertfeger/kraken-infinity-grid/releases)
 [![release](https://img.shields.io/pypi/v/kraken-infinity-grid)](https://pypi.org/project/kraken-infinity-grid/)
 [![Documentation Status Stable](https://readthedocs.org/projects/kraken-infinity-grid/badge/?version=stable)](https://kraken-infinity-grid.readthedocs.io/en/stable)

pyproject.toml

@@ -79,7 +79,8 @@ markers = [
 asyncio_default_fixture_loop_scope = "function"
 
 [tool.coverage.run]
-source = ["src/kraken_infinity_grid"]
+source = ["."]
+
 omit = ["*tests*", "_version.py"]
 
 [tool.coverage.report]