Resolve "Upload the Docker image to an image registry"

.github/workflows/_build.yaml

@@ -21,6 +21,7 @@ on:
 jobs:
   Build:
     runs-on: ${{ inputs.os }}
+    name: Build the Python package for ${{ inputs.os }} ${{ inputs.python-version }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2

.github/workflows/_build_docker.yaml

@@ -1,6 +1,5 @@
-##    Checks the code logic, style and more
 # -*- coding: utf-8 -*-
-# Copyright (C) 2023 Benjamin Thomas Schwertfeger
+# Copyright (C) 2025 Benjamin Thomas Schwertfeger
 # GitHub: https://github.com/btschwertfeger
 #
 # Workflow to build the docker image.
@@ -9,42 +8,25 @@ name: Build Docker Image
 
 on:
   workflow_call:
-    inputs:
-      TAG:
-        type: string
-        required: true
-    # secrets:
-    #   DOCKERHUB_USERNAME:
-    #     required: true
-    #   DOCKERHUB_TOKEN:
-    #     required: true
+
+permissions:
+  contents: read
 
 jobs:
   Build:
+    name: Build Docker image
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      # - name: Login to Docker Hub
-      #   uses: docker/login-action@v2
-      #   with:
-      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
-      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Set up Python 3.11
-        uses: actions/setup-python@v5
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          python-version: 3.11
+          fetch-depth: 0 # IMPORTANT: otherwise the current tag does not get fetched and the build version gets worse
 
-      - name: Install dependencies
-        run: python -m pip install --upgrade pip
-
-      - name: Build the package
-        run: python -m pip wheel -w dist --no-deps .
-
-      - name: Build the Image
-        run: DOCKER_BUILDKIT=1 docker build . --file Dockerfile --tag btschwertfeger/kraken-infinity-grid:${{ inputs.TAG }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: Dockerfile
+          push: false
+          tags: |
+            btschwertfeger/kraken-infinity-grid:dev

.github/workflows/_codecov.yaml

@@ -32,7 +32,9 @@ jobs:
     env:
       OS: ${{ inputs.os }}
       PYTHON: ${{ inputs.python-version }}
-
+    environment:
+      name: codecov
+      url: https://app.codecov.io/github/btschwertfeger/kraken-infinity-grid/
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2

.github/workflows/_docker_publish.yaml

@@ -0,0 +1,75 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 2025 Benjamin Thomas Schwertfeger
+# GitHub: https://github.com/btschwertfeger
+#
+# Workflow to build and push the Docker image.
+
+name: Build and push Docker image
+
+on:
+  workflow_call:
+    secrets:
+      GITHUB_TOKEN:
+        required: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  Build:
+    name: Build and push Docker image to Docker Hub and GitHub's Docker registry
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0 # IMPORTANT: otherwise the current tag does not get fetched and the build version gets worse
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: |
+            btschwertfeger/kraken-infinity-grid
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker images
+        id: push
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/_pypi_publish.yaml

@@ -18,7 +18,7 @@ permissions: read-all
 
 jobs:
   publish-to-pypi:
-    name: Publish Python distribution to PyPI
+    name: Publish Python distribution to pypi.org
     runs-on: ubuntu-latest
     permissions:
       id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing

.github/workflows/_pypi_test_publish.yaml

@@ -18,7 +18,7 @@ permissions: read-all
 
 jobs:
   publish-to-test-pypi:
-    name: Publish Python distribution to Test PyPI
+    name: Publish Python distribution to test.pypi.org
     runs-on: ubuntu-latest
     permissions:
       id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing

.github/workflows/cicd.yaml

@@ -55,11 +55,8 @@ jobs:
   ##    Build the Docker image
   ##
   Build-Docker:
-    if: success() && github.ref != 'refs/heads/master'
     needs: [Pre-Commit]
     uses: ./.github/workflows/_build_docker.yaml
-    with:
-      TAG: dev
 
   ## ===========================================================================
   ##    Build the documentation
@@ -113,9 +110,9 @@ jobs:
     needs:
       - Build
       - Build-Doc
+      - Build-Docker
       - CodeCov
       - CodeQL
-    name: Upload development version to Test PyPI
     uses: ./.github/workflows/_pypi_test_publish.yaml
     secrets:
       API_TOKEN: ${{ secrets.TEST_PYPI_API_TOKEN }}
@@ -131,9 +128,29 @@ jobs:
     needs:
       - Build
       - Build-Doc
+      - Build-Docker
       - CodeCov
       - CodeQL
-    name: Upload release to PyPI
     uses: ./.github/workflows/_pypi_publish.yaml
     secrets:
       API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+
+  ## ===========================================================================
+  ##    Upload the package GitHub's Docker registry
+  ##
+  UploadDockerImage:
+    if: |
+      (success() && github.actor == 'btschwertfeger')
+      && (
+        (github.event_name == 'push' && github.ref == 'refs/heads/master')
+        || github.event_name == 'release'
+      )
+    needs:
+      - Build
+      - Build-Doc
+      - Build-Docker
+      - CodeCov
+      - CodeQL
+    uses: ./.github/workflows/_docker_publish.yaml
+    secrets:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

pyproject.toml

@@ -79,7 +79,7 @@ markers = [
 asyncio_default_fixture_loop_scope = "function"
 
 [tool.coverage.run]
-source = ["src/kraken_infinity_grid"]
+source = ["src"]
 omit = ["*tests*", "_version.py"]
 
 [tool.coverage.report]