Merge pull request #427 from goern/issue426 #8

	name: Deliver Container Image
	on:
	push:
	tags:
	- "v*"

	env:
	IMAGE_NAME: paddock
	IMAGE_TAGS: ${{ github.ref_name }}
	IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
	REGISTRY_USER: ${{ github.actor }}
	REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	permissions:
	contents: read

	jobs:
	build:
	name: build and push
	runs-on: ubuntu-latest
	permissions:
	packages: write

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.5.2

	- name: Buildah Action
	id: build_image
	uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12
	with:
	image: ${{ env.IMAGE_NAME }}
	tags: ${{ env.IMAGE_TAGS }}
	oci: true
	context: components/paddock
	containerfiles: \|
	./components/paddock/Containerfile

	- name: Push To GitHub Container Registry
	uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
	id: push_to_ghcr
	with:
	image: ${{ steps.build_image.outputs.image }}
	tags: ${{ steps.build_image.outputs.tags }}
	registry: ${{ env.IMAGE_REGISTRY }}
	username: ${{ env.REGISTRY_USER }}
	password: ${{ env.REGISTRY_PASSWORD }}
	extra-args: \|
	--disable-content-trust

	- name: Echo outputs
	run: \|
	echo "${{ toJSON(steps.push.outputs) }}"

	- name: Install Cosign
	uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # main

Provide feedback