diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ee7bd73..0051a8a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,7 @@ env:
   REGISTRY_USER: ${{ github.actor }}
   REGISTRY_PASSWORD: ${{ github.token }}
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_NAME: dangerzone/dangerzone-staging
   QT_SELECT: "qt6"
 
 # Disable multiple concurrent runs on the same branch
@@ -45,36 +46,33 @@ jobs:
   # This is already built daily by the "build.yml" file
   # But we also want to include this in the checks that run on each push.
   build-container-image:
-    runs-on: ubuntu-24.04
+    name: Build, push and sign container image
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: ./.github/workflows/build-push-image.yml
+        id: build-push
         with:
-          fetch-depth: 0
+          registry: ${{ env.IMAGE_REGISTRY }}
+          registry_user: ${{ env.REGISTRY_USER }}
+          image_name: ${{ env.IMAGE_NAME }}
+          reproduce: false
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Get current date
-        id: date
-        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
-
-      - name: Cache container image
-        id: cache-container-image
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.8.1
+      - name: Generate keypair
+        run: |-
+          echo "password"
+          | cosign generate-key-pair --output-key-prefix="dangerzone-tests"
+      - name: Cache keypair
         uses: actions/cache@v4
         with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: |-
-            share/container.tar
-            share/image-id.txt
-
-      - name: Build Dangerzone container image
-        if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
-        run: |
-          python3 ./install/common/build-image.py
-
-      - name: Upload container image
-        uses: actions/upload-artifact@v4
-        with:
-          name: container.tar
-          path: share/container.tar
-
+          path: "dangerzone-tests.*"
+          key: v1-test-keypair-${{ github.ref_name }}
+          enableCrossOsArchive: true
+      - name: Sign container
+        run: |-
+          cosign sign --key dangerzone-test.key ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ steps.build-push.outputs.tag}}@sha256:${{ steps.build-push.outputs.digest_root }}
   download-tessdata:
     name: Download and cache Tesseract data
     runs-on: ubuntu-latest
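Review bot: The `Generate keypair` script breaks its pipe across two lines — inside the `|-` block, `echo "password"` is a complete command and the following line `| cosign generate-key-pair ...` is a bash syntax error, so join them: `echo "password" | cosign generate-key-pair --output-key-prefix="dangerzone-tests"`. The generated file names then disagree with the `Sign container` step, which passes `--key dangerzone-test.key` while the prefix `dangerzone-tests` (and the cache glob `dangerzone-tests.*`) produce `dangerzone-tests.key`. `uses: ./.github/workflows/build-push-image.yml` under `steps:` looks like a reusable workflow, which GitHub only accepts at `jobs.<id>.uses` and not as a step, and `${{ env.* }}` is not available in a reusable-workflow `with:` block, so this job will presumably fail before it ever reaches cosign — worth one run on a branch to confirm. `cosign sign --key` will also need the key password supplied non-interactively (e.g. `COSIGN_PASSWORD` in the step `env`, kept consistent with the generate step), and since this private key is persisted through `actions/cache` and is a throwaway test key, a comment saying so (`# test-only keypair; never use for release signing`) would prevent it being mistaken for the release key. Separately, `ubuntu-latest` and `sigstore/cosign-installer@v3.8.1` replace a pinned runner with a floating one; pinning the installer to a commit SHA keeps the signing toolchain reproducible.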
@@ -227,9 +225,7 @@ jobs:
         uses: actions/cache/restore@v4
         with:
           key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: |-
-            share/container.tar
-            share/image-id.txt
+          path: share/container.tar
           fail-on-cache-miss: true
 
       - name: Build Dangerzone .deb
@@ -336,7 +332,6 @@ jobs:
           key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
           path: |-
             share/container.tar
-            share/image-id.txt
           fail-on-cache-miss: true
 
       - name: Build Dangerzone .rpm
@@ -433,7 +428,6 @@ jobs:
           key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
           path: |-
             share/container.tar
-            share/image-id.txt
           fail-on-cache-miss: true
 
       - name: Restore cached tessdata
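Review bot: The three restore steps in these hunks (`@@ -227`, `@@ -336`, `@@ -433`) keep `fail-on-cache-miss: true` against the `v5-${{ steps.date.outputs.date }}-…` key, but the same commit deletes the `Get current date` and `Cache container image` steps that saved under that key in `build-container-image`, so unless `build.yml` still populates an identical cache every downstream job will now stop at a cache miss. Each of these jobs also needs its own `date` step for `steps.date.outputs.date` to resolve, and that step is outside the hunks. Either consume the image the new job pushes (`${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}` at the digest it outputs) or add a comment above the restore step stating where the cache comes from, e.g. `# share/container.tar is saved by build.yml's daily run; this job only restores it`.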