CI: Build and sign an image to be used in the tests

.github/workflows/ci.yml

@@ -16,6 +16,7 @@ env:
   REGISTRY_USER: ${{ github.actor }}
   REGISTRY_PASSWORD: ${{ github.token }}
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_NAME: dangerzone/dangerzone-staging
   QT_SELECT: "qt6"
 
 # Disable multiple concurrent runs on the same branch
@@ -45,36 +46,33 @@ jobs:
   # This is already built daily by the "build.yml" file
   # But we also want to include this in the checks that run on each push.
   build-container-image:
-    runs-on: ubuntu-24.04
+    name: Build, push and sign container image
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: ./.github/workflows/build-push-image.yml
+        id: build-push
         with:
-          fetch-depth: 0
+          registry: ${{ env.IMAGE_REGISTRY }}
+          registry_user: ${{ env.REGISTRY_USER }}
+          image_name: ${{ env.IMAGE_NAME }}
+          reproduce: false
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Get current date
+      - name: Install Cosign
-        id: date
+        uses: sigstore/cosign-installer@v3.8.1
-        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+      - name: Generate keypair
-
+        run: |-
-      - name: Cache container image
+          echo "password"
-        id: cache-container-image
+          | cosign generate-key-pair --output-key-prefix="dangerzone-tests"
+      - name: Cache keypair
         uses: actions/cache@v4
         with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
+          path: "dangerzone-tests.*"
-          path: |-
+          key: v1-test-keypair-${{ github.ref_name }}
-            share/container.tar
+          enableCrossOsArchive: true
-            share/image-id.txt
+      - name: Sign container
-
+        run: |-
-      - name: Build Dangerzone container image
+          cosign sign --key dangerzone-test.key ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ steps.build-push.outputs.tag}}@sha256:${{ steps.build-push.outputs.digest_root }}
-        if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
-        run: |
-          python3 ./install/common/build-image.py
-
-      - name: Upload container image
-        uses: actions/upload-artifact@v4
-        with:
-          name: container.tar
-          path: share/container.tar
-
   download-tessdata:
     name: Download and cache Tesseract data
     runs-on: ubuntu-latest
@@ -227,9 +225,7 @@ jobs:
         uses: actions/cache/restore@v4
         with:
           key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: |-
+          path: share/container.tar
-            share/container.tar
-            share/image-id.txt
           fail-on-cache-miss: true
 
       - name: Build Dangerzone .deb
@@ -336,7 +332,6 @@ jobs:
           key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
           path: |-
             share/container.tar
-            share/image-id.txt
           fail-on-cache-miss: true
 
       - name: Build Dangerzone .rpm
@@ -433,7 +428,6 @@ jobs:
           key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
           path: |-
             share/container.tar
-            share/image-id.txt
           fail-on-cache-miss: true
 
       - name: Restore cached tessdata