CI: Build and sign an image to be used in the tests

2025-04-28 18:02:38 +02:00 · 2025-04-22 17:45:53 +02:00 · 2025-04-22 17:45:53 +02:00 · 0d64e475cc
commit 0d64e475cc
parent dce91eaa26
1 changed files with 24 additions and 30 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -16,6 +16,7 @@ env:
  REGISTRY_USER: ${{ github.actor }}
  REGISTRY_PASSWORD: ${{ github.token }}
  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_NAME: dangerzone/dangerzone-staging
  QT_SELECT: "qt6"

 # Disable multiple concurrent runs on the same branch
@ -45,36 +46,33 @@ jobs:
  # This is already built daily by the "build.yml" file
  # But we also want to include this in the checks that run on each push.
  build-container-image:
-    runs-on: ubuntu-24.04
+    name: Build, push and sign container image
+    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: ./.github/workflows/build-push-image.yml
+        id: build-push
        with:
-          fetch-depth: 0
+          registry: ${{ env.IMAGE_REGISTRY }}
+          registry_user: ${{ env.REGISTRY_USER }}
+          image_name: ${{ env.IMAGE_NAME }}
+          reproduce: false
+          registry_token: ${{ secrets.GITHUB_TOKEN }}

-      - name: Get current date
-        id: date
-        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
-
-      - name: Cache container image
-        id: cache-container-image
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.8.1
+      - name: Generate keypair
+        run: |-
+          echo "password"
+          | cosign generate-key-pair --output-key-prefix="dangerzone-tests"
+      - name: Cache keypair
        uses: actions/cache@v4
        with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: |-
-            share/container.tar
-            share/image-id.txt
-
-      - name: Build Dangerzone container image
-        if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
-        run: |
-          python3 ./install/common/build-image.py
-
-      - name: Upload container image
-        uses: actions/upload-artifact@v4
-        with:
-          name: container.tar
-          path: share/container.tar
-
+          path: "dangerzone-tests.*"
+          key: v1-test-keypair-${{ github.ref_name }}
+          enableCrossOsArchive: true
+      - name: Sign container
+        run: |-
+          cosign sign --key dangerzone-test.key ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ steps.build-push.outputs.tag}}@sha256:${{ steps.build-push.outputs.digest_root }}
  download-tessdata:
    name: Download and cache Tesseract data
    runs-on: ubuntu-latest
@ -227,9 +225,7 @@ jobs:
        uses: actions/cache/restore@v4
        with:
          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: |-
-            share/container.tar
-            share/image-id.txt
+          path: share/container.tar
          fail-on-cache-miss: true

      - name: Build Dangerzone .deb
@ -336,7 +332,6 @@ jobs:
          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
          path: |-
            share/container.tar
-            share/image-id.txt
          fail-on-cache-miss: true

      - name: Build Dangerzone .rpm
@ -433,7 +428,6 @@ jobs:
          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
          path: |-
            share/container.tar
-            share/image-id.txt
          fail-on-cache-miss: true

      - name: Restore cached tessdata