From 93b95dbb59ac21a5f4263566e1ee895dd9a9f412 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Wed, 27 Nov 2024 14:44:05 +0100
Subject: [PATCH 1/6] Build: Use Github runners to build and sign container images on new tags
---
 .github/workflows/release-container-image.yml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/release-container-image.yml
diff --git a/.github/workflows/release-container-image.yml b/.github/workflows/release-container-image.yml
new file mode 100644
index 0000000..be05626
--- /dev/null
+++ b/.github/workflows/release-container-image.yml
@@ -0,0 +1,56 @@
+# This action listens on new tags, generates a new container image
+# sign it and upload it to the container registry.
+
+name: Release container image
+on:
+ push:
+ tags:
+ - "container-image/**"
+ branches:
+ - "test/image-**"
+ workflow_dispatch:
+
+permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
+
+env:
+ REGISTRY: ghcr.io/${{ github.repository_owner }}
+ REGISTRY_USER: ${{ github.actor }}
+ REGISTRY_PASSWORD: ${{ github.token }}
+ IMAGE_NAME: dangerzone/dangerzone
+
+jobs:
+ build-container-image:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: USERNAME
+ password: ${{ github.token }}
+
+ - name: Build and push the dangerzone image
+ id: build-image
+ run: |
+ sudo apt-get install -y python3-poetry
+ python3 ./install/common/build-image.py
+ echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+
+ # Load the image with the final name directly
+ gunzip -c share/container.tar.gz | podman load
+ FINAL_IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+ podman tag dangerzone.rocks/dangerzone "$FINAL_IMAGE_NAME"
+ podman push "$FINAL_IMAGE_NAME" --digestfile=digest
+ echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT"
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: "${{ steps.build-image.outputs.digest }}"
+ push-to-registry: true
From 1ec51c7b4cc9f1d6375c1a1fb66094a5f561960b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Mon, 20 Jan 2025 14:25:26 +0100
Subject: [PATCH 2/6] Checkout with depth:0 otherwise git commands aren't functional
---
 .github/workflows/release-container-image.yml | 3 +++
 1 file changed, 3 insertions(+)
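Review bot: The `branches: test/image-**` trigger runs exactly the same push-and-attest job as a release tag, so a push to a test branch publishes `ghcr.io/<owner>/dangerzone/dangerzone` under the default `latest` tag (the `podman tag`/`podman push` lines use an untagged `$FINAL_IMAGE_NAME`) and signs a provenance attestation for it that is indistinguishable from a release build. Gate the build and attestation steps on the ref, e.g. `if: startsWith(github.ref, 'refs/tags/container-image/')`, or push test builds under a distinct tag. The `env` block defines `REGISTRY_USER` and `REGISTRY_PASSWORD` but neither is used: the login step hard-codes `username: USERNAME` and re-reads `github.token`, and the `run:` block then performs a second `podman login` for the same registry with the same token, so one login path should be chosen and the dead variables dropped. Because this workflow holds `id-token: write` and signs release artifacts, the third-party actions (`actions/checkout@v4`, `docker/login-action@v3`, `actions/attest-build-provenance@v1`) are better pinned to full commit SHAs (`uses: actions/checkout@<commit-sha>  # vX.Y.Z`) than to mutable major-version tags. `sudo apt-get install -y python3-poetry` also runs without a preceding `sudo apt-get update`, which can fail on a stale package index.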
diff --git a/.github/workflows/release-container-image.yml b/.github/workflows/release-container-image.yml
index be05626..9947284 100644
--- a/.github/workflows/release-container-image.yml
+++ b/.github/workflows/release-container-image.yml
@@ -27,6 +27,9 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v3
 with:
From 033e8fef884110e245e318c57989724b7e9755f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Mon, 20 Jan 2025 14:46:51 +0100
Subject: [PATCH 3/6] Get the tag from git before retagging it
---
 .github/workflows/release-container-image.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-container-image.yml b/.github/workflows/release-container-image.yml
index 9947284..7177e93 100644
--- a/.github/workflows/release-container-image.yml
+++ b/.github/workflows/release-container-image.yml
@@ -47,7 +47,8 @@ jobs:
 # Load the image with the final name directly
 gunzip -c share/container.tar.gz | podman load
 FINAL_IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
- podman tag dangerzone.rocks/dangerzone "$FINAL_IMAGE_NAME"
+ TAG=$(git describe --long --first-parent | tail -c +2)
+ podman tag dangerzone.rocks/dangerzone:$TAG "$FINAL_IMAGE_NAME"
 podman push "$FINAL_IMAGE_NAME" --digestfile=digest
 echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT"
From 74f4fbbbdeb1dc5f2a4f09388a88c5b2eeecd5ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Mon, 20 Jan 2025 15:16:13 +0100
Subject: [PATCH 4/6] Add the tag to the subject
---
 .github/workflows/release-container-image.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-container-image.yml b/.github/workflows/release-container-image.yml
index 7177e93..752c27f 100644
--- a/.github/workflows/release-container-image.yml
+++ b/.github/workflows/release-container-image.yml
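Review bot: In the PATCH 3/6 hunk, `tail -c +2` drops the first character of the `git describe` output unconditionally, which presumably strips a leading `v` from the tag name, and the resulting `$TAG` is expanded unquoted in `podman tag dangerzone.rocks/dangerzone:$TAG "$FINAL_IMAGE_NAME"`. Quote it (`podman tag "dangerzone.rocks/dangerzone:$TAG" "$FINAL_IMAGE_NAME"`) and state the assumption in a comment, e.g. `# strip the leading "v"; must match the tag that install/common/build-image.py applies`, since the step only works if build-image.py (not in this patch) names the image with the same string and will fail at `podman tag` if the two derivations diverge. Note that with `--long`, `git describe` always appends `-<n>-g<sha>`, so even a build on the tagged commit yields something like `0.8.0-0-g<sha>` rather than the bare version (constructed example); if a bare version is expected, drop `--long` or post-process the output. The enclosing `run:` block starts and ends outside the hunk.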
@@ -51,10 +51,11 @@ jobs:
 podman tag dangerzone.rocks/dangerzone:$TAG "$FINAL_IMAGE_NAME"
 podman push "$FINAL_IMAGE_NAME" --digestfile=digest
 echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT"
+ echo "tag=$TAG" >> "$GITHUB_OUTPUT"
 - name: Generate artifact attestation
 uses: actions/attest-build-provenance@v1
 with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.build-image.outputs.tag }}
 subject-digest: "${{ steps.build-image.outputs.digest }}"
 push-to-registry: true
From 02fb6c07a4076ceab8749e50bc158e6c051f1fe7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Mon, 20 Jan 2025 15:25:51 +0100
Subject: [PATCH 5/6] Remove the tag from the attestation, what we attest is the hash, so no need for it
---
 .github/workflows/release-container-image.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/release-container-image.yml b/.github/workflows/release-container-image.yml
index 752c27f..7177e93 100644
--- a/.github/workflows/release-container-image.yml
+++ b/.github/workflows/release-container-image.yml
@@ -51,11 +51,10 @@ jobs:
 podman tag dangerzone.rocks/dangerzone:$TAG "$FINAL_IMAGE_NAME"
 podman push "$FINAL_IMAGE_NAME" --digestfile=digest
 echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT"
- echo "tag=$TAG" >> "$GITHUB_OUTPUT"
 - name: Generate artifact attestation
 uses: actions/attest-build-provenance@v1
 with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.build-image.outputs.tag }}
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 subject-digest: "${{ steps.build-image.outputs.digest }}"
 push-to-registry: true
From 3f560fd29adb2f8e479ce4df9c0c43d1d76bf119 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Mon, 20 Jan 2025 16:02:18 +0100
Subject: [PATCH 6/6] Add logs
---
 .github/workflows/release-container-image.yml | 3 +++
 1 file changed, 3 insertions(+)
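Review bot: In the PATCH 5/6 hunk, once the `tag` output is removed the version computed in the build step is never published: `podman push "$FINAL_IMAGE_NAME" --digestfile=digest` pushes the untagged name, so every run — release tag or `test/image-**` branch — re-points `latest` at its image, and `$TAG` only ever exists inside the runner. The attestation is bound to the digest, as the commit message says, so signing is unaffected, but consumers cannot pull a release by version and the next run silently moves `latest` to a different image. Pushing the versioned reference as well, `podman tag "$FINAL_IMAGE_NAME" "$FINAL_IMAGE_NAME:$TAG"` followed by `podman push "$FINAL_IMAGE_NAME:$TAG"`, leaves the digest (and therefore the attestation subject) unchanged while giving the registry a stable name. The same observation applies to the PATCH 4/6 hunk above, which this patch reverts. The enclosing `run:` block starts outside the hunk.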
diff --git a/.github/workflows/release-container-image.yml b/.github/workflows/release-container-image.yml
index 7177e93..0995261 100644
--- a/.github/workflows/release-container-image.yml
+++ b/.github/workflows/release-container-image.yml
@@ -29,6 +29,9 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ - name: Check it's working
+ run: |
+ git describe --long --first-parent
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v3
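Review bot: The added `Check it's working` step only prints `git describe --long --first-parent`, which the build step recomputes a few lines further down; if it is meant to stay, name it for what it shows, e.g. `- name: Show the git describe output used for the image tag`, and if it was a debugging aid it should be dropped before merge. Note that `git describe` exits non-zero when no tag is reachable from the checked-out commit, so on a `test/image-**` branch with no tags in its history this step fails the job before anything is built — useful as an early check, but then the step name should say so.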