almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

CI: Add an option to attach container signatures to the registry

Browse source 
The `build-push-image.yml` reusable workflow can generate keypairs and
sign the container images with them.

This is only used by the CI, to test that a valid signature is actually
detected as such.
This commit is contained in:
Alexis Métaireau 2025-04-22 17:45:53 +02:00
parent dce91eaa26
commit 11ff9f0f46
No known key found for this signature in database
GPG key ID: C65C7A89A8FFC56E
3 changed files with 56 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
.github/workflows/build-push-image.yml vendored
View file

@ -15,11 +15,21 @@ on:
reproduce: reproduce:
required: true required: true
type: boolean type: boolean
sign:
required: true
type: boolean
key_name:
required: false
type: string
default: "dangerzone-tests"
key_cache:
required: false
type: string
default: "v1-keypair-${{ github.ref_name }}" # unique for the branch / PR
secrets: secrets:
registry_token: registry_token:
required: true required: true
jobs: jobs:
lint: lint:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -73,6 +83,7 @@ jobs:
debian_archive_date: ${{ needs.prepare.outputs.debian_archive_date }} debian_archive_date: ${{ needs.prepare.outputs.debian_archive_date }}
source_date_epoch: ${{ needs.prepare.outputs.source_date_epoch }} source_date_epoch: ${{ needs.prepare.outputs.source_date_epoch }}
image: ${{ needs.prepare.outputs.image }} image: ${{ needs.prepare.outputs.image }}
tag: ${{ needs.prepare.outputs.tag }}
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -140,6 +151,7 @@ jobs:
debian_archive_date: ${{ needs.build.outputs.debian_archive_date }} debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
source_date_epoch: ${{ needs.build.outputs.source_date_epoch }} source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
image: ${{ needs.build.outputs.image }} image: ${{ needs.build.outputs.image }}
tag: ${{ needs.build.outputs.tag }}
digest_root: ${{ steps.image.outputs.digest_root }} digest_root: ${{ steps.image.outputs.digest_root }}
digest_amd64: ${{ steps.image.outputs.digest_amd64 }} digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
digest_arm64: ${{ steps.image.outputs.digest_arm64 }} digest_arm64: ${{ steps.image.outputs.digest_arm64 }}
@ -246,3 +258,30 @@ jobs:
--platform \ --platform \
linux/${{ matrix.platform.name }} \ linux/${{ matrix.platform.name }} \
${{ needs.merge.outputs[format('digest_{0}', matrix.platform.name)] }} ${{ needs.merge.outputs[format('digest_{0}', matrix.platform.name)] }}
sign:
if: ${{ inputs.sign }}
runs-on: "ubuntu-latest"
env:
COSIGN_PASSWORD: "password"
COSIGN_YES: true
needs:
- merge
# outputs: add signature location ?
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
- name: Check install
run: cosign version
- name: Generate keypair
run: |-
cosign generate-key-pair --output-key-prefix="${{ inputs.key_name }}"
- name: Cache keypair
uses: actions/cache@v4
with:
path: "${{ inputs.key_name }}.*"
key: ${{ inputs.key_cache }}
enableCrossOsArchive: true
- name: Sign container
run: |-
cosign sign --key dangerzone-test.key ${{ inputs.registry }}/${{ inputs.registry_user }}/${{ inputs.image_name }}:${{ needs.merge.outputs.tag }}@sha256:${{ needs.merge.outputs.digest_root }}

52
.github/workflows/ci.yml vendored
View file

@ -11,11 +11,10 @@ on:
permissions: permissions:
packages: write packages: write
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
env: env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
QT_SELECT: "qt6" QT_SELECT: "qt6"
# Disable multiple concurrent runs on the same branch # Disable multiple concurrent runs on the same branch
@ -45,35 +44,18 @@ jobs:
# This is already built daily by the "build.yml" file # This is already built daily by the "build.yml" file
# But we also want to include this in the checks that run on each push. # But we also want to include this in the checks that run on each push.
build-container-image: build-container-image:
runs-on: ubuntu-24.04 name: Build, push and sign container image
steps: uses: ./.github/workflows/build-push-image.yml
- uses: actions/checkout@v4 with:
with: registry: "ghcr.io/${{ github.repository_owner }}"
fetch-depth: 0 registry_user: ${{ github.actor }}
image_name: "dangerzone/dangerzone-staging"
- name: Get current date reproduce: false
id: date sign: true
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT key_name: "dangerzone-tests"
key_cache: "v1-test-keypair-${{ github.ref_name }}"
- name: Cache container image secrets:
id: cache-container-image registry_token: ${{ secrets.GITHUB_TOKEN }}
uses: actions/cache@v4
with:
key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
path: |-
share/container.tar
share/image-id.txt
- name: Build Dangerzone container image
if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
run: |
python3 ./install/common/build-image.py
- name: Upload container image
uses: actions/upload-artifact@v4
with:
name: container.tar
path: share/container.tar
download-tessdata: download-tessdata:
name: Download and cache Tesseract data name: Download and cache Tesseract data
@ -227,9 +209,7 @@ jobs:
uses: actions/cache/restore@v4 uses: actions/cache/restore@v4
with: with:
key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }} key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
path: |- path: share/container.tar
share/container.tar
share/image-id.txt
fail-on-cache-miss: true fail-on-cache-miss: true
- name: Build Dangerzone .deb - name: Build Dangerzone .deb
@ -336,7 +316,6 @@ jobs:
key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }} key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
path: |- path: |-
share/container.tar share/container.tar
share/image-id.txt
fail-on-cache-miss: true fail-on-cache-miss: true
- name: Build Dangerzone .rpm - name: Build Dangerzone .rpm
@ -433,7 +412,6 @@ jobs:
key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }} key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
path: |- path: |-
share/container.tar share/container.tar
share/image-id.txt
fail-on-cache-miss: true fail-on-cache-miss: true
- name: Restore cached tessdata - name: Restore cached tessdata

1
.github/workflows/release-container-image.yml vendored
View file

@ -18,5 +18,6 @@ jobs:
registry_user: ${{ github.actor }} registry_user: ${{ github.actor }}
image_name: dangerzone/dangerzone image_name: dangerzone/dangerzone
reproduce: true reproduce: true
sign: false
secrets: secrets:
registry_token: ${{ secrets.GITHUB_TOKEN }} registry_token: ${{ secrets.GITHUB_TOKEN }}