From b12334305db1f0a46cbedb0e1d2b4cb5028030b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Wed, 27 Nov 2024 14:44:05 +0100
Subject: [PATCH] Build: Use Github runners to build and sign container images on new tags

---
 .github/workflows/release-container-image.yml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/release-container-image.yml

diff --git a/.github/workflows/release-container-image.yml b/.github/workflows/release-container-image.yml
new file mode 100644
index 0000000..83f51bd
--- /dev/null
+++ b/.github/workflows/release-container-image.yml
@@ -0,0 +1,49 @@
+# This action listens on new tags, generates a new container image
+# sign it and upload it to the container registry.
+
+name: Publish container image
+on:
+  push:
+    tags:
+      - "container-image/**"
+    branches:
+      - "test/image-**"
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+  packages: write
+
+env:
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+  IMAGE_NAME: dangerzone/dangerzone
+
+jobs:
+  build-container-image:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build and push the dangerzone image
+        id: build-image
+        run: |
+          sudo apt-get install -y python3-poetry
+          python3 ./install/common/build-image.py
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+          gunzip -c share/container.tar.gz | podman load
+          podman push \
+            dangerzone.rocks/dangerzone \
+            ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          DIGEST=$(podman images --filter "id=dangerzone.rocks/dangerzone" --format "{{ .Digest }}")
+          echo ${DIGEST}
+          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: "${{ steps.build-image.outputs.digest }}"
+          push-to-registry: true
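Review bot: The digest handed to the attestation step is read back from the local image store (`podman images --filter "id=dangerzone.rocks/dangerzone" --format "{{ .Digest }}"`) rather than from what the registry actually received, so the provenance can end up bound to a digest that differs from the one consumers pull (the push may re-encode layers and produce a different manifest), and the `id=` filter appears to key on the image ID rather than a name, so the lookup may come back empty and an empty `subject-digest` is attested without the step failing. Capture the registry-side digest from the push itself: `podman push --digestfile "$RUNNER_TEMP/digest" dangerzone.rocks/dangerzone "${IMAGE_REGISTRY}/${IMAGE_NAME}"` followed by `DIGEST=$(cat "$RUNNER_TEMP/digest"); test -n "$DIGEST"`. Relatedly, the `test/image-**` branch trigger runs with `packages: write` and pushes to the same image name as release tags with no explicit tag (presumably `latest`), so a push to any such branch would overwrite the published image with a freshly attested build; consider a distinct image name or tag for test branches. Minor: `REGISTRY_USER` and `REGISTRY_PASSWORD` are defined in `env` but unused, while the login line interpolates `${{ github.token }}` straight into the shell and hard-codes `-u USERNAME`; prefer `echo "$REGISTRY_PASSWORD" | podman login ghcr.io -u "$REGISTRY_USER" --password-stdin`, and pin `actions/checkout` and `actions/attest-build-provenance` to commit SHAs rather than mutable major tags for a release-signing workflow.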