CI: Get and cache the signed container image

2025-04-29 10:12:38 +02:00 · 2025-04-25 17:50:32 +02:00 · 2025-04-25 17:50:32 +02:00 · b77583b95a
commit b77583b95a
parent b78f30527c
2 changed files with 32 additions and 18 deletions
--- a/.github/workflows/build-push-image.yml
+++ b/.github/workflows/build-push-image.yml
@ -271,6 +271,7 @@ jobs:
    env:
      COSIGN_PASSWORD: "password"
      COSIGN_YES: true
+      IMAGE_URI: ${{ needs.merge.outputs.image_uri }}
    needs:
      - merge
    # outputs: add signature location ?
@ -300,6 +301,22 @@ jobs:

      - name: Sign container
        run: |-
-          export IMAGE_URI="${{ needs.merge.image_uri }}"
+          export IMAGE_URI="${{ needs.merge.outputs.image_uri }}"
          cosign sign --yes --key=${{ inputs.key_name }}.key "$IMAGE_URI"
        shell: bash
+
+      - name: Get the container image from the registry
+        # It contains the image and the signatures
+        run: |-
+          cosign save ${{ needs.merge.outputs.image_uri }} --dir tmp
+          cd tmp
+          tar -cvf ../share/container.tar
+          cd ..
+
+      - name: Cache container image
+        id: cache-container-image
+        uses: actions/cache@v4
+        with:
+          key: v6-container-${{ needs.merge.outputs.image_uri }}
+          path: |-
+            share/container.tar
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -205,17 +205,14 @@ jobs:
        id: date
        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

-      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
-        with:
-          cosign-release: 'v2.5.0'
      
-      - name: Get the container image from the registry
-        run: |-
-          cosign save ${{ needs.build-container-image.outputs.image_uri }} --dir tmp
-          cd tmp
-          tar -cvf ../share/container.tar
-          cd ..
+      - name: Restore container image
+        uses: actions/cache/restore@v4
+        with:
+          path: share/container.tar
+          enableCrossOsArchive: true
+          fail-on-cache-miss: true
+          key: v6-container-${{ needs.build-container-image.outputs.image_uri }}

      - name: Build Dangerzone .deb
        run: |
@ -318,10 +315,10 @@ jobs:
      - name: Restore container image
        uses: actions/cache/restore@v4
        with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: |-
-            share/container.tar
+          path: share/container.tar
+          enableCrossOsArchive: true
          fail-on-cache-miss: true
+          key: v6-container-${{ needs.build-container-image.outputs.image_uri }}

      - name: Build Dangerzone .rpm
        run: |
@ -414,10 +411,10 @@ jobs:
      - name: Restore container image
        uses: actions/cache/restore@v4
        with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: |-
-            share/container.tar
+          path: share/container.tar
+          enableCrossOsArchive: true
          fail-on-cache-miss: true
+          key: v6-container-${{ needs.build-container-image.outputs.image_uri }}

      - name: Restore cached tessdata
        uses: actions/cache/restore@v4