Merge b78f30527c into 83be5fb151

Add image_uri output in the build-push-image workflow
And use it when getting the container image to build `.rpm` and `.deb` packages.
2025-04-28 09:52:37 +02:00 · 2025-04-25 15:24:56 +00:00 · 2025-04-25 17:24:33 +02:00 · 2025-04-25 17:24:33 +02:00
2 changed files with 27 additions and 7 deletions
--- a/.github/workflows/build-push-image.yml
+++ b/.github/workflows/build-push-image.yml
@ -29,6 +29,10 @@ on:
    secrets:
      registry_token:
        required: true
+    outputs:
+      image_uri:
+        description: "The published container image location, with the tag and checksum"
+        value: ${{ jobs.merge.outputs.image_uri }}

 jobs:
  lint:
@ -71,7 +75,7 @@ jobs:

          echo "debian_archive_date=${DEBIAN_ARCHIVE_DATE}" >> $GITHUB_OUTPUT
          echo "source_date_epoch=${SOURCE_DATE_EPOCH}" >> $GITHUB_OUTPUT
-          echo "tag=${DEBIAN_ARCHIVE_DATE}-${TAG}" >> $GITHUB_OUTPUT
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
          echo "full_image_name=${FULL_IMAGE_NAME}" >> $GITHUB_OUTPUT
          echo "buildkit_image=${BUILDKIT_IMAGE}" >> $GITHUB_OUTPUT

@ -152,6 +156,7 @@ jobs:
      debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
      source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
      image: ${{ needs.build.outputs.image }}
+      image_uri: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.build.outputs.tag }}@${{ steps.image.outputs.digest_root }}"
      tag: ${{ needs.build.outputs.tag }}
      digest_root: ${{ steps.image.outputs.digest_root }}
      digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
@ -285,6 +290,16 @@ jobs:
          path: "${{ inputs.key_name }}.*"
          key: ${{ inputs.key_cache }}
          enableCrossOsArchive: true
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ inputs.registry_user }}
+          password: ${{ secrets.registry_token }}
+
      - name: Sign container
        run: |-
-          cosign sign --key ${{ inputs.key_name }}.key ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.merge.outputs.tag }}@${{ needs.merge.outputs.digest_root }}
+          export IMAGE_URI="${{ needs.merge.image_uri }}"
+          cosign sign --yes --key=${{ inputs.key_name }}.key "$IMAGE_URI"
+        shell: bash
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -205,13 +205,18 @@ jobs:
        id: date
        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

-      - name: Restore container cache
-        uses: actions/cache/restore@v4
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
        with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: share/container.tar
-          fail-on-cache-miss: true
+          cosign-release: 'v2.5.0'

+      - name: Get the container image from the registry
+        run: |-
+          cosign save ${{ needs.build-container-image.outputs.image_uri }} --dir tmp
+          cd tmp
+          tar -cvf ../share/container.tar
+          cd ..
+      
      - name: Build Dangerzone .deb
        run: |
          ./dev_scripts/env.py --distro ${{ matrix.distro }} \
Author	SHA1	Message	Date
Alexis Métaireau	202e406539	Merge `b78f30527c` into `83be5fb151`	2025-04-25 15:24:56 +00:00
Alexis Métaireau	b78f30527c	Add image_uri output in the build-push-image workflow And use it when getting the container image to build `.rpm` and `.deb` packages.	2025-04-25 17:24:33 +02:00
Alexis Métaireau	59d3bba835	CI: Add an option to attach container signatures to the registry The `build-push-image.yml` reusable workflow can generate keypairs and sign the container images with them. This is only used by the CI, to test that a valid signature is actually detected as such.	2025-04-25 17:24:33 +02:00