Merge b78f30527c into 83be5fb151

Add image_uri output in the build-push-image workflow
And use it when getting the container image to build `.rpm` and `.deb` packages.
2025-04-28 18:02:38 +02:00 · 2025-04-25 15:24:56 +00:00 · 2025-04-25 17:24:33 +02:00 · 2025-04-25 17:24:33 +02:00
2 changed files with 27 additions and 7 deletions
--- a/.github/workflows/build-push-image.yml
+++ b/.github/workflows/build-push-image.yml
@ -29,6 +29,10 @@ on:
    secrets:
      registry_token:
        required: true
    outputs:
      image_uri:
        description: "The published container image location, with the tag and checksum"
        value: ${{ jobs.merge.outputs.image_uri }}
 jobs:
  lint:
@ -71,7 +75,7 @@ jobs:
          echo "debian_archive_date=${DEBIAN_ARCHIVE_DATE}" >> $GITHUB_OUTPUT
          echo "source_date_epoch=${SOURCE_DATE_EPOCH}" >> $GITHUB_OUTPUT
-          echo "tag=${DEBIAN_ARCHIVE_DATE}-${TAG}" >> $GITHUB_OUTPUT
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
          echo "full_image_name=${FULL_IMAGE_NAME}" >> $GITHUB_OUTPUT
          echo "buildkit_image=${BUILDKIT_IMAGE}" >> $GITHUB_OUTPUT
@ -152,6 +156,7 @@ jobs:
      debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
      source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
      image: ${{ needs.build.outputs.image }}
      image_uri: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.build.outputs.tag }}@${{ steps.image.outputs.digest_root }}"
      tag: ${{ needs.build.outputs.tag }}
      digest_root: ${{ steps.image.outputs.digest_root }}
      digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
@ -285,6 +290,16 @@ jobs:
          path: "${{ inputs.key_name }}.*"
          key: ${{ inputs.key_cache }}
          enableCrossOsArchive: true
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ inputs.registry_user }}
          password: ${{ secrets.registry_token }}
      - name: Sign container
        run: |-
-          cosign sign --key ${{ inputs.key_name }}.key ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.merge.outputs.tag }}@${{ needs.merge.outputs.digest_root }}
+          export IMAGE_URI="${{ needs.merge.image_uri }}"
          cosign sign --yes --key=${{ inputs.key_name }}.key "$IMAGE_URI"
        shell: bash
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -205,13 +205,18 @@ jobs:
        id: date
        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
-      - name: Restore container cache
+      - name: Install Cosign
-        uses: actions/cache/restore@v4
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
        with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
+          cosign-release: 'v2.5.0'
          path: share/container.tar
          fail-on-cache-miss: true
      - name: Get the container image from the registry
        run: |-
          cosign save ${{ needs.build-container-image.outputs.image_uri }} --dir tmp
          cd tmp
          tar -cvf ../share/container.tar
          cd ..
      - name: Build Dangerzone .deb
        run: |
          ./dev_scripts/env.py --distro ${{ matrix.distro }} \
Author	SHA1	Message	Date
Alexis Métaireau	202e406539	Merge `b78f30527c` into `83be5fb151`	2025-04-25 15:24:56 +00:00
Alexis Métaireau	b78f30527c	Add image_uri output in the build-push-image workflow And use it when getting the container image to build `.rpm` and `.deb` packages.	2025-04-25 17:24:33 +02:00
Alexis Métaireau	59d3bba835	CI: Add an option to attach container signatures to the registry The `build-push-image.yml` reusable workflow can generate keypairs and sign the container images with them. This is only used by the CI, to test that a valid signature is actually detected as such.	2025-04-25 17:24:33 +02:00