Merge 11ff9f0f46 into 83be5fb151

The `build-push-image.yml` reusable workflow can generate keypairs and
sign the container images with them.

This is only used by the CI, to test that a valid signature is actually
detected as such.

.github/workflows/build-push-image.yml

@@ -15,11 +15,21 @@ on:
       reproduce:
         required: true
         type: boolean
+      sign:
+        required: true
+        type: boolean
+      key_name:
+        required: false
+        type: string
+        default: "dangerzone-tests"
+      key_cache:
+        required: false
+        type: string
+        default: "v1-keypair-${{ github.ref_name }}" # unique for the branch / PR
     secrets:
       registry_token:
         required: true
 
-
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -73,6 +83,7 @@ jobs:
       debian_archive_date: ${{ needs.prepare.outputs.debian_archive_date }}
       source_date_epoch: ${{ needs.prepare.outputs.source_date_epoch }}
       image: ${{ needs.prepare.outputs.image }}
+      tag: ${{ needs.prepare.outputs.tag }}
     strategy:
       fail-fast: false
       matrix:
@@ -140,6 +151,7 @@ jobs:
       debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
       source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
       image: ${{ needs.build.outputs.image }}
+      tag: ${{ needs.build.outputs.tag }}
       digest_root: ${{ steps.image.outputs.digest_root }}
       digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
       digest_arm64: ${{ steps.image.outputs.digest_arm64 }}
@@ -246,3 +258,30 @@ jobs:
             --platform \
             linux/${{ matrix.platform.name }} \
             ${{ needs.merge.outputs[format('digest_{0}', matrix.platform.name)] }}
+
+  sign:
+    if: ${{ inputs.sign }}
+    runs-on: "ubuntu-latest"
+    env:
+      COSIGN_PASSWORD: "password"
+      COSIGN_YES: true
+    needs:
+      - merge
+    # outputs: add signature location ?
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
+      - name: Check install
+        run: cosign version
+      - name: Generate keypair
+        run: |-
+          cosign generate-key-pair --output-key-prefix="${{ inputs.key_name }}"
+      - name: Cache keypair
+        uses: actions/cache@v4
+        with:
+          path: "${{ inputs.key_name }}.*"
+          key: ${{ inputs.key_cache }}
+          enableCrossOsArchive: true
+      - name: Sign container
+        run: |-
+          cosign sign --key dangerzone-test.key ${{ inputs.registry }}/${{ inputs.registry_user }}/${{ inputs.image_name }}:${{ needs.merge.outputs.tag }}@sha256:${{ needs.merge.outputs.digest_root }}

.github/workflows/ci.yml

@@ -11,12 +11,10 @@ on:
 
 permissions:
   packages: write
+  actions: read # for detecting the Github Actions environment.
+  id-token: write # for creating OIDC tokens for signing.
 
 env:
-  REGISTRY_USER: ${{ github.actor }}
-  REGISTRY_PASSWORD: ${{ github.token }}
-  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
-  IMAGE_NAME: dangerzone/dangerzone-staging
   QT_SELECT: "qt6"
 
 # Disable multiple concurrent runs on the same branch
@@ -47,32 +45,18 @@ jobs:
   # But we also want to include this in the checks that run on each push.
   build-container-image:
     name: Build, push and sign container image
-    runs-on: ubuntu-latest
+    uses: ./.github/workflows/build-push-image.yml
-    steps:
+    with:
-      - uses: ./.github/workflows/build-push-image.yml
+      registry: "ghcr.io/${{ github.repository_owner }}"
-        id: build-push
+      registry_user: ${{ github.actor }}
-        with:
+      image_name: "dangerzone/dangerzone-staging"
-          registry: ${{ env.IMAGE_REGISTRY }}
+      reproduce: false
-          registry_user: ${{ env.REGISTRY_USER }}
+      sign: true
-          image_name: ${{ env.IMAGE_NAME }}
+      key_name: "dangerzone-tests"
-          reproduce: false
+      key_cache: "v1-test-keypair-${{ github.ref_name }}"
-          registry_token: ${{ secrets.GITHUB_TOKEN }}
+    secrets:
+      registry_token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.8.1
-      - name: Generate keypair
-        run: |-
-          echo "password"
-          | cosign generate-key-pair --output-key-prefix="dangerzone-tests"
-      - name: Cache keypair
-        uses: actions/cache@v4
-        with:
-          path: "dangerzone-tests.*"
-          key: v1-test-keypair-${{ github.ref_name }}
-          enableCrossOsArchive: true
-      - name: Sign container
-        run: |-
-          cosign sign --key dangerzone-test.key ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ steps.build-push.outputs.tag}}@sha256:${{ steps.build-push.outputs.digest_root }}
   download-tessdata:
     name: Download and cache Tesseract data
     runs-on: ubuntu-latest

.github/workflows/release-container-image.yml

@@ -18,5 +18,6 @@ jobs:
       registry_user: ${{ github.actor }}
       image_name: dangerzone/dangerzone
       reproduce: true
+      sign: false
     secrets:
       registry_token: ${{ secrets.GITHUB_TOKEN }}