Add image_uri output in the build-push-image workflow

And use it when getting the container image to build `.rpm` and `.deb` packages.

.github/workflows/build-push-image.yml

@@ -15,10 +15,24 @@ on:
       reproduce:
         required: true
         type: boolean
+      sign:
+        required: true
+        type: boolean
+      key_name:
+        required: false
+        type: string
+        default: "dangerzone-tests"
+      key_cache:
+        required: false
+        type: string
+        default: "v1-keypair-${{ github.ref_name }}" # unique for the branch / PR
     secrets:
       registry_token:
         required: true
-
+    outputs:
+      image_uri:
+        description: "The published container image location, with the tag and checksum"
+        value: ${{ jobs.merge.outputs.image_uri }}
 
 jobs:
   lint:
@@ -44,6 +58,7 @@ jobs:
       debian_archive_date: ${{ steps.params.outputs.debian_archive_date }}
       source_date_epoch: ${{ steps.params.outputs.source_date_epoch }}
       image: ${{ steps.params.outputs.full_image_name }}
+      tag: ${{ steps.params.outputs.tag }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -60,7 +75,7 @@ jobs:
 
           echo "debian_archive_date=${DEBIAN_ARCHIVE_DATE}" >> $GITHUB_OUTPUT
           echo "source_date_epoch=${SOURCE_DATE_EPOCH}" >> $GITHUB_OUTPUT
-          echo "tag=${DEBIAN_ARCHIVE_DATE}-${TAG}" >> $GITHUB_OUTPUT
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
           echo "full_image_name=${FULL_IMAGE_NAME}" >> $GITHUB_OUTPUT
           echo "buildkit_image=${BUILDKIT_IMAGE}" >> $GITHUB_OUTPUT
 
@@ -73,6 +88,7 @@ jobs:
       debian_archive_date: ${{ needs.prepare.outputs.debian_archive_date }}
       source_date_epoch: ${{ needs.prepare.outputs.source_date_epoch }}
       image: ${{ needs.prepare.outputs.image }}
+      tag: ${{ needs.prepare.outputs.tag }}
     strategy:
       fail-fast: false
       matrix:
@@ -140,6 +156,8 @@ jobs:
       debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
       source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
       image: ${{ needs.build.outputs.image }}
+      image_uri: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.build.outputs.tag }}@${{ steps.image.outputs.digest_root }}"
+      tag: ${{ needs.build.outputs.tag }}
       digest_root: ${{ steps.image.outputs.digest_root }}
       digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
       digest_arm64: ${{ steps.image.outputs.digest_arm64 }}
@@ -246,3 +264,42 @@ jobs:
             --platform \
             linux/${{ matrix.platform.name }} \
             ${{ needs.merge.outputs[format('digest_{0}', matrix.platform.name)] }}
+
+  sign:
+    if: ${{ inputs.sign }}
+    runs-on: "ubuntu-latest"
+    env:
+      COSIGN_PASSWORD: "password"
+      COSIGN_YES: true
+    needs:
+      - merge
+    # outputs: add signature location ?
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
+        with:
+          cosign-release: 'v2.5.0'
+      - name: Check install
+        run: cosign version
+      - name: Generate keypair
+        run: |-
+          cosign generate-key-pair --output-key-prefix="${{ inputs.key_name }}"
+      - name: Cache keypair
+        uses: actions/cache@v4
+        with:
+          path: "${{ inputs.key_name }}.*"
+          key: ${{ inputs.key_cache }}
+          enableCrossOsArchive: true
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ inputs.registry_user }}
+          password: ${{ secrets.registry_token }}
+
+      - name: Sign container
+        run: |-
+          export IMAGE_URI="${{ needs.merge.image_uri }}"
+          cosign sign --yes --key=${{ inputs.key_name }}.key "$IMAGE_URI"
+        shell: bash

.github/workflows/ci.yml

@@ -11,11 +11,10 @@ on:
 
 permissions:
   packages: write
+  actions: read # for detecting the Github Actions environment.
+  id-token: write # for creating OIDC tokens for signing.
 
 env:
-  REGISTRY_USER: ${{ github.actor }}
-  REGISTRY_PASSWORD: ${{ github.token }}
-  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
   QT_SELECT: "qt6"
 
 # Disable multiple concurrent runs on the same branch
@@ -45,35 +44,18 @@ jobs:
   # This is already built daily by the "build.yml" file
   # But we also want to include this in the checks that run on each push.
   build-container-image:
-    runs-on: ubuntu-24.04
+    name: Build, push and sign container image
-    steps:
+    uses: ./.github/workflows/build-push-image.yml
-      - uses: actions/checkout@v4
+    with:
-        with:
+      registry: "ghcr.io/${{ github.repository_owner }}"
-          fetch-depth: 0
+      registry_user: ${{ github.actor }}
-
+      image_name: "dangerzone/dangerzone-staging"
-      - name: Get current date
+      reproduce: false
-        id: date
+      sign: true
-        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+      key_name: "dangerzone-tests"
-
+      key_cache: "v1-test-keypair-${{ github.ref_name }}"
-      - name: Cache container image
+    secrets:
-        id: cache-container-image
+      registry_token: ${{ secrets.GITHUB_TOKEN }}
-        uses: actions/cache@v4
-        with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: |-
-            share/container.tar
-            share/image-id.txt
-
-      - name: Build Dangerzone container image
-        if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
-        run: |
-          python3 ./install/common/build-image.py
-
-      - name: Upload container image
-        uses: actions/upload-artifact@v4
-        with:
-          name: container.tar
-          path: share/container.tar
 
   download-tessdata:
     name: Download and cache Tesseract data
@@ -223,15 +205,18 @@ jobs:
         id: date
         run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
 
-      - name: Restore container cache
+      - name: Install Cosign
-        uses: actions/cache/restore@v4
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
         with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
+          cosign-release: 'v2.5.0'
-          path: |-
-            share/container.tar
-            share/image-id.txt
-          fail-on-cache-miss: true
 
+      - name: Get the container image from the registry
+        run: |-
+          cosign save ${{ needs.build-container-image.outputs.image_uri }} --dir tmp
+          cd tmp
+          tar -cvf ../share/container.tar
+          cd ..
+      
       - name: Build Dangerzone .deb
         run: |
           ./dev_scripts/env.py --distro ${{ matrix.distro }} \
@@ -336,7 +321,6 @@ jobs:
           key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
           path: |-
             share/container.tar
-            share/image-id.txt
           fail-on-cache-miss: true
 
       - name: Build Dangerzone .rpm
@@ -433,7 +417,6 @@ jobs:
           key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
           path: |-
             share/container.tar
-            share/image-id.txt
           fail-on-cache-miss: true
 
       - name: Restore cached tessdata

.github/workflows/release-container-image.yml

@@ -18,5 +18,6 @@ jobs:
       registry_user: ${{ github.actor }}
       image_name: dangerzone/dangerzone
       reproduce: true
+      sign: false
     secrets:
       registry_token: ${{ secrets.GITHUB_TOKEN }}