Add image_uri output in the build-push-image workflow

And use it when getting the container image to build `.rpm` and `.deb` packages.
CI: Add an option to attach container signatures to the registry
2025-04-28 18:02:38 +02:00 · 2025-04-25 17:24:33 +02:00 · 2025-04-25 17:24:33 +02:00
2 changed files with 27 additions and 7 deletions
--- a/.github/workflows/build-push-image.yml
+++ b/.github/workflows/build-push-image.yml
@ -29,6 +29,10 @@ on:
    secrets:
      registry_token:
        required: true
+    outputs:
+      image_uri:
+        description: "The published container image location, with the tag and checksum"
+        value: ${{ jobs.merge.outputs.image_uri }}

 jobs:
  lint:
@ -71,7 +75,7 @@ jobs:

          echo "debian_archive_date=${DEBIAN_ARCHIVE_DATE}" >> $GITHUB_OUTPUT
          echo "source_date_epoch=${SOURCE_DATE_EPOCH}" >> $GITHUB_OUTPUT
-          echo "tag=${DEBIAN_ARCHIVE_DATE}-${TAG}" >> $GITHUB_OUTPUT
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
          echo "full_image_name=${FULL_IMAGE_NAME}" >> $GITHUB_OUTPUT
          echo "buildkit_image=${BUILDKIT_IMAGE}" >> $GITHUB_OUTPUT

@ -152,6 +156,7 @@ jobs:
      debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
      source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
      image: ${{ needs.build.outputs.image }}
+      image_uri: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.build.outputs.tag }}@${{ steps.image.outputs.digest_root }}"
      tag: ${{ needs.build.outputs.tag }}
      digest_root: ${{ steps.image.outputs.digest_root }}
      digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
@ -285,6 +290,16 @@ jobs:
          path: "${{ inputs.key_name }}.*"
          key: ${{ inputs.key_cache }}
          enableCrossOsArchive: true
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ inputs.registry_user }}
+          password: ${{ secrets.registry_token }}
+
      - name: Sign container
        run: |-
-          cosign sign --key ${{ inputs.key_name }}.key ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.merge.outputs.tag }}@${{ needs.merge.outputs.digest_root }}
+          export IMAGE_URI="${{ needs.merge.image_uri }}"
+          cosign sign --yes --key=${{ inputs.key_name }}.key "$IMAGE_URI"
+        shell: bash
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -205,12 +205,17 @@ jobs:
        id: date
        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

-      - name: Restore container cache
-        uses: actions/cache/restore@v4
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
        with:
-          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-          path: share/container.tar
-          fail-on-cache-miss: true
+          cosign-release: 'v2.5.0'
+
+      - name: Get the container image from the registry
+        run: |-
+          cosign save ${{ needs.build-container-image.outputs.image_uri }} --dir tmp
+          cd tmp
+          tar -cvf ../share/container.tar
+          cd ..
      
      - name: Build Dangerzone .deb
        run: |