Merge 0d64e475cc into 83be5fb151

.github/workflows/build-push-image.yml

@@ -15,21 +15,11 @@ on:
       reproduce:
         required: true
         type: boolean
-      sign:
-        required: true
-        type: boolean
-      key_name:
-        required: false
-        type: string
-        default: "dangerzone-tests"
-      key_cache:
-        required: false
-        type: string
-        default: "v1-keypair-${{ github.ref_name }}" # unique for the branch / PR
     secrets:
       registry_token:
         required: true
 
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -83,7 +73,6 @@ jobs:
       debian_archive_date: ${{ needs.prepare.outputs.debian_archive_date }}
       source_date_epoch: ${{ needs.prepare.outputs.source_date_epoch }}
       image: ${{ needs.prepare.outputs.image }}
-      tag: ${{ needs.prepare.outputs.tag }}
     strategy:
       fail-fast: false
       matrix:
@@ -151,7 +140,6 @@ jobs:
       debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
       source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
       image: ${{ needs.build.outputs.image }}
-      tag: ${{ needs.build.outputs.tag }}
       digest_root: ${{ steps.image.outputs.digest_root }}
       digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
       digest_arm64: ${{ steps.image.outputs.digest_arm64 }}
@@ -258,30 +246,3 @@ jobs:
             --platform \
             linux/${{ matrix.platform.name }} \
             ${{ needs.merge.outputs[format('digest_{0}', matrix.platform.name)] }}
-
-  sign:
-    if: ${{ inputs.sign }}
-    runs-on: "ubuntu-latest"
-    env:
-      COSIGN_PASSWORD: "password"
-      COSIGN_YES: true
-    needs:
-      - merge
-    # outputs: add signature location ?
-    steps:
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
-      - name: Check install
-        run: cosign version
-      - name: Generate keypair
-        run: |-
-          cosign generate-key-pair --output-key-prefix="${{ inputs.key_name }}"
-      - name: Cache keypair
-        uses: actions/cache@v4
-        with:
-          path: "${{ inputs.key_name }}.*"
-          key: ${{ inputs.key_cache }}
-          enableCrossOsArchive: true
-      - name: Sign container
-        run: |-
-          cosign sign --key dangerzone-test.key ${{ inputs.registry }}/${{ inputs.registry_user }}/${{ inputs.image_name }}:${{ needs.merge.outputs.tag }}@sha256:${{ needs.merge.outputs.digest_root }}

.github/workflows/ci.yml

@@ -11,10 +11,12 @@ on:
 
 permissions:
   packages: write
-  actions: read # for detecting the Github Actions environment.
-  id-token: write # for creating OIDC tokens for signing.
 
 env:
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_NAME: dangerzone/dangerzone-staging
   QT_SELECT: "qt6"
 
 # Disable multiple concurrent runs on the same branch
@@ -45,18 +47,32 @@ jobs:
   # But we also want to include this in the checks that run on each push.
   build-container-image:
     name: Build, push and sign container image
-    uses: ./.github/workflows/build-push-image.yml
-    with:
-      registry: "ghcr.io/${{ github.repository_owner }}"
-      registry_user: ${{ github.actor }}
-      image_name: "dangerzone/dangerzone-staging"
-      reproduce: false
-      sign: true
-      key_name: "dangerzone-tests"
-      key_cache: "v1-test-keypair-${{ github.ref_name }}"
-    secrets:
-      registry_token: ${{ secrets.GITHUB_TOKEN }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ./.github/workflows/build-push-image.yml
+        id: build-push
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          registry_user: ${{ env.REGISTRY_USER }}
+          image_name: ${{ env.IMAGE_NAME }}
+          reproduce: false
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.8.1
+      - name: Generate keypair
+        run: |-
+          echo "password"
+          | cosign generate-key-pair --output-key-prefix="dangerzone-tests"
+      - name: Cache keypair
+        uses: actions/cache@v4
+        with:
+          path: "dangerzone-tests.*"
+          key: v1-test-keypair-${{ github.ref_name }}
+          enableCrossOsArchive: true
+      - name: Sign container
+        run: |-
+          cosign sign --key dangerzone-test.key ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ steps.build-push.outputs.tag}}@sha256:${{ steps.build-push.outputs.digest_root }}
   download-tessdata:
     name: Download and cache Tesseract data
     runs-on: ubuntu-latest

.github/workflows/release-container-image.yml

@@ -18,6 +18,5 @@ jobs:
       registry_user: ${{ github.actor }}
       image_name: dangerzone/dangerzone
       reproduce: true
-      sign: false
     secrets:
       registry_token: ${{ secrets.GITHUB_TOKEN }}