Skip to content

Commit

Permalink
Extract build logic into a reusable workflow
Browse files Browse the repository at this point in the history
Closes #10
  • Loading branch information
samhclark committed Oct 20, 2024
1 parent 6000b30 commit d443c52
Show file tree
Hide file tree
Showing 2 changed files with 107 additions and 68 deletions.
80 changes: 12 additions & 68 deletions .github/workflows/build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,78 +6,22 @@ on:
- cron: '5 3 * * *' # 3am-ish UTC everyday (timed against official fedora container pushes)
workflow_dispatch:

env:
REGISTRY: ghcr.io

jobs:
build-custom-silverblue:
name: Build, sign, then push
runs-on: ubuntu-24.04
uses: ./.github/workflows/reusable-build.yaml
permissions:
attestations: write
contents: read
id-token: write
packages: write

steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

- name: Install cosign
if: ${{ github.event_name != 'pull_request' }}
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Build image
id: build
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
with:
containerfiles: |
./Containerfile
image: custom-silverblue
tags: |
${{ github.sha }}
40
- name: Log in to GitHub Container Registry
uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
if: ${{ github.event_name != 'pull_request' }}
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ${{ env.REGISTRY }}/${{ github.repository_owner }}

- name: Push to GitHub Container Registry
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
id: push
if: ${{ github.event_name != 'pull_request' }}
with:
image: ${{ steps.build.outputs.image }}
tags: ${{ steps.build.outputs.tags }}
registry: ${{ env.REGISTRY }}/${{ github.repository_owner }}

- name: Generate artifact attestation
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
if: ${{ github.event_name != 'pull_request' }}
with:
subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ steps.build.outputs.image }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true

- name: Sign the published OCI image
if: ${{ github.event_name != 'pull_request' }}
env:
digest: ${{ steps.push.outputs.digest }}
fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
run: >
echo "${fully_qualified_image_names_json}"
| jq -r '.[]'
| xargs -I {} cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "{}@${digest}"
- name: Echo outputs for auditing
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
with:
containerfile_path: ./Containerfile
registry: ghcr.io
namespace: samhclark
image_name: custom-silverblue
tags: |
${{ github.sha }}
40
secrets:
cosign_password: ${{ secrets.COSIGN_PASSWORD }}
cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }}
95 changes: 95 additions & 0 deletions .github/workflows/reusable-build.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
on:
workflow_call:
inputs:
containerfile_path:
required: true
type: string
registry:
required: true
type: string
namespace:
required: true
type: string
image_name:
required: true
type: string
tags:
required: true
type: string
secrets:
cosign_password:
required: true
cosign_private_key:
required: true


jobs:
build-custom-silverblue:
name: Build, sign, then push
runs-on: ubuntu-24.04
permissions:
attestations: write
contents: read
id-token: write
packages: write

steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

- name: Install cosign
if: ${{ github.event_name != 'pull_request' }}
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Build image
id: build
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
with:
containerfiles: |
${{ inputs.containerfile_path }}
image: ${{ inputs.image_name }}
tags: ${{ inputs.tags }}

- name: Log in to Container Registry
uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
if: ${{ github.event_name != 'pull_request' }}
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ${{ inputs.registry }}/${{ inputs.namespace }}

- name: Push to Container Registry
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
id: push
if: ${{ github.event_name != 'pull_request' }}
with:
image: ${{ steps.build.outputs.image }}
tags: ${{ steps.build.outputs.tags }}
registry: ${{ inputs.registry }}/${{ inputs.namespace }}

- name: Generate artifact attestation
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
if: ${{ github.event_name != 'pull_request' }}
with:
subject-name: ${{ inputs.registry }}/${{ inputs.namespace }}/${{ steps.build.outputs.image }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true

- name: Sign the published OCI image
if: ${{ github.event_name != 'pull_request' }}
env:
digest: ${{ steps.push.outputs.digest }}
fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }}
COSIGN_PASSWORD: ${{ secrets.cosign_password }}
COSIGN_PRIVATE_KEY: ${{ secrets.cosign_private_key }}
run: >
echo "${fully_qualified_image_names_json}"
| jq -r '.[]'
| xargs -I {} cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "{}@${digest}"
- name: Echo outputs for auditing
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"

0 comments on commit d443c52

Please sign in to comment.