samhclark · samhclark · Oct 20, 2024 · Oct 20, 2024
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -6,78 +6,22 @@ on:
     - cron: '5 3 * * *'  # 3am-ish UTC everyday (timed against official fedora container pushes)
   workflow_dispatch:
 
-env:
-  REGISTRY: ghcr.io
-
 jobs:
   build-custom-silverblue:
-    name: Build, sign, then push
-    runs-on: ubuntu-24.04
+    uses: ./.github/workflows/reusable-build.yaml
     permissions:
       attestations: write
       contents: read
       id-token: write
       packages: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-
-      - name: Install cosign
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
-        with:
-          cosign-release: 'v2.4.1'
-
-      - name: Build image
-        id: build
-        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
-        with:
-          containerfiles: |
-            ./Containerfile
-          image: custom-silverblue
-          tags: |
-            ${{ github.sha }}
-            40
-
-      - name: Log in to GitHub Container Registry
-        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-          registry: ${{ env.REGISTRY }}/${{ github.repository_owner }}
-
-      - name: Push to GitHub Container Registry
-        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
-        id: push
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          image: ${{ steps.build.outputs.image }}
-          tags: ${{ steps.build.outputs.tags }}
-          registry: ${{ env.REGISTRY }}/${{ github.repository_owner }}
-
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ steps.build.outputs.image }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
-
-      - name: Sign the published OCI image
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          digest: ${{ steps.push.outputs.digest }}
-          fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }} 
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-        run: >
-          echo "${fully_qualified_image_names_json}" 
-          | jq -r '.[]' 
-          | xargs -I {} cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "{}@${digest}"
-
-      - name: Echo outputs for auditing
-        if: github.event_name != 'pull_request'
-        run: |
-          echo "${{ toJSON(steps.push.outputs) }}"
+    with:
+      containerfile_path: ./Containerfile
+      registry: ghcr.io
+      namespace: samhclark
+      image_name: custom-silverblue
+      tags: |
+        ${{ github.sha }}
+        40
+    secrets:
+      cosign_password: ${{ secrets.COSIGN_PASSWORD }}
+      cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
@@ -0,0 +1,95 @@
+on:
+  workflow_call:
+    inputs: 
+      containerfile_path:
+        required: true
+        type: string
+      registry:
+        required: true
+        type: string
+      namespace:
+        required: true
+        type: string
+      image_name:
+        required: true
+        type: string
+      tags:
+        required: true
+        type: string
+    secrets:
+      cosign_password:
+        required: true
+      cosign_private_key:
+        required: true
+
+
+jobs:
+  build-custom-silverblue:
+    name: Build, sign, then push
+    runs-on: ubuntu-24.04
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+      - name: Install cosign
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Build image
+        id: build
+        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
+        with:
+          containerfiles: |
+            ${{ inputs.containerfile_path }}
+          image: ${{ inputs.image_name }}
+          tags: ${{ inputs.tags }}
+
+      - name: Log in to Container Registry
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ${{ inputs.registry }}/${{ inputs.namespace }}
+
+      - name: Push to Container Registry
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
+        id: push
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          image: ${{ steps.build.outputs.image }}
+          tags: ${{ steps.build.outputs.tags }}
+          registry: ${{ inputs.registry }}/${{ inputs.namespace }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          subject-name: ${{ inputs.registry }}/${{ inputs.namespace }}/${{ steps.build.outputs.image }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Sign the published OCI image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          digest: ${{ steps.push.outputs.digest }}
+          fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }} 
+          COSIGN_PASSWORD: ${{ secrets.cosign_password }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.cosign_private_key }}
+        run: >
+          echo "${fully_qualified_image_names_json}" 
+          | jq -r '.[]' 
+          | xargs -I {} cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "{}@${digest}"
+
+      - name: Echo outputs for auditing
+        if: github.event_name != 'pull_request'
+        run: |
+          echo "${{ toJSON(steps.push.outputs) }}"