Skip to content

workflows: add --recursive flag to signing process (all) #81

workflows: add --recursive flag to signing process (all)

workflows: add --recursive flag to signing process (all) #81

Workflow file for this run

name: "AlmaLinux: Build and push toolbx images"
permissions: read-all
on:
pull_request:
branches:
- main
paths:
- almalinux/**
- .github/workflows/almalinux.yaml
push:
branches:
- main
paths:
- almalinux/**
- .github/workflows/almalinux.yaml
schedule:
- cron: '0 0 * * MON'
env:
distro: 'almalinux'
distro_pretty: 'AlmaLinux'
latest_release: '9'
platforms: 'linux/amd64, linux/arm64'
registry: 'quay.io/toolbx-images'
# Prevent multiple workflow runs from racing to ensure that pushes are made
# sequentialy for the main branch. Also cancel in progress workflow runs for
# pull requests only.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
build-push-images:
strategy:
matrix:
release: ['8', '9']
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU for multi-arch builds
shell: bash
run: |
sudo apt update
sudo apt install qemu-user-static
- name: Build container image
uses: redhat-actions/buildah-build@v2
if: env.latest_release != matrix.release
with:
platforms: ${{ env.platforms }}
context: ${{ env.distro }}/${{ matrix.release }}
image: ${{ env.distro }}-toolbox
tags: ${{ matrix.release }}
containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile
layers: false
oci: true
- name: Build container image (latest tag)
uses: redhat-actions/buildah-build@v2
if: env.latest_release == matrix.release
with:
platforms: ${{ env.platforms }}
context: ${{ env.distro }}/${{ matrix.release }}
image: ${{ env.distro }}-toolbox
tags: ${{ matrix.release }} latest
containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile
layers: false
oci: true
- name: Push to Container Registry
uses: redhat-actions/push-to-registry@v2
id: push
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
with:
username: ${{ secrets.BOT_USERNAME }}
password: ${{ secrets.BOT_SECRET }}
image: ${{ env.distro }}-toolbox
registry: ${{ env.registry }}
tags: ${{ matrix.release }}
- name: Push to Container Registry (latest tag)
uses: redhat-actions/push-to-registry@v2
id: push-latest
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
with:
username: ${{ secrets.BOT_USERNAME }}
password: ${{ secrets.BOT_SECRET }}
image: ${{ env.distro }}-toolbox
registry: ${{ env.registry }}
tags: ${{ matrix.release }} latest
- name: Login to Container Registry
uses: redhat-actions/podman-login@v1
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
with:
registry: ${{ env.registry }}
username: ${{ secrets.BOT_USERNAME }}
password: ${{ secrets.BOT_SECRET }}
- uses: sigstore/[email protected]
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
- name: Sign container image
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
run: |
cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
- name: Sign container image (latest)
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
run: |
cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}