-
Notifications
You must be signed in to change notification settings - Fork 1
69 lines (61 loc) · 2.05 KB
/
build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: build-custom-silverblue
on:
pull_request:
merge_group:
schedule:
- cron: '5 3 * * *' # 3am-ish UTC everyday (timed against official fedora container pushes)
workflow_dispatch:
jobs:
build-custom-silverblue:
name: Build, sign, then push
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install cosign
if: ${{ github.event_name != 'pull_request' }}
uses: sigstore/[email protected]
with:
cosign-release: 'v2.4.0'
- name: Build image
id: build
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./Containerfile
image: custom-silverblue
tags: |
${{ github.sha }}
40
- name: Log in to GitHub Container Registry
uses: redhat-actions/podman-login@v1
if: ${{ github.event_name != 'pull_request' }}
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io/${{ github.repository_owner }}
- name: Push to GitHub Container Registry
uses: redhat-actions/push-to-registry@v2
id: push
if: ${{ github.event_name != 'pull_request' }}
with:
image: ${{ steps.build.outputs.image }}
tags: ${{ steps.build.outputs.tags }}
registry: ghcr.io/${{ github.repository_owner }}
- name: Sign the published OCI image
if: ${{ github.event_name != 'pull_request' }}
env:
digest: ${{ steps.push.outputs.digest }}
fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }}
run: >
echo "${fully_qualified_image_names_json}"
| jq -r '.[]'
| xargs -I {} cosign sign --yes "{}@${digest}"
- name: Echo outputs for auditing
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"