diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a6c0ae2..808a973 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -6,78 +6,22 @@ on: - cron: '5 3 * * *' # 3am-ish UTC everyday (timed against official fedora container pushes) workflow_dispatch: -env: - REGISTRY: ghcr.io - jobs: build-custom-silverblue: - name: Build, sign, then push - runs-on: ubuntu-24.04 + uses: ./.github/workflows/reusable-build.yaml permissions: attestations: write contents: read id-token: write packages: write - - steps: - - name: Checkout - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - - - name: Install cosign - if: ${{ github.event_name != 'pull_request' }} - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - with: - cosign-release: 'v2.4.1' - - - name: Build image - id: build - uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 - with: - containerfiles: | - ./Containerfile - image: custom-silverblue - tags: | - ${{ github.sha }} - 40 - - - name: Log in to GitHub Container Registry - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 - if: ${{ github.event_name != 'pull_request' }} - with: - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - registry: ${{ env.REGISTRY }}/${{ github.repository_owner }} - - - name: Push to GitHub Container Registry - uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 - id: push - if: ${{ github.event_name != 'pull_request' }} - with: - image: ${{ steps.build.outputs.image }} - tags: ${{ steps.build.outputs.tags }} - registry: ${{ env.REGISTRY }}/${{ github.repository_owner }} - - - name: Generate artifact attestation - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 - if: ${{ github.event_name != 'pull_request' }} - with: - subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ steps.build.outputs.image }} - subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true - - - name: Sign the published OCI image - if: ${{ github.event_name != 'pull_request' }} - env: - digest: ${{ steps.push.outputs.digest }} - fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - run: > - echo "${fully_qualified_image_names_json}" - | jq -r '.[]' - | xargs -I {} cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "{}@${digest}" - - - name: Echo outputs for auditing - if: github.event_name != 'pull_request' - run: | - echo "${{ toJSON(steps.push.outputs) }}" + with: + containerfile_path: ./Containerfile + registry: ghcr.io + namespace: samhclark + image_name: custom-silverblue + tags: | + ${{ github.sha }} + 40 + secrets: + cosign_password: ${{ secrets.COSIGN_PASSWORD }} + cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }} \ No newline at end of file diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml new file mode 100644 index 0000000..2fede20 --- /dev/null +++ b/.github/workflows/reusable-build.yaml @@ -0,0 +1,95 @@ +on: + workflow_call: + inputs: + containerfile_path: + required: true + type: string + registry: + required: true + type: string + namespace: + required: true + type: string + image_name: + required: true + type: string + tags: + required: true + type: string + secrets: + cosign_password: + required: true + cosign_private_key: + required: true + + +jobs: + build-custom-silverblue: + name: Build, sign, then push + runs-on: ubuntu-24.04 + permissions: + attestations: write + contents: read + id-token: write + packages: write + + steps: + - name: Checkout + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + + - name: Install cosign + if: ${{ github.event_name != 'pull_request' }} + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Build image + id: build + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 + with: + containerfiles: | + ${{ inputs.containerfile_path }} + image: ${{ inputs.image_name }} + tags: ${{ inputs.tags }} + + - name: Log in to Container Registry + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 + if: ${{ github.event_name != 'pull_request' }} + with: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + registry: ${{ inputs.registry }}/${{ inputs.namespace }} + + - name: Push to Container Registry + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 + id: push + if: ${{ github.event_name != 'pull_request' }} + with: + image: ${{ steps.build.outputs.image }} + tags: ${{ steps.build.outputs.tags }} + registry: ${{ inputs.registry }}/${{ inputs.namespace }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 + if: ${{ github.event_name != 'pull_request' }} + with: + subject-name: ${{ inputs.registry }}/${{ inputs.namespace }}/${{ steps.build.outputs.image }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + - name: Sign the published OCI image + if: ${{ github.event_name != 'pull_request' }} + env: + digest: ${{ steps.push.outputs.digest }} + fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }} + COSIGN_PASSWORD: ${{ secrets.cosign_password }} + COSIGN_PRIVATE_KEY: ${{ secrets.cosign_private_key }} + run: > + echo "${fully_qualified_image_names_json}" + | jq -r '.[]' + | xargs -I {} cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "{}@${digest}" + + - name: Echo outputs for auditing + if: github.event_name != 'pull_request' + run: | + echo "${{ toJSON(steps.push.outputs) }}"