fix: update cosign action (#94)

2025-11-08 06:15:21 +00:00 · 2023-03-02 21:25:43 -05:00
parent 0c7bc17666
commit 0aff9bac37
1 changed files with 58 additions and 28 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,8 +1,6 @@
 name: build-ublue
 on:
  pull_request:
-    types:
-      - labeled
    branches:
      - main
    paths-ignore:
@@ -17,14 +15,13 @@ on:
      - '**.md'
      - '**.txt'
 env:
-    IMAGE_NAME: base
+    IMAGE_BASE_NAME: base
    IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}

 jobs:
  push-ghcr:
    name: Build and push image
    runs-on: ubuntu-22.04
-    if: contains(github.event.pull_request.labels.*.name, 'ok-to-build') || github.event_name != 'pull_request'
    permissions:
      contents: read
      packages: write
@@ -32,49 +29,76 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
+        image_name: [silverblue]
        major_version: [37]
        include:
          - major_version: 37
-            is_latest: true
-            is_stable: true
+            is_latest_version: true
+            is_stable_version: true
    steps: 
      # Checkout push-to-registry action GitHub repository
      - name: Checkout Push to Registry action
        uses: actions/checkout@v3

+      - name: Matrix Variables
+        run: |
+          echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.image_name, env.IMAGE_BASE_NAME) }}" >> $GITHUB_ENV
+
      - name: Generate tags
        id: generate-tags
        shell: bash
        run: |
-          echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-          alias_tags=()
-          # Only perform the follow code when the action is spawned from a Pull Request
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            alias_tags+=("pr-${{ github.event.number }}")
-          else
-            # The following is run when the timer is triggered or a merge/push to main
-            echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT
-            alias_tags+=("${{ matrix.major_version }}")
-            if [[ "${{ matrix.is_latest }}" == "true" ]]; then
-              alias_tags+=("latest")
-            fi
-            if [[ "${{ matrix.is_stable }}" == "true" ]]; then
-              alias_tags+=("stable")
-            fi
+          # Generate a timestamp for creating an image version history
+          TIMESTAMP="$(date +%Y%m%d)"
+          MAJOR_VERSION="${{ matrix.major_version }}"
+          COMMIT_TAGS=()
+          BUILD_TAGS=()
+          # Have tags for tracking builds during pull request
+          SHA_SHORT="$(git rev-parse --short HEAD)"
+          COMMIT_TAGS+=("pr-${{ github.event.number }}-${MAJOR_VERSION}")
+          COMMIT_TAGS+=("${SHA_SHORT}-${MAJOR_VERSION}")
+          if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
+             [[ "${{ matrix.is_stable_version }}" == "true" ]]; then
+              COMMIT_TAGS+=("pr-${{ github.event.number }}")
+              COMMIT_TAGS+=("${SHA_SHORT}")
          fi
+
+          BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION}-${TIMESTAMP}")
+
+          if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
+             [[ "${{ matrix.is_stable_version }}" == "true" ]]; then
+              BUILD_TAGS+=("${TIMESTAMP}")
+              BUILD_TAGS+=("latest")
+          fi
+
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+              echo "Generated the following commit tags: "
+              for TAG in "${COMMIT_TAGS[@]}"; do
+                  echo "${TAG}"
+              done
+              alias_tags=("${COMMIT_TAGS[@]}")
+          else
+              alias_tags=("${BUILD_TAGS[@]}")
+          fi
+          echo "Generated the following build tags: "
+          for TAG in "${BUILD_TAGS[@]}"; do
+              echo "${TAG}"
+          done
          echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
-        
+
      # Build metadata
      - name: Image Metadata
        uses: docker/metadata-action@v4
        id: meta
        with:
          images: |
-            ${{ env.IMAGE_NAME }}
+            $IMAGE_NAME
          labels: |
-            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/base/main/README.md
+            org.opencontainers.image.title=$IMAGE_NAME
+            org.opencontainers.image.description=A base $IMAGE_NAME image with batteries included
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/base/base/README.md
            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
-      
+
      # Build image using Buildah action
      - name: Build Image
        id: build_image
@@ -85,9 +109,8 @@ jobs:
          image: ${{ env.IMAGE_NAME }}
          tags: |
            ${{ steps.generate-tags.outputs.alias_tags }}
-            ${{ steps.generate-tags.outputs.date }}
-            ${{ steps.generate-tags.outputs.sha_short }}
          build-args: |
+            IMAGE_NAME=${{ matrix.image_name }}
            FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
          labels: ${{ steps.meta.outputs.labels }}
          oci: false
@@ -135,12 +158,19 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

+      # Sign container
+      - uses: sigstore/cosign-installer@v3.0.1
+        if: github.event_name != 'pull_request'
+
      - name: Sign container image
        run: |
-          cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
+          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
+          wc -c cosign.key
+          cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
        env:
          TAGS: ${{ steps.push.outputs.digest }}
          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

      - name: Echo outputs
        run: |