refactor: update GH actions building container image

Update the GitHub actions used to build and release the container image. The new ones are copy&paste from the kubewarden-controller. Signed-off-by: Flavio Castelli <[email protected]>
kubewarden · Jul 18, 2023 · e75bfdc · e75bfdc
1 parent 6be2466
commit e75bfdc
Show file tree

Hide file tree

Showing 4 changed files with 209 additions and 274 deletions.
diff --git a/.github/workflows/tests.yml → .github/workflows/ci.yml b/.github/workflows/tests.yml → .github/workflows/ci.yml
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -0,0 +1,51 @@
+name: Build container image every change.
+
+on:
+  workflow_call:
+    outputs:
+      digest:
+        description: "Container image digest"
+        value: ${{jobs.build.outputs.digest}}
+  push:
+    branches:
+      - "*"
+
+jobs:
+  build:
+    name: Build
+    uses: .github/workflows/container-image.yml
+    permissions:
+      packages: write
+    with:
+      push-image: true
+
+  sign:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      id-token: write
+    needs: build
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: sigstore/[email protected]
+      - name: Sign the images
+        run: |
+          cosign sign \
+            ${{needs.build.outputs.repository}}@${{needs.build.outputs.digest}}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - uses: sigstore/[email protected]
+      - name: Sign the SBOM
+        run: |
+          tag=$(echo '${{needs.build.outputs.digest}}' | sed 's/:/-/g')
+          cosign sign \
+            "${{needs.build.outputs.repository}}:$tag.sbom"
+        env:
+          COSIGN_EXPERIMENTAL: 1