-
Notifications
You must be signed in to change notification settings - Fork 0
55 lines (55 loc) · 1.87 KB
/
build-push.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
on:
workflow_call:
inputs:
containerfile:
required: true
type: string
from_tag:
required: true
type: string
release_version:
required: true
type: string
tag_suffix:
required: true
type: string
secrets:
actions_token:
required: true
jobs:
build-push-image:
name: Build and push ostree image
runs-on: ubuntu-24.04
timeout-minutes: 60
permissions:
contents: read
id-token: write
packages: write
steps:
- name: checkout repo
uses: actions/checkout@v4
- name: cosign-installer
uses: sigstore/[email protected]
- name: build image
id: build-base-image
uses: redhat-actions/buildah-build@v2
with:
image: fedora-silverblue-ws
tags: ${{ inputs.release_version }}${{ inputs.tag_suffix }} ${{ github.sha }}${{ inputs.tag_suffix }}
containerfiles: ${{ inputs.containerfile }}
build-args: |
release=${{ inputs.release_version }}
tag=${{ inputs.from_tag }}
- name: push image
id: push-base-image
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-base-image.outputs.image }}
tags: ${{ steps.build-base-image.outputs.tags }}
registry: ghcr.io/${{ github.repository_owner }}
username: ${{ github.repository_owner }}
password: ${{ secrets.actions_token }}
- name: cosign login (rh push-to-registry does not login)
run: cosign login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.actions_token }}
- name: sign base container image with sigstore fulcio and github oidc
run: cosign sign --yes ghcr.io/${{ github.repository_owner }}/${{ steps.build-base-image.outputs.image }}@${{ steps.push-base-image.outputs.digest }}