From 8b2f9f34b4bafdae525334e855f0e4c97e90ea62 Mon Sep 17 00:00:00 2001 From: Justin Garrison Date: Tue, 10 Dec 2024 11:50:09 -0800 Subject: [PATCH] add github workflow for debian container build --- .github/workflows/build-debian-toolbox.yml | 108 +++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 .github/workflows/build-debian-toolbox.yml diff --git a/.github/workflows/build-debian-toolbox.yml b/.github/workflows/build-debian-toolbox.yml new file mode 100644 index 0000000..76bf091 --- /dev/null +++ b/.github/workflows/build-debian-toolbox.yml @@ -0,0 +1,108 @@ +name: Build and Push Debian Toolbox Image +on: + schedule: + - cron: "20 22 * * *" # 10:20pm everyday + pull_request: + merge_group: + workflow_dispatch: +env: + IMAGE_NAME: debian-toolbox + IMAGE_TAGS: latest + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref || github.run_id }} + cancel-in-progress: true + +jobs: + push-ghcr: + name: Build and push image + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + id-token: write + strategy: + fail-fast: false + steps: + # Checkout push-to-registry action GitHub repository + - name: Checkout Push to Registry action + uses: actions/checkout@v4 + + # - name: Verify Debian toolbox + # uses: EyeCantCU/cosign-action/verify@v0.2.2 + # with: + # containers: ubuntu-toolbox:22.04 + # pubkey: https://raw.githubusercontent.com/toolbx-images/images/main/quay.io-toolbx-images.pub + # registry: quay.io/toolbx-images + + # Build metadata + - name: Image Metadata + uses: docker/metadata-action@v5 + id: meta + with: + images: | + ${{ env.IMAGE_NAME }} + labels: | + io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/boxkit/main/README.md + + # Build image using Buildah action + - name: Build Image + id: build_image + uses: redhat-actions/buildah-build@v2 + with: + containerfiles: | + ./toolboxes/debian-toolbox/Containerfile.debian + image: ${{ env.IMAGE_NAME }} + tags: ${{ env.IMAGE_TAGS }} + labels: ${{ steps.meta.outputs.labels }} + oci: false + + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. + # https://github.com/macbre/push-to-ghcr/issues/12 + - name: Lowercase Registry + id: registry_case + uses: ASzc/change-string-case-action@v6 + with: + string: ${{ env.IMAGE_REGISTRY }} + + # Push the image to GHCR (Image Registry) + - name: Push To GHCR + uses: redhat-actions/push-to-registry@v2 + if: github.event_name != 'pull_request' + id: push + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + with: + image: ${{ steps.build_image.outputs.image }} + tags: ${{ steps.build_image.outputs.tags }} + registry: ${{ steps.registry_case.outputs.lowercase }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + if: github.event_name != 'pull_request' + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Sign container + - uses: sigstore/cosign-installer@v3.7.0 + if: github.event_name != 'pull_request' + + - name: Sign container image + if: github.event_name != 'pull_request' + run: | + echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key + wc -c cosign.key + cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} + env: + TAGS: ${{ steps.push.outputs.digest }} + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} + + - name: Echo outputs + run: | + echo "${{ toJSON(steps.push.outputs) }}"