Skip to content

build-custom-silverblue #120

build-custom-silverblue

build-custom-silverblue #120

Workflow file for this run

name: build-custom-silverblue
on:
pull_request:
merge_group:
schedule:
- cron: '5 3 * * *' # 3am-ish UTC everyday (timed against official fedora container pushes)
workflow_dispatch:
jobs:
build-custom-silverblue:
name: Build, sign, then push
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install cosign
if: ${{ github.event_name != 'pull_request' }}
uses: sigstore/[email protected]
with:
cosign-release: 'v2.4.0'
- name: Build image
id: build
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./Containerfile
image: custom-silverblue
tags: |
${{ github.sha }}
40
- name: Log in to GitHub Container Registry
uses: redhat-actions/podman-login@v1
if: ${{ github.event_name != 'pull_request' }}
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io/${{ github.repository_owner }}
- name: Push to GitHub Container Registry
uses: redhat-actions/push-to-registry@v2
id: push
if: ${{ github.event_name != 'pull_request' }}
with:
image: ${{ steps.build.outputs.image }}
tags: ${{ steps.build.outputs.tags }}
registry: ghcr.io/${{ github.repository_owner }}
- name: Sign the published OCI image
if: ${{ github.event_name != 'pull_request' }}
env:
digest: ${{ steps.push.outputs.digest }}
fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }}
run: >
echo "${fully_qualified_image_names_json}"
| jq -r '.[]'
| xargs -I {} cosign sign --yes "{}@${digest}"
- name: Echo outputs for auditing
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"