Skip to content

ci: switch to docker/github-builder to build and sign#473

Draft
crazy-max wants to merge 2 commits into
mainfrom
github-builder
Draft

ci: switch to docker/github-builder to build and sign#473
crazy-max wants to merge 2 commits into
mainfrom
github-builder

Conversation

@crazy-max

@crazy-max crazy-max commented Jul 8, 2026

Copy link
Copy Markdown
Member

This PR moves package builds onto docker/github-builder and keeps the release image layout aligned with the signed metadata that the builder now produces. Builds now publish package artifacts with signed provenance and Sigstore bundle material.

The first commit reworks the reusable build workflow so each distro package build is delegated to docker/github-builder, with Bake variables passed through the workflow input and package verification kept in this repository. The second commit updates hack/release.Dockerfile so release metadata files are emitted next to each package using the package artifact basename, such as:

  • docker-buildx-plugin-0.35.0-1.el10.x86_64.provenance.json
  • docker-buildx-plugin-0.35.0-1.el10.x86_64.sigstore.json
  • docker-buildx-plugin-0.35.0-1.el10.x86_64.sbom.json

Using docker/github-builder centralizes runner handling, SBOM generation, provenance generation, and OIDC-backed signing instead of carrying that logic in the packaging workflow. Naming release metadata after the package artifact makes the release image easier to consume because every SBOM, provenance file, and Sigstore bundle is tied directly to the package it describes.

Package builds now enable signing outside pull requests, which causes the builder to produce signed provenance and Sigstore verification material for the package artifacts. This gives release consumers a clear path from the package file to its SBOM, provenance, and signature bundle without relying on shared generic filenames in each release directory.

A follow-up should look at appending the Sigstore bundle directly into the package artifacts themselves. Keeping the bundle next to the packages is a good first step, but embedding or attaching the verification material at the package format level would make distribution and verification less dependent on external sidecar files.

@crazy-max crazy-max force-pushed the github-builder branch 2 times, most recently from c67b7cf to 5f34395 Compare July 8, 2026 10:18
Comment thread .github/workflows/.build.yml Fixed
@crazy-max crazy-max force-pushed the github-builder branch 2 times, most recently from c3186b2 to 87504a2 Compare July 8, 2026 10:34
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@vvoland vvoland self-requested a review July 8, 2026 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants