ci: switch to docker/github-builder to build and sign#473
Draft
crazy-max wants to merge 2 commits into
Draft
Conversation
c67b7cf to
5f34395
Compare
c3186b2 to
87504a2
Compare
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR moves package builds onto
docker/github-builderand keeps the release image layout aligned with the signed metadata that the builder now produces. Builds now publish package artifacts with signed provenance and Sigstore bundle material.The first commit reworks the reusable build workflow so each distro package build is delegated to
docker/github-builder, with Bake variables passed through the workflow input and package verification kept in this repository. The second commit updateshack/release.Dockerfileso release metadata files are emitted next to each package using the package artifact basename, such as:docker-buildx-plugin-0.35.0-1.el10.x86_64.provenance.jsondocker-buildx-plugin-0.35.0-1.el10.x86_64.sigstore.jsondocker-buildx-plugin-0.35.0-1.el10.x86_64.sbom.jsonUsing
docker/github-buildercentralizes runner handling, SBOM generation, provenance generation, and OIDC-backed signing instead of carrying that logic in the packaging workflow. Naming release metadata after the package artifact makes the release image easier to consume because every SBOM, provenance file, and Sigstore bundle is tied directly to the package it describes.Package builds now enable signing outside pull requests, which causes the builder to produce signed provenance and Sigstore verification material for the package artifacts. This gives release consumers a clear path from the package file to its SBOM, provenance, and signature bundle without relying on shared generic filenames in each release directory.
A follow-up should look at appending the Sigstore bundle directly into the package artifacts themselves. Keeping the bundle next to the packages is a good first step, but embedding or attaching the verification material at the package format level would make distribution and verification less dependent on external sidecar files.