ci: switch to docker/github-builder to build and sign#473
Conversation
c67b7cf to
5f34395
Compare
87504a2 to
5c4da61
Compare
I don't think GitHub Actions can render this as true nesting with the current workflow shape. We have two reusable workflow levels here: This looks like a known Actions UI limitation. There is a related Community discussion here: https://github.com/orgs/community/discussions/186872. There is also a broader feature request for a structured reusable workflow dependency view here: https://github.com/orgs/community/discussions/51496. That is why I added |
4917d19 to
858a36c
Compare
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
858a36c to
9a96231
Compare

This PR moves package builds onto
docker/github-builderand keeps the release image layout aligned with the signed metadata that the builder now produces. Builds now publish package artifacts with signed provenance and Sigstore bundle material.The first commit reworks the reusable build workflow so each distro package build is delegated to
docker/github-builder, with Bake variables passed through the workflow input and package verification kept in this repository. The second commit updateshack/release.Dockerfileso release metadata files are emitted next to each package using the package artifact basename, such as:docker-buildx-plugin-0.35.0-1.el10.x86_64.provenance.jsondocker-buildx-plugin-0.35.0-1.el10.x86_64.sigstore.jsondocker-buildx-plugin-0.35.0-1.el10.x86_64.sbom.jsonUsing
docker/github-buildercentralizes runner handling, SBOM generation, provenance generation, and OIDC-backed signing instead of carrying that logic in the packaging workflow. Naming release metadata after the package artifact makes the release image easier to consume because every SBOM, provenance file, and Sigstore bundle is tied directly to the package it describes.Package builds now enable signing outside pull requests, which causes the builder to produce signed provenance and Sigstore verification material for the package artifacts. This gives release consumers a clear path from the package file to its SBOM, provenance, and signature bundle without relying on shared generic filenames in each release directory.
A follow-up should look at appending the Sigstore bundle directly into the package artifacts themselves. Keeping the bundle next to the packages is a good first step, but embedding or attaching the verification material at the package format level would make distribution and verification less dependent on external sidecar files.