Build to image to quay.io, ISOs to S3, sign with KMS

Author: alexiri

.github/actions/config/action.yml

@@ -1,11 +1,6 @@
 ---
 name: Set Environment Variables
 
-inputs:
-  SIGNING_SECRET:
-    description: "The secret used for signing the image. If not provided, the image will not be signed."
-    required: false
-
 outputs:
   LATEST_TAG:
     description: "The latest tag based on the event type"
@@ -46,10 +41,10 @@ runs:
           echo "LATEST_TAG=latest" >> $GITHUB_OUTPUT
         fi
 
-        REGISTRY=ghcr.io
-        REGISTRY_USER=${{ github.actor }}
-        IMAGE_PATH=${{ github.repository_owner }}
-        IMAGE_NAME=${{ github.event.repository.name }}
+        REGISTRY=quay.io
+        REGISTRY_USER="almalinuxorg+airibarr_bot"
+        IMAGE_PATH="almalinuxorg"
+        IMAGE_NAME="atomic-workstation"
         PLATFORMS="amd64"
 
         echo "REGISTRY=${REGISTRY}" >> $GITHUB_OUTPUT
@@ -59,13 +54,4 @@ runs:
         echo "IMAGE_REF=${REGISTRY}/${IMAGE_PATH}/${IMAGE_NAME}" >> $GITHUB_OUTPUT
         echo "PLATFORMS=${PLATFORMS}" >> $GITHUB_OUTPUT
 
-        # This is a workaround so that the expansion of SIGNING_SECRET doesn't break the if statement
-        SECRET=$(cat <<EOF
-        ${{ inputs.SIGNING_SECRET }}
-        EOF
-        )
-        if [ -z "${SECRET}" ]; then
-          echo "IS_SIGNED=false" >> $GITHUB_OUTPUT
-        else
-          echo "IS_SIGNED=true" >> $GITHUB_OUTPUT
-        fi
+        echo "IS_SIGNED=true" >> $GITHUB_OUTPUT

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,24 @@
+name: Dependabot auto-approve
+on: pull_request_target
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2.4.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: ${{ contains(steps.metadata.outputs.package-ecosystem, 'docker') }}
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }}

.github/workflows/build-iso.yml

@@ -10,7 +10,6 @@ concurrency:
 
 jobs:
   set-env:
-    if: github.repository != 'AlmaLinux/atomic-respin-template'
     runs-on: ubuntu-latest
     outputs:
       LATEST_TAG: ${{ steps.set.outputs.LATEST_TAG }}
@@ -28,12 +27,10 @@ jobs:
       - name: Set environment variables
         uses: ./.github/actions/config
         id: set
-        with:
-          SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}
 
   build-iso:
     name: Build ISO
-    needs: [set-env]
+    needs: set-env
     uses: AlmaLinux/atomic-ci/.github/workflows/build-iso.yml@v6
     with:
       image-name: "${{ needs.set-env.outputs.IMAGE_NAME }}"
@@ -44,10 +41,15 @@ jobs:
       platforms: ${{ needs.set-env.outputs.PLATFORMS }}
       REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
       REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
+      upload-to-github: false
       upload-to-cloudflare: false
-      # bucket: ${{ secrets.R2_BUCKET }}
+      upload-to-s3: true
+      bucket: "almalinux-atomic"
+      aws-default-region: "us-east-1"
     secrets:
-      REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      # R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-      # ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-      # SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+      REGISTRY_TOKEN: ${{ secrets.QUAY_PASSWORD }}
+      AWS_ROLE_ARN: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/SIG_Atomic_GHA
+    permissions:
+      id-token: write
+      contents: read
+      packages: write

.github/workflows/build.yml

@@ -16,7 +16,6 @@ concurrency:
 
 jobs:
   set-env:
-    if: github.repository != 'AlmaLinux/atomic-respin-template'
     runs-on: ubuntu-latest
     outputs:
       LATEST_TAG: ${{ steps.set.outputs.LATEST_TAG }}
@@ -34,8 +33,6 @@ jobs:
       - name: Set environment variables
         uses: ./.github/actions/config
         id: set
-        with:
-          SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}
 
   build-image:
     name: Build image
@@ -51,9 +48,12 @@ jobs:
       image-path: ${{ needs.set-env.outputs.IMAGE_PATH }}
       REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
       REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
+      KMS_KEY_ID: SIG_Atomic_Container_Signing_GH_CI
+      AWS_REGION: us-east-1
+      generate-sbom: false
     secrets:
-      REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}
+      REGISTRY_TOKEN: ${{ secrets.QUAY_PASSWORD }}
+      AWS_ROLE_ARN: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/SIG_Atomic_GHA
     permissions:
       contents: read
       packages: write
@@ -69,7 +69,7 @@ jobs:
 
     steps:
       - name: Login to Container Registry
-        run: echo ${{ secrets.GITHUB_TOKEN }} | podman login -u ${{ needs.set-env.outputs.REGISTRY_USER }} --password-stdin ${{ needs.set-env.outputs.REGISTRY }}
+        run: echo ${{ secrets.QUAY_PASSWORD }} | podman login -u ${{ needs.set-env.outputs.REGISTRY_USER }} --password-stdin ${{ needs.set-env.outputs.REGISTRY }}
 
       - name: Test container
         run: |
@@ -95,12 +95,13 @@ jobs:
       image: ${{ needs.build-image.outputs.image-ref }}@${{ needs.build-image.outputs.digest }}
       tag: |
         ${{ needs.set-env.outputs.LATEST_TAG }}
+        ${{ needs.build-image.outputs.major-version }}
         ${{ needs.build-image.outputs.redhat-version-id }}
         ${{ needs.build-image.outputs.version }}
       REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
       REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
     secrets:
-      REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      REGISTRY_TOKEN: ${{ secrets.QUAY_PASSWORD }}
     permissions:
       packages: write