ci: self-contained build + sign for challenger-go (RFC-044.4 WS3a follow-up)#26

Merged
devkoriel merged 1 commit into main from ci/self-contained-build-sign on Jun 17, 2026
Conversation

@devkoriel

Contributor

What

Replaces docker.yml's delegation to the private docker-build-and-publish.yaml
reusable with an in-repo build (faithful port for challenger-go) plus this repo's
embedded signer.

Why

This repo is public; it cannot call the private actions-workflows reusables, so the
old docker.yml (which delegated the entire build+publish+sign to
docker-build-and-publish.yaml@main) was broken on public and could not run at all.

The new workflow:

  • builds + pushes ghcr.io/chronicleprotocol/challenger-go inline (same actions, SHA
    pins, build-args APP_NAME/APP_VERSION, platforms, and metadata tagging as the
    private reusable used for this app), then
  • signs via chronicleprotocol/challenger/.github/workflows/sign-image.yaml@main. The
    @main pin makes the keyless SAN sign-image.yaml@refs/heads/main, matching the
    Kyverno verify-chronicle-release-images enforce identity.

No behavior change to the produced image (same Dockerfile, args, platforms); only the
build/sign now run in-repo instead of via the unreachable private reusable.

Test plan

  • workflow_dispatch with a version: confirm challenger-go:<version> + :sha-...
    are built/pushed and signed.
  • cosign verify ghcr.io/chronicleprotocol/challenger-go@<digest> against
    .../challenger/.github/workflows/sign-image.yaml@refs/heads/main passes.
  • Pod admission of the new image is allowed by the enforce IVP.

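An added helper (not code from the PR or the chronicleprotocol repos) that spells out the test-plan check: it derives the exact keyless identity that the @main pin produces for the reusable signing workflow and runs `cosign verify` pinned to that identity and to the GitHub Actions OIDC issuer. It assumes cosign v2 on PATH, an opt-in `RUN_VERIFY` variable, and a `<digest>` placeholder you replace with the real image digest.

```shell
#!/usr/bin/env sh
# Added example, not part of the PR. Assumes cosign v2 on PATH for verify_image;
# the registry path and workflow path come from the PR text, the digest is a placeholder.
set -eu

GITHUB_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Keyless (Fulcio) certificates issued to a reusable workflow carry the
# job_workflow_ref as the SAN: https://github.com/<org>/<repo>/<path>@<ref>.
# The ref is whatever the caller pinned, so "@main" yields "@refs/heads/main",
# which is why the verifier and the Kyverno policy must name that exact string.
expected_identity() {
  org=$1; repo=$2; workflow_path=$3; ref=$4
  printf 'https://github.com/%s/%s/%s@%s\n' "$org" "$repo" "$workflow_path" "$ref"
}

# Verify an image by digest against the exact identity and issuer.
# Verifying a tag would let a later push change what is being checked,
# so anything that is not image@sha256:<digest> is refused (exit status 2).
verify_image() {
  image=$1; identity=$2
  case "$image" in
    *@sha256:*) ;;
    *) echo "refusing to verify a tag; pass image@sha256:<digest>" >&2; return 2 ;;
  esac
  cosign verify \
    --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
    --certificate-identity "$identity" \
    "$image"
}

main() {
  identity=$(expected_identity chronicleprotocol challenger \
    .github/workflows/sign-image.yaml refs/heads/main)
  # <digest> is a placeholder: substitute the sha256 digest of the pushed image
  verify_image "ghcr.io/chronicleprotocol/challenger-go@sha256:<digest>" "$identity"
}

# Opt-in so the functions can be sourced without contacting the registry
if [ "${RUN_VERIFY:-0}" = 1 ]; then
  main "$@"
fi
```

Run with `RUN_VERIFY=1 sh verify-challenger.sh` after substituting the digest; a mismatch between the pinned ref and the SAN in the certificate makes cosign fail closed, which is the same condition the enforce IVP applies at admission.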
@devkoriel devkoriel merged commit be74564 into main Jun 17, 2026
2 checks passed