Build: Use Github runners to build and sign container images on new tags #10

	# This action listens on new tags, generates a new container image
	# sign it and upload it to the container registry.

	name: Release container image
	on:
	push:
	tags:
	- "container-image/**"
	branches:
	- "test/image-**"
	workflow_dispatch:

	permissions:
	id-token: write
	packages: write
	contents: read
	attestations: write

	env:
	REGISTRY: ghcr.io/${{ github.repository_owner }}
	REGISTRY_USER: ${{ github.actor }}
	REGISTRY_PASSWORD: ${{ github.token }}
	IMAGE_NAME: dangerzone/dangerzone

	jobs:
	build-container-image:
	runs-on: ubuntu-24.04
	steps:
	- uses: actions/checkout@v4
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: USERNAME
	password: ${{ github.token }}

	- name: Build and push the dangerzone image
	id: build-image
	run: \|
	sudo apt-get install -y python3-poetry
	python3 ./install/common/build-image.py
	echo ${{ github.token }} \| podman login ghcr.io -u USERNAME --password-stdin

	# Load the image with the final name directly
	gunzip -c share/container.tar.gz \| podman load
	FINAL_IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
	podman tag dangerzone.rocks/dangerzone "$FINAL_IMAGE_NAME"
	podman push "$FINAL_IMAGE_NAME" --digestfile=digest
	echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT"

	- name: Generate artifact attestation
	uses: actions/attest-build-provenance@v1
	with:
	subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
	subject-digest: "${{ steps.build-image.outputs.digest }}"
	push-to-registry: true

Provide feedback