ci: refactor rootfs build automation

Signed-off-by: Austin Vazquez <[email protected]>

.github/dependabot.yaml

@@ -14,3 +14,11 @@ updates:
   commit-message:
     prefix: "ci"
     include: "scope"
+- package-ecosystem: "gomod"
+  directory: "/rootfs/cosign"
+  dependency-type: direct
+  schedule:
+    interval: "daily"
+  commit-message:
+    prefix: "build"
+    include: "scope"

.github/workflows/rootfs.yaml

@@ -5,61 +5,112 @@ on:
     branches:
       - main
     paths:
-      - 'Dockerfile'
+      - 'rootfs/Dockerfile'
+      - 'rootfs/cosign/go.mod'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'rootfs/Dockerfile'
+      - 'rootfs/cosign/go.mod'
   workflow_dispatch:
 
 permissions:
-  # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
-  # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
-  id-token: write
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   build-rootfs-image:
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
         # finch only supports amd64 for windows
         arch: ['amd64']
         platform: ['common']
+
+    outputs:
+      timestamp: ${{ steps.vars.outputs.timestamp }}
+
     steps:
-      - name: Generate Timestamp
-        id: timestamp
-        run: echo "value=$(date +%s)" >> $GITHUB_OUTPUT
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-        with:
-          aws-region: ${{ secrets.REGION }}
-          role-to-assume: ${{ secrets.ROLE }}
-          role-session-name: rootfs-ecr-image-upload-session
-      - name: Login to Amazon ECR
-        uses: aws-actions/amazon-ecr-login@v2
-      - name: checkout repo
+      - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+
+      - name: Set build variables
+        id: vars
+        run: |
+          echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
+          cosign_tag=$(cd rootfs/cosign && go list -m github.com/sigstore/cosign/v2 | cut -d " " -f 2)
+          echo "cosign_version=${cosign_tag#v}" >> $GITHUB_OUTPUT
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+
       - name: Build Image
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
+          context: rootfs/
+          file: rootfs/Dockerfile
           platforms: linux/${{ matrix.arch }}
           push: false
           load: true # load the image into Docker so we can create a container from it
           tags: finch-rootfs-image-production:intermediate
+          build-args: |
+            COSIGN_VERSION=${{ steps.vars.outputs.cosign_version }}
+
+  push-rootfs-image:
+    if: github.repository == 'runfinch/finch-core' && github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    needs: build-rootfs-image
+
+    permissions:
+      # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
+      # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+      id-token: write
+      contents: write
+      pull-requests: write
+
+    strategy:
+      matrix:
+        # finch only supports amd64 for windows
+        arch: ['amd64']
+        platform: ['common']
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: ${{ secrets.REGION }}
+          role-to-assume: ${{ secrets.ROLE }}
+          role-session-name: rootfs-ecr-image-upload-session
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Tag and Push Container Image
         run: |
-          TIMESTAMP=${{ steps.timestamp.outputs.value }}
+          TIMESTAMP=${{ needs.build-rootfs-image.outputs.timestamp }}
 
           docker tag finch-rootfs-image-production:intermediate ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-"$TIMESTAMP"
           docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-"$TIMESTAMP"
+
       - name: Create, Compress, and Upload Rootfs
         run: |
-          TIMESTAMP=${{ steps.timestamp.outputs.value }}
+          TIMESTAMP=${{ needs.build-rootfs-image.outputs.timestamp }}
 
           docker container create --platform linux/${{ matrix.arch }} --name ${{ matrix.arch }}-rootfs finch-rootfs-image-production:intermediate
           docker container export -o finch-rootfs-production-${{ matrix.arch }}.tar ${{ matrix.arch }}-rootfs
@@ -87,12 +138,12 @@ jobs:
           ${ARTIFACT_KEY}_512_DIGEST=$sha512_digest
           EOL
 
-      - name: create pr
+      - name: Create PR
         uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           signoff: true
-          branch: create-rootfs-${{ matrix.arch }}-${{ steps.timestamp.outputs.value }}
+          branch: create-rootfs-${{ matrix.arch }}-${{ needs.build-rootfs-image.outputs.timestamp }}
           delete-branch: true
           title: 'build(deps): Update windows rootfs'
           add-paths: deps/rootfs.conf

rootfs/.dockerignore

@@ -0,0 +1 @@
+cosign/

Dockerfile → rootfs/Dockerfile

@@ -7,18 +7,19 @@ WORKDIR /work
 RUN dnf update --best -y
 
 # download and install cosign
-RUN curl -L -O https://github.com/sigstore/cosign/releases/download/v2.2.4/cosign-2.2.4-1.x86_64.rpm && \
-    curl -L -O https://github.com/sigstore/cosign/releases/download/v2.2.4/cosign-2.2.4-1.x86_64.rpm-keyless.pem && \
-    curl -L -O https://github.com/sigstore/cosign/releases/download/v2.2.4/cosign-2.2.4-1.x86_64.rpm-keyless.sig && \
-    rpm -ivh cosign-2.2.4-1.x86_64.rpm
+ARG COSIGN_VERSION
+RUN curl -L -O https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-${COSIGN_VERSION}-1.x86_64.rpm && \
+    curl -L -O https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-${COSIGN_VERSION}-1.x86_64.rpm-keyless.pem && \
+    curl -L -O https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-${COSIGN_VERSION}-1.x86_64.rpm-keyless.sig && \
+    rpm -ivh cosign-${COSIGN_VERSION}-1.x86_64.rpm
 
 # use cosign to verify itself
 RUN cosign verify-blob \
-    --certificate cosign-2.2.4-1.x86_64.rpm-keyless.pem \
-    --signature cosign-2.2.4-1.x86_64.rpm-keyless.sig \
+    --certificate cosign-${COSIGN_VERSION}-1.x86_64.rpm-keyless.pem \
+    --signature cosign-${COSIGN_VERSION}-1.x86_64.rpm-keyless.sig \
     --certificate-identity [email protected] \
     --cert-oidc-issuer https://accounts.google.com \
-    cosign-2.2.4-1.x86_64.rpm
+    cosign-${COSIGN_VERSION}-1.x86_64.rpm
 
 FROM public.ecr.aws/docker/library/fedora:40
 
@@ -44,11 +45,12 @@ RUN dnf install -y \
   fuse-sshfs \
   btrfs-progs
 
-COPY --from=build /work/cosign-2.2.4-1.x86_64.rpm /work/cosign-2.2.4-1.x86_64.rpm
+ARG COSIGN_VERSION
+COPY --from=build /work/cosign-${COSIGN_VERSION}-1.x86_64.rpm /work/cosign-${COSIGN_VERSION}-1.x86_64.rpm
 
 # install cosign
-RUN rpm -ivh cosign-2.2.4-1.x86_64.rpm && \
-    rm -rf cosign-2.2.4-1.x86_64.rpm
+RUN rpm -ivh cosign-${COSIGN_VERSION}-1.x86_64.rpm && \
+    rm -rf cosign-${COSIGN_VERSION}-1.x86_64.rpm
 
 RUN systemctl enable cloud-init cloud-init-local cloud-config cloud-final