feat: add image build to ghcr.io

.alpine.pkgs

@@ -0,0 +1 @@
+tar crane hugo git cosign bash openssl jq yq

.github/workflows/push.yml

@@ -3,6 +3,10 @@ on:
     branches:
       - main
   workflow_dispatch: {}
+permissions:
+  id-token: write
+  contents: write
+  packages: write
 jobs:
   push-to-balena-cloud:
     runs-on: ubuntu-latest
@@ -29,3 +33,24 @@ jobs:
         if: ${{ always() }}
         run: |
           rm -rfv .balena-key
+  publish-to-ghcr:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - id: run-info
+        name: collect job run info
+        env:
+          CONTAINER_REPO: ghcr.io/${{ github.repository }}
+        run: |
+          echo "container-repo=${CONTAINER_REPO,,}" >> $GITHUB_OUTPUT
+      - name: Setup Hugo
+        uses: peaceiris/actions-hugo@v3
+        with:
+          hugo-version: 'latest'
+          extended: true
+      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
+      - name: build
+        env:
+          CONTAINER_REPO: ${{ steps.run-info.outputs.container-repo }}
+        run: ./hack/publish.sh --sign

hack/image.yaml

@@ -0,0 +1 @@
+image: registry.gitlab.com/bobymcbobs/go-http-server:1.11.0 # {"$imagepolicy": "flux-system:registry-gitlab-com-bobymcbobs-go-http-server"}

hack/publish.sh

@@ -0,0 +1,52 @@
+#!/bin/bash -x
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+cd "$(git rev-parse --show-toplevel)" || exit 0
+
+LOCAL_REGISTRY="localhost:5001/$(pwd | md5sum | head -c6)"
+BASE_IMAGE="$(< ./hack/image.yaml yq e .image -P)"
+TAG="${TAG:-v$(git show -s --format=%cd --date=format:'%s')-$(git rev-parse HEAD | head -c8)}"
+SIGN=false
+
+# NOTE budget /bin/sh way
+if echo "${@:-}" | grep -q '\-\-sign'; then
+    SIGN=true
+fi
+
+cosign verify \
+    --certificate-identity-regexp 'https://gitlab.com/BobyMCbobs/go-http-server//.gitlab-ci.yml@(refs/heads/main|refs/tags/.*)' \
+    --certificate-oidc-issuer-regexp 'https://gitlab.com' \
+    "$BASE_IMAGE" \
+    -o text
+
+rm -rf public output
+hugo
+
+# bit of a hack
+# perhaps there's a way to say
+# to tar to pack dir into a new dir?
+mkdir -p output/var/run
+mv public output/var/run/ko
+chmod -R 0755 output/
+
+IMAGE_ARM64="$(crane append --platform=linux/arm64 \
+    --base="$BASE_IMAGE" \
+    --new_layer=<(cd output && tar --exclude=".DS_Store" -f - -c .) \
+    --new_tag="${CONTAINER_REPO:-$LOCAL_REGISTRY}")"
+IMAGE_AMD64="$(crane append --platform=linux/amd64 \
+    --base="$BASE_IMAGE" \
+    --new_layer=<(cd output && tar --exclude=".DS_Store" -f - -c .) \
+    --new_tag="${CONTAINER_REPO:-$LOCAL_REGISTRY}")"
+IMAGE="$(crane index append \
+    -m "${IMAGE_ARM64}" \
+    -m "${IMAGE_AMD64}" \
+    -t "${CONTAINER_REPO:-$LOCAL_REGISTRY}:$TAG")"
+
+if [ "$SIGN" = true ]; then
+    cosign sign -y --recursive "$IMAGE"
+fi
+
+echo "Published image to: $IMAGE"