ci: Split image publishing into separate workflow for security

cgwalters · cgwalters · commit 094c39d7188b · 2025-12-05T07:37:50.000-05:00
Previously, the CI workflow granted packages:write permission at the workflow level, making GITHUB_TOKEN with write access available to all jobs including those running on pull requests. While the actual push steps were gated with conditionals, malicious PR code could use the token to push arbitrary images to ghcr.io. Split image publishing into a dedicated build-and-publish.yml workflow that only runs on push to main, with no PR execution. This follows GitHub security best practices by isolating write credentials from untrusted PR code. The new workflow builds and publishes all image variants using a simple matrix with explicit exclude for centos-9 UKI (broken per #1812). Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
@@ -0,0 +1,62 @@
+name: Build and Publish Images
+
+permissions:
+  packages: write
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch: {}
+
+env:
+  CARGO_TERM_COLOR: always
+  LIBVIRT_DEFAULT_URI: "qemu:///session"
+  DEV_IMAGE: ghcr.io/bootc-dev/dev-bootc
+
+jobs:
+  # Build and publish container images to ghcr.io
+  publish-images:
+    strategy:
+      matrix:
+        test_os: [fedora-42, fedora-43, fedora-44, centos-9, centos-10]
+        variant: [ostree, composefs-sealeduki-sdboot]
+        exclude:
+          # centos-9 UKI is experimental/broken (https://github.com/bootc-dev/bootc/issues/1812)
+          - test_os: centos-9
+            variant: composefs-sealeduki-sdboot
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - name: Bootc Ubuntu Setup
+        uses: ./.github/actions/bootc-ubuntu-setup
+
+      - name: Setup env
+        run: |
+          BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
+          echo "BOOTC_base=${BASE}" >> $GITHUB_ENV
+          echo "BOOTC_variant=${{ matrix.variant }}" >> $GITHUB_ENV
+
+          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
+            BUILDROOTBASE=$(just pullspec-for-os buildroot-base ${{ matrix.test_os }})
+            echo "BOOTC_buildroot_base=${BUILDROOTBASE}" >> $GITHUB_ENV
+          fi
+
+      - name: Build container
+        run: just build-integration-test-image
+
+      - name: Login to ghcr.io
+        uses: redhat-actions/podman-login@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push container image
+        run: |
+          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
+            TAG="${{ matrix.test_os }}-uki"
+          else
+            TAG="${{ matrix.test_os }}"
+          fi
+          podman tag localhost/bootc ${{ env.DEV_IMAGE }}:${TAG}
+          podman push ${{ env.DEV_IMAGE }}:${TAG}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,7 +10,6 @@ name: CI
 
 permissions:
   actions: read
-  packages: write
 
 on:
   push:
@@ -159,20 +158,6 @@ jobs:
           name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-ostree-${{ env.ARCH }}
           path: /var/tmp/tmt
 
-      - name: Login to ghcr.io
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: redhat-actions/podman-login@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Push container image
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        run: |
-          podman tag localhost/bootc ${{ env.DEV_IMAGE }}:${{ matrix.test_os }}
-          podman push ${{ env.DEV_IMAGE }}:${{ matrix.test_os }}
-
   # This variant does composefs testing
   test-integration-cfs:
     continue-on-error: ${{ matrix.experimental }}
@@ -229,20 +214,6 @@ jobs:
           name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-cfs-${{ env.ARCH }}
           path: /var/tmp/tmt
 
-      - name: Login to ghcr.io
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: redhat-actions/podman-login@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Push container image
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        run: |
-          podman tag localhost/bootc ${{ env.DEV_IMAGE }}:stream10-uki
-          podman push ${{ env.DEV_IMAGE }}:stream10-uki
-
   # Sentinel job for required checks - configure this job name in repository settings
   required-checks:
     if: always()
