Automatically build node installer image

.github/workflows/container-image.yml

@@ -3,6 +3,16 @@ name: Build container image
 on:
   workflow_call:
     inputs:
+      image-name:
+        type: string
+        required: true
+      dockerfile:
+        type: string
+        required: true
+      docker-context:
+        type: string
+        required: false
+        default: "."
       push-image:
         type: boolean
         required: true
@@ -59,15 +69,15 @@ jobs:
         id: build-image
         uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
         with:
-          context: .
-          file: ./Dockerfile
+          context: ${{ inputs.docker-context }}
+          file: ${{ inputs.dockerfile }}
           platforms: linux/amd64, linux/arm64
           push: true
           tags: |
-            ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }}
+            ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}:${{ env.TAG_NAME }}
       - id: setoutput
         name: Set output parameters
         run: |
-          echo "repository=ghcr.io/${{ github.repository }}" >> $GITHUB_OUTPUT
+          echo "repository=ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}" >> $GITHUB_OUTPUT
           echo "tag=${{ env.TAG_NAME }}" >> $GITHUB_OUTPUT
           echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT

.github/workflows/installer-build.yml

@@ -0,0 +1,44 @@
+name: Build installer image, sign it, and generate SBOMs
+
+on:
+  workflow_call:
+    outputs:
+      digest:
+        description: "Container image digest"
+        value: ${{jobs.build.outputs.digest}}
+
+  push:
+    branches:
+      - "main"
+      - "feat-**"
+
+jobs:
+  build:
+    uses: ./.github/workflows/container-image.yml
+    permissions:
+      contents: read
+      packages: write
+    with:
+      image-name: node-installer
+      dockerfile: ./images/installer/Dockerfile
+      push-image: true
+
+  sign:
+    needs: build
+    uses: ./.github/workflows/sign-image.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-repository: ${{ needs.build.outputs.repository }}
+      image-digest: ${{ needs.build.outputs.digest }}
+
+  sbom:
+    needs: build
+    uses: ./.github/workflows/sbom.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-name: node-installer
+      image-digest: ${{ needs.build.outputs.digest }}

.github/workflows/container-build.yml → .github/workflows/manager-build.yml

@@ -1,4 +1,4 @@
-name: Build container image, sign it, and generate SBOMs
+name: Build manager image, sign it, and generate SBOMs
 
 on:
   workflow_call:
@@ -19,6 +19,8 @@ jobs:
       contents: read
       packages: write
     with:
+      image-name: runtime-class-manager
+      dockerfile: ./Dockerfile
       push-image: true
 
   sign:
@@ -28,6 +30,7 @@ jobs:
       packages: write
       id-token: write
     with:
+      image-repository: ${{ needs.build.outputs.repository }}
       image-digest: ${{ needs.build.outputs.digest }}
 
   sbom:
@@ -37,4 +40,5 @@ jobs:
       packages: write
       id-token: write
     with:
+      image-name: runtime-class-manager
       image-digest: ${{ needs.build.outputs.digest }}

.github/workflows/release.yml

@@ -10,21 +10,34 @@ permissions: read-all
 jobs:
   ci:
     uses: ./.github/workflows/ci.yml
-    permissions: read-all
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
+
+  build-manager:
+    name: Build manager image, sign it, and generate SBOMs
+    uses: ./.github/workflows/manager-build.yml
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
 
-  build:
-    name: Build container image, sign it, and generate SBOMs
-    uses: ./.github/workflows/container-build.yml
+  build-installer:
+    name: Build installer image, sign it, and generate SBOMs
+    uses: ./.github/workflows/installer-build.yml
     permissions:
       id-token: write
       packages: write
+      contents: read
 
   release:
     name: Create release
 
     needs:
       - ci
-      - build
+      - build-manager
+      - build-installer
 
     permissions:
       contents: write
@@ -73,7 +86,7 @@ jobs:
       - name: Download SBOM artifact
         uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
-          pattern: sbom-*
+          pattern: "*-sbom-*"
           path: ./
           merge-multiple: true
 
@@ -89,12 +102,19 @@ jobs:
             let path = require('path');
 
             let files = [
-              '${{ github.repository }}-sbom-amd64.spdx',
-              '${{ github.repository }}-sbom-amd64.spdx.cert',
-              '${{ github.repository }}-sbom-amd64.spdx.sig',
-              '${{ github.repository }}-sbom-arm64.spdx',
-              '${{ github.repository }}-sbom-arm64.spdx.cert',
-              '${{ github.repository }}-sbom-arm64.spdx.sig']
+              'runtime-class-manager-sbom-amd64.spdx',
+              'runtime-class-manager-sbom-amd64.spdx.cert',
+              'runtime-class-manager-sbom-amd64.spdx.sig',
+              'runtime-class-manager-sbom-arm64.spdx',
+              'runtime-class-manager-sbom-arm64.spdx.cert',
+              'runtime-class-manager-sbom-arm64.spdx.sig',
+              'node-installer-sbom-amd64.spdx',
+              'node-installer-sbom-amd64.spdx.cert',
+              'node-installer-sbom-amd64.spdx.sig',
+              'node-installer-sbom-arm64.spdx',
+              'node-installer-sbom-arm64.spdx.cert',
+              'node-installer-sbom-arm64.spdx.sig',
+            ]
             const {RELEASE_ID} = process.env
 
             for (const file of files) {

.github/workflows/sbom.yml

@@ -3,6 +3,9 @@ name: Generate SBOMs
 on:
   workflow_call:
     inputs:
+      image-name:
+        type: string
+        required: true
       image-digest:
         type: string
         required: true
@@ -42,30 +45,30 @@ jobs:
           set -e
           DIGEST=$(crane digest \
             --platform "linux/${{ matrix.arch }}" \
-            ghcr.io/${{ github.repository }}@${{ inputs.image-digest }})
+            ghcr.io/${{ github.repository_owner}}/${{ inputs.image-name }}@${{ inputs.image-digest }})
           echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
 
       - name: Create SBOM file
         shell: bash
         run: |
           syft \
             -o spdx-json \
-            --file runtime-class-manager-sbom-${{ matrix.arch }}.spdx \
-            ghcr.io/${{ github.repository }}@${{ env.PLATFORM_DIGEST }}
+            --file ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx \
+            ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}@${{ env.PLATFORM_DIGEST }}
 
       - name: Sign SBOM file
         run: |
           cosign sign-blob --yes \
-            --output-certificate runtime-class-manager-sbom-${{ matrix.arch }}.spdx.cert \
-            --output-signature runtime-class-manager-sbom-${{ matrix.arch }}.spdx.sig \
-            runtime-class-manager-sbom-${{ matrix.arch }}.spdx
+            --output-certificate ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.cert \
+            --output-signature ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.sig \
+            ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx
 
       - name: Attach SBOM file in the container image
         shell: bash
         run: |
           cosign attach \
-            sbom --sbom runtime-class-manager-sbom-${{ matrix.arch }}.spdx \
-            ghcr.io/${{ github.repository }}@${{ env.PLATFORM_DIGEST }}
+            sbom --sbom ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx \
+            ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}@${{ env.PLATFORM_DIGEST }}
 
       - name: Sign SBOM file pushed to OCI registry
         shell: bash
@@ -74,10 +77,10 @@ jobs:
           SBOM_TAG="$(echo ${{ env.PLATFORM_DIGEST }} | sed -e 's/:/-/g').sbom"
 
           cosign sign --yes \
-            ghcr.io/${{ github.repository }}:${SBOM_TAG}
+            ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}:${SBOM_TAG}
 
       - name: Upload SBOMs as artifacts
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
-          name: sbom-${{ matrix.arch }}
-          path: runtime-class-manager-sbom-*
+          name: ${{ inputs.image-name }}-sbom-${{ matrix.arch }}
+          path: ${{ inputs.image-name }}-sbom-*

.github/workflows/sign-image.yml

@@ -3,6 +3,9 @@ name: Sign image
 on:
   workflow_call:
     inputs:
+      image-repository:
+        type: string
+        required: true
       image-digest:
         type: string
         required: true
@@ -29,4 +32,4 @@ jobs:
       - name: Sign container image
         run: |
           cosign sign --yes \
-            ghcr.io/${{ github.repository }}@${{ inputs.image-digest }}
+            ${{ inputs.image-repository }}@${{ inputs.image-digest }}