ci(install-proof): bind KIN_NO_SETUP to sh, not curl (FIR-1012) (#44) #7
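# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Firelock, LLC
name: Daemon Image

# Builds and pushes the kin-daemon container image to the Kin Artifact Registry.
# On every push to main it keeps a fresh SHA-tagged (and :latest) image available
# for the hosted rollout (kinlab deploy.yml consumes KINLAB_KIN_DAEMON_IMAGE);
# workflow_dispatch builds the same image on demand. Auth is keyless via the
# firelock-ai org Workload Identity Federation provider (no service-account keys).
#
# NOTE(review): the actions below are referenced by major-version tag. Tags are
# mutable; pinning each `uses:` to a full commit SHA (with the tag kept as a
# trailing comment) stops an upstream retag from changing what runs while this
# job holds registry push rights.

on:
  push:
    branches: [main]
  # NOTE(review): a manual dispatch can be started from any ref, and the tag list
  # below retags :latest unconditionally. Confirm that the WIF provider's
  # attribute condition (configured outside this file) limits which refs may
  # obtain the service-account token.
  workflow_dispatch:

# Workflow-wide default stays read-only. The OIDC grant is scoped to the single
# job that needs it, so a job added later does not inherit token minting.
permissions:
  contents: read

concurrency:
  group: daemon-image-${{ github.ref }}
  # Let a running push finish rather than abandoning it mid-way.
  cancel-in-progress: false

env:
  IMAGE: us-central1-docker.pkg.dev/kin-ecosystem/kin-ecosystem/kin-daemon

jobs:
  build-push:
    name: Build + push kin-daemon image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required for the keyless WIF exchange in the auth step.
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # No later step performs git operations, and the checkout directory is
          # the Docker build context, so do not leave the job token configured
          # for git.
          persist-credentials: false

      - name: Authenticate to Google Cloud (keyless WIF)
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
          service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v3

      - name: Configure Docker for Artifact Registry
        run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push (linux/amd64)
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          platforms: linux/amd64
          # Single-arch manifest (no attestation index) for predictable GKE pulls.
          # Trade-off: no build provenance attestation is attached to the image,
          # so consumers cannot verify its origin from the registry alone.
          provenance: false
          # The SHA tag identifies the source commit; :latest is a moving pointer.
          # NOTE(review): both are tags and can be overwritten by a later push.
          # The digest printed in the summary is the immutable reference.
          tags: |
            ${{ env.IMAGE }}:${{ github.sha }}
            ${{ env.IMAGE }}:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Summary
        env:
          # Passed through the environment instead of being interpolated into
          # the script text.
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          {
            echo "Pushed \`${IMAGE}:${GITHUB_SHA}\`"
            echo "Pushed \`${IMAGE}:latest\`"
            echo "Digest \`${IMAGE}@${DIGEST}\`"
          } >> "$GITHUB_STEP_SUMMARY"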