230 lines
10 KiB
YAML
230 lines
10 KiB
YAML
---
|
|
name: Build container image
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
schedule:
|
|
- cron: '05 10 * * *' # 10:05am UTC everyday
|
|
push:
|
|
branches:
|
|
- main
|
|
paths-ignore:
|
|
- '**/README.md'
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
IMAGE_DESC: "My personalized operating system. Powered by uBlue tooling/template."
|
|
IMAGE_KEYWORDS: "bootc,ublue,universal-blue"
|
|
IMAGE_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4" # Put your own image here for a fancy profile on https://artifacthub.io/!
|
|
IMAGE_NAME: "${{ github.event.repository.name }}" # output image name, usually same as repo name
|
|
IMAGE_REGISTRY: "git.hydrosaber.com/${{ github.repository_owner }}" # do not edit
|
|
DEFAULT_TAG: "latest"
|
|
FEDORA_VERSION: 42
|
|
BASE_IMAGE: "quay.io/fedora-ostree-desktops/base-atomic"
|
|
CONTAINER_CACHE_PATH: "/var/lib/containers"
|
|
DNF_CACHE_PATH: "/var/cache/dnf"
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
build_push:
|
|
name: Build and push image
|
|
runs-on: ubuntu-24.04
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Prepare environment
|
|
run: |
|
|
# Lowercase the image uri
|
|
echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV}
|
|
echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV}
|
|
# make directory for caches
|
|
mkdir -p ${{ env.DNF_CACHE_PATH }}
|
|
mkdir -p ${{ env.CONTAINER_CACHE_PATH }}
|
|
|
|
- name: Set tag to pr if pull request
|
|
if: github.event_name == 'pull_request'
|
|
env:
|
|
PULL_REQUEST_NUMBER: ${{ github.event.number }}
|
|
run: |
|
|
echo "DEFAULT_TAG=pr-${PULL_REQUEST_NUMBER}" >> ${GITHUB_ENV}
|
|
|
|
- name: Setup Podman
|
|
shell: bash
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y podman skopeo
|
|
|
|
- name: Install dependencies
|
|
shell: bash
|
|
run: |
|
|
sudo apt-get install -y iptables
|
|
|
|
# These stage versions are pinned by https://github.com/renovatebot/renovate
|
|
- name: Checkout
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
|
|
|
|
- name: Get current date
|
|
id: date
|
|
run: |
|
|
# This generates a timestamp like what is defined on the ArtifactHub documentation
|
|
# E.G: 2022-02-08T15:38:15Z'
|
|
# https://artifacthub.io/docs/topics/repositories/container-images/
|
|
# https://linux.die.net/man/1/date
|
|
echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT
|
|
echo "MONTH_YEAR=$(date -u +%Y%m)" >> ${GITHUB_ENV}
|
|
|
|
- name: Get base-atomic image digest
|
|
shell: bash
|
|
env:
|
|
FULL_BASE_IMAGE: "docker://${{ env.BASE_IMAGE }}:${{ env.FEDORA_VERSION }}"
|
|
run: |
|
|
echo "DIGEST=$(skopeo inspect \
|
|
${FULL_BASE_IMAGE} --format '{{.Digest}}' | \
|
|
sed -e "s/^sha256://" | head -c 12)" >> ${GITHUB_ENV}
|
|
|
|
- name: Restore base-atomic container cache
|
|
id: cache-base-atomic-restore
|
|
uses: actions/cache/restore@v4
|
|
with:
|
|
path: |
|
|
${{ env.CONTAINER_CACHE_PATH }}
|
|
key: "${{ env.DIGEST }}-atomic-base-image"
|
|
|
|
- name: Pull atomic base image
|
|
if: steps.cache-base-atomic-restore.outputs.cache-hit != 'true'
|
|
env:
|
|
FULL_BASE_IMAGE: "docker://${{ env.BASE_IMAGE }}:${{ env.FEDORA_VERSION }}"
|
|
continue-on-error: true
|
|
shell: bash
|
|
run: |
|
|
buildah pull ${FULL_BASE_IMAGE}
|
|
|
|
- name: Save base-atomic container cache
|
|
id: cache-base-atomic-save
|
|
if: steps.cache-base-atomic-restore.outputs.cache-hit != 'true' && github.event_name == 'pull_request'
|
|
uses: actions/cache/save@v4
|
|
with:
|
|
path: |
|
|
${{ env.CONTAINER_CACHE_PATH }}
|
|
key: "${{ env.DIGEST }}-atomic-base-image"
|
|
|
|
- name: Cache dnf cache
|
|
id: dnf-cache
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ${{ env.DNF_CACHE_PATH }}
|
|
key: "${{ env.MONTH_YEAR }}-dnf"
|
|
|
|
# Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images
|
|
# The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not.
|
|
- name: Image Metadata
|
|
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5
|
|
id: metadata
|
|
with:
|
|
tags: |
|
|
type=raw,value=${{ env.DEFAULT_TAG }}
|
|
type=raw,value={{date 'YYYYMMDD'}}
|
|
type=sha,enable=${{ github.event_name == 'pull_request' }}
|
|
labels: |
|
|
org.opencontainers.image.created=${{ steps.date.outputs.date }}
|
|
org.opencontainers.image.description=${{ env.IMAGE_DESC }}
|
|
org.opencontainers.image.documentation=https://git.hydrosaber.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/src/branch/main/README.md
|
|
org.opencontainers.image.source=https://git.hydrosaber.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/src/branch/main/Containerfile
|
|
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
|
|
org.opencontainers.image.url=https://git.hydrosaber.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
|
|
org.opencontainers.image.vendor=${{ github.repository_owner }}
|
|
org.opencontainers.image.version=${{ env.DEFAULT_TAG }}.{{date 'YYYYMMDD'}}
|
|
io.artifacthub.package.deprecated=false
|
|
io.artifacthub.package.keywords=${{ env.IMAGE_KEYWORDS }}
|
|
io.artifacthub.package.license=Apache-2.0
|
|
io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }}
|
|
io.artifacthub.package.prerelease=false
|
|
containers.bootc=1
|
|
sep-tags: " "
|
|
sep-annotations: " "
|
|
|
|
- name: Build Image
|
|
id: build_image
|
|
shell: bash
|
|
run: |
|
|
buildah bud \
|
|
--format docker \
|
|
-v "${{ env.DNF_CACHE_PATH }}:/var/cache/libdnf5:rw,Z" \
|
|
-v "${{ env.CONTAINER_CACHE_PATH }}:/var/lib/containers:rw,Z" \
|
|
--tag "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" \
|
|
--build-arg BASE_IMAGE=${{ env.BASE_IMAGE }} \
|
|
--build-arg FEDORA_VERSION=${{ env.FEDORA_VERSION }} \
|
|
-f ./Containerfile
|
|
|
|
- name: Run Rechunker
|
|
id: rechunk
|
|
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
|
|
uses: hhd-dev/rechunk@5fbe1d3a639615d2548d83bc888360de6267b1a2 # v1.2.4
|
|
with:
|
|
rechunk: 'ghcr.io/hhd-dev/rechunk:v1.2.2'
|
|
ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
|
|
prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
|
|
skip_compression: false
|
|
version: ${{ env.CENTOS_VERSION }}
|
|
labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator
|
|
|
|
## This is necessary so that the podman socket can find the rechunked image on its storage
|
|
- name: Load in podman and tag
|
|
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
|
|
run: |
|
|
IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
|
|
sudo rm -rf ${{ steps.rechunk.outputs.output }}
|
|
for tag in ${{ steps.metadata.outputs.tags }}; do
|
|
podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
|
|
done
|
|
|
|
# These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing
|
|
# They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work
|
|
- name: Login to Container Registry
|
|
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
|
|
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
|
|
with:
|
|
registry: git.hydrosaber.com
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.PACKAGE_BUILDER_TOKEN }}
|
|
|
|
- name: Push To git.hydrosaber.com
|
|
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
|
|
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
|
|
id: push
|
|
env:
|
|
REGISTRY_USER: ${{ github.actor }}
|
|
REGISTRY_PASSWORD: ${{ secrets.PACKAGE_BUILDER_TOKEN }}
|
|
with:
|
|
registry: ${{ env.IMAGE_REGISTRY }}
|
|
image: ${{ env.IMAGE_NAME }}
|
|
tags: ${{ steps.metadata.outputs.tags }}
|
|
username: ${{ env.REGISTRY_USER }}
|
|
password: ${{ env.REGISTRY_PASSWORD }}
|
|
|
|
# This section is optional and only needs to be enabled if you plan on distributing
|
|
# your project for others to consume. You will need to create a public and private key
|
|
# using Cosign and save the private key as a repository secret in Github for this workflow
|
|
# to consume. For more details, review the image signing section of the README.
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
|
|
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
|
|
|
|
- name: Sign container image
|
|
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
|
|
run: |
|
|
IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}"
|
|
printf "" | cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL@$DIGEST
|
|
env:
|
|
DIGEST: ${{ steps.push.outputs.digest }}
|
|
COSIGN_EXPERIMENTAL: false
|
|
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
|