diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 74d86e1..8d54a7a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,11 +1,6 @@ -# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds. -# The images are also built after pushing changes or pull requests. -# The builds can also be triggered manually in the Actions tab thanks to workflow dispatch. -# Only the branch called `live` is published. - - -name: build-ublue -on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows +# build.yml +name: bluebuild +on: schedule: - cron: "30 16 * * *" push: @@ -13,19 +8,13 @@ on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-wor - live - template - main - paths-ignore: # don't rebuild if only documentation has changed + paths-ignore: - "**.md" pull_request: workflow_dispatch: - -env: - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - -# Only deploys the branch named "live". Ignores all other branches, to allow -# having "development" branches without interfering with GHCR image uploads. jobs: - push-ghcr: - name: Build and push image + bluebuild: + name: Build Custom Image runs-on: ubuntu-22.04 permissions: contents: read @@ -33,192 +22,15 @@ jobs: id-token: write strategy: fail-fast: false - matrix: -# !!! - # Add recipes for all the images you want to build here. - # Don't add module configuration files, you will get errors. recipe: + # !! Add your recipes here - recipe.yml -# !!! - steps: - # Checkout push-to-registry action GitHub repository - - name: Checkout Push to Registry action - uses: actions/checkout@v4 - - # Confirm that cosign.pub matches SIGNING_SECRET - - uses: sigstore/cosign-installer@v3.3.0 - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - - - name: Check SIGNING_SECRET matches cosign.pub - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - env: - COSIGN_EXPERIMENTAL: false - COSIGN_PASSWORD: "" - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - shell: bash - run: | - echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub" - delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub) - if [ -z "$delta" ]; then - echo "cosign.pub matches SIGNING_SECRET" - else - echo "cosign.pub does not match SIGNING_SECRET" - echo "$delta" - exit 1 - fi - - - name: Add yq (for reading recipe.yml) - uses: mikefarah/yq@v4.40.5 - - - name: Gather image data from recipe - run: | - echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }}) - echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV - echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV - - - name: Verify base image - uses: EyeCantCU/cosign-action/verify@v0.2.2 + - name: Build Custom Image + uses: blue-build/github-action@main with: - containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} - - - name: Get current version - id: labels - run: | - ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.IMAGE_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]') - echo "VERSION=$ver" >> $GITHUB_OUTPUT - - - name: Generate tags - id: generate-tags - shell: bash - run: | - # Generate a timestamp for creating an image version history - TIMESTAMP="$(date +%Y%m%d)" - MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)" - COMMIT_TAGS=() - BUILD_TAGS=() - # Have tags for tracking builds during pull request - SHA_SHORT="${GITHUB_SHA::7}" - - # Using clever bash string templating, https://stackoverflow.com/q/40771781 - # don't make malformed tags if $MAJOR_VERSION is empty (base-image didn't include proper labels) -- - COMMIT_TAGS+=("pr-${{ github.event.number }}${MAJOR_VERSION:+-$MAJOR_VERSION}") - COMMIT_TAGS+=("${SHA_SHORT}${MAJOR_VERSION:+-$MAJOR_VERSION}") - - BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION:+$MAJOR_VERSION-}${TIMESTAMP}") - # -- - - BUILD_TAGS+=("${TIMESTAMP}") - BUILD_TAGS+=("latest") - - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "Generated the following commit tags: " - for TAG in "${COMMIT_TAGS[@]}"; do - echo "${TAG}" - done - alias_tags=("${COMMIT_TAGS[@]}") - else - alias_tags=("${BUILD_TAGS[@]}") - fi - echo "Generated the following build tags: " - for TAG in "${BUILD_TAGS[@]}"; do - echo "${TAG}" - done - echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - - # Build metadata - - name: Image Metadata - uses: docker/metadata-action@v5 - id: meta - with: - images: | - ${{ env.IMAGE_NAME }} - labels: | - org.opencontainers.image.title=${{ env.IMAGE_NAME }} - org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} - org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }} - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md - io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - - # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. - # https://github.com/macbre/push-to-ghcr/issues/12 - - name: Lowercase Registry - id: registry_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_REGISTRY }} - - - name: Lowercase Image - id: image_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_NAME }} - - - name: Maximize build space - uses: AdityaGarg8/remove-unwanted-software@v2 - with: - remove-dotnet: 'true' - remove-android: 'true' - remove-haskell: 'true' - - # Build image using Buildah action - - name: Build Image - id: build_image - uses: redhat-actions/buildah-build@v2 - with: - containerfiles: | - ./Containerfile - image: ${{ env.IMAGE_NAME }} - tags: | - ${{ steps.generate-tags.outputs.alias_tags }} - build-args: | - IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }} - BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }} - RECIPE=${{ matrix.recipe }} - IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }} - labels: ${{ steps.meta.outputs.labels }} - oci: false - - # Push the image to GHCR (Image Registry) - - name: Push To GHCR - uses: redhat-actions/push-to-registry@v2 - id: push - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - with: - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Sign container - - name: Sign container image - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}@${TAGS} - env: - TAGS: ${{ steps.push.outputs.digest }} - COSIGN_EXPERIMENTAL: false - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - - - name: Echo outputs - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - run: | - echo "${{ toJSON(steps.push.outputs) }}" + recipe: ${{ matrix.recipe }} + cosign_private_key: ${{ secrets.SIGNING_SECRET }} + registry_token: ${{ github.token }} + pr_event_number: ${{ github.event.number }}