From ab449f031fcf55e85b337376cefc2b0c7ed1bda6 Mon Sep 17 00:00:00 2001
From: gerblesh <101901964+gerblesh@users.noreply.github.com>
Date: Mon, 29 Jan 2024 14:00:33 -0800
Subject: [PATCH] fix: use BlueBuild CLI for image building
---
.github/workflows/build.yml | 214 +++---------------------------------
1 file changed, 13 insertions(+), 201 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 74d86e1..8d54a7a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,11 +1,6 @@
-# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds. -# The images are also built after pushing changes or pull requests. -# The builds can also be triggered manually in the Actions tab thanks to workflow dispatch. -# Only the branch called `live` is published. - - -name: build-ublue -on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows +# build.yml +name: bluebuild +on: schedule: - cron: "30 16 * * *" push:
@@ -13,19 +8,13 @@ on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-wor - live - template - main - paths-ignore: # don't rebuild if only documentation has changed + paths-ignore: - "**.md" pull_request: workflow_dispatch: - -env: - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - -# Only deploys the branch named "live". Ignores all other branches, to allow -# having "development" branches without interfering with GHCR image uploads. jobs: - push-ghcr: - name: Build and push image + bluebuild: + name: Build Custom Image runs-on: ubuntu-22.04 permissions: contents: read 
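Review bot: The replacement header `# build.yml` carries no information, while the four removed comment lines were the only statement of the schedule (daily at 16:30 UTC, one hour after ublue-os/nvidia), of the push/pull-request/manual triggers, and of the policy that only `live` is published. Keep a short header such as `# Builds every branch daily at 16:30 UTC (one hour after ublue-os/nvidia) and on push, pull request or manual dispatch.` plus one line naming which branches are actually published, confirmed against what blue-build/github-action does, since the rest of this commit removes the per-step `live` guards that used to make that policy visible in the workflow itself. The `# don't rebuild if only documentation has changed` comment on `paths-ignore` in the next hunk is dropped the same way and is worth keeping.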
@@ -33,192 +22,15 @@ jobs: id-token: write strategy: fail-fast: false - matrix: -# !!! - # Add recipes for all the images you want to build here. - # Don't add module configuration files, you will get errors. recipe: + # !! Add your recipes here - recipe.yml -# !!! - steps: - # Checkout push-to-registry action GitHub repository - - name: Checkout Push to Registry action - uses: actions/checkout@v4 - - # Confirm that cosign.pub matches SIGNING_SECRET - - uses: sigstore/cosign-installer@v3.3.0 - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - - - name: Check SIGNING_SECRET matches cosign.pub - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - env: - COSIGN_EXPERIMENTAL: false - COSIGN_PASSWORD: "" - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - shell: bash - run: | - echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub" - delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub) - if [ -z "$delta" ]; then - echo "cosign.pub matches SIGNING_SECRET" - else - echo "cosign.pub does not match SIGNING_SECRET" - echo "$delta" - exit 1 - fi - - - name: Add yq (for reading recipe.yml) - uses: mikefarah/yq@v4.40.5 - - - name: Gather image data from recipe - run: | - echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }}) - echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV - echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV - - - name: Verify base image - uses: EyeCantCU/cosign-action/verify@v0.2.2 + - name: Build Custom Image + uses: blue-build/github-action@main with: - containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} - - - name: Get current 
version - id: labels - run: | - ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.IMAGE_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]') - echo "VERSION=$ver" >> $GITHUB_OUTPUT - - - name: Generate tags - id: generate-tags - shell: bash - run: | - # Generate a timestamp for creating an image version history - TIMESTAMP="$(date +%Y%m%d)" - MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)" - COMMIT_TAGS=() - BUILD_TAGS=() - # Have tags for tracking builds during pull request - SHA_SHORT="${GITHUB_SHA::7}" - - # Using clever bash string templating, https://stackoverflow.com/q/40771781 - # don't make malformed tags if $MAJOR_VERSION is empty (base-image didn't include proper labels) -- - COMMIT_TAGS+=("pr-${{ github.event.number }}${MAJOR_VERSION:+-$MAJOR_VERSION}") - COMMIT_TAGS+=("${SHA_SHORT}${MAJOR_VERSION:+-$MAJOR_VERSION}") - - BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION:+$MAJOR_VERSION-}${TIMESTAMP}") - # -- - - BUILD_TAGS+=("${TIMESTAMP}") - BUILD_TAGS+=("latest") - - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "Generated the following commit tags: " - for TAG in "${COMMIT_TAGS[@]}"; do - echo "${TAG}" - done - alias_tags=("${COMMIT_TAGS[@]}") - else - alias_tags=("${BUILD_TAGS[@]}") - fi - echo "Generated the following build tags: " - for TAG in "${BUILD_TAGS[@]}"; do - echo "${TAG}" - done - echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - - # Build metadata - - name: Image Metadata - uses: docker/metadata-action@v5 - id: meta - with: - images: | - ${{ env.IMAGE_NAME }} - labels: | - org.opencontainers.image.title=${{ env.IMAGE_NAME }} - org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} - org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }} - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md - 
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - - # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. - # https://github.com/macbre/push-to-ghcr/issues/12 - - name: Lowercase Registry - id: registry_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_REGISTRY }} - - - name: Lowercase Image - id: image_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_NAME }} - - - name: Maximize build space - uses: AdityaGarg8/remove-unwanted-software@v2 - with: - remove-dotnet: 'true' - remove-android: 'true' - remove-haskell: 'true' - - # Build image using Buildah action - - name: Build Image - id: build_image - uses: redhat-actions/buildah-build@v2 - with: - containerfiles: | - ./Containerfile - image: ${{ env.IMAGE_NAME }} - tags: | - ${{ steps.generate-tags.outputs.alias_tags }} - build-args: | - IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }} - BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }} - RECIPE=${{ matrix.recipe }} - IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }} - labels: ${{ steps.meta.outputs.labels }} - oci: false - - # Push the image to GHCR (Image Registry) - - name: Push To GHCR - uses: redhat-actions/push-to-registry@v2 - id: push - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - with: - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ 
secrets.GITHUB_TOKEN }} - - # Sign container - - name: Sign container image - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}@${TAGS} - env: - TAGS: ${{ steps.push.outputs.digest }} - COSIGN_EXPERIMENTAL: false - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - - - name: Echo outputs - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - run: | - echo "${{ toJSON(steps.push.outputs) }}" + recipe: ${{ matrix.recipe }} + cosign_private_key: ${{ secrets.SIGNING_SECRET }} + registry_token: ${{ github.token }} + pr_event_number: ${{ github.event.number }}
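Review bot: `uses: blue-build/github-action@main` pins the action to a moving branch, and this single step now hands it both `secrets.SIGNING_SECRET` and `github.token`, so any change landing on that branch runs with the image signing key and registry write access on the next scheduled build. Pin to a full commit SHA, `uses: blue-build/github-action@<commit-sha-from-release> # vX.Y.Z` (placeholder; take the SHA from the action's release), and let Dependabot advance it. The `if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'` guards that limited push and signing to `live`, and the `Check SIGNING_SECRET matches cosign.pub` step, are removed and nothing visible in the workflow re-establishes either; whether the action restricts publishing by branch or validates the key against `cosign.pub` cannot be seen here, so confirm it or gate the input, e.g. `cosign_private_key: ${{ github.ref == 'refs/heads/live' && secrets.SIGNING_SECRET || '' }}`. The job's `permissions` block and the `strategy`/`matrix` keys begin in the previous hunk.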