From 82fbc211ff51ff204fb69e8f22efcd3528bbea39 Mon Sep 17 00:00:00 2001
From: Benjamin Sherman <benjamin@holyarmy.org>
Date: Sun, 6 Oct 2024 12:36:19 -0500
Subject: [PATCH 1/4] feat: use negativo17 in lieu of rpmfusion (#282)

* feat: use negativo17 in lieu of rpmfusion

* disable rpmfusion and use proper FROM

* don't enable redundante fedora-nvidia repo
---
 .github/workflows/reusable-build.yml |  1 -
 Containerfile                        |  2 --
 install.sh                           | 21 ++-------------------
 nvidia-install.sh                    | 13 +++++--------
 4 files changed, 7 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 9bc3168b..93c05603 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -223,7 +223,6 @@ jobs:
             FEDORA_MAJOR_VERSION=${{ matrix.fedora_version }}
             KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
             KERNEL_VERSION=${{ env.KERNEL_VERSION }}
-            RPMFUSION_MIRROR=${{ vars.RPMFUSION_MIRROR }}
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
           extra-args: |
diff --git a/Containerfile b/Containerfile
index bd6d072e..013e4b5b 100644
--- a/Containerfile
+++ b/Containerfile
@@ -16,7 +16,6 @@ ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
 ARG IMAGE_VENDOR="${IMAGE_VENDOR:-ublue-os}"
-ARG RPMFUSION_MIRROR=""
 ARG KERNEL_VERSION="${KERNEL_VERSION:-6.9.7-200.fc40.x86_64}"
 
 RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
@@ -41,7 +40,6 @@ ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
 ARG IMAGE_VENDOR="${IMAGE_VENDOR:-ublue-os}"
-ARG RPMFUSION_MIRROR=""
 
 RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
     --mount=type=bind,from=ctx,src=/,dst=/ctx \
diff --git a/install.sh b/install.sh
index b66706d2..c5c8100b 100755
--- a/install.sh
+++ b/install.sh
@@ -9,19 +9,8 @@ if [ "${KERNEL_FLAVOR}" = "main" ]; then
     exit 0
 fi
 
-# after F41 launches, bump to 42
-if [[ "${FEDORA_MAJOR_VERSION}" -ge 41 ]]; then
-    # note: this is done before single mirror hack to ensure this persists in image and is not reset
-    # pre-release rpmfusion is in a different location
-    sed -i "s%free/fedora/releases%free/fedora/development%" /etc/yum.repos.d/rpmfusion-*.repo
-fi
-
-if [ -n "${RPMFUSION_MIRROR}" ]; then
-    # force use of single rpmfusion mirror
-    echo "Using single rpmfusion mirror: ${RPMFUSION_MIRROR}"
-    sed -i.bak "s%^metalink=%#metalink=%" /etc/yum.repos.d/rpmfusion-*.repo
-    sed -i "s%^#baseurl=http://download1.rpmfusion.org%baseurl=${RPMFUSION_MIRROR}%" /etc/yum.repos.d/rpmfusion-*.repo
-fi
+# disable any remaining rpmfusion repos
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/rpmfusion*.repo
 
 # do HWE specific things
 if [ "${KERNEL_FLAVOR}" = "asus" ]; then
@@ -99,10 +88,4 @@ else
     echo "install.sh: post-install for unexpected KERNEL_FLAVOR: ${KERNEL_FLAVOR}"
 fi
 
-if [ -n "${RPMFUSION_MIRROR}" ]; then
-    # reset forced use of single rpmfusion mirror
-    echo "Revert from single rpmfusion mirror: ${RPMFUSION_MIRROR}"
-    rename -v .repo.bak .repo /etc/yum.repos.d/rpmfusion-*repo.bak
-fi
-
 /ctx/build-initramfs.sh
diff --git a/nvidia-install.sh b/nvidia-install.sh
index 8e0d4d75..ca274b14 100755
--- a/nvidia-install.sh
+++ b/nvidia-install.sh
@@ -4,22 +4,19 @@ set -ouex pipefail
 
 RELEASE="$(rpm -E %fedora)"
 
-sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
+# disable any remaining rpmfusion repos
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/rpmfusion*.repo
 
-# after F41 launches, bump to 42
-if [[ "${FEDORA_MAJOR_VERSION}" -ge 41 ]]; then
-    # note: this is done before single mirror hack to ensure this persists in image and is not reset
-    # pre-release rpmfusion is in a different location
-    sed -i "s%free/fedora/releases%free/fedora/development%" /etc/yum.repos.d/rpmfusion-*.repo
-fi
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
 
 ## nvidia install steps
 rpm-ostree install /tmp/akmods-rpms/ublue-os/ublue-os-nvidia-addons-*.rpm
 
 # enables nvidia repos provided by ublue-os-nvidia-addons
 sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/eyecantcu-supergfxctl.repo
-sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/negativo17-fedora-nvidia.repo
 sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
+#NOTE: nvidia drivers are already provided by negativo17-fedora-multimedia.repo, no need to enable
+#sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/negativo17-fedora-nvidia.repo
 
 source /tmp/akmods-rpms/kmods/nvidia-vars
 

From 2eabc5b00813c098b5def24a6d53d0ba8564cf46 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 9 Oct 2024 18:32:21 -0400
Subject: [PATCH 2/4] build(deps): bump sigstore/cosign-installer from 3.6.0 to
 3.7.0 (#283)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/reusable-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 93c05603..0edebda6 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -285,7 +285,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
-      - uses: sigstore/cosign-installer@v3.6.0
+      - uses: sigstore/cosign-installer@v3.7.0
         if: github.event_name != 'pull_request'
 
       - name: Sign container image

From 527e668dc443c5c725f83ad4d5e69284ece48e99 Mon Sep 17 00:00:00 2001
From: Benjamin Sherman <benjamin@holyarmy.org>
Date: Sat, 12 Oct 2024 10:06:51 -0500
Subject: [PATCH 3/4] fix: nvidia kernel.conf reflects reality (#286)

This wasn't causing a functional problem but it did cause potential
confusion.

Fixes: #284
---
 Containerfile     | 2 +-
 nvidia-install.sh | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/Containerfile b/Containerfile
index 013e4b5b..b2273c04 100644
--- a/Containerfile
+++ b/Containerfile
@@ -46,7 +46,7 @@ RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
     --mount=type=bind,from=akmods_nvidia,src=/rpms,dst=/tmp/akmods-rpms \
     mkdir -p /var/lib/alternatives && \
     IMAGE_FLAVOR=nvidia /ctx/image-info.sh && \
-    /ctx/nvidia-install.sh && \
+    NVIDIA_FLAVOR=nvidia /ctx/nvidia-install.sh && \
     /ctx/build-initramfs.sh && \
     mv /var/lib/alternatives /staged-alternatives && \
     /ctx/cleanup.sh && \
diff --git a/nvidia-install.sh b/nvidia-install.sh
index ca274b14..4e2a916c 100755
--- a/nvidia-install.sh
+++ b/nvidia-install.sh
@@ -48,6 +48,14 @@ rpm-ostree install \
 # disables nvidia repos provided by ublue-os-nvidia-addons
 sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/{eyecantcu-supergfxctl,negativo17-fedora-nvidia,nvidia-container-toolkit}.repo
 
+# ensure kernel.conf matches NVIDIA_FLAVOR (which must be nvidia or nvidia-open)
+# kmod-nvidia-common defaults the value to 'nvidia-open' but this will match on $NVIDIA_FLAVOR
+KERNEL_MODULE_TYPE="kernel"
+if [[ "${NVIDIA_FLAVOR}" == "nvidia-open" ]]; then
+  KERNEL_MODULE_TYPE="kernel-open"
+fi
+sed -i "s/^MODULE_VARIANT=.*/MODULE_VARIANT=$KERNEL_MODULE_TYPE/" /etc/nvidia/kernel.conf
+
 systemctl enable nvidia-persistenced.service
 
 systemctl enable ublue-nvctk-cdi.service

From f3806eadebd5b952400957e84a80cf2104050198 Mon Sep 17 00:00:00 2001
From: Benjamin Sherman <benjamin@holyarmy.org>
Date: Sat, 12 Oct 2024 13:51:56 -0500
Subject: [PATCH 4/4] refactor: simpler nvidia kernel.cof fix (#288)

Upon closer inspection our akmod image already fprovides the
KERNEL_MODULE_TYPE variable so need to compute it.

Relates: #286
---
 nvidia-install.sh | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/nvidia-install.sh b/nvidia-install.sh
index 4e2a916c..05308360 100755
--- a/nvidia-install.sh
+++ b/nvidia-install.sh
@@ -49,11 +49,7 @@ rpm-ostree install \
 sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/{eyecantcu-supergfxctl,negativo17-fedora-nvidia,nvidia-container-toolkit}.repo
 
 # ensure kernel.conf matches NVIDIA_FLAVOR (which must be nvidia or nvidia-open)
-# kmod-nvidia-common defaults the value to 'nvidia-open' but this will match on $NVIDIA_FLAVOR
-KERNEL_MODULE_TYPE="kernel"
-if [[ "${NVIDIA_FLAVOR}" == "nvidia-open" ]]; then
-  KERNEL_MODULE_TYPE="kernel-open"
-fi
+# kmod-nvidia-common defaults to 'nvidia-open' but this will match our akmod image
 sed -i "s/^MODULE_VARIANT=.*/MODULE_VARIANT=$KERNEL_MODULE_TYPE/" /etc/nvidia/kernel.conf
 
 systemctl enable nvidia-persistenced.service