Showing
62 changed files
with
2,126 additions
and
906 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
*.yml linguist-detectable=true | ||
*.yml linguist-language=YAML | ||
|
||
*.yaml linguist-detectable=true | ||
*.yaml linguist-language=YAML | ||
|
||
*.just linguist-detectable=true | ||
*.just linguist-documentation=false | ||
*.just linguist-language=Just | ||
|
||
*.json linguist-detectable=true | ||
*.json linguist-documentation=false | ||
*.json linguist-language=JSON |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
name: Latest Images | ||
on: | ||
merge_group: | ||
pull_request: | ||
branches: | ||
- main | ||
paths-ignore: | ||
- "**.md" | ||
schedule: | ||
- cron: "50 5 * * 1,2,3,4,5,6" # 5:50 UTC All But Sunday (1 hour after bluefin) | ||
- cron: "50 5 * * 0" # 5:50 UTC Sunday (1 hour after bluefin) | ||
workflow_call: | ||
workflow_dispatch: | ||
|
||
jobs: | ||
build-image-latest: | ||
name: Build Latest Images | ||
uses: ./.github/workflows/bluefin-reusable-build.yml | ||
secrets: inherit | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
brand_name: ["beardy-bluefin"] | ||
with: | ||
image_flavors: '["main", "nvidia", "hwe", "hwe-nvidia"]' | ||
brand_name: ${{ matrix.brand_name }} | ||
stream_name: latest |
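Review bot: `secrets: inherit` on `build-image-latest` hands every secret available to this workflow to the called one, while the reusable build shown on this page reads only `secrets.SIGNING_SECRET` and the automatic `GITHUB_TOKEN`. Declare that secret under `on.workflow_call.secrets` in the reusable file and pass it explicitly here with `secrets:` / `SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}`; the same applies to `build-image-stable` in the Stable Images workflow. Neither caller sets `permissions:`, so the token scope used for the GHCR push comes from the repository default. An explicit block such as `permissions:` / `contents: read` / `packages: write` would bound it, and is probably sufficient for the steps visible here.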
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,279 @@ | ||
name: Reusable Build and Push | ||
on: | ||
workflow_call: | ||
inputs: | ||
image_flavors: | ||
description: "JSON string of flavors to build, '[main, nvidia, hwe, hwe-nvidia]'" | ||
default: "['main']" | ||
type: string | ||
brand_name: | ||
description: "The Brand Name: beardy-bluefin" | ||
required: true | ||
default: beardy-bluefin | ||
type: string | ||
stream_name: | ||
description: "The Fedora Version: stable, or latest" | ||
required: true | ||
type: string | ||
outputs: | ||
images: | ||
description: "An array of images built and pushed to the registry" | ||
value: ${{ jobs.check.outputs.images }} | ||
env: | ||
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
build_container: | ||
name: image | ||
runs-on: ubuntu-24.04 | ||
continue-on-error: false | ||
outputs: | ||
image_full: ${{ steps.generate-outputs.outputs.image }} | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
image_flavor: ${{ fromJson(inputs.image_flavors) }} | ||
base_name: ["${{ inputs.brand_name }}", "${{ inputs.brand_name }}-dx"] | ||
stream_name: ["${{ inputs.stream_name }}"] | ||
|
||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
|
||
- name: Install Just | ||
shell: bash | ||
run: | | ||
set -eoux pipefail | ||
JUST_VERSION=$(curl -L https://api.github.com/repos/casey/just/releases/latest | jq -r '.tag_name') | ||
curl -sSLO https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz | ||
tar -zxvf just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz -C /tmp just | ||
sudo mv /tmp/just /usr/local/bin/just | ||
rm -f just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz | ||
- name: Check Just Syntax | ||
shell: bash | ||
run: | | ||
just check | ||
- name: Image Name | ||
shell: bash | ||
run: | | ||
IMAGE_NAME="$(just bluefin::image_name ${{ matrix.base_name }} ${{ matrix.stream_name }} ${{ matrix.image_flavor }})" | ||
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV | ||
- name: Default Tag | ||
shell: bash | ||
run: | | ||
DEFAULT_TAG="$(just bluefin::generate-default-tag \ | ||
${{ matrix.stream_name }} \ | ||
"1")" | ||
echo "Default Tag: ${DEFAULT_TAG}" | ||
echo "DEFAULT_TAG=${DEFAULT_TAG}" >> $GITHUB_ENV | ||
- name: Maximize build space | ||
uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 | ||
with: | ||
remove-codeql: true | ||
|
||
- name: Build Image | ||
id: build-image | ||
shell: bash | ||
run: | | ||
sudo just repo_organization="${{ github.repository_owner }}" \ | ||
bluefin::build-ghcr "${{ matrix.base_name }}" \ | ||
"${{ matrix.stream_name }}" \ | ||
"${{ matrix.image_flavor }}" \ | ||
"" | ||
- name: Rechunk Image | ||
id: rechunk-image | ||
shell: bash | ||
run: | | ||
sudo just bluefin::rechunk "${{ matrix.base_name }}" \ | ||
"${{ matrix.stream_name }}" \ | ||
"${{ matrix.image_flavor }}" \ | ||
"1" | ||
- name: Load Image into Podman | ||
id: load-rechunk | ||
shell: bash | ||
run: | | ||
just bluefin::load-rechunk "${{ matrix.base_name }}" \ | ||
"${{ env.DEFAULT_TAG }}" \ | ||
"${{ matrix.image_flavor }}" | ||
- name: Secureboot Check | ||
id: secureboot | ||
shell: bash | ||
run: | | ||
just bluefin::secureboot "${{ matrix.base_name }}" \ | ||
"${{ env.DEFAULT_TAG }}" \ | ||
"${{ matrix.image_flavor }}" | ||
- name: Generate tags | ||
id: generate-tags | ||
shell: bash | ||
run: | | ||
alias_tags="$(just bluefin::generate-build-tags \ | ||
"${{ matrix.base_name }}" \ | ||
"${{ matrix.stream_name }}" \ | ||
"${{ matrix.image_flavor }}" \ | ||
"" \ | ||
"1" \ | ||
"$(podman inspect ${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} | jq -r '.[].Config.Labels["org.opencontainers.image.version"]')" \ | ||
"${{ github.event_name }}" \ | ||
"${{ github.event.number }}")" | ||
echo "Tags for this Action..." | ||
echo "$alias_tags" | ||
echo "alias_tags=${alias_tags}" >> $GITHUB_OUTPUT | ||
# Tag Images | ||
- name: Tag Images | ||
shell: bash | ||
run: | | ||
set -eoux pipefail | ||
just bluefin::tag-images "${{ env.IMAGE_NAME }}" \ | ||
"${{ env.DEFAULT_TAG }}" \ | ||
"${{ steps.generate-tags.outputs.alias_tags }}" | ||
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | ||
# https://github.com/macbre/push-to-ghcr/issues/12 | ||
- name: Lowercase Registry | ||
id: registry_case | ||
uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 | ||
with: | ||
string: ${{ env.IMAGE_REGISTRY }} | ||
|
||
- name: Login to GitHub Container Registry | ||
if: github.event_name != 'pull_request' | ||
run: | | ||
echo ${{ secrets.GITHUB_TOKEN }} | podman login ghcr.io -u ${{ github.actor }} --password-stdin | ||
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin | ||
- name: Push to GHCR | ||
id: push | ||
if: github.event_name != 'pull_request' | ||
uses: Wandalen/wretry.action@ffdd254f4eaf1562b8a2c66aeaa37f1ff2231179 # v3.7.3 | ||
with: | ||
attempt_limit: 3 | ||
attempt_delay: 15000 | ||
command: | | ||
set -euox pipefail | ||
for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do | ||
podman push ${{ env.IMAGE_NAME }}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${tag} | ||
done | ||
if [[ "${{ matrix.image_flavor }}" =~ hwe ]]; then | ||
image_name="${{ env.IMAGE_NAME }}" | ||
asus_name="${image_name/hwe/asus}" | ||
surface_name="${image_name/hwe/surface}" | ||
for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do | ||
podman push ${asus_name}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${asus_name}:${tag} | ||
podman push ${surface_name}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${surface_name}:${tag} | ||
done | ||
fi | ||
digest=$(skopeo inspect docker://${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} --format '{{.Digest}}') | ||
echo "digest=${digest}" >> $GITHUB_OUTPUT | ||
- name: Sign container image | ||
if: github.event_name != 'pull_request' | ||
run: | | ||
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} | ||
env: | ||
TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} | ||
COSIGN_EXPERIMENTAL: false | ||
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | ||
|
||
- name: Sign container image | ||
if: github.event_name != 'pull_request' && contains(matrix.image_flavor, 'hwe') | ||
shell: bash | ||
run: | | ||
image_name="${{ env.IMAGE_NAME }}" | ||
asus_name="${image_name/hwe/asus}" | ||
surface_name="${image_name/hwe/surface}" | ||
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${asus_name}@${TAGS} | ||
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${surface_name}@${TAGS} | ||
env: | ||
TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} | ||
COSIGN_EXPERIMENTAL: false | ||
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | ||
|
||
- name: Generate file containing outputs | ||
if: github.event_name != 'pull_request' | ||
env: | ||
DIGEST: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} | ||
IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | ||
IMAGE_NAME: ${{ env.IMAGE_NAME }} | ||
FEDORA_VERSION: ${{ matrix.stream_name }} | ||
run: echo "${IMAGE_REGISTRY}@${DIGEST}" > "${IMAGE_NAME}-${FEDORA_VERSION}.txt" | ||
|
||
- name: Upload artifact | ||
if: github.event_name != 'pull_request' | ||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | ||
with: | ||
name: image-${{ env.IMAGE_NAME }}-${{ matrix.stream_name }} | ||
retention-days: 1 | ||
if-no-files-found: error | ||
path: | | ||
${{ env.IMAGE_NAME }}-${{ matrix.stream_name }}.txt | ||
check: | ||
name: Check all ${{ matrix.stream_name }} builds successful | ||
if: always() | ||
runs-on: ubuntu-latest | ||
needs: [build_container] | ||
outputs: | ||
images: ${{ steps.generate-outputs.outputs.images }} | ||
steps: | ||
- name: Download artifacts | ||
if: github.event_name != 'pull_request' | ||
id: download-artifacts | ||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | ||
with: | ||
pattern: image-* | ||
merge-multiple: true | ||
|
||
- name: Create output | ||
if: github.event_name != 'pull_request' | ||
id: generate-outputs | ||
env: | ||
JOBS: ${{ toJson(needs) }} | ||
ARTIFACT_PATH: ${{ steps.download-artifacts.outputs.download-path }} | ||
run: | | ||
# Initialize the array | ||
images=() | ||
# Populate the array with each line from each file in the artifacts directory | ||
for file in $ARTIFACT_PATH/*; do | ||
while IFS= read -r line; do | ||
images+=("$line") | ||
done < "$file" | ||
done | ||
# Create the GITHUB_OUTPUT in the format '["image1", "image2", ...]' | ||
echo "images=$(printf '%s\n' "${images[@]}" | jq -R -s -c 'split("\n") | .[:-1]')" >> $GITHUB_OUTPUT | ||
- name: Check Jobs | ||
env: | ||
JOBS: ${{ toJson(needs) }} | ||
run: | | ||
echo "Job status:" | ||
echo $JOBS | jq -r 'to_entries[] | " - \(.key): \(.value.result)"' | ||
for i in $(echo $JOBS | jq -r 'to_entries[] | .value.result'); do | ||
if [ "$i" != "success" ] && [ "$i" != "skipped" ]; then | ||
echo "" | ||
echo "Status check not okay!" | ||
exit 1 | ||
fi | ||
done |
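Review bot: The Install Just step resolves `releases/latest` at run time and installs the tarball with no integrity check, although every `uses:` in this file is pinned to a commit SHA and the resulting binary is later run under `sudo` in the Build Image and Rechunk Image steps. Pin a reviewed release and verify its SHA-256 before extracting, as sketched below with placeholder values. Separately, the login step expands `${{ secrets.GITHUB_TOKEN }}` unquoted into the script text. Passing it through `env:` and piping `"${GITHUB_TOKEN}"` into `podman login` and `docker login` keeps the token out of the rendered script.

```yaml
- name: Install Just
  shell: bash
  env:
    # Placeholders: fill in the release you reviewed and its published SHA-256.
    JUST_VERSION: "<PINNED_JUST_VERSION>"
    JUST_SHA256: "<SHA256_OF_RELEASE_TARBALL>"
  run: |
    set -eoux pipefail
    tarball="just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz"
    curl -sSfLO "https://github.com/casey/just/releases/download/${JUST_VERSION}/${tarball}"
    # Fail the job before extraction if the download does not match the pinned digest.
    echo "${JUST_SHA256}  ${tarball}" | sha256sum --check --strict
    tar -zxvf "${tarball}" -C /tmp just
    # … unchanged: move /tmp/just to /usr/local/bin and remove the tarball …
```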
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
name: Stable Images | ||
on: | ||
merge_group: # Make Stable-Daily run on merge groups | ||
pull_request: | ||
branches: | ||
- main | ||
paths-ignore: | ||
- "**.md" | ||
schedule: | ||
- cron: "50 6 * * 1,2,3,4,5,6" # 6:50 UTC everyday (1 hour after bluefin) | ||
- cron: "50 6 * * 0" # 6:50 UTC sunday (1 hour after bluefin) | ||
workflow_call: | ||
workflow_dispatch: | ||
|
||
jobs: | ||
build-image-stable: | ||
name: Build Stable Images | ||
uses: ./.github/workflows/bluefin-reusable-build.yml | ||
secrets: inherit | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
brand_name: ["beardy-bluefin"] | ||
with: | ||
brand_name: ${{ matrix.brand_name }} | ||
stream_name: stable |
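Review bot: `build-image-stable` passes no `image_flavors`, so the reusable workflow falls back to its default `"['main']"`, which is single-quoted and not strict JSON; `fromJson(inputs.image_flavors)` then depends on the parser tolerating that form. Passing the value explicitly, `image_flavors: '["main"]'`, in the style the Latest Images workflow uses, removes that dependency and makes the flavor set visible at the call site. The comment on the first cron line says "everyday" although the expression covers Monday to Saturday; `# 6:50 UTC Monday to Saturday` would match it.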