
blow up the world
detiber committed Dec 15, 2024
1 parent 1e20931 commit 8da35c1
Showing 62 changed files with 2,126 additions and 906 deletions.
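--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,13 @@
+*.yml linguist-detectable=true
+*.yml linguist-language=YAML
+
+*.yaml linguist-detectable=true
+*.yaml linguist-language=YAML
+
+*.just linguist-detectable=true
+*.just linguist-documentation=false
+*.just linguist-language=Just
+
+*.json linguist-detectable=true
+*.json linguist-documentation=false
+*.json linguist-language=JSON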
6 changes: 5 additions & 1 deletion .github/dependabot.yml
Expand Up @@ -3,4 +3,8 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
interval: "weekly"
- package-ecosystem: "devcontainers"
directory: "/"
schedule:
interval: weekly
4 changes: 2 additions & 2 deletions .github/workflows/base-build.yml
Expand Up @@ -35,12 +35,12 @@
matrix:
include:
- base: bootc
containerfile: bootc/Containerfile
containerfile: variants/bootc/Containerfile
name: "${{ github.event.repository.name }}-bootc" # the name of the image produced by this build, matches repo name appended with '-bootc'
description: "bootc-based base image for bearded developers"

- base: ublue
containerfile: ublue-image-template/Containerfile
containerfile: variants/ublue/Containerfile
name: "${{ github.event.repository.name }}-ublue" # the name of the image produced by this build, matches repo name appended with '-ublue'
description: "ublue-based base image for bearded developers"
steps:
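--- /dev/null
+++ b/.github/workflows/bluefin-latest.yml
@@ -0,0 +1,27 @@
+name: Latest Images
+on:
+merge_group:
+pull_request:
+branches:
+- main
+paths-ignore:
+- "**.md"
+schedule:
+- cron: "50 5 * * 1,2,3,4,5,6" # 5:50 UTC All But Sunday (1 hour after bluefin)
+- cron: "50 5 * * 0" # 5:50 UTC Sunday (1 hour after bluefin)
+workflow_call:
+workflow_dispatch:
+
+jobs:
+build-image-latest:
+name: Build Latest Images
+uses: ./.github/workflows/bluefin-reusable-build.yml
+secrets: inherit
+strategy:
+fail-fast: false
+matrix:
+brand_name: ["beardy-bluefin"]
+with:
+image_flavors: '["main", "nvidia", "hwe", "hwe-nvidia"]'
+brand_name: ${{ matrix.brand_name }}
+stream_name: latest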
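Review bot: `secrets: inherit` on the build-image-latest job hands every repository secret, including the signing key the reusable workflow reads as SIGNING_SECRET, to the callee on every trigger listed above, including `pull_request` and `merge_group`; the callee only gates signing by event name, so the least-privilege form is to pass exactly what it uses: `secrets:` / `  SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}` (GITHUB_TOKEN is always available to a called workflow). Neither this workflow nor the callee declares `permissions:`, so the token gets whatever the repository default is; an explicit `permissions: { contents: read, packages: write }` on this job would pin it to what a build-and-push needs. The two `schedule` entries fire at the same minute on days 1-6 and on day 0, which together is just `"50 5 * * *"`; collapsing them removes a split that the comments suggest is deliberate but is not.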
279 changes: 279 additions & 0 deletions .github/workflows/bluefin-reusable-build.yml
@@ -0,0 +1,279 @@
name: Reusable Build and Push
on:
workflow_call:
inputs:
image_flavors:
description: "JSON string of flavors to build, '[main, nvidia, hwe, hwe-nvidia]'"
default: "['main']"
type: string
brand_name:
description: "The Brand Name: beardy-bluefin"
required: true
default: beardy-bluefin
type: string
stream_name:
description: "The Fedora Version: stable, or latest"
required: true
type: string
outputs:
images:
description: "An array of images built and pushed to the registry"
value: ${{ jobs.check.outputs.images }}
env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}

concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }}
cancel-in-progress: true

jobs:
build_container:
name: image
runs-on: ubuntu-24.04
continue-on-error: false
outputs:
image_full: ${{ steps.generate-outputs.outputs.image }}
strategy:
fail-fast: false
matrix:
image_flavor: ${{ fromJson(inputs.image_flavors) }}
base_name: ["${{ inputs.brand_name }}", "${{ inputs.brand_name }}-dx"]
stream_name: ["${{ inputs.stream_name }}"]

steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Install Just
shell: bash
run: |
set -eoux pipefail
JUST_VERSION=$(curl -L https://api.github.com/repos/casey/just/releases/latest | jq -r '.tag_name')
curl -sSLO https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz
tar -zxvf just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz -C /tmp just
sudo mv /tmp/just /usr/local/bin/just
rm -f just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz
- name: Check Just Syntax
shell: bash
run: |
just check
- name: Image Name
shell: bash
run: |
IMAGE_NAME="$(just bluefin::image_name ${{ matrix.base_name }} ${{ matrix.stream_name }} ${{ matrix.image_flavor }})"
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
- name: Default Tag
shell: bash
run: |
DEFAULT_TAG="$(just bluefin::generate-default-tag \
${{ matrix.stream_name }} \
"1")"
echo "Default Tag: ${DEFAULT_TAG}"
echo "DEFAULT_TAG=${DEFAULT_TAG}" >> $GITHUB_ENV
- name: Maximize build space
uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7
with:
remove-codeql: true

- name: Build Image
id: build-image
shell: bash
run: |
sudo just repo_organization="${{ github.repository_owner }}" \
bluefin::build-ghcr "${{ matrix.base_name }}" \
"${{ matrix.stream_name }}" \
"${{ matrix.image_flavor }}" \
""
- name: Rechunk Image
id: rechunk-image
shell: bash
run: |
sudo just bluefin::rechunk "${{ matrix.base_name }}" \
"${{ matrix.stream_name }}" \
"${{ matrix.image_flavor }}" \
"1"
- name: Load Image into Podman
id: load-rechunk
shell: bash
run: |
just bluefin::load-rechunk "${{ matrix.base_name }}" \
"${{ env.DEFAULT_TAG }}" \
"${{ matrix.image_flavor }}"
- name: Secureboot Check
id: secureboot
shell: bash
run: |
just bluefin::secureboot "${{ matrix.base_name }}" \
"${{ env.DEFAULT_TAG }}" \
"${{ matrix.image_flavor }}"
- name: Generate tags
id: generate-tags
shell: bash
run: |
alias_tags="$(just bluefin::generate-build-tags \
"${{ matrix.base_name }}" \
"${{ matrix.stream_name }}" \
"${{ matrix.image_flavor }}" \
"" \
"1" \
"$(podman inspect ${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} | jq -r '.[].Config.Labels["org.opencontainers.image.version"]')" \
"${{ github.event_name }}" \
"${{ github.event.number }}")"
echo "Tags for this Action..."
echo "$alias_tags"
echo "alias_tags=${alias_tags}" >> $GITHUB_OUTPUT
# Tag Images
- name: Tag Images
shell: bash
run: |
set -eoux pipefail
just bluefin::tag-images "${{ env.IMAGE_NAME }}" \
"${{ env.DEFAULT_TAG }}" \
"${{ steps.generate-tags.outputs.alias_tags }}"
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6
with:
string: ${{ env.IMAGE_REGISTRY }}

- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
run: |
echo ${{ secrets.GITHUB_TOKEN }} | podman login ghcr.io -u ${{ github.actor }} --password-stdin
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push to GHCR
id: push
if: github.event_name != 'pull_request'
uses: Wandalen/wretry.action@ffdd254f4eaf1562b8a2c66aeaa37f1ff2231179 # v3.7.3
with:
attempt_limit: 3
attempt_delay: 15000
command: |
set -euox pipefail
for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do
podman push ${{ env.IMAGE_NAME }}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${tag}
done
if [[ "${{ matrix.image_flavor }}" =~ hwe ]]; then
image_name="${{ env.IMAGE_NAME }}"
asus_name="${image_name/hwe/asus}"
surface_name="${image_name/hwe/surface}"
for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do
podman push ${asus_name}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${asus_name}:${tag}
podman push ${surface_name}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${surface_name}:${tag}
done
fi
digest=$(skopeo inspect docker://${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} --format '{{.Digest}}')
echo "digest=${digest}" >> $GITHUB_OUTPUT
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

- name: Sign container image
if: github.event_name != 'pull_request' && contains(matrix.image_flavor, 'hwe')
shell: bash
run: |
image_name="${{ env.IMAGE_NAME }}"
asus_name="${image_name/hwe/asus}"
surface_name="${image_name/hwe/surface}"
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${asus_name}@${TAGS}
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${surface_name}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

- name: Generate file containing outputs
if: github.event_name != 'pull_request'
env:
DIGEST: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
IMAGE_NAME: ${{ env.IMAGE_NAME }}
FEDORA_VERSION: ${{ matrix.stream_name }}
run: echo "${IMAGE_REGISTRY}@${DIGEST}" > "${IMAGE_NAME}-${FEDORA_VERSION}.txt"

- name: Upload artifact
if: github.event_name != 'pull_request'
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: image-${{ env.IMAGE_NAME }}-${{ matrix.stream_name }}
retention-days: 1
if-no-files-found: error
path: |
${{ env.IMAGE_NAME }}-${{ matrix.stream_name }}.txt
check:
name: Check all ${{ matrix.stream_name }} builds successful
if: always()
runs-on: ubuntu-latest
needs: [build_container]
outputs:
images: ${{ steps.generate-outputs.outputs.images }}
steps:
- name: Download artifacts
if: github.event_name != 'pull_request'
id: download-artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
pattern: image-*
merge-multiple: true

- name: Create output
if: github.event_name != 'pull_request'
id: generate-outputs
env:
JOBS: ${{ toJson(needs) }}
ARTIFACT_PATH: ${{ steps.download-artifacts.outputs.download-path }}
run: |
# Initialize the array
images=()
# Populate the array with each line from each file in the artifacts directory
for file in $ARTIFACT_PATH/*; do
while IFS= read -r line; do
images+=("$line")
done < "$file"
done
# Create the GITHUB_OUTPUT in the format '["image1", "image2", ...]'
echo "images=$(printf '%s\n' "${images[@]}" | jq -R -s -c 'split("\n") | .[:-1]')" >> $GITHUB_OUTPUT
- name: Check Jobs
env:
JOBS: ${{ toJson(needs) }}
run: |
echo "Job status:"
echo $JOBS | jq -r 'to_entries[] | " - \(.key): \(.value.result)"'
for i in $(echo $JOBS | jq -r 'to_entries[] | .value.result'); do
if [ "$i" != "success" ] && [ "$i" != "skipped" ]; then
echo ""
echo "Status check not okay!"
exit 1
fi
done
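Review bot: The Install Just step resolves the tag from `/releases/latest` and downloads the tarball with no version pin and no checksum, then the binary is executed under `sudo` in the same job that later holds COSIGN_PRIVATE_KEY in its environment, so a hijacked or malicious release would run with the image signing key in reach. Pin the tag and the tarball's sha256 in the workflow (bumped together through a reviewed PR) and verify before extracting, as in the rewrite below; the rest of the job is unchanged. Separately, `echo ${{ secrets.GITHUB_TOKEN }} | podman login …` expands the secret into the script text; passing it through `env:` and writing `echo "$GITHUB_TOKEN" | podman login …` keeps it out of the rendered command. The file also declares no `permissions:` block, so the token's scope is the repository default rather than an explicit `contents: read` / `packages: write`. The `for tag in ${{ steps.generate-tags.outputs.alias_tags }}` loops in the push step interpolate an output derived from an image label (`org.opencontainers.image.version`) straight into shell; if that label can be inherited from an upstream base image, it is worth passing the tag list via `env:` and quoting it instead.

```yaml
      - name: Install Just
        shell: bash
        run: |
          set -eoux pipefail
          # Pin the release and the tarball digest; bump both together in a reviewed PR.
          JUST_VERSION="<pinned tag>"
          JUST_SHA256="<sha256 of the pinned tarball>"
          ARCHIVE="just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz"
          curl -sSLO "https://github.com/casey/just/releases/download/${JUST_VERSION}/${ARCHIVE}"
          echo "${JUST_SHA256}  ${ARCHIVE}" | sha256sum --check --strict
          tar -zxvf "${ARCHIVE}" -C /tmp just
          sudo mv /tmp/just /usr/local/bin/just
          rm -f "${ARCHIVE}"
      # … unchanged: remaining steps of build_container and the check job …
```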
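--- /dev/null
+++ b/.github/workflows/bluefin-stable.yml
@@ -0,0 +1,26 @@
+name: Stable Images
+on:
+merge_group: # Make Stable-Daily run on merge groups
+pull_request:
+branches:
+- main
+paths-ignore:
+- "**.md"
+schedule:
+- cron: "50 6 * * 1,2,3,4,5,6" # 6:50 UTC everyday (1 hour after bluefin)
+- cron: "50 6 * * 0" # 6:50 UTC sunday (1 hour after bluefin)
+workflow_call:
+workflow_dispatch:
+
+jobs:
+build-image-stable:
+name: Build Stable Images
+uses: ./.github/workflows/bluefin-reusable-build.yml
+secrets: inherit
+strategy:
+fail-fast: false
+matrix:
+brand_name: ["beardy-bluefin"]
+with:
+brand_name: ${{ matrix.brand_name }}
+stream_name: stable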
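Review bot: The `with:` block for build-image-stable does not pass `image_flavors`, so this call falls back to the reusable workflow's default and builds only the main flavor, while the latest workflow builds main, nvidia, hwe and hwe-nvidia; if that asymmetry is intended, say so with `# stable builds only the main flavor; nvidia/hwe variants come from latest`, otherwise pass `image_flavors: '["main", "nvidia", "hwe", "hwe-nvidia"]'` as the latest workflow does. That fallback also relies on the callee's default `"['main']"`, which is single-quoted rather than strict JSON; it appears to work with `fromJson` as carried over from upstream, but writing the default as `'["main"]'` would remove the doubt. The first cron's comment says "everyday" but its day field is `1,2,3,4,5,6`; since the second entry fires at the same time on day 0, both collapse to `"50 6 * * *"`. As with the latest workflow, `secrets: inherit` exposes every repository secret to the callee on `pull_request` and `merge_group` runs, where passing only `SIGNING_SECRET` is enough.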