Merge remote-tracking branch 'upstream/main'
bleggett committed Jul 30, 2024
2 parents 8b040a1 + 7233dfa commit 4f89e9b
Showing 115 changed files with 9,081 additions and 2,032 deletions.
41 changes: 28 additions & 13 deletions .github/workflows/build.yml
Expand Up @@ -58,7 +58,7 @@ jobs:
- fedora_version: 40
is_latest_version: true
is_stable_version: true
kernel_flavor: fsync # must match a kernel_flavor from akmods repo
kernel_flavor: fsync # must match a kernel_flavor from akmods repo
steps:
- name: Define env.IMAGE_FLAVOR
run: |
Expand All @@ -85,22 +85,26 @@ jobs:
echo "IMAGE_NAME=${{ format('{0}{1}-{2}', 'drelbsos', '${DESKTOP}', env.IMAGE_FLAVOR) }}" >> $GITHUB_ENV
fi
- name: Define env.SHA_HEAD_SHORT
run: |
echo "SHA_HEAD_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV
- name: Verify main image
uses: EyeCantCU/cosign-action/verify@v0.2.2
uses: EyeCantCU/cosign-action/verify@v0.3.0
with:
containers: ${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/${{ matrix.base_image_flavor }}/main/cosign.pub
registry: ${{ env.PULL_IMAGE_REGISTRY }}

- name: Verify akmods image
uses: EyeCantCU/cosign-action/verify@v0.2.2
uses: EyeCantCU/cosign-action/verify@v0.3.0
with:
containers: akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub
registry: ${{ env.PULL_IMAGE_REGISTRY }}

- name: Verify akmods-nvidia image
uses: EyeCantCU/cosign-action/verify@v0.2.2
uses: EyeCantCU/cosign-action/verify@v0.3.0
with:
containers: akmods-nvidia:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub
Expand Down Expand Up @@ -244,19 +248,30 @@ jobs:
FEDORA_VERSION=${{ matrix.fedora_version }}
KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
IMAGE_BRANCH=${{ github.ref_name }}
SHA_HEAD_SHORT=${{ env.SHA_HEAD_SHORT }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
extra-args: |
--target=${{ matrix.base_name }}
# - name: Sign kernel
# uses: ublue-os/[email protected]
# with:
# image: ${{ steps.build_image.outputs.image }}
# default-tag: ${{ env.DEFAULT_TAG }}
# privkey: ${{ secrets.AKMOD_PRIVKEY_20230518 }}
# pubkey: /etc/pki/akmods/certs/akmods-ublue.der
# tags: ${{ steps.build_image.outputs.tags }}
# - name: Check Secureboot
# shell: bash
# run: |
# set -x
# if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
# sudo apt update
# sudo apt install sbsigntool curl openssl
# fi
# podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
# podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz .
# podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
# sbverify --list vmlinuz
# curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
# curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
# openssl x509 -in kernel-sign.der -out kernel-sign.crt
# openssl x509 -in akmods.der -out akmods.crt
# sbverify --cert kernel-sign.crt vmlinuz || exit 1
# sbverify --cert akmods.crt vmlinuz || exit 1

# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
Expand Down Expand Up @@ -288,7 +303,7 @@ jobs:
--disable-content-trust
- name: Sign container image
uses: EyeCantCU/cosign-action/sign@v0.2.2
uses: EyeCantCU/cosign-action/sign@v0.3.0
if: github.event_name != 'pull_request'
with:
containers: ${{ env.IMAGE_NAME }}
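Review bot: Nothing in this job now signs the kernel or verifies its Secure Boot signature before the image is pushed: the new "Check Secureboot" step (the block after `extra-args`) is added commented out in full, and the commented-out "Sign kernel" step it replaces is dropped rather than re-enabled. If this is a deliberate interim state, a comment above the block saying so, e.g. `# TODO: re-enable once kernel signing is restored; until then the image's kernel is not verified here`, would keep it from being read as a working check. When it is re-enabled, the two certificates are fetched with plain `curl -Lo` from the `main` branch of ublue-os/kernel-cache, so the check trusts whatever is on that branch at build time; pinning to a commit or comparing a known digest of the `.der` files would make the `sbverify --cert` result meaningful. The enclosing `build` job starts and ends outside this hunk.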
48 changes: 48 additions & 0 deletions .github/workflows/sign_image.yml
@@ -0,0 +1,48 @@
name: Sign Image

# A workflow to sign an image on demand

on:
workflow_dispatch:
inputs:
image:
description: 'Image to sign, including the tag'
required: true

jobs:
sign:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Get digest
id: get-digest
env:
IMAGE_TO_SIGN: ${{ inputs.image }}
run: |
digest=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Digest}}')
name=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Name}}')
echo "DIGEST=$digest" >> $GITHUB_OUTPUT
echo "NAME=$name" >> $GITHUB_OUTPUT
- name: Setup Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Sign Image
env:
SIGNING_KEY: ${{ secrets.SIGNING_SECRET }}
IMAGE_NAME: ${{ steps.get-digest.outputs.NAME }}
IMAGE_DIGEST: ${{ steps.get-digest.outputs.DIGEST }}
run: |
cosign sign -y --key env://SIGNING_KEY $IMAGE_NAME@$IMAGE_DIGEST
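Review bot: The `Sign Image` step signs whatever `inputs.image` names, so anyone able to dispatch this workflow can have the `SIGNING_SECRET` key attest an arbitrary image from any registry; `packages: write` limits where the signature is pushed, not what gets signed. Guard the `Get digest` step before the skopeo calls, for example `[[ "$IMAGE_TO_SIGN" == "ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/"* ]] || { echo "refusing to sign image outside this org: $IMAGE_TO_SIGN" >&2; exit 1; }`, assuming the images this repository publishes live under that namespace (the push registry is not visible on this page). Passing the input through `env:` instead of interpolating `${{ inputs.image }}` into the script is the right choice and avoids shell injection; keep that pattern for any further use of the input. It would also help to state the trust model in the header comment, e.g. `# Signs with the static cosign key in SIGNING_SECRET; restrict to images this repository publishes`.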
