From be8810523e2b8e0c2cc5ae46281014e9f910c9d0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 17:51:00 +0000 Subject: [PATCH 1/8] build(deps): bump mikefarah/yq from 4.40.4 to 4.40.5 (#207) Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.4 to 4.40.5. - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/v4.40.4...v4.40.5) --- updated-dependencies: - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec476cb..7449206 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,7 +77,7 @@ jobs: fi - name: Add yq (for reading recipe.yml) - uses: mikefarah/yq@v4.40.4 + uses: mikefarah/yq@v4.40.5 - name: Gather image data from recipe run: | From b597ecd833fb2a477fee8d6d1ca26ca9ec4ce795 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 17:59:24 +0000 Subject: [PATCH 2/8] build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#208) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/v3.2.0...v3.3.0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7449206..2f961cf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -55,7 +55,7 @@ jobs: uses: actions/checkout@v4 # Confirm that cosign.pub matches SIGNING_SECRET - - uses: sigstore/cosign-installer@v3.2.0 + - uses: sigstore/cosign-installer@v3.3.0 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - name: Check SIGNING_SECRET matches cosign.pub From d6806f9327c84406d4f63c3d7c533b55c858e589 Mon Sep 17 00:00:00 2001 From: xyny <60004820+xynydev@users.noreply.github.com> Date: Wed, 27 Dec 2023 10:20:53 +0000 Subject: [PATCH 3/8] chore: migrate justfile to import https://github.com/ublue-os/config/issues/178 --- config/files/usr/share/ublue-os/just/60-custom.just | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/files/usr/share/ublue-os/just/60-custom.just b/config/files/usr/share/ublue-os/just/60-custom.just index bd38c97..b077bd3 100644 --- a/config/files/usr/share/ublue-os/just/60-custom.just +++ b/config/files/usr/share/ublue-os/just/60-custom.just @@ -1,2 +1,2 @@ -!include 100-bling.just +import 100-bling.just # Include some of your custom scripts here! From f35d3c25445c4963e99c35b043d154a68998f971 Mon Sep 17 00:00:00 2001 From: xyny <60004820+xynydev@users.noreply.github.com> Date: Sun, 31 Dec 2023 10:39:17 +0000 Subject: [PATCH 4/8] fix: add single quotes for paths --- config/files/usr/share/ublue-os/just/60-custom.just | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/files/usr/share/ublue-os/just/60-custom.just b/config/files/usr/share/ublue-os/just/60-custom.just index b077bd3..9fbf492 100644 --- a/config/files/usr/share/ublue-os/just/60-custom.just 
+++ b/config/files/usr/share/ublue-os/just/60-custom.just @@ -1,2 +1,2 @@ -import 100-bling.just +import '100-bling.just' # Include some of your custom scripts here! From 52e6a456ad47d52ccd45b10a5164e8d6359b725a Mon Sep 17 00:00:00 2001 From: RJ Trujillo Date: Sun, 31 Dec 2023 03:41:45 -0700 Subject: [PATCH 5/8] feat(ci): Verify base image with cosign before building (#211) * feat(ci): Verify base image with cosign before building Validates the integrity of the base image being built from via cosign before continuing to build. Ensures we only build with signed images * fix(ci): Extract base image name from base image URL for verification --- .github/workflows/build.yml | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2f961cf..34638af 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -43,13 +43,6 @@ jobs: # !!! steps: - - name: Maximize build space - uses: AdityaGarg8/remove-unwanted-software@v1 - with: - remove-dotnet: 'true' - remove-android: 'true' - remove-haskell: 'true' - # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v4 
@@ -84,7 +77,14 @@ jobs: echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - echo "BASE_IMAGE_URL=$(yq '.base-image' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV + BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }}) + echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV + echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV + + - name: Verify base image + uses: EyeCantCU/cosign-action/verify@v0.2.1 + with: + containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} - name: Get current version id: labels @@ -158,6 +158,13 @@ jobs: with: string: ${{ env.IMAGE_NAME }} + - name: Maximize build space + uses: AdityaGarg8/remove-unwanted-software@v1 + with: + remove-dotnet: 'true' + remove-android: 'true' + remove-haskell: 'true' + # Build image using Buildah action - name: Build Image id: build_image From 4963395cd11a91753ae5c356f35a4614da4cf9d6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 18:25:34 +0000 Subject: [PATCH 6/8] build(deps): bump EyeCantCU/cosign-action from 0.2.1 to 0.2.2 (#220) Bumps [EyeCantCU/cosign-action](https://github.com/eyecantcu/cosign-action) from 0.2.1 to 0.2.2. - [Release notes](https://github.com/eyecantcu/cosign-action/releases) - [Changelog](https://github.com/EyeCantCU/cosign-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/eyecantcu/cosign-action/compare/v0.2.1...v0.2.2) --- updated-dependencies: - dependency-name: EyeCantCU/cosign-action dependency-type: direct:production update-type: version-update:semver-patch ... 
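Review bot: The new `Verify base image` step checks `${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}`, but `BASE_IMAGE_NAME` is only what is left after `sed 's/.*\/.*\///'` strips the registry and namespace from the recipe's `base-image`. The verified reference is therefore not the full `BASE_IMAGE_URL` value. Which registry the action prepends is not visible in this hunk; if it is a fixed default, a recipe pointing at another registry or namespace would pass verification against a same-named image elsewhere while an unverified image is built (assuming the build consumes `BASE_IMAGE_URL`, which is outside this hunk). I would verify the full reference, or fail the step when the stripped prefix is not the expected one, and document the limit with a comment such as `# cosign verifies <expected-registry>/<namespace>/$BASE_IMAGE_NAME only; other registries are not covered`. The check is also by tag, which can be repointed between verification and the later pull, so resolving the digest once and using it for both steps would close that gap.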
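Review bot: The re-added `Maximize build space` step (hunk `@@ -158,6 +158,13 @@`) references `AdityaGarg8/remove-unwanted-software@v1`, a mutable tag on a third-party action that runs in the same job that builds the image. The `EyeCantCU/cosign-action/verify@v0.2.1` step added in the previous hunk is pinned the same way, and there the action is itself the trust decision for the base image. Pinning both to a full commit SHA with the version in a trailing comment, e.g. `uses: AdityaGarg8/remove-unwanted-software@<full-commit-sha> # v1`, makes the executed code immutable. Dependabot can still propose updates to SHA-pinned actions.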
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 34638af..e8f2c16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -82,7 +82,7 @@ jobs: echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV - name: Verify base image - uses: EyeCantCU/cosign-action/verify@v0.2.1 + uses: EyeCantCU/cosign-action/verify@v0.2.2 with: containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} From 6b2584ff0cc73b82984bbc3b5ed7ce2cd5f5add6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 18:32:57 +0000 Subject: [PATCH 7/8] build(deps): bump AdityaGarg8/remove-unwanted-software from 1 to 2 (#219) Bumps [AdityaGarg8/remove-unwanted-software](https://github.com/adityagarg8/remove-unwanted-software) from 1 to 2. - [Release notes](https://github.com/adityagarg8/remove-unwanted-software/releases) - [Commits](https://github.com/adityagarg8/remove-unwanted-software/compare/v1...v2) --- updated-dependencies: - dependency-name: AdityaGarg8/remove-unwanted-software dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e8f2c16..74d86e1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -159,7 +159,7 @@ jobs: string: ${{ env.IMAGE_NAME }} - name: Maximize build space - uses: AdityaGarg8/remove-unwanted-software@v1 + uses: AdityaGarg8/remove-unwanted-software@v2 with: remove-dotnet: 'true' remove-android: 'true' 
From 80b3ac0ffdf8624086ea95ce7a1181a1bc5f08ce Mon Sep 17 00:00:00 2001 From: fiftydinar <65243233+fiftydinar@users.noreply.github.com> Date: Fri, 12 Jan 2024 12:23:15 +0100 Subject: [PATCH 8/8] feat: Bump ISO generator to v2.3.0 (#221) Installs secure boot/akmod key on all images --- .github/workflows/release-iso.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-iso.yml b/.github/workflows/release-iso.yml index 90afd21..4ad0a4f 100644 --- a/.github/workflows/release-iso.yml +++ b/.github/workflows/release-iso.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Generate ISO - uses: ublue-os/isogenerator@v2.2.0 + uses: ublue-os/isogenerator@v2.3.0 id: isogenerator with: image-name: ${{ github.event.repository.name }}