testing(orora): new cosign biz

bayou-brogrammer · Feb 13, 2024 · fd7f54e · fd7f54e
1 parent 8619149
commit fd7f54e
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 65 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,11 +1,12 @@
 # To get started with Dependabot version updates, you'll need to specify which
 # package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
+# Please see the documentation for more information:
 # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://containers.dev/guide/dependabot
 
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
+ - package-ecosystem: "devcontainers"
+   directory: "/"
+   schedule:
+     interval: weekly
diff --git a/.github/workflows/build_docker.yml b/.github/workflows/build_docker.yml
@@ -4,14 +4,14 @@ on:
   workflow_dispatch:
 
   schedule:
-    - cron: '40 14 * * *'  # 14:30 UTC everyday (2:30 PM UTC everyday) (8:30 AM CST everyday)
+    - cron: "40 14 * * *" # 14:30 UTC everyday (2:30 PM UTC everyday) (8:30 AM CST everyday)
 
   pull_request:
     branches:
       - main
       - testing
     paths-ignore:
-      - '**.md'
+      - "**.md"
 
   push:
     branches:
@@ -20,7 +20,7 @@ on:
     tags:
       - "v*.*.*"
     paths-ignore:
-      - '**.md'
+      - "**.md"
 
 concurrency:
   cancel-in-progress: true
@@ -36,7 +36,7 @@ env:
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 
 jobs:
-  push-ghcr:
+  build:
     name: Build and Push using Docker Buildx
     runs-on: ubuntu-latest
 
@@ -50,6 +50,10 @@ jobs:
       matrix:
         base_name: [orora]
         major_version: [39]
+
+    outputs:
+      tags: ${{ steps.meta.outputs.tags }}
+
     steps:
       - name: Git Checkout
         uses: actions/checkout@v4
@@ -64,7 +68,7 @@ jobs:
           buildkitd-flags: --debug
       - name: Check just syntax
         uses: ublue-os/just-action@v1
-      
+
       # Image verification
       - name: Verify base image
         uses: EyeCantCU/cosign-action/[email protected]
@@ -151,34 +155,52 @@ jobs:
             IMAGE_VENDOR=${{ github.repository_owner }}
             FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
 
-      - uses: sigstore/[email protected]
-        if: github.event_name != 'pull_request'
+      # - uses: sigstore/cosign-installer@v3
+      #   if: github.event_name != 'pull_request'
+
+      # - name: Sign container image
+      #   if: github.event_name != 'pull_request'
+      #   run: |
+      #     cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
+      #   env:
+      #     COSIGN_EXPERIMENTAL: false
+      #     TAGS: ${{ steps.build_push.outputs.digest }}
+      #     COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+      # - name: Echo outputs
+      #   if: github.event_name != 'pull_request'
+      #   # echo "${{ toJSON(steps.build_push.outputs) }}"
+      #   run: |
+      #     echo "${{ steps.build_push.outputs }}"
+
+  sign:
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
 
-      - name: Sign container image
-        if: github.event_name != 'pull_request'
-        run: |
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
-        env:
-          COSIGN_EXPERIMENTAL: false
-          TAGS: ${{ steps.build_push.outputs.digest }}
-          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+    permissions:
+      id-token: write
+      packages: write
 
-      - name: Echo outputs
+    steps:
+      - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
-        # echo "${{ toJSON(steps.build_push.outputs) }}"
-        run: |
-          echo "${{ steps.build_push.outputs }}"
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-  check:
-    name: Check all builds successful
-    if: ${{ !cancelled() }}
-    runs-on: ubuntu-latest
-    needs: [push-ghcr]
-    steps:
-      - name: Exit on failure
-        if: ${{ needs.push-ghcr.result == 'failure' }}
-        shell: bash
-        run: exit 1
-      - name: Exit
-        shell: bash
-        run: exit 0
+      - uses: sigstore/cosign-installer@v3
+
+      - name: Sign the images
+        run: cosign sign -y ${TAGS}
+        env:
+          TAGS: ${{needs.build.outputs.tags}}
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Verify the pushed tags
+        run: cosign verify ${TAGS}
+        env:
+          TAGS: ${{needs.build.outputs.tags}}
+          COSIGN_EXPERIMENTAL: 1
diff --git a/.github/workflows/release-iso.yml b/.github/workflows/release-iso.yml
@@ -1,35 +1,42 @@
 on:
   push:
     paths:
-      - 'boot_menu.yml'
-      - '.github/workflows/release-iso.yml'
+      - "boot_menu.yml"
+      - ".github/workflows/release-iso.yml"
   workflow_dispatch:
 
+env:
+  ISO_NAME: "OroraOS"
+
 name: release-iso
 jobs:
   release-iso:
     name: Generate and Release ISOs
     runs-on: ubuntu-latest
     permissions:
       contents: write
-    container: 
+    container:
       image: fedora:39
       options: --privileged
     steps:
       - uses: actions/checkout@v4
-      - name: Generate ISO  
+
+      - name: Generate ISO
         uses: ublue-os/[email protected]
         id: isogenerator
         with:
-          image-name: ${{ github.event.repository.name }}
+          kickstart-file-path: ""
           installer-repo: releases
           installer-major-version: 39
           boot-menu-path: boot_menu.yml
+          image-name: ${{ github.event.repository.name }}
+
       - name: install github CLI
         run: |
           sudo dnf install 'dnf-command(config-manager)' -y
           sudo dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
           sudo dnf install gh -y
+
       - name: Upload ISO
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -38,10 +45,10 @@ jobs:
             gh release view auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --json assets -q .assets[].name | xargs --no-run-if-empty -L 1 gh release delete-asset auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
             gh release upload auto-iso ${{ steps.isogenerator.outputs.iso-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
           else
-            gh release create auto-iso ${{ steps.isogenerator.outputs.iso-path }} -t ISO -n "This is an automatically generated ISO release." -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
+            gh release create auto-iso ${{ steps.isogenerator.outputs.iso-path }} -t ${{ env.ISO_NAME }} -n "This is an automatically generated ISO release." -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
           fi
+
       - name: Upload SHA256SUM
         env:
           GITHUB_TOKEN: ${{ github.token }}
-        run:
-          gh release upload auto-iso ${{ steps.isogenerator.outputs.sha256sum-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
+        run: gh release upload auto-iso ${{ steps.isogenerator.outputs.sha256sum-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
diff --git a/Dockerfile b/Dockerfile
@@ -10,14 +10,12 @@ ARG BASE_IMAGE="${BASE_HUB}/${SOURCE_IMAGE}"
 
 # Docker cannot sub variables in COPY commands, so we need to define the image name here.
 FROM ${BASE_HUB}/akmods:${AKMODS_FLAVOR}-${FEDORA_MAJOR_VERSION} AS orora-akmods
-FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} AS orora-builder
+FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} as orora
 
 # ==================================================================================================================================================== #
 #                                                                 orora image section
 # ==================================================================================================================================================== #
 
-FROM orora-builder AS base
-
 ARG IMAGE_FLAVOR
 ARG AKMODS_FLAVOR
 ARG BASE_IMAGE_NAME
@@ -158,14 +156,6 @@ RUN rm -f /etc/yum.repos.d/charm.repo \
 # ==================================================================================================================================================== #
 #                                                         orora-dx developer edition image section
 # ==================================================================================================================================================== #
-
-FROM orora-builder AS base-dx
-
-ARG IMAGE_FLAVOR
-ARG BASE_IMAGE_NAME
-ARG FEDORA_MAJOR_VERSION
-ARG IMAGE_NAME="${IMAGE_NAME}"
-ARG IMAGE_VENDOR="${IMAGE_VENDOR}"
 ARG PACKAGE_LIST="orora-dx"
 
 # dx specific files come from the dx directory in this repo
@@ -215,15 +205,6 @@ systemctl enable docker.socket && \
   systemctl disable pmlogger.service
 EOF
 
-FROM orora-builder AS orora
-
-COPY scripts /tmp/scripts
-
-COPY --from=base usr /usr
-COPY --from=base etc /etc
-COPY --from=base-dx usr /usr
-COPY --from=base-dx etc /etc
-
 RUN /tmp/scripts/workarounds.sh
 
 # # Clean up repos, everything is on the image so we don't need them

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -0,0 +1,10 @@
+group "default" {
+  targets = ["orora"]
+}
+
+target "orora" {
+  dockerfile = "Dockerfile"
+  platforms = ["linux/amd64"]
+  tags = ["orora-bluefin:latest"]
+  build-args=[]
+}