refactor: adopt m2giles workflow
bsherman committed Oct 23, 2024
1 parent b6aeb84 commit 5b9e69d
Showing 6 changed files with 300 additions and 153 deletions.
257 changes: 257 additions & 0 deletions .github/workflows/build-desktop.yml
@@ -0,0 +1,257 @@
name: Build bOS-desktops
on:
workflow_call:
inputs:
tag_version:
description: "The Tag Version for the Build"
required: true
type: string

env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_NAME: bos
IMAGE_STYLED: bOS

jobs:
push-ublue:
name: Build Desktop Images
runs-on: ubuntu-24.04
continue-on-error: false
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
image:
#- bazzite-deck-gnome
#- bazzite-gnome
#- bazzite-gnome-nvidia
- bluefin
- bluefin-nvidia
tag_version:
- ${{ inputs.tag_version }}

steps:
- name: Build Variables
id: build-vars
uses: Wandalen/[email protected]
with:
attempt_limit: 3
attempt_delay: 15000
command: |
set -eoux pipefail
image="${{ matrix.image }}"
base_image=${{ matrix.image }}
tag_version=${{ matrix.tag_version }}
if [[ "$tag_version" == "stable" && ! "${image}" =~ bazzite ]]; then
tag_version="${tag_version}-daily"
fi
if [[ "$tag_version" == "beta" && ${image} =~ bazzite ]]; then
tag_version="unstable"
fi
if [[ ! "${image}" =~ cosmic ]]; then
KERNEL_RELEASE=$(skopeo inspect docker://ghcr.io/ublue-os/"${base_image}:${tag_version}" | jq -r '.Labels["ostree.linux"]')
fedora_version=$(echo $KERNEL_RELEASE | grep -oP 'fc\K[0-9]+')
ver=$(skopeo inspect docker://ghcr.io/ublue-os/"${base_image}:$tag_version" | jq -r '.Labels["org.opencontainers.image.version"]')
fi
case "${image}" in
"bluefin"*|"aurora"*)
upstream_repo=bluefin
;;
"bazzite"*)
upstream_repo=bazzite
;;
*)
echo "Invalid Choice. Exiting..."
exit 1
;;
esac
if [ -z "$ver" ] || [ "null" = "$ver" ]; then
echo "inspected image version must not be empty or null"
exit 1
fi
echo "version=$ver" >> $GITHUB_ENV
echo "tag_version=$tag_version" >> $GITHUB_ENV
echo "kernel_release=${KERNEL_RELEASE}" >> $GITHUB_ENV
echo "fedora_version=${fedora_version}" >> $GITHUB_ENV
echo "upstream_repo=${upstream_repo}" >> $GITHUB_ENV
echo "image=${image}" >> $GITHUB_ENV
echo "base_image=${base_image}" >> $GITHUB_ENV
- name: Verify Base Image
uses: EyeCantCU/cosign-action/[email protected]
with:
containers: ${{ env.base_image }}:${{ env.tag_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/${{ env.upstream_repo }}/main/cosign.pub
registry: ghcr.io/ublue-os

- name: Pull Images
uses: Wandalen/[email protected]
id: pull
with:
attempt_limit: 3
attempt_delay: 15000
command: |
set -eoux pipefail
sudo podman pull ghcr.io/ublue-os/${{ env.base_image }}:${{ env.tag_version }}
sudo podman pull ghcr.io/hhd-dev/rechunk:v0.8.6
- name: Checkout Push to Registry Action
uses: actions/checkout@v4

- name: Generate Tags
id: generate_tags
shell: bash
run: |
TIMESTAMP="$(date +%Y%m%d)"
case "${{ env.image }}" in
"bazzite-deck"*)
tag="bazzite-deck"
;;
"bazzite-gnome-nvidia"*)
tag="bazzite-nvidia"
;;
"bazzite"*)
tag="bazzite"
;;
*)
tag="${{ env.image }}"
esac
if [[ "${{ matrix.tag_version }}" == "beta" ]]; then
tag=${tag}-beta
fi
BUILD_TAGS+=("${tag}" "${tag}-${TIMESTAMP}")
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "default_tag=${tag}" >> "$GITHUB_OUTPUT"
echo "build_tags=${BUILD_TAGS[*]}" >> "$GITHUB_OUTPUT"
- name: Maximize Build Space
uses: ublue-os/remove-unwanted-software@v7

- name: Build Image
id: build_image
shell: bash
run: |
sudo buildah build \
--format "docker" \
--build-arg IMAGE=${{ env.image }} \
--build-arg BASE_IMAGE=${{ env.base_image }} \
--build-arg TAG_VERSION=${{ env.tag_version }} \
--tag raw-img .
- name: Remove old Images
run: |
set -eoux pipefail
sudo podman image rm ghcr.io/ublue-os/${{ env.base_image }}:${{ env.tag_version }}
- name: Rechunk Image
id: rechunk
uses: hhd-dev/[email protected]
with:
ref: "raw-img"
prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.generate_tags.outputs.default_tag }}"
version: "${{ env.version }}"
rechunk: "ghcr.io/hhd-dev/rechunk:v0.8.6"
labels: |
org.opencontainers.image.title=${{ env.IMAGE_STYLED }}
org.opencontainers.image.description=${{ env.IMAGE_STYLED }} is my customized image of various ublue projects
org.opencontainers.image.version=${{ env.version }}
# ostree.linux should already be set on our upstream
# ostree.linux=${{ env.kernel_release }}

- name: Load into Podman and Tag
shell: bash
run: |
set -eoux pipefail
IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
sudo rm -rf ${{ steps.rechunk.outputs.output }}
for tag in ${{ steps.generate_tags.outputs.build_tags }}; do
podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
done
podman tag $IMAGE rechunked-img
- name: Check Secureboot
id: secureboot
shell: bash
run: |
set -x
if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
sudo apt update
sudo apt install sbsigntool curl openssl
fi
TMP=$(podman create rechunked-img bash)
podman cp $TMP:/usr/lib/modules/${{ env.kernel_release }}/vmlinuz .
podman rm $TMP
# podman run --rm rechunked-img /bin/bash -c "cat /usr/lib/modules/*/vmlinuz" > vmlinuz
sbverify --list vmlinuz
curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
openssl x509 -in kernel-sign.der -out kernel-sign.crt
openssl x509 -in akmods.der -out akmods.crt
sbverify --cert kernel-sign.crt vmlinuz || exit 1
sbverify --cert akmods.crt vmlinuz || exit 1
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}

- name: Push to GHCR
uses: Wandalen/[email protected]
id: push
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
action: redhat-actions/push-to-registry@v2
attempt_limit: 3
attempt_delay: 15000
with: |
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.generate_tags.outputs.build_tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: sigstore/[email protected]
if: github.event_name != 'pull_request'

- name: Sign Container Image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

- name: Echo Outputs
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
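Review bot: The Build Variables step reads labels from `ghcr.io/ublue-os/${base_image}:${tag_version}` with skopeo and writes them to `$GITHUB_ENV` one step before Verify Base Image checks that image's signature, and the later steps (cosign verify, `podman pull`, `podman image rm`, and presumably the Containerfile via the BASE_IMAGE/TAG_VERSION build args) each re-resolve the same mutable tag, so the image that was inspected, the one that was verified and the one that was built are not guaranteed to be the same. Resolving the digest once in Build Variables, e.g. `digest=$(skopeo inspect docker://ghcr.io/ublue-os/"${base_image}:${tag_version}" | jq -r '.Digest')` exported like the other variables, and then referring to `${base_image}@${digest}` in the pull and build steps (and in the cosign step, if the action accepts digest references) closes that gap. Until verification has passed, label-derived values such as `kernel_release` should be treated as untrusted: they are appended to `$GITHUB_ENV` without newline filtering and later spliced into a script by expression, `podman cp $TMP:/usr/lib/modules/${{ env.kernel_release }}/vmlinuz .`; reading them as shell variables, `podman cp "$TMP:/usr/lib/modules/${kernel_release}/vmlinuz" .`, keeps the value out of the script text. Separately, the third-party actions are pinned by tag (`Wandalen/[email protected]`, `hhd-dev/[email protected]`, `sigstore/[email protected]`, `EyeCantCU/cosign-action/[email protected]`, `ASzc/change-string-case-action@v6`, `ublue-os/remove-unwanted-software@v7`) in a job that holds `packages: write`, `id-token: write` and `secrets.SIGNING_SECRET`; pinning them to full commit SHAs, and pulling `ghcr.io/hhd-dev/rechunk:v0.8.6` by digest rather than tag, would limit what a compromised upstream tag can do with those credentials.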