From d1de2b61c7b2dca40bf7e4907def1503e2be0c4b Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Thu, 26 Sep 2024 21:35:57 +0100 Subject: [PATCH 01/10] fix(ci): update rechunk action inputs (#1697) --- .github/workflows/reusable-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 38e7f55f852..77d6cb4c271 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -384,7 +384,7 @@ jobs: string: ${{ env.IMAGE_REGISTRY }} - name: Prepare Rechunk - if: inputs.rechunk == 'true' && github.event_name != 'pull_request' + if: inputs.rechunk == true && github.event_name != 'pull_request' run: | sudo apt update && sudo apt install systemd-container sudo podman image scp $(whoami)@localhost::${{ steps.build_image.outputs.image }}:${{ env.DEFAULT_TAG }} root@localhost:: @@ -392,7 +392,7 @@ jobs: - name: Rechunk Image id: rechunk - if: inputs.rechunk == 'true' && github.event_name != 'pull_request' + if: inputs.rechunk == true && github.event_name != 'pull_request' uses: hhd-dev/rechunk@v0.8.6 with: rechunk: ghcr.io/hhd-dev/rechunk:v0.8.6 @@ -403,7 +403,7 @@ jobs: # Overwrite the image with the chuncked image - name: Load Rechunked Image - if: inputs.rechunk == 'true' && github.event_name != 'pull_request' + if: inputs.rechunk == true && github.event_name != 'pull_request' run: | sudo podman rmi $(sudo podman image ls -qa) --force IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) From b77949144ba64bfc90ce55968a480e4ea7d7c13f Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Thu, 26 Sep 2024 22:10:51 +0100 Subject: [PATCH 02/10] chore: switch to building using sudo --- .github/workflows/reusable-build.yml | 110 +++++++++++++-------------- 1 file changed, 53 insertions(+), 57 deletions(-) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 38e7f55f852..96195e82ab2 100644 
--- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml 
@@ -319,41 +319,49 @@ jobs: command: | # pull the base image used for FROM in containerfile so # we can retry on that unfortunately common failure case - podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.BASE_IMAGE_NAME }}-${{ env.image_flavor }}:${{ env.fedora_version }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.AKMODS_FLAVOR }}-${{ env.fedora_version }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.AKMODS_FLAVOR }}-${{ env.fedora_version }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:coreos-stable-${{ env.fedora_version }} - podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.AKMODS_FLAVOR }}-kernel:${{ env.kernel_release }} - - # Build image using Buildah action - - name: Build Image + sudo podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.BASE_IMAGE_NAME }}-${{ env.image_flavor }}:${{ env.fedora_version }} + sudo podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.AKMODS_FLAVOR }}-${{ env.fedora_version }} + sudo podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.AKMODS_FLAVOR }}-${{ env.fedora_version }} + sudo podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:coreos-stable-${{ env.fedora_version }} + sudo podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.AKMODS_FLAVOR }}-kernel:${{ env.kernel_release }} + + - nane: Build Image id: build_image if: github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request' - uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 - with: - containerfiles: | - ./Containerfile - image: ${{ env.IMAGE_NAME }} - tags: | - ${{ steps.generate-tags.outputs.alias_tags }} - build-args: | - BASE_IMAGE_NAME=${{ env.BASE_IMAGE_NAME }} - IMAGE_NAME=${{ env.IMAGE_NAME }} - IMAGE_FLAVOR=${{ env.image_flavor }} - IMAGE_VENDOR=${{ github.repository_owner }} - FEDORA_MAJOR_VERSION=${{ env.fedora_version }} - TARGET_BASE=${{ matrix.target_base }} - AKMODS_FLAVOR=${{ env.AKMODS_FLAVOR }} - NVIDIA_TYPE=${{ 
env.nvidia_type }} - KERNEL=${{ env.kernel_release }} - UBLUE_IMAGE_TAG=${{ matrix.fedora_version }} - labels: ${{ steps.meta.outputs.labels }} - oci: false - # TODO(GH-280) - # extra-args: | - # --target=${{ matrix.target_name || matrix.base_name }} - extra-args: | - --target=${{ env.TARGET_NAME }} + run: | + BUILD_ARGS=() + BUILD_ARGS+=("--build-arg" "BASE_IMAGE_NAME=${{ env.BASE_IMAGE_NAME }}") + BUILD_ARGS+=("--build-arg" "IMAGE_NAME=${{ env.IMAGE_NAME }}") + BUILD_ARGS+=("--build-arg" "IMAGE_FLAVOR=${{ env.image_flavor }}") + BUILD_ARGS+=("--build-arg" "IMAGE_VENDOR=${{ github.repository_owner }}") + BUILD_ARGS+=("--build-arg" "FEDORA_MAJOR_VERSION=${{ env.fedora_version }}") + BUILD_ARGS+=("--build-arg" "TARGET_BASE=${{ env.TARGET_BASE }}") + BUILD_ARGS+=("--build-arg" "AKMODS_FLAVOR=${{ env.AKMODS_FLAVOR }}") + BUILD_ARGS+=("--build-arg" "NVIDIA_TYPE=${{ env.nvidia_type }}") + BUILD_ARGS+=("--build-arg" "KERNEL=${{ env.kernel_release }}") + BUILD_ARGS+=("--build-arg" "UBLUE_IMAGE_TAG=${{ matrix.fedora_version }}") + + TAG_ARGS=() + for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do + TAG_ARGS+=("--tag" "${{ env.IMAGE_NAME }}:${tag}") + done + + LABEL_ARGS=() + for label in ${{ steps.meta.outputs.labels }}; do + LABEL_ARGS+=("--label" "${label}") + done + + podman build --format docker --target ${{ env.TARGET_NAME }} \ + "${BUILD_ARGS[@]}" \ + "${TAG_ARGS[@]}" \ + "${LABEL_ARGS[@]}" \ + . + + podman image ls + + echo "image=${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT + echo "tags=${{ steps.generate-tags.outputs.alias_tags }}" >> $GITHUB_OUTPUT + - name: Check Secureboot if: github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request' 
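Review bot: The new `run:` script in the Build Image step pastes `${{ … }}` expressions straight into the shell text (the build args, `for tag in ${{ steps.generate-tags.outputs.alias_tags }}`, `for label in ${{ steps.meta.outputs.labels }}`, `--target ${{ env.TARGET_NAME }}`), so a quote, `$(` or newline inside any of those values is parsed as shell before the script runs. Pass them through the step's `env:` instead, e.g. `ALIAS_TAGS: ${{ steps.generate-tags.outputs.alias_tags }}`, and read them as variables (`for tag in $ALIAS_TAGS; do`, `--target "$TARGET_NAME"`). The unquoted `for label in …` loop also word-splits, so a label whose value contains a space would turn into several `--label` arguments. Separately, the build arg changed from `matrix.target_base` to `env.TARGET_BASE`; whether that variable is set anywhere is not visible in this hunk.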
@@ -383,13 +391,6 @@ jobs: with: string: ${{ env.IMAGE_REGISTRY }} - - name: Prepare Rechunk - if: inputs.rechunk == 'true' && github.event_name != 'pull_request' - run: | - sudo apt update && sudo apt install systemd-container - sudo podman image scp $(whoami)@localhost::${{ steps.build_image.outputs.image }}:${{ env.DEFAULT_TAG }} root@localhost:: - podman rmi $(podman image ls -qa) --force - - name: Rechunk Image id: rechunk if: inputs.rechunk == 'true' && github.event_name != 'pull_request' @@ -406,27 +407,12 @@ jobs: if: inputs.rechunk == 'true' && github.event_name != 'pull_request' run: | sudo podman rmi $(sudo podman image ls -qa) --force - IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) + IMAGE=$(sudo podman pull ${{ steps.rechunk.outputs.ref }}) sudo rm -rf ${{ steps.rechunk.outputs.output }} for tag in ${{ steps.build_image.outputs.tags }}; do - podman tag $IMAGE ${{ env.IMAGE_NAME }}:${tag} + sudo podman tag $IMAGE ${{ env.IMAGE_NAME }}:${tag} done - # Push the image to GHCR (Image Registry) - - name: Push To GHCR - uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 - id: push - if: github.event_name != 'pull_request' - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - with: - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 if: github.event_name != 'pull_request' 
@@ -435,6 +421,16 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Push to GHCR + id: push + if: github.event_name != 'pull_request' + run: | + for tag in ${{ steps.build_image.outputs.tags }}; do + podman push ${{ env.IMAGE_NAME }}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${tag} + done + digest=$(skopeo inspect docker://${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} --format '{{.Digest}}') + echo "digest=${digest}" >> $GITHUB_OUTPUT + # Sign container - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 if: github.event_name != 'pull_request' From 0673e1f92e7d5303f6db2db53f2ca6383e370ea4 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Thu, 26 Sep 2024 22:13:34 +0100 Subject: [PATCH 03/10] fix: update yaml name key typo --- .github/workflows/reusable-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 6f56a328fea..89ab3f76e99 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -310,7 +310,7 @@ jobs: io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/bluefin/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - - name: Pull images + - name: Pull images if: github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request' uses: Wandalen/wretry.action@6feedb7dedadeb826de0f45ff482b53b379a7844 # v3.5.0 with: 
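Review bot: The `digest` output of the new Push to GHCR step is read back from the registry with `skopeo inspect` on `${{ env.DEFAULT_TAG }}`, a mutable tag, rather than taken from the push itself. If another job or run moves that tag between the push and the inspect, the digest handed to later steps (presumably the cosign signing that follows) is not the image this job built. `podman push` can record what it pushed: use `podman push --digestfile "$RUNNER_TEMP/digest" …` for the default tag and then `echo "digest=$(cat "$RUNNER_TEMP/digest")" >> "$GITHUB_OUTPUT"`. The step continues past the end of this hunk only as far as the signing steps shown as context.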
@@ -325,7 +325,7 @@ jobs: sudo podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:coreos-stable-${{ env.fedora_version }} sudo podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.AKMODS_FLAVOR }}-kernel:${{ env.kernel_release }} - - nane: Build Image + - name: Build Image id: build_image if: github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request' run: | From a03ac4ca631e693ca18c834eacbb51f865e058b9 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Thu, 26 Sep 2024 22:19:12 +0100 Subject: [PATCH 04/10] fix: update labels and tags arrays and temporarily disable unwanted builds --- .github/workflows/build-beta-aurora.yml | 54 ++++++++++----------- .github/workflows/build-beta-bluefin.yml | 54 ++++++++++----------- .github/workflows/build-coreos-aurora.yml | 40 ++++++++-------- .github/workflows/build-coreos-bluefin.yml | 40 ++++++++-------- .github/workflows/build-gts-bluefin.yml | 40 ++++++++-------- .github/workflows/build-latest-aurora.yml | 56 +++++++++++----------- .github/workflows/reusable-build.yml | 18 +++---- 7 files changed, 152 insertions(+), 150 deletions(-) diff --git a/.github/workflows/build-beta-aurora.yml b/.github/workflows/build-beta-aurora.yml index 84d6a68d7aa..8cfe1254f27 100644 --- a/.github/workflows/build-beta-aurora.yml +++ b/.github/workflows/build-beta-aurora.yml 
@@ -1,28 +1,28 @@ -name: Aurora Beta -on: - # merge_group: - # pull_request: - # branches: - # - main - # - testing - # paths-ignore: - # - "**.md" - # - "system_files/silverblue/**" - # push: - # branches: - # - main - # paths-ignore: - # - "**.md" - # - "system_files/silverblue/**" - # schedule: - # - cron: "40 4 * * *" # 4:40 UTC everyday - workflow_dispatch: +# name: Aurora Beta +# on: +# # merge_group: +# # pull_request: +# # branches: +# # - main +# # - testing +# # paths-ignore: +# # - "**.md" +# # - "system_files/silverblue/**" +# # push: +# # branches: +# # - main +# # paths-ignore: +# # - "**.md" +# # - "system_files/silverblue/**" +# # schedule: +# # - cron: "40 4 * * *" # 4:40 UTC everyday +# workflow_dispatch: -jobs: - build: - name: build - uses: ./.github/workflows/reusable-build.yml - secrets: inherit - with: - brand_name: aurora - fedora_version: beta +# jobs: +# build: +# name: build +# uses: ./.github/workflows/reusable-build.yml +# secrets: inherit +# with: +# brand_name: aurora +# fedora_version: beta diff --git a/.github/workflows/build-beta-bluefin.yml b/.github/workflows/build-beta-bluefin.yml index 9e20f414a7b..617a4ef2b60 100644 --- a/.github/workflows/build-beta-bluefin.yml +++ b/.github/workflows/build-beta-bluefin.yml 
@@ -1,28 +1,28 @@ -name: Bluefin Beta -on: - # merge_group: - # pull_request: - # branches: - # - main - # - testing - # paths-ignore: - # - "**.md" - # - "system_files/silverblue/**" - # push: - # branches: - # - main - # paths-ignore: - # - "**.md" - # - "system_files/silverblue/**" - # schedule: - # - cron: "40 4 * * *" # 4:40 UTC everyday - workflow_dispatch: +# name: Bluefin Beta +# on: +# # merge_group: +# # pull_request: +# # branches: +# # - main +# # - testing +# # paths-ignore: +# # - "**.md" +# # - "system_files/silverblue/**" +# # push: +# # branches: +# # - main +# # paths-ignore: +# # - "**.md" +# # - "system_files/silverblue/**" +# # schedule: +# # - cron: "40 4 * * *" # 4:40 UTC everyday +# workflow_dispatch: -jobs: - build: - name: build - uses: ./.github/workflows/reusable-build.yml - secrets: inherit - with: - brand_name: bluefin - fedora_version: beta +# jobs: +# build: +# name: build +# uses: ./.github/workflows/reusable-build.yml +# secrets: inherit +# with: +# brand_name: bluefin +# fedora_version: beta diff --git a/.github/workflows/build-coreos-aurora.yml b/.github/workflows/build-coreos-aurora.yml index 8a9093e0791..40422d745d5 100644 --- a/.github/workflows/build-coreos-aurora.yml +++ b/.github/workflows/build-coreos-aurora.yml 
@@ -1,21 +1,21 @@ -name: Aurora Stable -on: - pull_request: - branches: - - main - - testing - paths-ignore: - - '**.md' - - 'system_files/silverblue/**' - schedule: - - cron: '41 5 * * 2' # 5:41 UTC every Tuesday - workflow_dispatch: +# name: Aurora Stable +# on: +# pull_request: +# branches: +# - main +# - testing +# paths-ignore: +# - '**.md' +# - 'system_files/silverblue/**' +# schedule: +# - cron: '41 5 * * 2' # 5:41 UTC every Tuesday +# workflow_dispatch: -jobs: - build: - name: build - uses: ./.github/workflows/reusable-build.yml - secrets: inherit - with: - brand_name: aurora - fedora_version: stable +# jobs: +# build: +# name: build +# uses: ./.github/workflows/reusable-build.yml +# secrets: inherit +# with: +# brand_name: aurora +# fedora_version: stable diff --git a/.github/workflows/build-coreos-bluefin.yml b/.github/workflows/build-coreos-bluefin.yml index 18d6e80b1d7..886c3a38e6f 100644 --- a/.github/workflows/build-coreos-bluefin.yml +++ b/.github/workflows/build-coreos-bluefin.yml @@ -1,21 +1,21 @@ -name: Bluefin Stable -on: - pull_request: - branches: - - main - - testing - paths-ignore: - - '**.md' - - 'system_files/kinoite/**' - schedule: - - cron: '41 5 * * 2' # 5:41 UTC every Tuesday - workflow_dispatch: +# name: Bluefin Stable +# on: +# pull_request: +# branches: +# - main +# - testing +# paths-ignore: +# - '**.md' +# - 'system_files/kinoite/**' +# schedule: +# - cron: '41 5 * * 2' # 5:41 UTC every Tuesday +# workflow_dispatch: -jobs: - build: - name: build - uses: ./.github/workflows/reusable-build.yml - secrets: inherit - with: - brand_name: bluefin - fedora_version: stable +# jobs: +# build: +# name: build +# uses: ./.github/workflows/reusable-build.yml +# secrets: inherit +# with: +# brand_name: bluefin +# fedora_version: stable diff --git a/.github/workflows/build-gts-bluefin.yml b/.github/workflows/build-gts-bluefin.yml index 053055a02df..4abef409484 100644 --- a/.github/workflows/build-gts-bluefin.yml 
+++ b/.github/workflows/build-gts-bluefin.yml @@ -1,21 +1,21 @@ -name: Bluefin GTS -on: - pull_request: - branches: - - main - - testing - paths-ignore: - - '**.md' - - 'system_files/kinoite/**' - schedule: - - cron: '41 5 * * 0' # 5:41 UTC Weekly on Sundays - workflow_dispatch: +# name: Bluefin GTS +# on: +# pull_request: +# branches: +# - main +# - testing +# paths-ignore: +# - '**.md' +# - 'system_files/kinoite/**' +# schedule: +# - cron: '41 5 * * 0' # 5:41 UTC Weekly on Sundays +# workflow_dispatch: -jobs: - build: - name: build - uses: ./.github/workflows/reusable-build.yml - secrets: inherit - with: - brand_name: bluefin - fedora_version: gts +# jobs: +# build: +# name: build +# uses: ./.github/workflows/reusable-build.yml +# secrets: inherit +# with: +# brand_name: bluefin +# fedora_version: gts diff --git a/.github/workflows/build-latest-aurora.yml b/.github/workflows/build-latest-aurora.yml index 4a51c0deef0..f36a755d698 100644 --- a/.github/workflows/build-latest-aurora.yml +++ b/.github/workflows/build-latest-aurora.yml 
@@ -1,29 +1,29 @@ -name: Aurora Latest -on: - merge_group: - pull_request: - branches: - - main - - testing - paths-ignore: - - '**.md' - - 'system_files/silverblue/**' - push: - branches: - - main - paths-ignore: - - '**.md' - - 'system_files/silverblue/**' - schedule: - - cron: '40 4 * * *' # 4:40 UTC everyday - workflow_dispatch: +# name: Aurora Latest +# on: +# merge_group: +# pull_request: +# branches: +# - main +# - testing +# paths-ignore: +# - '**.md' +# - 'system_files/silverblue/**' +# push: +# branches: +# - main +# paths-ignore: +# - '**.md' +# - 'system_files/silverblue/**' +# schedule: +# - cron: '40 4 * * *' # 4:40 UTC everyday +# workflow_dispatch: -jobs: - build: - name: build - uses: ./.github/workflows/reusable-build.yml - secrets: inherit - with: - brand_name: aurora - fedora_version: latest - rechunk: true +# jobs: +# build: +# name: build +# uses: ./.github/workflows/reusable-build.yml +# secrets: inherit +# with: +# brand_name: aurora +# fedora_version: latest +# rechunk: true diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 89ab3f76e99..201f778c943 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -38,14 +38,14 @@ jobs: matrix: image_flavor: - main - - nvidia - - asus - - asus-nvidia - - surface - - surface-nvidia + # - nvidia + # - asus + # - asus-nvidia + # - surface + # - surface-nvidia base_name: - ${{ inputs.brand_name }} - - ${{ inputs.brand_name }}-dx + # - ${{ inputs.brand_name }}-dx fedora_version: - ${{ inputs.fedora_version }} exclude: 
@@ -342,12 +342,14 @@ jobs: BUILD_ARGS+=("--build-arg" "UBLUE_IMAGE_TAG=${{ matrix.fedora_version }}") TAG_ARGS=() - for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do + IFS=' ' read -r -a tags_array <<< "${{ steps.generate-tags.outputs.alias_tags }}" + for tag in "${tags_array[@]}"; do TAG_ARGS+=("--tag" "${{ env.IMAGE_NAME }}:${tag}") done LABEL_ARGS=() - for label in ${{ steps.meta.outputs.labels }}; do + IFS=' ' read -r -a labels_array <<< "${{ steps.meta.outputs.labels }}" + for label in "${labels_array[@]}"; do LABEL_ARGS+=("--label" "${label}") done From d10101fa384008a98c4f0b76544f182cc1d81839 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Thu, 26 Sep 2024 22:31:03 +0100 Subject: [PATCH 05/10] [ci skip] fix: run the builds as sudo --- .github/workflows/reusable-build.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 201f778c943..b828fe09512 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -329,6 +329,8 @@ jobs: id: build_image if: github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request' run: | + set -euox pipefail + BUILD_ARGS=() BUILD_ARGS+=("--build-arg" "BASE_IMAGE_NAME=${{ env.BASE_IMAGE_NAME }}") BUILD_ARGS+=("--build-arg" "IMAGE_NAME=${{ env.IMAGE_NAME }}") @@ -353,13 +355,13 @@ jobs: LABEL_ARGS+=("--label" "${label}") done - podman build --format docker --target ${{ env.TARGET_NAME }} \ + sudo podman build --format docker --target ${{ env.TARGET_NAME }} \ "${BUILD_ARGS[@]}" \ "${TAG_ARGS[@]}" \ "${LABEL_ARGS[@]}" \ . - podman image ls + sudo podman image ls echo "image=${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT echo "tags=${{ steps.generate-tags.outputs.alias_tags }}" >> $GITHUB_OUTPUT 
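Review bot: `IFS=' ' read -r -a labels_array <<< "${{ steps.meta.outputs.labels }}"` reads only the first line of its input and splits it on spaces, so if the labels output holds one `key=value` per line (as the label list earlier in this workflow suggests) every label after the first is dropped, and a value containing a space is broken apart. Reading line by line keeps each label whole: `mapfile -t labels_array <<< "$LABELS"`, with `LABELS: ${{ steps.meta.outputs.labels }}` supplied through the step's `env:`. Going through `env:` also keeps a `"` or `$(` inside a label value from being interpreted by the shell, which the double-quoted `${{ … }}` here does not prevent. The `tags_array` line above has the same interpolation issue, though splitting on spaces is probably right for tags.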
@@ -374,9 +376,9 @@ jobs: sudo apt update sudo apt install sbsigntool curl openssl fi - podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 - podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.kernel_release }}/vmlinuz . - podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) + sudo podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 + sudo podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.kernel_release }}/vmlinuz . + sudo podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sbverify --list vmlinuz curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der @@ -427,6 +429,8 @@ jobs: id: push if: github.event_name != 'pull_request' run: | + set -euox pipefail + for tag in ${{ steps.build_image.outputs.tags }}; do podman push ${{ env.IMAGE_NAME }}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${tag} done From a362ed57b57a1b2882346039f1094221c4eae98b Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Thu, 26 Sep 2024 22:44:37 +0100 Subject: [PATCH 06/10] fix: do not fail on podman rm --- .github/workflows/reusable-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
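Review bot: The Check Secureboot step now starts the freshly built image as a root container (`sudo podman run -d --rm … sleep 1000`) only to copy `vmlinuz` out of it, which executes code from an image before the signature check that follows. `podman cp` works on a container that was created but never started, so `sudo podman create --name "$ctr" "$image"` followed by the existing `sudo podman cp` and `sudo podman rm "$ctr"` retrieves the file without running anything. That would also make the `|| true` and `kill -9` workarounds added by the next two patches in this series unnecessary. Computing the container name once into a variable, instead of repeating the `$(echo … | cut -d " " -f 1)` substitution on each line, would make the three commands easier to check. The step's body starts and ends outside this hunk.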
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index b828fe09512..c398079097a 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -378,7 +378,7 @@ jobs: fi sudo podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 sudo podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.kernel_release }}/vmlinuz . - sudo podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) + sudo podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) || true sbverify --list vmlinuz curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der From 494dc05014b9334ecff1045c415b135c36ec4d8b Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Fri, 27 Sep 2024 16:41:18 +0100 Subject: [PATCH 07/10] fix: kill the secureboot container process --- .github/workflows/reusable-build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index c398079097a..b8a71186df4 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml 
@@ -379,6 +379,7 @@ jobs: sudo podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 sudo podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.kernel_release }}/vmlinuz . sudo podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) || true + sudo kill -9 $(sudo podman inspect --format '{{.State.Pid}}' ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)) || true sbverify --list vmlinuz curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der From 457655ecc2dc87d90b56f78960b372de9a00b0e5 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Fri, 27 Sep 2024 20:01:21 +0100 Subject: [PATCH 08/10] fix: run push as sudo --- .github/workflows/reusable-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index b8a71186df4..887f5456599 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -433,7 +433,7 @@ jobs: set -euox pipefail for tag in ${{ steps.build_image.outputs.tags }}; do - podman push ${{ env.IMAGE_NAME }}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${tag} + sudo podman push ${{ env.IMAGE_NAME }}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${tag} done digest=$(skopeo inspect docker://${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} --format '{{.Digest}}') echo "digest=${digest}" >> $GITHUB_OUTPUT 
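Review bot: The added `sudo kill -9 $(sudo podman inspect --format '{{.State.Pid}}' …) || true` line can signal the wrong processes: a container that still exists but is no longer running is normally reported with PID 0, and `kill -9 0` targets the caller's whole process group rather than one process. When the preceding `podman rm -f` has succeeded, the inspect fails instead and `kill` runs with no argument; `|| true` hides both outcomes. If the container really can linger, capture the PID first and only signal it when it is a real one, e.g. `[ "${pid:-0}" -gt 1 ] && sudo kill -9 "$pid" || true`; otherwise drop the line and rely on `podman rm -f`. The step body extends beyond this hunk.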
From 06baa0c3317d36c9e07e8e0907e9d01b89b809d1 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Fri, 27 Sep 2024 20:25:06 +0100 Subject: [PATCH 09/10] fix: podman login to GHCR --- .github/workflows/build-latest-bluefin.yml | 1 + .github/workflows/reusable-build.yml | 8 +++----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-latest-bluefin.yml b/.github/workflows/build-latest-bluefin.yml index 9ef35430ad6..dbbabf58e55 100644 --- a/.github/workflows/build-latest-bluefin.yml +++ b/.github/workflows/build-latest-bluefin.yml @@ -26,3 +26,4 @@ jobs: with: brand_name: bluefin fedora_version: latest + rechunk: true diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 887f5456599..9e5bb8506b9 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -419,12 +419,10 @@ jobs: done - name: Login to GitHub Container Registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 if: github.event_name != 'pull_request' - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + run: | + echo ${{ secrets.GITHUB_TOKEN }} | podman login ghcr.io -u ${{ github.actor }} --password-stdin + echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin - name: Push to GHCR id: push From 7121639d05c543c90d58631cfcf97439d0a537f8 Mon Sep 17 00:00:00 2001 
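Review bot: The rewritten login step expands `${{ secrets.GITHUB_TOKEN }}` directly into the script text and echoes it unquoted, so the token is written into the generated shell file and any shell-special character in it would be interpreted; it should arrive through the step's `env:` and be used as a quoted variable. The login also runs as the runner user while the push in this series runs under `sudo podman push`, and root and rootless podman normally keep separate auth files, so the push may not see these credentials; that is worth confirming, or the login should be repeated with `sudo podman login`. `printf '%s'` avoids the option parsing and trailing newline of `echo`.

```yaml
      - name: Login to GitHub Container Registry
        # … unchanged: if condition …
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        run: |
          printf '%s' "$REGISTRY_PASSWORD" | podman login ghcr.io -u "$REGISTRY_USER" --password-stdin
          printf '%s' "$REGISTRY_PASSWORD" | docker login ghcr.io -u "$REGISTRY_USER" --password-stdin
```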
From: Robert Sturla Date: Fri, 27 Sep 2024 21:01:26 +0100 Subject: [PATCH 10/10] chore: enable all builds --- .github/workflows/build-beta-aurora.yml | 54 ++++++++++---------- .github/workflows/build-beta-bluefin.yml | 54 ++++++++++---------- .github/workflows/build-coreos-aurora.yml | 40 +++++++-------- .github/workflows/build-coreos-bluefin.yml | 40 +++++++-------- .github/workflows/build-gts-bluefin.yml | 40 +++++++-------- .github/workflows/build-latest-aurora.yml | 58 +++++++++++----------- .github/workflows/reusable-build.yml | 12 ++--- 7 files changed, 149 insertions(+), 149 deletions(-) diff --git a/.github/workflows/build-beta-aurora.yml b/.github/workflows/build-beta-aurora.yml index 8cfe1254f27..84d6a68d7aa 100644 --- a/.github/workflows/build-beta-aurora.yml +++ b/.github/workflows/build-beta-aurora.yml @@ -1,28 +1,28 @@ -# name: Aurora Beta -# on: -# # merge_group: -# # pull_request: -# # branches: -# # - main -# # - testing -# # paths-ignore: -# # - "**.md" -# # - "system_files/silverblue/**" -# # push: -# # branches: -# # - main -# # paths-ignore: -# # - "**.md" -# # - "system_files/silverblue/**" -# # schedule: -# # - cron: "40 4 * * *" # 4:40 UTC everyday -# workflow_dispatch: +name: Aurora Beta +on: + # merge_group: + # pull_request: + # branches: + # - main + # - testing + # paths-ignore: + # - "**.md" + # - "system_files/silverblue/**" + # push: + # branches: + # - main + # paths-ignore: + # - "**.md" + # - "system_files/silverblue/**" + # schedule: + # - cron: "40 4 * * *" # 4:40 UTC everyday + workflow_dispatch: -# jobs: -# build: -# name: build -# uses: ./.github/workflows/reusable-build.yml -# secrets: inherit -# with: -# brand_name: aurora -# fedora_version: beta +jobs: + build: + name: build + uses: ./.github/workflows/reusable-build.yml + secrets: inherit + with: + brand_name: aurora + fedora_version: beta diff --git a/.github/workflows/build-beta-bluefin.yml b/.github/workflows/build-beta-bluefin.yml index 617a4ef2b60..9e20f414a7b 100644 
--- a/.github/workflows/build-beta-bluefin.yml +++ b/.github/workflows/build-beta-bluefin.yml @@ -1,28 +1,28 @@ -# name: Bluefin Beta -# on: -# # merge_group: -# # pull_request: -# # branches: -# # - main -# # - testing -# # paths-ignore: -# # - "**.md" -# # - "system_files/silverblue/**" -# # push: -# # branches: -# # - main -# # paths-ignore: -# # - "**.md" -# # - "system_files/silverblue/**" -# # schedule: -# # - cron: "40 4 * * *" # 4:40 UTC everyday -# workflow_dispatch: +name: Bluefin Beta +on: + # merge_group: + # pull_request: + # branches: + # - main + # - testing + # paths-ignore: + # - "**.md" + # - "system_files/silverblue/**" + # push: + # branches: + # - main + # paths-ignore: + # - "**.md" + # - "system_files/silverblue/**" + # schedule: + # - cron: "40 4 * * *" # 4:40 UTC everyday + workflow_dispatch: -# jobs: -# build: -# name: build -# uses: ./.github/workflows/reusable-build.yml -# secrets: inherit -# with: -# brand_name: bluefin -# fedora_version: beta +jobs: + build: + name: build + uses: ./.github/workflows/reusable-build.yml + secrets: inherit + with: + brand_name: bluefin + fedora_version: beta diff --git a/.github/workflows/build-coreos-aurora.yml b/.github/workflows/build-coreos-aurora.yml index 40422d745d5..8a9093e0791 100644 --- a/.github/workflows/build-coreos-aurora.yml +++ b/.github/workflows/build-coreos-aurora.yml 
@@ -1,21 +1,21 @@ -# name: Aurora Stable -# on: -# pull_request: -# branches: -# - main -# - testing -# paths-ignore: -# - '**.md' -# - 'system_files/silverblue/**' -# schedule: -# - cron: '41 5 * * 2' # 5:41 UTC every Tuesday -# workflow_dispatch: +name: Aurora Stable +on: + pull_request: + branches: + - main + - testing + paths-ignore: + - '**.md' + - 'system_files/silverblue/**' + schedule: + - cron: '41 5 * * 2' # 5:41 UTC every Tuesday + workflow_dispatch: -# jobs: -# build: -# name: build -# uses: ./.github/workflows/reusable-build.yml -# secrets: inherit -# with: -# brand_name: aurora -# fedora_version: stable +jobs: + build: + name: build + uses: ./.github/workflows/reusable-build.yml + secrets: inherit + with: + brand_name: aurora + fedora_version: stable diff --git a/.github/workflows/build-coreos-bluefin.yml b/.github/workflows/build-coreos-bluefin.yml index 886c3a38e6f..18d6e80b1d7 100644 --- a/.github/workflows/build-coreos-bluefin.yml +++ b/.github/workflows/build-coreos-bluefin.yml @@ -1,21 +1,21 @@ -# name: Bluefin Stable -# on: -# pull_request: -# branches: -# - main -# - testing -# paths-ignore: -# - '**.md' -# - 'system_files/kinoite/**' -# schedule: -# - cron: '41 5 * * 2' # 5:41 UTC every Tuesday -# workflow_dispatch: +name: Bluefin Stable +on: + pull_request: + branches: + - main + - testing + paths-ignore: + - '**.md' + - 'system_files/kinoite/**' + schedule: + - cron: '41 5 * * 2' # 5:41 UTC every Tuesday + workflow_dispatch: -# jobs: -# build: -# name: build -# uses: ./.github/workflows/reusable-build.yml -# secrets: inherit -# with: -# brand_name: bluefin -# fedora_version: stable +jobs: + build: + name: build + uses: ./.github/workflows/reusable-build.yml + secrets: inherit + with: + brand_name: bluefin + fedora_version: stable diff --git a/.github/workflows/build-gts-bluefin.yml b/.github/workflows/build-gts-bluefin.yml index 4abef409484..053055a02df 100644 --- a/.github/workflows/build-gts-bluefin.yml 
+++ b/.github/workflows/build-gts-bluefin.yml @@ -1,21 +1,21 @@ -# name: Bluefin GTS -# on: -# pull_request: -# branches: -# - main -# - testing -# paths-ignore: -# - '**.md' -# - 'system_files/kinoite/**' -# schedule: -# - cron: '41 5 * * 0' # 5:41 UTC Weekly on Sundays -# workflow_dispatch: +name: Bluefin GTS +on: + pull_request: + branches: + - main + - testing + paths-ignore: + - '**.md' + - 'system_files/kinoite/**' + schedule: + - cron: '41 5 * * 0' # 5:41 UTC Weekly on Sundays + workflow_dispatch: -# jobs: -# build: -# name: build -# uses: ./.github/workflows/reusable-build.yml -# secrets: inherit -# with: -# brand_name: bluefin -# fedora_version: gts +jobs: + build: + name: build + uses: ./.github/workflows/reusable-build.yml + secrets: inherit + with: + brand_name: bluefin + fedora_version: gts diff --git a/.github/workflows/build-latest-aurora.yml b/.github/workflows/build-latest-aurora.yml index e418c7fa423..4a51c0deef0 100644 --- a/.github/workflows/build-latest-aurora.yml +++ b/.github/workflows/build-latest-aurora.yml 
@@ -1,29 +1,29 @@ -# name: Aurora Latest -# on: -# merge_group: -# pull_request: -# branches: -# - main -# - testing -# paths-ignore: -# - '**.md' -# - 'system_files/silverblue/**' -# push: -# branches: -# - main -# paths-ignore: -# - '**.md' -# - 'system_files/silverblue/**' -# schedule: -# - cron: '40 4 * * *' # 4:40 UTC everyday -# workflow_dispatch: -# -# jobs: -# build: -# name: build -# uses: ./.github/workflows/reusable-build.yml -# secrets: inherit -# with: -# brand_name: aurora -# fedora_version: latest -# rechunk: true +name: Aurora Latest +on: + merge_group: + pull_request: + branches: + - main + - testing + paths-ignore: + - '**.md' + - 'system_files/silverblue/**' + push: + branches: + - main + paths-ignore: + - '**.md' + - 'system_files/silverblue/**' + schedule: + - cron: '40 4 * * *' # 4:40 UTC everyday + workflow_dispatch: + +jobs: + build: + name: build + uses: ./.github/workflows/reusable-build.yml + secrets: inherit + with: + brand_name: aurora + fedora_version: latest + rechunk: true diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 9e5bb8506b9..5e5bdac3a96 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -38,14 +38,14 @@ jobs: matrix: image_flavor: - main - # - nvidia - # - asus - # - asus-nvidia - # - surface - # - surface-nvidia + - nvidia + - asus + - asus-nvidia + - surface + - surface-nvidia base_name: - ${{ inputs.brand_name }} - # - ${{ inputs.brand_name }}-dx + - ${{ inputs.brand_name }}-dx fedora_version: - ${{ inputs.fedora_version }} exclude: