From e72d5afc246e45530bf9c56c1605c66ed1d11f11 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Tue, 18 Jun 2024 21:01:49 -0400
Subject: [PATCH] feat: Sign kernel with our akmods key (#588)
Signed-off-by: RJ Sampson
---
 .github/workflows/reusable-build.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index d13ef848..904c4c63 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -103,9 +103,11 @@ jobs:
 [[ "${IS_STABLE_VERSION}" == "true" ]]; then
 BUILD_TAGS+=("${TIMESTAMP}")
 BUILD_TAGS+=("latest")
+ echo "DEFAULT_TAG=latest" >> $GITHUB_ENV
 elif [[ "${IS_GTS_VERSION}" == "true" ]]; then
 BUILD_TAGS+=("gts-${TIMESTAMP}")
 BUILD_TAGS+=("gts")
+ echo "DEFAULT_TAG=gts" >> $GITHUB_ENV
 fi
 if [[ "${{ github.event_name }}" == "pull_request" ]]; then
@@ -114,6 +116,7 @@ jobs:
 echo "${TAG}"
 done
 alias_tags=("${COMMIT_TAGS[@]}")
+ echo "DEFAULT_TAG=${SHA_SHORT}-${VARIANT}" >> $GITHUB_ENV
 else
 alias_tags=("${BUILD_TAGS[@]}")
 fi
@@ -183,6 +186,16 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 oci: false
+ - name: Sign kernel
+ uses: ublue-os/kernel-signer@v0.2.3
+ with:
+ image: ${{ steps.build_image.outputs.image }}
+ default-tag: ${{ env.DEFAULT_TAG }}
+ privkey: ${{ secrets.AKMOD_PRIVKEY_20230518 }}
+ pubkey: /etc/pki/akmods/certs/akmods-ublue.der
+ tags: ${{ steps.build_image.outputs.tags }}
+ strip: false
+
 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
 # https://github.com/macbre/push-to-ghcr/issues/12
 - name: Lowercase Registry
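Review bot: `DEFAULT_TAG` is written only inside the stable and GTS branches, and the chain closes at `fi` with no `else`, so a non-pull-request build of a version that is neither would leave it unset and the signer's `default-tag: ${{ env.DEFAULT_TAG }}` input would expand to an empty string. The `if` that opens this chain starts outside the hunk, so whether such a version can reach this point cannot be confirmed from here. If it can, keep the value in a shell variable per branch and write it once so an empty value aborts the step: `echo "DEFAULT_TAG=${DEFAULT_TAG:?no default tag for this version}" >> "$GITHUB_ENV"`. The redirect target should be quoted as `"$GITHUB_ENV"` in both lines added here and in the `pull_request` line added in the next hunk.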
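Review bot: The new `Sign kernel` step passes `secrets.AKMOD_PRIVKEY_20230518` to an action referenced by the mutable tag `v0.2.3`, so anyone able to move that tag controls code that receives the signing key; pin it to the full commit, e.g. `uses: ublue-os/kernel-signer@<full-commit-sha> # v0.2.3`. The step has no `if:` condition, and the earlier hunk sets `DEFAULT_TAG` for `pull_request` runs, so it appears to run on pull requests as well. Secrets are not provided to pull requests from forks, and on same-repository pull requests the key would be used on an image built from unreviewed changes. If PR images do not need a signed kernel, add `if: github.event_name != 'pull_request'`; otherwise fail explicitly when the key is empty. How kernel-signer behaves with an empty `privkey` is not visible in this patch.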