From 78acf44e6be23180da41da37fa3e70a3a3c94a96 Mon Sep 17 00:00:00 2001 From: "Jorge O. Castro" Date: Thu, 2 Mar 2023 17:49:02 -0500 Subject: [PATCH] fix: update cosign section and align with other action changes (#54) --- .github/workflows/build.yml | 98 +++++++++++++++++++++++-------------- Containerfile | 5 +- 2 files changed, 65 insertions(+), 38 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7b3bae1c..27b8ab48 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,15 +7,15 @@ on: - '**.md' - '**.txt' schedule: - - cron: '21 20 * * *' # 9:20pm everyday + - cron: '20 20 * * *' # 8:20pm everyday push: branches: - main paths-ignore: - '**.md' - - '**.txt' + - '**.txt' env: - IMAGE_NAME: ubuntu + IMAGE_BASE_NAME: ubuntu IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} jobs: @@ -29,36 +29,61 @@ jobs: strategy: fail-fast: false matrix: + image_name: [base] major_version: [37] include: - major_version: 37 - is_latest: true - is_stable: true + is_latest_version: true + is_stable_version: true steps: # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v3 + - name: Matrix Variables + run: | + echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.image_name, env.IMAGE_BASE_NAME) }}" >> $GITHUB_ENV + - name: Generate tags id: generate-tags shell: bash run: | - echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - alias_tags=() - # Only perform the follow code when the action is spawned from a Pull Request + # Generate a timestamp for creating an image version history + TIMESTAMP="$(date +%Y%m%d)" + MAJOR_VERSION="${{ matrix.major_version }}" + COMMIT_TAGS=() + BUILD_TAGS=() + # Have tags for tracking builds during pull request + SHA_SHORT="$(git rev-parse --short HEAD)" + COMMIT_TAGS+=("pr-${{ github.event.number }}-${MAJOR_VERSION}") + COMMIT_TAGS+=("${SHA_SHORT}-${MAJOR_VERSION}") + if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ + [[ "${{ matrix.is_stable_version }}" == "true" ]]; then + COMMIT_TAGS+=("pr-${{ github.event.number }}") + COMMIT_TAGS+=("${SHA_SHORT}") + fi + + BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION}-${TIMESTAMP}") + + if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ + [[ "${{ matrix.is_stable_version }}" == "true" ]]; then + BUILD_TAGS+=("${TIMESTAMP}") + BUILD_TAGS+=("latest") + fi + if [[ "${{ github.event_name }}" == "pull_request" ]]; then - alias_tags+=("pr-${{ github.event.number }}") + echo "Generated the following commit tags: " + for TAG in "${COMMIT_TAGS[@]}"; do + echo "${TAG}" + done + alias_tags=("${COMMIT_TAGS[@]}") else - # The following is run when the timer is triggered or a merge/push to main - echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT - alias_tags+=("${{ matrix.major_version }}") - if [[ "${{ matrix.is_latest }}" == "true" ]]; then - alias_tags+=("latest") - fi - if [[ "${{ matrix.is_stable }}" == "true" ]]; then - alias_tags+=("stable") - fi + alias_tags=("${BUILD_TAGS[@]}") fi + echo "Generated the following build tags: " + for TAG in "${BUILD_TAGS[@]}"; do + echo "${TAG}" + done echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT # Build metadata @@ -67,9 +92,12 @@ jobs: id: meta with: images: | - ${{ env.IMAGE_NAME }} + $IMAGE_NAME labels: | - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ubuntu/main/README.md + org.opencontainers.image.title=$IMAGE_NAME + org.opencontainers.image.description=A base $IMAGE_NAME image with batteries included + io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ubuntu/ubuntu/README.md + io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 # Build image using Buildah action - name: Build Image @@ -81,9 +109,8 @@ jobs: image: ${{ env.IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} - ${{ steps.generate-tags.outputs.date }} - ${{ steps.generate-tags.outputs.sha_short }} build-args: | + IMAGE_NAME=${{ matrix.image_name }} FEDORA_MAJOR_VERSION=${{ matrix.major_version }} labels: ${{ steps.meta.outputs.labels }} oci: false @@ -100,6 +127,7 @@ jobs: - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push + if: github.event_name != 'pull_request' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} @@ -112,32 +140,30 @@ jobs: extra-args: | --disable-content-trust - # Sign container - - uses: sigstore/cosign-installer@main - - # Only needed when running `cosign sign` using a key - - name: Write signing key to disk - run: | - echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key - # DEBUG: get character count of key - wc -c cosign.key - env: - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - - name: Login to GitHub Container Registry uses: docker/login-action@v2 + if: github.event_name != 'pull_request' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + # Sign container + - uses: sigstore/cosign-installer@v3.0.1 + if: github.event_name != 'pull_request' + - name: Sign container image + if: github.event_name != 'pull_request' run: | - cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} + echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key + wc -c cosign.key + cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - name: Echo outputs + if: github.event_name != 'pull_request' run: | - echo "${{ toJSON(steps.push.outputs) }}" + echo "${{ toJSON(steps.push.outputs) }}" \ No newline at end of file diff --git a/Containerfile b/Containerfile index 115382c8..f039465a 100644 --- a/Containerfile +++ b/Containerfile @@ -6,14 +6,15 @@ FROM ghcr.io/ublue-os/base:${FEDORA_MAJOR_VERSION} COPY etc /etc COPY usr /usr -COPY --from=ghcr.io/ublue-os/udev-rules:latest /ublue-os-udev-rules / +#COPY --from=ghcr.io/ublue-os/udev-rules:latest /ublue-os-udev-rules / +RUN rpm-ostree override remove gnome-extensions-app RUN wget https://github.com/terrapkg/subatomic-repos/raw/main/terra.repo -O /etc/yum.repos.d/terra.repo RUN wget https://copr.fedorainfracloud.org/coprs/kylegospo/gnome-vrr/repo/fedora-$(rpm -E %fedora)/kylegospo-gnome-vrr-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_kylegospo-gnome-vrr.repo RUN wget https://copr.fedorainfracloud.org/coprs/sunwire/input-remapper/repo/fedora-37/sunwire-input-remapper-fedora-37.repo -O /etc/yum.repos.d/sunwire-input-remapper-fedora-37.repo RUN wget https://copr.fedorainfracloud.org/coprs/kylegospo/webapp-manager/repo/fedora-37/kylegospo-webapp-manager-fedora-37.repo -O /etc/yum.repos.d/kylegospo-webapp-manager-fedora-37.repo RUN rpm-ostree override replace --experimental --from repo=copr:copr.fedorainfracloud.org:kylegospo:gnome-vrr mutter gnome-control-center gnome-control-center-filesystem -RUN rpm-ostree override remove gnome-software-rpm-ostree +RUN rpm-ostree override remove gnome-software-rpm-ostree RUN rpm-ostree install blackbox-terminal gnome-shell-extension-appindicator gnome-shell-extension-dash-to-dock \ gnome-shell-extension-blur-my-shell gnome-shell-extension-gsconnect nautilus-gsconnect \ just libgda libgda-sqlite libratbag-ratbagd openssl podman-docker python3-input-remapper \