
fix: update cosign section and align with other action changes #54

Merged
merged 1 commit into from
Mar 2, 2023
Merged
98 changes: 62 additions & 36 deletions .github/workflows/build.yml
Expand Up @@ -7,15 +7,15 @@ on:
- '**.md'
- '**.txt'
schedule:
- cron: '21 20 * * *' # 9:20pm everyday
- cron: '20 20 * * *' # 8:20pm everyday
push:
branches:
- main
paths-ignore:
- '**.md'
- '**.txt'
- '**.txt'
env:
IMAGE_NAME: ubuntu
IMAGE_BASE_NAME: ubuntu
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}

jobs:
Expand All @@ -29,36 +29,61 @@ jobs:
strategy:
fail-fast: false
matrix:
image_name: [base]
major_version: [37]
include:
- major_version: 37
is_latest: true
is_stable: true
is_latest_version: true
is_stable_version: true
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v3

- name: Matrix Variables
run: |
echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.image_name, env.IMAGE_BASE_NAME) }}" >> $GITHUB_ENV

- name: Generate tags
id: generate-tags
shell: bash
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
alias_tags=()
# Only perform the follow code when the action is spawned from a Pull Request
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
MAJOR_VERSION="${{ matrix.major_version }}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="$(git rev-parse --short HEAD)"
COMMIT_TAGS+=("pr-${{ github.event.number }}-${MAJOR_VERSION}")
COMMIT_TAGS+=("${SHA_SHORT}-${MAJOR_VERSION}")
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
COMMIT_TAGS+=("pr-${{ github.event.number }}")
COMMIT_TAGS+=("${SHA_SHORT}")
fi

BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION}-${TIMESTAMP}")

if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
BUILD_TAGS+=("${TIMESTAMP}")
BUILD_TAGS+=("latest")
fi

if [[ "${{ github.event_name }}" == "pull_request" ]]; then
alias_tags+=("pr-${{ github.event.number }}")
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
# The following is run when the timer is triggered or a merge/push to main
echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT
alias_tags+=("${{ matrix.major_version }}")
if [[ "${{ matrix.is_latest }}" == "true" ]]; then
alias_tags+=("latest")
fi
if [[ "${{ matrix.is_stable }}" == "true" ]]; then
alias_tags+=("stable")
fi
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT

# Build metadata
Expand All @@ -67,9 +92,12 @@ jobs:
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
$IMAGE_NAME
labels: |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ubuntu/main/README.md
org.opencontainers.image.title=$IMAGE_NAME
org.opencontainers.image.description=A base $IMAGE_NAME image with batteries included
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ubuntu/ubuntu/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4

# Build image using Buildah action
- name: Build Image
Expand All @@ -81,9 +109,8 @@ jobs:
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
${{ steps.generate-tags.outputs.date }}
${{ steps.generate-tags.outputs.sha_short }}
build-args: |
IMAGE_NAME=${{ matrix.image_name }}
FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
Expand All @@ -100,6 +127,7 @@ jobs:
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
Expand All @@ -112,32 +140,30 @@ jobs:
extra-args: |
--disable-content-trust

# Sign container
- uses: sigstore/cosign-installer@main

# Only needed when running `cosign sign` using a key
- name: Write signing key to disk
run: |
echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
# DEBUG: get character count of key
wc -c cosign.key
env:
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

# Sign container
- uses: sigstore/[email protected]
if: github.event_name != 'pull_request'

- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
wc -c cosign.key
cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

- name: Echo outputs
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
echo "${{ toJSON(steps.push.outputs) }}"
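Review bot: The rewritten "Sign container image" step still materialises the private key on disk through expression substitution — `echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key` inlines the secret into the generated shell script instead of reading the `COSIGN_PRIVATE_KEY` variable that the step's own `env` block already exports, and both the `wc -c cosign.key` debug line and the key file are left behind in the workspace after signing. Cosign can read the key directly from the environment, so the three `run` lines collapse to `cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}` with nothing written to disk. If a key file is kept, write it with `printf '%s' "$COSIGN_PRIVATE_KEY" > cosign.key` and add `rm -f cosign.key` after the sign call. The `registry_case` step referenced here is outside this hunk, and the cosign-installer version in the new `uses:` line is garbled in this rendering, so confirm the pinned ref in the raw diff (a full commit SHA is the stronger pin for a signing tool).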
5 changes: 3 additions & 2 deletions Containerfile
Expand Up @@ -6,14 +6,15 @@ FROM ghcr.io/ublue-os/base:${FEDORA_MAJOR_VERSION}
COPY etc /etc
COPY usr /usr

COPY --from=ghcr.io/ublue-os/udev-rules:latest /ublue-os-udev-rules /
#COPY --from=ghcr.io/ublue-os/udev-rules:latest /ublue-os-udev-rules /

RUN rpm-ostree override remove gnome-extensions-app
RUN wget https://github.com/terrapkg/subatomic-repos/raw/main/terra.repo -O /etc/yum.repos.d/terra.repo
RUN wget https://copr.fedorainfracloud.org/coprs/kylegospo/gnome-vrr/repo/fedora-$(rpm -E %fedora)/kylegospo-gnome-vrr-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_kylegospo-gnome-vrr.repo
RUN wget https://copr.fedorainfracloud.org/coprs/sunwire/input-remapper/repo/fedora-37/sunwire-input-remapper-fedora-37.repo -O /etc/yum.repos.d/sunwire-input-remapper-fedora-37.repo
RUN wget https://copr.fedorainfracloud.org/coprs/kylegospo/webapp-manager/repo/fedora-37/kylegospo-webapp-manager-fedora-37.repo -O /etc/yum.repos.d/kylegospo-webapp-manager-fedora-37.repo
RUN rpm-ostree override replace --experimental --from repo=copr:copr.fedorainfracloud.org:kylegospo:gnome-vrr mutter gnome-control-center gnome-control-center-filesystem
RUN rpm-ostree override remove gnome-software-rpm-ostree
RUN rpm-ostree override remove gnome-software-rpm-ostree
RUN rpm-ostree install blackbox-terminal gnome-shell-extension-appindicator gnome-shell-extension-dash-to-dock \
gnome-shell-extension-blur-my-shell gnome-shell-extension-gsconnect nautilus-gsconnect \
just libgda libgda-sqlite libratbag-ratbagd openssl podman-docker python3-input-remapper \
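Review bot: The two new repo fetches (sunwire/input-remapper and kylegospo/webapp-manager) hardcode `fedora-37` in both the URL and the destination file name, while the gnome-vrr line directly above derives the release with `$(rpm -E %fedora)` and the base image is selected by `FEDORA_MAJOR_VERSION`; a future major-version bump would likely leave these two lines pulling the Fedora 37 repo definitions. Use the same substitution in both lines, e.g. `RUN wget https://copr.fedorainfracloud.org/coprs/sunwire/input-remapper/repo/fedora-$(rpm -E %fedora)/sunwire-input-remapper-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/sunwire-input-remapper-fedora-$(rpm -E %fedora).repo`. The commented-out `#COPY --from=ghcr.io/ublue-os/udev-rules:latest /ublue-os-udev-rules /` line would read better with a note on why it is parked rather than deleted, e.g. `# udev-rules layer disabled: <reason placeholder>` above it.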