Merge branch 'bluefin-main' #44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Push Image | |
| on: | |
| # merge_group: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 6 * * *" # at 06:00 UTC (midnight CST) | |
| pull_request: | |
| branches: | |
| - main | |
| - testing | |
| paths-ignore: | |
| - "**.md" | |
| push: | |
| branches: | |
| - main | |
| - testing | |
| tags: | |
| - "v*.*.*" | |
| paths-ignore: | |
| - "**.md" | |
| concurrency: | |
| cancel-in-progress: true | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }} | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| IMAGE_FLAVOR: asus | |
| AKMODS_FLAVOR: asus | |
| FEDORA_MAJOR_VERSION: 39 | |
| IMAGE_NAME: orora-bluefin | |
| IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
| jobs: | |
| build: | |
| name: Build and Push | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tags: ${{ steps.meta.outputs.tags }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout Push to Registry action | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| buildkitd-flags: --debug | |
| # Image verification | |
| - name: Verify base image | |
| uses: EyeCantCU/cosign-action/verify@v0.2.2 | |
| with: | |
| containers: silverblue-${{ env.IMAGE_FLAVOR }}:${{ env.FEDORA_MAJOR_VERSION }} | |
| - name: Verify Chainguard images | |
| uses: EyeCantCU/cosign-action/verify@v0.2.2 | |
| with: | |
| registry: cgr.dev/chainguard | |
| containers: dive, flux, helm, ko, minio, kubectl | |
| oidc-issuer: https://token.actions.githubusercontent.com | |
| cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main | |
| - name: Maximize build space | |
| uses: ublue-os/remove-unwanted-software@v6 | |
| with: | |
| remove-large-packages: false | |
| - name: Get Current Fedora Version | |
| id: labels | |
| shell: bash | |
| run: | | |
| set -eo pipefail | |
| ver=$(skopeo inspect docker://ghcr.io/ublue-os/silverblue-${{ env.IMAGE_FLAVOR }}:${{ env.FEDORA_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]') | |
| if [ -z "$ver" ] || [ "null" = "$ver" ]; then | |
| echo "inspected image version must not be empty or null" | |
| exit 1 | |
| fi | |
| echo "VERSION=$ver" >> $GITHUB_OUTPUT | |
| - name: Login to GitHub Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Setup Caching | |
| - name: Cache var-cache-apt | |
| id: cache-var-cache-apt | |
| uses: actions/cache@v3 | |
| with: | |
| path: var-cache-apt | |
| key: var-cache-apt-${{ hashFiles('Dockerfile') }} | |
| - name: Cache var-lib-apt | |
| id: cache-var-lib-apt | |
| uses: actions/cache@v3 | |
| with: | |
| path: var-lib-apt | |
| key: var-lib-apt-${{ hashFiles('Dockerfile') }} | |
| - name: inject var-cache-apt into docker | |
| uses: reproducible-containers/buildkit-cache-dance@v2.1.4 | |
| with: | |
| cache-source: var-cache-apt | |
| cache-target: /var/cache/apt | |
| skip-extraction: ${{ steps.cache-var-cache-apt.outputs.cache-hit }} | |
| - name: inject var-lib-apt into docker | |
| uses: reproducible-containers/buildkit-cache-dance@v2.1.4 | |
| with: | |
| cache-source: var-lib-apt | |
| cache-target: /var/lib/apt | |
| skip-extraction: ${{ steps.cache-var-lib-apt.outputs.cache-hit }} | |
| # Metadata | |
| - name: Image Metadata | |
| uses: docker/metadata-action@v5 | |
| id: meta | |
| with: | |
| images: | | |
| ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| labels: | | |
| org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} | |
| tags: | | |
| type=ref,event=tag | |
| type=sha,format=short | |
| type=ref,event=branch | |
| type=schedule,pattern=nightly | |
| - name: Build and push | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| push: ${{ github.event_name != 'pull_request' }} | |
| annotations: ${{ steps.meta.outputs.annotations }} | |
| build-args: | | |
| IMAGE_NAME=${{ env.IMAGE_NAME }} | |
| IMAGE_FLAVOR=${{ env.IMAGE_FLAVOR }} | |
| AKMODS_FLAVOR=${{ env.AKMODS_FLAVOR }} | |
| IMAGE_VENDOR=${{ github.repository_owner }} | |
| FEDORA_MAJOR_VERSION=${{ env.FEDORA_MAJOR_VERSION }} | |
| sign: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| id-token: write | |
| packages: write | |
| steps: | |
| - name: Login to GitHub Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: sigstore/cosign-installer@v3 | |
| - name: Sign the images | |
| run: cosign sign -y ${TAGS} | |
| env: | |
| TAGS: ${{needs.build.outputs.tags}} | |
| - name: Verify the pushed tags | |
| run: | | |
| cosign verify \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| --certificate-identity-regexp "${{ github.server_url }}/${{ github.repository }}" \ | |
| ${TAGS} | |
| env: | |
| TAGS: ${{needs.build.outputs.tags}} |