fix: correct cosign-action name #3
name: Build m2os | |
on: | |
schedule: | |
- cron: "41 6 * * 2" # 6:41 UTC every Tuesday | |
push: | |
branches: | |
- main | |
merge_group: | |
workflow_dispatch: | |
env: | |
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
IMAGE_NAME: m2os | |
jobs: | |
push-ghcr: | |
name: Build Images | |
runs-on: ubuntu-latest | |
continue-on-error: false | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- bluefin | |
- aurora | |
- bazzite-gnome-nvidia | |
steps: | |
- name: Build Variables | |
id: labels | |
uses: Wandalen/wretry.action@v3.5.0 | |
with: | |
attempt_limit: 3 | |
attempt_delay: 15000 | |
command: | | |
set -eo pipefail | |
KERNEL_RELEASE=$(skopeo inspect docker://ghcr.io/ublue-os/${{ matrix.image }}:stable | jq -r '.Labels["ostree.linux"] | split(".x86_64")[0]') | |
fedora_version=$(echo $KERNEL_RELEASE | grep -oP 'fc\K[0-9]+') | |
ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ matrix.image }}:stable | jq -r '.Labels["org.opencontainers.image.version"]') | |
echo "fedora_version=$fedora_version" >> $GITHUB_OUTPUT | |
if [ -z "$ver" ] || [ "null" = "$ver" ]; then | |
echo "inspected image version must not be empty or null" | |
exit 1 | |
fi | |
if [[ ${{ matrix.image }} == "bluefin" || ${{ matrix.image }} == "aurora" ]]; then | |
kernel_flavor=coreos | |
upstream_repo=bluefin | |
elif [[ ${{ matrix.image }} == "bazzite-gnome-nvidia" ]]; then | |
kernel_flavor=fsync | |
upstrem_repo=bazzite | |
fi | |
echo "version=$ver" >> $GITHUB_OUTPUT | |
echo "kernel_release=${KERNEL_RELEASE}" >> $GITHUB_OUTPUT | |
echo "kernel_flavor=${kernel_flavor}" >> $GITHUB_OUTPUT | |
echo "upstream_repo=${upstream_repo}" >> $GITHUB_OUTPUT | |
- name: Verify Base Image | |
uses: EyeCantCU/cosign-action/verify@v0.2.2 | |
with: | |
containers: ${{ matrix.image }}:stable | |
pubkey: https://raw.githubusercontent.com/ublue-os/${{ steps.labels.outputs.upstream_repo }}/main/cosign.pub | |
registry: ghcr.io/ublue-os | |
- name: Verify Akmods Image | |
uses: EyeCantCU/cosign-action/verify@v0.2.2 | |
with: | |
containers: akmods:${{ steps.labels.outputs.fedora_version }}-${{ steps.labels.outputs.kernel_flavor }} | |
pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub | |
registry: ghcr.io/ublue-os | |
- name: Checkout Push to Registry Action | |
uses: actions/checkout@v4 | |
- name: Maximize Build Space | |
if: matrix.image == 'bazzite-gnome-nvidia' | |
uses: ublue-os/remove-unwanted-software@v7 | |
- name: Generate Tags | |
id: generate_tags | |
shell: bash | |
run: | | |
TIMESTAMP="$(date +%Y%m%d)" | |
if [[ "${{ matrix.image }}" == "bazzite-gnome-nvidia" ]]; then | |
tag="gaming-desktop" | |
else | |
tag=${{ matrix.image }} | |
fi | |
BUILD_TAGS+=("${tag}" "${tag}-${TIMESTAMP}") | |
for TAG in "${BUILD_TAGS[@]}"; do | |
echo "${TAG}" | |
done | |
echo "default_tag=${tag}" >> "$GITHUB_OUTPUT" | |
echo "build_tags=${BUILD_TAGS[*]}" >> "$GITHUB_OUTPUT" | |
- name: Pull Images | |
uses: Wandalen/wretry.action@v3.5.0 | |
with: | |
attempt_limit: 3 | |
attempt_delay: 15000 | |
command: podman pull ghcr.io/ublue-os/${{ matrix.image }}:stable | |
podman pull ghcr.io/ublue-os/akmods:${{ steps.labels.outputs.fedora_version }}-${{ steps.labels.outputs.kernel_flavor }} | |
- name: Image Metadata | |
uses: docker/metadata-action@v5 | |
id: meta | |
with: | |
images: ${{ env.IMAGE_NAME }} | |
labels: | | |
org.opencontainers.image.title=${{ env.IMAGE_NAME }} | |
org.opencontainers.image.description=m2os is my OCI image built from ublue projects. It mainly extends bazzite/bluefin for my uses. | |
org.opencontainers.image.version=${{ steps.labels.outputs.version }} | |
ostree.linux=${{ steps.labels.outputs.kernel_release }}.x86_64 | |
- name: Build Image | |
id: build_image | |
uses: redhat-actions/buildah-build@v2 | |
with: | |
containerfiles: | | |
./Containerfile | |
image: ${{ env.IMAGE_NAME }} | |
tags: ${{ steps.generate_tags.outputs.build_tags }} | |
build-args: | | |
IMAGE=${{ matrix.image }} | |
FEDORA_VERSION=${{ steps.labels.outputs.fedora_version }} | |
KERNEL_FLAVOR=${{ steps.labels.outputs.kernel_flavor }} | |
labels: ${{ steps.meta.outputs.labels }} | |
oci: false | |
- name: Lowercase Registry | |
id: registry_case | |
uses: ASzc/change-string-case-action@v6 | |
with: | |
string: ${{ env.IMAGE_REGISTRY }} | |
- name: Push to GHCR | |
uses: Wandalen/wretry.action@v3.5.0 | |
id: push | |
if: github.event_name != 'pull_request' | |
env: | |
REGISTRY_USER: ${{ github.actor }} | |
REGISTRY_PASSWORD: ${{ github.token }} | |
with: | |
action: redhat-actions/push-to-registry@v2 | |
attempt_limit: 3 | |
attempt_delay: 15000 | |
with: | | |
image: ${{ steps.build_image.outputs.image }} | |
tags: ${{ steps.build_image.outputs.tags }} | |
registry: ${{ steps.registry_case.outputs.lowercase }} | |
username: ${{ env.REGISTRY_USER }} | |
password: ${{ env.REGISTRY_PASSWORD }} | |
extra-args: | | |
--disable-content-trust | |
--compression-format=zstd:chunked | |
- name: Sign Container Image | |
uses: EyeCantCU/cosign-action/sign@v0.2.2 | |
if: github.event_name != 'pull_request' | |
with: | |
containers: ${{ env.IMAGE_NAME }} | |
registry: ${{ env.IMAGE_REGISTRY }} | |
registry-token: ${{ secrets.GITHUB_TOKEN }} | |
signing-secret: ${{ secrets.SIGNING_SECRET }} | |
tags: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} | |
- name: Echo Outputs | |
if: github.event_name != 'pull_request' | |
run: | | |
echo "${{ toJSON(steps.push.outputs) }}" |
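Review bot: `upstrem_repo=bazzite` in the bazzite-gnome-nvidia branch of the Build Variables step is misspelled, so `upstream_repo` is never set for that image and the Verify Base Image step's pubkey URL renders as `https://raw.githubusercontent.com/ublue-os//main/cosign.pub`; base-image signature verification for bazzite cannot succeed, which the action rename in this commit does not address. Change the line to `upstream_repo=bazzite` and harden the script header to `set -euo pipefail` so an unset variable fails at the `echo "upstream_repo=…"` line instead of in a later step. The Pull Images step's `command:` appears to span two plain-scalar lines; if the second line is a continuation, YAML folds both into a single `podman pull` invocation, so writing it as `command: |` with one `podman pull` per line would avoid that. It is also worth confirming that the Sign Container Image step's `registry: ${{ env.IMAGE_REGISTRY }}` resolves to the same lowercased registry used by the push when the repository owner contains uppercase characters.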