fix: container signing, remove Webapp-Manager #40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build m2os | |
| on: | |
| schedule: | |
| - cron: "41 6 * * 2" # 6:41 UTC every Tuesday | |
| push: | |
| branches: | |
| - main | |
| merge_group: | |
| workflow_dispatch: | |
| env: | |
| IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
| IMAGE_NAME: m2os | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| push-ghcr: | |
| name: Build Images | |
| runs-on: ubuntu-24.04 | |
| continue-on-error: false | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - bluefin | |
| - bluefin-nvidia | |
| - aurora | |
| - aurora-nvidia | |
| - bazzite-deck-gnome | |
| - bazzite-gnome-nvidia | |
| steps: | |
| - name: Build Variables | |
| id: labels | |
| uses: Wandalen/wretry.action@v3.5.0 | |
| with: | |
| attempt_limit: 3 | |
| attempt_delay: 15000 | |
| command: | | |
| set -eo pipefail | |
| KERNEL_RELEASE=$(skopeo inspect docker://ghcr.io/ublue-os/${{ matrix.image }}:stable | jq -r '.Labels["ostree.linux"] | split(".x86_64")[0]') | |
| fedora_version=$(echo $KERNEL_RELEASE | grep -oP 'fc\K[0-9]+') | |
| ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ matrix.image }}:stable | jq -r '.Labels["org.opencontainers.image.version"]') | |
| echo "fedora_version=$fedora_version" >> $GITHUB_OUTPUT | |
| if [ -z "$ver" ] || [ "null" = "$ver" ]; then | |
| echo "inspected image version must not be empty or null" | |
| exit 1 | |
| fi | |
| if [[ ${{ matrix.image }} =~ "bazzite" ]]; then | |
| kernel_flavor=fsync | |
| upstream_repo=bazzite | |
| else | |
| kernel_flavor=coreos | |
| upstream_repo=bluefin | |
| fi | |
| echo "version=$ver" >> $GITHUB_ENV | |
| echo "kernel_release=${KERNEL_RELEASE}" >> $GITHUB_ENV | |
| echo "fedora_version=${fedora_version}" >> $GITHUB_ENV | |
| echo "kernel_flavor=${kernel_flavor}" >> $GITHUB_ENV | |
| echo "upstream_repo=${upstream_repo}" >> $GITHUB_ENV | |
| - name: Verify Base Image | |
| uses: EyeCantCU/cosign-action/verify@v0.2.2 | |
| with: | |
| containers: ${{ matrix.image }}:stable | |
| pubkey: https://raw.githubusercontent.com/ublue-os/${{ env.upstream_repo }}/main/cosign.pub | |
| registry: ghcr.io/ublue-os | |
| - name: Checkout Push to Registry Action | |
| uses: actions/checkout@v4 | |
| - name: Maximize Build Space | |
| if: matrix.image == 'bazzite-gnome-nvidia' | |
| uses: ublue-os/remove-unwanted-software@v7 | |
| - name: Generate Tags | |
| id: generate_tags | |
| shell: bash | |
| run: | | |
| TIMESTAMP="$(date +%Y%m%d)" | |
| if [[ "${{ matrix.image }}" =~ "bazzite-deck" ]]; then | |
| tag="bazzite-deck" | |
| elif [[ "${{ matrix.image }}" =~ "bazzite" ]]; then | |
| tag="bazzite" | |
| else | |
| tag=${{ matrix.image }} | |
| fi | |
| BUILD_TAGS+=("${tag}" "${tag}-${TIMESTAMP}") | |
| for TAG in "${BUILD_TAGS[@]}"; do | |
| echo "${TAG}" | |
| done | |
| echo "default_tag=${tag}" >> "$GITHUB_OUTPUT" | |
| echo "build_tags=${BUILD_TAGS[*]}" >> "$GITHUB_OUTPUT" | |
| - name: Pull Images | |
| uses: Wandalen/wretry.action@v3.5.0 | |
| with: | |
| attempt_limit: 3 | |
| attempt_delay: 15000 | |
| command: | | |
| podman pull ghcr.io/ublue-os/${{ matrix.image }}:stable | |
| podman pull ghcr.io/ublue-os/akmods:${{ env.kernel_flavor }}-${{ env.fedora_version }} | |
| - name: Image Metadata | |
| uses: docker/metadata-action@v5 | |
| id: meta | |
| with: | |
| images: ${{ env.IMAGE_NAME }} | |
| labels: | | |
| org.opencontainers.image.title=${{ env.IMAGE_NAME }} | |
| org.opencontainers.image.description=m2os is my OCI image built from ublue projects. It mainly extends bazzite/bluefin for my uses. | |
| org.opencontainers.image.version=${{ env.version }} | |
| ostree.linux=${{ env.kernel_release }}.x86_64 | |
| - name: Build Image | |
| id: build_image | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| containerfiles: | | |
| ./Containerfile | |
| image: ${{ env.IMAGE_NAME }} | |
| tags: ${{ steps.generate_tags.outputs.build_tags }} | |
| build-args: | | |
| IMAGE=${{ matrix.image }} | |
| FEDORA_VERSION=${{ env.fedora_version }} | |
| KERNEL_FLAVOR=${{ env.kernel_flavor }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| oci: false | |
| - name: Lowercase Registry | |
| id: registry_case | |
| uses: ASzc/change-string-case-action@v6 | |
| with: | |
| string: ${{ env.IMAGE_REGISTRY }} | |
| - name: Push to GHCR | |
| uses: Wandalen/wretry.action@v3.5.0 | |
| id: push | |
| if: github.event_name != 'pull_request' | |
| env: | |
| REGISTRY_USER: ${{ github.actor }} | |
| REGISTRY_PASSWORD: ${{ github.token }} | |
| with: | |
| action: redhat-actions/push-to-registry@v2 | |
| attempt_limit: 3 | |
| attempt_delay: 15000 | |
| with: | | |
| image: ${{ steps.build_image.outputs.image }} | |
| tags: ${{ steps.build_image.outputs.tags }} | |
| registry: ${{ steps.registry_case.outputs.lowercase }} | |
| username: ${{ env.REGISTRY_USER }} | |
| password: ${{ env.REGISTRY_PASSWORD }} | |
| extra-args: | | |
| --disable-content-trust | |
| --compression-format=zstd:chunked | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| if: github.event_name != 'pull_request' | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: sigstore/cosign-installer@v3.5.0 | |
| if: github.event_name != 'pull_request' | |
| - name: Sign Container Image | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${tags} | |
| env: | |
| tags: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} | |
| COSIGN_EXPERIMENTAL: false | |
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | |
| - name: Echo Outputs | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| echo "${{ toJSON(steps.push.outputs) }}" |