00 - Do full overlay builds #235

Workflow file for this run

	name: 00 - Do full overlay builds
	on:
	schedule:
	- cron: "12 15 * * 6"
	push:
	branches:
	- main
	paths-ignore:
	- "README.md"
	- ".gitignore"
	- ".github/**"
	- "rpm-builds/**"
	- "buildroot/**"
	workflow_dispatch: # allow manually triggering builds
	jobs:
	my-ostree-build:
	name: Build Custom Image
	runs-on: ubuntu-latest
	env:
	BB_BUILDKIT_CACHE_GHA: true
	permissions:
	contents: read
	packages: write
	id-token: write
	strategy:
	fail-fast: false # stop GH from cancelling all matrix builds if one fails
	matrix:
	recipe:
	# !! Add your recipes here
	- fedora-kinoite-laptop.yml
	steps:
	- name: Build Custom Image
	uses: prydom/bluebuild-github-action@enable-docker-container-driver
	with:
	recipe: ${{ matrix.recipe }}
	cosign_private_key: ${{ secrets.SIGNING_SECRET }}
	registry_token: ${{ github.token }}
	pr_event_number: ${{ github.event.number }}
	use_unstable_cli: true
	rpm-ostree-rechunk:
	name: rpm-ostree re-encapsulate
	runs-on: ubuntu-latest
	needs: my-ostree-build
	permissions:
	contents: read
	packages: write
	id-token: write
	strategy:
	fail-fast: false
	matrix:
	image:
	- fedora-kinoite-laptop
	container:
	image: ghcr.io/prydom/ostree-buildroot:rawhide
	options: --privileged
	env:
	# TODO: use value from target-manifest to get branch name instead of assuming Rawhide
	RECHUNK_TARGET_TAG: ${{ github.ref_name == github.event.repository.default_branch && 'latest' \|\| format('br-{0}-Rawhide', github.ref_name) }}
	steps:
	- name: Login to registry
	shell: bash
	run: \|
	mkdir -p /etc/containers
	echo '{}' > /etc/containers/auth.json
	ln -sr /etc/containers/auth.json /etc/ostree/auth.json
	mkdir -p ~/.config/containers
	ln -sr /etc/containers/auth.json ~/.config/containers/auth.json
	mkdir -p ~/.docker
	ln -sr /etc/containers/auth.json ~/.docker/config.json
	buildah login ghcr.io --authfile /etc/containers/auth.json -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
	- name: Get container manifest
	id: target-manifest
	shell: bash
	run: \|
	skopeo inspect docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG > target-manifest.json
	echo "CONTAINER_IMAGE_VERSION=$(jq -r '.Labels."org.opencontainers.image.version"' target-manifest.json)" >> "$GITHUB_OUTPUT"
	- name: Create ostree repo
	shell: bash
	run: \|
	mkdir repo
	ostree init --repo=repo --mode=bare
	- name: Pull container image
	shell: bash
	run: \|
	ostree container image pull repo ostree-unverified-image:docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG
	- name: Checkout image and recommit to re-label
	shell: bash
	run: \|
	set -x
	export REF="$(ostree refs --repo=repo ostree/container/image)"

	ostree checkout --repo=repo \
	--require-hardlinks \
	"ostree/container/image/$REF" checkout

	mkdir -m 000 -p checkout/nix

	ostree commit \
	"--branch=relabeled" \
	--repo=repo \
	--bootable \
	--consume \
	"--selinux-policy=$PWD/checkout" \
	checkout
	- name: Re-encapsulate image
	id: re-encapsulate
	shell: bash
	run: \|
	skopeo inspect --raw docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked > previous-manifest.json \|\| rm -f previous-manifest.json

	PREVIOUS_BUILD_MANIFEST=()
	if [ -f "previous-manifest.json" ]; then
	PREVIOUS_BUILD_MANIFEST+=("--previous-build-manifest=previous-manifest.json")
	fi

	rpm-ostree compose container-encapsulate --repo=repo \
	--cmd="/usr/bin/bash" \
	--label="containers.bootc=1" \
	--label="ostree.bootable=true" \
	--label="org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
	--label="org.opencontainers.image.title=${{ matrix.image }}" \
	--label="org.opencontainers.image.version=${{ steps.target-manifest.outputs.CONTAINER_IMAGE_VERSION }}" \
	"${PREVIOUS_BUILD_MANIFEST[@]}" \
	relabeled registry:ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked \| tee compose.out
	export DIGEST=$(tail -n1 compose.out \| grep -Eo 'sha256:[A-Fa-f0-9]+$')
	echo "DIGEST=$DIGEST" >> "$GITHUB_OUTPUT"
	- name: Sign image with cosign
	env:
	COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
	DIGEST: ${{ steps.re-encapsulate.outputs.DIGEST }}
	shell: bash
	run: \|
	cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST"
	- name: Delete ostree repo
	shell: bash
	run: \|
	rm -rf repo
	- name: Recompress image with zstd
	id: re-compress
	shell: bash
	run: \|
	mkdir ostree-image
	skopeo copy --dest-compress --dest-compress-format zstd --remove-signatures \
	docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked dir:ostree-image
	skopeo copy --preserve-digests --digestfile recompress.digest \
	dir:ostree-image docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-recompressed
	echo "DIGEST=$(cat recompress.digest)" >> "$GITHUB_OUTPUT"
	- name: Sign (recompressed) image with cosign
	env:
	COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
	DIGEST: ${{ steps.re-compress.outputs.DIGEST }}
	shell: bash
	run: \|
	cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST"
	- name: Replace snapshot tag (if on default branch)
	env:
	DIGEST: ${{ steps.re-compress.outputs.DIGEST }}
	shell: bash
	if: ${{ github.ref_name == github.event.repository.default_branch }}
	run: \|
	skopeo copy "docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST" "docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:snapshot"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

00 - Do full overlay builds #235

Workflow file

00 - Do full overlay builds #235

Jobs

Run details

Workflow file for this run