00 - Do full overlay builds #154
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: my-ostree-build | |
| on: | |
| schedule: | |
| - cron: "00 15 * * *" | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: # don't rebuild if only documentation has changed | |
| - "**.md" | |
| workflow_dispatch: # allow manually triggering builds | |
| jobs: | |
| my-ostree-build: | |
| name: Build Custom Image | |
| runs-on: ubuntu-latest | |
| env: | |
| BB_BUILDKIT_CACHE_GHA: true | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false # stop GH from cancelling all matrix builds if one fails | |
| matrix: | |
| recipe: | |
| # !! Add your recipes here | |
| - fedora-kinoite-laptop.yml | |
| steps: | |
| - name: Build Custom Image | |
| uses: prydom/bluebuild-github-action@enable-docker-container-driver | |
| with: | |
| recipe: ${{ matrix.recipe }} | |
| cosign_private_key: ${{ secrets.SIGNING_SECRET }} | |
| registry_token: ${{ github.token }} | |
| pr_event_number: ${{ github.event.number }} | |
| use_unstable_cli: true | |
| rpm-ostree-rechunk: | |
| name: rpm-ostree re-encapsulate | |
| runs-on: ubuntu-latest | |
| needs: my-ostree-build | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - fedora-kinoite-laptop | |
| container: | |
| image: ghcr.io/prydom/ostree-buildroot:rawhide | |
| options: --privileged | |
| env: | |
| # TODO: use value from target-manifest to get branch name instead of assuming Rawhide | |
| RECHUNK_TARGET_TAG: ${{ github.ref_name == github.event.repository.default_branch && 'latest' || format('br-{0}-Rawhide', github.ref_name) }} | |
| steps: | |
| - name: Upgrade packages and install cosign | |
| shell: bash | |
| run: | | |
| dnf upgrade -y | |
| LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") | |
| curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-${LATEST_VERSION}-1.x86_64.rpm" | |
| sudo rpm -i cosign-${LATEST_VERSION}-1.x86_64.rpm | |
| - name: Login to registry | |
| shell: bash | |
| run: | | |
| mkdir -p /etc/containers | |
| echo '{}' > /etc/containers/auth.json | |
| ln -s /etc/containers/auth.json /etc/ostree/auth.json | |
| mkdir -p ~/.config/containers | |
| ln -s /etc/containers/auth.json ~/.config/containers/auth.json | |
| mkdir -p ~/.docker | |
| ln -s /etc/containers/auth.json ~/.docker/config.json | |
| buildah login ghcr.io --authfile /etc/containers/auth.json -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get container manifest | |
| id: target-manifest | |
| shell: bash | |
| run: | | |
| skopeo inspect docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG > target-manifest.json | |
| echo "CONTAINER_IMAGE_VERSION=$(jq -r '.Labels."org.opencontainers.image.version"' target-manifest.json)" >> "$GITHUB_OUTPUT" | |
| - name: Create ostree repo | |
| shell: bash | |
| run: | | |
| mkdir repo | |
| ostree init --repo=repo --mode=bare | |
| - name: Pull container image | |
| shell: bash | |
| run: | | |
| ostree container image pull repo ostree-unverified-image:docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG | |
| - name: Re-encapsulate image | |
| id: re-encapsulate | |
| shell: bash | |
| run: | | |
| skopeo inspect --raw docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked > previous-manifest.json || rm -f previous-manifest.json | |
| PREVIOUS_BUILD_MANIFEST=() | |
| if [ -f "previous-manifest.json" ]; then | |
| PREVIOUS_BUILD_MANIFEST+=("--previous-build-manifest=previous-manifest.json") | |
| fi | |
| export REF=$(ostree refs --repo=repo ostree/container/image) | |
| rpm-ostree compose container-encapsulate --repo=repo \ | |
| --cmd="/usr/bin/bash" \ | |
| --label="containers.bootc=1" \ | |
| --label="ostree.bootable=true" \ | |
| --label="org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ | |
| --label="org.opencontainers.image.title=${{ matrix.image }}" \ | |
| --label="org.opencontainers.image.version=${{ steps.target-manifest.outputs.CONTAINER_IMAGE_VERSION }}" \ | |
| "${PREVIOUS_BUILD_MANIFEST[@]}" \ | |
| ostree/container/image/$REF registry:ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked | tee compose.out | |
| export DIGEST=$(tail -n1 compose.out | grep -Eo 'sha256:[A-Fa-f0-9]+$') | |
| echo "DIGEST=$DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Sign image with cosign | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | |
| DIGEST: ${{ steps.re-encapsulate.outputs.DIGEST }} | |
| shell: bash | |
| run: | | |
| cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST" |