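# Builds the custom OSTree image(s) with BlueBuild, then re-encapsulates,
# signs and recompresses the result in a second job.
#
# Runtime-derived values (registry token, image-label output, actor, matrix
# values) are passed to shell steps through `env:` rather than interpolated
# with `${{ }}` directly into `run:` scripts, so the shell only ever sees
# them as quoted variables.
name: 00 - Do full overlay builds
on:
  schedule:
    - cron: "12 15 * * 6"
  push:
    branches:
      - main
    paths-ignore:
      - "README.md"
      - ".gitignore"
      - ".github/**"
      - "rpm-builds/**"
      - "buildroot/**"
  workflow_dispatch: # allow manually triggering builds

jobs:
  my-ostree-build:
    name: Build Custom Image
    runs-on: ubuntu-latest
    env:
      BB_BUILDKIT_CACHE_GHA: true
    permissions:
      contents: read
      packages: write
      id-token: write
    strategy:
      fail-fast: false # stop GH from cancelling all matrix builds if one fails
      matrix:
        recipe:
          # !! Add your recipes here
          - fedora-kinoite-laptop.yml
    steps:
      - name: Build Custom Image
        # NOTE(review): this is a mutable branch ref of a third-party action;
        # pinning it to a full commit SHA (<commit-sha>) would make the build
        # reproducible and resistant to upstream changes.
        uses: prydom/bluebuild-github-action@enable-docker-container-driver
        with:
          recipe: ${{ matrix.recipe }}
          cosign_private_key: ${{ secrets.SIGNING_SECRET }}
          registry_token: ${{ github.token }}
          # empty on schedule/push runs; presumably the action tolerates that — confirm
          pr_event_number: ${{ github.event.number }}
          use_unstable_cli: true

  rpm-ostree-rechunk:
    name: rpm-ostree re-encapsulate
    runs-on: ubuntu-latest
    needs: my-ostree-build
    permissions:
      contents: read
      packages: write
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        image:
          - fedora-kinoite-laptop
    container:
      image: ghcr.io/prydom/ostree-buildroot:rawhide
      # NOTE(review): presumably required for the hardlink checkout and
      # SELinux relabeling below — confirm whether a narrower set of
      # capabilities suffices.
      options: --privileged
    env:
      # TODO: use value from target-manifest to get branch name instead of assuming Rawhide
      RECHUNK_TARGET_TAG: ${{ github.ref_name == github.event.repository.default_branch && 'latest' || format('br-{0}-Rawhide', github.ref_name) }}
      # Image coordinates shared by every step below (no `${{ }}` inside `run:`).
      IMAGE_REF: ghcr.io/${{ github.actor }}/${{ matrix.image }}
      IMAGE_NAME: ${{ matrix.image }}
      SOURCE_REPOSITORY: ${{ github.repository }}
    steps:
      - name: Login to registry
        shell: bash
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # One auth file, symlinked into every location the tools below look at.
          mkdir -p /etc/containers
          echo '{}' > /etc/containers/auth.json
          ln -s /etc/containers/auth.json /etc/ostree/auth.json
          mkdir -p ~/.config/containers
          ln -s /etc/containers/auth.json ~/.config/containers/auth.json
          mkdir -p ~/.docker
          ln -s /etc/containers/auth.json ~/.docker/config.json
          # Token goes in via stdin so it never appears in the process argument list.
          printf '%s' "$REGISTRY_TOKEN" | buildah login ghcr.io --authfile /etc/containers/auth.json -u "$REGISTRY_USER" --password-stdin
      - name: Get container manifest
        id: target-manifest
        shell: bash
        run: |
          skopeo inspect "docker://$IMAGE_REF:$RECHUNK_TARGET_TAG" > target-manifest.json
          # `// empty` turns a missing label into "" instead of the literal string "null".
          version="$(jq -r '.Labels."org.opencontainers.image.version" // empty' target-manifest.json)"
          if [ -z "$version" ]; then
            echo "::error::target image has no org.opencontainers.image.version label"
            exit 1
          fi
          echo "CONTAINER_IMAGE_VERSION=$version" >> "$GITHUB_OUTPUT"
      - name: Create ostree repo
        shell: bash
        run: |
          mkdir repo
          ostree init --repo=repo --mode=bare
      - name: Pull container image
        shell: bash
        run: |
          # `ostree-unverified-image:` performs no signature verification; the
          # pull trusts registry authentication and the fact that the previous
          # job just pushed this tag. NOTE(review): a signed transport with a
          # configured verification key would tie the pull to the cosign
          # signature — confirm whether that is wanted here.
          ostree container image pull repo "ostree-unverified-image:docker://$IMAGE_REF:$RECHUNK_TARGET_TAG"
      - name: Checkout image and recommit to re-label
        shell: bash
        run: |
          set -x
          REF="$(ostree refs --repo=repo ostree/container/image)"
          ostree checkout --repo=repo \
            --require-hardlinks \
            "ostree/container/image/$REF" checkout
          # NOTE(review): purpose of the empty mode-000 /nix directory is not documented here — confirm
          mkdir -m 000 -p checkout/nix
          # Recommit with the SELinux policy shipped inside the checkout so the
          # labels match the image's own policy.
          ostree commit \
            "--branch=relabeled" \
            --repo=repo \
            --bootable \
            --consume \
            "--selinux-policy=$PWD/checkout" \
            checkout
      - name: Re-encapsulate image
        id: re-encapsulate
        shell: bash
        env:
          CONTAINER_IMAGE_VERSION: ${{ steps.target-manifest.outputs.CONTAINER_IMAGE_VERSION }}
        run: |
          # A previous manifest (if any) lets rpm-ostree reuse existing layers.
          skopeo inspect --raw "docker://$IMAGE_REF:$RECHUNK_TARGET_TAG-rechunked" > previous-manifest.json || rm -f previous-manifest.json
          PREVIOUS_BUILD_MANIFEST=()
          if [ -f previous-manifest.json ]; then
            PREVIOUS_BUILD_MANIFEST+=("--previous-build-manifest=previous-manifest.json")
          fi
          rpm-ostree compose container-encapsulate --repo=repo \
            --cmd="/usr/bin/bash" \
            --label="containers.bootc=1" \
            --label="ostree.bootable=true" \
            --label="org.opencontainers.image.source=https://github.com/$SOURCE_REPOSITORY" \
            --label="org.opencontainers.image.title=$IMAGE_NAME" \
            --label="org.opencontainers.image.version=$CONTAINER_IMAGE_VERSION" \
            "${PREVIOUS_BUILD_MANIFEST[@]}" \
            relabeled "registry:$IMAGE_REF:$RECHUNK_TARGET_TAG-rechunked" | tee compose.out
          # Not `export DIGEST=$(...)`: that form hides a failed grep, and an
          # empty digest would only surface as a confusing cosign error later.
          DIGEST="$(tail -n1 compose.out | grep -Eo 'sha256:[A-Fa-f0-9]+$' || true)"
          if [ -z "$DIGEST" ]; then
            echo "::error::could not parse the pushed image digest from compose output"
            exit 1
          fi
          echo "DIGEST=$DIGEST" >> "$GITHUB_OUTPUT"
      - name: Sign image with cosign
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
          DIGEST: ${{ steps.re-encapsulate.outputs.DIGEST }}
        shell: bash
        run: |
          cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "$IMAGE_REF@$DIGEST"
      - name: Delete ostree repo
        shell: bash
        run: |
          rm -rf repo
      - name: Recompress image with zstd
        id: re-compress
        shell: bash
        run: |
          mkdir ostree-image
          # Signatures are dropped on the way out; the recompressed image is
          # re-signed by the next step against its new digest.
          skopeo copy --dest-compress --dest-compress-format zstd --remove-signatures \
            "docker://$IMAGE_REF:$RECHUNK_TARGET_TAG-rechunked" dir:ostree-image
          skopeo copy --preserve-digests --digestfile recompress.digest \
            dir:ostree-image "docker://$IMAGE_REF:$RECHUNK_TARGET_TAG-recompressed"
          echo "DIGEST=$(cat recompress.digest)" >> "$GITHUB_OUTPUT"
      - name: Sign (recompressed) image with cosign
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
          DIGEST: ${{ steps.re-compress.outputs.DIGEST }}
        shell: bash
        run: |
          cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "$IMAGE_REF@$DIGEST"
      - name: Replace snapshot tag (if on default branch)
        env:
          DIGEST: ${{ steps.re-compress.outputs.DIGEST }}
        shell: bash
        if: ${{ github.ref_name == github.event.repository.default_branch }}
        run: |
          skopeo copy "docker://$IMAGE_REF@$DIGEST" "docker://$IMAGE_REF:snapshot"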