# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds. # The images are also built after pushing changes or pull requests. # The builds can also be triggered manually in the Actions tab thanks to workflow dispatch. # Only the branch called `live` is published. name: build-ublue on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows schedule: - cron: "30 16 * * *" push: branches: - live - template - main paths-ignore: # don't rebuild if only documentation has changed - "**.md" pull_request: workflow_dispatch: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} # Only deploys the branch named "live". Ignores all other branches, to allow # having "development" branches without interfering with GHCR image uploads. jobs: push-ghcr: name: Build and push image runs-on: ubuntu-22.04 permissions: contents: read packages: write id-token: write strategy: fail-fast: false matrix: # !!! # Add recipes for all the images you want to build here. # Don't add module configuration files, you will get errors. recipe: - recipe.yml # !!! steps: # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v4 # Confirm that cosign.pub matches SIGNING_SECRET - uses: sigstore/cosign-installer@v3.3.0 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - name: Check SIGNING_SECRET matches cosign.pub if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' env: COSIGN_EXPERIMENTAL: false COSIGN_PASSWORD: "" COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} shell: bash run: | echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub" delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub) if [ -z "$delta" ]; then echo "cosign.pub matches SIGNING_SECRET" else echo "cosign.pub does not match SIGNING_SECRET" echo "$delta" exit 1 fi - name: Add yq (for reading recipe.yml) uses: mikefarah/yq@v4.40.5 - name: Gather image data from recipe run: | echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }}) echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV - name: Verify base image uses: EyeCantCU/cosign-action/verify@v0.2.2 with: containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} - name: Get current version id: labels run: | ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.IMAGE_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]') echo "VERSION=$ver" >> $GITHUB_OUTPUT - name: Generate tags id: generate-tags shell: bash run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)" COMMIT_TAGS=() BUILD_TAGS=() # Have tags for tracking builds during pull request SHA_SHORT="${GITHUB_SHA::7}" # Using clever bash string templating, https://stackoverflow.com/q/40771781 # don't make malformed tags if $MAJOR_VERSION is empty (base-image didn't include proper labels) -- COMMIT_TAGS+=("pr-${{ github.event.number }}${MAJOR_VERSION:+-$MAJOR_VERSION}") COMMIT_TAGS+=("${SHA_SHORT}${MAJOR_VERSION:+-$MAJOR_VERSION}") BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION:+$MAJOR_VERSION-}${TIMESTAMP}") # -- BUILD_TAGS+=("${TIMESTAMP}") BUILD_TAGS+=("latest") if [[ "${{ github.event_name }}" == "pull_request" ]]; then echo "Generated the following commit tags: " for TAG in "${COMMIT_TAGS[@]}"; do echo "${TAG}" done alias_tags=("${COMMIT_TAGS[@]}") else alias_tags=("${BUILD_TAGS[@]}") fi echo "Generated the following build tags: " for TAG in "${BUILD_TAGS[@]}"; do echo "${TAG}" done echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT # Build metadata - name: Image Metadata uses: docker/metadata-action@v5 id: meta with: images: | ${{ env.IMAGE_NAME }} labels: | org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }} io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v6 with: string: ${{ env.IMAGE_REGISTRY }} - name: Lowercase Image id: image_case uses: ASzc/change-string-case-action@v6 with: string: ${{ env.IMAGE_NAME }} - name: Maximize build space uses: AdityaGarg8/remove-unwanted-software@v2 with: remove-dotnet: 'true' remove-android: 'true' remove-haskell: 'true' # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile image: ${{ env.IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} build-args: | IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }} BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }} RECIPE=${{ matrix.recipe }} IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }} labels: ${{ steps.meta.outputs.labels }} oci: false # Push the image to GHCR (Image Registry) - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.build_image.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} extra-args: | --disable-content-trust - name: Login to GitHub Container Registry uses: docker/login-action@v3 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Sign container - name: Sign container image if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' run: | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - name: Echo outputs if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' run: | echo "${{ toJSON(steps.push.outputs) }}"