Feature/container signing (#3)
* fix: enable ublue-nvctk-cdi by default for nvidia images (ublue-os#103)

* fix: run depmod after installing ZFS RPMs

With zfs 2.1.x, depmod ran automatically. Though unclear why, it no longer
seems to occur when installing zfs 2.2.x RPMs in a container build (it does
still work automatically on a non image-based Fedora system).

Manually running depmod, as in this commit, ensures the 2.2.x kmods load
as expected.

* docs: reflect zfs 2.2 change

* chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (ublue-os#104)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: add package with secure boot public signing key

Add the new package from `ucore-kmods` which includes the signing key.
This enables a user to import the signing key as a MOK using:

sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der

Closes ublue-os#82

* docs: add SecureBoot info to README

* docs: update SecureBoot to include zfs

Relates: ublue-os#16

* feat: enable signed images

These files should enable rpm-ostreed/container tooling to validate
signed images when using appropriate references. It will require signed
images for ghcr.io/ublue-os images.

Relates: ublue-os#101

* chore(ci): resume use of latest tag for stable image

I intentionally stopped publishing a `:latest` tag back on April 1st. It
was not intended to be an April Fool's joke, but rather a cleanup to
best practices of not using that tag. However, the old images did not
expire, so the old `:latest` continues to exist, confusing both users
and our website's image discovery code.

I suppose it turned out to be a long lived April Fool's joke after all!

This resumes the publishing of the tag, ensuring it matches the `:stable`
tag, and only on the `ucore` image. There will be no `:latest` for nvidia,
zfs or testing images, nor `fedora-coreos` or `ucore-hci`.

* chore(ci): bash variables only work when using proper braces

* chore(ci): move to reusable workflow (ublue-os#114)

Convert to a reusable workflow such that stable and testing builds can happen on separate schedules and so that stable builds are all that gate merge success, allowing testing to be more unstable.

* chore(ci): use Containerfile targets for ucore-hci (ublue-os#115)

This should allow faster overall builds of ucore and ucore-hci by building in parallel, and removes the need to publish ucore to GHCR even for PRs just to allow ucore-hci to build successfully.

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Benjamin Sherman <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 people authored Jan 25, 2024
1 parent b7b7961 commit a2d56dc
Showing 31 changed files with 255 additions and 330 deletions.
14 changes: 14 additions & 0 deletions .github/workflows/build-stable.yml
@@ -0,0 +1,14 @@
name: stable
on:
pull_request:
merge_group:
schedule:
- cron: '40 23 * * *' # 11:45PM UTC everyday (approx 1.5 hours after coreos images publish)
workflow_dispatch:

jobs:
build-stable:
uses: ./.github/workflows/reusable-build.yml
secrets: inherit
with:
coreos_version: stable
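Review bot: the comment on the `cron: '40 23 * * *'` line does not match the expression. Minute 40 of hour 23 fires at 23:40 UTC, not 11:45PM; either change the expression to `45 23 * * *` or correct the comment so the intended offset from the CoreOS publish time is unambiguous. Separately, this workflow runs on `pull_request` and passes `secrets: inherit` to the reusable workflow; please confirm that reusable-build.yml gates the signing and push steps on the event type so a PR build never signs or publishes an image with the repository secrets.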
14 changes: 14 additions & 0 deletions .github/workflows/build-testing.yml
@@ -0,0 +1,14 @@
name: testing
on:
pull_request:
merge_group:
schedule:
- cron: '55 23 * * *' # 11:45PM UTC everyday (approx 1.75 hours after coreos images publish)
workflow_dispatch:

jobs:
build-testing:
uses: ./.github/workflows/reusable-build.yml
secrets: inherit
with:
coreos_version: testing
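Review bot: same comment/expression mismatch on the `cron: '55 23 * * *'` line: it fires at 23:55 UTC, but the comment still says 11:45PM, apparently copied from build-stable.yml with only the "1.75 hours" figure adjusted. Suggest `# 11:55PM UTC daily (approx 1.75 hours after coreos images publish)`. The 15-minute stagger from the stable schedule also deserves a short comment saying it is intentional, so nobody later "fixes" the two files to match.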