Use updates repo for kernel - part 2 #205
name: 00 - Do full overlay builds | |
on: | |
schedule: | |
- cron: "12 15 * * 6" | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- "README.md" | |
- ".gitignore" | |
- ".github/**" | |
- "rpm-builds/**" | |
- "buildroot/**" | |
workflow_dispatch: # allow manually triggering builds | |
jobs: | |
my-ostree-build: | |
name: Build Custom Image | |
runs-on: ubuntu-latest | |
env: | |
BB_BUILDKIT_CACHE_GHA: true | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false # stop GH from cancelling all matrix builds if one fails | |
matrix: | |
recipe: | |
# !! Add your recipes here | |
- fedora-kinoite-laptop.yml | |
steps: | |
- name: Build Custom Image | |
uses: prydom/bluebuild-github-action@enable-docker-container-driver | |
with: | |
recipe: ${{ matrix.recipe }} | |
cosign_private_key: ${{ secrets.SIGNING_SECRET }} | |
registry_token: ${{ github.token }} | |
pr_event_number: ${{ github.event.number }} | |
use_unstable_cli: true | |
rpm-ostree-rechunk: | |
name: rpm-ostree re-encapsulate | |
runs-on: ubuntu-latest | |
needs: my-ostree-build | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- fedora-kinoite-laptop | |
container: | |
image: ghcr.io/prydom/ostree-buildroot:rawhide | |
options: --privileged | |
env: | |
# TODO: use value from target-manifest to get branch name instead of assuming Rawhide | |
RECHUNK_TARGET_TAG: ${{ github.ref_name == github.event.repository.default_branch && 'latest' || format('br-{0}-Rawhide', github.ref_name) }} | |
steps: | |
- name: Upgrade packages and install cosign | |
shell: bash | |
run: | | |
dnf upgrade -y | |
LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") | |
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-${LATEST_VERSION}-1.x86_64.rpm" | |
sudo rpm -i cosign-${LATEST_VERSION}-1.x86_64.rpm | |
- name: Login to registry | |
shell: bash | |
run: | | |
mkdir -p /etc/containers | |
echo '{}' > /etc/containers/auth.json | |
ln -s /etc/containers/auth.json /etc/ostree/auth.json | |
mkdir -p ~/.config/containers | |
ln -s /etc/containers/auth.json ~/.config/containers/auth.json | |
mkdir -p ~/.docker | |
ln -s /etc/containers/auth.json ~/.docker/config.json | |
buildah login ghcr.io --authfile /etc/containers/auth.json -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} | |
- name: Get container manifest | |
id: target-manifest | |
shell: bash | |
run: | | |
skopeo inspect docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG > target-manifest.json | |
echo "CONTAINER_IMAGE_VERSION=$(jq -r '.Labels."org.opencontainers.image.version"' target-manifest.json)" >> "$GITHUB_OUTPUT" | |
- name: Create ostree repo | |
shell: bash | |
run: | | |
mkdir repo | |
ostree init --repo=repo --mode=bare | |
- name: Pull container image | |
shell: bash | |
run: | | |
ostree container image pull repo ostree-unverified-image:docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG | |
- name: Checkout image and recommit to re-label | |
shell: bash | |
run: | | |
set -x | |
export REF="$(ostree refs --repo=repo ostree/container/image)" | |
ostree checkout --repo=repo \ | |
--require-hardlinks \ | |
"ostree/container/image/$REF" checkout | |
mkdir -m 000 -p checkout/nix | |
ostree commit \ | |
"--branch=relabeled" \ | |
--repo=repo \ | |
--bootable \ | |
--consume \ | |
"--selinux-policy=$PWD/checkout" \ | |
checkout | |
- name: Re-encapsulate image | |
id: re-encapsulate | |
shell: bash | |
run: | | |
skopeo inspect --raw docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked > previous-manifest.json || rm -f previous-manifest.json | |
PREVIOUS_BUILD_MANIFEST=() | |
if [ -f "previous-manifest.json" ]; then | |
PREVIOUS_BUILD_MANIFEST+=("--previous-build-manifest=previous-manifest.json") | |
fi | |
rpm-ostree compose container-encapsulate --repo=repo \ | |
--cmd="/usr/bin/bash" \ | |
--label="containers.bootc=1" \ | |
--label="ostree.bootable=true" \ | |
--label="org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ | |
--label="org.opencontainers.image.title=${{ matrix.image }}" \ | |
--label="org.opencontainers.image.version=${{ steps.target-manifest.outputs.CONTAINER_IMAGE_VERSION }}" \ | |
"${PREVIOUS_BUILD_MANIFEST[@]}" \ | |
relabeled registry:ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked | tee compose.out | |
export DIGEST=$(tail -n1 compose.out | grep -Eo 'sha256:[A-Fa-f0-9]+$') | |
echo "DIGEST=$DIGEST" >> "$GITHUB_OUTPUT" | |
- name: Sign image with cosign | |
env: | |
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | |
DIGEST: ${{ steps.re-encapsulate.outputs.DIGEST }} | |
shell: bash | |
run: | | |
cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST" | |
- name: Replace snapshot tag (if on default branch) | |
env: | |
DIGEST: ${{ steps.re-encapsulate.outputs.DIGEST }} | |
shell: bash | |
if: ${{ github.ref_name == github.event.repository.default_branch }} | |
run: | | |
skopeo copy "docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST" "docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:snapshot" |
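Review bot: The cosign binary that is later handed `secrets.SIGNING_SECRET` in the `Sign image with cosign` step is installed in `Upgrade packages and install cosign` from the floating `releases/latest` download with no version pin and no checksum or signature check, and the version-discovery `curl` runs without `-f`, so an HTTP error body (e.g. an API rate-limit response) is piped into `grep tag_name` instead of failing the step; installing an unpinned, unverified signing tool as root weakens the assurance the resulting signature is meant to give. Pin the release and verify the RPM against the release's `cosign_checksums.txt` before `rpm -i`, as sketched below (both files still come from the same origin, so a signature check on the RPM would be the stronger next step). The same floating-ref pattern appears at `uses: prydom/bluebuild-github-action@enable-docker-container-driver`, which also receives the signing key plus `packages: write`; pinning it to a full commit SHA closes the same gap. Relatedly, the `Pull container image` step uses the `ostree-unverified-image:` transport by mutable tag and the rechunked output is then re-signed, so nothing binds the signed result to what the build job produced; pulling by the digest already obtainable from the `target-manifest` inspect (`jq -r .Digest target-manifest.json`) would at least tie the pull to the manifest whose version label is copied into the new image.
```yaml
- name: Upgrade packages and install cosign
  shell: bash
  run: |
    dnf upgrade -y
    COSIGN_VERSION="<PINNED_COSIGN_VERSION>"  # placeholder: pin a release, bump deliberately
    COSIGN_RPM="cosign-${COSIGN_VERSION}-1.x86_64.rpm"
    COSIGN_URL="https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}"
    curl -fsSLO "${COSIGN_URL}/${COSIGN_RPM}"
    curl -fsSLO "${COSIGN_URL}/cosign_checksums.txt"
    grep " ${COSIGN_RPM}$" cosign_checksums.txt | sha256sum -c -
    sudo rpm -i "${COSIGN_RPM}"
# … unchanged: remaining steps (registry login, manifest inspect, ostree repo, pull, recommit, re-encapsulate, sign, snapshot tag) …
```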