00 - Do full overlay builds #215
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 00 - Do full overlay builds | |
on: | |
schedule: | |
- cron: "12 15 * * 6" | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- "README.md" | |
- ".gitignore" | |
- ".github/**" | |
- "rpm-builds/**" | |
- "buildroot/**" | |
workflow_dispatch: # allow manually triggering builds | |
jobs: | |
my-ostree-build: | |
name: Build Custom Image | |
runs-on: ubuntu-latest | |
env: | |
BB_BUILDKIT_CACHE_GHA: true | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false # stop GH from cancelling all matrix builds if one fails | |
matrix: | |
recipe: | |
# !! Add your recipes here | |
- fedora-kinoite-laptop.yml | |
steps: | |
- name: Build Custom Image | |
uses: prydom/bluebuild-github-action@enable-docker-container-driver | |
with: | |
recipe: ${{ matrix.recipe }} | |
cosign_private_key: ${{ secrets.SIGNING_SECRET }} | |
registry_token: ${{ github.token }} | |
pr_event_number: ${{ github.event.number }} | |
use_unstable_cli: true | |
rpm-ostree-rechunk: | |
name: rpm-ostree re-encapsulate | |
runs-on: ubuntu-latest | |
needs: my-ostree-build | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- fedora-kinoite-laptop | |
container: | |
image: ghcr.io/prydom/ostree-buildroot:rawhide | |
options: --privileged | |
env: | |
# TODO: use value from target-manifest to get branch name instead of assuming Rawhide | |
RECHUNK_TARGET_TAG: ${{ github.ref_name == github.event.repository.default_branch && 'latest' || format('br-{0}-Rawhide', github.ref_name) }} | |
steps: | |
- name: Login to registry | |
shell: bash | |
run: | | |
mkdir -p /etc/containers | |
echo '{}' > /etc/containers/auth.json | |
ln -s /etc/containers/auth.json /etc/ostree/auth.json | |
mkdir -p ~/.config/containers | |
ln -s /etc/containers/auth.json ~/.config/containers/auth.json | |
mkdir -p ~/.docker | |
ln -s /etc/containers/auth.json ~/.docker/config.json | |
buildah login ghcr.io --authfile /etc/containers/auth.json -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} | |
- name: Get container manifest | |
id: target-manifest | |
shell: bash | |
run: | | |
skopeo inspect docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG > target-manifest.json | |
echo "CONTAINER_IMAGE_VERSION=$(jq -r '.Labels."org.opencontainers.image.version"' target-manifest.json)" >> "$GITHUB_OUTPUT" | |
- name: Create ostree repo | |
shell: bash | |
run: | | |
mkdir repo | |
ostree init --repo=repo --mode=bare | |
- name: Pull container image | |
shell: bash | |
run: | | |
ostree container image pull repo ostree-unverified-image:docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG | |
- name: Checkout image and recommit to re-label | |
shell: bash | |
run: | | |
set -x | |
export REF="$(ostree refs --repo=repo ostree/container/image)" | |
ostree checkout --repo=repo \ | |
--require-hardlinks \ | |
"ostree/container/image/$REF" checkout | |
mkdir -m 000 -p checkout/nix | |
ostree commit \ | |
"--branch=relabeled" \ | |
--repo=repo \ | |
--bootable \ | |
--consume \ | |
"--selinux-policy=$PWD/checkout" \ | |
checkout | |
- name: Re-encapsulate image | |
id: re-encapsulate | |
shell: bash | |
run: | | |
skopeo inspect --raw docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked > previous-manifest.json || rm -f previous-manifest.json | |
PREVIOUS_BUILD_MANIFEST=() | |
if [ -f "previous-manifest.json" ]; then | |
PREVIOUS_BUILD_MANIFEST+=("--previous-build-manifest=previous-manifest.json") | |
fi | |
rpm-ostree compose container-encapsulate --repo=repo \ | |
--cmd="/usr/bin/bash" \ | |
--label="containers.bootc=1" \ | |
--label="ostree.bootable=true" \ | |
--label="org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ | |
--label="org.opencontainers.image.title=${{ matrix.image }}" \ | |
--label="org.opencontainers.image.version=${{ steps.target-manifest.outputs.CONTAINER_IMAGE_VERSION }}" \ | |
"${PREVIOUS_BUILD_MANIFEST[@]}" \ | |
relabeled registry:ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked | tee compose.out | |
export DIGEST=$(tail -n1 compose.out | grep -Eo 'sha256:[A-Fa-f0-9]+$') | |
echo "DIGEST=$DIGEST" >> "$GITHUB_OUTPUT" | |
- name: Sign image with cosign | |
env: | |
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | |
DIGEST: ${{ steps.re-encapsulate.outputs.DIGEST }} | |
shell: bash | |
run: | | |
cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST" | |
- name: Delete ostree repo | |
shell: bash | |
run: | | |
rm -rf repo | |
- name: Recompress image with zstd | |
id: re-compress | |
shell: bash | |
run: | | |
mkdir ostree-image | |
skopeo copy --dest-compress --dest-compress-format zstd --remove-signatures \ | |
docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-rechunked dir:ostree-image | |
skopeo copy --preserve-digests --digestfile recompress.digest \ | |
dir:ostree-image docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:$RECHUNK_TARGET_TAG-recompressed | |
echo "DIGEST=$(cat recompress.digest)" >> "$GITHUB_OUTPUT" | |
- name: Sign (recompressed) image with cosign | |
env: | |
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | |
DIGEST: ${{ steps.re-compress.outputs.DIGEST }} | |
shell: bash | |
run: | | |
cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST" | |
- name: Replace snapshot tag (if on default branch) | |
env: | |
DIGEST: ${{ steps.re-compress.outputs.DIGEST }} | |
shell: bash | |
if: ${{ github.ref_name == github.event.repository.default_branch }} | |
run: | | |
skopeo copy "docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST" "docker://ghcr.io/${{ github.actor }}/${{ matrix.image }}:snapshot" |