01 - Try to upgrade snapshots #1706
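# Hourly (and manually triggerable) workflow: pulls the current :snapshot
# image, rebuilds it from recipes/Containerfile.<image>-update-snapshot,
# pushes the result back to ghcr.io and signs the pushed digest with cosign.
name: 01 - Try to upgrade snapshots
on:
  schedule:
    - cron: "42 * * * *"
  workflow_dispatch: # allow manually triggering builds
jobs:
  snapshot-upgrades:
    name: Run package upgrades on snapshot tag
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # NOTE(review): the signing step below uses a private key from secrets,
      # not an OIDC identity, so id-token: write looks unused in this job.
      # Confirm and drop it if nothing else requests an OIDC token.
      id-token: write
    strategy:
      fail-fast: false # stop GH from cancelling all matrix builds if one fails
      matrix:
        image:
          - fedora-kinoite-laptop
    container:
      # NOTE(review): :rawhide is a mutable tag and the container runs
      # privileged while handling the registry token and the signing key.
      # Consider pinning the build image by digest.
      image: ghcr.io/prydom/ostree-buildroot:rawhide
      options: --privileged
    steps:
      - name: Login to registry
        shell: bash
        env:
          # Passed through the environment so the token is never expanded
          # into the script text or the buildah command line.
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          mkdir -p /etc/containers
          echo '{}' > /etc/containers/auth.json
          ln -s /etc/containers/auth.json /etc/ostree/auth.json
          mkdir -p ~/.config/containers
          ln -s /etc/containers/auth.json ~/.config/containers/auth.json
          mkdir -p ~/.docker
          ln -s /etc/containers/auth.json ~/.docker/config.json
          printf '%s' "$REGISTRY_TOKEN" | buildah login ghcr.io --authfile /etc/containers/auth.json -u "$REGISTRY_USER" --password-stdin
      - name: Checkout repo
        # NOTE(review): v4 is a movable tag; pin to a full commit SHA so the
        # action code cannot change underneath this job.
        uses: actions/checkout@v4
        with:
          # No later step shown here uses git, so do not leave the token in
          # the checked-out repository's git config.
          persist-credentials: false
      - name: Build and push
        id: build-and-push
        # This failing will usually just mean there were no updates.
        # It also hides genuine pull/build/push errors; the signing step is
        # gated on this step's outcome, so a failed build is never signed.
        continue-on-error: true
        shell: bash
        # NOTE(review): github.actor is the account that triggered the run, so
        # a manual dispatch by another account would target that account's
        # namespace. github.repository_owner is stable across triggers.
        run: |
          cd recipes
          buildah pull ghcr.io/${{ github.actor }}/${{ matrix.image }}:snapshot
          buildah build --disable-compression=false \
            -t ghcr.io/${{ github.actor }}/${{ matrix.image }}:snapshot --file ${{ format('Containerfile.{0}-update-snapshot', matrix.image) }}
          buildah push --digestfile digest --compression-format zstd --remove-signatures \
            ghcr.io/${{ github.actor }}/${{ matrix.image }}:snapshot
          echo "DIGEST=$(cat digest)" >> "$GITHUB_OUTPUT"
      - name: Sign with cosign
        if: ${{ steps.build-and-push.outcome == 'success' }}
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
          DIGEST: ${{ steps.build-and-push.outputs.DIGEST }}
        shell: bash
        # Signs the digest recorded by the push, not the mutable :snapshot
        # tag, so the signature covers exactly what this run uploaded.
        run: |
          cosign sign --key=env://COSIGN_PRIVATE_KEY --recursive "ghcr.io/${{ github.actor }}/${{ matrix.image }}@$DIGEST"
      - name: Pass job
        shell: bash
        run: /usr/bin/true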