build-ublue #738

Workflow file for this run

	name: build-ublue
	on:
	pull_request:
	merge_group:
	schedule:
	- cron: '0 14 * * *' # 2pm UTC everyday (timed against official fedora container pushes, and after 'config')
	workflow_dispatch:
	env:
	IMAGE_NAME: akmods
	IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}

	jobs:
	push-ghcr:
	name: akmods
	runs-on: ubuntu-22.04
	permissions:
	contents: read
	packages: write
	id-token: write
	strategy:
	fail-fast: false
	matrix:
	kernel_flavor: [main, asus, 6.7.9-204.fsync, surface]
	cfile_suffix: [common, nvidia]
	major_version: [38, 39, 40]
	nvidia_version: [0, 470, 550]
	exclude:
	- cfile_suffix: common
	nvidia_version: 470
	- cfile_suffix: common
	nvidia_version: 550
	- cfile_suffix: nvidia
	nvidia_version: 0
	- kernel_flavor: 6.7.9-204.fsync
	major_version: 38
	- kernel_flavor: asus
	major_version: 38
	- kernel_flavor: surface
	nvidia_version: 470
	- major_version: 40
	nvidia_version: 470 # rpmfusion packages nvidia 470 for F40 but won't compile yet.
	- major_version: 40
	kernel_flavor: 6.7.9-204.fsync # kernel-fsync packages are not being built for F40 yet.

	steps:
	# Checkout push-to-registry action GitHub repository
	- name: Checkout Push to Registry action
	uses: actions/checkout@v4

	- name: Matrix Variables
	shell: bash
	run: \|
	if [[ "${{ matrix.major_version }}" -ge "41" ]]; then
	# when we are confident of official fedora images we can switch to them
	echo "SOURCE_IMAGE=fedora-silverblue" >> $GITHUB_ENV
	echo "SOURCE_ORG=fedora" >> $GITHUB_ENV
	else
	echo "SOURCE_IMAGE=base" >> $GITHUB_ENV
	echo "SOURCE_ORG=fedora-ostree-desktops" >> $GITHUB_ENV
	fi

	- name: Generate tags
	id: generate-tags
	shell: bash
	run: \|
	# Generate a timestamp for creating an image version history
	TIMESTAMP="$(date +%Y%m%d)"
	if [[ "${{ matrix.cfile_suffix }}" == "nvidia" ]]; then
	VARIANT="${{ matrix.kernel_flavor }}-${{ matrix.major_version }}-${{ matrix.nvidia_version }}"
	else
	VARIANT="${{ matrix.kernel_flavor }}-${{ matrix.major_version }}"
	fi

	COMMIT_TAGS=()
	BUILD_TAGS=()

	# Have tags for tracking builds during pull request
	SHA_SHORT="${GITHUB_SHA::7}"
	COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}")
	COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}")

	BUILD_TAGS=("${VARIANT}" "${VARIANT}-${TIMESTAMP}")

	if [[ "${{ github.event_name }}" == "pull_request" ]]; then
	echo "Generated the following commit tags: "
	for TAG in "${COMMIT_TAGS[@]}"; do
	echo "${TAG}"
	done

	alias_tags=("${COMMIT_TAGS[@]}")
	else
	alias_tags=("${BUILD_TAGS[@]}")
	fi

	echo "Generated the following build tags: "
	for TAG in "${BUILD_TAGS[@]}"; do
	echo "${TAG}"
	done

	echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT

	- name: Retrieve akmods signing key
	run: \|
	mkdir -p certs
	if [[ "${{ github.event_name }}" == "pull_request" ]]; then
	echo "Using test signing key"
	else
	echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
	fi
	# DEBUG: get character count of key
	wc -c certs/private_key.priv

	- name: Get current version
	id: labels
	uses: Wandalen/[email protected]
	with:
	attempt_limit: 3
	attempt_delay: 15000
	command: \|
	set -eo pipefail
	skopeo inspect docker://quay.io/${{ env.SOURCE_ORG }}/${{ env.SOURCE_IMAGE }}:${{ matrix.major_version }} > inspect.json
	ver=$(jq -r '.Labels["org.opencontainers.image.version"]' inspect.json)
	linux=$(jq -r '.Labels["ostree.linux"]' inspect.json)
	if [ -z "$ver" ] \|\| [ "null" = "$ver" ]; then
	echo "inspected image version must not be empty or null"
	exit 1
	fi
	if [ -z "$linux" ] \|\| [ "null" = "$linux" ]; then
	echo "inspected image linux version must not be empty or null"
	exit 1
	fi
	echo "VERSION=$ver" >> $GITHUB_OUTPUT
	echo "LINUX=$linux" >> $GITHUB_OUTPUT

	# Build metadata
	- name: Image Metadata
	uses: docker/metadata-action@v5
	id: meta
	with:
	images: \|
	${{ 'nvidia' == matrix.cfile_suffix && format('{0}-nvidia', env.IMAGE_NAME) \|\| format('{0}', env.IMAGE_NAME) }}
	labels: \|
	org.opencontainers.image.title=${{ env.IMAGE_NAME }}
	org.opencontainers.image.description=A caching layer for pre-built akmod RPMs
	org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
	ostree.linux=${{ steps.labels.outputs.LINUX }}
	io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
	io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4

	- name: Pull build image
	uses: Wandalen/[email protected]
	with:
	attempt_limit: 3
	attempt_delay: 15000
	command: \|
	# pull the base image used for FROM in containerfile so
	# we can retry on that unfortunately common failure case
	podman pull quay.io/${{ env.SOURCE_ORG }}/${{ env.SOURCE_IMAGE }}:${{ matrix.major_version }}

	# Build image using Buildah action
	- name: Build Image
	id: build_image
	uses: redhat-actions/buildah-build@v2
	with:
	containerfiles: \|
	./Containerfile.${{ matrix.cfile_suffix }}
	image: ${{ 'nvidia' == matrix.cfile_suffix && format('{0}-nvidia', env.IMAGE_NAME) \|\| format('{0}', env.IMAGE_NAME) }}
	tags: \|
	${{ steps.generate-tags.outputs.alias_tags }}
	build-args: \|
	SOURCE_IMAGE=${{ env.SOURCE_IMAGE }}
	SOURCE_ORG=${{ env.SOURCE_ORG }}
	KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
	FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
	NVIDIA_MAJOR_VERSION=${{ matrix.nvidia_version }}
	RPMFUSION_MIRROR=${{ vars.RPMFUSION_MIRROR }}
	labels: ${{ steps.meta.outputs.labels }}
	oci: false

	# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
	# https://github.com/macbre/push-to-ghcr/issues/12
	- name: Lowercase Registry
	id: registry_case
	uses: ASzc/change-string-case-action@v6
	with:
	string: ${{ env.IMAGE_REGISTRY }}


	- name: Push To GHCR
	uses: Wandalen/[email protected]
	id: push
	if: github.event_name != 'pull_request'
	env:
	REGISTRY_USER: ${{ github.actor }}
	REGISTRY_PASSWORD: ${{ github.token }}
	with:
	action: redhat-actions/push-to-registry@v2
	attempt_limit: 3
	attempt_delay: 15000
	with: \|
	image: ${{ steps.build_image.outputs.image }}
	tags: ${{ steps.build_image.outputs.tags }}
	registry: ${{ steps.registry_case.outputs.lowercase }}
	username: ${{ env.REGISTRY_USER }}
	password: ${{ env.REGISTRY_PASSWORD }}
	extra-args: \|
	--disable-content-trust

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	if: github.event_name != 'pull_request'
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# Sign container
	- uses: sigstore/[email protected]
	if: github.event_name != 'pull_request'

	- name: Sign container image
	if: github.event_name != 'pull_request'
	run: \|
	cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
	env:
	TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
	COSIGN_EXPERIMENTAL: false
	COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

	- name: Echo outputs
	if: github.event_name != 'pull_request'
	run: \|
	echo "${{ toJSON(steps.push.outputs) }}"

	check:
	name: Check all builds successful
	runs-on: ubuntu-latest
	needs: [push-ghcr]
	steps:
	- name: Exit
	shell: bash
	run: exit 0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build-ublue #738

Workflow file

build-ublue #738

Jobs

Run details

Workflow file for this run