feat: build base images rather than main images (#12)

* feat: change scope to build base images, not main images

* fix: remove duplicate env

* fix: add git submodule for base images

* fix: path to silverblue and kinoite manifests

* chore: build base images weekly

* chore: remove latest tag

.github/dependabot.yaml

@@ -6,6 +6,10 @@
 version: 2
 updates:
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directory: "**/*"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gitsubmodule"
+    directory: "**/*"
     schedule:
       interval: "weekly"

.github/workflows/build-40.yaml

@@ -1,18 +1,94 @@
-name: ublue bootc 40
+name: Build
+
 on:
   pull_request:
-  merge_group:
-  schedule:
-    - cron: '5 15 * * *'  # 3pm-ish UTC everyday (timed against official fedora container pushes)
-  workflow_dispatch:
   push:
     branches:
       - main
+  schedule:
+    # Weekly on Monday at 00:00
+    - cron: '0 0 * * 1'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
-  build:
-    name: build
-    uses: ./.github/workflows/reusable-build.yaml
-    secrets: inherit
-    with:
-      fedora_version: 40
+  build-atomic:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    env:
+      IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/${{ matrix.images }}-bootc
+      FEDORA_VERSION: 40
+    strategy:
+      fail-fast: false
+      matrix:
+        images:
+          - base
+          - budgie
+          - cinnamon
+          - deepin
+          - silverblue
+          - kinoite
+          - lxqt
+          - mate
+          - sway
+          - xfce
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Maximize build space
+        uses: ublue-os/remove-unwanted-software@v7
+
+      - name: Install Just
+        uses: extractions/setup-just@v1
+
+      - name: Update podman
+        run: |
+          # from https://askubuntu.com/questions/1414446/whats-the-recommended-way-of-installing-podman-4-in-ubuntu-22-04
+          ubuntu_version='22.04'
+          key_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}/Release.key"
+          sources_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}"
+          echo "deb $sources_url/ /" | sudo tee /etc/apt/sources.list.d/devel-kubic-libcontainers-unstable.list
+          curl -fsSL $key_url | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
+          sudo apt update
+          sudo apt install -y podman
+
+      - name: Build Image
+        run: |
+          just build-atomic ${{ matrix.images }}
+          podman tag localhost/fedora-bootc-atomic-${{ matrix.images }}:latest ${{ env.IMAGE_NAME }}:${{ env.FEDORA_VERSION }}
+          podman tag localhost/fedora-bootc-atomic-${{ matrix.images }}:latest ${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+      - name: Run Image
+        run: podman run --rm -it ${{ env.IMAGE_NAME }}:${{ github.sha }} bootc --help
+
+      - name: Push Image
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'schedule'
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:${{ github.sha }}
+            ${{ env.IMAGE_NAME }}:${{ env.FEDORA_VERSION }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Sign container
+      - uses: sigstore/[email protected]
+        if: github.event_name != 'pull_request'
+
+      - name: Sign container image
+        if: github.event_name != 'pull_request'
+        run: |
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_NAME }}@${{ github.sha }}
+        env:
+          TAGS: ${{ steps.build_image.outputs.digest }}
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

.gitignore

@@ -0,0 +1,2 @@
+fedora-comps/
+.osbuild/output/**

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "base-images"]
+	path = base-images
+	url = https://gitlab.com/fedora/bootc/base-images

.osbuild/config.toml

@@ -0,0 +1,5 @@
+[[customizations.user]]
+name = "alice"
+password = "bob"
+key = "ssh-rsa AAA ... [email protected]"
+groups = ["wheel"]

Containerfile

@@ -1,15 +1,17 @@
-ARG BASE_IMAGE="quay.io/fedora/fedora-bootc"
-ARG FEDORA_VERSION="${FEDORA_VERSION:-40}"
-ARG FEDORA_EDITION="${FEDORA_EDITION:-silverblue}"
+FROM quay.io/fedora/fedora:40 as repos
 
-FROM ${BASE_IMAGE}:${FEDORA_VERSION}
+FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
+ARG MANIFEST=fedora-bootc-full.yaml
 
-ARG FEDORA_VERSION
-ARG FEDORA_EDITION
+COPY --from=repos /etc/dnf/vars /etc/dnf/vars
+COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
 
-COPY scripts/ /tmp/scripts
-COPY packages.json /tmp/packages.json
+COPY . /src
+WORKDIR /src
+RUN rm -vf /src/*.repo
+COPY --from=repos /etc/yum.repos.d/*.repo /src
+RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image \
+  --image-config fedora-bootc-config.json --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} /buildcontext/out.ociarchive
 
-RUN chmod +x /tmp/scripts/*.sh /tmp/scripts/_${FEDORA_EDITION}/*.sh && \
-    /tmp/scripts/setup.sh --version ${FEDORA_VERSION} --desktop ${FEDORA_EDITION} && \
-    /tmp/scripts/cleanup.sh --version ${FEDORA_VERSION} --desktop ${FEDORA_EDITION}
+FROM oci-archive:./out.ociarchive
+RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive