chore: more formatting fixes #2
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Reusable Build and Push | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| fedora_version: | ||
| description: 'The Fedora Version: gts, stable, or latest" | ||
| required: true | ||
| type: string | ||
| brand_name: | ||
| description: "'aurora' or 'bluefin'" | ||
| required: true | ||
| type: string | ||
| outputs: | ||
| images: | ||
| description: 'An array of images built and pushed to the registry' | ||
| value: ${{ jobs.check.outputs.images }} | ||
| env: | ||
| IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.fedora_version }} | ||
| cancel-in-progress: true | ||
| jobs: | ||
| build_container: | ||
| name: image | ||
| runs-on: ubuntu-22.04 | ||
| continue-on-error: false | ||
| outputs: | ||
| image_full: ${{ steps.generate-outputs.outputs.image }} | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| image_flavor: | ||
| - main | ||
| - nvidia | ||
| - asus | ||
| - asus-nvidia | ||
| - surface | ||
| - surface-nvidia | ||
| base_name: | ||
| - ${{ inputs.brand_name }} | ||
| - ${{ inputs.brand_name }}-dx | ||
| fedora_version: | ||
| - ${{ inputs.fedora_version }} | ||
| include: | ||
| exclude: | ||
| - fedora_version: gts | ||
| image_flavor: asus | ||
| - fedora_version: gts | ||
| image_flavor: asus-nvidia | ||
| - fedora_version: stable | ||
| image_flavor: asus | ||
| - fedora_version: stable | ||
| image_flavor: asus-nvidia | ||
| - fedora_version: stable | ||
| image_flavor: surface | ||
| - fedora_version: stable | ||
| image_flavor: surface-nvidia | ||
| - fedora_version: beta | ||
| image_flavor: asus | ||
| - fedora_version: beta | ||
| image_flavor: asus-nvidia | ||
| - fedora_version: beta | ||
| image_flavor: surface | ||
| - fedora_version: beta | ||
| image_flavor: surface-nvidia | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | ||
| - name: Matrix Variables | ||
| run: | | ||
| # IMAGE_NAME | ||
| if [[ "${{ matrix.image_flavor }}" == "main" ]]; then | ||
| echo "IMAGE_NAME=${{ matrix.base_name }}" >> $GITHUB_ENV | ||
| else | ||
| echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.base_name, matrix.image_flavor) }}" >> $GITHUB_ENV | ||
| fi | ||
| # BASE_IMAGE_NAME | ||
| if [[ "${{ matrix.base_name }}" =~ "bluefin" ]]; then | ||
| echo "BASE_IMAGE_NAME"="silverblue" >> $GITHUB_ENV | ||
| elif [[ "${{ matrix.base_name }}" =~ "aurora" ]]; then | ||
| echo "BASE_IMAGE_NAME"="kinoite" >> $GITHUB_ENV | ||
| fi | ||
| # TARGET_NAME | ||
| if [[ "${{ matrix.base_name }}" =~ "dx" ]]; then | ||
| echo "TARGET_NAME"="dx" >> $GITHUB_ENV | ||
| else | ||
| echo "TARGET_NAME"="base" >> $GITHUB_ENV | ||
| fi | ||
| # AKMODS_FLAVOR | ||
| if [[ "${{ matrix.image_flavor }}" =~ "asus" ]]; then | ||
| echo "AKMODS_FLAVOR=asus" >> $GITHUB_ENV | ||
| elif [[ "${{ matrix.image_flavor }}" =~ "surface" ]]; then | ||
| echo "AKMODS_FLAVOR=surface" >> $GITHUB_ENV | ||
| echo "KERNEL_SUFFIX=surface" >> $GITHUB_ENV | ||
| elif [[ "${{ matrix.fedora_version }}" == "stable" || \ | ||
| "${{ matrix.fedora_version }}" == "gts" ]]; then | ||
| echo "AKMODS_FLAVOR=coreos" >> $GITHUB_ENV | ||
| else | ||
| echo "AKMODS_FLAVOR=main" >> $GITHUB_ENV | ||
| fi | ||
| # Env for matrix.image_flavor | ||
| if [[ "${{ matrix.image_flavor }}" == "nvidia" ]] && \ | ||
| [[ "${{ matrix.fedora_version }}" == "stable" || \ | ||
| "${{ matrix.fedora_version }}" == "gts" ]]; then | ||
| echo "image_flavor=main" >> $GITHUB_ENV | ||
| echo "coreos_type=nvidia" >> $GITHUB_ENV | ||
| elif [[ "${{ matrix.image_flavor }}" == "main" ]] && \ | ||
| [[ "${{ matrix.fedora_version }}" == "stable" || \ | ||
| "${{ matrix.fedora_version }}" == "gts" ]]; then | ||
| echo "image_flavor=${{ matrix.image_flavor }}" >> $GITHUB_ENV | ||
| echo "coreos_type=main" >> $GITHUB_ENV | ||
| else | ||
| echo "image_flavor=${{ matrix.image_flavor }}" >> $GITHUB_ENV | ||
| fi | ||
| - name: Get Current Fedora Version | ||
| id: labels | ||
| shell: bash | ||
| run: | | ||
| set -eo pipefail | ||
| if [[ ${{ matrix.fedora_version }} == "stable" ]]; then | ||
| KERNEL_RELEASE=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:stable | jq -r '.Labels["ostree.linux"] | split(".x86_64")[0]') | ||
| if [[ ${{ matrix.fedora_version }} == "gts" ]]; then | ||
| coreos_kernel_release=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:stable | jq -r '.Labels["ostree.linux"] | split(".x86_64")[0]') | ||
| major_minor_patch=$(echo "$coreos_kernel_release" | cut -d '-' -f 1) | ||
| coreos_fedora_version=$(echo $coreos_kernel_release | grep -oP 'fc\K[0-9]+') | ||
| KERNEL_RELEASE="${major_minor_patch}-200.fc$(($coreos_fedora_version - 1))" | ||
| else | ||
| KERNEL_RELEASE=$(skopeo inspect docker://ghcr.io/ublue-os/silverblue-${{ env.image_flavor }}:${{ matrix.fedora_version }} | jq -r '.Labels["ostree.linux"] | split(".x86_64")[0]') | ||
| fi | ||
| fedora_version=$(echo $KERNEL_RELEASE | grep -oP 'fc\K[0-9]+') | ||
| echo "kernel_release=$KERNEL_RELEASE" >> $GITHUB_OUTPUT | ||
| echo "fedora_version=$fedora_version" >> $GITHUB_OUTPUT | ||
| ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.BASE_IMAGE_NAME }}-${{ env.image_flavor }}:$fedora_version | jq -r '.Labels["org.opencontainers.image.version"]') | ||
| if [ -z "$ver" ] || [ "null" = "$ver" ]; then | ||
| echo "inspected image version must not be empty or null" | ||
| exit 1 | ||
| fi | ||
| echo "VERSION=$ver" >> $GITHUB_OUTPUT | ||
| - name: Verify base image | ||
| uses: EyeCantCU/cosign-action/verify@11f8c114a5e67c7a663c9dfcaf76d85429d254bc # v0.2.2 | ||
| with: | ||
| containers: ${{ env.BASE_IMAGE_NAME}}-${{ env.image_flavor }}:${{ steps.labels.outputs.fedora_version }} | ||
| - name: Verify Chainguard images | ||
| if: matrix.base_name != 'bluefin' && matrix.base_name != 'aurora' | ||
| uses: EyeCantCU/cosign-action/verify@11f8c114a5e67c7a663c9dfcaf76d85429d254bc # v0.2.2 | ||
| with: | ||
| containers: dive, flux, helm, ko, minio, kubectl | ||
| cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main | ||
| oidc-issuer: https://token.actions.githubusercontent.com | ||
| registry: cgr.dev/chainguard | ||
| - name: Maximize build space | ||
| if: contains(matrix.base_name, '-dx') && (github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request') | ||
| uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 | ||
| - name: Check just syntax | ||
| uses: ublue-os/just-action@961e70ef33d8e0ef5ecf19dbb20739f3c0ce873b # v1 | ||
| - name: Generate tags | ||
| id: generate-tags | ||
| shell: bash | ||
| run: | | ||
| # Generate a timestamp for creating an image version history | ||
| TIMESTAMP="$(date +%Y%m%d)" | ||
| FEDORA_VERSION="${{ matrix.fedora_version }}" | ||
| if [[ "${{ matrix.fedora_version }}" == "stable" ]]; then | ||
| IS_LATEST_VERSION=false | ||
| IS_STABLE_VERSION=true | ||
| IS_GTS_VERSION=false | ||
| IS_COREOS=true | ||
| elif [[ "${{ matrix.fedora_version }}" == "gts" ]]; then | ||
| IS_LATEST_VERSION=false | ||
| IS_STABLE_VERSION=true | ||
| IS_GTS_VERSION=true | ||
| IS_COREOS=false | ||
| elif [[ "${{ matrix.fedora_version }}" == "latest" ]]; then | ||
| IS_LATEST_VERSION=true | ||
| IS_STABLE_VERSION=true | ||
| IS_GTS_VERSION=false | ||
| IS_COREOS=false | ||
| elif [[ "${{ matrix.fedora_version }}" == "beta" ]]; then | ||
| IS_LATEST_VERSION=false | ||
| IS_STABLE_VERSION=false | ||
| IS_GTS_VERSION=false | ||
| IS_COREOS=false | ||
| fi | ||
| COMMIT_TAGS=() | ||
| BUILD_TAGS=() | ||
| # Have tags for tracking builds during pull request | ||
| SHA_SHORT="${GITHUB_SHA::7}" | ||
| COMMIT_TAGS+=("pr-${{ github.event.number }}-${FEDORA_VERSION}") | ||
| COMMIT_TAGS+=("${SHA_SHORT}-${FEDORA_VERSION}") | ||
| if [[ "$IS_LATEST_VERSION" == "true" ]] && \ | ||
| [[ "$IS_STABLE_VERSION" == "true" ]]; then | ||
| COMMIT_TAGS+=("pr-${{ github.event.number }}") | ||
| COMMIT_TAGS+=("${SHA_SHORT}") | ||
| fi | ||
| if [[ ${{ matrix.fedora_version }} == "stable" ]]; then | ||
| BUILD_TAGS=("${FEDORA_VERSION}" "${FEDORA_VERSION}-${TIMESTAMP}") | ||
| else | ||
| BUILD_TAGS=("${{ steps.labels.outputs.fedora_version }}" "${{ steps.labels.outputs.fedora_version }}-${TIMESTAMP}") | ||
| fi | ||
| if [[ ${{ github.ref_name }} == "testing" ]]; then | ||
| if [[ ${{ matrix.fedora_version }} == "stable" ]]; then | ||
| BUILD_TAGS=("${FEDORA_VERSION}" "${FEDORA_VERSION}-${TIMESTAMP}") | ||
| else | ||
| BUILD_TAGS=("${{ steps.labels.outputs.fedora_version }}" "${{ steps.labels.outputs.fedora_version }}-${TIMESTAMP}") | ||
| fi | ||
| if [[ "$IS_LATEST_VERSION" == "true" ]] && \ | ||
| [[ "$IS_STABLE_VERSION" == "true" ]]; then | ||
| BUILD_TAGS+=("testing") | ||
| echo "DEFAULT_TAG=testing" >> $GITHUB_ENV | ||
| elif [[ "$IS_GTS_VERSION" == "true" ]]; then | ||
| BUILD_TAGS+=("gts-testing") | ||
| echo "DEFAULT_TAG=gts-testing" >> $GITHUB_ENV | ||
| elif [[ "$IS_COREOS" == "true" ]]; then | ||
| echo "DEFAULT_TAG=stable-testing" >> $GITHUB_ENV | ||
| fi | ||
| else | ||
| if [[ "$IS_LATEST_VERSION" == "true" ]] && \ | ||
| [[ "$IS_STABLE_VERSION" == "true" ]]; then | ||
| BUILD_TAGS+=("latest") | ||
| echo "DEFAULT_TAG=latest" >> $GITHUB_ENV | ||
| elif [[ "$IS_GTS_VERSION" == "true" ]]; then | ||
| BUILD_TAGS+=("gts") | ||
| echo "DEFAULT_TAG=gts" >> $GITHUB_ENV | ||
| elif [[ "$IS_COREOS" == "true" ]]; then | ||
| echo "DEFAULT_TAG=stable" >> $GITHUB_ENV | ||
| fi | ||
| fi | ||
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | ||
| echo "Generated the following commit tags: " | ||
| for TAG in "${COMMIT_TAGS[@]}"; do | ||
| echo "${TAG}" | ||
| done | ||
| alias_tags=("${COMMIT_TAGS[@]}") | ||
| echo "DEFAULT_TAG=${SHA_SHORT}-${FEDORA_VERSION}" >> $GITHUB_ENV | ||
| else | ||
| alias_tags=("${BUILD_TAGS[@]}") | ||
| fi | ||
| echo "Generated the following build tags: " | ||
| for TAG in "${BUILD_TAGS[@]}"; do | ||
| echo "${TAG}" | ||
| done | ||
| echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT | ||
| # Build metadata | ||
| - name: Image Metadata | ||
| uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5 | ||
| id: meta | ||
| with: | ||
| images: | | ||
| ${{ env.IMAGE_NAME }} | ||
| labels: | | ||
| org.opencontainers.image.title=${{ env.IMAGE_NAME }} | ||
| org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} | ||
| org.opencontainers.image.description=An interpretation of the Ubuntu spirit built on Fedora technology | ||
| ostree.linux=${{ steps.labels.outputs.kernel_release }}.x86_64 | ||
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/bluefin/README.md | ||
| io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 | ||
| # Build image using Buildah action | ||
| - name: Build Image | ||
| id: build_image | ||
| if: github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request' | ||
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 | ||
| with: | ||
| containerfiles: | | ||
| ./Containerfile | ||
| image: ${{ env.IMAGE_NAME }} | ||
| tags: | | ||
| ${{ steps.generate-tags.outputs.alias_tags }} | ||
| build-args: | | ||
| BASE_IMAGE_NAME=${{ env.BASE_IMAGE_NAME }} | ||
| IMAGE_NAME=${{ env.IMAGE_NAME }} | ||
| IMAGE_FLAVOR=${{ env.image_flavor }} | ||
| IMAGE_VENDOR=${{ github.repository_owner }} | ||
| FEDORA_MAJOR_VERSION=${{ steps.labels.outputs.fedora_version }} | ||
| TARGET_BASE=${{ matrix.target_base }} | ||
| AKMODS_FLAVOR=${{ env.AKMODS_FLAVOR }} | ||
| COREOS_TYPE=${{ env.coreos_type }} | ||
| KERNEL=${{ steps.labels.outputs.kernel_release }} | ||
| UBLUE_IMAGE_TAG=${{ matrix.fedora_version }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| oci: false | ||
| # TODO(GH-280) | ||
| # extra-args: | | ||
| # --target=${{ matrix.target_name || matrix.base_name }} | ||
| extra-args: | | ||
| --target=${{ env.TARGET_NAME }} | ||
| - name: Sign kernel | ||
| uses: ublue-os/kernel-signer@ba1d52542bbfd0db42a528f52a114e12667169e5 # v0.2.3 | ||
| if: github.event_name != 'pull_request' | ||
| with: | ||
| image: ${{ steps.build_image.outputs.image }} | ||
| default-tag: ${{ env.DEFAULT_TAG }} | ||
| privkey: ${{ secrets.AKMOD_PRIVKEY_20230518 }} | ||
| pubkey: /etc/pki/akmods/certs/akmods-ublue.der | ||
| tags: ${{ steps.build_image.outputs.tags }} | ||
| kernel_suffix: ${{ env.KERNEL_SUFFIX }} | ||
| strip: false | ||
| # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | ||
| # https://github.com/macbre/push-to-ghcr/issues/12 | ||
| - name: Lowercase Registry | ||
| id: registry_case | ||
| uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 | ||
| with: | ||
| string: ${{ env.IMAGE_REGISTRY }} | ||
| # Push the image to GHCR (Image Registry) | ||
| - name: Push To GHCR | ||
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | ||
| id: push | ||
| if: github.event_name != 'pull_request' | ||
| env: | ||
| REGISTRY_USER: ${{ github.actor }} | ||
| REGISTRY_PASSWORD: ${{ github.token }} | ||
| with: | ||
| image: ${{ steps.build_image.outputs.image }} | ||
| tags: ${{ steps.build_image.outputs.tags }} | ||
| registry: ${{ steps.registry_case.outputs.lowercase }} | ||
| username: ${{ env.REGISTRY_USER }} | ||
| password: ${{ env.REGISTRY_PASSWORD }} | ||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 | ||
| if: github.event_name != 'pull_request' | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| # Sign container | ||
| - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | ||
| if: github.event_name != 'pull_request' | ||
| - name: Sign container image | ||
| if: github.event_name != 'pull_request' | ||
| run: | | ||
| cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} | ||
| env: | ||
| TAGS: ${{ steps.push.outputs.digest }} | ||
| COSIGN_EXPERIMENTAL: false | ||
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | ||
| - name: Generate file containing outputs | ||
| if: github.event_name != 'pull_request' | ||
| env: | ||
| DIGEST: ${{ steps.push.outputs.digest }} | ||
| IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | ||
| IMAGE_NAME: ${{ env.IMAGE_NAME }} | ||
| IMAGE_FLAVOR: ${{ env.image_flavor }} | ||
| FEDORA_VERSION: ${{ matrix.fedora_version }} | ||
| run: echo "${IMAGE_REGISTRY}@${DIGEST}" > "${IMAGE_NAME}-${IMAGE_FLAVOR}-${FEDORA_VERSION}.txt" | ||
| - name: Upload artifact | ||
| if: github.event_name != 'pull_request' | ||
| uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 | ||
| with: | ||
| name: image-${{ env.IMAGE_NAME }}-${{ env.image_flavor }}-${{ matrix.fedora_version }} | ||
| retention-days: 1 | ||
| if-no-files-found: error | ||
| path: | | ||
| ${{ env.IMAGE_NAME }}-${{ env.image_flavor }}-${{ matrix.fedora_version }}.txt | ||
| check: | ||
| name: Check all ${{ inputs.brand_name }} ${{ inputs.fedora_version }} builds successful | ||
| if: always() | ||
| runs-on: ubuntu-latest | ||
| needs: [build_container] | ||
| outputs: | ||
| images: ${{ steps.generate-outputs.outputs.images }} | ||
| steps: | ||
| - name: Download artifacts | ||
| if: github.event_name != 'pull_request' | ||
| id: download-artifacts | ||
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 | ||
| with: | ||
| pattern: image-* | ||
| merge-multiple: true | ||
| - name: Create output | ||
| if: github.event_name != 'pull_request' | ||
| id: generate-outputs | ||
| env: | ||
| JOBS: ${{ toJson(needs) }} | ||
| ARTIFACT_PATH: ${{ steps.download-artifacts.outputs.download-path }} | ||
| run: | | ||
| # Initialize the array | ||
| images=() | ||
| # Populate the array with each line from each file in the artifacts directory | ||
| for file in $ARTIFACT_PATH/*; do | ||
| while IFS= read -r line; do | ||
| images+=("$line") | ||
| done < "$file" | ||
| done | ||
| # Create the GITHUB_OUTPUT in the format '["image1", "image2", ...]' | ||
| echo "images=$(printf '%s\n' "${images[@]}" | jq -R -s -c 'split("\n") | .[:-1]')" >> $GITHUB_OUTPUT | ||
| - name: Check Jobs | ||
| env: | ||
| JOBS: ${{ toJson(needs) }} | ||
| run: | | ||
| echo "Job status:" | ||
| echo $JOBS | jq -r 'to_entries[] | " - \(.key): \(.value.result)"' | ||
| for i in $(echo $JOBS | jq -r 'to_entries[] | .value.result'); do | ||
| if [ "$i" != "success" ] && [ "$i" != "skipped" ]; then | ||
| echo "" | ||
| echo "Status check not okay!" | ||
| exit 1 | ||
| fi | ||
| done | ||
| # build_iso: | ||
| # name: iso | ||
| # needs: [check] | ||
| # if: github.ref_name == 'testing' && inputs.fedora_version != '40' | ||
| # # Eventually would be nice for building images in PRs | ||
| # #if: ${{ endsWith(github.event.pull_request.title, '[ISO]') }} | ||
| # uses: ./.github/workflows/reusable-build-iso.yml | ||
| # secrets: inherit | ||
| # with: | ||
| # brand_name: ${{ inputs.brand_name }} | ||
| # fedora_version: ${{ inputs.fedora_version }} | ||
