From eaa26205bb8a2870049716c1f309c3ca92d49fd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adam=20=C5=A0trauch?= Date: Sat, 3 May 2025 00:26:31 +0200 Subject: [PATCH] Adjustments --- .github/workflows/build-iso.yml | 103 ++++++++++++++++++ .github/workflows/build.yml | 182 ++++++++++++++++++++++++++++++++ build_files/build.sh | 4 + cosign.pub | 4 + iso.toml | 2 +- 5 files changed, 294 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/build-iso.yml create mode 100644 .github/workflows/build.yml create mode 100644 cosign.pub diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml new file mode 100644 index 0000000..b8aa38e --- /dev/null +++ b/.github/workflows/build-iso.yml @@ -0,0 +1,103 @@ +--- +name: Build ISOs + +on: + workflow_dispatch: + inputs: + upload-to-s3: + description: "Upload to S3" + required: false + default: false + type: boolean + platform: + required: true + type: choice + options: + - amd64 + - arm64 + pull_request: + branches: + - main + paths: + - './iso.toml' + - './.github/workflows/build-iso.yml' + - './Justfile' + +env: + IMAGE_REGISTRY: "ghcr.io/${{ github.repository }}" + DEFAULT_TAG: "latest" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref || github.run_id }} + cancel-in-progress: true + +jobs: + build: + name: Build ISOs + runs-on: ${{ inputs.platform == 'amd64' && 'ubuntu-24.04' || 'ubuntu-24.04-arm' }} + strategy: + fail-fast: false + permissions: + contents: read + packages: read + id-token: write + + steps: + - name: lower case the image registry in case of any capitalization + run: | + echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV} + + - name: Install dependencies + if: inputs.platform == 'arm64' + run: | + set -x + sudo apt update -y + sudo apt install -y \ + podman + + - name: Maximize build space + if: inputs.platform != 'arm64' + uses: ublue-os/remove-unwanted-software@cc0becac701cf642c8f0a6613bbdaf5dc36b259e # v9 + with: + remove-codeql: true + + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + - name: Setup Just + uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3 + + - name: Build ISO + id: build + uses: ublue-os/bootc-image-builder-action@main + with: + bootc-image-builder-image: ghcr.io/centos-workstation/bootc-image-builder:latest + use-librepo: true + config-file: ./iso.toml + image: ${{ env.IMAGE_REGISTRY }}:${{ env.DEFAULT_TAG }} + + - name: Upload ISOs and Checksum to Job Artifacts + if: inputs.upload-to-s3 != true && github.event_name != 'pull_request' + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + path: ${{ steps.build.outputs.output-directory }} + if-no-files-found: error + retention-days: 0 + compression-level: 0 + overwrite: true + + - name: Upload to S3 + if: inputs.upload-to-s3 == true && github.event_name != 'pull_request' + shell: bash + env: + RCLONE_CONFIG_S3_TYPE: s3 + RCLONE_CONFIG_S3_PROVIDER: ${{ secrets.S3_PROVIDER }} + RCLONE_CONFIG_S3_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY_ID }} + RCLONE_CONFIG_S3_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }} + RCLONE_CONFIG_S3_REGION: ${{ secrets.S3_REGION }} + RCLONE_CONFIG_S3_ENDPOINT: ${{ secrets.S3_ENDPOINT }} + SOURCE_DIR: ${{ steps.build.outputs.output-directory }} + run: | + sudo apt-get update + sudo apt-get install -y rclone + rclone copy $SOURCE_DIR S3:${{ secrets.S3_BUCKET_NAME }} \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..a83dcf9 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,182 @@ +--- +name: Build Custom Image +on: + pull_request: + branches: + - main + schedule: + - cron: '05 10 * * *' # 10:05am UTC everyday + push: + branches: + - main + paths-ignore: + - '**/README.md' + workflow_dispatch: + +env: + IMAGE_NAME: "${{ github.event.repository.name }}" # the name of the image produced by this build, matches repo names + IMAGE_DESC: "My Customized Universal Blue Image" + IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit + ARTIFACTHUB_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4" # You should put your own image here so that you get a fancy profile image on https://artifacthub.io/! + +concurrency: + group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} + cancel-in-progress: true + +jobs: + build_push: + name: Build and push image + runs-on: [dev] + + permissions: + contents: read + packages: write + id-token: write + + steps: + # These stage versions are pinned by https://github.com/renovatebot/renovate + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + # This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines: + # - name: Maximize build space + # uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 + # with: + # remove-codeql: true + + - name: Get current date + id: date + run: | + # This generates a timestamp like what is defined on the ArtifactHub documentation + # E.G: 2022-02-08T15:38:15Z' + # https://artifacthub.io/docs/topics/repositories/container-images/ + # https://linux.die.net/man/1/date + echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT + + # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images + # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. + - name: Image Metadata + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5 + id: metadata + with: + # This generates all the tags for your image, you can add custom tags here too! + # By default, it should generate "latest" and "latest.(date here)". + tags: | + type=raw,value=latest + type=raw,value=latest.{{date 'YYYYMMDD'}} + type=raw,value={{date 'YYYYMMDD'}} + type=sha,enable=${{ github.event_name == 'pull_request' }} + type=ref,event=pr + labels: | + io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md + org.opencontainers.image.created=${{ steps.date.outputs.date }} + org.opencontainers.image.description=${{ env.IMAGE_DESC }} + org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md + org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile + org.opencontainers.image.title=${{ env.IMAGE_NAME }} + org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} + org.opencontainers.image.vendor=${{ github.repository_owner }} + org.opencontainers.image.version=latest + io.artifacthub.package.deprecated=false + io.artifacthub.package.keywords=bootc,ublue,universal-blue + io.artifacthub.package.license=Apache-2.0 + io.artifacthub.package.logo-url=${{ env.ARTIFACTHUB_LOGO_URL }} + io.artifacthub.package.prerelease=false + containers.bootc=1 + sep-tags: " " + sep-annotations: " " + + - name: Build Image + id: build_image + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 + with: + containerfiles: | + ./Containerfile + # Postfix image name with -custom to make it a little more descriptive + # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format + image: ${{ env.IMAGE_NAME }} + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + oci: false + + # Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published. + # This does not make your image faster to download, just provides better resumability and fixes a few errors. + # Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk + # You can enable it by uncommenting the following lines: + # - name: Run Rechunker + # id: rechunk + # uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1 + # with: + # rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1' + # ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" + # prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" + # skip_compression: true + # version: ${{ env.CENTOS_VERSION }} + # labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator + + # This is necessary so that the podman socket can find the rechunked image on its storage + # - name: Load in podman and tag + # run: | + # IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) + # sudo rm -rf ${{ steps.rechunk.outputs.output }} + # for tag in ${{ steps.metadata.outputs.tags }}; do + # podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag + # done + + # These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing + # They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work + - name: Login to GitHub Container Registry + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. + # https://github.com/macbre/push-to-ghcr/issues/12 + - name: Lowercase Registry + id: registry_case + uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 + with: + string: ${{ env.IMAGE_REGISTRY }} + + - name: Lowercase Image + id: image_case + uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 + with: + string: ${{ env.IMAGE_NAME }} + + - name: Push To GHCR + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + id: push + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + with: + registry: ${{ steps.registry_case.outputs.lowercase }} + image: ${{ steps.image_case.outputs.lowercase }} + tags: ${{ steps.metadata.outputs.tags }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + + # This section is optional and only needs to be enabled if you plan on distributing + # your project for others to consume. You will need to create a public and private key + # using Cosign and save the private key as a repository secret in Github for this workflow + # to consume. For more details, review the image signing section of the README. + - name: Install Cosign + uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + + - name: Sign container image + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + run: | + IMAGE_FULL="${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}" + for tag in ${{ steps.metadata.outputs.tags }}; do + cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag + done + env: + TAGS: ${{ steps.push.outputs.digest }} + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} diff --git a/build_files/build.sh b/build_files/build.sh index 46118df..7824b21 100755 --- a/build_files/build.sh +++ b/build_files/build.sh @@ -9,6 +9,9 @@ set -ouex pipefail # List of rpmfusion packages can be found here: # https://mirrors.rpmfusion.org/mirrorlist?path=free/fedora/updates/39/x86_64/repoview/index.html&protocol=https&redirect=1 +# System packages +dnf5 install -y lvm2 mdadm + # Basic packages dnf5 install -y fish htop podman-compose podman-docker tmux vim systemd-networkd dnf5 remove -y NetworkManager @@ -22,4 +25,5 @@ dnf5 install -y distrobox edk2-ovmf incus qemu-system-x86 swtpm zstd systemctl enable podman.socket systemctl enable incus-startup +systemctl enable incus systemctl enable systemd-networkd diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 0000000..10e4308 --- /dev/null +++ b/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbnoxWtOVzk5wXKoVnHg9duBWbWrd +2EpWXS3igbFdgApqP6zmijyR/WGZ8PT3l12oSE+eyUrD3bsTbruNlcon+Q== +-----END PUBLIC KEY----- diff --git a/iso.toml b/iso.toml index 21b6913..69b8cf4 100644 --- a/iso.toml +++ b/iso.toml @@ -1,7 +1,7 @@ [customizations.installer.kickstart] contents = """ %post -bootc switch --mutate-in-place --transport registry ghcr.io/yourrepo/yourimage:latest +bootc switch --mutate-in-place --transport registry gitea.ceperka.net/cx/fedora-coreos-incus-image:42 %end """