Adjustments

2025-05-03 00:26:31 +02:00 · 2025-05-03 00:26:31 +02:00 · eaa26205bb
commit eaa26205bb
parent 68942d6221
5 changed files with 294 additions and 1 deletions
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@ -0,0 +1,103 @@
 ---
 name: Build ISOs
 on:
  workflow_dispatch:
    inputs:
      upload-to-s3:
        description: "Upload to S3"
        required: false
        default: false
        type: boolean
      platform:
        required: true
        type: choice
        options:
          - amd64
          - arm64
  pull_request:
    branches:
      - main
    paths:
      - './iso.toml'
      - './.github/workflows/build-iso.yml'
      - './Justfile'
 env:
  IMAGE_REGISTRY: "ghcr.io/${{ github.repository }}"
  DEFAULT_TAG: "latest"
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  build:
    name: Build ISOs
    runs-on: ${{ inputs.platform == 'amd64' && 'ubuntu-24.04' || 'ubuntu-24.04-arm' }}
    strategy:
      fail-fast: false
    permissions:
      contents: read
      packages: read
      id-token: write
    steps:
      - name: lower case the image registry in case of any capitalization
        run: |
          echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV}
      - name: Install dependencies
        if: inputs.platform == 'arm64'
        run: |
          set -x
          sudo apt update -y
          sudo apt install -y \
            podman
      - name: Maximize build space
        if: inputs.platform != 'arm64'
        uses: ublue-os/remove-unwanted-software@cc0becac701cf642c8f0a6613bbdaf5dc36b259e # v9
        with:
          remove-codeql: true
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Setup Just
        uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3
      - name: Build ISO
        id: build
        uses: ublue-os/bootc-image-builder-action@main
        with:
          bootc-image-builder-image: ghcr.io/centos-workstation/bootc-image-builder:latest
          use-librepo: true
          config-file: ./iso.toml
          image: ${{ env.IMAGE_REGISTRY }}:${{ env.DEFAULT_TAG }}
      - name: Upload ISOs and Checksum to Job Artifacts
        if: inputs.upload-to-s3 != true && github.event_name != 'pull_request'
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          path: ${{ steps.build.outputs.output-directory }}
          if-no-files-found: error
          retention-days: 0
          compression-level: 0
          overwrite: true
      - name: Upload to S3
        if: inputs.upload-to-s3 == true && github.event_name != 'pull_request'
        shell: bash
        env:
          RCLONE_CONFIG_S3_TYPE: s3
          RCLONE_CONFIG_S3_PROVIDER: ${{ secrets.S3_PROVIDER }}
          RCLONE_CONFIG_S3_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY_ID }}
          RCLONE_CONFIG_S3_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }}
          RCLONE_CONFIG_S3_REGION: ${{ secrets.S3_REGION }}
          RCLONE_CONFIG_S3_ENDPOINT: ${{ secrets.S3_ENDPOINT }}
          SOURCE_DIR: ${{ steps.build.outputs.output-directory }}
        run: |
          sudo apt-get update
          sudo apt-get install -y rclone
          rclone copy $SOURCE_DIR S3:${{ secrets.S3_BUCKET_NAME }}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,182 @@
 ---
 name: Build Custom Image
 on:
  pull_request:
    branches:
      - main
  schedule:
    - cron: '05 10 * * *'  # 10:05am UTC everyday
  push:
    branches:
      - main
    paths-ignore:
      - '**/README.md'
  workflow_dispatch:
 env:
  IMAGE_NAME: "${{ github.event.repository.name }}"  # the name of the image produced by this build, matches repo names
  IMAGE_DESC: "My Customized Universal Blue Image"
  IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}"  # do not edit
  ARTIFACTHUB_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4"  # You should put your own image here so that you get a fancy profile image on https://artifacthub.io/!
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }}
  cancel-in-progress: true
 jobs:
  build_push:
    name: Build and push image
    runs-on: [dev]
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      # These stage versions are pinned by https://github.com/renovatebot/renovate
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      # This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines:
      # - name: Maximize build space
      #   uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7
      #   with:
      #     remove-codeql: true
      - name: Get current date
        id: date
        run: |
          # This generates a timestamp like what is defined on the ArtifactHub documentation
          # E.G: 2022-02-08T15:38:15Z'
          # https://artifacthub.io/docs/topics/repositories/container-images/
          # https://linux.die.net/man/1/date
          echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT
      # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images
      # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not.
      - name: Image Metadata
        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
        id: metadata
        with:
          # This generates all the tags for your image, you can add custom tags here too!
          # By default, it should generate "latest" and "latest.(date here)".
          tags: |
            type=raw,value=latest
            type=raw,value=latest.{{date 'YYYYMMDD'}}
            type=raw,value={{date 'YYYYMMDD'}}
            type=sha,enable=${{ github.event_name == 'pull_request' }}
            type=ref,event=pr
          labels: |
            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
            org.opencontainers.image.created=${{ steps.date.outputs.date }}
            org.opencontainers.image.description=${{ env.IMAGE_DESC }}
            org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
            org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
            org.opencontainers.image.vendor=${{ github.repository_owner }}
            org.opencontainers.image.version=latest
            io.artifacthub.package.deprecated=false
            io.artifacthub.package.keywords=bootc,ublue,universal-blue
            io.artifacthub.package.license=Apache-2.0
            io.artifacthub.package.logo-url=${{ env.ARTIFACTHUB_LOGO_URL }}
            io.artifacthub.package.prerelease=false
            containers.bootc=1
          sep-tags: " "
          sep-annotations: " "
      - name: Build Image
        id: build_image
        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
        with:
          containerfiles: |
            ./Containerfile
          # Postfix image name with -custom to make it a little more descriptive
          # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format
          image: ${{ env.IMAGE_NAME }}
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          oci: false
      # Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published.
      # This does not make your image faster to download, just provides better resumability and fixes a few errors.
      # Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk
      # You can enable it by uncommenting the following lines:
      # - name: Run Rechunker
      #   id: rechunk
      #   uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1
      #   with:
      #     rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1'
      #     ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
      #     prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
      #     skip_compression: true
      #     version: ${{ env.CENTOS_VERSION }}
      #     labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator
      # This is necessary so that the podman socket can find the rechunked image on its storage
      # - name: Load in podman and tag
      #   run: |
      #     IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
      #     sudo rm -rf ${{ steps.rechunk.outputs.output }}
      #     for tag in ${{ steps.metadata.outputs.tags }}; do
      #       podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
      #     done
      # These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing
      # They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work
      - name: Login to GitHub Container Registry
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
        if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
      # https://github.com/macbre/push-to-ghcr/issues/12
      - name: Lowercase Registry
        id: registry_case
        uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6
        with:
          string: ${{ env.IMAGE_REGISTRY }}
      - name: Lowercase Image
        id: image_case
        uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6
        with:
          string: ${{ env.IMAGE_NAME }}
      - name: Push To GHCR
        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
        if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
        id: push
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ github.token }}
        with:
          registry: ${{ steps.registry_case.outputs.lowercase }}
          image: ${{ steps.image_case.outputs.lowercase }}
          tags: ${{ steps.metadata.outputs.tags }}
          username: ${{ env.REGISTRY_USER }}
          password: ${{ env.REGISTRY_PASSWORD }}
      # This section is optional and only needs to be enabled if you plan on distributing
      # your project for others to consume. You will need to create a public and private key
      # using Cosign and save the private key as a repository secret in Github for this workflow
      # to consume. For more details, review the image signing section of the README.
      - name: Install Cosign
        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
        if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
      - name: Sign container image
        if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
        run: |
          IMAGE_FULL="${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}"
          for tag in ${{ steps.metadata.outputs.tags }}; do
            cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag
          done
        env:
          TAGS: ${{ steps.push.outputs.digest }}
          COSIGN_EXPERIMENTAL: false
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
--- a/build_files/build.sh
+++ b/build_files/build.sh
@ -9,6 +9,9 @@ set -ouex pipefail
 # List of rpmfusion packages can be found here:
 # https://mirrors.rpmfusion.org/mirrorlist?path=free/fedora/updates/39/x86_64/repoview/index.html&protocol=https&redirect=1
 # System packages
 dnf5 install -y lvm2 mdadm
 # Basic packages
 dnf5 install -y fish htop podman-compose podman-docker tmux vim systemd-networkd
 dnf5 remove -y NetworkManager
@ -22,4 +25,5 @@ dnf5 install -y distrobox edk2-ovmf incus qemu-system-x86 swtpm zstd
 systemctl enable podman.socket
 systemctl enable incus-startup
 systemctl enable incus
 systemctl enable systemd-networkd
--- a/cosign.pub
+++ b/cosign.pub
@ -0,0 +1,4 @@
 -----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbnoxWtOVzk5wXKoVnHg9duBWbWrd
 2EpWXS3igbFdgApqP6zmijyR/WGZ8PT3l12oSE+eyUrD3bsTbruNlcon+Q==
 -----END PUBLIC KEY-----
--- a/iso.toml
+++ b/iso.toml
@ -1,7 +1,7 @@
 [customizations.installer.kickstart]
 contents = """
 %post
-bootc switch --mutate-in-place --transport registry ghcr.io/yourrepo/yourimage:latest
+bootc switch --mutate-in-place --transport registry gitea.ceperka.net/cx/fedora-coreos-incus-image:42
 %end
 """