generated from ublue-os/image-template
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Rework build to use the latest version of the image
template. Much cleaner than before.
- Loading branch information
Showing
10 changed files
with
461 additions
and
245 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| { | ||
| "$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
| "extends": [ | ||
| "config:recommended" | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,157 +1,176 @@ | ||
| --- | ||
| name: build-ublue-custom | ||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| schedule: | ||
| - cron: '00 10 * * 01' # 10:00am UTC (2am Pacific) every Monday | ||
| push: | ||
| branches: | ||
| - main | ||
| paths-ignore: | ||
| - '**/README.md' | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| MY_IMAGE_NAME: "${{ github.event.repository.name }}" # the name of the image produced by this build, matches repo names | ||
| MY_IMAGE_DESC: "HyprBlue Custom Image, based on bluefin-dx-nvidia" | ||
| IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| build_push: | ||
| name: Build And Push Image | ||
| runs-on: ubuntu-24.04 | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
|
|
||
| steps: | ||
| # Checkout push-to-registry action GitHub repository | ||
| - name: Checkout Push To Registry Action | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Maximize Build Space | ||
| uses: ublue-os/remove-unwanted-software@v8 | ||
|
|
||
| - name: Generate Tags | ||
| id: generate-tags | ||
| shell: bash | ||
| run: | | ||
| # Generate a timestamp for creating an image version history | ||
| TIMESTAMP="$(date +%Y%m%d)" | ||
| COMMIT_TAGS=() | ||
| BUILD_TAGS=() | ||
| # Have tags for tracking builds during pull request | ||
| SHA_SHORT="${GITHUB_SHA::7}" | ||
| COMMIT_TAGS+=("pr-${{ github.event.number }}") | ||
| COMMIT_TAGS+=("${SHA_SHORT}") | ||
| # Append matching timestamp tags to keep a version history | ||
| for TAG in "${BUILD_TAGS[@]}"; do | ||
| BUILD_TAGS+=("${TAG}-${TIMESTAMP}") | ||
| done | ||
| BUILD_TAGS+=("${TIMESTAMP}") | ||
| BUILD_TAGS+=("latest") | ||
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | ||
| echo "Generated the following commit tags: " | ||
| for TAG in "${COMMIT_TAGS[@]}"; do | ||
| echo "${TAG}" | ||
| name: Build HyprBlue Custom Image | ||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| schedule: | ||
| - cron: '05 10 * * *' # 10:05am UTC everyday to pull latest from parent image | ||
| push: | ||
| branches: | ||
| - main | ||
| paths-ignore: | ||
| - '**/README.md' | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| IMAGE_NAME: "${{ github.event.repository.name }}" # the name of the image produced by this build, matches repo names | ||
| MY_IMAGE_DESC: "HyprBlue Custom Image, based on bluefin-dx-nvidia" | ||
| IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit | ||
| ARTIFACTHUB_LOGO_URL: "https://avatars.githubusercontent.com/u/11263?s=200&v=4" | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| build_push: | ||
| name: Build and push image | ||
| runs-on: ubuntu-24.04 | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
|
|
||
| steps: | ||
| # These stage versions are pinned by https://github.com/renovatebot/renovate | ||
| - name: Checkout | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
|
|
||
| # This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines: | ||
| # - name: Maximize build space | ||
| # uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 | ||
| # with: | ||
| # remove-codeql: true | ||
|
|
||
| - name: Get current date | ||
| id: date | ||
| run: | | ||
| # This generates a timestamp like what is defined on the ArtifactHub documentation | ||
| # E.G: 2022-02-08T15:38:15Z' | ||
| # https://artifacthub.io/docs/topics/repositories/container-images/ | ||
| # https://linux.die.net/man/1/date | ||
| echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT | ||
| # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images | ||
| # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. | ||
| - name: Image Metadata | ||
| uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 | ||
| id: metadata | ||
| with: | ||
| # This generates all the tags for your image, you can add custom tags here too! | ||
| # By default, it should generate "latest" and "latest.(date here)". | ||
| tags: | | ||
| type=raw,value=latest | ||
| type=raw,value=latest.{{date 'YYYYMMDD'}} | ||
| type=raw,value={{date 'YYYYMMDD'}} | ||
| type=sha,enable=${{ github.event_name == 'pull_request' }} | ||
| type=ref,event=pr | ||
| labels: | | ||
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md | ||
| org.opencontainers.image.created=${{ steps.date.outputs.date }} | ||
| org.opencontainers.image.description=${{ env.IMAGE_DESC }} | ||
| org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md | ||
| org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile | ||
| org.opencontainers.image.title=${{ env.IMAGE_NAME }} | ||
| org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} | ||
| org.opencontainers.image.vendor=${{ github.repository_owner }} | ||
| org.opencontainers.image.version=latest | ||
| io.artifacthub.package.deprecated=false | ||
| io.artifacthub.package.keywords=bootc,ublue,universal-blue | ||
| io.artifacthub.package.license=Apache-2.0 | ||
| io.artifacthub.package.logo-url=${{ env.ARTIFACTHUB_LOGO_URL }} | ||
| io.artifacthub.package.prerelease=false | ||
| containers.bootc=1 | ||
| sep-tags: " " | ||
| sep-annotations: " " | ||
|
|
||
| - name: Build Image | ||
| id: build_image | ||
| uses: redhat-actions/buildah-build@v2 | ||
| with: | ||
| containerfiles: | | ||
| ./Containerfile | ||
| # Postfix image name with -custom to make it a little more descriptive | ||
| # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format | ||
| image: ${{ env.IMAGE_NAME }} | ||
| tags: ${{ steps.metadata.outputs.tags }} | ||
| labels: ${{ steps.metadata.outputs.labels }} | ||
| oci: false | ||
|
|
||
| # Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published. | ||
| # This does not make your image faster to download, just provides better resumability and fixes a few errors. | ||
| # Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk | ||
| # You can enable it by uncommenting the following lines: | ||
| # - name: Run Rechunker | ||
| # id: rechunk | ||
| # uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1 | ||
| # with: | ||
| # rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1' | ||
| # ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" | ||
| # prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" | ||
| # skip_compression: true | ||
| # version: ${{ env.CENTOS_VERSION }} | ||
| # labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator | ||
|
|
||
| # This is necessary so that the podman socket can find the rechunked image on its storage | ||
| # - name: Load in podman and tag | ||
| # run: | | ||
| # IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) | ||
| # sudo rm -rf ${{ steps.rechunk.outputs.output }} | ||
| # for tag in ${{ steps.metadata.outputs.tags }}; do | ||
| # podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag | ||
| # done | ||
|
|
||
| # These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing | ||
| # They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work | ||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | ||
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | ||
| # https://github.com/macbre/push-to-ghcr/issues/12 | ||
| - name: Lowercase Registry | ||
| id: registry_case | ||
| uses: ASzc/change-string-case-action@v6 | ||
| with: | ||
| string: ${{ env.IMAGE_REGISTRY }} | ||
|
|
||
| - name: Push To GHCR | ||
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | ||
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | ||
| id: push | ||
| env: | ||
| REGISTRY_USER: ${{ github.actor }} | ||
| REGISTRY_PASSWORD: ${{ github.token }} | ||
| with: | ||
| registry: ${{ steps.registry_case.outputs.lowercase }} | ||
| image: ${{ env.IMAGE_NAME }} | ||
| tags: ${{ steps.metadata.outputs.tags }} | ||
| username: ${{ env.REGISTRY_USER }} | ||
| password: ${{ env.REGISTRY_PASSWORD }} | ||
|
|
||
| # This section is optional and only needs to be enabled if you plan on distributing | ||
| # your project for others to consume. You will need to create a public and private key | ||
| # using Cosign and save the private key as a repository secret in Github for this workflow | ||
| # to consume. For more details, review the image signing section of the README. | ||
| - name: Install Cosign | ||
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | ||
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | ||
|
|
||
| - name: Sign container image | ||
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | ||
| run: | | ||
| IMAGE_FULL="${{ steps.registry_case.outputs.lowercase }}/${IMAGE_NAME}" | ||
| for tag in ${{ steps.metadata.outputs.tags }}; do | ||
| cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag | ||
| done | ||
| alias_tags=("${COMMIT_TAGS[@]}") | ||
| else | ||
| alias_tags=("${BUILD_TAGS[@]}") | ||
| fi | ||
| echo "Generated the following build tags: " | ||
| for TAG in "${BUILD_TAGS[@]}"; do | ||
| echo "${TAG}" | ||
| done | ||
| echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT | ||
| # Build metadata | ||
| - name: Image Metadata | ||
| uses: docker/metadata-action@v5 | ||
| id: meta | ||
| with: | ||
| images: | | ||
| ${{ env.MY_IMAGE_NAME }} | ||
| labels: | | ||
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md | ||
| org.opencontainers.image.description=${{ env.MY_IMAGE_DESC }} | ||
| org.opencontainers.image.title=${{ env.MY_IMAGE_NAME }} | ||
| # Build image using Buildah action | ||
| - name: Build Image | ||
| id: build_image | ||
| uses: redhat-actions/buildah-build@v2 | ||
| with: | ||
| containerfiles: | | ||
| ./Containerfile | ||
| # Postfix image name with -custom to make it a little more descriptive | ||
| # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format | ||
| image: ${{ env.MY_IMAGE_NAME }} | ||
| tags: | | ||
| ${{ steps.generate-tags.outputs.alias_tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| oci: false | ||
|
|
||
| # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | ||
| # https://github.com/macbre/push-to-ghcr/issues/12 | ||
| - name: Lowercase Registry | ||
| id: registry_case | ||
| uses: ASzc/change-string-case-action@v6 | ||
| with: | ||
| string: ${{ env.IMAGE_REGISTRY }} | ||
|
|
||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Push Image to GHCR | ||
| uses: redhat-actions/push-to-registry@v2 | ||
| id: push | ||
| env: | ||
| REGISTRY_USER: ${{ github.actor }} | ||
| REGISTRY_PASSWORD: ${{ github.token }} | ||
| with: | ||
| image: ${{ steps.build_image.outputs.image }} | ||
| tags: ${{ steps.build_image.outputs.tags }} | ||
| registry: ${{ steps.registry_case.outputs.lowercase }} | ||
| username: ${{ env.REGISTRY_USER }} | ||
| password: ${{ env.REGISTRY_PASSWORD }} | ||
| extra-args: | | ||
| --compression-format=zstd | ||
| # This section is optional and only needs to be enabled if you plan on distributing | ||
| # your project for others to consume. You will need to create a public and private key | ||
| # using Cosign and save the private key as a repository secret in Github for this workflow | ||
| # to consume. For more details, review the image signing section of the README. | ||
|
|
||
| # Sign container | ||
| - uses: sigstore/[email protected] | ||
| if: github.event_name != 'pull_request' | ||
|
|
||
| - name: Sign Container Image | ||
| if: github.event_name != 'pull_request' | ||
| run: | | ||
| cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} | ||
| env: | ||
| TAGS: ${{ steps.push.outputs.digest }} | ||
| COSIGN_EXPERIMENTAL: false | ||
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | ||
| env: | ||
| TAGS: ${{ steps.push.outputs.digest }} | ||
| COSIGN_EXPERIMENTAL: false | ||
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,2 @@ | ||
| cosign.key | ||
| _build_* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,54 +1,8 @@ | ||
|
|
||
| ## BUILD ARGS | ||
| # These allow changing the produced image by passing different build args to adjust | ||
| # the source from which your image is built. | ||
| # Build args can be provided on the commandline when building locally with: | ||
| # podman build -f Containerfile --build-arg FEDORA_VERSION=40 -t local-image | ||
|
|
||
| # SOURCE_IMAGE arg can be anything from ublue upstream which matches your desired version: | ||
| # See list here: https://github.com/orgs/ublue-os/packages?repo_name=main | ||
| # - "silverblue" | ||
| # - "kinoite" | ||
| # - "sericea" | ||
| # - "onyx" | ||
| # - "lazurite" | ||
| # - "vauxite" | ||
| # - "base" | ||
| # | ||
| # "aurora", "bazzite", "bluefin" or "ucore" may also be used but have different suffixes. | ||
| ARG SOURCE_IMAGE="bluefin" | ||
|
|
||
| # SOURCE_SUFFIX arg should include a hyphen and the appropriate suffix name. | ||
| # These examples all work for silverblue/kinoite/sericea/onyx/lazurite/vauxite/base | ||
| # - "-main" | ||
| # - "-nvidia" | ||
| # - "-asus" | ||
| # - "-asus-nvidia" | ||
| # - "-surface" | ||
| # - "-surface-nvidia" | ||
| # | ||
| # aurora, bazzite and bluefin each have unique suffixes. Please check the specific image. | ||
| # ucore has the following possible suffixes: | ||
| # | ||
| # -nvidia | ||
| # -zfs | ||
| # -nvidia-zfs | ||
| ARG SOURCE_SUFFIX="-dx-nvidia" | ||
| # ARG SOURCE_SUFFIX="-dx" | ||
|
|
||
| # SOURCE_TAG arg must be a version built for the specific image: eg, 39, 40, gts, latest | ||
| ARG SOURCE_TAG="latest" | ||
|
|
||
| ## BUILD IMAGE | ||
|
|
||
| FROM ghcr.io/ublue-os/${SOURCE_IMAGE}${SOURCE_SUFFIX}:${SOURCE_TAG} | ||
| FROM ghcr.io/ublue-os/bluefin-dx-nvidia:latest | ||
|
|
||
| COPY build.sh install-chrome.sh /tmp/ | ||
|
|
||
| RUN mkdir -p /var/lib/alternatives && \ | ||
| /tmp/build.sh && \ | ||
| ostree container commit | ||
| # NOTES: | ||
| # - /var/lib/alternatives is required to prevent failure with some RPM installs | ||
| # - All RUN commands must end with ostree container commit | ||
| # see: https://coreos.github.io/rpm-ostree/container/#using-ostree-container-commit | ||
| ostree container commit && \ | ||
| bootc container lint |
Oops, something went wrong.