[pull] live from template #152

Workflow file for this run

	# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds.
	# The images are also built after pushing changes or pull requests.
	# The builds can also be triggered manually in the Actions tab thanks to workflow dispatch.
	# Only the branch called `live` is published.


	name: build-ublue
	on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
	schedule:
	- cron: "30 16 * * *"
	push:
	branches:
	- live
	- template
	- main
	paths-ignore: # don't rebuild if only documentation has changed
	- "**.md"
	pull_request:
	workflow_dispatch:

	env:
	IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}

	# Only deploys the branch named "live". Ignores all other branches, to allow
	# having "development" branches without interfering with GHCR image uploads.
	jobs:
	push-ghcr:
	name: Build and push image
	runs-on: ubuntu-22.04
	permissions:
	contents: read
	packages: write
	id-token: write
	strategy:
	fail-fast: false

	matrix:
	# !!!
	# Add recipes for all the images you want to build here.
	# Don't add module configuration files, you will get errors.
	recipe:
	- recipe.yml
	# !!!

	steps:
	# Checkout push-to-registry action GitHub repository
	- name: Checkout Push to Registry action
	uses: actions/checkout@v4

	# Confirm that cosign.pub matches SIGNING_SECRET
	- uses: sigstore/[email protected]
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'

	- name: Check SIGNING_SECRET matches cosign.pub
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
	env:
	COSIGN_EXPERIMENTAL: false
	COSIGN_PASSWORD: ""
	COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
	shell: bash
	run: \|
	echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub"
	delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub)
	if [ -z "$delta" ]; then
	echo "cosign.pub matches SIGNING_SECRET"
	else
	echo "cosign.pub does not match SIGNING_SECRET"
	echo "$delta"
	exit 1
	fi

	- name: Add yq (for reading recipe.yml)
	uses: mikefarah/[email protected]

	- name: Gather image data from recipe
	run: \|
	echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
	echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
	echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
	BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }})
	echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV
	echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE \| sed 's/.\/.\///')" >> $GITHUB_ENV

	- name: Verify base image
	uses: EyeCantCU/cosign-action/[email protected]
	with:
	containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}

	- name: Get current version
	id: labels
	run: \|
	ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.IMAGE_MAJOR_VERSION }} \| jq -r '.Labels["org.opencontainers.image.version"]')
	echo "VERSION=$ver" >> $GITHUB_OUTPUT

	- name: Generate tags
	id: generate-tags
	shell: bash
	run: \|
	# Generate a timestamp for creating an image version history
	TIMESTAMP="$(date +%Y%m%d)"
	MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} \| cut -d . -f 1)"
	COMMIT_TAGS=()
	BUILD_TAGS=()
	# Have tags for tracking builds during pull request
	SHA_SHORT="${GITHUB_SHA::7}"

	# Using clever bash string templating, https://stackoverflow.com/q/40771781
	# don't make malformed tags if $MAJOR_VERSION is empty (base-image didn't include proper labels) --
	COMMIT_TAGS+=("pr-${{ github.event.number }}${MAJOR_VERSION:+-$MAJOR_VERSION}")
	COMMIT_TAGS+=("${SHA_SHORT}${MAJOR_VERSION:+-$MAJOR_VERSION}")

	BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION:+$MAJOR_VERSION-}${TIMESTAMP}")
	# --

	BUILD_TAGS+=("${TIMESTAMP}")
	BUILD_TAGS+=("latest")

	if [[ "${{ github.event_name }}" == "pull_request" ]]; then
	echo "Generated the following commit tags: "
	for TAG in "${COMMIT_TAGS[@]}"; do
	echo "${TAG}"
	done
	alias_tags=("${COMMIT_TAGS[@]}")
	else
	alias_tags=("${BUILD_TAGS[@]}")
	fi
	echo "Generated the following build tags: "
	for TAG in "${BUILD_TAGS[@]}"; do
	echo "${TAG}"
	done
	echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT

	# Build metadata
	- name: Image Metadata
	uses: docker/metadata-action@v5
	id: meta
	with:
	images: \|
	${{ env.IMAGE_NAME }}
	labels: \|
	org.opencontainers.image.title=${{ env.IMAGE_NAME }}
	org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
	org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
	io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md
	io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4

	# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
	# https://github.com/macbre/push-to-ghcr/issues/12
	- name: Lowercase Registry
	id: registry_case
	uses: ASzc/change-string-case-action@v6
	with:
	string: ${{ env.IMAGE_REGISTRY }}

	- name: Lowercase Image
	id: image_case
	uses: ASzc/change-string-case-action@v6
	with:
	string: ${{ env.IMAGE_NAME }}

	- name: Maximize build space
	uses: AdityaGarg8/remove-unwanted-software@v2
	with:
	remove-dotnet: 'true'
	remove-android: 'true'
	remove-haskell: 'true'

	# Build image using Buildah action
	- name: Build Image
	id: build_image
	uses: redhat-actions/buildah-build@v2
	with:
	containerfiles: \|
	./Containerfile
	image: ${{ env.IMAGE_NAME }}
	tags: \|
	${{ steps.generate-tags.outputs.alias_tags }}
	build-args: \|
	IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }}
	BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }}
	RECIPE=${{ matrix.recipe }}
	IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }}
	labels: ${{ steps.meta.outputs.labels }}
	oci: false

	# Push the image to GHCR (Image Registry)
	- name: Push To GHCR
	uses: redhat-actions/push-to-registry@v2
	id: push
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
	env:
	REGISTRY_USER: ${{ github.actor }}
	REGISTRY_PASSWORD: ${{ github.token }}
	with:
	image: ${{ steps.build_image.outputs.image }}
	tags: ${{ steps.build_image.outputs.tags }}
	registry: ${{ steps.registry_case.outputs.lowercase }}
	username: ${{ env.REGISTRY_USER }}
	password: ${{ env.REGISTRY_PASSWORD }}
	extra-args: \|
	--disable-content-trust

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# Sign container
	- name: Sign container image
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
	run: \|
	cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}@${TAGS}
	env:
	TAGS: ${{ steps.push.outputs.digest }}
	COSIGN_EXPERIMENTAL: false
	COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

	- name: Echo outputs
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
	run: \|
	echo "${{ toJSON(steps.push.outputs) }}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[pull] live from template #152

Workflow file

[pull] live from template #152

Jobs

Run details

Workflow file for this run