Initial commit

Author: alexiri

.github/README.md

@@ -0,0 +1,46 @@
+# Purpose
+
+This repository is a template repository for generating Atomic AlmaLinux respins.
+
+[Create a new repository](https://github.com/new?template_name=atomic-respin-template&template_owner=AlmaLinux)
+using this template to get started! Once that's done, there you can follow [the instructions](/README.md) of your
+newly-created repository to start customizing your image.
+
+# Contributing
+
+We welcome contributions to all parts of the AlmaLinux project. If you'd like to get involved, please feel free to reach out through [the chat](https://chat.almalinux.org/almalinux/channels/sigatomic)!
+
+## Contributing - Code and Design
+
+This project is a template for starting new Atomic AlmaLinux respins.
+
+Before submitting code changes, please check if there are any open issues or pull requests that cover your proposal. If not, open an issue with a brief description and so you can discuss it with us first. This helps avoid duplicated work and ensures proposed changes align with project goals. This can be your anticipated workflow:
+
+- Create an issue describing your changes.
+- Await confirmation from contributors.
+- Fork the project.
+- Create a new branch for your feature or bug fix.
+- Add your code, documentation, etc.
+- Submit a pull request (PR). All PRs should target the `main` branch.
+
+After review and approval, the changes will be merged and deployed.
+
+## Reporting a Bug
+
+If you find a bug, please report it [here](https://github.com/AlmaLinux/atomic-respin-template/issues)!
+
+## Requesting a Feature
+
+We're open to feature requests! Please follow this workflow:
+
+1. [Search existing issues](https://github.com/AlmaLinux/atomic-respin-template/issues) to see if the feature has already been requested. If so, give it a thumbs up, +1, or a comment on your use-case.
+2. If no similar request exists, open a new issue. Please clearly explain why the feature is needed and provide a detailed use case.
+
+## Change Approval Process
+
+- Minor or cosmetic changes (typos, small style tweaks) can be reviewed and approved by any contributor with merge rights.
+- Larger changes should be agreed on as a SIG.
+
+# Getting help
+
+This repo is managed by the Atomic SIG. You can see how best to contact us in the [AlmaLinux wiki](https://wiki.almalinux.org/sigs/Atomic.html).

.github/actions/config/action.yml

@@ -0,0 +1,71 @@
+---
+name: Set Environment Variables
+
+inputs:
+  SIGNING_SECRET:
+    description: "The secret used for signing the image. If not provided, the image will not be signed."
+    required: false
+
+outputs:
+  LATEST_TAG:
+    description: "The latest tag based on the event type"
+    value: ${{ steps.set.outputs.LATEST_TAG }}
+  REGISTRY:
+    description: "The container registry to use"
+    value:  ${{ steps.set.outputs.REGISTRY }}
+  REGISTRY_USER:
+    description: "The user for the container registry"
+    value: ${{ steps.set.outputs.REGISTRY_USER }}
+  PLATFORMS:
+    description: "The platforms to build for"
+    value: ${{ steps.set.outputs.PLATFORMS }}
+  IMAGE_PATH:
+    description: "The path to the image in the registry"
+    value: ${{ steps.set.outputs.IMAGE_PATH }}
+  IMAGE_NAME:
+    description: "The name of the image"
+    value: ${{ steps.set.outputs.IMAGE_NAME }}
+  IMAGE_REF:
+    description: "The full reference to the image in the registry"
+    value: ${{ steps.set.outputs.IMAGE_REF }}
+  IS_SIGNED:
+    description: "Whether the image is signed"
+    value: ${{ steps.set.outputs.IS_SIGNED }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set environment variables
+      id: set
+      shell: bash
+      run: |
+        # Pick a latest tag based on the event type
+        if [[ "${{ github.ref }}" != "refs/heads/${{ github.event.repository.default_branch }}" ]]; then
+          echo "LATEST_TAG=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+        else
+          echo "LATEST_TAG=latest" >> $GITHUB_OUTPUT
+        fi
+
+        REGISTRY=ghcr.io
+        REGISTRY_USER=${{ github.actor }}
+        IMAGE_PATH=${{ github.repository_owner }}
+        IMAGE_NAME=${{ github.event.repository.name }}
+        PLATFORMS="amd64"
+
+        echo "REGISTRY=${REGISTRY}" >> $GITHUB_OUTPUT
+        echo "REGISTRY_USER=${REGISTRY_USER}" >> $GITHUB_OUTPUT
+        echo "IMAGE_PATH=${IMAGE_PATH}" >> $GITHUB_OUTPUT
+        echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_OUTPUT
+        echo "IMAGE_REF=${REGISTRY}/${IMAGE_PATH}/${IMAGE_NAME}" >> $GITHUB_OUTPUT
+        echo "PLATFORMS=${PLATFORMS}" >> $GITHUB_OUTPUT
+
+        # This is a workaround so that the expansion of SIGNING_SECRET doesn't break the if statement
+        SECRET=$(cat <<EOF
+        ${{ inputs.SIGNING_SECRET }}
+        EOF
+        )
+        if [ -z "${SECRET}" ]; then
+          echo "IS_SIGNED=false" >> $GITHUB_OUTPUT
+        else
+          echo "IS_SIGNED=true" >> $GITHUB_OUTPUT
+        fi

.github/dependabot.yml

@@ -0,0 +1,23 @@
+---
+# ba0fde3d-bee7-4307-b97b-17d0d20aff50
+version: 2
+updates:
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "07:00"
+    open-pull-requests-limit: 5
+
+  # Maintain dependencies for Docker
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "07:00"
+    open-pull-requests-limit: 5
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-minor", "version-update:semver-patch"]

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,24 @@
+name: Dependabot auto-approve
+on: pull_request_target
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2.4.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: ${{ contains(steps.metadata.outputs.package-ecosystem, 'docker') }}
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/build-iso.yml

@@ -0,0 +1,53 @@
+---
+# ba0fde3d-bee7-4307-b97b-17d0d20aff50
+name: Build ISO
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  set-env:
+    if: github.repository != 'AlmaLinux/atomic-respin-template'
+    runs-on: ubuntu-latest
+    outputs:
+      LATEST_TAG: ${{ steps.set.outputs.LATEST_TAG }}
+      REGISTRY: ${{ steps.set.outputs.REGISTRY }}
+      REGISTRY_USER: ${{ steps.set.outputs.REGISTRY_USER }}
+      PLATFORMS: ${{ steps.set.outputs.PLATFORMS }}
+      IMAGE_PATH: ${{ steps.set.outputs.IMAGE_PATH }}
+      IMAGE_NAME: ${{ steps.set.outputs.IMAGE_NAME }}
+      IMAGE_REF: ${{ steps.set.outputs.IMAGE_REF }}
+      IS_SIGNED: ${{ steps.set.outputs.IS_SIGNED }}
+    steps:
+      - name: Checkout github actions
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set environment variables
+        uses: ./.github/actions/config
+        id: set
+        with:
+          SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}
+
+  build-iso:
+    name: Build ISO
+    needs: [set-env]
+    uses: AlmaLinux/atomic-ci/.github/workflows/build-iso.yml@v6
+    with:
+      image-name: "${{ needs.set-env.outputs.IMAGE_NAME }}"
+      image: "${{ needs.set-env.outputs.IMAGE_REF }}:${{ needs.set-env.outputs.LATEST_TAG }}"
+      update_origin_ref: "${{ needs.set-env.outputs.IMAGE_REF }}:${{ needs.set-env.outputs.LATEST_TAG }}"
+      update_is_signed: ${{ needs.set-env.outputs.IS_SIGNED == 'true' }}
+      config-file: ./iso.toml
+      platforms: ${{ needs.set-env.outputs.PLATFORMS }}
+      REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
+      REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
+      upload-to-cloudflare: false
+      # bucket: ${{ secrets.R2_BUCKET }}
+    secrets:
+      REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
+      # ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+      # SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}

.github/workflows/build.yml

@@ -0,0 +1,118 @@
+---
+# ba0fde3d-bee7-4307-b97b-17d0d20aff50
+name: Build image
+on:
+  pull_request:
+  push:
+    branches:
+      - 'main'
+    paths-ignore:
+      - '**/README.md'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  set-env:
+    if: github.repository != 'AlmaLinux/atomic-respin-template'
+    runs-on: ubuntu-latest
+    outputs:
+      LATEST_TAG: ${{ steps.set.outputs.LATEST_TAG }}
+      REGISTRY: ${{ steps.set.outputs.REGISTRY }}
+      REGISTRY_USER: ${{ steps.set.outputs.REGISTRY_USER }}
+      PLATFORMS: ${{ steps.set.outputs.PLATFORMS }}
+      IMAGE_PATH: ${{ steps.set.outputs.IMAGE_PATH }}
+      IMAGE_NAME: ${{ steps.set.outputs.IMAGE_NAME }}
+      IMAGE_REF: ${{ steps.set.outputs.IMAGE_REF }}
+      IS_SIGNED: ${{ steps.set.outputs.IS_SIGNED }}
+    steps:
+      - name: Checkout github actions
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set environment variables
+        uses: ./.github/actions/config
+        id: set
+        with:
+          SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}
+
+  build-image:
+    name: Build image
+    uses: AlmaLinux/atomic-ci/.github/workflows/build-image.yml@v6
+    needs: set-env
+    with:
+      containerfile: Dockerfile
+      image-name: "${{ needs.set-env.outputs.IMAGE_NAME }}"
+      previous-image: "${{ needs.set-env.outputs.IMAGE_REF }}:latest"
+      upstream-public-key: atomic-desktop.pub
+      platforms: ${{ needs.set-env.outputs.PLATFORMS }}
+      skip-maximize-build-space: true
+      image-path: ${{ needs.set-env.outputs.IMAGE_PATH }}
+      REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
+      REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
+    secrets:
+      REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+  test-image:
+    name: Test image
+    runs-on: ubuntu-latest
+    needs: [set-env, build-image]
+
+    env:
+      IMAGE_REF: "${{ needs.build-image.outputs.image-ref }}@${{ needs.build-image.outputs.digest }}"
+
+    steps:
+      - name: Login to Container Registry
+        run: echo ${{ secrets.GITHUB_TOKEN }} | podman login -u ${{ needs.set-env.outputs.REGISTRY_USER }} --password-stdin ${{ needs.set-env.outputs.REGISTRY }}
+
+      - name: Test container
+        run: |
+          # Create a short script to test the image using heredoc
+          cat << 'EOF' > /tmp/test.sh
+          set -ex
+
+          cat /etc/os-release
+          bootc -V
+          EOF
+
+          podman run --rm \
+            -v /tmp/test.sh:/tmp/test.sh \
+            ${{ env.IMAGE_REF }} \
+            /bin/bash /tmp/test.sh
+
+  promote-image:
+    name: Promote image
+    needs: [set-env, build-image, test-image]
+    if: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+    uses: AlmaLinux/atomic-ci/.github/workflows/retag-image.yml@v6
+    with:
+      image: ${{ needs.build-image.outputs.image-ref }}@${{ needs.build-image.outputs.digest }}
+      tag: |
+        ${{ needs.set-env.outputs.LATEST_TAG }}
+        ${{ needs.build-image.outputs.redhat-version-id }}
+        ${{ needs.build-image.outputs.version }}
+      REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
+      REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
+    secrets:
+      REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      packages: write
+
+  create-release:
+    name: Create Release
+    needs: [set-env, build-image, test-image, promote-image]
+    if: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+    uses: AlmaLinux/atomic-ci/.github/workflows/create-release.yml@v6
+    with:
+      image-name: "${{ needs.set-env.outputs.IMAGE_NAME }}"
+      version: ${{ needs.build-image.outputs.version }}
+      pretty-version: ${{ needs.build-image.outputs.redhat-version-id }}
+      latest-image-ref: "${{ needs.build-image.outputs.image-ref }}:${{ needs.set-env.outputs.LATEST_TAG }}"
+    permissions:
+      contents: write

.github/workflows/initial_setup.yml

@@ -0,0 +1,32 @@
+---
+name: Initial Setup
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+
+jobs:
+  start:
+    runs-on: ubuntu-latest
+    if: github.repository != 'AlmaLinux/atomic-respin-template'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run initial setup script
+        run: |
+          # sed -i "/if: github.repository != 'AlmaLinux\/atomic-respin-template'/d" .github/workflows/*.yml
+          rm -rf \
+            .github/README.md \
+            .github/workflows/auto-merge-dependabot.yml \
+            .github/workflows/initial_setup.yml
+
+      - name: Commit changes
+        run: |
+          git config --global user.name 'GitHub Actions'
+          git config --global user.email 'actions@github.com'
+          git commit -a -m "Initial setup: remove template files"
+          git push

.gitignore

@@ -0,0 +1,2 @@
+cosign.key
+output/