Refactoring (#16) #144
| --- | |
| name: Build container image | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '05 10 * * *' # 10:05am UTC everyday | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '**/README.md' | |
| workflow_dispatch: | |
| env: | |
| IMAGE_DESC: "Hypercube - A Hyprland-focused bootc image built on Bluefin-DX" | |
| IMAGE_KEYWORDS: "bootc,ublue,universal-blue,hyprland,hypercube,wayland" | |
| IMAGE_LOGO_URL: "https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/main/branding/hypercube-logo.png" | |
| IMAGE_NAME: "${{ github.event.repository.name }}" | |
| IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" | |
| DEFAULT_TAG: "latest" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} | |
| cancel-in-progress: true | |
| jobs: | |
| build_push: | |
| name: Build and push image | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| variant: | |
| - flavor: "main" | |
| base_image: "ghcr.io/ublue-os/bluefin-dx:stable-daily" | |
| tag_suffix: "" | |
| - flavor: "nvidia" | |
| base_image: "ghcr.io/ublue-os/bluefin-dx-nvidia:stable-daily" | |
| tag_suffix: "-nvidia" | |
| steps: | |
| - name: Prepare environment | |
| run: | | |
| # Lowercase the image uri | |
| echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV} | |
| echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV} | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Maximize build space | |
| uses: ublue-os/remove-unwanted-software@v9 | |
| - name: Mount BTRFS for podman storage | |
| id: container-storage-action | |
| uses: ublue-os/container-storage-action@main | |
| continue-on-error: true | |
| with: | |
| target-dir: /var/lib/containers | |
| mount-opts: compress-force=zstd:2 | |
| - name: Get current date | |
| id: date | |
| run: | | |
| echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT | |
| echo "version=$(date +%Y%m%d)" >> $GITHUB_OUTPUT | |
| - name: Image Metadata | |
| uses: docker/metadata-action@v5 | |
| id: metadata | |
| with: | |
| tags: | | |
| type=raw,value=${{ env.DEFAULT_TAG }}${{ matrix.variant.tag_suffix }} | |
| type=raw,value=${{ env.DEFAULT_TAG }}${{ matrix.variant.tag_suffix }}.{{date 'YYYYMMDD'}} | |
| type=raw,value={{date 'YYYYMMDD'}}${{ matrix.variant.tag_suffix }} | |
| type=sha,enable=${{ github.event_name == 'pull_request' }},suffix=${{ matrix.variant.tag_suffix }} | |
| type=ref,event=pr,suffix=${{ matrix.variant.tag_suffix }} | |
| labels: | | |
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md | |
| org.opencontainers.image.created=${{ steps.date.outputs.date }} | |
| org.opencontainers.image.description=${{ env.IMAGE_DESC }} | |
| org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md | |
| org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile | |
| org.opencontainers.image.title=${{ env.IMAGE_NAME }} | |
| org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} | |
| org.opencontainers.image.vendor=${{ github.repository_owner }} | |
| org.opencontainers.image.version=${{ env.DEFAULT_TAG }}.${{ steps.date.outputs.version }} | |
| io.artifacthub.package.deprecated=false | |
| io.artifacthub.package.keywords=${{ env.IMAGE_KEYWORDS }} | |
| io.artifacthub.package.license=Apache-2.0 | |
| io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }} | |
| io.artifacthub.package.prerelease=false | |
| containers.bootc=1 | |
| sep-tags: " " | |
| sep-annotations: " " | |
| - name: Build Image | |
| id: build_image | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| containerfiles: | | |
| ./Containerfile | |
| image: ${{ env.IMAGE_NAME }} | |
| tags: ${{ steps.metadata.outputs.tags }} | |
| labels: ${{ steps.metadata.outputs.labels }} | |
| build-args: | | |
| BASE_IMAGE=${{ matrix.variant.base_image }} | |
| IMAGE_NAME=${{ env.IMAGE_NAME }} | |
| IMAGE_VENDOR=${{ github.repository_owner }} | |
| oci: false | |
| # Rechunk for optimized OCI layers | |
| - name: Run Rechunker | |
| id: rechunk | |
| uses: hhd-dev/[email protected] | |
| if: github.event_name != 'pull_request' | |
| with: | |
| rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.3' | |
| ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}${{ matrix.variant.tag_suffix }}" | |
| prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}${{ matrix.variant.tag_suffix }}" | |
| skip_compression: true | |
| labels: ${{ steps.metadata.outputs.labels }} | |
| - name: Load rechunked image and tag | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) | |
| sudo rm -rf ${{ steps.rechunk.outputs.output }} | |
| for tag in ${{ steps.metadata.outputs.tags }}; do | |
| podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag | |
| done | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push To GHCR | |
| uses: redhat-actions/push-to-registry@v2 | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| id: push | |
| env: | |
| REGISTRY_USER: ${{ github.actor }} | |
| REGISTRY_PASSWORD: ${{ github.token }} | |
| with: | |
| registry: ${{ env.IMAGE_REGISTRY }} | |
| image: ${{ env.IMAGE_NAME }} | |
| tags: ${{ steps.metadata.outputs.tags }} | |
| username: ${{ env.REGISTRY_USER }} | |
| password: ${{ env.REGISTRY_PASSWORD }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| - name: Sign container image | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| run: | | |
| # Sign by digest for better security | |
| IMAGE_DIGEST="${{ steps.push.outputs.digest }}" | |
| IMAGE_REF="${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST}" | |
| echo "Signing image: ${IMAGE_REF}" | |
| cosign sign -y --key env://COSIGN_PRIVATE_KEY "${IMAGE_REF}" | |
| env: | |
| COSIGN_EXPERIMENTAL: false | |
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |
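Review bot: `uses: ublue-os/container-storage-action@main` on the "Mount BTRFS for podman storage" step pulls a mutable branch into a job that holds `packages: write`, `id-token: write` and the signing key exposed as `COSIGN_PRIVATE_KEY`, so any change to that branch runs with push and signing rights here; pin it to a full commit SHA with the tag in a trailing comment, e.g. `uses: ublue-os/container-storage-action@<commit-sha>  # main`, and consider doing the same for the other `@vN` pins. `id-token: write` also looks unused: signing is done with a stored key (`cosign sign -y --key env://COSIGN_PRIVATE_KEY`) under `COSIGN_EXPERIMENTAL: false`, so unless keyless signing is intended the permission can be dropped to keep the job at least privilege. The `concurrency.group` key references `inputs.brand_name` and `inputs.stream_name`, but `workflow_dispatch:` declares no inputs, so those expand to empty strings; either declare them or drop them from the group key.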