|
| 1 | +--- |
| 2 | +name: Build standard container image |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + branches: |
| 6 | + - main |
| 7 | + schedule: |
| 8 | + - cron: '05 10 * * *' # 10:05am UTC everyday |
| 9 | + push: |
| 10 | + branches: |
| 11 | + - main |
| 12 | + paths-ignore: |
| 13 | + - '**/README.md' |
| 14 | + workflow_dispatch: |
| 15 | + |
| 16 | +env: |
| 17 | + IMAGE_DESC: "My Customized Universal Blue Image" |
| 18 | + IMAGE_KEYWORDS: "bootc,ublue,universal-blue" |
| 19 | + IMAGE_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4" # Put your own image here for a fancy profile on https://artifacthub.io/! |
| 20 | + IMAGE_NAME: "${{ github.event.repository.name }}" # output image name, usually same as repo name |
| 21 | + IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit |
| 22 | + DEFAULT_TAG: "latest" |
| 23 | + |
| 24 | +concurrency: |
| 25 | + group: ${{ github.workflow }}-${{ github.ref || github.run_id }} |
| 26 | + cancel-in-progress: true |
| 27 | + |
| 28 | +jobs: |
| 29 | + build_push: |
| 30 | + name: Build and push standard image |
| 31 | + runs-on: ubuntu-24.04 |
| 32 | + |
| 33 | + permissions: |
| 34 | + contents: read |
| 35 | + packages: write |
| 36 | + id-token: write |
| 37 | + |
| 38 | + steps: |
| 39 | + - name: Prepare environment |
| 40 | + run: | |
| 41 | + # Lowercase the image uri |
| 42 | + echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV} |
| 43 | + echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV} |
| 44 | +
|
| 45 | + # These stage versions are pinned by https://github.com/renovatebot/renovate |
| 46 | + - name: Checkout |
| 47 | + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 |
| 48 | + |
| 49 | + # This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines: |
| 50 | + # - name: Maximize build space |
| 51 | + # uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 |
| 52 | + # with: |
| 53 | + # remove-codeql: true |
| 54 | + |
| 55 | + - name: Mount BTRFS for podman storage |
| 56 | + id: container-storage-action |
| 57 | + uses: ublue-os/container-storage-action@911baca08baf30c8654933e9e9723cb399892140 |
| 58 | + |
| 59 | + # Fallback to the remove-unwanted-software-action if github doesn't allocate enough space |
| 60 | + # See: https://github.com/ublue-os/container-storage-action/pull/11 |
| 61 | + continue-on-error: true |
| 62 | + with: |
| 63 | + target-dir: /var/lib/containers |
| 64 | + mount-opts: compress-force=zstd:2 |
| 65 | + |
| 66 | + - name: Get current date |
| 67 | + id: date |
| 68 | + run: | |
| 69 | + # This generates a timestamp like what is defined on the ArtifactHub documentation |
| 70 | + # E.G: 2022-02-08T15:38:15Z' |
| 71 | + # https://artifacthub.io/docs/topics/repositories/container-images/ |
| 72 | + # https://linux.die.net/man/1/date |
| 73 | + echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT |
| 74 | +
|
| 75 | + # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images |
| 76 | + # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. |
| 77 | + - name: Image Metadata |
| 78 | + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5 |
| 79 | + id: metadata |
| 80 | + with: |
| 81 | + # This generates all the tags for your image, you can add custom tags here too! |
| 82 | + # Default tags are "$DEFAULT_TAG" and "$DEFAULT_TAG.$date". |
| 83 | + tags: | |
| 84 | + type=raw,value=${{ env.DEFAULT_TAG }} |
| 85 | + type=raw,value=${{ env.DEFAULT_TAG }}.{{date 'YYYYMMDD'}} |
| 86 | + type=raw,value={{date 'YYYYMMDD'}} |
| 87 | + type=sha,enable=${{ github.event_name == 'pull_request' }} |
| 88 | + type=ref,event=pr |
| 89 | + labels: | |
| 90 | + io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md |
| 91 | + org.opencontainers.image.created=${{ steps.date.outputs.date }} |
| 92 | + org.opencontainers.image.description=${{ env.IMAGE_DESC }} |
| 93 | + org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md |
| 94 | + org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile |
| 95 | + org.opencontainers.image.title=${{ env.IMAGE_NAME }} |
| 96 | + org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} |
| 97 | + org.opencontainers.image.vendor=${{ github.repository_owner }} |
| 98 | + org.opencontainers.image.version=${{ env.DEFAULT_TAG }}.{{date 'YYYYMMDD'}} |
| 99 | + io.artifacthub.package.deprecated=false |
| 100 | + io.artifacthub.package.keywords=${{ env.IMAGE_KEYWORDS }} |
| 101 | + io.artifacthub.package.license=Apache-2.0 |
| 102 | + io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }} |
| 103 | + io.artifacthub.package.prerelease=false |
| 104 | + containers.bootc=1 |
| 105 | + sep-tags: " " |
| 106 | + sep-annotations: " " |
| 107 | + |
| 108 | + - name: Build Image |
| 109 | + id: build_image |
| 110 | + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 |
| 111 | + with: |
| 112 | + containerfiles: | |
| 113 | + ./Containerfile |
| 114 | + # Postfix image name with -custom to make it a little more descriptive |
| 115 | + # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format |
| 116 | + image: ${{ env.IMAGE_NAME }} |
| 117 | + tags: ${{ steps.metadata.outputs.tags }} |
| 118 | + labels: ${{ steps.metadata.outputs.labels }} |
| 119 | + build-args: | |
| 120 | + BASE_IMAGE=ghcr.io/ublue-os/bluefin-dx:stable-daily |
| 121 | + oci: false |
| 122 | + |
| 123 | + # Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published. |
| 124 | + # This does not make your image faster to download, just provides better resumability and fixes a few errors. |
| 125 | + # Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk |
| 126 | + # You can enable it by uncommenting the following lines: |
| 127 | + # - name: Run Rechunker |
| 128 | + # id: rechunk |
| 129 | + # uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1 |
| 130 | + # with: |
| 131 | + # rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1' |
| 132 | + # ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" |
| 133 | + # prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" |
| 134 | + # skip_compression: true |
| 135 | + # version: ${{ env.CENTOS_VERSION }} |
| 136 | + # labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator |
| 137 | + |
| 138 | + # This is necessary so that the podman socket can find the rechunked image on its storage |
| 139 | + # - name: Load in podman and tag |
| 140 | + # run: | |
| 141 | + # IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) |
| 142 | + # sudo rm -rf ${{ steps.rechunk.outputs.output }} |
| 143 | + # for tag in ${{ steps.metadata.outputs.tags }}; do |
| 144 | + # podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag |
| 145 | + # done |
| 146 | + |
| 147 | + # These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing |
| 148 | + # They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work |
| 149 | + - name: Login to GitHub Container Registry |
| 150 | + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 |
| 151 | + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) |
| 152 | + with: |
| 153 | + registry: ghcr.io |
| 154 | + username: ${{ github.actor }} |
| 155 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 156 | + |
| 157 | + - name: Push To GHCR |
| 158 | + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 |
| 159 | + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) |
| 160 | + id: push |
| 161 | + env: |
| 162 | + REGISTRY_USER: ${{ github.actor }} |
| 163 | + REGISTRY_PASSWORD: ${{ github.token }} |
| 164 | + with: |
| 165 | + registry: ${{ env.IMAGE_REGISTRY }} |
| 166 | + image: ${{ env.IMAGE_NAME }} |
| 167 | + tags: ${{ steps.metadata.outputs.tags }} |
| 168 | + username: ${{ env.REGISTRY_USER }} |
| 169 | + password: ${{ env.REGISTRY_PASSWORD }} |
| 170 | + |
| 171 | + # This section is optional and only needs to be enabled if you plan on distributing |
| 172 | + # your project for others to consume. You will need to create a public and private key |
| 173 | + # using Cosign and save the private key as a repository secret in Github for this workflow |
| 174 | + # to consume. For more details, review the image signing section of the README. |
| 175 | + - name: Install Cosign |
| 176 | + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 |
| 177 | + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) |
| 178 | + |
| 179 | + - name: Sign container image |
| 180 | + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) |
| 181 | + run: | |
| 182 | + IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}" |
| 183 | + for tag in ${{ steps.metadata.outputs.tags }}; do |
| 184 | + cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag |
| 185 | + done |
| 186 | + env: |
| 187 | + TAGS: ${{ steps.push.outputs.digest }} |
| 188 | + COSIGN_EXPERIMENTAL: false |
| 189 | + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |
0 commit comments