|
10 | 10 | - Containerfile |
11 | 11 | - build.sh |
12 | 12 | - plasma.sh |
13 | | - # tags: ['v*.*.*'] |
14 | | - # pull_request: |
15 | | - # branches: ["main"] |
16 | 13 |
|
17 | 14 | env: |
| 15 | + DEFAULT_TAG: "latest" |
| 16 | + IMAGE_NAME: ${{ github.event.repository.name }} |
| 17 | + IMAGE_DESC: "Customized image of Fedora Kinoite" |
| 18 | + IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" |
18 | 19 | REGISTRY: ghcr.io |
19 | | - IMAGE_NAME: ${{ github.repository }} |
20 | 20 |
|
21 | 21 | jobs: |
22 | 22 | build: |
23 | | - runs-on: ubuntu-latest |
| 23 | + runs-on: ubuntu-24.04 |
24 | 24 | permissions: |
25 | 25 | contents: read |
26 | 26 | packages: write |
27 | 27 | id-token: write |
28 | 28 |
|
29 | 29 | steps: |
30 | | - - name: Checkout repository |
31 | | - uses: actions/checkout@v4 |
32 | | - |
33 | | - - name: Install cosign |
34 | | - if: github.event_name != 'pull_request' |
35 | | - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 |
| 30 | + - name: prepare environment |
| 31 | + run: | |
| 32 | + echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> "${GITHUB_ENV}" |
| 33 | + echo "IMAGE_NAME=${IMAGE_NAME,,}" >> "${GITHUB_ENV}" |
36 | 34 |
|
37 | | - - name: Set up Docker Buildx |
38 | | - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 |
| 35 | + - name: checkout |
| 36 | + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 |
39 | 37 |
|
40 | | - - name: Log into registry ${{ env.REGISTRY }} |
41 | | - if: github.event_name != 'pull_request' |
42 | | - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 |
| 38 | + - name: mount btrfs for podman storage |
| 39 | + id: container-storage-action |
| 40 | + uses: ublue-os/container-storage-action@911baca08baf30c8654933e9e9723cb399892140 |
| 41 | + continue-on-error: true |
43 | 42 | with: |
44 | | - registry: ${{ env.REGISTRY }} |
45 | | - username: ${{ github.actor }} |
46 | | - password: ${{ secrets.GITHUB_TOKEN }} |
| 43 | + target-dir: /var/lib/containers |
| 44 | + mount-opts: compress-force=zstd:2 |
| 45 | + |
| 46 | + - name: get current date |
| 47 | + id: date |
| 48 | + run: | |
| 49 | + # shellcheck disable=SC1001 |
| 50 | + echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> "${GITHUB_OUTPUT}" |
47 | 51 |
|
48 | | - - name: Extract Docker metadata |
49 | | - id: meta |
50 | | - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 |
| 52 | + - name: metadata |
| 53 | + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 |
| 54 | + id: metadata |
51 | 55 | with: |
52 | | - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} |
53 | | - labels: | |
54 | | - org.opencontainers.image.description=Customized image of Fedora Kinoite |
55 | | - org.opencontainers.image.licenses=MIT |
56 | | - org.opencontainers.image.source=https://github.com/clemak27/kinokite |
57 | | - org.opencontainers.image.title=Fedora Kinokite |
58 | 56 | tags: | |
59 | 57 | type=schedule,pattern={{date 'YYYYMMDD'}} |
60 | 58 | type=raw,value=latest |
61 | | - type=raw,value=43 |
| 59 | + labels: | |
| 60 | + org.opencontainers.image.created=${{ steps.date.outputs.date }} |
| 61 | + org.opencontainers.image.description=${{ env.IMAGE_DESC }} |
| 62 | + org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/${{ github.sha }}/README.md |
| 63 | + org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/${{ github.sha }}/Containerfile |
| 64 | + org.opencontainers.image.title=${{ env.IMAGE_NAME }} |
| 65 | + org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/tree/${{ github.sha }} |
| 66 | + org.opencontainers.image.vendor=${{ github.repository_owner }} |
| 67 | + org.opencontainers.image.licenses=MIT |
| 68 | + containers.bootc=1 |
62 | 69 |
|
63 | | - - name: Build and push Docker image |
64 | | - id: build-and-push |
65 | | - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 |
| 70 | + - name: build image |
| 71 | + id: build_image |
| 72 | + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 |
66 | 73 | with: |
67 | | - context: . |
68 | | - file: Containerfile |
69 | | - push: ${{ github.event_name != 'pull_request' }} |
70 | | - tags: ${{ steps.meta.outputs.tags }} |
71 | | - labels: ${{ steps.meta.outputs.labels }} |
72 | | - cache-from: type=gha |
73 | | - cache-to: type=gha,mode=max |
| 74 | + containerfiles: | |
| 75 | + ./Containerfile |
| 76 | + image: ${{ env.IMAGE_NAME }} |
| 77 | + tags: ${{ steps.metadata.outputs.tags }} |
| 78 | + labels: ${{ steps.metadata.outputs.labels }} |
| 79 | + oci: false |
74 | 80 |
|
75 | | - - name: Sign the published Docker image |
76 | | - if: ${{ github.event_name != 'pull_request' }} |
| 81 | + - name: ghcr login |
| 82 | + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 |
| 83 | + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) |
| 84 | + with: |
| 85 | + registry: ghcr.io |
| 86 | + username: ${{ github.actor }} |
| 87 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 88 | + |
| 89 | + - name: push image |
| 90 | + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 |
| 91 | + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) |
| 92 | + id: push |
| 93 | + env: |
| 94 | + REGISTRY_USER: ${{ github.actor }} |
| 95 | + REGISTRY_PASSWORD: ${{ github.token }} |
| 96 | + with: |
| 97 | + registry: ${{ env.IMAGE_REGISTRY }} |
| 98 | + image: ${{ env.IMAGE_NAME }} |
| 99 | + tags: ${{ steps.metadata.outputs.tags }} |
| 100 | + username: ${{ env.REGISTRY_USER }} |
| 101 | + password: ${{ env.REGISTRY_PASSWORD }} |
| 102 | + |
| 103 | + - name: install cosign |
| 104 | + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 |
| 105 | + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) |
| 106 | + |
| 107 | + - name: sign image |
| 108 | + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) |
| 109 | + run: | |
| 110 | + IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}" |
| 111 | + cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL@$DIGEST |
77 | 112 | env: |
78 | | - TAGS: ${{ steps.build-and-push.outputs.digest }} |
| 113 | + DIGEST: ${{ steps.push.outputs.digest }} |
79 | 114 | COSIGN_EXPERIMENTAL: false |
80 | 115 | COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |
81 | | - run: | |
82 | | - IMAGE_FULL="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" |
83 | | - for tag in ${{ steps.metadata.outputs.tags }}; do |
84 | | - cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag |
85 | | - done |
|
0 commit comments