uphy-20241229/README.md

# image-template

# Purpose

This repository is meant to be a template for building your own custom Universal Blue image. 

# Prerequisites

Working knowledge in the following topics:

- Containers
  - https://www.youtube.com/watch?v=SnSH8Ht3MIc
  - https://www.mankier.com/5/Containerfile
- bootc
  - https://containers.github.io/bootc/
- Fedora Silverblue (and other Fedora Atomic variants)
  - https://docs.fedoraproject.org/en-US/fedora-silverblue/
- Github Workflows
  - https://docs.github.com/en/actions/using-workflows

# How to Use

## Template

Select `Use this Template` and create a new repository from it. To enable the workflows, you may need to go the `Actions` tab of the new repository and click to enable workflows.

## Containerfile

The top line is the base image you want to start FROM. Any valid image can be a starting point, examples include:

- `FROM ghcr.io/ublue-os/bazzite:latest`
- `FROM ghcr.io/ublue-os/bluefin:stable`
- `FROM ghcr.io/ublue-os/aurora-dx:stable`

## "Empty" base images

These contain a base system WITHOUT a pre-existing desktop. This is recommended for a more bottom up approach or if you want to to use a different desktop environment than is currently available:

- `FROM ghcr.io/ublue-os/base-main:latest`

Use `base-nvidia:latest` if you need the Nvidia drivers. You can also lock to a specific version like `base-nvidia:41`, etc.

## Workflows

### build.yml

This workflow creates your custom OCI image and publishes it to the Github Container Registry (GHCR). By default, the image name will match the Github repository name.

#### Container Signing

Container signing is important for end-user security and is enabled on all Universal Blue images. It is recommended you set this up, and by default the image builds *will fail* if you don't.

This provides users a method of verifying the image.

1. Install the [cosign CLI tool](https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-install-cosign/#installing-cosign-with-the-cosign-binary)

2. Run inside your repo folder:

    ```bash
    cosign generate-key-pair
    ```

    
    - Do NOT put in a password when it asks you to, just press enter. The signing key will be used in GitHub Actions and will not work if it is encrypted.

> [!WARNING]
> Be careful to *never* accidentally commit `cosign.key` into your git repo.

3. Add the private key to GitHub

    - This can also be done manually. Go to your repository settings, under Secrets and Variables -> Actions
    ![image](https://user-images.githubusercontent.com/1264109/216735595-0ecf1b66-b9ee-439e-87d7-c8cc43c2110a.png)
    Add a new secret and name it `SIGNING_SECRET`, then paste the contents of `cosign.key` into the secret and save it. Make sure it's the .key file and not the .pub file. Once done, it should look like this:
    ![image](https://user-images.githubusercontent.com/1264109/216735690-2d19271f-cee2-45ac-a039-23e6a4c16b34.png)

    - (CLI instructions) If you have the `github-cli` installed, run:

    ```bash
    gh secret set SIGNING_SECRET < cosign.key
    ```

4. Commit the `cosign.pub` file into your git repository

### Examples
- [m2os](https://github.com/m2giles/m2os)
- [bos](https://github.com/bsherman/bos)
- [homer](https://github.com/bketelsen/homer/)
docs: change header 2024-04-12 22:00:27 +00:00			`# image-template`
feat: initial update of readme 2024-03-04 01:00:00 +00:00
			`# Purpose`

docs: update readme 2024-12-03 03:50:53 +00:00			`This repository is meant to be a template for building your own custom Universal Blue image.`
feat: initial update of readme 2024-03-04 01:00:00 +00:00
			`# Prerequisites`

			`Working knowledge in the following topics:`

			`- Containers`
docs: add cosign and cleanup other info 2024-04-12 20:37:55 +00:00			`- https://www.youtube.com/watch?v=SnSH8Ht3MIc`
			`- https://www.mankier.com/5/Containerfile`
docs: update readme 2024-12-03 03:50:53 +00:00			`- bootc`
			`- https://containers.github.io/bootc/`
feat: initial update of readme 2024-03-04 01:00:00 +00:00			`- Fedora Silverblue (and other Fedora Atomic variants)`
docs: add cosign and cleanup other info 2024-04-12 20:37:55 +00:00			`- https://docs.fedoraproject.org/en-US/fedora-silverblue/`
feat: initial update of readme 2024-03-04 01:00:00 +00:00			`- Github Workflows`
docs: add cosign and cleanup other info 2024-04-12 20:37:55 +00:00			`- https://docs.github.com/en/actions/using-workflows`
feat: initial update of readme 2024-03-04 01:00:00 +00:00
			`# How to Use`

			`## Template`

docs: update may need to 2024-04-12 22:03:10 +00:00			Select `Use this Template` and create a new repository from it. To enable the workflows, you may need to go the `Actions` tab of the new repository and click to enable workflows.
feat: initial update of readme 2024-03-04 01:00:00 +00:00
			`## Containerfile`

docs: update readme 2024-12-03 03:50:53 +00:00			`The top line is the base image you want to start FROM. Any valid image can be a starting point, examples include:`

docs: fix whitespace 2024-12-03 03:59:13 +00:00			- `FROM ghcr.io/ublue-os/bazzite:latest`
			- `FROM ghcr.io/ublue-os/bluefin:stable`
			- `FROM ghcr.io/ublue-os/aurora-dx:stable`
docs: update readme 2024-12-03 03:50:53 +00:00
fix: typos 2024-12-03 03:55:11 +00:00			`## "Empty" base images`
docs: update readme 2024-12-03 03:50:53 +00:00
fix: typos 2024-12-03 03:55:11 +00:00			`These contain a base system WITHOUT a pre-existing desktop. This is recommended for a more bottom up approach or if you want to to use a different desktop environment than is currently available:`
docs: update readme 2024-12-03 03:50:53 +00:00
docs: fix whitespace 2024-12-03 03:59:13 +00:00			- `FROM ghcr.io/ublue-os/base-main:latest`
docs: update readme 2024-12-03 03:50:53 +00:00
			Use `base-nvidia:latest` if you need the Nvidia drivers. You can also lock to a specific version like `base-nvidia:41`, etc.
feat: initial update of readme 2024-03-04 01:00:00 +00:00
			`## Workflows`
chore: update readme 2024-04-12 16:28:03 +00:00
			`### build.yml`

refactor: use repo name as default image name (#7) Also makes the source image's tag easier to understand in the Containerfile. 2024-04-23 04:05:49 +00:00			`This workflow creates your custom OCI image and publishes it to the Github Container Registry (GHCR). By default, the image name will match the Github repository name.`
docs: add cosign and cleanup other info 2024-04-12 20:37:55 +00:00
			`#### Container Signing`

			`Container signing is important for end-user security and is enabled on all Universal Blue images. It is recommended you set this up, and by default the image builds will fail if you don't.`

			`This provides users a method of verifying the image.`

			`1. Install the [cosign CLI tool](https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-install-cosign/#installing-cosign-with-the-cosign-binary)`

			`2. Run inside your repo folder:`

			```bash
			`cosign generate-key-pair`
			```


			`- Do NOT put in a password when it asks you to, just press enter. The signing key will be used in GitHub Actions and will not work if it is encrypted.`

			`> [!WARNING]`
			> Be careful to never accidentally commit `cosign.key` into your git repo.

			`3. Add the private key to GitHub`

			`- This can also be done manually. Go to your repository settings, under Secrets and Variables -> Actions`
			`![image](https://user-images.githubusercontent.com/1264109/216735595-0ecf1b66-b9ee-439e-87d7-c8cc43c2110a.png)`
			Add a new secret and name it `SIGNING_SECRET`, then paste the contents of `cosign.key` into the secret and save it. Make sure it's the .key file and not the .pub file. Once done, it should look like this:
			`![image](https://user-images.githubusercontent.com/1264109/216735690-2d19271f-cee2-45ac-a039-23e6a4c16b34.png)`

			- (CLI instructions) If you have the `github-cli` installed, run:
chore: update readme 2024-04-12 16:28:03 +00:00
docs: add cosign and cleanup other info 2024-04-12 20:37:55 +00:00			```bash
			`gh secret set SIGNING_SECRET < cosign.key`
			```
chore: update readme 2024-04-12 16:28:03 +00:00
docs: add cosign and cleanup other info 2024-04-12 20:37:55 +00:00			4. Commit the `cosign.pub` file into your git repository
feat: Add examples of image-template to README (#37) * feat: Add examples of image-template to README * include BK's * Update README.md 2024-11-19 22:12:06 +00:00
			`### Examples`
			`- [m2os](https://github.com/m2giles/m2os)`
			`- [bos](https://github.com/bsherman/bos)`
			`- [homer](https://github.com/bketelsen/homer/)`