sst/uphy-20241229
1
0
Fork 0
Code Releases Packages Activity Actions

add isobuilder

Browse source
This commit is contained in:
batvin3211 2024-09-18 20:46:44 +00:00 committed by GitHub
parent c7281fccfc
commit 975ebb2732
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 249 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

249
action.yml Normal file
View file

@ -0,0 +1,249 @@
name: BlueOS Build Action
description: Builds container images for BlueOS
author: JasonN3
inputs:
image_name:
description: name of the image to build
required: true
image_variant:
description: name of the image variant
required: false
default: ''
version:
description: primary tag to assign to the image
required: true
support:
description: latest, gts, or empty
required: false
default: ''
extra_build_args:
description: extra args to be passed to buildah
required: false
default: ''
signing_key:
description: key to sign images
required: true
#TODO: Split Containerfiles
target:
description: target to build in Containerfile
required: false
default: none
container_registry:
description: registry to store resulting container
required: false
default: ghcr.io/${{ github.repository_owner }}
container_repo:
description: repository for the container image
required: false
default: ${{ github.repository }}
container_ref:
description: repository ref for the container image
required: false
default: ${{ github.ref }}
push_container:
description: whether to push the resulting container image
required: false
default: "true"
runs:
using: "composite"
steps:
- name: Checkout
uses: actions/checkout@v4
with:
repository: ${{ inputs.container_repo }}
ref: ${{ inputs.container_ref }}
submodules: recursive
- name: Free disk space (Ubuntu)
uses: jlumbroso/free-disk-space@v1.3.1
with:
# this might remove tools that are actually needed,
# if set to "true" but frees about 6 GB
tool-cache: false
# all of these default to true, but feel free to set to
# "false" if necessary for your workflow
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
- name: Generate image name
id: generate-name
shell: bash
run: |
if [[ "${{ inputs.image_variant }}" == "main" ]]
then
echo "image_name=${{ inputs.image_name }}" >> $GITHUB_OUTPUT
elif [[ "${{ inputs.image_variant }}" =~ "main-*" ]]
then
variant=${{ inputs.image_variant }}
echo "image_name=${{ inputs.image_name }}-${variant:5}" >> $GITHUB_OUTPUT
else
echo "image_name=${{ format('{0}-{1}', inputs.image_name, inputs.image_variant) }}" >> $GITHUB_OUTPUT
fi
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Run on main
if [[ ${{ github.event_name }} != 'pull_request' && ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]]
then
BUILD_TAG="${{ inputs.version }}"
COMMIT_TAGS=()
COMMIT_TAGS+=("${{ inputs.version }}")
if [[ -n "${{ inputs.support }}" ]]
then
COMMIT_TAGS+=("${{ inputs.support }}")
fi
# VERSION-YYYYMMDD
TIMESTAMP="$(date +%Y%m%d)"
COMMIT_TAGS+=("${BUILD_TAG}-${TIMESTAMP}")
fi
# Pull Request
if [[ ${{ github.event_name }} == "pull_request" ]]
then
# pr-#-VERSION
BUILD_TAG="pr-${{ github.event.number }}-${{ inputs.version }}"
COMMIT_TAGS=()
# pr-#-VERSION-SHA
SHA_SHORT="${GITHUB_SHA::7}"
COMMIT_TAGS+=("$BUILD_TAG-${SHA_SHORT}")
# pr-#-VERSION-YYYYMMDD
TIMESTAMP="$(date +%Y%m%d)"
COMMIT_TAGS+=("${BUILD_TAG}-${TIMESTAMP}")
fi
# Other
if [[ -z ${BUILD_TAG} ]]
then
SHA_SHORT="${GITHUB_SHA::7}"
BUILD_TAG="${SHA_SHORT}"
fi
echo "tags=${BUILD_TAG} ${COMMIT_TAGS[*]}" >> $GITHUB_OUTPUT
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ steps.generate-name.outputs.image_name }}
labels: |
org.opencontainers.image.title=${{ steps.generate-name.outputs.image_name }}
org.opencontainers.image.version=${{ inputs.version }}
org.opencontainers.image.description=An interpretation of the Ubuntu spirit built on Fedora technology
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
- name: Determine extra args
id: extra-args
shell: bash
run: |
if [[ ${{ inputs.target }} == "none" ]]
then
echo "args=" >> $GITHUB_OUTPUT
else
echo "args=--target=${{ inputs.target }}" >> $GITHUB_OUTPUT
fi
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./Containerfile
image: ${{ steps.generate-name.outputs.image_name }}
tags: ${{ steps.generate-tags.outputs.tags }}
build-args: |
IMAGE_NAME=${{ inputs.image_name }}
IMAGE_FLAVOR=${{ inputs.image_variant }}
IMAGE_VENDOR=${{ github.repository_owner }}
FEDORA_MAJOR_VERSION=${{ inputs.version }}
TARGET_BASE=${{ inputs.image_variant }}
${{ inputs.extra_build_args }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
#TODO: Split Containerfiles
extra-args: ${{ steps.extra-args.outputs.args }}
- name: Get list of images to verify
id: images_to_verify
shell: bash
run: |
# grep may return 1 if no ublue images were used
set +o pipefail
ublue_images=$(buildah images | tail -n +2 | grep -v localhost | awk '{print $1}' | grep '^ghcr.io/ublue-os' | tr '\n' ' ')
chainguard_images=$(buildah images | tail -n +2 | grep -v localhost | awk '{print $1}' | grep '^cgr.dev/chainguard' | tr '\n' ' ')
echo "ublue_images=${ublue_images}" >> $GITHUB_OUTPUT
echo "chainguard_images=${chainguard_images}" >> $GITHUB_OUTPUT
- name: Verify base image
if: ${{ steps.images_to_verify.output.ublue_images }} != ''
uses: EyeCantCU/cosign-action/verify@v0.2.2
with:
containers: ${{ steps.images_to_verify.output.ublue_images }}
pubkey: https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub
- name: Verify chainguard images
if: ${{ steps.images_to_verify.output.chainguard_images }} != ''
uses: EyeCantCU/cosign-action/verify@v0.2.2
with:
containers: ${{ steps.images_to_verify.output.chainguard_images }}
cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
oidc-issuer: https://token.actions.githubusercontent.com
registry: cgr.dev/chainguard
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ inputs.container_registry }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
id: push
if: inputs.push_container == 'true'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.generate-tags.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
# Sign container
- uses: sigstore/cosign-installer@v3.4.0
if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch
- name: Sign container image
shell: bash
if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: "false"
COSIGN_PRIVATE_KEY: ${{ inputs.signing_key }}