add isobuilder

2024-09-18 20:46:44 +00:00 · 2024-09-18 20:46:44 +00:00 · 975ebb2732
commit 975ebb2732
parent c7281fccfc
1 changed files with 249 additions and 0 deletions
--- a/action.yml
+++ b/action.yml
@ -0,0 +1,249 @@
+name: BlueOS Build Action
+description: Builds container images for BlueOS
+author: JasonN3
+inputs:
+  image_name:
+    description: name of the image to build
+    required: true
+  image_variant:
+    description: name of the image variant
+    required: false
+    default: ''
+  version:
+    description: primary tag to assign to the image
+    required: true
+  support:
+    description: latest, gts, or empty
+    required: false
+    default: ''
+  extra_build_args:
+    description: extra args to be passed to buildah
+    required: false
+    default: ''
+  signing_key:
+    description: key to sign images
+    required: true
+  #TODO: Split Containerfiles
+  target:
+    description: target to build in Containerfile
+    required: false
+    default: none
+  container_registry:
+    description: registry to store resulting container
+    required: false
+    default: ghcr.io/${{ github.repository_owner }}
+  container_repo:
+    description: repository for the container image
+    required: false
+    default: ${{ github.repository }}
+  container_ref:
+    description: repository ref for the container image
+    required: false
+    default: ${{ github.ref }}
+  push_container:
+    description: whether to push the resulting container image
+    required: false
+    default: "true"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ inputs.container_repo }}
+        ref: ${{ inputs.container_ref }}
+        submodules: recursive
+
+    - name: Free disk space (Ubuntu)
+      uses: jlumbroso/free-disk-space@v1.3.1
+      with:
+        # this might remove tools that are actually needed,
+        # if set to "true" but frees about 6 GB
+        tool-cache: false
+        
+        # all of these default to true, but feel free to set to
+        # "false" if necessary for your workflow
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: true
+        docker-images: true
+        swap-storage: true
+
+    - name: Generate image name
+      id: generate-name
+      shell: bash
+      run: |
+        if [[ "${{ inputs.image_variant }}" == "main" ]]
+        then
+          echo "image_name=${{ inputs.image_name }}" >> $GITHUB_OUTPUT
+        elif [[ "${{ inputs.image_variant }}" =~ "main-*" ]]
+        then
+          variant=${{ inputs.image_variant }}
+          echo "image_name=${{ inputs.image_name }}-${variant:5}" >> $GITHUB_OUTPUT
+        else
+          echo "image_name=${{ format('{0}-{1}', inputs.image_name, inputs.image_variant) }}" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Generate tags
+      id: generate-tags
+      shell: bash
+      run: |
+        # Run on main
+        if [[ ${{ github.event_name }} != 'pull_request' && ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]]
+        then
+          BUILD_TAG="${{ inputs.version }}"
+          COMMIT_TAGS=()
+          COMMIT_TAGS+=("${{ inputs.version }}")
+          if [[ -n "${{ inputs.support }}" ]]
+          then
+            COMMIT_TAGS+=("${{ inputs.support }}")
+          fi
+          # VERSION-YYYYMMDD
+          TIMESTAMP="$(date +%Y%m%d)"
+          COMMIT_TAGS+=("${BUILD_TAG}-${TIMESTAMP}")
+        fi
+
+        # Pull Request
+        if [[ ${{ github.event_name }} == "pull_request" ]]
+        then
+          # pr-#-VERSION
+          BUILD_TAG="pr-${{ github.event.number }}-${{ inputs.version }}"
+          COMMIT_TAGS=()
+          # pr-#-VERSION-SHA
+          SHA_SHORT="${GITHUB_SHA::7}"
+          COMMIT_TAGS+=("$BUILD_TAG-${SHA_SHORT}")
+          # pr-#-VERSION-YYYYMMDD
+          TIMESTAMP="$(date +%Y%m%d)"
+          COMMIT_TAGS+=("${BUILD_TAG}-${TIMESTAMP}")
+        fi
+
+        # Other
+        if [[ -z ${BUILD_TAG} ]]
+        then
+          SHA_SHORT="${GITHUB_SHA::7}"
+          BUILD_TAG="${SHA_SHORT}"
+        fi
+
+        echo "tags=${BUILD_TAG} ${COMMIT_TAGS[*]}" >> $GITHUB_OUTPUT
+
+    # Build metadata
+    - name: Image Metadata
+      uses: docker/metadata-action@v5
+      id: meta
+      with:
+        images: |
+          ${{ steps.generate-name.outputs.image_name }}
+        labels: |
+          org.opencontainers.image.title=${{ steps.generate-name.outputs.image_name }}
+          org.opencontainers.image.version=${{ inputs.version }}
+          org.opencontainers.image.description=An interpretation of the Ubuntu spirit built on Fedora technology 
+          io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
+          io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
+
+    - name: Determine extra args
+      id: extra-args
+      shell: bash
+      run: |
+        if [[ ${{ inputs.target }} == "none" ]]
+        then
+          echo "args=" >> $GITHUB_OUTPUT
+        else
+          echo "args=--target=${{ inputs.target }}" >> $GITHUB_OUTPUT
+        fi
+
+    # Build image using Buildah action
+    - name: Build Image
+      id: build_image
+      uses: redhat-actions/buildah-build@v2
+      with:
+        containerfiles: |
+          ./Containerfile
+        image: ${{ steps.generate-name.outputs.image_name }}
+        tags: ${{ steps.generate-tags.outputs.tags }}
+        build-args: |
+          IMAGE_NAME=${{ inputs.image_name }}
+          IMAGE_FLAVOR=${{ inputs.image_variant }}
+          IMAGE_VENDOR=${{ github.repository_owner }}
+          FEDORA_MAJOR_VERSION=${{ inputs.version }}
+          TARGET_BASE=${{ inputs.image_variant }}
+          ${{ inputs.extra_build_args }}
+        labels: ${{ steps.meta.outputs.labels }}
+        oci: false
+        #TODO: Split Containerfiles
+        extra-args: ${{ steps.extra-args.outputs.args }}
+          
+
+    - name: Get list of images to verify
+      id: images_to_verify
+      shell: bash
+      run: |
+        # grep may return 1 if no ublue images were used
+        set +o pipefail
+        ublue_images=$(buildah images | tail -n +2 | grep -v localhost | awk '{print $1}' | grep '^ghcr.io/ublue-os' | tr '\n' ' ')
+        chainguard_images=$(buildah images | tail -n +2 | grep -v localhost | awk '{print $1}' | grep '^cgr.dev/chainguard' | tr '\n' ' ')
+
+        echo "ublue_images=${ublue_images}" >> $GITHUB_OUTPUT
+        echo "chainguard_images=${chainguard_images}" >> $GITHUB_OUTPUT
+
+    - name: Verify base image
+      if: ${{ steps.images_to_verify.output.ublue_images }} != ''
+      uses: EyeCantCU/cosign-action/verify@v0.2.2
+      with:
+        containers: ${{ steps.images_to_verify.output.ublue_images }}
+        pubkey: https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub
+    
+    - name: Verify chainguard images
+      if: ${{ steps.images_to_verify.output.chainguard_images }} != ''
+      uses: EyeCantCU/cosign-action/verify@v0.2.2
+      with:
+        containers: ${{ steps.images_to_verify.output.chainguard_images }}
+        cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
+        oidc-issuer: https://token.actions.githubusercontent.com
+        registry: cgr.dev/chainguard
+
+    # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
+    # https://github.com/macbre/push-to-ghcr/issues/12
+    - name: Lowercase Registry
+      id: registry_case
+      uses: ASzc/change-string-case-action@v6
+      with:
+        string: ${{ inputs.container_registry }}
+
+    # Push the image to GHCR (Image Registry)
+    - name: Push To GHCR
+      id: push
+      if: inputs.push_container == 'true'
+      env:
+        REGISTRY_USER: ${{ github.actor }}
+        REGISTRY_PASSWORD: ${{ github.token }}
+      uses: redhat-actions/push-to-registry@v2
+      with:
+        image: ${{ steps.build_image.outputs.image }}
+        tags: ${{ steps.generate-tags.outputs.tags }}
+        registry: ${{ steps.registry_case.outputs.lowercase }}
+        username: ${{ env.REGISTRY_USER }}
+        password: ${{ env.REGISTRY_PASSWORD }}
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
+
+    # Sign container
+    - uses: sigstore/cosign-installer@v3.4.0
+      if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch
+
+    - name: Sign container image
+      shell: bash
+      if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch
+      run: |
+        cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
+      env:
+        TAGS: ${{ steps.push.outputs.digest }}
+        COSIGN_EXPERIMENTAL: "false"
+        COSIGN_PRIVATE_KEY: ${{ inputs.signing_key }}