name: BlueOS Build Action description: Builds container images for BlueOS author: JasonN3 inputs: image_name: description: name of the image to build required: true image_variant: description: name of the image variant required: false default: '' version: description: primary tag to assign to the image required: true support: description: latest, gts, or empty required: false default: '' extra_build_args: description: extra args to be passed to buildah required: false default: '' signing_key: description: key to sign images required: true #TODO: Split Containerfiles target: description: target to build in Containerfile required: false default: none container_registry: description: registry to store resulting container required: false default: ghcr.io/${{ github.repository_owner }} container_repo: description: repository for the container image required: false default: ${{ github.repository }} container_ref: description: repository ref for the container image required: false default: ${{ github.ref }} push_container: description: whether to push the resulting container image required: false default: "true" runs: using: "composite" steps: - name: Checkout uses: actions/checkout@v4 with: repository: ${{ inputs.container_repo }} ref: ${{ inputs.container_ref }} submodules: recursive - name: Free disk space (Ubuntu) uses: jlumbroso/free-disk-space@v1.3.1 with: # this might remove tools that are actually needed, # if set to "true" but frees about 6 GB tool-cache: false # all of these default to true, but feel free to set to # "false" if necessary for your workflow android: true dotnet: true haskell: true large-packages: true docker-images: true swap-storage: true - name: Generate image name id: generate-name shell: bash run: | if [[ "${{ inputs.image_variant }}" == "main" ]] then echo "image_name=${{ inputs.image_name }}" >> $GITHUB_OUTPUT elif [[ "${{ inputs.image_variant }}" =~ "main-*" ]] then variant=${{ inputs.image_variant }} echo "image_name=${{ inputs.image_name }}-${variant:5}" >> $GITHUB_OUTPUT else echo "image_name=${{ format('{0}-{1}', inputs.image_name, inputs.image_variant) }}" >> $GITHUB_OUTPUT fi - name: Generate tags id: generate-tags shell: bash run: | # Run on main if [[ ${{ github.event_name }} != 'pull_request' && ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]] then BUILD_TAG="${{ inputs.version }}" COMMIT_TAGS=() COMMIT_TAGS+=("${{ inputs.version }}") if [[ -n "${{ inputs.support }}" ]] then COMMIT_TAGS+=("${{ inputs.support }}") fi # VERSION-YYYYMMDD TIMESTAMP="$(date +%Y%m%d)" COMMIT_TAGS+=("${BUILD_TAG}-${TIMESTAMP}") fi # Pull Request if [[ ${{ github.event_name }} == "pull_request" ]] then # pr-#-VERSION BUILD_TAG="pr-${{ github.event.number }}-${{ inputs.version }}" COMMIT_TAGS=() # pr-#-VERSION-SHA SHA_SHORT="${GITHUB_SHA::7}" COMMIT_TAGS+=("$BUILD_TAG-${SHA_SHORT}") # pr-#-VERSION-YYYYMMDD TIMESTAMP="$(date +%Y%m%d)" COMMIT_TAGS+=("${BUILD_TAG}-${TIMESTAMP}") fi # Other if [[ -z ${BUILD_TAG} ]] then SHA_SHORT="${GITHUB_SHA::7}" BUILD_TAG="${SHA_SHORT}" fi echo "tags=${BUILD_TAG} ${COMMIT_TAGS[*]}" >> $GITHUB_OUTPUT # Build metadata - name: Image Metadata uses: docker/metadata-action@v5 id: meta with: images: | ${{ steps.generate-name.outputs.image_name }} labels: | org.opencontainers.image.title=${{ steps.generate-name.outputs.image_name }} org.opencontainers.image.version=${{ inputs.version }} org.opencontainers.image.description=An interpretation of the Ubuntu spirit built on Fedora technology io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - name: Determine extra args id: extra-args shell: bash run: | if [[ ${{ inputs.target }} == "none" ]] then echo "args=" >> $GITHUB_OUTPUT else echo "args=--target=${{ inputs.target }}" >> $GITHUB_OUTPUT fi # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile image: ${{ steps.generate-name.outputs.image_name }} tags: ${{ steps.generate-tags.outputs.tags }} build-args: | IMAGE_NAME=${{ inputs.image_name }} IMAGE_FLAVOR=${{ inputs.image_variant }} IMAGE_VENDOR=${{ github.repository_owner }} FEDORA_MAJOR_VERSION=${{ inputs.version }} TARGET_BASE=${{ inputs.image_variant }} ${{ inputs.extra_build_args }} labels: ${{ steps.meta.outputs.labels }} oci: false #TODO: Split Containerfiles extra-args: ${{ steps.extra-args.outputs.args }} - name: Get list of images to verify id: images_to_verify shell: bash run: | # grep may return 1 if no ublue images were used set +o pipefail ublue_images=$(buildah images | tail -n +2 | grep -v localhost | awk '{print $1}' | grep '^ghcr.io/ublue-os' | tr '\n' ' ') chainguard_images=$(buildah images | tail -n +2 | grep -v localhost | awk '{print $1}' | grep '^cgr.dev/chainguard' | tr '\n' ' ') echo "ublue_images=${ublue_images}" >> $GITHUB_OUTPUT echo "chainguard_images=${chainguard_images}" >> $GITHUB_OUTPUT - name: Verify base image if: ${{ steps.images_to_verify.output.ublue_images }} != '' uses: EyeCantCU/cosign-action/verify@v0.2.2 with: containers: ${{ steps.images_to_verify.output.ublue_images }} pubkey: https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub - name: Verify chainguard images if: ${{ steps.images_to_verify.output.chainguard_images }} != '' uses: EyeCantCU/cosign-action/verify@v0.2.2 with: containers: ${{ steps.images_to_verify.output.chainguard_images }} cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main oidc-issuer: https://token.actions.githubusercontent.com registry: cgr.dev/chainguard # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v6 with: string: ${{ inputs.container_registry }} # Push the image to GHCR (Image Registry) - name: Push To GHCR id: push if: inputs.push_container == 'true' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} uses: redhat-actions/push-to-registry@v2 with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.generate-tags.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} - name: Login to GitHub Container Registry uses: docker/login-action@v3 if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} # Sign container - uses: sigstore/cosign-installer@v3.4.0 if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch - name: Sign container image shell: bash if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch run: | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: "false" COSIGN_PRIVATE_KEY: ${{ inputs.signing_key }}