--- name: BlueOS Build Action description: Builds container images for BlueOS author: JasonN3 inputs: image_name: description: name of the image to build required: true image_variant: description: name of the image variant required: false default: '' version: description: primary tag to assign to the image required: true support: description: latest, gts, or empty required: false default: '' extra_build_args: description: extra args to be passed to buildah required: false default: '' signing_key: description: key to sign images required: true #TODO: Split Containerfiles target: description: target to build in Containerfile required: false default: none container_registry: description: registry to store resulting container required: false default: ghcr.io/${{ github.repository_owner }} container_repo: description: repository for the container image required: false default: ${{ github.repository }} container_ref: description: repository ref for the container image required: false default: ${{ github.ref }} push_container: description: whether to push the resulting container image required: false default: "true" runs: using: "composite" steps: - name: Checkout uses: actions/checkout@v4 with: repository: ${{ inputs.container_repo }} ref: ${{ inputs.container_ref }} submodules: recursive - name: Free disk space (Ubuntu) uses: jlumbroso/free-disk-space@v1.3.1 with: # this might remove tools that are actually needed, # if set to "true" but frees about 6 GB tool-cache: false # all of these default to true, but feel free to set to # "false" if necessary for your workflow android: true dotnet: true haskell: true large-packages: true docker-images: true swap-storage: true - name: Generate image name id: generate-name shell: bash run: | if [[ "${{ inputs.image_variant }}" == "main" ]] then echo "image_name=${{ inputs.image_name }}" >> $GITHUB_OUTPUT elif [[ "${{ inputs.image_variant }}" =~ "main-*" ]] then variant=${{ inputs.image_variant }} echo "image_name=${{ inputs.image_name }}-${variant:5}" >> $GITHUB_OUTPUT else echo "image_name=${{ format('{0}-{1}', inputs.image_name, inputs.image_variant) }}" >> $GITHUB_OUTPUT fi - name: Generate tags id: generate-tags shell: bash run: | # Run on main if [[ ${{ github.event_name }} != 'pull_request' && ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]] then BUILD_TAG="${{ inputs.version }}" COMMIT_TAGS=() COMMIT_TAGS+=("${{ inputs.version }}") if [[ -n "${{ inputs.support }}" ]] then COMMIT_TAGS+=("${{ inputs.support }}") fi # VERSION-YYYYMMDD TIMESTAMP="$(date +%Y%m%d)" COMMIT_TAGS+=("${BUILD_TAG}-${TIMESTAMP}") fi # Pull Request if [[ ${{ github.event_name }} == "pull_request" ]] then # pr-#-VERSION BUILD_TAG="pr-${{ github.event.number }}-${{ inputs.version }}" COMMIT_TAGS=() # pr-#-VERSION-SHA SHA_SHORT="${GITHUB_SHA::7}" COMMIT_TAGS+=("$BUILD_TAG-${SHA_SHORT}") # pr-#-VERSION-YYYYMMDD TIMESTAMP="$(date +%Y%m%d)" COMMIT_TAGS+=("${BUILD_TAG}-${TIMESTAMP}") fi # Other if [[ -z ${BUILD_TAG} ]] then SHA_SHORT="${GITHUB_SHA::7}" BUILD_TAG="${SHA_SHORT}" fi echo "tags=${BUILD_TAG} ${COMMIT_TAGS[*]}" >> $GITHUB_OUTPUT # Build metadata - name: Image Metadata uses: docker/metadata-action@v5 id: meta with: images: | ${{ steps.generate-name.outputs.image_name }} labels: | org.opencontainers.image.title=${{ steps.generate-name.outputs.image_name }} org.opencontainers.image.version=${{ inputs.version }} org.opencontainers.image.description=An interpretation of the Ubuntu spirit built on Fedora technology io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - name: Determine extra args id: extra-args shell: bash run: | if [[ ${{ inputs.target }} == "none" ]] then echo "args=" >> $GITHUB_OUTPUT else echo "args=--target=${{ inputs.target }}" >> $GITHUB_OUTPUT fi # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile image: ${{ steps.generate-name.outputs.image_name }} tags: ${{ steps.generate-tags.outputs.tags }} build-args: | IMAGE_NAME=${{ inputs.image_name }} IMAGE_FLAVOR=${{ inputs.image_variant }} IMAGE_VENDOR=${{ github.repository_owner }} FEDORA_MAJOR_VERSION=${{ inputs.version }} TARGET_BASE=${{ inputs.image_variant }} ${{ inputs.extra_build_args }} labels: ${{ steps.meta.outputs.labels }} oci: false #TODO: Split Containerfiles extra-args: ${{ steps.extra-args.outputs.args }} - name: Get list of images to verify id: images_to_verify shell: bash run: | # grep may return 1 if no ublue images were used set +o pipefail ublue_images=$(buildah images | tail -n +2 | grep -v localhost | awk '{print $1}' | grep '^ghcr.io/ublue-os' | tr '\n' ' ') chainguard_images=$(buildah images | tail -n +2 | grep -v localhost | awk '{print $1}' | grep '^cgr.dev/chainguard' | tr '\n' ' ') echo "ublue_images=${ublue_images}" >> $GITHUB_OUTPUT echo "chainguard_images=${chainguard_images}" >> $GITHUB_OUTPUT - name: Verify base image if: ${{ steps.images_to_verify.output.ublue_images }} != '' uses: EyeCantCU/cosign-action/verify@v0.2.2 with: containers: ${{ steps.images_to_verify.output.ublue_images }} pubkey: https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub - name: Verify chainguard images if: ${{ steps.images_to_verify.output.chainguard_images }} != '' uses: EyeCantCU/cosign-action/verify@v0.2.2 with: containers: ${{ steps.images_to_verify.output.chainguard_images }} cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main oidc-issuer: https://token.actions.githubusercontent.com registry: cgr.dev/chainguard # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v6 with: string: ${{ inputs.container_registry }} # Push the image to GHCR (Image Registry) - name: Push To GHCR id: push if: inputs.push_container == 'true' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} uses: redhat-actions/push-to-registry@v2 with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.generate-tags.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} - name: Login to GitHub Container Registry uses: docker/login-action@v3 if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} # Sign container - uses: sigstore/cosign-installer@v3.4.0 if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch - name: Sign container image shell: bash if: inputs.push_container == 'true' && github.event_name == 'push' && github.ref == github.event.repository.default_branch run: | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: "false" COSIGN_PRIVATE_KEY: ${{ inputs.signing_key }} name: build-ublue-custom on: pull_request: branches: - main schedule: - cron: '05 10 * * *' # 10:05am UTC everyday push: branches: - main paths-ignore: - '**/README.md' workflow_dispatch: env: MY_IMAGE_NAME: "${{ github.event.repository.name }}" # the name of the image produced by this build, matches repo names MY_IMAGE_DESC: "My Customized Universal Blue Image" IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit jobs: build_push: name: Build and push image runs-on: ubuntu-24.04 permissions: contents: read packages: write id-token: write steps: # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v4 - name: Maximize build space uses: ublue-os/remove-unwanted-software@v7 - name: Generate tags id: generate-tags shell: bash run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" COMMIT_TAGS=() BUILD_TAGS=() # Have tags for tracking builds during pull request SHA_SHORT="${GITHUB_SHA::7}" COMMIT_TAGS+=("pr-${{ github.event.number }}") COMMIT_TAGS+=("${SHA_SHORT}") # Append matching timestamp tags to keep a version history for TAG in "${BUILD_TAGS[@]}"; do BUILD_TAGS+=("${TAG}-${TIMESTAMP}") done BUILD_TAGS+=("${TIMESTAMP}") BUILD_TAGS+=("latest") if [[ "${{ github.event_name }}" == "pull_request" ]]; then echo "Generated the following commit tags: " for TAG in "${COMMIT_TAGS[@]}"; do echo "${TAG}" done alias_tags=("${COMMIT_TAGS[@]}") else alias_tags=("${BUILD_TAGS[@]}") fi echo "Generated the following build tags: " for TAG in "${BUILD_TAGS[@]}"; do echo "${TAG}" done echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT # Build metadata - name: Image Metadata uses: docker/metadata-action@v5 id: meta with: images: | ${{ env.MY_IMAGE_NAME }} labels: | io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md org.opencontainers.image.description=${{ env.MY_IMAGE_DESC }} org.opencontainers.image.title=${{ env.MY_IMAGE_NAME }} # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile # Postfix image name with -custom to make it a little more descriptive # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format image: ${{ env.MY_IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} labels: ${{ steps.meta.outputs.labels }} oci: false # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v6 with: string: ${{ env.IMAGE_REGISTRY }} - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Push Image to GHCR uses: redhat-actions/push-to-registry@v2 id: push env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.build_image.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} extra-args: | --disable-content-trust # This section is optional and only needs to be enabled if you plan on distributing # your project for others to consume. You will need to create a public and private key # using Cosign and save the private key as a repository secret in Github for this workflow # to consume. For more details, review the image signing section of the README. # Sign container - uses: sigstore/cosign-installer@v3.5.0 if: github.event_name != 'pull_request' - name: Sign container image if: github.event_name != 'pull_request' run: | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}