From b9a6100ab4baf6e7617f458f939a47f175b53106 Mon Sep 17 00:00:00 2001
From: sst
Date: Fri, 21 Mar 2025 22:48:45 +0000
Subject: [PATCH] Update .forgejo/workflows/build.yml
---
.forgejo/workflows/build.yml | 198 ++++++++++++++++++++++++++++-------
1 file changed, 162 insertions(+), 36 deletions(-)
diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml
index 4f309ed..08a07bc 100644
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@@ -1,56 +1,182 @@ -#inspired from https://github.com/nzwulfin/cicd-bootc/blob/main/.github/workflows/build_fedora_bootc.yml -name: Build bootc image with GHA +--- +name: Build Custom Image on: + pull_request: + branches: + - main schedule: -#weekly updates - change as needed - - cron: "0 0 * * 5" - workflow_dispatch: + - cron: '05 10 * * *' # 10:05am UTC everyday push: branches: - main + paths-ignore: + - '**/README.md' + workflow_dispatch: + +env: + IMAGE_NAME: "uphy-test" # the name of the image produced by this build, matches repo names + IMAGE_DESC: "My Customized Universal Blue Image" + IMAGE_REGISTRY: "rievo.dev/sst" # do not edit + ARTIFACTHUB_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4" # You should put your own image here so that you get a fancy profile image on https://artifacthub.io/! + +concurrency: + group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} + cancel-in-progress: true jobs: - build: - name: Build bootc image + build_push: + name: Build and push image + runs-on: buildah-latest + + permissions: + contents: read + packages: write + id-token: write - #change ubuntu-latest to runner if using the included gitea configs - runs-on: buildah-latest - env: - IMAGE_NAME: bootc-example - REGISTRY: rievo.dev/sst - steps: - - name: Clone the repository - uses: actions/checkout@v4 + # These stage versions are pinned by https://github.com/renovatebot/renovate + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Use buildah bud to create the image - id: build-image - uses: https://github.com/redhat-actions/buildah-build@v2 + # This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines: + # - name: Maximize build space + # uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 + # with: + # remove-codeql: true + + - 
name: Get current date + id: date + run: | + # This generates a timestamp like what is defined on the ArtifactHub documentation + # E.G: 2022-02-08T15:38:15Z' + # https://artifacthub.io/docs/topics/repositories/container-images/ + # https://linux.die.net/man/1/date + echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT + + # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images + # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. + - name: Image Metadata + uses: https://github.com/docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5 + id: metadata + with: + # This generates all the tags for your image, you can add custom tags here too! + # By default, it should generate "latest" and "latest.(date here)". + tags: | + type=raw,value=latest + type=raw,value=latest.{{date 'YYYYMMDD'}} + type=raw,value={{date 'YYYYMMDD'}} + type=sha,enable=${{ github.event_name == 'pull_request' }} + type=ref,event=pr + labels: | + io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md + org.opencontainers.image.created=${{ steps.date.outputs.date }} + org.opencontainers.image.description=${{ env.IMAGE_DESC }} + org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md + org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile + org.opencontainers.image.title=${{ env.IMAGE_NAME }} + org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} + org.opencontainers.image.vendor=${{ github.repository_owner }} + org.opencontainers.image.version=latest + io.artifacthub.package.deprecated=false + 
io.artifacthub.package.keywords=bootc,ublue,universal-blue + io.artifacthub.package.license=Apache-2.0 + io.artifacthub.package.logo-url=${{ env.ARTIFACTHUB_LOGO_URL }} + io.artifacthub.package.prerelease=false + containers.bootc=1 + sep-tags: " " + sep-annotations: " " + + - name: Build Image + id: build_image + uses: https://github.com/redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 with: - image: ${{ env.IMAGE_NAME }} - tags: latest ${{ github.sha }} containerfiles: | ./Containerfile + # Postfix image name with -custom to make it a little more descriptive + # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format + image: ${{ env.IMAGE_NAME }} + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + oci: false - # workaround for https://github.com/redhat-actions/podman-login/issues/42 since the docker config from the host doesn't come up to the container - - name: Workaround open podman-login action issue - env: - auth: "{ \"auths\": {} }" - run: | - mkdir -p $HOME/.docker - echo $auth > $HOME/.docker/config.json + # Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published. + # This does not make your image faster to download, just provides better resumability and fixes a few errors. 
+ # Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk + # You can enable it by uncommenting the following lines: + # - name: Run Rechunker + # id: rechunk + # uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1 + # with: + # rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1' + # ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" + # prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" + # skip_compression: true + # version: ${{ env.CENTOS_VERSION }} + # labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator - - name: Log in to the GitHub Container registry - uses: https://github.com/redhat-actions/podman-login@v1 + # This is necessary so that the podman socket can find the rechunked image on its storage + # - name: Load in podman and tag + # run: | + # IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) + # sudo rm -rf ${{ steps.rechunk.outputs.output }} + # for tag in ${{ steps.metadata.outputs.tags }}; do + # podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag + # done + + # These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing + # They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work + - name: Login to GitHub Container Registry + uses: https://github.com/docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) with: - registry: ${{ env.REGISTRY }} + registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Push to GitHub Container Repository - id: push-to-ghcr - uses: https://github.com/redhat-actions/push-to-registry@v2 + # Workaround bug 
where capital letters in your GitHub username make it impossible to push to GHCR. + # https://github.com/macbre/push-to-ghcr/issues/12 + # - name: Lowercase Registry + # id: registry_case + # uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 + # with: + # string: ${{ env.IMAGE_REGISTRY }} + + # - name: Lowercase Image + # id: image_case + # uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 + # with: + # string: ${{ env.IMAGE_NAME }} + + - name: Push To GHCR + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + id: push + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} with: - image: ${{ steps.build-image.outputs.image }} - tags: ${{ steps.build-image.outputs.tags }} - registry: ${{ env.REGISTRY }} + registry: ${{ steps.registry_case.outputs.lowercase }} + image: ${{ steps.image_case.outputs.lowercase }} + tags: ${{ steps.metadata.outputs.tags }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + + # This section is optional and only needs to be enabled if you plan on distributing + # your project for others to consume. You will need to create a public and private key + # using Cosign and save the private key as a repository secret in Github for this workflow + # to consume. For more details, review the image signing section of the README. 
+ # - name: Install Cosign + # uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + + # - name: Sign container image + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # run: | + # IMAGE_FULL="${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}" + # for tag in ${{ steps.metadata.outputs.tags }}; do + # cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag + # done + # env: + # TAGS: ${{ steps.push.outputs.digest }} + # COSIGN_EXPERIMENTAL: false + # COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
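Review bot: The `Push To GHCR` step reads `steps.registry_case.outputs.lowercase` and `steps.image_case.outputs.lowercase`, but the `Lowercase Registry` and `Lowercase Image` steps that would produce them are commented out, so `registry:` and `image:` evaluate to empty strings and the push cannot address the intended target. The login step just above also targets `ghcr.io` while `env.IMAGE_REGISTRY` is `rievo.dev/sst` (marked "do not edit") and is never referenced by an active step; on a Forgejo runner `secrets.GITHUB_TOKEN` is presumably the instance's own token rather than a ghcr.io credential, so that login is unlikely to succeed as written. Pointing both steps at the declared registry, `registry: ${{ env.IMAGE_REGISTRY }}` in the login step and `registry: ${{ env.IMAGE_REGISTRY }}` plus `image: ${{ env.IMAGE_NAME }}` in the push step, makes the pipeline self-consistent; the lowercase helpers can be re-enabled if the name ever gains capitals. Separately, `permissions` grants `id-token: write` although its only consumer, a keyless Cosign flow, is not present and the sketched signing uses a stored key from `secrets.SIGNING_SECRET`; dropping it until signing is enabled keeps the job at least privilege. `concurrency.group` additionally interpolates `inputs.brand_name` and `inputs.stream_name`, which no `workflow_dispatch` input defines, so they expand to empty and add nothing to the key.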