--- name: Build Custom Image on: pull_request: branches: - main schedule: - cron: '05 10 * * *' # 10:05am UTC everyday push: branches: - main paths-ignore: - '**/README.md' workflow_dispatch: env: IMAGE_NAME: "uphy-test" # the name of the image produced by this build, matches repo names IMAGE_DESC: "My Customized Universal Blue Image" IMAGE_REGISTRY: "rievo.dev/sst" # do not edit ARTIFACTHUB_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4" # You should put your own image here so that you get a fancy profile image on https://artifacthub.io/! concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} cancel-in-progress: true jobs: build_push: name: Build and push image runs-on: buildah-latest permissions: contents: read packages: write id-token: write steps: # These stage versions are pinned by https://github.com/renovatebot/renovate - name: Checkout uses: https://github.com/actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines: # - name: Maximize build space # uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 # with: # remove-codeql: true - name: Get current date id: date run: | # This generates a timestamp like what is defined on the ArtifactHub documentation # E.G: 2022-02-08T15:38:15Z' # https://artifacthub.io/docs/topics/repositories/container-images/ # https://linux.die.net/man/1/date echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. - name: Image Metadata uses: https://github.com/docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5 id: metadata with: # This generates all the tags for your image, you can add custom tags here too! # By default, it should generate "latest" and "latest.(date here)". tags: | type=raw,value=latest type=raw,value=latest.{{date 'YYYYMMDD'}} type=raw,value={{date 'YYYYMMDD'}} type=sha,enable=${{ github.event_name == 'pull_request' }} type=ref,event=pr labels: | io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md org.opencontainers.image.created=${{ steps.date.outputs.date }} org.opencontainers.image.description=${{ env.IMAGE_DESC }} org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} org.opencontainers.image.vendor=${{ github.repository_owner }} org.opencontainers.image.version=latest io.artifacthub.package.deprecated=false io.artifacthub.package.keywords=bootc,ublue,universal-blue io.artifacthub.package.license=Apache-2.0 io.artifacthub.package.logo-url=${{ env.ARTIFACTHUB_LOGO_URL }} io.artifacthub.package.prerelease=false containers.bootc=1 sep-tags: " " sep-annotations: " " - name: Build Image id: build_image uses: https://github.com/redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 with: containerfiles: | ./Containerfile # Postfix image name with -custom to make it a little more descriptive # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format image: ${{ env.IMAGE_NAME }} tags: ${{ steps.metadata.outputs.tags }} labels: ${{ steps.metadata.outputs.labels }} oci: false # Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published. # This does not make your image faster to download, just provides better resumability and fixes a few errors. # Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk # You can enable it by uncommenting the following lines: - name: Run Rechunker id: rechunk uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1 with: rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1' ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" skip_compression: true version: ${{ env.CENTOS_VERSION }} labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator This is necessary so that the podman socket can find the rechunked image on its storage - name: Load in podman and tag run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) sudo rm -rf ${{ steps.rechunk.outputs.output }} for tag in ${{ steps.metadata.outputs.tags }}; do podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag done # These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing # They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work # - name: Login to GitHub Container Registry # uses: https://github.com/docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # with: # registry: rievo.dev # username: ${{ github.actor }} # password: ${{ secrets.GITHUB_TOKEN }} - name: Log in to the Container registry run: | echo "${{ secrets.GITHUB_TOKEN }}" | sudo podman login rievo.dev -u ${{ github.actor }} --password-stdin podman push "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest" # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 # - name: Lowercase Registry # id: registry_case # uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 # with: # string: ${{ env.IMAGE_REGISTRY }} # - name: Lowercase Image # id: image_case # uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 # with: # string: ${{ env.IMAGE_NAME }} - name: Push To GHCR uses: https://github.com/redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: push env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} with: registry: ${{ env.IMAGE_REGISTRY }} image: ${{ env.IMAGE_NAME }} tags: ${{ steps.metadata.outputs.tags }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} # This section is optional and only needs to be enabled if you plan on distributing # your project for others to consume. You will need to create a public and private key # using Cosign and save the private key as a repository secret in Github for this workflow # to consume. For more details, review the image signing section of the README. # - name: Install Cosign # uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # - name: Sign container image # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run: | # IMAGE_FULL="${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}" # for tag in ${{ steps.metadata.outputs.tags }}; do # cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag # done # env: # TAGS: ${{ steps.push.outputs.digest }} # COSIGN_EXPERIMENTAL: false # COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}