sst/uphy-test
1
0
Fork 0
Code Releases Packages Activity Actions
uphy-test/.forgejo/workflows/build.yml
Workflow config file is invalid. Please check your config file: yaml: line 117: could not find expected ':'

187 lines
9.3 KiB
YAML
Raw Blame History

---
name: Build Custom Image
on:
pull_request:
branches:
- main
schedule:
- cron: '05 10 * * *' # 10:05am UTC everyday
push:
branches:
- main
paths-ignore:
- '**/README.md'
workflow_dispatch:
env:
IMAGE_NAME: "uphy-test" # the name of the image produced by this build, matches repo names
IMAGE_DESC: "My Customized Universal Blue Image"
IMAGE_REGISTRY: "rievo.dev/sst" # do not edit
ARTIFACTHUB_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4" # You should put your own image here so that you get a fancy profile image on https://artifacthub.io/!
concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }}
cancel-in-progress: true
jobs:
build_push:
name: Build and push image
runs-on: buildah-latest
permissions:
contents: read
packages: write
id-token: write
steps:
# These stage versions are pinned by https://github.com/renovatebot/renovate
- name: Checkout
uses: https://github.com/actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
# This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines:
# - name: Maximize build space
# uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7
# with:
# remove-codeql: true
- name: Get current date
id: date
run: |
# This generates a timestamp like what is defined on the ArtifactHub documentation
# E.G: 2022-02-08T15:38:15Z'
# https://artifacthub.io/docs/topics/repositories/container-images/
# https://linux.die.net/man/1/date
echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT
# Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images
# The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not.
- name: Image Metadata
uses: https://github.com/docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
id: metadata
with:
# This generates all the tags for your image, you can add custom tags here too!
# By default, it should generate "latest" and "latest.(date here)".
tags: |
type=raw,value=latest
type=raw,value=latest.{{date 'YYYYMMDD'}}
type=raw,value={{date 'YYYYMMDD'}}
type=sha,enable=${{ github.event_name == 'pull_request' }}
type=ref,event=pr
labels: |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
org.opencontainers.image.created=${{ steps.date.outputs.date }}
org.opencontainers.image.description=${{ env.IMAGE_DESC }}
org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
org.opencontainers.image.vendor=${{ github.repository_owner }}
org.opencontainers.image.version=latest
io.artifacthub.package.deprecated=false
io.artifacthub.package.keywords=bootc,ublue,universal-blue
io.artifacthub.package.license=Apache-2.0
io.artifacthub.package.logo-url=${{ env.ARTIFACTHUB_LOGO_URL }}
io.artifacthub.package.prerelease=false
containers.bootc=1
sep-tags: " "
sep-annotations: " "
- name: Build Image
id: build_image
uses: https://github.com/redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
with:
containerfiles: |
./Containerfile
# Postfix image name with -custom to make it a little more descriptive
# Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
oci: false
# Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published.
# This does not make your image faster to download, just provides better resumability and fixes a few errors.
# Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk
# You can enable it by uncommenting the following lines:
- name: Run Rechunker
id: rechunk
uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1
with:
rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1'
ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
skip_compression: true
version: ${{ env.CENTOS_VERSION }}
labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator
This is necessary so that the podman socket can find the rechunked image on its storage
- name: Load in podman and tag
run: |
IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
sudo rm -rf ${{ steps.rechunk.outputs.output }}
for tag in ${{ steps.metadata.outputs.tags }}; do
podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
done
# These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing
# They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work
# - name: Login to GitHub Container Registry
# uses: https://github.com/docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
# if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
# with:
# registry: rievo.dev
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}
- name: Log in to the Container registry
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | sudo podman login rievo.dev -u ${{ github.actor }} --password-stdin
podman push "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
# - name: Lowercase Registry
# id: registry_case
# uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6
# with:
# string: ${{ env.IMAGE_REGISTRY }}
# - name: Lowercase Image
# id: image_case
# uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6
# with:
# string: ${{ env.IMAGE_NAME }}
- name: Push To GHCR
uses: https://github.com/redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
id: push
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
registry: ${{ env.IMAGE_REGISTRY }}
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.metadata.outputs.tags }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
# This section is optional and only needs to be enabled if you plan on distributing
# your project for others to consume. You will need to create a public and private key
# using Cosign and save the private key as a repository secret in Github for this workflow
# to consume. For more details, review the image signing section of the README.
# - name: Install Cosign
# uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
# if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
# - name: Sign container image
# if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
# run: |
# IMAGE_FULL="${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}"
# for tag in ${{ steps.metadata.outputs.tags }}; do
# cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag
# done
# env:
# TAGS: ${{ steps.push.outputs.digest }}
# COSIGN_EXPERIMENTAL: false
# COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
View git blame Copy permalink