Skip to content

Build Bazzite

Build Bazzite #25

Workflow file for this run

name: Build Bazzite
on:
schedule:
- cron: "40 4 * * 2,5" # 4:40 utc tues thurs
pull_request:
branches:
- testing
- unstable
paths-ignore:
- "**.md"
- "**.txt"
- "installer/**"
- "repo_content/**"
- "spec_files/**"
- "post_install_files/**"
- "press_kit/**"
- ".github/workflows/build_iso.yml"
push:
branches:
- testing
- unstable
paths-ignore:
- "**.md"
- "**.txt"
- "repo_content/**"
- "spec_files/**"
- "post_install_files/**"
- "press_kit/**"
- ".github/workflows/build_iso.yml"
merge_group:
workflow_dispatch:
env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
cancel-in-progress: true
jobs:
push-ghcr:
name: Make
runs-on: ubuntu-24.04
continue-on-error: false
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
base_image_flavor: [main]
base_name: [bazzite, bazzite-deck, bazzite-nvidia]
base_image_name: [kinoite, silverblue]
target_image_flavor: [main, asus]
fedora_version: [40]
include:
- fedora_version: 40
is_latest_version: true
is_stable_version: true
kernel_flavor: fsync # must match a kernel_flavor from akmods repo
steps:
- name: Define env.IMAGE_FLAVOR
run: |
if [[ "${{ matrix.base_name }}" == "bazzite-nvidia" ]]; then
if [[ "${{ matrix.target_image_flavor }}" == "main" ]]; then
echo "IMAGE_FLAVOR=nvidia" >> $GITHUB_ENV
else
echo "IMAGE_FLAVOR=${{ format('{0}-{1}', matrix.target_image_flavor, 'nvidia') }}" >> $GITHUB_ENV
fi
else
echo "IMAGE_FLAVOR=${{ matrix.target_image_flavor }}" >> $GITHUB_ENV
fi
- name: Define env.IMAGE_NAME
run: |
DESKTOP=""
if [[ "${{ matrix.base_image_name }}" == "silverblue" ]]; then
DESKTOP="-gnome"
fi
if [[ "${{ matrix.base_name }}" == "bazzite-deck" ]]; then
if [[ "${{ matrix.target_image_flavor }}" == "asus" ]]; then
echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite-ally', '${DESKTOP}') }}" >> $GITHUB_ENV
else
echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite-deck', '${DESKTOP}') }}" >> $GITHUB_ENV
fi
else
if [[ "${{ env.IMAGE_FLAVOR }}" == "main" ]]; then
echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite', '${DESKTOP}') }}" >> $GITHUB_ENV
else
echo "IMAGE_NAME=${{ format('{0}{1}-{2}', 'bazzite', '${DESKTOP}', env.IMAGE_FLAVOR) }}" >> $GITHUB_ENV
fi
fi
- name: Define env.SHA_HEAD_SHORT
run: |
echo "SHA_HEAD_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV
- name: Verify main image
uses: EyeCantCU/cosign-action/verify@v0.3.0
with:
containers: ${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/${{ matrix.base_image_flavor }}/main/cosign.pub
registry: ${{ env.IMAGE_REGISTRY }}
- name: Verify akmods image
uses: EyeCantCU/cosign-action/verify@v0.3.0
with:
containers: akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub
registry: ${{ env.IMAGE_REGISTRY }}
- name: Verify akmods-nvidia image
uses: EyeCantCU/cosign-action/verify@v0.3.0
with:
containers: akmods-nvidia:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub
registry: ${{ env.IMAGE_REGISTRY }}
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4
- name: Check just syntax
uses: ublue-os/just-action@v1
- name: Maximize build space
uses: ublue-os/remove-unwanted-software@v7
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
FEDORA_VERSION="${{ matrix.fedora_version }}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="${GITHUB_SHA::7}"
COMMIT_TAGS+=("pr-${{ github.event.pull_request.number }}-${FEDORA_VERSION}")
COMMIT_TAGS+=("${SHA_SHORT}-${FEDORA_VERSION}")
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
COMMIT_TAGS+=("pr-${{ github.event.pull_request.number }}")
COMMIT_TAGS+=("${SHA_SHORT}")
fi
if [[ ${{ github.ref_name }} == "unstable" ]]; then
BUILD_TAGS=("${FEDORA_VERSION}-unstable" "${FEDORA_VERSION}-unstable-${TIMESTAMP}")
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
BUILD_TAGS+=("unstable")
echo "DEFAULT_TAG=unstable" >> $GITHUB_ENV
fi
elif [[ ${{ github.ref_name }} == "testing" ]]; then
BUILD_TAGS=("${FEDORA_VERSION}-testing" "${FEDORA_VERSION}-testing-${TIMESTAMP}")
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
BUILD_TAGS+=("testing")
echo "DEFAULT_TAG=testing" >> $GITHUB_ENV
fi
else
BUILD_TAGS=("${FEDORA_VERSION}" "${FEDORA_VERSION}-${TIMESTAMP}")
BUILD_TAGS+=("${FEDORA_VERSION}-stable" "${FEDORA_VERSION}-stable-${TIMESTAMP}")
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
BUILD_TAGS+=("latest" "stable")
echo "DEFAULT_TAG=latest" >> $GITHUB_ENV
fi
fi
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
- name: Pull main and akmods images
uses: Wandalen/wretry.action@v3.5.0
with:
attempt_limit: 3
attempt_delay: 15000
command: |
# pull the base images used for FROM in Containerfile so
# we can retry on that unfortunately common failure case
podman pull ${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}
- name: Get source versions
id: labels
uses: Wandalen/wretry.action@v3.5.0
with:
attempt_limit: 3
attempt_delay: 15000
command: |
set -eo pipefail
skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} > source.json
ver=$(jq -r '.Labels["org.opencontainers.image.version"]' source.json)
if [ -z "$ver" ] || [ "null" = "$ver" ]; then
echo "inspected image version must not be empty or null"
exit 1
fi
echo "SOURCE_IMAGE_VERSION=$ver" >> $GITHUB_ENV
skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor }}-${{ matrix.fedora_version }} > akmods.json
linux=$(jq -r '.Labels["ostree.linux"]' akmods.json)
if [ -z "$linux" ] || [ "null" = "$linux" ]; then
echo "inspected image linux version must not be empty or null"
exit 1
fi
echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.description=Bazzite is an OCI image that serves as an alternative operating system for the Steam Deck, and a ready-to-game SteamOS-like for desktop computers, living room home theater PCs, and numerous other handheld PCs.
org.opencontainers.image.version=${{ env.SOURCE_IMAGE_VERSION }}
ostree.linux=${{ env.KERNEL_VERSION }}
io.artifacthub.package.readme-url=https://bazzite.gg/
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/ublue-os/bazzite/main/repo_content/logo.png
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./Containerfile
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
build-args: |
IMAGE_NAME=${{ env.IMAGE_NAME }}
IMAGE_FLAVOR=${{ env.IMAGE_FLAVOR }}
IMAGE_VENDOR=${{ github.repository_owner }}
BASE_IMAGE_NAME=${{ matrix.base_image_name }}
BASE_IMAGE_FLAVOR=${{ matrix.base_image_flavor }}
FEDORA_VERSION=${{ matrix.fedora_version }}
KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
IMAGE_BRANCH=${{ github.ref_name }}
SHA_HEAD_SHORT=${{ env.SHA_HEAD_SHORT }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
extra-args: |
--target=${{ matrix.base_name }}
- name: Check Secureboot
shell: bash
run: |
set -x
if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
sudo apt update
sudo apt install sbsigntool curl openssl
fi
podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz .
podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
sbverify --list vmlinuz
curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
openssl x509 -in kernel-sign.der -out kernel-sign.crt
openssl x509 -in akmods.der -out akmods.crt
sbverify --cert kernel-sign.crt vmlinuz || exit 1
sbverify --cert akmods.crt vmlinuz || exit 1
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: Wandalen/wretry.action@v3.5.0
id: push
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
action: redhat-actions/push-to-registry@v2
attempt_limit: 3
attempt_delay: 15000
with: |
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
- name: Sign container image
uses: EyeCantCU/cosign-action/sign@v0.3.0
if: github.event_name != 'pull_request'
with:
containers: ${{ env.IMAGE_NAME }}
registry-token: ${{ secrets.GITHUB_TOKEN }}
signing-secret: ${{ secrets.SIGNING_SECRET }}
tags: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
- name: Echo outputs
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
build_iso:
name: build iso
needs: [push-ghcr]
if: github.ref_name == 'testing'
# Eventually would be nice for building images in PRs
#if: ${{ endsWith(github.event.pull_request.title, '[ISO]') }}
uses: ./.github/workflows/build_iso.yml
secrets: inherit