From e3cff3c47dc7e5aa983d683226d6d3eca3653a4b Mon Sep 17 00:00:00 2001 From: MrOgieBogie Date: Mon, 29 Jul 2024 00:50:07 +1000 Subject: [PATCH] Update build.yml --- .github/workflows/build.yml | 324 +++--------------------------------- 1 file changed, 23 insertions(+), 301 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2e652de80e..aa8c11ee99 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,315 +1,37 @@ -name: Build Bazzite +name: Build Docker Image + on: - schedule: - - cron: '40 16 * * 2,5' # 16:40 utc tues thurs - pull_request: - branches: - - testing - - unstable - paths-ignore: - - '**.md' - - '**.txt' - - 'installer/**' - - 'repo_content/**' - - 'spec_files/**' - - 'post_install_files/**' - - 'press_kit/**' - - '.github/workflows/build_iso.yml' push: branches: - - testing - - unstable - paths-ignore: - - '**.md' - - '**.txt' - - 'repo_content/**' - - 'spec_files/**' - - 'post_install_files/**' - - 'press_kit/**' - - '.github/workflows/build_iso.yml' - merge_group: + - main + pull_request: + branches: + - main workflow_dispatch: -env: - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref || github.run_id }} - cancel-in-progress: true jobs: - push-ghcr: - name: Make - runs-on: ubuntu-22.04 - continue-on-error: false - permissions: - contents: read - packages: write - id-token: write - strategy: - fail-fast: false - matrix: - base_image_flavor: [main] - base_name: [bazzite, bazzite-deck, bazzite-nvidia] - base_image_name: [kinoite, silverblue] - target_image_flavor: [main, asus] - fedora_version: [40] - include: - - fedora_version: 40 - is_latest_version: true - is_stable_version: true - kernel_flavor: fsync # must match a kernel_flavor from akmods repo + build: + name: Build Docker Image + runs-on: ubuntu-latest steps: - - name: Define env.IMAGE_FLAVOR - run: | - if [[ "${{ matrix.base_name }}" == "bazzite-nvidia" ]]; then - if [[ "${{ matrix.target_image_flavor }}" == "main" ]]; then - echo "IMAGE_FLAVOR=nvidia" >> $GITHUB_ENV - else - echo "IMAGE_FLAVOR=${{ format('{0}-{1}', matrix.target_image_flavor, 'nvidia') }}" >> $GITHUB_ENV - fi - else - echo "IMAGE_FLAVOR=${{ matrix.target_image_flavor }}" >> $GITHUB_ENV - fi - - - name: Define env.IMAGE_NAME - run: | - DESKTOP="" - if [[ "${{ matrix.base_image_name }}" == "silverblue" ]]; then - DESKTOP="-gnome" - fi - - if [[ "${{ matrix.base_name }}" == "bazzite-deck" ]]; then - if [[ "${{ matrix.target_image_flavor }}" == "asus" ]]; then - echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite-ally', '${DESKTOP}') }}" >> $GITHUB_ENV - else - echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite-deck', '${DESKTOP}') }}" >> $GITHUB_ENV - fi - else - if [[ "${{ env.IMAGE_FLAVOR }}" == "main" ]]; then - echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite', '${DESKTOP}') }}" >> $GITHUB_ENV - else - echo "IMAGE_NAME=${{ format('{0}{1}-{2}', 'bazzite', '${DESKTOP}', env.IMAGE_FLAVOR) }}" >> $GITHUB_ENV - fi - fi - - - name: Verify main image - uses: EyeCantCU/cosign-action/verify@v0.2.2 - with: - containers: ${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} - pubkey: https://raw.githubusercontent.com/ublue-os/${{ matrix.base_image_flavor }}/main/cosign.pub - registry: ${{ env.IMAGE_REGISTRY }} - - - name: Verify akmods image - uses: EyeCantCU/cosign-action/verify@v0.2.2 - with: - containers: akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }} - pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub - registry: ${{ env.IMAGE_REGISTRY }} - - - name: Verify akmods-nvidia image - uses: EyeCantCU/cosign-action/verify@v0.2.2 - with: - containers: akmods-nvidia:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }} - pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub - registry: ${{ env.IMAGE_REGISTRY }} - - # Checkout push-to-registry action GitHub repository - - name: Checkout Push to Registry action - uses: actions/checkout@v4 - - - name: Check just syntax - uses: ublue-os/just-action@v1 - - - name: Maximize build space - uses: ublue-os/remove-unwanted-software@v6 - - - name: Generate tags - id: generate-tags - shell: bash - run: | - # Generate a timestamp for creating an image version history - TIMESTAMP="$(date +%Y%m%d)" - FEDORA_VERSION="${{ matrix.fedora_version }}" - COMMIT_TAGS=() - BUILD_TAGS=() - # Have tags for tracking builds during pull request - SHA_SHORT="${GITHUB_SHA::7}" - COMMIT_TAGS+=("pr-${{ github.event.pull_request.number }}-${FEDORA_VERSION}") - COMMIT_TAGS+=("${SHA_SHORT}-${FEDORA_VERSION}") - if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ - [[ "${{ matrix.is_stable_version }}" == "true" ]]; then - COMMIT_TAGS+=("pr-${{ github.event.pull_request.number }}") - COMMIT_TAGS+=("${SHA_SHORT}") - fi + - name: Checkout code + uses: actions/checkout@v3 - if [[ ${{ github.ref_name }} == "unstable" ]]; then - BUILD_TAGS=("${FEDORA_VERSION}-unstable" "${FEDORA_VERSION}-unstable-${TIMESTAMP}") - if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ - [[ "${{ matrix.is_stable_version }}" == "true" ]]; then - BUILD_TAGS+=("unstable") - fi - elif [[ ${{ github.ref_name }} == "testing" ]]; then - BUILD_TAGS=("${FEDORA_VERSION}-testing" "${FEDORA_VERSION}-testing-${TIMESTAMP}") - if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ - [[ "${{ matrix.is_stable_version }}" == "true" ]]; then - BUILD_TAGS+=("testing") - fi - else - BUILD_TAGS=("${FEDORA_VERSION}" "${FEDORA_VERSION}-${TIMESTAMP}") - BUILD_TAGS+=("${FEDORA_VERSION}-stable" "${FEDORA_VERSION}-stable-${TIMESTAMP}") - if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ - [[ "${{ matrix.is_stable_version }}" == "true" ]]; then - BUILD_TAGS+=("latest" "stable") - fi - fi + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "Generated the following commit tags: " - for TAG in "${COMMIT_TAGS[@]}"; do - echo "${TAG}" - done - alias_tags=("${COMMIT_TAGS[@]}") - else - alias_tags=("${BUILD_TAGS[@]}") - fi - echo "Generated the following build tags: " - for TAG in "${BUILD_TAGS[@]}"; do - echo "${TAG}" - done - echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - - - name: Pull main and akmods images - uses: Wandalen/wretry.action@v3.4.0 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - # pull the base images used for FROM in Containerfile so - # we can retry on that unfortunately common failure case - podman pull ${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }} - - - name: Get source versions - id: labels - uses: Wandalen/wretry.action@v3.4.0 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - set -eo pipefail - skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} > source.json - ver=$(jq -r '.Labels["org.opencontainers.image.version"]' source.json) - if [ -z "$ver" ] || [ "null" = "$ver" ]; then - echo "inspected image version must not be empty or null" - exit 1 - fi - echo "SOURCE_IMAGE_VERSION=$ver" >> $GITHUB_ENV - - skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor }}-${{ matrix.fedora_version }} > akmods.json - linux=$(jq -r '.Labels["ostree.linux"]' akmods.json) - if [ -z "$linux" ] || [ "null" = "$linux" ]; then - echo "inspected image linux version must not be empty or null" - exit 1 - fi - echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV - - # Build metadata - - name: Image Metadata - uses: docker/metadata-action@v5 - id: meta - with: - images: | - ${{ env.IMAGE_NAME }} - labels: | - org.opencontainers.image.title=${{ env.IMAGE_NAME }} - org.opencontainers.image.description=Bazzite is an OCI image that serves as an alternative operating system for the Steam Deck, and a ready-to-game SteamOS-like for desktop computers, living room home theater PCs, and numerous other handheld PCs. - org.opencontainers.image.version=${{ env.SOURCE_IMAGE_VERSION }} - ostree.linux=${{ env.KERNEL_VERSION }} - io.artifacthub.package.readme-url=https://bazzite.gg/ - io.artifacthub.package.logo-url=https://raw.githubusercontent.com/ublue-os/bazzite/main/repo_content/logo.png - - # Build image using Buildah action - - name: Build Image + - name: Build Docker image id: build_image - uses: redhat-actions/buildah-build@v2 + uses: docker/build-push-action@v3 with: - containerfiles: | - ./Containerfile - image: ${{ env.IMAGE_NAME }} + context: . + push: false tags: | - ${{ steps.generate-tags.outputs.alias_tags }} - build-args: | - IMAGE_NAME=${{ env.IMAGE_NAME }} - IMAGE_FLAVOR=${{ env.IMAGE_FLAVOR }} - IMAGE_VENDOR=${{ github.repository_owner }} - BASE_IMAGE_NAME=${{ matrix.base_image_name }} - BASE_IMAGE_FLAVOR=${{ matrix.base_image_flavor }} - FEDORA_VERSION=${{ matrix.fedora_version }} - KERNEL_FLAVOR=${{ matrix.kernel_flavor }} - IMAGE_BRANCH=${{ github.ref_name }} - labels: ${{ steps.meta.outputs.labels }} - oci: false - extra-args: | - --target=${{ matrix.base_name }} + bazzite:latest - - name: Sign kernel - uses: EyeCantCU/kernel-signer@v0.1.3 + - name: Save Docker image as artifact + uses: actions/upload-artifact@v3 with: - image: ${{ steps.build_image.outputs.image }} - privkey: ${{ secrets.AKMOD_PRIVKEY_20230518 }} - pubkey: /etc/pki/akmods/certs/akmods-ublue.der - tags: ${{ steps.build_image.outputs.tags }} - - # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. - # https://github.com/macbre/push-to-ghcr/issues/12 - - name: Lowercase Registry - id: registry_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_REGISTRY }} - - # Push the image to GHCR (Image Registry) - - name: Push To GHCR - uses: Wandalen/wretry.action@v3.4.0 - id: push - if: github.event_name != 'pull_request' - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - with: - action: redhat-actions/push-to-registry@v2 - attempt_limit: 3 - attempt_delay: 15000 - with: | - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust - - - name: Sign container image - uses: EyeCantCU/cosign-action/sign@v0.2.2 - if: github.event_name != 'pull_request' - with: - containers: ${{ env.IMAGE_NAME }} - registry-token: ${{ secrets.GITHUB_TOKEN }} - signing-secret: ${{ secrets.SIGNING_SECRET }} - tags: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} - - - - name: Echo outputs - if: github.event_name != 'pull_request' - run: | - echo "${{ toJSON(steps.push.outputs) }}" - - build_iso: - name: build iso - needs: [push-ghcr] - if: github.ref_name == 'testing' - # Eventually would be nice for building images in PRs - #if: ${{ endsWith(github.event.pull_request.title, '[ISO]') }} - uses: ./.github/workflows/build_iso.yml - secrets: inherit + name: bazzite-image + path: | + $(docker save bazzite:latest | tee /tmp/bazzite-image.tar)