bluedev/.github/workflows/build.yml

---
name: build-ublue-custom
on:
  pull_request:
    branches:
      - main
  schedule:
    - cron: '05 10 * * *'  # 10:05am UTC everyday
  push:
    branches:
      - main
    paths-ignore:
      - '**/README.md'
  workflow_dispatch:

# The env variables starting with "ARG_" are described in the Containerfile of this repo.
# The values here are defaults and should be modified if using a different image, needing
# nvidia, a specific nvidia driver, or a different Fedora version.
env:
  MY_IMAGE_NAME: "custom-silverblue"  # the name of the image produced by this build
  ARG_SOURCE_IMAGE: "silverblue"  # see Containerfile for list of possible upstream images
  ARG_SOURCE_SUFFIX: "main"  # see Containerfile
  ARG_FEDORA_VERSION: "39"  # see Containerfile
  ARG_NVIDIA_VERSION: ""  # see Containerfile
  IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}"  # do not edit

jobs:
  push-ghcr:
    name: Build and push image
    runs-on: ubuntu-22.04

    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      # Checkout push-to-registry action GitHub repository
      - name: Checkout Push to Registry action
        uses: actions/checkout@v3

      - name: Generate tags
        id: generate-tags
        shell: bash
        run: |
          # Generate a timestamp for creating an image version history
          TIMESTAMP="$(date +%Y%m%d)"
          VARIANT="${{ env.ARG_FEDORA_VERSION }}"

          COMMIT_TAGS=()
          BUILD_TAGS=()

          # Have tags for tracking builds during pull request
          SHA_SHORT="${GITHUB_SHA::7}"
          COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}")
          COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}")

          COMMIT_TAGS+=("pr-${{ github.event.number }}")
          COMMIT_TAGS+=("${SHA_SHORT}")

          BUILD_TAGS=("${VARIANT}")

          # Append matching timestamp tags to keep a version history
          for TAG in "${BUILD_TAGS[@]}"; do
              BUILD_TAGS+=("${TAG}-${TIMESTAMP}")
          done

          BUILD_TAGS+=("${TIMESTAMP}")
          BUILD_TAGS+=("latest")

          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
              echo "Generated the following commit tags: "
              for TAG in "${COMMIT_TAGS[@]}"; do
                  echo "${TAG}"
              done

              alias_tags=("${COMMIT_TAGS[@]}")
          else
              alias_tags=("${BUILD_TAGS[@]}")
          fi

          echo "Generated the following build tags: "
          for TAG in "${BUILD_TAGS[@]}"; do
              echo "${TAG}"
          done

          echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT

      - name: Get current version
        id: labels
        run: |
          ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.ARG_SOURCE_IMAGE }}-${{ env.ARG_SOURCE_SUFFIX }}:${{ env.ARG_FEDORA_VERSION }}${{ env.ARG_NVIDIA_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]')
          echo "VERSION=$ver" >> $GITHUB_OUTPUT

      # Build metadata
      - name: Image Metadata
        uses: docker/metadata-action@v4
        id: meta
        with:
          images: |
            ${{ env.MY_IMAGE_NAME }}

          labels: |
            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
            org.opencontainers.image.description=Customized ${{ env.ARG_SOURCE_IMAGE }}-${{ env.ARG_SOURCE_SUFFIX }}
            org.opencontainers.image.title=${{ env.MY_IMAGE_NAME }}
            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}

      # Build image using Buildah action
      - name: Build Image
        id: build_image
        uses: redhat-actions/buildah-build@v2
        with:
          containerfiles: |
            ./Containerfile
          # Postfix image name with -custom to make it a little more descriptive
          # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format
          image: ${{ env.MY_IMAGE_NAME }}
          tags: |
            ${{ steps.generate-tags.outputs.alias_tags }}
          build-args: |
            SOURCE_IMAGE=${{ env.ARG_SOURCE_IMAGE }}
            SOURCE_SUFFIX=${{ env.ARG_SOURCE_SUFFIX }}
            FEDORA_VERSION=${{ env.ARG_FEDORA_VERSION }}
            NVIDIA_VERSION=${{ env.ARG_NVIDIA_VERSION }}
          labels: ${{ steps.meta.outputs.labels }}
          oci: false

      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
      # https://github.com/macbre/push-to-ghcr/issues/12
      - name: Lowercase Registry
        id: registry_case
        uses: ASzc/change-string-case-action@v5
        with:
          string: ${{ env.IMAGE_REGISTRY }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Push the image to GHCR (Image Registry)
      - name: Push To GHCR
        uses: redhat-actions/push-to-registry@v2
        id: push
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ github.token }}
        with:
          image: ${{ steps.build_image.outputs.image }}
          tags: ${{ steps.build_image.outputs.tags }}
          registry: ${{ steps.registry_case.outputs.lowercase }}
          username: ${{ env.REGISTRY_USER }}
          password: ${{ env.REGISTRY_PASSWORD }}
          extra-args: |
            --disable-content-trust

      # This section is optional and only needs to be enabled in you plan on distributing
      # your project to others to consume. You will need to create a public and private key
      # using Cosign and save the private key as a repository secret in Github for this workflow
      # to consume. For more details, review the image signing section of the README.

      # Sign container

      #- uses: sigstore/cosign-installer@v3.4.0
      #  if: github.event_name != 'pull_request'

      #- name: Sign container image
      #  if: github.event_name != 'pull_request'
      #  run: |
      #    cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
      #  env:
      #    TAGS: ${{ steps.push.outputs.digest }}
      #    COSIGN_EXPERIMENTAL: false
      #    COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
feat: add github actions build workflow 2023-08-27 00:55:59 +00:00			`---`
			`name: build-ublue-custom`
			`on:`
			`pull_request:`
			`branches:`
			`- main`
			`schedule:`
			`- cron: '05 10 * * *' # 10:05am UTC everyday`
			`push:`
			`branches:`
			`- main`
			`paths-ignore:`
			`- '**/README.md'`
			`workflow_dispatch:`

			`# The env variables starting with "ARG_" are described in the Containerfile of this repo.`
			`# The values here are defaults and should be modified if using a different image, needing`
			`# nvidia, a specific nvidia driver, or a different Fedora version.`
			`env:`
refactor: fixing typo and cleanup comments 2023-08-27 01:16:41 +00:00			`MY_IMAGE_NAME: "custom-silverblue" # the name of the image produced by this build`
			`ARG_SOURCE_IMAGE: "silverblue" # see Containerfile for list of possible upstream images`
			`ARG_SOURCE_SUFFIX: "main" # see Containerfile`
feat: Updated build.yml to include container signing section 2024-03-03 17:39:58 +00:00			`ARG_FEDORA_VERSION: "39" # see Containerfile`
refactor: fixing typo and cleanup comments 2023-08-27 01:16:41 +00:00			`ARG_NVIDIA_VERSION: "" # see Containerfile`
			`IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit`
feat: add github actions build workflow 2023-08-27 00:55:59 +00:00
			`jobs:`
			`push-ghcr:`
			`name: Build and push image`
			`runs-on: ubuntu-22.04`

			`permissions:`
			`contents: read`
			`packages: write`
			`id-token: write`

			`steps:`
			`# Checkout push-to-registry action GitHub repository`
			`- name: Checkout Push to Registry action`
			`uses: actions/checkout@v3`

			`- name: Generate tags`
			`id: generate-tags`
			`shell: bash`
			`run: \|`
			`# Generate a timestamp for creating an image version history`
			`TIMESTAMP="$(date +%Y%m%d)"`
refactor: simplify some variable names 2023-08-27 01:09:48 +00:00			`VARIANT="${{ env.ARG_FEDORA_VERSION }}"`
feat: add github actions build workflow 2023-08-27 00:55:59 +00:00
			`COMMIT_TAGS=()`
			`BUILD_TAGS=()`

			`# Have tags for tracking builds during pull request`
			`SHA_SHORT="${GITHUB_SHA::7}"`
			`COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}")`
			`COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}")`

			`COMMIT_TAGS+=("pr-${{ github.event.number }}")`
			`COMMIT_TAGS+=("${SHA_SHORT}")`

			`BUILD_TAGS=("${VARIANT}")`

			`# Append matching timestamp tags to keep a version history`
			`for TAG in "${BUILD_TAGS[@]}"; do`
			`BUILD_TAGS+=("${TAG}-${TIMESTAMP}")`
			`done`

			`BUILD_TAGS+=("${TIMESTAMP}")`
			`BUILD_TAGS+=("latest")`

			`if [[ "${{ github.event_name }}" == "pull_request" ]]; then`
			`echo "Generated the following commit tags: "`
			`for TAG in "${COMMIT_TAGS[@]}"; do`
			`echo "${TAG}"`
			`done`

			`alias_tags=("${COMMIT_TAGS[@]}")`
			`else`
			`alias_tags=("${BUILD_TAGS[@]}")`
			`fi`

			`echo "Generated the following build tags: "`
			`for TAG in "${BUILD_TAGS[@]}"; do`
			`echo "${TAG}"`
			`done`

			`echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT`

			`- name: Get current version`
			`id: labels`
			`run: \|`
chore(ci): the ARG_ was missing from the env var in version lookup 2023-08-27 01:32:04 +00:00			`ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.ARG_SOURCE_IMAGE }}-${{ env.ARG_SOURCE_SUFFIX }}:${{ env.ARG_FEDORA_VERSION }}${{ env.ARG_NVIDIA_VERSION }} \| jq -r '.Labels["org.opencontainers.image.version"]')`
feat: add github actions build workflow 2023-08-27 00:55:59 +00:00			`echo "VERSION=$ver" >> $GITHUB_OUTPUT`

			`# Build metadata`
			`- name: Image Metadata`
			`uses: docker/metadata-action@v4`
			`id: meta`
			`with:`
			`images: \|`
refactor: simplify some variable names 2023-08-27 01:09:48 +00:00			`${{ env.MY_IMAGE_NAME }}`
feat: add github actions build workflow 2023-08-27 00:55:59 +00:00
			`labels: \|`
chore(ci): fixing urls in build 2023-08-27 01:26:38 +00:00			`io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md`
			`org.opencontainers.image.description=Customized ${{ env.ARG_SOURCE_IMAGE }}-${{ env.ARG_SOURCE_SUFFIX }}`
refactor: simplify some variable names 2023-08-27 01:09:48 +00:00			`org.opencontainers.image.title=${{ env.MY_IMAGE_NAME }}`
feat: add github actions build workflow 2023-08-27 00:55:59 +00:00			`org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}`

			`# Build image using Buildah action`
			`- name: Build Image`
			`id: build_image`
			`uses: redhat-actions/buildah-build@v2`
			`with:`
			`containerfiles: \|`
			`./Containerfile`
			`# Postfix image name with -custom to make it a little more descriptive`
			`# Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format`
refactor: simplify some variable names 2023-08-27 01:09:48 +00:00			`image: ${{ env.MY_IMAGE_NAME }}`
feat: add github actions build workflow 2023-08-27 00:55:59 +00:00			`tags: \|`
			`${{ steps.generate-tags.outputs.alias_tags }}`
			`build-args: \|`
refactor: simplify some variable names 2023-08-27 01:09:48 +00:00			`SOURCE_IMAGE=${{ env.ARG_SOURCE_IMAGE }}`
			`SOURCE_SUFFIX=${{ env.ARG_SOURCE_SUFFIX }}`
			`FEDORA_VERSION=${{ env.ARG_FEDORA_VERSION }}`
			`NVIDIA_VERSION=${{ env.ARG_NVIDIA_VERSION }}`
feat: add github actions build workflow 2023-08-27 00:55:59 +00:00			`labels: ${{ steps.meta.outputs.labels }}`
			`oci: false`

			`# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.`
			`# https://github.com/macbre/push-to-ghcr/issues/12`
			`- name: Lowercase Registry`
			`id: registry_case`
			`uses: ASzc/change-string-case-action@v5`
			`with:`
			`string: ${{ env.IMAGE_REGISTRY }}`

			`- name: Login to GitHub Container Registry`
			`uses: docker/login-action@v2`
			`with:`
			`registry: ghcr.io`
			`username: ${{ github.actor }}`
			`password: ${{ secrets.GITHUB_TOKEN }}`

			`# Push the image to GHCR (Image Registry)`
			`- name: Push To GHCR`
			`uses: redhat-actions/push-to-registry@v2`
			`id: push`
			`env:`
			`REGISTRY_USER: ${{ github.actor }}`
			`REGISTRY_PASSWORD: ${{ github.token }}`
			`with:`
			`image: ${{ steps.build_image.outputs.image }}`
			`tags: ${{ steps.build_image.outputs.tags }}`
			`registry: ${{ steps.registry_case.outputs.lowercase }}`
			`username: ${{ env.REGISTRY_USER }}`
			`password: ${{ env.REGISTRY_PASSWORD }}`
			`extra-args: \|`
			`--disable-content-trust`
feat: Updated build.yml to include container signing section 2024-03-03 17:39:58 +00:00
			`# This section is optional and only needs to be enabled in you plan on distributing`
			`# your project to others to consume. You will need to create a public and private key`
			`# using Cosign and save the private key as a repository secret in Github for this workflow`
			`# to consume. For more details, review the image signing section of the README.`

			`# Sign container`

			`#- uses: sigstore/cosign-installer@v3.4.0`
			`# if: github.event_name != 'pull_request'`

			`#- name: Sign container image`
			`# if: github.event_name != 'pull_request'`
			`# run: \|`
			`# cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}`
			`# env:`
			`# TAGS: ${{ steps.push.outputs.digest }}`
			`# COSIGN_EXPERIMENTAL: false`
			`# COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}`