--- name: build-ublue-custom on: pull_request: branches: - main schedule: - cron: '05 10 * * *' # 10:05am UTC everyday push: branches: - main paths-ignore: - '**/README.md' workflow_dispatch: # The env variables starting with "ARG_" are described in the Containerfile of this repo. # The values here are defaults and should be modified if using a different image, needing # nvidia, a specific nvidia driver, or a different Fedora version. env: MY_IMAGE_NAME: "custom-silverblue" # the name of the image produced by this build ARG_SOURCE_IMAGE: "silverblue" # see Containerfile for list of possible upstream images ARG_SOURCE_SUFFIX: "main" # see Containerfile ARG_FEDORA_VERSION: "39" # see Containerfile ARG_NVIDIA_VERSION: "" # see Containerfile IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit jobs: push-ghcr: name: Build and push image runs-on: ubuntu-22.04 permissions: contents: read packages: write id-token: write steps: # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v3 - name: Generate tags id: generate-tags shell: bash run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" VARIANT="${{ env.ARG_FEDORA_VERSION }}" COMMIT_TAGS=() BUILD_TAGS=() # Have tags for tracking builds during pull request SHA_SHORT="${GITHUB_SHA::7}" COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}") COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}") COMMIT_TAGS+=("pr-${{ github.event.number }}") COMMIT_TAGS+=("${SHA_SHORT}") BUILD_TAGS=("${VARIANT}") # Append matching timestamp tags to keep a version history for TAG in "${BUILD_TAGS[@]}"; do BUILD_TAGS+=("${TAG}-${TIMESTAMP}") done BUILD_TAGS+=("${TIMESTAMP}") BUILD_TAGS+=("latest") if [[ "${{ github.event_name }}" == "pull_request" ]]; then echo "Generated the following commit tags: " for TAG in "${COMMIT_TAGS[@]}"; do echo "${TAG}" done alias_tags=("${COMMIT_TAGS[@]}") else alias_tags=("${BUILD_TAGS[@]}") fi echo "Generated the following build tags: " for TAG in "${BUILD_TAGS[@]}"; do echo "${TAG}" done echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - name: Get current version id: labels run: | ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.ARG_SOURCE_IMAGE }}-${{ env.ARG_SOURCE_SUFFIX }}:${{ env.ARG_FEDORA_VERSION }}${{ env.ARG_NVIDIA_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]') echo "VERSION=$ver" >> $GITHUB_OUTPUT # Build metadata - name: Image Metadata uses: docker/metadata-action@v4 id: meta with: images: | ${{ env.MY_IMAGE_NAME }} labels: | io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md org.opencontainers.image.description=Customized ${{ env.ARG_SOURCE_IMAGE }}-${{ env.ARG_SOURCE_SUFFIX }} org.opencontainers.image.title=${{ env.MY_IMAGE_NAME }} org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile # Postfix image name with -custom to make it a little more descriptive # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format image: ${{ env.MY_IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} build-args: | SOURCE_IMAGE=${{ env.ARG_SOURCE_IMAGE }} SOURCE_SUFFIX=${{ env.ARG_SOURCE_SUFFIX }} FEDORA_VERSION=${{ env.ARG_FEDORA_VERSION }} NVIDIA_VERSION=${{ env.ARG_NVIDIA_VERSION }} labels: ${{ steps.meta.outputs.labels }} oci: false # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v5 with: string: ${{ env.IMAGE_REGISTRY }} - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Push the image to GHCR (Image Registry) - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.build_image.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} extra-args: | --disable-content-trust # This section is optional and only needs to be enabled in you plan on distributing # your project to others to consume. You will need to create a public and private key # using Cosign and save the private key as a repository secret in Github for this workflow # to consume. For more details, review the image signing section of the README. # Sign container #- uses: sigstore/cosign-installer@v3.4.0 # if: github.event_name != 'pull_request' #- name: Sign container image # if: github.event_name != 'pull_request' # run: | # cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} # env: # TAGS: ${{ steps.push.outputs.digest }} # COSIGN_EXPERIMENTAL: false # COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}