ci: support multiple images (nvidia) + fix signing

.github/workflows/build.yml

@@ -1,13 +1,7 @@
 name: build-ublue
 on:
-  # Build *every* branch at 10:20pm UTC every day (1 hr delay after "nvidia" builds),
-  # regardless of the branch names. (Not just "live, template and main" branches.)
-  # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
   schedule:
     - cron: "20 22 * * *"
-  # Build automatically after pushing commits or tags to the "live", "template"
-  # or "main" branches, except when the commit only affects "documentation" text files.
-  # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push
   push:
     branches:
       - live
@@ -16,26 +10,14 @@ on:
     paths-ignore:
       - "**.md"
       - "**.txt"
-  # Build pull requests whenever they are opened or updated, to make sure they
-  # work. The build won't be deployed, since we filter out PRs in the deployment
-  # stage. Note that submitted PRs run the workflow of the *fork's* own primary
-  # branch, using the fork's own secrets/environment. Please be sure to sync
-  # your primary branch with upstream's latest workflow before submitting PRs!
-  # For pull requests, we build *any* branch regardless of name, to allow "build
-  # checks" to succeed for typical PR branch names such as "fix-something".
-  # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
   pull_request:
-  # Build when manually triggering this workflow for a branch. This allows you
-  # to build any branch, even if it's not listed in the automated triggers above.
-  # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
   workflow_dispatch:
 env:
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_REGISTRY_OWNER: ${{ github.repository_owner }}
 jobs:
   push-ghcr:
-    # Only deploys the branch named "live". Ignores all other branches, to allow
-    # having "development" branches without interfering with GHCR image uploads.
-    name: Build and push image
+    name: Build & Push
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -44,6 +26,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        image_variant: [silverblue]
+        image_flavor: [main, nvidia]
+        base_name: [ublue]
+        major_version: [38]
         recipe:
           - recipe.yml
     steps:
@@ -54,10 +40,20 @@ jobs:
         uses: mikefarah/yq@v4.34.2
       - name: Gather image data from recipe
         run: |
-          echo "IMAGE_NAME=$(yq '.name' ./${{ matrix.recipe }})" >> $GITHUB_ENV
+          if [[ "${{ matrix.image_flavor }}" == "main" ]]; then
+              echo "IMAGE_NAME=${{ matrix.base_name }}" >> $GITHUB_ENV
+          elif [[ "${{ matrix.image_variant }}" == "silverblue" ]]; then
+              echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.base_name, matrix.image_flavor) }}" >> $GITHUB_ENV
+          elif [[ "${{ matrix.image_flavor }}" == "main" ]]; then
+              echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.base_name, matrix.image_variant) }}" >> $GITHUB_ENV
+          else
+              echo "IMAGE_NAME=${{ format('{0}-{1}-{2}', matrix.base_name, matrix.image_variant, matrix.image_flavor) }}" >> $GITHUB_ENV
+          fi
+
+          echo "BASE_IMAGE_REGISTRY=$(yq '.base_image_registry' ./${{ matrix.recipe }})" >> $GITHUB_ENV
+          echo "RECIPE=${{ matrix.recipe }}" >> $GITHUB_ENV
           echo "IMAGE_DESCRIPTION=$(yq '.description' ./${{ matrix.recipe }})" >> $GITHUB_ENV
-          echo "FEDORA_MAJOR_VERSION=$(yq '.fedora-version' ./${{ matrix.recipe }})" >> $GITHUB_ENV
-          echo "BASE_IMAGE_URL=$(yq '.base-image' ./${{ matrix.recipe }})" >> $GITHUB_ENV
+          echo "FEDORA_MAJOR_VERSION=${{ matrix.major_version }}" >> $GITHUB_ENV
       - name: Generate tags
         id: generate-tags
         shell: bash
@@ -94,21 +90,8 @@ jobs:
       - name: Get current version
         id: labels
         run: |
-          ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.FEDORA_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]')
+          ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_REGISTRY }}/${{ matrix.image_variant }}-${{ matrix.image_flavor }}:${{ matrix.major_version }} | jq -r '.Labels["org.opencontainers.image.version"]')
           echo "VERSION=$ver" >> $GITHUB_OUTPUT
-      # Build metadata
-      - name: Image Metadata
-        uses: docker/metadata-action@v4
-        id: meta
-        with:
-          images: |
-            ${{ env.IMAGE_NAME }}
-          labels: |
-            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
-            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
-            org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
-            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md
-            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
       # https://github.com/macbre/push-to-ghcr/issues/12
       - name: Lowercase Registry
@@ -121,21 +104,36 @@ jobs:
         uses: ASzc/change-string-case-action@v5
         with:
           string: ${{ env.IMAGE_NAME }}
-      # Build image using Buildah action
+      - name: Image Metadata
+        uses: docker/metadata-action@v4
+        id: meta
+        with:
+          images: |
+            ${{ steps.image_case.outputs.lowercase }}
+          labels: |
+            org.opencontainers.image.title=${{ steps.image_case.outputs.lowercase }}
+            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
+            org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/scottames/ublue/main/README.md
+            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
       - name: Build Image
         id: build_image
         uses: redhat-actions/buildah-build@v2
         with:
           containerfiles: |
             ./Containerfile
-          image: ${{ env.IMAGE_NAME }}
+          image: ${{ steps.image_case.outputs.lowercase }}
           tags: |
             ${{ steps.generate-tags.outputs.alias_tags }}
           build-args: |
+            IMAGE_VARIANT=${{ matrix.image_variant }}
+            IMAGE_FLAVOR=${{ matrix.image_flavor }}
+            IMAGE_NAME=${{ steps.image_case.outputs.lowercase }}
             FEDORA_MAJOR_VERSION=${{ env.FEDORA_MAJOR_VERSION }}
-            BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }}
+            BASE_IMAGE_REGISTRY=${{ env.BASE_IMAGE_REGISTRY }}
             RECIPE=${{ matrix.recipe }}
             IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }}
+            IMAGE_REGISTRY_OWNER=${{ env.IMAGE_REGISTRY_OWNER }}
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
       - name: Push To GHCR

Containerfile

@@ -1,56 +1,37 @@
-# This is the Containerfile for your custom image. 
+ARG IMAGE_VARIANT="${IMAGE_VARIANT:-silverblue}"
+ARG IMAGE_FLAVOR="${IMAGE_FLAVOR:-main}"
+ARG IMAGE_NAME="${IMAGE_NAME}"
+ARG SOURCE_IMAGE="${SOURCE_IMAGE:-$IMAGE_VARIANT-$IMAGE_FLAVOR}"
+ARG BASE_IMAGE_REGISTRY="${BASE_IMAGE_REGISTRY:-ghcr.io/ublue-os}"
+ARG BASE_IMAGE="${BASE_IMAGE_REGISTRY}/${SOURCE_IMAGE}"
+ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-38}"
 
-# It takes in the recipe, version, and base image as arguments,
-# all of which are provided by build.yml when doing builds
-# in the cloud. The ARGs have default values, but changing those
-# does nothing if the image is built in the cloud.
+FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION}
 
-ARG FEDORA_MAJOR_VERSION=38
-# Warning: changing this might not do anything for you. Read comment above.
-ARG BASE_IMAGE_URL=ghcr.io/ublue-os/silverblue-main
-
-FROM ${BASE_IMAGE_URL}:${FEDORA_MAJOR_VERSION}
-
-# The default recipe set to the recipe's default filename
-# so that `podman build` should just work for many people.
-ARG RECIPE=./recipe.yml
-
-# The default image registry to write to policy.json and cosign.yaml
-ARG IMAGE_REGISTRY=ghcr.io/ublue-os
+ARG IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/scottames}"
+ARG IMAGE_REGISTRY_OWNER="${IMAGE_REGISTRY_OWNER:-scottames}"
+ARG RECIPE="${RECIPE:-recipe.yml}"
 
 # Copy static configurations and component files.
+COPY usr /usr
 # Warning: If you want to place anything in "/etc" of the final image, you MUST
 # place them in "./usr/etc" in your repo, so that they're written to "/usr/etc"
 # on the final system. That is the proper directory for "system" configuration
 # templates on immutable Fedora distros, whereas the normal "/etc" is ONLY meant
 # for manual overrides and editing by the machine's admin AFTER installation!
 # See issue #28 (https://github.com/ublue-os/startingpoint/issues/28).
-COPY usr /usr
 COPY etc /etc
 
-# Copy public key
-COPY cosign.pub /usr/share/ublue-os/cosign.pub
-
-# Copy the recipe that we're building.
-COPY ${RECIPE} /usr/share/ublue-os/recipe.yml
+COPY cosign.pub /usr/share/ublue-os/${IMAGE_REGISTRY_OWNER}.pub
+COPY "${RECIPE}" /usr/share/ublue-os/recipe.yml
 
-# Copy nix install script and Universal Blue wallpapers RPM from Bling image
+RUN mkdir -p /usr/share/wallpapers
 COPY --from=ghcr.io/ublue-os/bling:latest /rpms/ublue-os-wallpapers-0.1-1.fc38.noarch.rpm /tmp/ublue-os-wallpapers-0.1-1.fc38.noarch.rpm
-
-# Integrate bling justfiles onto image
 COPY --from=ghcr.io/ublue-os/bling:latest /files/usr/share/ublue-os/just /usr/share/ublue-os/just
-
-# Add nix installer if you want to use it
-COPY --from=ghcr.io/ublue-os/bling:latest /files/usr/bin/ublue-nix* /usr/bin
-
 # "yq" used in build.sh and the "setup-flatpaks" just-action to read recipe.yml.
 # Copied from the official container image since it's not available as an RPM.
 COPY --from=docker.io/mikefarah/yq /usr/bin/yq /usr/bin/yq
-
-# Copy the build script and all custom scripts.
 COPY scripts /tmp/scripts
-
-# Run the build script, then clean up temp files and finalize container build.
 RUN rpm-ostree install /tmp/ublue-os-wallpapers-0.1-1.fc38.noarch.rpm && \
   chmod +x /tmp/scripts/build.sh && \
   /tmp/scripts/build.sh && \

recipe.yml

@@ -1,22 +1,5 @@
-# This file can only be edited inside the uBlue image's git repository.
-
-# The image will be at "ghcr.io/yourusername/name".
-name: ublue
-# The native container image to build on top of.
-# Warning: Non-uBlue images might not work properly, due to missing components.
-base-image: ghcr.io/ublue-os/silverblue-main
-# What Fedora version to use. Use an explicit version or `latest`.
-# If you use `latest`, you will be automatically updated to the next major
-# Fedora version, assuming the image you're using as your base container
-# builds with the tag (all uBlue images do this).
-fedora-version: 38
-# This description will be visible in the container metadata.
+base_image_registry: ghcr.io/ublue-os
 description: A starting point for further customization of uBlue images. Make your own! https://ublue.it/making-your-own/
-# These scripts will be executed during the container build.
-# Place scripts in the "scripts/" dir and put the corresponding filenames here.
-# Any files that aren't listed here won't be executed automatically, which
-# means that you can place "helper" or "library" scripts in the folder too.
-# You can use "autorun.sh" if you want an automatic runner.
 scripts:
   # "Pre" scripts run very early in the build, immediately after your custom
   # repos have been imported (so that you can access those repos if necessary).

scripts/build.sh

@@ -110,25 +110,24 @@ echo "Setup container signing in policy.json and cosign.yaml"
 echo "Registry to write: $IMAGE_REGISTRY"
 
 # Copy Name
-NAME=$(get_yaml_string '.name')
-cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$NAME".pub
+cp "/usr/share/ublue-os/$IMAGE_REGISTRY_OWNER.pub" /usr/etc/pki/containers/
 
 # Work around the fact that jq doesn't have an "inplace" option
 FILE=/usr/etc/containers/policy.json
 TMP=/tmp/policy.json
 
-jq '.transports.docker |= 
+jq '.transports.docker |=
     {"'"$IMAGE_REGISTRY"'": [
             {
                 "type": "sigstoreSigned",
-                "keyPath": "/usr/etc/pki/containers/'"$NAME"'.pub",
+                "keyPath": "/usr/etc/pki/containers/'"$IMAGE_REGISTRY_OWNER"'.pub",
                 "signedIdentity": {
                     "type": "matchRepository"
                 }
             }
         ]
     }
-+ .' $FILE > $TMP
++ .' $FILE >$TMP
 mv -f $TMP $FILE
 
 cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$NAME".yaml