diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0e78bca..7260761 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,13 +1,7 @@ name: build-ublue on: - # Build *every* branch at 10:20pm UTC every day (1 hr delay after "nvidia" builds), - # regardless of the branch names. (Not just "live, template and main" branches.) - # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule schedule: - cron: "20 22 * * *" - # Build automatically after pushing commits or tags to the "live", "template" - # or "main" branches, except when the commit only affects "documentation" text files. - # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push push: branches: - live 
@@ -16,26 +10,14 @@ on: paths-ignore: - "**.md" - "**.txt" - # Build pull requests whenever they are opened or updated, to make sure they - # work. The build won't be deployed, since we filter out PRs in the deployment - # stage. Note that submitted PRs run the workflow of the *fork's* own primary - # branch, using the fork's own secrets/environment. Please be sure to sync - # your primary branch with upstream's latest workflow before submitting PRs! - # For pull requests, we build *any* branch regardless of name, to allow "build - # checks" to succeed for typical PR branch names such as "fix-something". - # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request pull_request: - # Build when manually triggering this workflow for a branch. This allows you - # to build any branch, even if it's not listed in the automated triggers above. - # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch workflow_dispatch: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_OWNER: ${{ github.repository_owner }} jobs: push-ghcr: - # Only deploys the branch named "live". Ignores all other branches, to allow - # having "development" branches without interfering with GHCR image uploads. - name: Build and push image + name: Build & Push runs-on: ubuntu-22.04 permissions: contents: read @@ -44,6 +26,10 @@ jobs: strategy: fail-fast: false matrix: + image_variant: [silverblue] + image_flavor: [main, nvidia] + base_name: [ublue] + major_version: [38] recipe: - recipe.yml steps: 
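Review bot: The comment block deleted above `pull_request:` was the only place recording that pull-request builds are verification-only and that PRs run the fork's own workflow with the fork's secrets; the new code leaves no trace of that, so a reader must find the deployment filter in the push step (outside this hunk, and only asserted by the removed comment) to know a PR cannot publish an image. Keep a one-line note at the trigger, e.g. `# PR builds are verified only; the push step is expected to skip pull_request events.`, so the trust boundary stays visible next to the trigger that crosses it. The `name: Build & Push` rename and the new `IMAGE_REGISTRY_OWNER` env entry need no comment.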
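Review bot: `major_version: [38]` is parsed as a YAML integer while every consumer (`${{ matrix.major_version }}` in the skopeo tag and the `FEDORA_MAJOR_VERSION` env) treats it as a string; this is harmless today because the expression stringifies it, but a future value such as `39.0` or a leading-zero form would be retyped silently. Quote the axis, `major_version: ["38"]`, as is conventional for version matrices, and consider the same for `base_name` and `image_flavor` if values that look like booleans or numbers ever appear.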
@@ -54,10 +40,20 @@ jobs: uses: mikefarah/yq@v4.34.2 - name: Gather image data from recipe run: | - echo "IMAGE_NAME=$(yq '.name' ./${{ matrix.recipe }})" >> $GITHUB_ENV + if [[ "${{ matrix.image_flavor }}" == "main" ]]; then + echo "IMAGE_NAME=${{ matrix.base_name }}" >> $GITHUB_ENV + elif [[ "${{ matrix.image_variant }}" == "silverblue" ]]; then + echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.base_name, matrix.image_flavor) }}" >> $GITHUB_ENV + elif [[ "${{ matrix.image_flavor }}" == "main" ]]; then + echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.base_name, matrix.image_variant) }}" >> $GITHUB_ENV + else + echo "IMAGE_NAME=${{ format('{0}-{1}-{2}', matrix.base_name, matrix.image_variant, matrix.image_flavor) }}" >> $GITHUB_ENV + fi + + echo "BASE_IMAGE_REGISTRY=$(yq '.base_image_registry' ./${{ matrix.recipe }})" >> $GITHUB_ENV + echo "RECIPE=${{ matrix.recipe }}" >> $GITHUB_ENV echo "IMAGE_DESCRIPTION=$(yq '.description' ./${{ matrix.recipe }})" >> $GITHUB_ENV - echo "FEDORA_MAJOR_VERSION=$(yq '.fedora-version' ./${{ matrix.recipe }})" >> $GITHUB_ENV - echo "BASE_IMAGE_URL=$(yq '.base-image' ./${{ matrix.recipe }})" >> $GITHUB_ENV + echo "FEDORA_MAJOR_VERSION=${{ matrix.major_version }}" >> $GITHUB_ENV - name: Generate tags id: generate-tags shell: bash 
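Review bot: The third branch of the new `if`/`elif` chain in "Gather image data from recipe" is unreachable: it tests `"${{ matrix.image_flavor }}" == "main"`, which is exactly the first branch's condition, so the `base_name-image_variant` name is never produced and a non-silverblue `main`-flavor image would be named just `ublue`. If the intent is that only silverblue/main gets the bare base name, the first test should require both, `if [[ "${{ matrix.image_flavor }}" == "main" && "${{ matrix.image_variant }}" == "silverblue" ]]; then`. With the current matrix (silverblue only) the bug is latent, which is presumably why it went unnoticed. Separately, `$(yq '.base_image_registry' ...)` yields the literal string `null` when the key is absent from the recipe, so a short `[[ -n ... && ... != null ]]` guard before writing `BASE_IMAGE_REGISTRY` would fail the step with a clear message instead of an opaque `docker://null/...` pull error later.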
@@ -94,21 +90,8 @@ jobs: - name: Get current version id: labels run: | - ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.FEDORA_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]') + ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_REGISTRY }}/${{ matrix.image_variant }}-${{ matrix.image_flavor }}:${{ matrix.major_version }} | jq -r '.Labels["org.opencontainers.image.version"]') echo "VERSION=$ver" >> $GITHUB_OUTPUT - # Build metadata - - name: Image Metadata - uses: docker/metadata-action@v4 - id: meta - with: - images: | - ${{ env.IMAGE_NAME }} - labels: | - org.opencontainers.image.title=${{ env.IMAGE_NAME }} - org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} - org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }} - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md - io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry 
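Review bot: The base image tag is resolved twice — here by `skopeo inspect` to read `org.opencontainers.image.version`, and again by the Containerfile's `FROM` at build time — so if `${{ matrix.major_version }}` is re-tagged upstream between the two steps, the version label stamped on the output may not describe the base it was actually built on. Capturing `.Digest` from the same inspect output (e.g. a second `echo "DIGEST=$(... | jq -r '.Digest')" >> $GITHUB_OUTPUT`) and passing it as a build-arg that the Containerfile uses in `FROM` would pin label and build to one immutable base; the Containerfile side of that is outside this hunk. The removed metadata-action block reappears later in the file, so its deletion here is a move, not a loss.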
@@ -121,21 +104,36 @@ jobs: uses: ASzc/change-string-case-action@v5 with: string: ${{ env.IMAGE_NAME }} - # Build image using Buildah action + - name: Image Metadata + uses: docker/metadata-action@v4 + id: meta + with: + images: | + ${{ steps.image_case.outputs.lowercase }} + labels: | + org.opencontainers.image.title=${{ steps.image_case.outputs.lowercase }} + org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} + org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }} + io.artifacthub.package.readme-url=https://raw.githubusercontent.com/scottames/ublue/main/README.md + io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile - image: ${{ env.IMAGE_NAME }} + image: ${{ steps.image_case.outputs.lowercase }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} build-args: | + IMAGE_VARIANT=${{ matrix.image_variant }} + IMAGE_FLAVOR=${{ matrix.image_flavor }} + IMAGE_NAME=${{ steps.image_case.outputs.lowercase }} FEDORA_MAJOR_VERSION=${{ env.FEDORA_MAJOR_VERSION }} - BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }} + BASE_IMAGE_REGISTRY=${{ env.BASE_IMAGE_REGISTRY }} RECIPE=${{ matrix.recipe }} IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }} + IMAGE_REGISTRY_OWNER=${{ env.IMAGE_REGISTRY_OWNER }} labels: ${{ steps.meta.outputs.labels }} oci: false - name: Push To GHCR diff --git a/Containerfile b/Containerfile index 7fa9c3b..4ad0683 100644 --- a/Containerfile +++ b/Containerfile 
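Review bot: In the relocated "Image Metadata" step, `io.artifacthub.package.readme-url` is repointed to `scottames/ublue` but `io.artifacthub.package.logo-url` keeps the avatar id inherited from the upstream template, so the published package would presumably show the upstream org's logo next to this repository's README; confirm that is intended or point both at the same owner. The new build-args are consistent with the lowercased `IMAGE_NAME`/`IMAGE_REGISTRY`, but note that `IMAGE_REGISTRY_OWNER=${{ env.IMAGE_REGISTRY_OWNER }}` is passed with its original case while the registry is lowercased; it is only used as a file-name stem, so this is a naming inconsistency rather than a functional issue.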
@@ -1,56 +1,37 @@ -# This is the Containerfile for your custom image. +ARG IMAGE_VARIANT="${IMAGE_VARIANT:-silverblue}" +ARG IMAGE_FLAVOR="${IMAGE_FLAVOR:-main}" +ARG IMAGE_NAME="${IMAGE_NAME}" +ARG SOURCE_IMAGE="${SOURCE_IMAGE:-$IMAGE_VARIANT-$IMAGE_FLAVOR}" +ARG BASE_IMAGE_REGISTRY="${BASE_IMAGE_REGISTRY:-ghcr.io/ublue-os}" +ARG BASE_IMAGE="${BASE_IMAGE_REGISTRY}/${SOURCE_IMAGE}" +ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-38}" -# It takes in the recipe, version, and base image as arguments, -# all of which are provided by build.yml when doing builds -# in the cloud. The ARGs have default values, but changing those -# does nothing if the image is built in the cloud. +FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} -ARG FEDORA_MAJOR_VERSION=38 -# Warning: changing this might not do anything for you. Read comment above. -ARG BASE_IMAGE_URL=ghcr.io/ublue-os/silverblue-main - -FROM ${BASE_IMAGE_URL}:${FEDORA_MAJOR_VERSION} - -# The default recipe set to the recipe's default filename -# so that `podman build` should just work for many people. -ARG RECIPE=./recipe.yml - -# The default image registry to write to policy.json and cosign.yaml -ARG IMAGE_REGISTRY=ghcr.io/ublue-os +ARG IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/scottames}" +ARG IMAGE_REGISTRY_OWNER="${IMAGE_REGISTRY_OWNER:-scottames}" +ARG RECIPE="${RECIPE:-recipe.yml}" # Copy static configurations and component files. +COPY usr /usr # Warning: If you want to place anything in "/etc" of the final image, you MUST # place them in "./usr/etc" in your repo, so that they're written to "/usr/etc" # on the final system. That is the proper directory for "system" configuration # templates on immutable Fedora distros, whereas the normal "/etc" is ONLY meant # for manual overrides and editing by the machine's admin AFTER installation! # See issue #28 (https://github.com/ublue-os/startingpoint/issues/28). 
-COPY usr /usr COPY etc /etc -# Copy public key -COPY cosign.pub /usr/share/ublue-os/cosign.pub - -# Copy the recipe that we're building. -COPY ${RECIPE} /usr/share/ublue-os/recipe.yml +COPY cosign.pub /usr/share/ublue-os/${IMAGE_REGISTRY_OWNER}.pub +COPY "${RECIPE}" /usr/share/ublue-os/recipe.yml -# Copy nix install script and Universal Blue wallpapers RPM from Bling image +RUN mkdir -p /usr/share/wallpapers COPY --from=ghcr.io/ublue-os/bling:latest /rpms/ublue-os-wallpapers-0.1-1.fc38.noarch.rpm /tmp/ublue-os-wallpapers-0.1-1.fc38.noarch.rpm - -# Integrate bling justfiles onto image COPY --from=ghcr.io/ublue-os/bling:latest /files/usr/share/ublue-os/just /usr/share/ublue-os/just - -# Add nix installer if you want to use it -COPY --from=ghcr.io/ublue-os/bling:latest /files/usr/bin/ublue-nix* /usr/bin - # "yq" used in build.sh and the "setup-flatpaks" just-action to read recipe.yml. # Copied from the official container image since it's not available as an RPM. COPY --from=docker.io/mikefarah/yq /usr/bin/yq /usr/bin/yq - -# Copy the build script and all custom scripts. COPY scripts /tmp/scripts - -# Run the build script, then clean up temp files and finalize container build. RUN rpm-ostree install /tmp/ublue-os-wallpapers-0.1-1.fc38.noarch.rpm && \ chmod +x /tmp/scripts/build.sh && \ /tmp/scripts/build.sh && \ diff --git a/recipe.yml b/recipe.yml index 99fa0f4..0bf9781 100644 --- a/recipe.yml +++ b/recipe.yml 
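Review bot: `ARG IMAGE_VARIANT`, `ARG IMAGE_FLAVOR` and `ARG IMAGE_NAME` are declared before `FROM`, which places them outside the build stage; after the `FROM` line the hunk redeclares only `IMAGE_REGISTRY`, `IMAGE_REGISTRY_OWNER` and `RECIPE`, so `IMAGE_NAME` (and the variant/flavor pair) are unset for every later instruction and for `/tmp/scripts/build.sh`. If anything after `FROM` reads them — build.sh is outside this hunk, so I cannot confirm — add `ARG IMAGE_NAME` (and the others as needed) after the `FROM` line. Also, `ARG IMAGE_NAME="${IMAGE_NAME}"` refers to itself and expands to an empty default; a plain `ARG IMAGE_NAME` already accepts `--build-arg`, and the `"${X:-default}"` form is only useful on the lines that carry a real default. The "Warning: If you want to place anything in /etc" comment now sits between `COPY usr /usr` and `COPY etc /etc`, which reads as if it described the `etc` copy; move `COPY usr /usr` below the comment, where the removed line was, to keep the warning attached to the `usr` copy it explains.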
@@ -1,22 +1,5 @@ -# This file can only be edited inside the uBlue image's git repository. - -# The image will be at "ghcr.io/yourusername/name". -name: ublue -# The native container image to build on top of. -# Warning: Non-uBlue images might not work properly, due to missing components. -base-image: ghcr.io/ublue-os/silverblue-main -# What Fedora version to use. Use an explicit version or `latest`. -# If you use `latest`, you will be automatically updated to the next major -# Fedora version, assuming the image you're using as your base container -# builds with the tag (all uBlue images do this). -fedora-version: 38 -# This description will be visible in the container metadata. +base_image_registry: ghcr.io/ublue-os description: A starting point for further customization of uBlue images. Make your own! https://ublue.it/making-your-own/ -# These scripts will be executed during the container build. -# Place scripts in the "scripts/" dir and put the corresponding filenames here. -# Any files that aren't listed here won't be executed automatically, which -# means that you can place "helper" or "library" scripts in the folder too. -# You can use "autorun.sh" if you want an automatic runner. scripts: # "Pre" scripts run very early in the build, immediately after your custom # repos have been imported (so that you can access those repos if necessary). diff --git a/scripts/build.sh b/scripts/build.sh index c5d43ff..a6c98a3 100644 --- a/scripts/build.sh +++ b/scripts/build.sh 
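Review bot: The new `base_image_registry` key has no comment, whereas each of the keys it replaces (`name`, `base-image`, `fedora-version`) carried one explaining its effect; since this value now decides where the base image is pulled from at build time, it deserves the same. Suggest `# Registry the base image (<variant>-<flavor>:<version>) is pulled from; the variant, flavor and version themselves come from the workflow matrix.` above it. Also note that the remaining keys use kebab-case in the deleted lines while the new one is snake_case; whichever convention the rest of the recipe (outside this hunk) follows should win.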
@@ -110,25 +110,24 @@ echo "Setup container signing in policy.json and cosign.yaml" echo "Registry to write: $IMAGE_REGISTRY" # Copy Name -NAME=$(get_yaml_string '.name') -cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$NAME".pub +cp "/usr/share/ublue-os/$IMAGE_REGISTRY_OWNER.pub" /usr/etc/pki/containers/ # Work around the fact that jq doesn't have an "inplace" option FILE=/usr/etc/containers/policy.json TMP=/tmp/policy.json -jq '.transports.docker |= +jq '.transports.docker |= {"'"$IMAGE_REGISTRY"'": [ { "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/'"$NAME"'.pub", + "keyPath": "/usr/etc/pki/containers/'"$IMAGE_REGISTRY_OWNER"'.pub", "signedIdentity": { "type": "matchRepository" } } ] } -+ .' $FILE > $TMP ++ .' $FILE >$TMP mv -f $TMP $FILE cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$NAME".yaml
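Review bot: `$NAME` is still expanded in the final `cp /usr/etc/containers/registries.d/ublue-os.yaml .../registries.d/"$NAME".yaml` line, but this hunk deletes the only assignment `NAME=$(get_yaml_string '.name')` and the recipe change drops the `name` key, so the copy now targets `registries.d/.yaml` (or aborts under `set -u`) and the sigstore registry configuration for this image's name is never written. Change that line to use the identifier the rest of the hunk switched to, `cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$IMAGE_REGISTRY_OWNER".yaml`, or keep a `NAME` assignment. Any further uses of `$NAME` later in build.sh are outside this hunk and would need the same treatment; the `keyPath` and `cp` changes for the `.pub` file are consistent with each other.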