Skip to content
This repository has been archived by the owner on Jul 22, 2024. It is now read-only.

build-ucore

build-ucore #353

Workflow file for this run

name: build-ucore
on:
pull_request:
merge_group:
schedule:
- cron: '15 23 * * *' # 11:15PM UTC everyday (approx 1 hours after coreos images publish)
workflow_dispatch:
env:
IMAGE_NAME: ucore-kmods
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
SOURCE_IMAGE: fedora-coreos
jobs:
push-ghcr:
name: Build and push ucore-kmods image
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
coreos_version: [stable, testing]
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
VARIANT="${{ matrix.coreos_version }}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="${GITHUB_SHA::7}"
COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}")
COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}")
BUILD_TAGS=("${VARIANT}" "${VARIANT}-${TIMESTAMP}")
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
# in addition to existing tag logic, add docker/metadata friendly tags
METADATA_TAGS=$(
for TAG in "${alias_tags[@]}"; do
echo "${TAG}"
done)
echo "METADATA_TAGS<<EOF" >> $GITHUB_ENV
echo "$METADATA_TAGS" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: Retrieve akmods signing key
run: |
mkdir -p certs
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Using test signing key"
else
echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
fi
# DEBUG: get character count of key
wc -c certs/private_key.priv
- name: Get current versions
id: labels
run: |
skopeo inspect docker://quay.io/fedora/${{ env.SOURCE_IMAGE }}:${{ matrix.coreos_version }} > inspect.json
version=$(jq -r '.Labels["org.opencontainers.image.version"]' inspect.json)
linux=$(jq -r '.Labels["ostree.linux"]' inspect.json)
echo "VERSION=$version" >> $GITHUB_OUTPUT
echo "LINUX=$linux" >> $GITHUB_OUTPUT
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.description=A caching layer for pre-built kmod RPMs
org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
ostree.linux=${{ steps.labels.outputs.LINUX }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4
tags: |
${{ env.METADATA_TAGS }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Build/push image using docker buildx action
- name: Build and Push Image
id: build_image
uses: docker/build-push-action@v5
with:
push: ${{ github.event_name != 'pull_request' }}
context: .
file: ./Containerfile
build-args: |
SOURCE_IMAGE=${{ env.SOURCE_IMAGE }}
COREOS_VERSION=${{ matrix.coreos_version }}
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ steps.meta.outputs.tags }}
# Sign container
- uses: sigstore/cosign-installer@v3.1.1
if: github.event_name != 'pull_request'
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
env:
TAGS: ${{ steps.build_image.outputs.digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Echo outputs
run: |
echo "${{ toJSON(steps.build_image.outputs) }}"