name: build-ublue on: pull_request: branches: - main paths-ignore: - '**.md' - '**.txt' schedule: - cron: '20 20 * * *' # 8:20pm everyday push: branches: - main paths-ignore: - '**.md' - '**.txt' env: IMAGE_BASE_NAME: base IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} jobs: push-ghcr: name: Build and push image runs-on: ubuntu-22.04 permissions: contents: read packages: write id-token: write strategy: fail-fast: false matrix: image_name: [base] major_version: [37] include: - major_version: 37 is_latest_version: true is_stable_version: true steps: # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v3 - name: Matrix Variables run: | echo "IMAGE_NAME=${{ format('{1}', matrix.image_name, env.IMAGE_BASE_NAME) }}" >> $GITHUB_ENV - name: Generate tags id: generate-tags shell: bash run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" MAJOR_VERSION="${{ matrix.major_version }}" COMMIT_TAGS=() BUILD_TAGS=() # Have tags for tracking builds during pull request SHA_SHORT="$(git rev-parse --short HEAD)" COMMIT_TAGS+=("pr-${{ github.event.number }}-${MAJOR_VERSION}") COMMIT_TAGS+=("${SHA_SHORT}-${MAJOR_VERSION}") if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ [[ "${{ matrix.is_stable_version }}" == "true" ]]; then COMMIT_TAGS+=("pr-${{ github.event.number }}") COMMIT_TAGS+=("${SHA_SHORT}") fi BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION}-${TIMESTAMP}") if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ [[ "${{ matrix.is_stable_version }}" == "true" ]]; then BUILD_TAGS+=("${TIMESTAMP}") BUILD_TAGS+=("latest") fi if [[ "${{ github.event_name }}" == "pull_request" ]]; then echo "Generated the following commit tags: " for TAG in "${COMMIT_TAGS[@]}"; do echo "${TAG}" done alias_tags=("${COMMIT_TAGS[@]}") else alias_tags=("${BUILD_TAGS[@]}") fi echo "Generated the following build tags: " for TAG in "${BUILD_TAGS[@]}"; do echo "${TAG}" done echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT # Build metadata - name: Image Metadata uses: docker/metadata-action@v4 id: meta with: images: | $IMAGE_NAME labels: | org.opencontainers.image.title=$IMAGE_NAME org.opencontainers.image.description=A base $IMAGE_NAME image with batteries included io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/base/base/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile image: ${{ env.IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} build-args: | IMAGE_NAME=${{ matrix.image_name }} FEDORA_MAJOR_VERSION=${{ matrix.major_version }} labels: ${{ steps.meta.outputs.labels }} oci: false # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v5 with: string: ${{ env.IMAGE_REGISTRY }} # Push the image to GHCR (Image Registry) - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.build_image.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} extra-args: | --disable-content-trust # Sign container - uses: sigstore/cosign-installer@main # Only needed when running `cosign sign` using a key - name: Write signing key to disk run: | echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key # DEBUG: get character count of key wc -c cosign.key env: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Sign container - uses: sigstore/cosign-installer@v3.0.1 if: github.event_name != 'pull_request' - name: Sign container image run: | echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key wc -c cosign.key cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - name: Echo outputs run: | echo "${{ toJSON(steps.push.outputs) }}" - name: Upload Container Export run: | mkdir -p output podman save -o output/image.tar ${{ steps.build_image.outputs.image }} echo "${{ steps.build_image.outputs.image }}" >> output/image echo "${{ steps.build_image.outputs.tags }}" >> output/tags - name: Publish Artifact uses: actions/upload-artifact@v2 if: github.event_name == 'pull_request' with: name: output path: output