name: build-ublue on: pull_request: branches: - main schedule: - cron: '20 20 * * *' # 8:20pm everyday push: branches: - main paths-ignore: - '**/README.md' env: IMAGE_NAME: base IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} jobs: push-ghcr: name: Build and push image runs-on: ubuntu-22.04 permissions: contents: read packages: write id-token: write strategy: fail-fast: false matrix: major_version: [37] include: - major_version: 37 is_latest: true is_stable: true steps: # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v3 - name: Generate tags id: generate-tags shell: bash run: | echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT alias_tags=() # Only perform the follow code when the action is spawned from a Pull Request if [[ "${{ github.event_name }}" == "pull_request" ]]; then alias_tags+=("pr-${{ github.event.number }}") else # The following is run when the timer is triggered or a merge/push to main echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT alias_tags+=("${{ matrix.major_version }}") if [[ "${{ matrix.is_latest }}" == "true" ]]; then alias_tags+=("latest") fi if [[ "${{ matrix.is_stable }}" == "true" ]]; then alias_tags+=("stable") fi fi echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile image: ${{ env.IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} ${{ steps.generate-tags.outputs.date }} ${{ steps.generate-tags.outputs.sha_short }} build-args: | FEDORA_MAJOR_VERSION=${{ matrix.major_version }} oci: true # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v5 with: string: ${{ env.IMAGE_REGISTRY }} # Push the image to GHCR (Image Registry) - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.build_image.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} extra-args: | --disable-content-trust # Sign container - uses: sigstore/cosign-installer@main # Only needed when running `cosign sign` using a key - name: Write signing key to disk run: | echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key # DEBUG: get character count of key wc -c cosign.key env: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Sign container image run: | cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false - name: Echo outputs run: | echo "${{ toJSON(steps.push.outputs) }}"