Skip to content

Build Atomic Studio #386

Build Atomic Studio

Build Atomic Studio #386

Workflow file for this run

---
name: Build Atomic Studio
on: # yamllint disable-line rule:truthy
schedule:
- cron: '41 5 * * 0' # 5:41 UTC Weekly on Sundays
push:
paths:
- config/**
- generators/**
- modules/**
- .github/workflows/build.yml
pull_request:
workflow_dispatch:
env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs:
generate-recipes:
name: Generate Recipes
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
recipes: ${{ steps.generate-recipes.outputs.recipes }}
steps:
- uses: actions/checkout@v4
- name: Generate recipes
id: generate-recipes
shell: bash
run: |
/home/linuxbrew/.linuxbrew/bin/brew install pkl
RECIPES=$(/home/linuxbrew/.linuxbrew/bin/pkl eval ./generators/main.pkl -m . -f yaml | sed '/.*files/d')
# newlines replaced with spaces
echo "Generated recipes: ${RECIPES//$'\n'/ }"
# adds [" to the start, adds "] to the end, and replaces newlines with "," to turn the newline-delimeted string into a JSON array
RECIPES_JSON_STR="[\"${RECIPES//$'\n'/\",\"}\"]"
echo "Generated JSON: ${RECIPES_JSON_STR}"
# JSON strings are the only way to dynamically generate GH build matrices
echo "recipes=${RECIPES_JSON_STR}" >> $GITHUB_OUTPUT
bluebuild:
name: Build Image
runs-on: ubuntu-latest
needs: generate-recipes
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
recipe: ${{ fromJson(needs.generate-recipes.outputs.recipes) }}
steps:
- name: Maximize build space
uses: ublue-os/remove-unwanted-software@v6
with:
remove-codeql: 'true'
- name: Additional cleanup
run: |
sudo rm -rf /usr/share/miniconda /usr/local/share/vcpkg
sudo apt purge imagemagick imagemagick xorriso sqlite3 sphinxsearch shellcheck
- name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@v3
- name: Checkout repository
uses: actions/checkout@v4
- name: Generate recipes (again) and get metadata
id: recipe_meta
run: |
/home/linuxbrew/.linuxbrew/bin/brew install pkl
/home/linuxbrew/.linuxbrew/bin/pkl eval ./generators/main.pkl -m . -f yaml
echo "IMAGE_NAME=$(yq '.name' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT
echo "IMAGE_DESCRIPTION=$(yq '.description' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT
echo "VERSION=40" >> $GITHUB_OUTPUT
echo "tags=$(yq '."image-version"' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
install: true
driver: docker-container
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.title=${{ steps.recipe_meta.outputs.IMAGE_NAME }}
org.opencontainers.image.version=${{ steps.recipe_meta.outputs.VERSION }}
org.opencontainers.image.description=${{ steps.recipe_meta.outputs.IMAGE_DESCRIPTION }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/README.md
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/assets/studio-blob.png
- name: Generate Containerfile with Bluebuild
shell: bash
run: |
docker run \
--detach \
--rm \
--name blue-build-installer \
ghcr.io/blue-build/cli:main-installer \
tail -f /dev/null
docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild
docker stop -t 0 blue-build-installer
/usr/local/bin/bluebuild template -v ./${{matrix.recipe}} -o /tmp/Containerfile
- name: Build
id: build_image
uses: docker/build-push-action@v5
with:
context: .
push: false
file: /tmp/Containerfile
tags: ${{env.IMAGE_REGISTRY}}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}:latest
labels: ${{ steps.meta.outputs.labels }}
- name: Sign kernel
uses: atomic-studio-org/kernel-signer-docker@main
with:
image: ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}
imagename: ${{ steps.recipe_meta.outputs.IMAGE_NAME }}
privkey: ${{ secrets.SBKEY }}
pubkey: /usr/etc/pki/certs/atomic-studio-sbkey.der
tags: latest
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Push To GHCR Image Registry
run: docker push --disable-content-trust ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}
- name: Install cosign
uses: sigstore/cosign-installer@v3.5.0
- name: Sign container image
shell: bash
run: |
SIGN_IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' ${{env.IMAGE_REGISTRY}}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}:latest)
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}
cosign sign -y --key env://COSIGN_PRIVATE_KEY $SIGN_IMAGE
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}