generated from blue-build/template
-
Notifications
You must be signed in to change notification settings - Fork 1
160 lines (144 loc) · 5.97 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
---
name: Build Atomic Studio
on: # yamllint disable-line rule:truthy
schedule:
- cron: '41 5 * * 0' # 5:41 UTC Weekly on Sundays
push:
paths:
- config/**
- generators/**
- modules/**
- .github/workflows/build.yml
pull_request:
workflow_dispatch:
env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs:
generate-recipes:
name: Generate Recipes
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
recipes: ${{ steps.generate-recipes.outputs.recipes }}
steps:
- uses: actions/checkout@v4
- name: Generate recipes
id: generate-recipes
shell: bash
run: |
/home/linuxbrew/.linuxbrew/bin/brew install pkl
RECIPES=$(/home/linuxbrew/.linuxbrew/bin/pkl eval ./generators/main.pkl -m . -f yaml | sed '/.*files/d')
# newlines replaced with spaces
echo "Generated recipes: ${RECIPES//$'\n'/ }"
# adds [" to the start, adds "] to the end, and replaces newlines with "," to turn the newline-delimeted string into a JSON array
RECIPES_JSON_STR="[\"${RECIPES//$'\n'/\",\"}\"]"
echo "Generated JSON: ${RECIPES_JSON_STR}"
# JSON strings are the only way to dynamically generate GH build matrices
echo "recipes=${RECIPES_JSON_STR}" >> $GITHUB_OUTPUT
bluebuild:
name: Build Image
runs-on: ubuntu-latest
needs: generate-recipes
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
recipe: ${{ fromJson(needs.generate-recipes.outputs.recipes) }}
steps:
- name: Maximize build space
uses: ublue-os/remove-unwanted-software@v6
with:
remove-codeql: 'true'
- name: Additional cleanup
run: |
sudo rm -rf /usr/share/miniconda /usr/local/share/vcpkg
sudo apt purge imagemagick imagemagick xorriso sqlite3 sphinxsearch shellcheck
- name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@v3
- name: Checkout repository
uses: actions/checkout@v4
- name: Generate recipes (again) and get metadata
id: recipe_meta
run: |
/home/linuxbrew/.linuxbrew/bin/brew install pkl
/home/linuxbrew/.linuxbrew/bin/pkl eval ./generators/main.pkl -m . -f yaml
echo "IMAGE_NAME=$(yq '.name' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT
echo "IMAGE_DESCRIPTION=$(yq '.description' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT
echo "VERSION=40" >> $GITHUB_OUTPUT
echo "tags=$(yq '."image-version"' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
install: true
driver: docker-container
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.title=${{ steps.recipe_meta.outputs.IMAGE_NAME }}
org.opencontainers.image.version=${{ steps.recipe_meta.outputs.VERSION }}
org.opencontainers.image.description=${{ steps.recipe_meta.outputs.IMAGE_DESCRIPTION }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/README.md
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/assets/studio-blob.png
- name: Generate Containerfile with Bluebuild
shell: bash
run: |
docker run \
--detach \
--rm \
--name blue-build-installer \
ghcr.io/blue-build/cli:main-installer \
tail -f /dev/null
docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild
docker stop -t 0 blue-build-installer
/usr/local/bin/bluebuild template -v ./${{matrix.recipe}} -o /tmp/Containerfile
- name: Build
id: build_image
uses: docker/build-push-action@v5
with:
context: .
push: false
file: /tmp/Containerfile
tags: ${{env.IMAGE_REGISTRY}}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}:latest
labels: ${{ steps.meta.outputs.labels }}
- name: Sign kernel
uses: atomic-studio-org/kernel-signer-docker@main
with:
image: ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}
imagename: ${{ steps.recipe_meta.outputs.IMAGE_NAME }}
privkey: ${{ secrets.SBKEY }}
pubkey: /usr/etc/pki/certs/atomic-studio-sbkey.der
tags: latest
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Push To GHCR Image Registry
run: docker push --disable-content-trust ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}
- name: Install cosign
uses: sigstore/cosign-installer@v3.5.0
- name: Sign container image
shell: bash
run: |
SIGN_IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' ${{env.IMAGE_REGISTRY}}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}:latest)
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}
cosign sign -y --key env://COSIGN_PRIVATE_KEY $SIGN_IMAGE
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}