Build container image #450
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Build container image | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: "05 10 * * *" # 10:05am UTC everyday | |
| push: | |
| branches: | |
| - main | |
| - testing | |
| paths-ignore: | |
| - "**/README.md" | |
| workflow_dispatch: | |
| env: | |
| IMAGE_DESC: "Custom Bazzite image based on Niri and Noctalia, built for the Data Lab Techs out there." | |
| IMAGE_KEYWORDS: "bootc,ublue,universal-blue,bazzite,fedora,nvidia,niri,noctalia" | |
| IMAGE_LOGO_URL: "https://raw.githubusercontent.com/DataLabTechTV/dltos/refs/heads/main/repo_files/dltos-logo.png" | |
| IMAGE_NAME: "${{ github.event.repository.name }}" | |
| IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" | |
| DEFAULT_TAG: "latest" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} | |
| cancel-in-progress: true | |
| jobs: | |
| build_push: | |
| name: Build and push image | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Prepare environment | |
| run: | | |
| # Lowercase the image uri | |
| echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV} | |
| echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV} | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Maximize build space | |
| uses: ublue-os/remove-unwanted-software@695eb75bc387dbcd9685a8e72d23439d8686cba6 | |
| - name: Get current date | |
| id: date | |
| run: | | |
| # This generates a timestamp like what is defined on the ArtifactHub documentation | |
| # E.G: 2022-02-08T15:38:15Z' | |
| # https://artifacthub.io/docs/topics/repositories/container-images/ | |
| # https://linux.die.net/man/1/date | |
| echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT | |
| - name: Image Metadata | |
| uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 | |
| id: metadata | |
| with: | |
| tags: | | |
| type=raw,value=${{ env.DEFAULT_TAG }},enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| type=raw,value=${{ env.DEFAULT_TAG }}.{{date 'YYYYMMDD'}},enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| type=raw,value=${{ github.ref_name }},enable=${{ github.ref != format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| type=raw,value=${{ github.ref_name }}.{{date 'YYYYMMDD'}},enable=${{ github.ref != format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| type=raw,value={{date 'YYYYMMDD'}},enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| type=sha,enable=${{ github.event_name == 'pull_request' }} | |
| type=ref,event=pr | |
| labels: | | |
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/${{ github.sha }}/README.md | |
| org.opencontainers.image.created=${{ steps.date.outputs.date }} | |
| org.opencontainers.image.description=${{ env.IMAGE_DESC }} | |
| org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/${{ github.sha }}/README.md | |
| org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/${{ github.sha }}/Containerfile | |
| org.opencontainers.image.title=${{ env.IMAGE_NAME }} | |
| org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/tree/${{ github.sha }} | |
| org.opencontainers.image.vendor=${{ github.repository_owner }} | |
| org.opencontainers.image.version=${{ env.DEFAULT_TAG }}.{{date 'YYYYMMDD'}} | |
| io.artifacthub.package.deprecated=false | |
| io.artifacthub.package.keywords=${{ env.IMAGE_KEYWORDS }} | |
| io.artifacthub.package.license=Apache-2.0 | |
| io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }} | |
| io.artifacthub.package.prerelease=false | |
| containers.bootc=1 | |
| sep-tags: " " | |
| sep-annotations: " " | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| if: github.event_name != 'pull_request' && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.ref == 'refs/heads/testing') | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Restore Buildah Cache | |
| uses: actions/cache/restore@v5 | |
| with: | |
| path: /var/tmp/buildah-cache-* | |
| key: ${{ runner.os }}-${{ runner.arch }}-buildah-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-${{ runner.arch }}-buildah- | |
| - name: Build Image | |
| id: build_image | |
| run: | | |
| LABELS="${{ steps.metadata.outputs.labels }}" | |
| LABEL_ARGS=() | |
| while IFS= read -r label; do | |
| if [ -n "$label" ]; then | |
| LABEL_ARGS+=(--label "$label") | |
| fi | |
| done <<< "$LABELS" | |
| export REGISTRY_AUTH_FILE="$HOME/.docker/config.json" | |
| CACHE_IMAGE="${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}-cache" | |
| sudo -E buildah build \ | |
| --layers \ | |
| --cache-from "$CACHE_IMAGE" \ | |
| --cache-to "$CACHE_IMAGE" \ | |
| "${LABEL_ARGS[@]}" \ | |
| --tag raw-img \ | |
| -f ./Containerfile . | |
| - name: Fix Cache Permissions | |
| run: | | |
| [ -d /var/tmp/buildah-cache-0 ] && sudo chmod -R 777 /var/tmp/buildah-cache-0 || true | |
| - name: Save Buildah Cache | |
| uses: actions/cache/save@v5 | |
| with: | |
| path: /var/tmp/buildah-cache-* | |
| key: ${{ runner.os }}-${{ runner.arch }}-buildah-${{ github.sha }} | |
| - name: Run Rechunker | |
| id: rechunk | |
| run: | | |
| container=$(sudo buildah from raw-img) | |
| mnt=$(sudo buildah mount $container) | |
| sudo bash -c "rm -rf $mnt/run/.* $mnt/run/* $mnt/tmp/.* $mnt/tmp/*" | |
| sudo buildah umount $container | |
| sudo buildah config --label "-" $container | |
| sudo buildah commit --identity-label=false --rm $container raw-img | |
| sudo podman run --rm --privileged \ | |
| --volume /var/lib/containers:/var/lib/containers \ | |
| quay.io/centos-bootc/centos-bootc:stream10 \ | |
| rpm-ostree compose build-chunked-oci \ | |
| --bootc \ | |
| --format-version 2 \ | |
| --from localhost/raw-img \ | |
| --output containers-storage:localhost/chunked-img | |
| sudo podman untag raw-img | |
| echo "ref=containers-storage:localhost/chunked-img" >> "$GITHUB_OUTPUT" | |
| - name: Push to GHCR | |
| if: github.event_name != 'pull_request' && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.ref == 'refs/heads/testing') | |
| run: | | |
| export REGISTRY_AUTH_FILE="$HOME/.docker/config.json" | |
| for tag in ${{ steps.metadata.outputs.tags }}; do | |
| sudo -E skopeo copy \ | |
| ${{ steps.rechunk.outputs.ref }} \ | |
| docker://${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${tag} | |
| done | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 | |
| if: github.event_name != 'pull_request' && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.ref == 'refs/heads/testing') | |
| with: | |
| cosign-release: "v2.6.1" | |
| - name: Sign container image | |
| if: github.event_name != 'pull_request' && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.ref == 'refs/heads/testing') | |
| run: | | |
| IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}" | |
| for tag in ${{ steps.metadata.outputs.tags }}; do | |
| cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag | |
| done | |
| env: | |
| TAGS: ${{ steps.push.outputs.digest }} | |
| COSIGN_EXPERIMENTAL: false | |
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |