fedora-micro #476
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: fedora-micro | |
| on: | |
| push: | |
| branches: ["main"] | |
| schedule: | |
| - cron: '20 03 * * *' # 3:20am everyday | |
| # I don't think anyone will use these with s390x or ppc64le | |
| env: | |
| PLATFORMS: linux/amd64 | |
| jobs: | |
| build_and_push_docker_images: | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| version: [ 38, 39 ] | |
| images: [ micro, node, npm, python3, python3-dev, code, socket-proxy ] | |
| exclude: | |
| - images: node | |
| version: 39 | |
| - images: npm | |
| version: 39 | |
| include: | |
| - version: 39 | |
| tag: latest | |
| - version: 39 | |
| tag: rawhide | |
| - images: node | |
| node-version: 18 | |
| - images: npm | |
| node-version: 18 | |
| permissions: | |
| contents: read | |
| packages: write | |
| container: | |
| image: quay.io/buildah/upstream:latest | |
| options: --privileged --device /dev/fuse:rw --security-opt label=disable --security-opt seccomp=unconfined | |
| name: Docker Images | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Cache DNF | |
| id: cache-dnf | |
| uses: pat-s/[email protected] | |
| with: | |
| path: /var/cache/dnf | |
| key: ${{ runner.os }}-dnf | |
| # https://github.com/rpm-software-management/mock/issues/277 | |
| - name: Download podman and refresh metadata | |
| run: | | |
| dnf install podman -y | |
| # BUILD | |
| - name: Build Test Image | |
| id: build-test | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| image: fedora-micro | |
| tags: test | |
| containerfiles: | | |
| ./${{ matrix.images }}/Containerfile | |
| platforms: linux/amd64 | |
| build-args: | | |
| VERSION_ID=${{ matrix.version }} | |
| NODE_VERSION=${{ matrix.node-version }} | |
| extra-args: | | |
| --cap-add=SYS_CHROOT | |
| -v /var/cache/dnf:/var/cache/dnf:O | |
| - name: Check for changes | |
| run: | | |
| echo "Grabbing current container" | |
| remote_container=$(buildah from quay.io/np22-jpg/fedora-${{ matrix.images }}:${{ matrix.version }}) && echo $remote_container | |
| buildah run $remote_container cat /etc/PACKAGES > "current" && cat current | |
| echo "Grabbing update container" | |
| local_container=$(buildah from fedora-micro:test) && echo $local_container | |
| buildah run $local_container cat /etc/PACKAGES > "update" && cat update | |
| echo "Generating diff" | |
| diff current update > "diff" || true | |
| cat diff | |
| [ -s diff ] || false | |
| - name: Build Image | |
| id: build-image | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| image: fedora-${{ matrix.images }} | |
| tags: ${{ matrix.version }} ${{ matrix.tag }} | |
| containerfiles: | | |
| ./${{ matrix.images }}/Containerfile | |
| platforms: ${{ env.PLATFORMS }} | |
| build-args: | | |
| VERSION_ID=${{ matrix.version }} | |
| NODE_VERSION=${{ matrix.node-version }} | |
| extra-args: | | |
| --cap-add=SYS_CHROOT | |
| -v /var/cache/dnf:/var/cache/dnf:O | |
| # PUSH | |
| - uses: sigstore/[email protected] | |
| - name: Write Cosign Key | |
| run: | | |
| echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key; | |
| wc -c cosign.key; | |
| env: | |
| COSIGN_EXPERIMENTAL: false | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| - name: Push To Docker Hub | |
| id: push-to-docker | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| username: np22jpg | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: docker.io/np22jpg | |
| - name: Sign Docker Hub Image | |
| run: | | |
| cosign login docker.io -u np22jpg -p ${{ secrets.DOCKER_PASSWORD }} | |
| cosign sign -y --key cosign.key docker.io/np22jpg/${{ steps.build-image.outputs.image }}@${DOCKER_TAGS} | |
| env: | |
| COSIGN_EXPERIMENTAL: false | |
| DOCKER_TAGS: ${{ steps.push-to-docker.outputs.digest }} | |
| - name: Push To Quay.io | |
| id: push-to-quay | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| username: np22-jpg+fedoramicro | |
| password: ${{ secrets.REGISTRY_PASSWORD }} | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: quay.io/np22-jpg | |
| - name: Sign Quay.io Image | |
| run: | | |
| cosign login quay.io -u np22-jpg+fedoramicro -p ${{ secrets.REGISTRY_PASSWORD }} | |
| cosign sign -y --key cosign.key quay.io/np22-jpg/${{ steps.build-image.outputs.image }}@${QUAY_TAGS} | |
| env: | |
| COSIGN_EXPERIMENTAL: false | |
| QUAY_TAGS: ${{ steps.push-to-quay.outputs.digest }} | |
| - name: Push To GHCR | |
| id: push-to-ghcr | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: ghcr.io/${{ github.repository_owner }} | |
| - name: Sign GHCR Image | |
| run: | | |
| cosign login ghcr.io -u ${{ github.actor }} -p ${{ github.token }} | |
| cosign sign -y --key cosign.key ghcr.io/${{ github.repository_owner }}/${{ steps.build-image.outputs.image }}@${GHCR_TAGS} | |
| env: | |
| COSIGN_EXPERIMENTAL: false | |
| GHCR_TAGS: ${{ steps.push-to-ghcr.outputs.digest }} | |
| - name: Print image URLs | |
| run: | | |
| echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" | |
| echo "Image pushed to ${{ steps.push-to-docker.outputs.registry-paths }}" | |
| echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}" |