generated from ublue-os/image-template
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 29d253a
Showing
7 changed files
with
529 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
# To get started with Dependabot version updates, you'll need to specify which | ||
# package ecosystems to update and where the package manifests are located. | ||
# Please see the documentation for all configuration options: | ||
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates | ||
|
||
version: 2 | ||
updates: | ||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
schedule: | ||
interval: "weekly" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,153 @@ | ||
--- | ||
name: build-ublue-custom | ||
on: | ||
pull_request: | ||
branches: | ||
- main | ||
schedule: | ||
- cron: '05 10 * * *' # 10:05am UTC everyday | ||
push: | ||
branches: | ||
- main | ||
paths-ignore: | ||
- '**/README.md' | ||
workflow_dispatch: | ||
|
||
env: | ||
MY_IMAGE_NAME: "${{ github.event.repository.name }}" # the name of the image produced by this build, matches repo names | ||
MY_IMAGE_DESC: "My Customized Universal Blue Image" | ||
IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit | ||
|
||
jobs: | ||
build_push: | ||
name: Build and push image | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
|
||
steps: | ||
# Checkout push-to-registry action GitHub repository | ||
- name: Checkout Push to Registry action | ||
uses: actions/checkout@v4 | ||
|
||
- name: Maximize build space | ||
uses: ublue-os/remove-unwanted-software@v7 | ||
|
||
- name: Generate tags | ||
id: generate-tags | ||
shell: bash | ||
run: | | ||
# Generate a timestamp for creating an image version history | ||
TIMESTAMP="$(date +%Y%m%d)" | ||
COMMIT_TAGS=() | ||
BUILD_TAGS=() | ||
# Have tags for tracking builds during pull request | ||
SHA_SHORT="${GITHUB_SHA::7}" | ||
COMMIT_TAGS+=("pr-${{ github.event.number }}") | ||
COMMIT_TAGS+=("${SHA_SHORT}") | ||
# Append matching timestamp tags to keep a version history | ||
for TAG in "${BUILD_TAGS[@]}"; do | ||
BUILD_TAGS+=("${TAG}-${TIMESTAMP}") | ||
done | ||
BUILD_TAGS+=("${TIMESTAMP}") | ||
BUILD_TAGS+=("latest") | ||
if [[ "${{ github.event_name }}" == "pull_request" ]]; then | ||
echo "Generated the following commit tags: " | ||
for TAG in "${COMMIT_TAGS[@]}"; do | ||
echo "${TAG}" | ||
done | ||
alias_tags=("${COMMIT_TAGS[@]}") | ||
else | ||
alias_tags=("${BUILD_TAGS[@]}") | ||
fi | ||
echo "Generated the following build tags: " | ||
for TAG in "${BUILD_TAGS[@]}"; do | ||
echo "${TAG}" | ||
done | ||
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT | ||
# Build metadata | ||
- name: Image Metadata | ||
uses: docker/metadata-action@v5 | ||
id: meta | ||
with: | ||
images: | | ||
${{ env.MY_IMAGE_NAME }} | ||
labels: | | ||
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md | ||
org.opencontainers.image.description=${{ env.MY_IMAGE_DESC }} | ||
org.opencontainers.image.title=${{ env.MY_IMAGE_NAME }} | ||
# Build image using Buildah action | ||
- name: Build Image | ||
id: build_image | ||
uses: redhat-actions/buildah-build@v2 | ||
with: | ||
containerfiles: | | ||
./Containerfile | ||
# Postfix image name with -custom to make it a little more descriptive | ||
# Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format | ||
image: ${{ env.MY_IMAGE_NAME }} | ||
tags: | | ||
${{ steps.generate-tags.outputs.alias_tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
oci: false | ||
|
||
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | ||
# https://github.com/macbre/push-to-ghcr/issues/12 | ||
- name: Lowercase Registry | ||
id: registry_case | ||
uses: ASzc/change-string-case-action@v6 | ||
with: | ||
string: ${{ env.IMAGE_REGISTRY }} | ||
|
||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Push Image to GHCR | ||
uses: redhat-actions/push-to-registry@v2 | ||
id: push | ||
env: | ||
REGISTRY_USER: ${{ github.actor }} | ||
REGISTRY_PASSWORD: ${{ github.token }} | ||
with: | ||
image: ${{ steps.build_image.outputs.image }} | ||
tags: ${{ steps.build_image.outputs.tags }} | ||
registry: ${{ steps.registry_case.outputs.lowercase }} | ||
username: ${{ env.REGISTRY_USER }} | ||
password: ${{ env.REGISTRY_PASSWORD }} | ||
extra-args: | | ||
--disable-content-trust | ||
# This section is optional and only needs to be enabled in you plan on distributing | ||
# your project to others to consume. You will need to create a public and private key | ||
# using Cosign and save the private key as a repository secret in Github for this workflow | ||
# to consume. For more details, review the image signing section of the README. | ||
|
||
# Sign container | ||
- uses: sigstore/[email protected] | ||
if: github.event_name != 'pull_request' | ||
|
||
- name: Sign container image | ||
if: github.event_name != 'pull_request' | ||
run: | | ||
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} | ||
env: | ||
TAGS: ${{ steps.push.outputs.digest }} | ||
COSIGN_EXPERIMENTAL: false | ||
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
cosign.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
## 1. BUILD ARGS | ||
# These allow changing the produced image by passing different build args to adjust | ||
# the source from which your image is built. | ||
# Build args can be provided on the commandline when building locally with: | ||
# podman build -f Containerfile --build-arg FEDORA_VERSION=40 -t local-image | ||
|
||
# SOURCE_IMAGE arg can be anything from ublue upstream which matches your desired version: | ||
# See list here: https://github.com/orgs/ublue-os/packages?repo_name=main | ||
# - "silverblue" | ||
# - "kinoite" | ||
# - "sericea" | ||
# - "onyx" | ||
# - "lazurite" | ||
# - "vauxite" | ||
# - "base" | ||
# | ||
# "aurora", "bazzite", "bluefin" or "ucore" may also be used but have different suffixes. | ||
ARG SOURCE_IMAGE="silverblue" | ||
|
||
## SOURCE_SUFFIX arg should include a hyphen and the appropriate suffix name | ||
# These examples all work for silverblue/kinoite/sericea/onyx/lazurite/vauxite/base | ||
# - "-main" | ||
# - "-nvidia" | ||
# - "-asus" | ||
# - "-asus-nvidia" | ||
# - "-surface" | ||
# - "-surface-nvidia" | ||
# | ||
# aurora, bazzite and bluefin each have unique suffixes. Please check the specific image. | ||
# ucore has the following possible suffixes | ||
# - stable | ||
# - stable-nvidia | ||
# - stable-zfs | ||
# - stable-nvidia-zfs | ||
# - (and the above with testing rather than stable) | ||
ARG SOURCE_SUFFIX="-main" | ||
|
||
## SOURCE_TAG arg must be a version built for the specific image: eg, 39, 40, gts, latest | ||
ARG SOURCE_TAG="latest" | ||
|
||
|
||
### 2. SOURCE IMAGE | ||
## this is a standard Containerfile FROM using the build ARGs above to select the right upstream image | ||
FROM ghcr.io/ublue-os/${SOURCE_IMAGE}${SOURCE_SUFFIX}:${SOURCE_TAG} | ||
|
||
|
||
### 3. MODIFICATIONS | ||
## make modifications desired in your image and install packages by modifying the build.sh script | ||
## the following RUN directive does all the things required to run "build.sh" as recommended. | ||
|
||
COPY build.sh /tmp/build.sh | ||
|
||
RUN mkdir -p /var/lib/alternatives && \ | ||
/tmp/build.sh && \ | ||
ostree container commit | ||
## NOTES: | ||
# - /var/lib/alternatives is required to prevent failure with some RPM installs | ||
# - All RUN commands must end with ostree container commit | ||
# see: https://coreos.github.io/rpm-ostree/container/#using-ostree-container-commit |
Oops, something went wrong.