feature(nebula): build offsec image #1679
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Images | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - ".github/workflows/build-iso.yml" | |
| schedule: | |
| - cron: "0 1 * * 1" # Every Monday at 1am | |
| workflow_dispatch: | |
| env: | |
| IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-build | |
| cancel-in-progress: true | |
| jobs: | |
| build-lumina: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| fedora-version: [39, 40, stable] | |
| base-image: [silverblue, kinoite, cosmic] | |
| exclude: | |
| - fedora-version: 39 | |
| base-image: cosmic | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| env: | |
| IMAGE_NAME: "" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - name: Optimize GHA Storage | |
| uses: rsturla/eternal-main/.github/actions/optimise-gha-storage@main | |
| - name: Setup Environment Variables | |
| env: | |
| BASE_IMAGE: ${{ matrix.base-image }} | |
| run: | | |
| if [ "${BASE_IMAGE}" == "silverblue" ]; then | |
| echo "IMAGE_NAME=eternal-linux/lumina" >> $GITHUB_ENV | |
| else | |
| echo "IMAGE_NAME=eternal-linux/lumina-${BASE_IMAGE}" >> $GITHUB_ENV | |
| fi | |
| - name: Generate Image Tags | |
| uses: rsturla/eternal-main/.github/actions/generate-image-tags@main | |
| id: generate-image-tags | |
| with: | |
| image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }} | |
| major-version: ${{ matrix.fedora-version }} | |
| is-release: ${{ github.event_name != 'pull_request' }} | |
| - name: Build Image | |
| id: build | |
| uses: rsturla/eternal-main/.github/actions/build-image@main | |
| with: | |
| builder: docker | |
| context: lumina/. | |
| dockerfile: lumina/Containerfile | |
| image-name: ${{ env.IMAGE_NAME }} | |
| image-tags: | | |
| ${{ steps.generate-image-tags.outputs.tags }} | |
| build-args: | | |
| BASE_TAG=${{ matrix.fedora-version }} | |
| BASE_IMAGE=${{ matrix.base-image }} | |
| - name: Push Image | |
| id: push | |
| uses: rsturla/eternal-main/.github/actions/push-image@main | |
| with: | |
| builder: ${{ steps.build.outputs.builder }} | |
| image-name: ${{ steps.build.outputs.image }} | |
| image-tags: ${{ steps.build.outputs.tags }} | |
| image-registry: ${{ env.IMAGE_REGISTRY }} | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sign Image | |
| uses: rsturla/eternal-main/.github/actions/sign-image@main | |
| if: github.event_name != 'pull_request' | |
| with: | |
| registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| registry-provider: ghcr.io | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| digest: ${{ steps.push.outputs.digest }} | |
| private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }} | |
| private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }} | |
| build-lumina-nvidia: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| fedora-version: [39, 40, stable] | |
| base-image: [silverblue, kinoite, cosmic] | |
| nvidia-type: [open, proprietary] | |
| exclude: | |
| - fedora-version: 39 | |
| base-image: cosmic | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| env: | |
| IMAGE_NAME: "" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - name: Optimize GHA Storage | |
| uses: rsturla/eternal-main/.github/actions/optimise-gha-storage@main | |
| - name: Setup Environment Variables | |
| env: | |
| BASE_IMAGE: ${{ matrix.base-image }} | |
| run: | | |
| if [ "${BASE_IMAGE}" == "silverblue" ]; then | |
| echo "IMAGE_NAME=eternal-linux/lumina" >> $GITHUB_ENV | |
| else | |
| echo "IMAGE_NAME=eternal-linux/lumina-${BASE_IMAGE}" >> $GITHUB_ENV | |
| fi | |
| - name: Generate Image Tags | |
| uses: rsturla/eternal-main/.github/actions/generate-image-tags@main | |
| id: generate-image-tags | |
| with: | |
| image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }} | |
| major-version: ${{ matrix.fedora-version }} | |
| is-release: ${{ github.event_name != 'pull_request' }} | |
| is-nvidia: true | |
| nvidia-type: ${{ matrix.nvidia-type }} | |
| - name: Build Image | |
| id: build | |
| uses: rsturla/eternal-main/.github/actions/build-image@main | |
| with: | |
| builder: docker | |
| context: lumina/. | |
| dockerfile: lumina/Containerfile | |
| image-name: ${{ env.IMAGE_NAME }} | |
| image-tags: | | |
| ${{ steps.generate-image-tags.outputs.tags }} | |
| build-args: | | |
| BASE_TAG=${{ matrix.fedora-version }}-${{ matrix.nvidia-type == 'open' && 'nvidia-open' || 'nvidia' }} | |
| FEDORA_VERSION=${{ matrix.fedora-version }} | |
| BASE_IMAGE=${{ matrix.base-image }} | |
| - name: Push Image | |
| id: push | |
| uses: rsturla/eternal-main/.github/actions/push-image@main | |
| with: | |
| builder: ${{ steps.build.outputs.builder }} | |
| image-name: ${{ steps.build.outputs.image }} | |
| image-tags: ${{ steps.build.outputs.tags }} | |
| image-registry: ${{ env.IMAGE_REGISTRY }} | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sign Image | |
| uses: rsturla/eternal-main/.github/actions/sign-image@main | |
| if: github.event_name != 'pull_request' | |
| with: | |
| registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| registry-provider: ghcr.io | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| digest: ${{ steps.push.outputs.digest }} | |
| private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }} | |
| private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }} | |
| build-nebula: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| fedora-version: [40, stable] | |
| base-image: [silverblue] | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| env: | |
| IMAGE_NAME: "" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - name: Optimize GHA Storage | |
| uses: rsturla/eternal-main/.github/actions/optimise-gha-storage@main | |
| - name: Setup Environment Variables | |
| env: | |
| BASE_IMAGE: ${{ matrix.base-image }} | |
| run: | | |
| if [ "${BASE_IMAGE}" == "silverblue" ]; then | |
| echo "IMAGE_NAME=eternal-linux/nebula" >> $GITHUB_ENV | |
| else | |
| echo "IMAGE_NAME=eternal-linux/nebula-${BASE_IMAGE}" >> $GITHUB_ENV | |
| fi | |
| - name: Generate Image Tags | |
| uses: rsturla/eternal-main/.github/actions/generate-image-tags@main | |
| id: generate-image-tags | |
| with: | |
| image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }} | |
| major-version: ${{ matrix.fedora-version }} | |
| is-release: ${{ github.event_name != 'pull_request' }} | |
| - name: Build Image | |
| id: build | |
| uses: rsturla/eternal-main/.github/actions/build-image@main | |
| with: | |
| builder: docker | |
| context: nebula/. | |
| dockerfile: nebula/Containerfile | |
| image-name: ${{ env.IMAGE_NAME }} | |
| image-tags: | | |
| ${{ steps.generate-image-tags.outputs.tags }} | |
| build-args: | | |
| BASE_TAG=${{ matrix.fedora-version }} | |
| BASE_IMAGE=${{ matrix.base-image }} | |
| - name: Push Image | |
| id: push | |
| uses: rsturla/eternal-main/.github/actions/push-image@main | |
| with: | |
| builder: ${{ steps.build.outputs.builder }} | |
| image-name: ${{ steps.build.outputs.image }} | |
| image-tags: ${{ steps.build.outputs.tags }} | |
| image-registry: ${{ env.IMAGE_REGISTRY }} | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sign Image | |
| uses: rsturla/eternal-main/.github/actions/sign-image@main | |
| if: github.event_name != 'pull_request' | |
| with: | |
| registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| registry-provider: ghcr.io | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| digest: ${{ steps.push.outputs.digest }} | |
| private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }} | |
| private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }} | |
| build-nebula-nvidia: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| fedora-version: [40, stable] | |
| base-image: [silverblue] | |
| nvidia-type: [open, proprietary] | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| env: | |
| IMAGE_NAME: "" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - name: Optimize GHA Storage | |
| uses: rsturla/eternal-main/.github/actions/optimise-gha-storage@main | |
| - name: Setup Environment Variables | |
| env: | |
| BASE_IMAGE: ${{ matrix.base-image }} | |
| run: | | |
| if [ "${BASE_IMAGE}" == "silverblue" ]; then | |
| echo "IMAGE_NAME=eternal-linux/nebula" >> $GITHUB_ENV | |
| else | |
| echo "IMAGE_NAME=eternal-linux/nebula-${BASE_IMAGE}" >> $GITHUB_ENV | |
| fi | |
| - name: Generate Image Tags | |
| uses: rsturla/eternal-main/.github/actions/generate-image-tags@main | |
| id: generate-image-tags | |
| with: | |
| image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }} | |
| major-version: ${{ matrix.fedora-version }} | |
| is-release: ${{ github.event_name != 'pull_request' }} | |
| is-nvidia: true | |
| nvidia-type: ${{ matrix.nvidia-type }} | |
| - name: Build Image | |
| id: build | |
| uses: rsturla/eternal-main/.github/actions/build-image@main | |
| with: | |
| builder: docker | |
| context: nebula/. | |
| dockerfile: nebula/Containerfile | |
| image-name: ${{ env.IMAGE_NAME }} | |
| image-tags: | | |
| ${{ steps.generate-image-tags.outputs.tags }} | |
| build-args: | | |
| BASE_TAG=${{ matrix.fedora-version }}-${{ matrix.nvidia-type == 'open' && 'nvidia-open' || 'nvidia' }} | |
| FEDORA_VERSION=${{ matrix.fedora-version }} | |
| BASE_IMAGE=${{ matrix.base-image }} | |
| - name: Push Image | |
| id: push | |
| uses: rsturla/eternal-main/.github/actions/push-image@main | |
| with: | |
| builder: ${{ steps.build.outputs.builder }} | |
| image-name: ${{ steps.build.outputs.image }} | |
| image-tags: ${{ steps.build.outputs.tags }} | |
| image-registry: ${{ env.IMAGE_REGISTRY }} | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sign Image | |
| uses: rsturla/eternal-main/.github/actions/sign-image@main | |
| if: github.event_name != 'pull_request' | |
| with: | |
| registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| registry-provider: ghcr.io | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| digest: ${{ steps.push.outputs.digest }} | |
| private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }} | |
| private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }} | |
| check: | |
| needs: [build-lumina, build-lumina-nvidia, build-nebula, build-nebula-nvidia] | |
| if: always() | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - name: Check Job Status | |
| uses: rsturla/eternal-main/.github/actions/check-jobs-success@main | |
| with: | |
| jobs: ${{ toJSON(needs) }} |