From e1d7cf1e23d5d83ba017655ffe4072631a977e64 Mon Sep 17 00:00:00 2001
From: m2 <69128853+m2Giles@users.noreply.github.com>
Date: Sun, 10 Nov 2024 17:56:21 -0500
Subject: [PATCH] chore(ci): Consolidate workflow into just commands (#1910)
Signed-off-by: m2 <69128853+m2Giles@users.noreply.github.com>
Co-authored-by: Benjamin Sherman
Co-authored-by: Jorge O. Castro
Co-authored-by: befanyt <172807209+befanyt@users.noreply.github.com>
---
.github/changelogs.py | 19 +-
.github/workflows/build-image-beta.yml | 1 -
.github/workflows/build-image-gts.yml | 3 +-
.github/workflows/build-image-latest.yml | 1 -
.github/workflows/build-image-stable.yml | 1 -
.github/workflows/generate-release.yml | 28 +-
.github/workflows/reusable-build-iso.yml | 125 +----
.github/workflows/reusable-build.yml | 370 ++++-----------
Justfile | 429 +++++++++++++++---
build_files/base/02-install-copr-repos.sh | 6 +-
build_files/base/03-install-kernel-akmods.sh | 16 +-
build_files/base/05-override-install.sh | 4 +-
build_files/base/06-fetch-quadlets.sh | 8 +-
build_files/base/07-base-image-changes.sh | 2 +-
build_files/base/08-firmware.sh | 4 +-
build_files/base/09-hwe-additions.sh | 4 +-
build_files/base/10-brew.sh | 2 +-
build_files/dx/01-install-copr-repos-dx.sh | 10 +-
build_files/dx/02-install-kernel-akmods-dx.sh | 8 +-
build_files/dx/04-override-install-dx.sh | 6 +-
20 files changed, 530 insertions(+), 517 deletions(-)
diff --git a/.github/changelogs.py b/.github/changelogs.py
index 845602db31c..a7c796e5a3a 100644
--- a/.github/changelogs.py
+++ b/.github/changelogs.py
@@ -368,15 +368,24 @@ def generate_changelog( except Exception as e: print(f"Failed to get finish hash:\n{e}") finish = "" + try: + linux: str = next(iter(manifests.values()))["Labels"][ + "ostree.linux" + ] + start=linux.find(".fc") + 3 + fedora_version=linux[start:start+2] + except Exception as e: + print(f"Failed to get linux version:\n{e}") + fedora_version = "" # Remove .0 from curr curr_pretty = re.sub(r"\.\d{1,2}$", "", curr) # Remove target- from curr - curr_pretty = re.sub(rf"^[a-z]+-", "", curr_pretty) - pretty = target.capitalize() + " (F" + curr_pretty - if finish and target != "stable": - pretty += ", #" + finish[:7] - pretty += ")" + curr_pretty = re.sub(rf"^[a-z]+-|^[0-9]+-", "", curr_pretty) + pretty = target.capitalize() + pretty += " (F" + fedora_version + pretty += "." + curr_pretty + pretty += ", #" + finish[:7] + ")" title = CHANGELOG_TITLE.format_map(defaultdict(str, tag=curr, pretty=pretty)) diff --git a/.github/workflows/build-image-beta.yml b/.github/workflows/build-image-beta.yml index 55c63a8dbbc..1628f017b66 100644 --- a/.github/workflows/build-image-beta.yml +++ b/.github/workflows/build-image-beta.yml @@ -38,7 +38,6 @@ jobs: generate-release: name: Generate Release needs: [build-image-beta] - if: github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call' || github.event_name.schedule == '40 4 * * 0' secrets: inherit uses: ./.github/workflows/generate-release.yml with: diff --git a/.github/workflows/build-image-gts.yml b/.github/workflows/build-image-gts.yml index 55b88a1e0f1..f4116ae76db 100644 --- a/.github/workflows/build-image-gts.yml +++ b/.github/workflows/build-image-gts.yml @@ -7,7 +7,7 @@ on: paths-ignore: - "**.md" schedule: - - cron: "41 5 * * 0" # 5:41 UTC Weekly on Sundays + - cron: "45 5 * * 0" # 5:45 UTC Weekly on Sundays workflow_dispatch: workflow_call: 
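Review bot: In the added `try` block, `linux.find(".fc") + 3` never raises when the marker is missing: `find` returns -1, `start` becomes 2, and `fedora_version` is silently set to two unrelated characters, so the `except` fallback is not reached. Since `re` is already used just below, `m = re.search(r"\.fc(\d+)", linux)` followed by `fedora_version = m.group(1) if m else ""` handles both a missing marker and a version that is not exactly two digits. The rewritten title also appends `", #" + finish[:7] + ")"` unconditionally, so when the finish-hash lookup above failed and `finish` is `""` the title ends in `, #)`; keeping an `if finish:` guard around the hash part avoids that. The `rf` prefix on the new pattern has nothing to interpolate and can be a plain `r`. `generate_changelog` starts and ends outside this hunk.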
@@ -27,7 +27,6 @@ jobs: generate_release: name: Generate Release needs: [build-image-gts] - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call' secrets: inherit uses: ./.github/workflows/generate-release.yml with: diff --git a/.github/workflows/build-image-latest.yml b/.github/workflows/build-image-latest.yml index 01792af0e50..b91cecf2d64 100644 --- a/.github/workflows/build-image-latest.yml +++ b/.github/workflows/build-image-latest.yml @@ -39,7 +39,6 @@ jobs: generate-release: name: Generate Release needs: [build-image-latest] - if: github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call' || github.event_name.schedule == '40 4 * * 0' secrets: inherit uses: ./.github/workflows/generate-release.yml with: diff --git a/.github/workflows/build-image-stable.yml b/.github/workflows/build-image-stable.yml index 2e32bb3c77c..9eb1e45be10 100644 --- a/.github/workflows/build-image-stable.yml +++ b/.github/workflows/build-image-stable.yml @@ -38,7 +38,6 @@ jobs: generate-release: name: Generate Release needs: [build-image-stable] - if: github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call' || github.event_name.schedule == '45 5 * * 0' secrets: inherit uses: ./.github/workflows/generate-release.yml with: diff --git a/.github/workflows/generate-release.yml b/.github/workflows/generate-release.yml index 794cd3b93cc..6a12413e3f2 100644 --- a/.github/workflows/generate-release.yml +++ b/.github/workflows/generate-release.yml 
@@ -45,28 +45,38 @@ jobs: version: ${{ fromJson( inputs.stream_name ) }} steps: - - name: Checkout last 500 commits (fot to work) - uses: actions/checkout@v4 + - name: Checkout last 500 commits (for to work) + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 500 + - name: Install Just + shell: bash + run: | + set -eoux pipefail + JUST_VERSION=$(curl -L https://api.github.com/repos/casey/just/releases/latest | jq -r '.tag_name') + curl -sSLO https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz + tar -zxvf just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz -C /tmp just + sudo mv /tmp/just /usr/local/bin/just + rm -f just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz + + - name: Check Just Syntax + shell: bash + run: | + just check + - name: Generate Release Text id: generate-release-text shell: bash run: | - python3 ./.github/changelogs.py \ - "${{ matrix.version }}" \ - ./output.env \ - ./changelog.md \ - --workdir . \ - --handwritten "${{ github.event.inputs.handwritten }}" - + just changelogs "${{ matrix.version }}" "${{ github.event.inputs.handwritten }}" source ./output.env echo "title=${TITLE}" >> $GITHUB_OUTPUT echo "tag=${TAG}" >> $GITHUB_OUTPUT - name: Create Release uses: softprops/action-gh-release@v2 + if: contains(fromJson('["workflow_dispatch", "workflow_call"]'), github.event_name) || contains(fromJson('["45 5 * * 0", "40 4 * * 0"]'), github.event_name.schedule) with: name: ${{ steps.generate-release-text.outputs.title }} tag_name: ${{ steps.generate-release-text.outputs.tag }} diff --git a/.github/workflows/reusable-build-iso.yml b/.github/workflows/reusable-build-iso.yml index 4b1ee158e75..8764fa97da9 100644 --- a/.github/workflows/reusable-build-iso.yml +++ b/.github/workflows/reusable-build-iso.yml @@ -21,7 +21,7 @@ concurrency: jobs: build-iso: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: read packages: write 
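Review bot: The `Install Just` step resolves `releases/latest` at run time and moves the extracted binary into `/usr/local/bin` with sudo without checking any digest, even though this same hunk pins `actions/checkout` to a commit SHA; the identical step is added in the reusable-build-iso.yml and reusable-build.yml hunks. Set a fixed `JUST_VERSION=<pinned-tag>` and verify the tarball before `tar`, e.g. `echo "<expected-sha256>  just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz" | sha256sum -c -`. The first `curl -L` has no `-f`, so an API error or rate-limit body would reach `jq` and leave `JUST_VERSION` as `null`. In `Generate Release Text`, `"${{ github.event.inputs.handwritten }}"` is still expanded into the script text; mapping it through `env:` and passing `"$HANDWRITTEN"` keeps free-form input out of the command line. The new `if:` on `Create Release` reads `github.event_name.schedule`, but `github.event_name` is a string, so `github.event.schedule` is probably what was meant.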
@@ -34,115 +34,35 @@ jobs: stream_name: ["${{ inputs.stream_name }}"] steps: - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 - - name: Checkout Repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Matrix Variables - run: | - if [[ "${{ matrix.image_flavor }}" == "main" ]]; then - echo "IMAGE_NAME=${{ matrix.base_name }}" >> $GITHUB_ENV - else - echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.base_name, matrix.image_flavor) }}" >> $GITHUB_ENV - fi - if [[ ${{ matrix.base_name }} =~ bluefin ]]; then - echo "VARIANT=Silverblue" >> $GITHUB_ENV - elif [[ ${{ matrix.base_name }} =~ aurora ]]; then - echo "VARIANT=Kinoite" >> $GITHUB_ENV - fi - - - name: Get Current Fedora Version - id: labels + - name: Install Just shell: bash run: | - set -eo pipefail - kernel_release=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.IMAGE_NAME }}:${{ matrix.stream_name }} | jq -r '.Labels["ostree.linux"] | split(".x86_64")[0]') - fedora_version=$(echo $kernel_release | grep -oP 'fc\K[0-9]+') - echo "kernel_release=$kernel_release" >> $GITHUB_OUTPUT - echo "fedora_version=$fedora_version" >> $GITHUB_OUTPUT - - - name: Set Image Tag - id: generate-tag + set -eoux pipefail + JUST_VERSION=$(curl -L https://api.github.com/repos/casey/just/releases/latest | jq -r '.tag_name') + curl -sSLO https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz + tar -zxvf just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz -C /tmp just + sudo mv /tmp/just /usr/local/bin/just + rm -f just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz + + - name: Check Just Syntax shell: bash run: | - TAG="${{ matrix.stream_name }}" - - if [[ "${{ github.ref_name }}" == "testing" ]]; then - TAG="testing-${TAG}" - fi - - # Would like to implement in the future. This will allow us to support image tags from a PR. 
- #if [[ github.event.number ]]; then - # TAG="pr-${{ github.event.number }}-${{ matrix.stream_name }}" - #fi + just check - echo "tag=${TAG}" >> $GITHUB_OUTPUT - - - name: Set Flatpaks Directory Shortname - id: generate-flatpak-dir-shortname - shell: bash - run: | - if [[ "${{ env.IMAGE_NAME }}" =~ bluefin ]]; then - FLATPAK_DIR_SHORTNAME="bluefin_flatpaks" - elif [[ "${{ env.IMAGE_NAME }}" =~ aurora ]]; then - FLATPAK_DIR_SHORTNAME="aurora_flatpaks" - fi - echo "flatpak-dir-shortname=${FLATPAK_DIR_SHORTNAME}" >> $GITHUB_OUTPUT + - name: Free Disk Space (Ubuntu) + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 - - name: Determine Flatpak Dependencies - id: flatpak_dependencies + - name: Build ISO shell: bash run: | - set -ex - image="ghcr.io/ublue-os/${{ env.IMAGE_NAME }}:${{ matrix.stream_name }}" - # Make temp space - TEMP_FLATPAK_INSTALL_DIR=$(mktemp -d -p ${{ github.workspace }} flatpak.XXX) - # Get list of refs from directory - FLATPAK_REFS_DIR=${{ github.workspace }}/${{ steps.generate-flatpak-dir-shortname.outputs.flatpak-dir-shortname }} - FLATPAK_REFS_DIR_LIST=$(cat ${FLATPAK_REFS_DIR}/* | tr '\n' ' ' ) - DX_FLATPAK_REFS_DIR_LIST="$(cat dx_flatpaks/* | tr '\n' ' ' )" - if [[ ${{ env.IMAGE_NAME }} == *"-dx"* ]]; then - FLATPAK_REFS_DIR_LIST="${FLATPAK_REFS_DIR_LIST} ${DX_FLATPAK_REFS_DIR_LIST}" - fi - # Generate install script - cat << EOF > ${TEMP_FLATPAK_INSTALL_DIR}/script.sh - cat /temp_flatpak_install_dir/script.sh - mkdir -p /flatpak/flatpak /flatpak/triggers - mkdir /var/tmp || true - chmod -R 1777 /var/tmp - flatpak config --system --set languages "*" - flatpak remote-add --system flathub https://flathub.org/repo/flathub.flatpakrepo - flatpak install --system -y ${FLATPAK_REFS_DIR_LIST} - ostree refs --repo=\${FLATPAK_SYSTEM_DIR}/repo | grep '^deploy/' | grep -v 'org\.freedesktop\.Platform\.openh264' | sed 's/^deploy\///g' > /output/flatpaks_with_deps - EOF - docker run --rm --privileged \ - --entrypoint bash \ - 
-e FLATPAK_SYSTEM_DIR=/flatpak/flatpak \ - -e FLATPAK_TRIGGERSDIR=/flatpak/triggers \ - --volume ${FLATPAK_REFS_DIR}:/output \ - --volume ${TEMP_FLATPAK_INSTALL_DIR}:/temp_flatpak_install_dir \ - ${image} /temp_flatpak_install_dir/script.sh - docker rmi ${image} - - - name: Build ISOs - uses: jasonn3/build-container-installer@a1ce6da2d6c1af0561bec053366d0f3aa7e38743 # v1.2.3 - id: build - with: - arch: x86_64 - image_name: ${{ env.IMAGE_NAME }} - image_repo: ghcr.io/ublue-os - variant: ${{ env.VARIANT }} - version: ${{ steps.labels.outputs.fedora_version }} - image_tag: ${{ steps.generate-tag.outputs.tag }} - secure_boot_key_url: "https://github.com/ublue-os/akmods/raw/main/certs/public_key.der" - enrollment_password: "universalblue" - iso_name: ${{ env.IMAGE_NAME }}-${{ steps.generate-tag.outputs.tag }}.iso - enable_cache_dnf: "false" - enable_cache_skopeo: "false" - flatpak_remote_refs_dir: ${{ steps.generate-flatpak-dir-shortname.outputs.flatpak-dir-shortname }} - enable_flatpak_dependencies: "false" + image_name="$(just image_name ${{ matrix.base_name }} ${{ matrix.stream_name }} ${{ matrix.image_flavor }})" + sudo just build-iso-ghcr "${{ matrix.base_name }} ${{ matrix.stream_name }} ${{ matrix.image_flavor }}" + echo "IMAGE_NAME=${image_name}" >> $GITHUB_ENV + echo "ISO_BUILD_DIR=${{ github.workspace }}/${image_name}_build" >> $GITHUB_ENV + echo "ISO_NAME=${image_name}.iso" >> $GITHUB_ENV - name: Move ISOs to Upload Directory id: upload-directory 
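Review bot: In the new `Build ISO` step, `sudo just build-iso-ghcr "${{ matrix.base_name }} ${{ matrix.stream_name }} ${{ matrix.image_flavor }}"` passes all three values as one quoted argument, while the `just image_name` call on the line before passes them as three separate words. Whether the recipe then sees the intended tag and flavor depends on how its body re-splits the text, which is not visible in this hunk; `sudo just build-iso-ghcr "${{ matrix.base_name }}" "${{ matrix.stream_name }}" "${{ matrix.image_flavor }}"` is unambiguous. The hunk also drops the explicit `secure_boot_key_url` and `enrollment_password` inputs of the removed action step, so a comment on the step such as `# secure boot key URL and enrollment password are set in the build-iso recipe` (once confirmed) would record where they now live.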
@@ -150,16 +70,15 @@ jobs: run: | ISO_UPLOAD_DIR=${{ github.workspace }}/upload mkdir ${ISO_UPLOAD_DIR} - mv ${{ steps.build.outputs.iso_path }}/${{ steps.build.outputs.iso_name }} ${ISO_UPLOAD_DIR} - mv ${{ steps.build.outputs.iso_path }}/${{ steps.build.outputs.iso_name }}-CHECKSUM ${ISO_UPLOAD_DIR} + mv ${{ env.ISO_BUILD_DIR }}/${{ env.ISO_NAME }} ${ISO_UPLOAD_DIR} + mv ${{ env.ISO_BUILD_DIR }}/${{ env.ISO_NAME }}-CHECKSUM ${ISO_UPLOAD_DIR} echo "iso-upload-dir=${ISO_UPLOAD_DIR}" >> $GITHUB_OUTPUT - name: Upload ISOs and Checksum to Job Artifacts if: github.ref_name == 'testing' - #if: github.event_name == 'pull_request' uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 with: - name: ${{ steps.build.outputs.iso_name }} + name: ${{ env.ISO_NAME }} path: ${{ steps.upload-directory.outputs.iso-upload-dir }} if-no-files-found: error retention-days: 0 diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 2ad478f7355..a37cbfb745c 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml 
@@ -45,249 +45,90 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - - name: Matrix Variables + + - name: Install Just shell: bash run: | set -eoux pipefail - # IMAGE_NAME - if [[ "${{ matrix.image_flavor }}" == "main" ]]; then - echo "IMAGE_NAME=${{ matrix.base_name }}" >> $GITHUB_ENV - else - echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.base_name, matrix.image_flavor) }}" >> $GITHUB_ENV - fi - - # BASE_IMAGE_NAME - if [[ "${{ matrix.base_name }}" =~ "bluefin" ]]; then - echo "BASE_IMAGE_NAME"="silverblue" >> $GITHUB_ENV - elif [[ "${{ matrix.base_name }}" =~ "aurora" ]]; then - echo "BASE_IMAGE_NAME"="kinoite" >> $GITHUB_ENV - fi - - # TARGET_NAME - if [[ "${{ matrix.base_name }}" =~ "dx" ]]; then - echo "TARGET_NAME"="dx" >> $GITHUB_ENV - else - echo "TARGET_NAME"="base" >> $GITHUB_ENV - fi - - # AKMODS_FLAVOR - if [[ "${{ matrix.image_flavor }}" =~ "hwe" ]]; then - echo "AKMODS_FLAVOR=bazzite" >> $GITHUB_ENV - elif [[ "${{ matrix.stream_name }}" =~ stable|gts ]]; then - echo "AKMODS_FLAVOR=coreos-stable" >> $GITHUB_ENV - elif [[ "${{ matrix.stream_name }}" =~ beta ]]; then - echo "AKMODS_FLAVOR=coreos-testing" >> $GITHUB_ENV - else - echo "AKMODS_FLAVOR=main" >> $GITHUB_ENV - fi - - - name: Get Current Fedora Version - id: labels - uses: Wandalen/wretry.action@8ceaefd717b7cdae4f2637f9a433242ade421a0a # v3.7.2 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - set -eoux pipefail - - # Fedora Version - if [[ "${{ matrix.stream_name }}" =~ stable ]]; then - fedora_version=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:stable | jq -r '.Labels["ostree.linux"]' | grep -oP 'fc\K[0-9]+') - else - fedora_version=$(skopeo inspect docker://ghcr.io/ublue-os/base-main:${{ matrix.stream_name }} | jq -r '.Labels["ostree.linux"]' | grep -oP 'fc\K[0-9]+') - fi - - # Kernel Release for ostree.linux label - kernel_release=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.AKMODS_FLAVOR 
}}-kernel:"${fedora_version}" | jq -r '.Labels["ostree.linux"]') - - # Get Version - ver=$(skopeo inspect docker://ghcr.io/ublue-os/"${{ env.BASE_IMAGE_NAME }}"-main:"${fedora_version}" | jq -r '.Labels["org.opencontainers.image.version"]') - if [ -z "$ver" ] || [ "null" = "$ver" ]; then - echo "inspected image version must not be empty or null" - exit 1 - fi - - kernel_pin="${{ inputs.kernel_pin }}" - - if [[ -n "${kernel_pin:-}" ]]; then - kernel_release="${kernel_pin}" - fedora_version="$(grep -oP 'fc\K[0-9]+' <<< ${kernel_pin})" - - # check to make sure pin exists - if [[ $(skopeo inspect docker://ghcr.io/ublue-os/"${{ env.AKMODS_FLAVOR }}"-kernel:"${kernel_pin}" | jq -r '.Labels["ostree.linux"]') != "${kernel_pin}" ]]; then - echo "Kernel Pin does not exist" - exit 1 - fi - fi - - # Push into GITHUB ENV - echo "KERNEL_RELEASE=$kernel_release" >> $GITHUB_ENV - echo "FEDORA_VERSION=$fedora_version" >> $GITHUB_ENV - echo "VERSION=$ver" >> $GITHUB_ENV - - - name: Verify base image - uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79 # v0.3.0 - with: - containers: ${{ env.BASE_IMAGE_NAME}}-main:${{ env.FEDORA_VERSION }} - - - name: Verify Akmods - uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79 # v0.3.0 - with: - containers: akmods:${{ env.AKMODS_FLAVOR}}-${{ env.FEDORA_VERSION }}-${{ env.KERNEL_RELEASE }} - - - name: Verify Nvidia - uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79 # v0.3.0 - with: - containers: akmods-nvidia:${{ env.AKMODS_FLAVOR}}-${{ env.FEDORA_VERSION }}-${{ env.KERNEL_RELEASE }} - - - name: Verify ZFS - uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79 # v0.3.0 - if: contains(env.AKMODS_FLAVOR, 'coreos') - with: - containers: akmods-zfs:${{ env.AKMODS_FLAVOR }}-${{ env.FEDORA_VERSION }}-${{ env.KERNEL_RELEASE }} - - - name: Verify Kernel Cache - uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79 # v0.3.0 
- with: - containers: ${{ env.AKMODS_FLAVOR }}-kernel:${{ env.KERNEL_RELEASE }} - - - name: Check just syntax - uses: ublue-os/just-action@bda593098a84a84973b002b4377709166a68be52 # v2 + JUST_VERSION=$(curl -L https://api.github.com/repos/casey/just/releases/latest | jq -r '.tag_name') + curl -sSLO https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz + tar -zxvf just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz -C /tmp just + sudo mv /tmp/just /usr/local/bin/just + rm -f just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz + + - name: Check Just Syntax + shell: bash + run: | + just check + + - name: Image Name + shell: bash + run: | + IMAGE_NAME="$(just image_name ${{ matrix.base_name }} ${{ matrix.stream_name }} ${{ matrix.image_flavor }})" + echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV - name: Generate tags id: generate-tags shell: bash run: | - # Generate a timestamp for creating an image version history - TIMESTAMP="$(date +%Y%m%d)" - TODAY="$(date +%A)" - WEEKLY="Sunday" - - # Arrays for Tags - COMMIT_TAGS=() - BUILD_TAGS=() - - # Have tags for tracking builds during pull request - SHA_SHORT="${GITHUB_SHA::7}" - COMMIT_TAGS+=("pr-${{ github.event.number }}-${{ matrix.stream_name }}") - COMMIT_TAGS+=("${SHA_SHORT}-${{ matrix.stream_name }}") - - # Convenience and Default Tags - if [[ "${{ matrix.stream_name }}" =~ stable ]]; then - BUILD_TAGS+=("stable-daily" "stable-daily-${TIMESTAMP}") - echo "DEFAULT_TAG=stable-daily" >> $GITHUB_ENV - else - BUILD_TAGS+=("${{ matrix.stream_name }}" "${{ matrix.stream_name }}-${TIMESTAMP}") - echo "DEFAULT_TAG=${{ matrix.stream_name }}" >> $GITHUB_ENV - fi - - # Weekly Stable / Rebuild Stable on workflow_dispatch - if [[ "${{ matrix.stream_name }}" =~ "stable" && "${WEEKLY}" == "${TODAY}" && "${{ github.event_name }}" =~ schedule ]]; then - BUILD_TAGS+=("stable" "stable-${TIMESTAMP}") - elif [[ "${{ matrix.stream_name }}" =~ "stable" && "${{ 
github.event_name }}" =~ workflow_dispatch|workflow_call ]]; then - BUILD_TAGS+=("stable" "stable-${TIMESTAMP}") - elif [[ ! "${{ matrix.stream_name}}" =~ "stable" ]]; then - BUILD_TAGS+=("${{ env.FEDORA_VERSION }}" "${{ env.FEDORA_VERSION }}-${TIMESTAMP}") - fi - - # Prepend testing if built on testing branch - if [[ "${{ github.ref_name }}" == "testing" ]]; then - temp=() - for TAG in "${BUILD_TAGS[@]}"; do - temp+=(testing-"$TAG") - done - BUILD_TAGS=(${temp[@]}) - fi - - # Use Commit Tags if PR / Use Build Tags if Not - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "Generated the following commit tags: " - for TAG in "${COMMIT_TAGS[@]}"; do - echo "${TAG}" - done - alias_tags=("${COMMIT_TAGS[@]}") - else - echo "Generated the following build tags: " - for TAG in "${BUILD_TAGS[@]}"; do - echo "${TAG}" - done - alias_tags=("${BUILD_TAGS[@]}") - fi - - echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - - # Build metadata - - name: Image Metadata - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5 - id: meta - with: - images: | - ${{ env.IMAGE_NAME }} - labels: | - org.opencontainers.image.title=${{ env.IMAGE_NAME }} - org.opencontainers.image.version=${{ env.VERSION }} - org.opencontainers.image.description=An interpretation of the Ubuntu spirit built on Fedora technology - ostree.linux=${{ env.KERNEL_RELEASE }} - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/bluefin/README.md - io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - - - name: Define env.SHA_HEAD_SHORT - run: | - echo "SHA_HEAD_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV - + DEFAULT_TAG="$(just generate-default-tag \ + ${{ matrix.stream_name }} \ + "1")" + + alias_tags="$(just generate-build-tags \ + ${{ matrix.base_name }} \ + ${{ matrix.stream_name }} \ + ${{ matrix.image_flavor }} \ + "1" \ + ${{ github.event.number }} \ + ${{ github.event_name }})" + + echo "Default Tag: 
${DEFAULT_TAG}" + echo "Tags for this Action..." + echo "$alias_tags" + + echo "DEFAULT_TAG=${DEFAULT_TAG}" >> $GITHUB_ENV + echo "alias_tags=${alias_tags}" >> $GITHUB_OUTPUT + - name: Maximize build space uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 with: remove-codeql: true - - name: Pull images - uses: Wandalen/wretry.action@8ceaefd717b7cdae4f2637f9a433242ade421a0a # v3.7.2 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - # pull the base image used for FROM in containerfile so - # we can retry on that unfortunately common failure case - sudo podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.BASE_IMAGE_NAME }}-main:${{ env.FEDORA_VERSION }} - - name: Build Image - id: build_image + id: build-image + shell: bash run: | - set -euox pipefail + sudo just build-ghcr "${{ matrix.base_name }}" \ + "${{ matrix.stream_name }}" \ + "${{ matrix.image_flavor }}" \ + "${{ inputs.kernel_pin }}" - BUILD_ARGS=() - BUILD_ARGS+=("--build-arg" "AKMODS_FLAVOR=${{ env.AKMODS_FLAVOR }}") - BUILD_ARGS+=("--build-arg" "BASE_IMAGE_NAME=${{ env.BASE_IMAGE_NAME }}") - BUILD_ARGS+=("--build-arg" "FEDORA_MAJOR_VERSION=${{ env.FEDORA_VERSION }}") - BUILD_ARGS+=("--build-arg" "IMAGE_NAME=${{ env.IMAGE_NAME }}") - BUILD_ARGS+=("--build-arg" "IMAGE_VENDOR=${{ github.repository_owner }}") - BUILD_ARGS+=("--build-arg" "KERNEL=${{ env.KERNEL_RELEASE }}") - BUILD_ARGS+=("--build-arg" "SHA_HEAD_SHORT=${{ env.SHA_HEAD_SHORT }}") - BUILD_ARGS+=("--build-arg" "UBLUE_IMAGE_TAG=${{ matrix.stream_name }}") - - TAG_ARGS=() - IFS=' ' read -r -a tags_array <<< "${{ steps.generate-tags.outputs.alias_tags }}" - for tag in "${tags_array[@]}"; do - TAG_ARGS+=("--tag" "${{ env.IMAGE_NAME }}:${tag}") - done - - LABEL_ARGS=() - IFS=' ' read -r -a labels_array <<< "${{ steps.meta.outputs.labels }}" - for label in "${labels_array[@]}"; do - LABEL_ARGS+=("--label" "${label}") - done - - sudo podman build --format docker --target ${{ env.TARGET_NAME }} \ - 
"${BUILD_ARGS[@]}" \ - "${LABEL_ARGS[@]}" \ - --tag raw-img \ - . + - name: Rechunk Image + id: rechunk-image + shell: bash + run: | + sudo just rechunk "${{ matrix.base_name }}" \ + "${{ matrix.stream_name }}" \ + "${{ matrix.image_flavor }}" \ + "1" - sudo podman image ls + - name: Secureboot Check + id: secureboot + shell: bash + run: | + sudo just secureboot "${{ matrix.base_name }}" \ + "${{ env.DEFAULT_TAG }}" \ + "${{ matrix.image_flavor }}" - echo "image=${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT - echo "tags=${{ steps.generate-tags.outputs.alias_tags }}" >> $GITHUB_OUTPUT + # Tag Images + - name: Tag Images + shell: bash + run: | + set -eoux pipefail + sudo just tag-images "${{ env.IMAGE_NAME }}" \ + "${{ env.DEFAULT_TAG }}" \ + "${{ steps.generate-tags.outputs.alias_tags }}" # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 
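Review bot: In `Generate tags`, `${{ github.event.number }}` is expanded unquoted on its own continuation line, so on any event other than a pull request it renders as nothing and `${{ github.event_name }}` moves up into the pull-request-number position of `just generate-build-tags`. Quoting both keeps the argument count stable: `"${{ github.event.number }}" \` and `"${{ github.event_name }}")"`. The recipe is outside this hunk, so whether it tolerates the shift cannot be confirmed from here. The same hunk removes the SHA-pinned cosign `Verify …` steps in favour of logic inside `sudo just build-ghcr`; a comment on `Build Image` such as `# base image, kernel and akmods signatures are verified inside the build recipe` would tell reviewers where that check went.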
@@ -297,67 +138,10 @@ jobs: with: string: ${{ env.IMAGE_REGISTRY }} - - name: Rechunk Image - id: rechunk - uses: hhd-dev/rechunk@v1.0.1 - with: - rechunk: ghcr.io/hhd-dev/rechunk:v1.0.1 - ref: "raw-img" - skip_compression: "true" - labels: ${{ steps.meta.outputs.labels }} - prev-ref: ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}:${{ env.DEFAULT_TAG }} - - # Load Rechunked image and Tag them - - name: Load Rechunked Image - shell: bash - run: | - set -eoux pipefail - IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) - sudo rm -rf ${{ steps.rechunk.outputs.output }} - - for tag in ${{ steps.build_image.outputs.tags }}; do - podman tag $IMAGE ${{ env.IMAGE_NAME }}:${tag} - done - - # HWE Tagging - if [[ "${{ matrix.image_flavor }}" =~ hwe ]]; then - - image_name="${{ env.IMAGE_NAME }}" - asus_name="${image_name/hwe/asus}" - surface_name="${image_name/hwe/surface}" - - for tag in ${{ steps.build_image.outputs.tags }}; do - podman tag "${IMAGE}" "${asus_name}":${tag} - podman tag "${IMAGE}" "${surface_name}":${tag} - done - fi - podman tag $IMAGE rechunked-img - podman images - - # Check that Kernel is signed with Secureboot Keys - - name: Check Secureboot - shell: bash - run: | - set -x - if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then - sudo apt update - sudo apt install sbsigntool curl openssl - fi - TMP=$(podman create rechunked-img bash) - podman cp $TMP:/usr/lib/modules/${{ env.KERNEL_RELEASE }}/vmlinuz . 
- podman rm $TMP - sbverify --list vmlinuz - curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der - curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der - openssl x509 -in kernel-sign.der -out kernel-sign.crt - openssl x509 -in akmods.der -out akmods.crt - sbverify --cert kernel-sign.crt vmlinuz || exit 1 - sbverify --cert akmods.crt vmlinuz || exit 1 - - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' run: | - echo ${{ secrets.GITHUB_TOKEN }} | podman login ghcr.io -u ${{ github.actor }} --password-stdin + echo ${{ secrets.GITHUB_TOKEN }} | sudo podman login ghcr.io -u ${{ github.actor }} --password-stdin echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin - name: Push to GHCR @@ -370,8 +154,8 @@ jobs: command: | set -euox pipefail - for tag in ${{ steps.build_image.outputs.tags }}; do - podman push ${{ env.IMAGE_NAME }}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${tag} + for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do + sudo podman push ${{ env.IMAGE_NAME }}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${tag} done if [[ "${{ matrix.image_flavor }}" =~ hwe ]]; then 
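Review bot: The changed login line `echo ${{ secrets.GITHUB_TOKEN }} | sudo podman login ghcr.io …` still writes the token into the generated script text, unquoted, rather than handing it over through the environment. Map it on the step with `env:` (`GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and use `printf '%s' "$GITHUB_TOKEN" | sudo podman login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`, and the same for the `docker login` line below it. Log masking does not cover the script file itself, so the env form is the safer default now that the command runs under sudo.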
@@ -380,17 +164,15 @@ jobs: asus_name="${image_name/hwe/asus}" surface_name="${image_name/hwe/surface}" - for tag in ${{ steps.build_image.outputs.tags }}; do - podman push ${asus_name}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${asus_name}:${tag} - podman push ${surface_name}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${surface_name}:${tag} + for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do + sudo podman push ${asus_name}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${asus_name}:${tag} + sudo podman push ${surface_name}:${tag} ${{ steps.registry_case.outputs.lowercase }}/${surface_name}:${tag} done fi - digest=$(skopeo inspect docker://${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} --format '{{.Digest}}') - echo "digest=${digest}" >> $GITHUB_OUTPUT - # Sign container - - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - if: github.event_name != 'pull_request' + digest=$(sudo skopeo inspect docker://${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} --format '{{.Digest}}') + + echo "digest=${digest}" >> $GITHUB_OUTPUT - name: Sign container image if: github.event_name != 'pull_request' @@ -435,7 +217,7 @@ jobs: ${{ env.IMAGE_NAME }}-${{ matrix.stream_name }}.txt check: - name: Check all ${{ inputs.stream_name }} builds successful + name: Check all ${{ matrix.stream_name }} builds successful if: always() runs-on: ubuntu-latest needs: [build_container] diff --git a/Justfile b/Justfile index 8d03ff1942c..69d13a58ce0 100644 --- a/Justfile +++ b/Justfile @@ -1,4 +1,6 @@ repo_organization := "ublue-os" +rechunker_image := "ghcr.io/hhd-dev/rechunk:v1.0.1" +iso_builder_image := "ghcr.io/jasonn3/build-container-installer:v1.2.3" images := '( [aurora]=aurora [aurora-dx]=aurora-dx 
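Review bot: The `sigstore/cosign-installer` step is removed while the `Sign container image` step that follows is kept, and nothing in this hunk shows what now puts `cosign` on the runner. If a just recipe installs it, that install should be version-pinned and checksum-verified as the removed SHA-pinned action was; a comment above the signing step naming the source would settle the question. The digest that gets signed is also still obtained by re-reading the mutable `${{ env.DEFAULT_TAG }}` tag with `sudo skopeo inspect` after the push loop, so recording it at push time (for example with `podman push --digestfile`) would tie the signature to exactly what this job pushed.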
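Review bot: `rechunker_image` and `iso_builder_image` are referenced by mutable tag (`:v1.0.1`, `:v1.2.3`), whereas the workflow step this commit removes pinned `jasonn3/build-container-installer` to a commit SHA. The recipes that run these images are not in this hunk, but the workflows call them through `sudo just …`, so a retagged image would presumably run with root on the builder. Pinning by digest keeps the earlier guarantee, e.g. `rechunker_image := "ghcr.io/hhd-dev/rechunk:v1.0.1@sha256:<digest>"` and likewise for `iso_builder_image`.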
@@ -23,6 +25,7 @@ default: @just --list # Check Just Syntax +[group('Just')] check: #!/usr/bin/bash find . -type f -name "*.just" | while read -r file; do @@ -33,6 +36,7 @@ check: just --unstable --fmt --check -f Justfile # Fix Just Syntax +[group('Just')] fix: #!/usr/bin/bash find . -type f -name "*.just" | while read -r file; do @@ -43,24 +47,27 @@ fix: just --unstable --fmt -f Justfile || { exit 1; } # Clean Repo +[group('Utility')] clean: #!/usr/bin/bash set -eoux pipefail + touch _build find *_build* -exec rm -rf {} \; rm -f previous.manifest.json + rm -f changelog.md + rm -f output.env -# Sudo Clean +# Sudo Clean Repo +[group('Utility')] sudo-clean: - #!/usr/bin/bash - set -eoux pipefail - just sudoif "find *_build* -exec rm -rf {} \;" - just sudoif "rm -f previous.manifest.json" + just sudoif just clean # Check if valid combo +[group('Utility')] [private] validate image="" tag="" flavor="": #!/usr/bin/bash - set -eoux pipefail + set -eou pipefail declare -A images={{ images }} declare -A tags={{ tags }} declare -A flavors={{ flavors }} @@ -90,6 +97,7 @@ validate image="" tag="" flavor="": fi # sudoif bash function +[group('Utility')] [private] sudoif command *args: #!/usr/bin/bash @@ -107,7 +115,8 @@ sudoif command *args: sudoif {{ command }} {{ args }} # Build Image -build image="bluefin" tag="latest" flavor="main" rechunk="0": +[group('Image')] +build image="bluefin" tag="latest" flavor="main" rechunk="0" ghcr="0" pipeline="0" kernel_pin="": #!/usr/bin/bash set -eoux pipefail image={{ image }} @@ -118,11 +127,7 @@ build image="bluefin" tag="latest" flavor="main" rechunk="0": just validate "${image}" "${tag}" "${flavor}" # Image Name - if [[ "${flavor}" =~ main ]]; then - image_name="${image}" - else - image_name="${image}-${flavor}" - fi + image_name=$(just image_name {{ image }} {{ tag }} {{ flavor }}) # Base Image if [[ "${image}" =~ bluefin ]]; then 
@@ -138,13 +143,6 @@ build image="bluefin" tag="latest" flavor="main" rechunk="0": target="base" fi - # Fedora Version - if [[ "${tag}" =~ stable ]]; then - fedora_version=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:stable | jq -r '.Labels["ostree.linux"]' | grep -oP 'fc\K[0-9]+') - else - fedora_version=$(skopeo inspect docker://ghcr.io/ublue-os/base-main:"${tag}" | jq -r '.Labels["ostree.linux"]' | grep -oP 'fc\K[0-9]+') - fi - # AKMODS Flavor and Kernel Version if [[ "${flavor}" =~ hwe ]]; then akmods_flavor="bazzite" 
@@ -155,10 +153,37 @@ build image="bluefin" tag="latest" flavor="main" rechunk="0": else akmods_flavor="main" fi - kernel_release=$(skopeo inspect docker://ghcr.io/ublue-os/${akmods_flavor}-kernel:"${fedora_version}" | jq -r '.Labels["ostree.linux"]') + + # Fedora Version + if [[ {{ ghcr }} == "0" ]]; then + rm -f /tmp/manifest.json + fi + fedora_version=$(just fedora_version {{ image }} {{ tag }} {{ flavor }}) + + # Verify Base Image with cosign + just verify-container "${base_image_name}-main:${fedora_version}" + + # Kernel Release/Pin + kernel_pin="{{ kernel_pin }}" + if [[ -z "${kernel_pin:-}" ]]; then + kernel_release=$(skopeo inspect --retry-times 3 docker://ghcr.io/ublue-os/${akmods_flavor}-kernel:"${fedora_version}" | jq -r '.Labels["ostree.linux"]') + else + kernel_release="${kernel_pin}" + fi + + # Verify Containers with Cosign + just verify-container "${akmods_flavor}-kernel:${kernel_release}" + just verify-container "akmods:${akmods_flavor}-${fedora_version}-${kernel_release}" + if [[ "${akmods_flavor}" =~ coreos ]]; then + just verify-container "akmods-zfs:${akmods_flavor}-${fedora_version}-${kernel_release}" + fi + if [[ "${flavor}" =~ nvidia ]]; then + just verify-container "akmods-nvidia:${akmods_flavor}-${fedora_version}-${kernel_release}" + fi + # Get Version - ver=$(skopeo inspect docker://ghcr.io/ublue-os/"${base_image_name}-main":"${fedora_version}" | jq -r '.Labels["org.opencontainers.image.version"]') + ver=$(skopeo inspect --retry-times 3 docker://ghcr.io/ublue-os/"${base_image_name}-main":"${fedora_version}" | jq -r '.Labels["org.opencontainers.image.version"]') if [ -z "$ver" ] || [ "null" = "$ver" ]; then echo "inspected image version must not be empty or null" exit 1 
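Review bot: `kernel_pin="{{ kernel_pin }}"` is a textual substitution by just, so the value becomes part of the script before bash parses it, and the `build-ghcr` / `build-pipeline` recipes added in the later `@@ -195,17 +220,43 @@` hunk forward `{{ kernel_pin }}` unquoted while requiring root. Since the workflow feeds this from `inputs.kernel_pin`, the value should be validated against a kernel-release pattern at the workflow boundary, or the parameter exported (`$kernel_pin=""` in the recipe signature) and read as `"${kernel_pin}"` instead of interpolated. The removed workflow code also derived `fedora_version` from the pin and failed with "Kernel Pin does not exist"; here a pin only replaces `kernel_release`, so a pin from a different Fedora release is presumably caught only by the `verify-container` calls that follow, which is worth a comment. The recipe body starts and ends outside this hunk.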
@@ -172,7 +197,7 @@ build image="bluefin" tag="latest" flavor="main" rechunk="0": BUILD_ARGS+=("--build-arg" "IMAGE_NAME=${image_name}") BUILD_ARGS+=("--build-arg" "IMAGE_VENDOR={{ repo_organization }}") BUILD_ARGS+=("--build-arg" "KERNEL=${kernel_release}") - if ! git diff-index --quiet HEAD -- ; then + if [[ -z "$(git status -s)" ]]; then BUILD_ARGS+=("--build-arg" "SHA_HEAD_SHORT=$(git rev-parse --short HEAD)") fi BUILD_ARGS+=("--build-arg" "UBLUE_IMAGE_TAG=${tag}") 
@@ -195,17 +220,43 @@ build image="bluefin" tag="latest" flavor="main" rechunk="0": . # Rechunk - if [[ "{{ rechunk }}" == "1" ]]; then + if [[ "{{ rechunk }}" == "1" && "{{ ghcr }}" == "1" && "{{ pipeline }}" == "1" ]]; then + just rechunk "${image}" "${tag}" "${flavor}" 1 1 + elif [[ "{{ rechunk }}" == "1" && "{{ ghcr }}" == "1" ]]; then + just rechunk "${image}" "${tag}" "${flavor}" 1 + elif [[ "{{ rechunk }}" == "1" ]]; then just rechunk "${image}" "${tag}" "${flavor}" fi # Build Image and Rechunk -build-rechunk image="bluefin" tag="latest" flavor="main": - @just build {{ image }} {{ tag }} {{ flavor }} 1 +[group('Image')] +build-rechunk image="bluefin" tag="latest" flavor="main" kernel_pin="": + @just build {{ image }} {{ tag }} {{ flavor }} 1 0 0 {{ kernel_pin }} + +# Build Image with GHCR Flag +[group('Production')] +build-ghcr image="bluefin" tag="latest" flavor="main" kernel_pin="": + #!/usr/bin/bash + if [[ "${UID}" -gt "0" ]]; then + echo "Must Run with sudo or as root..." + exit 1 + fi + just build {{ image }} {{ tag }} {{ flavor }} 0 1 0 {{ kernel_pin }} + +# Build Image for Pipeline: +[group('Production')] +build-pipeline image="bluefin" tag="latest" flavor="main" kernel_pin="": + #!/usr/bin/bash + if [[ "${UID}" -gt "0" ]]; then + echo "Must Run with sudo or as root..." + exit 1 + fi + just build {{ image }} {{ tag }} {{ flavor }} 1 1 1 {{ kernel_pin }} # Rechunk Image +[group('Image')] [private] -rechunk image="bluefin" tag="latest" flavor="main": +rechunk image="bluefin" tag="latest" flavor="main" ghcr="0" pipeline="0": #!/usr/bin/bash set -eoux pipefail 
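Review bot: `build-ghcr` and `build-pipeline` insist on running as root, yet they splice `{{ image }}`, `{{ tag }}`, `{{ flavor }}` and `{{ kernel_pin }}` into the bash script unquoted, so a value containing whitespace or shell metacharacters is parsed by bash as code rather than passed as one argument. Whether any caller feeds these from workflow inputs is not visible here, but quoting costs nothing: `just build {{ quote(image) }} {{ quote(tag) }} {{ quote(flavor) }} 1 1 1 {{ quote(kernel_pin) }}`. The same pattern appears in the later hunk that adds `verify-container` (`key={{ key }}`), `secureboot` (`image={{ image }}`) and `tag-images` (`for tag in {{ tags }}`).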
@@ -217,11 +268,7 @@ rechunk image="bluefin" tag="latest" flavor="main": just validate "${image}" "${tag}" "${flavor}" # Image Name - if [[ "${flavor}" =~ main ]]; then - image_name="${image}" - else - image_name="${image}-${flavor}" - fi + image_name=$(just image_name {{ image }} {{ tag }} {{ flavor }}) # Check if image is already built ID=$(podman images --filter reference=localhost/"${image_name}":"${tag}" --format "'{{ '{{.ID}}' }}'") @@ -237,8 +284,31 @@ rechunk image="bluefin" tag="latest" flavor="main": # Prep Container CREF=$(just sudoif podman create localhost/"${image_name}":"${tag}" bash) - MOUNT=$(just sudoif podman mount "${CREF}") + OLD_IMAGE=$(just sudoif podman inspect $CREF | jq -r '.[].Image') OUT_NAME="${image_name}_build" + MOUNT=$(just sudoif podman mount "${CREF}") + + # Fedora Version + fedora_version=$(just sudoif podman inspect $CREF | jq -r '.[].Config.Labels["ostree.linux"]' | grep -oP 'fc\K[0-9]+') + + # Cleanup Space during Github Action + if [[ "{{ ghcr }}" == "1" ]]; then + if [[ "${image_name}" =~ bluefin ]]; then + base_image_name=silverblue-main + elif [[ "${image_name}" =~ aurora ]]; then + base_image_name=kinoite-main + fi + if [[ "${tag}" =~ stable ]]; then + tag="stable-daily" + fi + ID=$(just sudoif podman images --filter reference=ghcr.io/ublue-os/"${base_image_name}":${fedora_version} --format "'{{ '{{.ID}}' }}'") + if [[ -n "$ID" ]]; then + podman rmi "$ID" + fi + fi + + # Rechunk Container + rechunker="{{ rechunker_image }}" # Run Rechunker's Prune just sudoif podman run --rm \ @@ -247,7 +317,7 @@ rechunk image="bluefin" tag="latest" flavor="main": --volume "$MOUNT":/var/tree \ --env TREE=/var/tree \ --user 0:0 \ - ghcr.io/hhd-dev/rechunk:latest \ + "${rechunker}" \ /sources/rechunk/1_prune.sh # Run Rechunker's Create 
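Review bot: The rechunker image now comes from `{{ rechunker_image }}` and is run through `just sudoif podman run` with `--user 0:0` and the image tree mounted, here and in the two following rechunk hunks, but nothing verifies it the way this commit verifies the base and akmods images. The variable's definition is outside these hunks, so it cannot be seen here whether it is a floating tag like the `ghcr.io/hhd-dev/rechunk:latest` it replaces. If it is, pinning it by digest (`ghcr.io/hhd-dev/rechunk@sha256:<pinned-digest>`, placeholder) keeps a moved tag from changing what runs as root over the image contents. The same question applies to `{{ iso_builder_image }}`, which `build-iso` runs with `--privileged` and `--pull=newer`.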
@@ -259,12 +329,13 @@ rechunk image="bluefin" tag="latest" flavor="main": --env REPO=/var/ostree/repo \ --env RESET_TIMESTAMP=1 \ --user 0:0 \ - ghcr.io/hhd-dev/rechunk:latest \ + "${rechunker}" \ /sources/rechunk/2_create.sh # Cleanup Temp Container Reference just sudoif podman unmount "$CREF" just sudoif podman rm "$CREF" + just sudoif podman rmi "$OLD_IMAGE" # Run Rechunker just sudoif podman run --rm \ 
@@ -276,29 +347,34 @@ rechunk image="bluefin" tag="latest" flavor="main": --env REPO=/var/ostree/repo \ --env PREV_REF=ghcr.io/ublue-os/"${image_name}":"${tag}" \ --env OUT_NAME="$OUT_NAME" \ - --env LABELS="org.opencontainers.image.title=${image_name}$'\n'org.opencontainers.image.version=localbuild-$(date +%Y%m%d-%H:%M:%S)$'\n''io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/refs/heads/main/README.md'$'\n''io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4'$'\n'" \ + --env LABELS="org.opencontainers.image.title=${image_name}$'\n'org.opencontainers.image.version=${fedora_version}.$(date +%Y%m%d)$'\n''io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/refs/heads/main/README.md'$'\n''io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4'$'\n'" \ --env "DESCRIPTION='An interpretation of the Ubuntu spirit built on Fedora technology'" \ --env VERSION_FN=/workspace/version.txt \ --env OUT_REF="oci:$OUT_NAME" \ --env GIT_DIR="/var/git" \ --user 0:0 \ - ghcr.io/hhd-dev/rechunk:latest \ + "${rechunker}" \ /sources/rechunk/3_chunk.sh - # Cleanup - just sudoif "find ${OUT_NAME} -type d -exec chmod 0755 {} \;" || true - just sudoif "find ${OUT_NAME}* -type f -exec chmod 0644 {} \;" || true - if [[ "${UID}" -gt 0 ]]; then - just sudoif chown ${UID}:${GROUPS} -R "${PWD}" - fi - just sudoif podman volume rm cache_ostree - just sudoif podman rmi localhost/"${image_name}":"${tag}" - # Load Image into Podman Store + if [[ "${UID}" -gt "0" ]]; then + just sudoif chown "${UID}:${GROUPS}" -R "${PWD}" + fi IMAGE=$(podman pull oci:"${PWD}"/"${OUT_NAME}") podman tag ${IMAGE} localhost/"${image_name}":"${tag}" + # Cleanup + just sudoif podman volume rm cache_ostree + just sudoif "rm -rf ${OUT_NAME}*" + just sudoif "rm -f previous.manifest.json" + + # Pipeline Checks + if [[ {{ pipeline }} == "1" ]]; then + just secureboot "${image}" "${tag}" 
"${flavor}" + fi + # Run Container +[group('Image')] run image="bluefin" tag="latest" flavor="main": #!/usr/bin/bash set -eoux pipefail @@ -310,11 +386,7 @@ run image="bluefin" tag="latest" flavor="main": just validate "${image}" "${tag}" "${flavor}" # Image Name - if [[ "${flavor}" =~ main ]]; then - image_name="${image}" - else - image_name="${image}-${flavor}" - fi + image_name=$(just image_name {{ image }} {{ tag }} {{ flavor }}) # Check if image exists ID=$(podman images --filter reference=localhost/"${image_name}":"${tag}" --format "'{{ '{{.ID}}' }}'") @@ -326,6 +398,7 @@ run image="bluefin" tag="latest" flavor="main": podman run -it --rm localhost/"${image_name}":"${tag}" bash # Build ISO +[group('ISO')] build-iso image="bluefin" tag="latest" flavor="main" ghcr="0": #!/usr/bin/bash set -eoux pipefail @@ -337,11 +410,7 @@ build-iso image="bluefin" tag="latest" flavor="main" ghcr="0": just validate "${image}" "${tag}" "${flavor}" # Image Name - if [[ "${flavor}" =~ main ]]; then - image_name="${image}" - else - image_name="${image}-${flavor}" - fi + image_name=$(just image_name {{ image }} {{ tag }} {{ flavor }}) build_dir="${image_name}_build" mkdir -p "$build_dir" @@ -428,7 +497,7 @@ build-iso image="bluefin" tag="latest" flavor="main" ghcr="0": iso_build_args+=("--rm" "--privileged" "--pull=newer") iso_build_args+=(--volume "/var/lib/containers/storage:/var/lib/containers/storage") iso_build_args+=(--volume "${PWD}:/github/workspace/") - iso_build_args+=(ghcr.io/jasonn3/build-container-installer:latest) + iso_build_args+=("{{ iso_builder_image }}") iso_build_args+=(ARCH="x86_64") iso_build_args+=(ENROLLMENT_PASSWORD="universalblue") iso_build_args+=(FLATPAK_REMOTE_REFS_DIR="/github/workspace/${build_dir}") 
@@ -448,13 +517,18 @@ build-iso image="bluefin" tag="latest" flavor="main" ghcr="0": iso_build_args+=(WEB_UI="false") just sudoif podman run "${iso_build_args[@]}" - just sudoif chown "${UID}:${GROUPS}" -R "${PWD}" + + if [[ "${UID}" -gt "0" ]]; then + just sudoif chown "${UID}:${GROUPS}" -R "${PWD}" + fi # Build ISO using GHCR Image +[group('Production')] build-iso-ghcr image="bluefin" tag="latest" flavor="main": - @just build-iso {{ image }} {{ tag }} {{ flavor }} ghcr + @just build-iso {{ image }} {{ tag }} {{ flavor }} 1 # Run ISO +[group('ISO')] run-iso image="bluefin" tag="latest" flavor="main": #!/usr/bin/bash set -eoux pipefail @@ -466,11 +540,7 @@ run-iso image="bluefin" tag="latest" flavor="main": just validate "${image}" "${tag}" "${flavor}" # Image Name - if [[ "${flavor}" =~ main ]]; then - image_name="${image}" - else - image_name="${image}-${flavor}" - fi + image_name=$(just image_name {{ image }} {{ tag }} {{ flavor }}) # Check if ISO Exists if [[ ! -f "${image_name}_build/${image_name}.iso" ]]; then 
@@ -502,7 +572,236 @@ run-iso image="bluefin" tag="latest" flavor="main": fg "%podman" # Test Changelogs -changelogs branch="stable": +[group('Changelogs')] +changelogs branch="stable" handwritten="": + #!/usr/bin/bash + set -eou pipefail + python3 ./.github/changelogs.py "{{ branch }}" ./output.env ./changelog.md --workdir . --handwritten "{{ handwritten }}" + +# Verify Container with Cosign +[group('Utility')] +verify-container container="" registry="ghcr.io/ublue-os" key="": + #!/usr/bin/bash + set -eoux pipefail + + # Get Cosign if Needed + if [[ ! $(command -v cosign) ]]; then + COSIGN_CONTAINER_ID=$(just sudoif podman create cgr.dev/chainguard/cosign:latest bash) + just sudoif podman cp "${COSIGN_CONTAINER_ID}":/usr/bin/cosign /usr/local/bin/cosign + just sudoif podman rm -f "${COSIGN_CONTAINER_ID}" + fi + + # Verify Cosign Image Signatures if needed + if [[ -n "${COSIGN_CONTAINER_ID:-}" ]]; then + if ! cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cosign >/dev/null; then + echo "NOTICE: Failed to verify cosign image signatures." + exit 1 + fi + fi + + # Public Key for Container Verification + key={{ key }} + if [[ -z "${key:-}" ]]; then + key="https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub" + fi + + # Verify Container using cosign public key + if ! cosign verify --key "${key}" "{{ registry }}"/"{{ container }}" >/dev/null; then + echo "NOTICE: Verification failed. Please ensure your public key is correct." + exit 1 + fi + +# Secureboot Check +[group('Utility')] +secureboot image="bluefin" tag="latest" flavor="main": #!/usr/bin/bash set -eoux pipefail - python3 ./.github/changelogs.py {{ branch }} ./output.env ./changelog.md --workdir . 
+ image={{ image }} + tag={{ tag }} + flavor={{ flavor }} + + # Validate (Handle Stable-daily) + if [[ "${tag}" == "stable-daily" ]]; then + temp_tag="${tag}" + tag="stable" + fi + + just validate "${image}" "${tag}" "${flavor}" + + # Image Name + image_name=$(just image_name ${image} ${tag} ${flavor}) + + if [[ -n "${temp_tag:-}" ]]; then + tag="${temp_tag}" + fi + + + # Get the vmlinuz to check + kernel_release=$(podman inspect "${image_name}":"${tag}" | jq -r '.[].Config.Labels["ostree.linux"]') + TMP=$(podman create "${image_name}":"${tag}" bash) + podman cp "$TMP":/usr/lib/modules/"${kernel_release}"/vmlinuz /tmp/vmlinuz + podman rm "$TMP" + + # Get the Public Certificates + curl --retry 3 -Lo /tmp/kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der + curl --retry 3 -Lo /tmp/akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der + openssl x509 -in /tmp/kernel-sign.der -out /tmp/kernel-sign.crt + openssl x509 -in /tmp/akmods.der -out /tmp/akmods.crt + + # Make sure we have sbverify + CMD="$(command -v sbverify)" + if [[ -z "${CMD:-}" ]]; then + temp_name="sbverify-${RANDOM}" + podman run -dt \ + --entrypoint /bin/sh \ + --volume /tmp/vmlinuz:/tmp/vmlinuz:z \ + --volume /tmp/kernel-sign.crt:/tmp/kernel-sign.crt:z \ + --volume /tmp/akmods.crt:/tmp/akmods.crt:z \ + --name ${temp_name} \ + alpine:edge + podman exec ${temp_name} apk add sbsigntool + CMD="podman exec ${temp_name} /usr/bin/sbverify" + fi + + # Confirm that Signatures Are Good + $CMD --list /tmp/vmlinuz + returncode=0 + if ! $CMD --cert /tmp/kernel-sign.crt /tmp/vmlinuz || ! $CMD --cert /tmp/akmods.crt /tmp/vmlinuz; then + echo "Secureboot Signature Failed...." 
+ returncode=1 + fi + if [[ -n "${temp_name:-}" ]]; then + podman rm -f "${temp_name}" + fi + exit "$returncode" + +# Get Fedora Version of an image +[group('Utility')] +fedora_version image="bluefin" tag="latest" flavor="main": + #!/usr/bin/bash + set -eou pipefail + just validate {{ image }} {{ tag }} {{ flavor }} + if [[ ! -f /tmp/manifest.json ]]; then + if [[ "{{ tag }}" =~ stable ]]; then + # CoreOS does not uses cosign + skopeo inspect --retry-times 3 docker://quay.io/fedora/fedora-coreos:stable > /tmp/manifest.json + else + skopeo inspect --retry-times 3 docker://ghcr.io/ublue-os/base-main:"{{ tag }}" > /tmp/manifest.json + fi + fi + fedora_version=$(jq -r '.Labels["ostree.linux"]' < /tmp/manifest.json | grep -oP 'fc\K[0-9]+') + echo "${fedora_version}" + +# Image Name +[group('Utility')] +image_name image="bluefin" tag="latest" flavor="main": + #!/usr/bin/bash + set -eou pipefail + just validate {{ image }} {{ tag }} {{ flavor }} + if [[ "{{ flavor }}" =~ main ]]; then + image_name={{ image }} + else + image_name="{{ image }}-{{ flavor }}" + fi + echo "${image_name}" + +# Generate Tags +[group('Utility')] +generate-build-tags image="bluefin" tag="latest" flavor="main" ghcr="0" github_number="" github_event="": + #!/usr/bin/bash + set -eou pipefail + # Generate a timestamp for creating an image version history + TIMESTAMP="$(date +%Y%m%d)" + TODAY="$(date +%A)" + WEEKLY="Sunday" + if [[ {{ ghcr }} == "0" ]]; then + rm -f /tmp/manifest.json + fi + FEDORA_VERSION="$(just fedora_version {{ image }} {{ tag }} {{ flavor }})" + + # Arrays for Tags + BUILD_TAGS=() + COMMIT_TAGS=() + + # Commit Tags + github_number="{{ github_number }}" + SHA_SHORT="$(git rev-parse --short HEAD)" + if [[ "{{ ghcr }}" == "1" ]]; then + COMMIT_TAGS+=(pr-${github_number:-}-{{ tag }}) + COMMIT_TAGS+=(${SHA_SHORT}-{{ tag }}) + fi + + # Convenience Tags + if [[ "{{ tag }}" =~ stable ]]; then + BUILD_TAGS+=("stable-daily" "stable-daily-${TIMESTAMP}") + else + BUILD_TAGS+=("{{ tag }}" "{{ 
tag }}-${TIMESTAMP}") + fi + + # Weekly Stable / Rebuild Stable on workflow_dispatch + github_event="{{ github_event }}" + if [[ "{{ tag }}" =~ "stable" && "${WEEKLY}" == "${TODAY}" && "${github_event}" =~ schedule ]]; then + BUILD_TAGS+=("stable" "stable-${TIMESTAMP}") + elif [[ "{{ tag }}" =~ "stable" && "${github_event}" =~ workflow_dispatch|workflow_call ]]; then + BUILD_TAGS+=("stable" "stable-${TIMESTAMP}") + elif [[ "{{ tag }}" =~ "stable" && "{{ ghcr }}" == "0" ]]; then + BUILD_TAGS+=("stable" "stable-${TIMESTAMP}") + elif [[ ! "{{ tag }}" =~ stable|beta ]]; then + BUILD_TAGS+=("${FEDORA_VERSION}" "${FEDORA_VERSION}-${TIMESTAMP}") + fi + + if [[ "${github_event}" == "pull_request" ]]; then + alias_tags=("${COMMIT_TAGS[@]}") + else + alias_tags=("${BUILD_TAGS[@]}") + fi + + echo "${alias_tags[*]}" + +# Generate Default Tag +[group('Utility')] +generate-default-tag tag="latest" ghcr="0": + #!/usr/bin/bash + set -eou pipefail + + # Default Tag + if [[ "{{ tag }}" =~ stable && "{{ ghcr }}" == "1" ]]; then + DEFAULT_TAG="stable-daily" + elif [[ "{{ tag }}" =~ stable && "{{ ghcr }}" == "0" ]]; then + DEFAULT_TAG="stable" + else + DEFAULT_TAG="{{ tag }}" + fi + + echo "${DEFAULT_TAG}" + +# Tag Images +[group('Utility')] +tag-images image_name="" default_tag="" tags="": + #!/usr/bin/bash + set -eou pipefail + + # Get Image, and untag + IMAGE=$(podman inspect localhost/{{ image_name }}:{{ default_tag }} | jq -r .[].Id) + podman untag localhost/{{ image_name }}:{{ default_tag }} + + # Tag Image + for tag in {{ tags }}; do + podman tag $IMAGE {{ image_name }}:${tag} + done + + # HWE Tagging + if [[ "{{ image_name }}" =~ hwe ]]; then + + image_name="{{ image_name }}" + asus_name="${image_name/hwe/asus}" + surface_name="${image_name/hwe/surface}" + + for tag in {{ tags }}; do + podman tag "${IMAGE}" "${asus_name}":${tag} + podman tag "${IMAGE}" "${surface_name}":${tag} + done + fi + + # Show Images + podman images 
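Review bot: In `verify-container` the cosign binary is copied out of `cgr.dev/chainguard/cosign:latest` into `/usr/local/bin/cosign` and only afterwards used to verify that same image, so a tampered binary would be vouching for itself, and the check runs against whatever the tag resolves to at that moment rather than the image the binary came from. Installing cosign from a source the builder already trusts, or creating the container from a pinned digest such as `cgr.dev/chainguard/cosign@sha256:<pinned-digest>` (placeholder), removes the circularity. The default key is likewise fetched at run time from a `main` branch URL, as are the two certificates in `secureboot`; keeping these trust anchors in the repository would tie them to a reviewed commit. Separately, `fedora_version` caches to the fixed path `/tmp/manifest.json` without keying on the tag and the callers clear it only when `ghcr` is `0`, so a stale or pre-existing file there decides which Fedora version is verified and built.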
diff --git a/build_files/base/02-install-copr-repos.sh b/build_files/base/02-install-copr-repos.sh index 868885bd313..b115a66b682 100755 --- a/build_files/base/02-install-copr-repos.sh +++ b/build_files/base/02-install-copr-repos.sh @@ -4,12 +4,12 @@ set -eoux pipefail # Add Staging repo -curl -Lo /etc/yum.repos.d/ublue-os-staging-fedora-"$(rpm -E %fedora)".repo \ +curl --retry 3 -Lo /etc/yum.repos.d/ublue-os-staging-fedora-"$(rpm -E %fedora)".repo \ https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"$(rpm -E %fedora)"/ublue-os-staging-fedora-"$(rpm -E %fedora)".repo # Add Switcheroo Repo -curl -Lo /etc/yum.repos.d/_copr_sentry-switcheroo-control_discrete.repo \ +curl --retry 3 -Lo /etc/yum.repos.d/_copr_sentry-switcheroo-control_discrete.repo \ https://copr.fedorainfracloud.org/coprs/sentry/switcheroo-control_discrete/repo/fedora-"$(rpm -E %fedora)"/sentry-switcheroo-control_discrete-fedora-"$(rpm -E %fedora)".repo # Add Nerd Fonts Repo -curl -Lo /etc/yum.repos.d/_copr_che-nerd-fonts-"$(rpm -E %fedora)".repo https://copr.fedorainfracloud.org/coprs/che/nerd-fonts/repo/fedora-"$(rpm -E %fedora)"/che-nerd-fonts-fedora-"$(rpm -E %fedora)".repo +curl --retry 3 -Lo /etc/yum.repos.d/_copr_che-nerd-fonts-"$(rpm -E %fedora)".repo https://copr.fedorainfracloud.org/coprs/che/nerd-fonts/repo/fedora-"$(rpm -E %fedora)"/che-nerd-fonts-fedora-"$(rpm -E %fedora)".repo diff --git a/build_files/base/03-install-kernel-akmods.sh b/build_files/base/03-install-kernel-akmods.sh index 032ea467500..f59319b6c3c 100755 --- a/build_files/base/03-install-kernel-akmods.sh +++ b/build_files/base/03-install-kernel-akmods.sh 
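Review bot: `--retry 3` is added to these `curl -Lo` calls without `--fail`, so an HTTP error response (a 404, or a 5xx that outlasts the retries) is still written to the destination and curl exits 0. Here that leaves an error page saved as a `.repo` file under `/etc/yum.repos.d`, and `set -e` does not stop the build. Adding the flag makes the failure visible: `curl --fail --retry 3 -Lo …`. The same applies to the `curl --retry 3` lines added in the other `build_files/base/*.sh` and `build_files/dx/*.sh` hunks of this commit.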
@@ -9,7 +9,7 @@ do done # Fetch Kernel -skopeo copy docker://ghcr.io/ublue-os/"${AKMODS_FLAVOR}"-kernel:"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/kernel-rpms +skopeo copy --retry-times 3 docker://ghcr.io/ublue-os/"${AKMODS_FLAVOR}"-kernel:"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/kernel-rpms KERNEL_TARGZ=$(jq -r '.layers[].digest' < /tmp/kernel-rpms/manifest.json | cut -d : -f 2) tar -xvzf /tmp/kernel-rpms/"$KERNEL_TARGZ" -C / mv /tmp/rpms/* /tmp/kernel-rpms/ @@ -21,7 +21,7 @@ rpm-ostree install \ /tmp/kernel-rpms/kernel-modules-*.rpm # Fetch Common AKMODS -skopeo copy docker://ghcr.io/ublue-os/akmods:"${AKMODS_FLAVOR}"-"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/akmods +skopeo copy --retry-times 3 docker://ghcr.io/ublue-os/akmods:"${AKMODS_FLAVOR}"-"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/akmods AKMODS_TARGZ=$(jq -r '.layers[].digest' < /tmp/akmods/manifest.json | cut -d : -f 2) tar -xvzf /tmp/akmods/"$AKMODS_TARGZ" -C /tmp/ mv /tmp/rpms/* /tmp/akmods/ @@ -30,12 +30,8 @@ mv /tmp/rpms/* /tmp/akmods/ sed -i 's@enabled=0@enabled=1@g' /etc/yum.repos.d/_copr_ublue-os-akmods.repo rpm-ostree install \ /tmp/akmods/kmods/*xone*.rpm \ - /tmp/akmods/kmods/*openrazer*.rpm - -if [[ -f $(find /tmp/akmods-rpms/kmods/*framework-laptop*.rpm) ]]; then - rpm-ostree install \ - /tmp/akmods-rpms/kmods/*framework-laptop*.rpm -fi + /tmp/akmods/kmods/*xpadneo*.rpm \ + /tmp/akmods/kmods/*framework-laptop*.rpm # RPMFUSION Dependent AKMODS rpm-ostree install \ 
@@ -49,7 +45,7 @@ rpm-ostree uninstall rpmfusion-free-release rpmfusion-nonfree-release # Nvidia AKMODS if [[ "${IMAGE_NAME}" =~ nvidia ]]; then # Fetch Nvidia RPMs - skopeo copy docker://ghcr.io/ublue-os/akmods-nvidia:"${AKMODS_FLAVOR}"-"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/akmods-rpms + skopeo copy --retry-times 3 docker://ghcr.io/ublue-os/akmods-nvidia:"${AKMODS_FLAVOR}"-"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/akmods-rpms NVIDIA_TARGZ=$(jq -r '.layers[].digest' < /tmp/akmods-rpms/manifest.json | cut -d : -f 2) tar -xvzf /tmp/akmods-rpms/"$NVIDIA_TARGZ" -C /tmp/ mv /tmp/rpms/* /tmp/akmods-rpms/ @@ -64,7 +60,7 @@ fi # ZFS for gts/stable if [[ ${AKMODS_FLAVOR} =~ coreos ]]; then # Fetch ZFS RPMs - skopeo copy docker://ghcr.io/ublue-os/akmods-zfs:"${AKMODS_FLAVOR}"-"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/akmods-zfs + skopeo copy --retry-times 3 docker://ghcr.io/ublue-os/akmods-zfs:"${AKMODS_FLAVOR}"-"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/akmods-zfs ZFS_TARGZ=$(jq -r '.layers[].digest' < /tmp/akmods-zfs/manifest.json | cut -d : -f 2) tar -xvzf /tmp/akmods-zfs/"$ZFS_TARGZ" -C /tmp/ mv /tmp/rpms/* /tmp/akmods-zfs/ diff --git a/build_files/base/05-override-install.sh b/build_files/base/05-override-install.sh index f84b64b004a..47f0d4faabb 100755 --- a/build_files/base/05-override-install.sh +++ b/build_files/base/05-override-install.sh 
@@ -48,14 +48,14 @@ rpm-ostree override replace \ rm /etc/yum.repos.d/_copr_sentry-switcheroo-control_discrete.repo # Starship Shell Prompt -curl -Lo /tmp/starship.tar.gz "https://github.com/starship/starship/releases/latest/download/starship-x86_64-unknown-linux-gnu.tar.gz" +curl --retry 3 -Lo /tmp/starship.tar.gz "https://github.com/starship/starship/releases/latest/download/starship-x86_64-unknown-linux-gnu.tar.gz" tar -xzf /tmp/starship.tar.gz -C /tmp install -c -m 0755 /tmp/starship /usr/bin # shellcheck disable=SC2016 echo 'eval "$(starship init bash)"' >> /etc/bashrc # Bash Prexec -curl -Lo /usr/share/bash-prexec https://raw.githubusercontent.com/rcaloras/bash-preexec/master/bash-preexec.sh +curl --retry 3 -Lo /usr/share/bash-prexec https://raw.githubusercontent.com/rcaloras/bash-preexec/master/bash-preexec.sh # Topgrade Install pip install --prefix=/usr topgrade diff --git a/build_files/base/06-fetch-quadlets.sh b/build_files/base/06-fetch-quadlets.sh index f0c57b3db0e..722ffebb2b7 100755 --- a/build_files/base/06-fetch-quadlets.sh +++ b/build_files/base/06-fetch-quadlets.sh 
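Review bot: The Starship tarball is still taken from `releases/latest` and `bash-preexec.sh` from the `master` branch, and both go into the image with no checksum or signature check, so the image content depends on whatever those URLs serve at build time. This commit adds cosign verification for the container inputs but leaves these downloads unverified. The firmware downloads in `08-firmware.sh` already pin a commit and the FiraCode download pins `v3.2.1`; pinning a release here and checking a recorded hash (`echo "<expected-sha256>  /tmp/starship.tar.gz" | sha256sum -c -`, placeholder value) would make the build reproducible and tamper-evident. The same holds for the Homebrew installer fetched from `HEAD` and executed in `10-brew.sh`, and for `kind` and the Monaspace zip in `dx/04-override-install-dx.sh`.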
@@ -6,19 +6,19 @@ set -ouex pipefail mkdir -p /etc/containers/systemd/users # fedora-toolbox -curl -Lo /etc/containers/systemd/users/fedora-toolbox.container https://raw.githubusercontent.com/ublue-os/toolboxes/main/quadlets/fedora-toolbox/fedora-distrobox-quadlet.container +curl --retry 3 -Lo /etc/containers/systemd/users/fedora-toolbox.container https://raw.githubusercontent.com/ublue-os/toolboxes/main/quadlets/fedora-toolbox/fedora-distrobox-quadlet.container sed -i 's/ContainerName=fedora-distrobox-quadlet/ContainerName=fedora-toolbox/' /etc/containers/systemd/users/fedora-toolbox.container # ubuntu-toolbox -curl -Lo /etc/containers/systemd/users/ubuntu-toolbox.container https://raw.githubusercontent.com/ublue-os/toolboxes/main/quadlets/ubuntu-toolbox/ubuntu-distrobox-quadlet.container +curl --retry 3 -Lo /etc/containers/systemd/users/ubuntu-toolbox.container https://raw.githubusercontent.com/ublue-os/toolboxes/main/quadlets/ubuntu-toolbox/ubuntu-distrobox-quadlet.container sed -i 's/ContainerName=ubuntu-distrobox-quadlet/ContainerName=ubuntu-toolbox/' /etc/containers/systemd/users/ubuntu-toolbox.container # wolfi-toolbox -curl -Lo /etc/containers/systemd/users/wolfi-toolbox.container https://raw.githubusercontent.com/ublue-os/toolboxes/main/quadlets/wolfi-toolbox/wolfi-distrobox-quadlet.container +curl --retry 3 -Lo /etc/containers/systemd/users/wolfi-toolbox.container https://raw.githubusercontent.com/ublue-os/toolboxes/main/quadlets/wolfi-toolbox/wolfi-distrobox-quadlet.container sed -i 's/ContainerName=wolfi-quadlet/ContainerName=wolfi-toolbox/' /etc/containers/systemd/users/wolfi-toolbox.container # wolfi-dx-toolbox -curl -Lo /etc/containers/systemd/users/wolfi-dx-toolbox.container https://raw.githubusercontent.com/ublue-os/toolboxes/main/quadlets/wolfi-toolbox/wolfi-dx-distrobox-quadlet.container +curl --retry 3 -Lo /etc/containers/systemd/users/wolfi-dx-toolbox.container 
https://raw.githubusercontent.com/ublue-os/toolboxes/main/quadlets/wolfi-toolbox/wolfi-dx-distrobox-quadlet.container sed -i 's/ContainerName=wolfi-quadlet/ContainerName=wolfi-dx-toolbox/' /etc/containers/systemd/users/wolfi-dx-toolbox.container # Brew Integration for Fedora and Ubuntu Toolboxes diff --git a/build_files/base/07-base-image-changes.sh b/build_files/base/07-base-image-changes.sh index b6cc014fd31..df33959fab6 100755 --- a/build_files/base/07-base-image-changes.sh +++ b/build_files/base/07-base-image-changes.sh @@ -38,7 +38,7 @@ if [[ "${BASE_IMAGE_NAME}" = "kinoite" ]]; then systemctl enable kde-sysmonitor-workaround.service # Get Default Font since font fallback doesn't work - curl --output-dir /tmp -LO https://github.com/ryanoasis/nerd-fonts/releases/download/v3.2.1/FiraCode.zip + curl --retry 3 --output-dir /tmp -LO https://github.com/ryanoasis/nerd-fonts/releases/download/v3.2.1/FiraCode.zip mkdir -p /usr/share/fonts/fira-nf unzip /tmp/FiraCode.zip -d /usr/share/fonts/fira-nf fc-cache -f /usr/share/fonts/fira-nf diff --git a/build_files/base/08-firmware.sh b/build_files/base/08-firmware.sh index 0dca6ac801a..0bf5f77695a 100755 --- a/build_files/base/08-firmware.sh +++ b/build_files/base/08-firmware.sh 
@@ -3,8 +3,8 @@ set -eoux pipefail mkdir -p /tmp/mediatek-firmware -curl -Lo /tmp/mediatek-firmware/WIFI_MT7922_patch_mcu_1_1_hdr.bin https://gitlab.com/kernel-firmware/linux-firmware/-/raw/8f08053b2a7474e210b03dbc2b4ba59afbe98802/mediatek/WIFI_MT7922_patch_mcu_1_1_hdr.bin?inline=false -curl -Lo /tmp/mediatek-firmware/WIFI_RAM_CODE_MT7922_1.bin https://gitlab.com/kernel-firmware/linux-firmware/-/raw/8f08053b2a7474e210b03dbc2b4ba59afbe98802/mediatek/WIFI_RAM_CODE_MT7922_1.bin?inline=false +curl --retry 3 -Lo /tmp/mediatek-firmware/WIFI_MT7922_patch_mcu_1_1_hdr.bin https://gitlab.com/kernel-firmware/linux-firmware/-/raw/8f08053b2a7474e210b03dbc2b4ba59afbe98802/mediatek/WIFI_MT7922_patch_mcu_1_1_hdr.bin?inline=false +curl --retry 3 -Lo /tmp/mediatek-firmware/WIFI_RAM_CODE_MT7922_1.bin https://gitlab.com/kernel-firmware/linux-firmware/-/raw/8f08053b2a7474e210b03dbc2b4ba59afbe98802/mediatek/WIFI_RAM_CODE_MT7922_1.bin?inline=false xz --check=crc32 /tmp/mediatek-firmware/WIFI_MT7922_patch_mcu_1_1_hdr.bin xz --check=crc32 /tmp/mediatek-firmware/WIFI_RAM_CODE_MT7922_1.bin mv -vf /tmp/mediatek-firmware/* /usr/lib/firmware/mediatek/ diff --git a/build_files/base/09-hwe-additions.sh b/build_files/base/09-hwe-additions.sh index 7553206132b..638c2e8c35e 100755 --- a/build_files/base/09-hwe-additions.sh +++ b/build_files/base/09-hwe-additions.sh @@ -10,10 +10,10 @@ else fi # Asus/Surface for HWE -curl -Lo /etc/yum.repos.d/_copr_lukenukem-asus-linux.repo \ +curl --retry 3 -Lo /etc/yum.repos.d/_copr_lukenukem-asus-linux.repo \ https://copr.fedorainfracloud.org/coprs/lukenukem/asus-linux/repo/fedora-$(rpm -E %fedora)/lukenukem-asus-linux-fedora-$(rpm -E %fedora).repo -curl -Lo /etc/yum.repos.d/linux-surface.repo \ +curl --retry 3 -Lo /etc/yum.repos.d/linux-surface.repo \ https://pkg.surfacelinux.com/fedora/linux-surface.repo # Asus Firmware diff --git a/build_files/base/10-brew.sh b/build_files/base/10-brew.sh index 39c99b21e57..f8264b5a4c6 100755 --- a/build_files/base/10-brew.sh 
+++ b/build_files/base/10-brew.sh @@ -10,7 +10,7 @@ mkdir -p /var/home mkdir -p /var/roothome # Brew Install Script -curl -Lo /tmp/brew-install https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh +curl --retry 3 -Lo /tmp/brew-install https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh chmod +x /tmp/brew-install /tmp/brew-install tar --zstd -cvf /usr/share/homebrew.tar.zst /home/linuxbrew/.linuxbrew diff --git a/build_files/dx/01-install-copr-repos-dx.sh b/build_files/dx/01-install-copr-repos-dx.sh index 08e1d24410a..1ea50acd28e 100755 --- a/build_files/dx/01-install-copr-repos-dx.sh +++ b/build_files/dx/01-install-copr-repos-dx.sh 
@@ -9,21 +9,21 @@ if [[ "${FEDORA_MAJOR_VERSION}" -lt "42" ]]; then fi #umoci -curl -Lo /etc/yum.repos.d/ganto-umoci-fedora-"${FEDORA_MAJOR_VERSION}".repo \ +curl --retry 3 -Lo /etc/yum.repos.d/ganto-umoci-fedora-"${FEDORA_MAJOR_VERSION}".repo \ https://copr.fedorainfracloud.org/coprs/ganto/umoci/repo/fedora-"${FEDORA_MAJOR_VERSION}"/ganto-umoci-fedora-"${FEDORA_MAJOR_VERSION}".repo #ublue-os staging -curl -Lo /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo \ +curl --retry 3 -Lo /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo \ https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${FEDORA_MAJOR_VERSION}"/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo #karmab-kcli -curl -Lo /etc/yum.repos.d/karmab-kcli-fedora-"${FEDORA_MAJOR_VERSION}".repo \ +curl --retry 3 -Lo /etc/yum.repos.d/karmab-kcli-fedora-"${FEDORA_MAJOR_VERSION}".repo \ https://copr.fedorainfracloud.org/coprs/karmab/kcli/repo/fedora-"${FEDORA_MAJOR_VERSION}"/karmab-kcli-fedora-"${FEDORA_MAJOR_VERSION}".repo # Fonts -curl -Lo /etc/yum.repos.d/atim-ubuntu-fonts-fedora-"${FEDORA_MAJOR_VERSION}".repo \ +curl --retry 3 -Lo /etc/yum.repos.d/atim-ubuntu-fonts-fedora-"${FEDORA_MAJOR_VERSION}".repo \ https://copr.fedorainfracloud.org/coprs/atim/ubuntu-fonts/repo/fedora-"${FEDORA_MAJOR_VERSION}"/atim-ubuntu-fonts-fedora-"${FEDORA_MAJOR_VERSION}".repo # Kvmfr module -curl -Lo /etc/yum.repos.d/hikariknight-looking-glass-kvmfr-fedora-"${FEDORA_MAJOR_VERSION}".repo \ +curl --retry 3 -Lo /etc/yum.repos.d/hikariknight-looking-glass-kvmfr-fedora-"${FEDORA_MAJOR_VERSION}".repo \ https://copr.fedorainfracloud.org/coprs/hikariknight/looking-glass-kvmfr/repo/fedora-"${FEDORA_MAJOR_VERSION}"/hikariknight-looking-glass-kvmfr-fedora-"${FEDORA_MAJOR_VERSION}".repo diff --git a/build_files/dx/02-install-kernel-akmods-dx.sh b/build_files/dx/02-install-kernel-akmods-dx.sh index 5cc8d11b5ad..85913705302 100755 --- a/build_files/dx/02-install-kernel-akmods-dx.sh 
+++ b/build_files/dx/02-install-kernel-akmods-dx.sh @@ -5,15 +5,17 @@ set -ouex pipefail sed -i 's@enabled=0@enabled=1@g' /etc/yum.repos.d/_copr_ublue-os-akmods.repo # Fetch Kernel RPMS -skopeo copy docker://ghcr.io/ublue-os/"${AKMODS_FLAVOR}"-kernel:"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/kernel-rpms +skopeo copy --retry-times 3 docker://ghcr.io/ublue-os/"${AKMODS_FLAVOR}"-kernel:"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/kernel-rpms KERNEL_TARGZ=$(jq -r '.layers[].digest' < /tmp/kernel-rpms/manifest.json | cut -d : -f 2) tar -xvzf /tmp/kernel-rpms/"$KERNEL_TARGZ" -C / mv /tmp/rpms/* /tmp/kernel-rpms/ -rpm-ostree install /tmp/kernel-rpms/kernel-devel-*.rpm +if [[ -z "$(grep kernel-devel <<< $(rpm -qa))" ]]; then + rpm-ostree install /tmp/kernel-rpms/kernel-devel-*.rpm +fi # Fetch AKMODS RPMS -skopeo copy docker://ghcr.io/ublue-os/akmods:"${AKMODS_FLAVOR}"-"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/akmods +skopeo copy --retry-times 3 docker://ghcr.io/ublue-os/akmods:"${AKMODS_FLAVOR}"-"$(rpm -E %fedora)"-"${KERNEL}" dir:/tmp/akmods AKMODS_TARGZ=$(jq -r '.layers[].digest' < /tmp/akmods/manifest.json | cut -d : -f 2) tar -xvzf /tmp/akmods/"$AKMODS_TARGZ" -C /tmp/ mv /tmp/rpms/* /tmp/akmods/ diff --git a/build_files/dx/04-override-install-dx.sh b/build_files/dx/04-override-install-dx.sh index 24426551caa..32eb825524e 100755 --- a/build_files/dx/04-override-install-dx.sh +++ b/build_files/dx/04-override-install-dx.sh 
@@ -2,13 +2,13 @@ set -eoux pipefail -curl -Lo /tmp/kind "https://github.com/kubernetes-sigs/kind/releases/latest/download/kind-$(uname)-amd64" +curl --retry 3 -Lo /tmp/kind "https://github.com/kubernetes-sigs/kind/releases/latest/download/kind-$(uname)-amd64" chmod +x /tmp/kind mv /tmp/kind /usr/bin/kind # GitHub Monaspace Font -DOWNLOAD_URL=$(curl https://api.github.com/repos/githubnext/monaspace/releases/latest | jq -r '.assets[] | select(.name| test(".*.zip$")).browser_download_url') -curl -Lo /tmp/monaspace-font.zip "$DOWNLOAD_URL" +DOWNLOAD_URL=$(curl --retry 3 https://api.github.com/repos/githubnext/monaspace/releases/latest | jq -r '.assets[] | select(.name| test(".*.zip$")).browser_download_url') +curl --retry 3 -Lo /tmp/monaspace-font.zip "$DOWNLOAD_URL" unzip -qo /tmp/monaspace-font.zip -d /tmp/monaspace-font mkdir -p /usr/share/fonts/monaspace