Build Atomic Studio #367
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build Atomic Studio | |
on: # yamllint disable-line rule:truthy | |
schedule: | |
- cron: '41 5 * * 0' # 5:41 UTC Weekly on Sundays | |
push: | |
paths: | |
- config/** | |
- generators/** | |
- modules/** | |
- .github/workflows/build.yml | |
pull_request: | |
workflow_dispatch: | |
env: | |
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
jobs: | |
generate-recipes: | |
name: Generate Recipes | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
outputs: | |
recipes: ${{ steps.generate-recipes.outputs.recipes }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Generate recipes | |
id: generate-recipes | |
shell: bash | |
run: | | |
/home/linuxbrew/.linuxbrew/bin/brew install pkl | |
RECIPES=$(/home/linuxbrew/.linuxbrew/bin/pkl eval ./generators/main.pkl -m . -f yaml | sed '/.*files/d') | |
# newlines replaced with spaces | |
echo "Generated recipes: ${RECIPES//$'\n'/ }" | |
# adds [" to the start, adds "] to the end, and replaces newlines with "," to turn the newline-delimeted string into a JSON array | |
RECIPES_JSON_STR="[\"${RECIPES//$'\n'/\",\"}\"]" | |
echo "Generated JSON: ${RECIPES_JSON_STR}" | |
# JSON strings are the only way to dynamically generate GH build matrices | |
echo "recipes=${RECIPES_JSON_STR}" >> $GITHUB_OUTPUT | |
bluebuild: | |
name: Build Image | |
runs-on: ubuntu-latest | |
needs: generate-recipes | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false | |
matrix: | |
recipe: ${{ fromJson(needs.generate-recipes.outputs.recipes) }} | |
steps: | |
- name: Maximize build space | |
uses: ublue-os/remove-unwanted-software@v6 | |
with: | |
remove-codeql: 'true' | |
- name: Additional cleanup | |
run: | | |
sudo rm -rf /usr/share/miniconda /usr/local/share/vcpkg | |
sudo apt purge imagemagick imagemagick xorriso sqlite3 sphinxsearch shellcheck | |
- name: Expose GitHub Runtime | |
uses: crazy-max/ghaction-github-runtime@v3 | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Generate recipes (again) and get metadata | |
id: recipe_meta | |
run: | | |
/home/linuxbrew/.linuxbrew/bin/brew install pkl | |
/home/linuxbrew/.linuxbrew/bin/pkl eval ./generators/main.pkl -m . -f yaml | |
echo "IMAGE_NAME=$(yq '.name' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
echo "IMAGE_DESCRIPTION=$(yq '.description' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
echo "VERSION=40" >> $GITHUB_OUTPUT | |
echo "tags=$(yq '."image-version"' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
install: true | |
driver: docker-container | |
- name: Image Metadata | |
uses: docker/metadata-action@v5 | |
id: meta | |
with: | |
images: | | |
${{ env.IMAGE_NAME }} | |
labels: | | |
org.opencontainers.image.title=${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
org.opencontainers.image.version=${{ steps.recipe_meta.outputs.VERSION }} | |
org.opencontainers.image.description=${{ steps.recipe_meta.outputs.IMAGE_DESCRIPTION }} | |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/README.md | |
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/assets/studio-blob.png | |
- name: Generate Containerfile with Bluebuild | |
shell: bash | |
run: | | |
docker run \ | |
--detach \ | |
--rm \ | |
--name blue-build-installer \ | |
ghcr.io/blue-build/cli:main-installer \ | |
tail -f /dev/null | |
docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild | |
docker stop -t 0 blue-build-installer | |
/usr/local/bin/bluebuild template -v ./${{matrix.recipe}} -o /tmp/Containerfile | |
- name: Build | |
id: build_image | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
push: false | |
file: /tmp/Containerfile | |
tags: ${{env.IMAGE_REGISTRY}}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}:latest | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Sign kernel | |
uses: atomic-studio-org/kernel-signer-docker@main | |
with: | |
image: ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
imagename: ${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
privkey: ${{ secrets.SBKEY }} | |
pubkey: /usr/etc/pki/certs/atomic-studio-sbkey.der | |
tags: latest | |
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | |
# https://github.com/macbre/push-to-ghcr/issues/12 | |
- name: Lowercase Registry | |
id: registry_case | |
uses: ASzc/change-string-case-action@v6 | |
with: | |
string: ${{ env.IMAGE_REGISTRY }} | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ github.token }} | |
- name: Push To GHCR Image Registry | |
run: docker push --disable-content-trust ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
- name: Install cosign | |
uses: sigstore/cosign-installer@v3.5.0 | |
- name: Sign container image | |
shell: bash | |
run: | | |
SIGN_IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' ${{env.IMAGE_REGISTRY}}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}:latest) | |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
cosign sign -y --key env://COSIGN_PRIVATE_KEY $SIGN_IMAGE | |
env: | |
COSIGN_EXPERIMENTAL: false | |
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |