Move to new template

jitcos · Mar 13, 2024 · c227138 · c227138
1 parent e805688
commit c227138
Show file tree

Hide file tree

Showing 18 changed files with 40 additions and 665 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1 +1 @@
-* @castrojo
+* @xynydev @fiftydinar
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,13 +1,6 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
-
-
+      interval: "daily"
diff --git a/.github/semantic.yml b/.github/semantic.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,224 +1,34 @@
-# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds.
-# The images are also built after pushing changes or pull requests.
-# The builds can also be triggered manually in the Actions tab thanks to workflow dispatch.
-# Only the branch called `live` is published.
-
-
-name: build-cabos
-on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
+name: bluebuild
+on:
   schedule:
-    - cron: "30 16 * * *"
+    - cron: "00 17 * * *" # build at 17:00 UTC every day 
+                          # (20 minutes after last ublue images start building)
   push:
-    branches:
-      - live
-      - template
-      - main
     paths-ignore: # don't rebuild if only documentation has changed
       - "**.md"
+
   pull_request:
-  workflow_dispatch:
-
-env:
-  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
-
-# Only deploys the branch named "live". Ignores all other branches, to allow
-# having "development" branches without interfering with GHCR image uploads.
+  workflow_dispatch: # allow manually triggering builds
 jobs:
-  push-ghcr:
-    name: Build and push image
-    runs-on: ubuntu-22.04
+  bluebuild:
+    name: Build Custom Image
+    runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
       id-token: write
     strategy:
-      fail-fast: false
-
+      fail-fast: false # stop GH from cancelling all matrix builds if one fails
       matrix:
-# !!!
-        # Add recipes for all the images you want to build here.
-        # Don't add module configuration files, you will get errors.
         recipe:
+          # !! Add your recipes here 
           - recipe.yml
-# !!!
-
     steps:
-      # Checkout push-to-registry action GitHub repository
-      - name: Checkout Push to Registry action
-        uses: actions/checkout@v4
-
-      # Confirm that cosign.pub matches SIGNING_SECRET
-      - uses: sigstore/cosign-installer@v3.3.0
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-
-      - name: Check SIGNING_SECRET matches cosign.pub
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        env:
-          COSIGN_EXPERIMENTAL: false
-          COSIGN_PASSWORD: ""
-          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
-        shell: bash
-        run: |
-          echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub"
-          delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub)
-          if [ -z "$delta" ]; then
-            echo "cosign.pub matches SIGNING_SECRET"
-          else
-            echo "cosign.pub does not match SIGNING_SECRET"
-            echo "$delta"
-            exit 1
-          fi
-
-      - name: Add yq (for reading recipe.yml)
-        uses: mikefarah/yq@v4.40.5
-
-      - name: Gather image data from recipe
-        run: |
-          echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
-          echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
-          echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
-          BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }})
-          echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV
-          echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
-
-      - name: Verify base image
-        uses: EyeCantCU/cosign-action/verify@v0.2.2
-        with:
-          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
-
-      - name: Get current version
-        id: labels
-        run: |
-          ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.IMAGE_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]')
-          echo "VERSION=$ver" >> $GITHUB_OUTPUT
-
-      - name: Generate tags
-        id: generate-tags
-        shell: bash
-        run: |
-          # Generate a timestamp for creating an image version history
-          TIMESTAMP="$(date +%Y%m%d)"
-          MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)"
-          COMMIT_TAGS=()
-          BUILD_TAGS=()
-          # Have tags for tracking builds during pull request
-          SHA_SHORT="${GITHUB_SHA::7}"
-
-          # Using clever bash string templating, https://stackoverflow.com/q/40771781
-          # don't make malformed tags if $MAJOR_VERSION is empty (base-image didn't include proper labels) --
-          COMMIT_TAGS+=("pr-${{ github.event.number }}${MAJOR_VERSION:+-$MAJOR_VERSION}")
-          COMMIT_TAGS+=("${SHA_SHORT}${MAJOR_VERSION:+-$MAJOR_VERSION}")
-
-          BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION:+$MAJOR_VERSION-}${TIMESTAMP}")
-          # --
-
-          BUILD_TAGS+=("${TIMESTAMP}")
-          BUILD_TAGS+=("latest")
-
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              echo "Generated the following commit tags: "
-              for TAG in "${COMMIT_TAGS[@]}"; do
-                  echo "${TAG}"
-              done
-              alias_tags=("${COMMIT_TAGS[@]}")
-          else
-              alias_tags=("${BUILD_TAGS[@]}")
-          fi
-          echo "Generated the following build tags: "
-          for TAG in "${BUILD_TAGS[@]}"; do
-              echo "${TAG}"
-          done
-          echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
-
-      # Build metadata
-      - name: Image Metadata
-        uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: |
-            ${{ env.IMAGE_NAME }}
-          labels: |
-            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
-            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
-            org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
-            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md
-            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
-
-      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
-      # https://github.com/macbre/push-to-ghcr/issues/12
-      - name: Lowercase Registry
-        id: registry_case
-        uses: ASzc/change-string-case-action@v6
-        with:
-          string: ${{ env.IMAGE_REGISTRY }}
-
-      - name: Lowercase Image
-        id: image_case
-        uses: ASzc/change-string-case-action@v6
-        with:
-          string: ${{ env.IMAGE_NAME }}
-
-      - name: Maximize build space
-        uses: AdityaGarg8/remove-unwanted-software@v2
-        with:
-          remove-dotnet: 'true'
-          remove-android: 'true'
-          remove-haskell: 'true'
-
-      # Build image using Buildah action
-      - name: Build Image
-        id: build_image
-        uses: redhat-actions/buildah-build@v2
-        with:
-          containerfiles: |
-            ./Containerfile
-          image: ${{ env.IMAGE_NAME }}
-          tags: |
-            ${{ steps.generate-tags.outputs.alias_tags }}
-          build-args: |
-            IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }}
-            BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }}
-            RECIPE=${{ matrix.recipe }}
-            IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }}
-          labels: ${{ steps.meta.outputs.labels }}
-          oci: false
-
-      # Push the image to GHCR (Image Registry)
-      - name: Push To GHCR
-        uses: redhat-actions/push-to-registry@v2
-        id: push
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        env:
-          REGISTRY_USER: ${{ github.actor }}
-          REGISTRY_PASSWORD: ${{ github.token }}
-        with:
-          image: ${{ steps.build_image.outputs.image }}
-          tags: ${{ steps.build_image.outputs.tags }}
-          registry: ${{ steps.registry_case.outputs.lowercase }}
-          username: ${{ env.REGISTRY_USER }}
-          password: ${{ env.REGISTRY_PASSWORD }}
-          extra-args: |
-            --disable-content-trust
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Sign container
-      - name: Sign container image
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        run: |
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}@${TAGS}
-        env:
-          TAGS: ${{ steps.push.outputs.digest }}
-          COSIGN_EXPERIMENTAL: false
-          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
-
-      - name: Echo outputs
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        run: |
-          echo "${{ toJSON(steps.push.outputs) }}"
+       # the build is fully handled by the reusable github action
+      - name: Build Custom Image
+        uses: blue-build/github-action@v1.2
+        with:
+          recipe: ${{ matrix.recipe }}
+          cosign_private_key: ${{ secrets.SIGNING_SECRET }}
+          registry_token: ${{ github.token }}
+          pr_event_number: ${{ github.event.number }}
diff --git a/.github/workflows/release-iso.yml b/.github/workflows/release-iso.yml
@@ -1,8 +1,8 @@
 on:
   push:
     paths:
-      - 'boot_menu.yml'
-      - '.github/workflows/release-iso.yml'
+      - "boot_menu.yml"
+      - ".github/workflows/release-iso.yml"
   workflow_dispatch:
 
 name: release-iso
@@ -12,13 +12,13 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
-    container: 
+    container:
       image: fedora:39
       options: --privileged
     steps:
       - uses: actions/checkout@v4
-      - name: Generate ISO  
-        uses: ublue-os/isogenerator@v2.3.1
+      - name: Generate ISO
+        uses: ublue-os/isogenerator-old@v2.3.1
         id: isogenerator
         with:
           image-name: ${{ github.event.repository.name }}
@@ -43,5 +43,4 @@ jobs:
       - name: Upload SHA256SUM
         env:
           GITHUB_TOKEN: ${{ github.token }}
-        run:
-          gh release upload auto-iso ${{ steps.isogenerator.outputs.sha256sum-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
+        run: gh release upload auto-iso ${{ steps.isogenerator.outputs.sha256sum-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 .idea
 cosign.key
+/Containerfile