---
name: Create Release Image

# Manually triggered only. The optional base-tag names an existing image in the
# same GHCR repository whose filesystem the current image is overlaid onto; an
# empty value builds a clean image (see the "build" job).
on:
  workflow_dispatch:
    inputs:
      base-tag:
        type: string
        required: false
        description: >-
          Tag of image to layer changes on. Leave empty for clean image.
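jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for the job token; every scope below is used by a step.
    permissions:
      contents: write      # allow actions to create a release
      packages: write      # push images to GHCR
      attestations: write  # create and store the build-provenance attestation
      id-token: write      # OIDC token needed by attest-build-provenance to sign
    defaults:
      run:
        # bash with -e and -o pipefail, so a failing pull/verify/push aborts the step
        shell: bash
    outputs:
      uploaded_image: ${{ steps.push.outputs.uploaded_image }}
      # Registry manifest digest (sha256:...) of the pushed image; the differ job
      # uses it instead of guessing the newest package version from the API.
      image_digest: ${{ steps.push.outputs.image_digest }}
    steps:
      - name: Generate image name
        run: |
          # GHCR repository paths must be lowercase. Read the owner from the runner
          # environment instead of expanding ${{ }} inside the script text.
          owner_lowercase="$(printf '%s' "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')"
          echo "REPO_OWNER_LOWERCASE=$owner_lowercase" >> "$GITHUB_ENV"
          echo "IMAGE_URL=ghcr.io/$owner_lowercase/desktop" >> "$GITHUB_ENV"
      - name: Generate image name with tag
        run: |
          # NOTE(review): the tag is pinned to a fixed commit for this test run; the
          # form kept in the previous (commented-out) revision was "sha-$GITHUB_SHA".
          echo "IMAGE_URL_CURRENT=$IMAGE_URL:sha-af1c2f2fde5648b630902f220b64a0263cdfa19d" >> "$GITHUB_ENV"
      - name: Generate base image name with tag
        if: inputs.base-tag != ''
        env:
          # Pass the user-controlled input through the environment; expanding
          # ${{ inputs.base-tag }} directly inside `run` allows shell injection.
          BASE_TAG: ${{ inputs.base-tag }}
        run: |
          # Accept only a syntactically valid image tag before it reaches docker.
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if ! [[ "$BASE_TAG" =~ $tag_re ]]; then
            echo "::error::base-tag is not a valid image tag"
            exit 1
          fi
          echo "IMAGE_URL_BASE=$IMAGE_URL:$BASE_TAG" >> "$GITHUB_ENV"
      - name: Login to GitHub Package Registry
        # TODO(review): pin third-party actions to a full commit SHA rather than a
        # moving major tag.
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Download current image
        run: |
          docker image pull "$IMAGE_URL_CURRENT"
      - name: Verify current image
        # Only the upstream org signs its images; forks build from unverified images.
        # The tag is mutable, so this re-resolves it in the registry rather than
        # checking the exact manifest pulled above.
        if: github.repository_owner == 'vanilla-os'
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify "oci://$IMAGE_URL_CURRENT" --owner Vanilla-OS
      - name: Retag current image
        if: inputs.base-tag == ''
        run: |
          docker image tag "$IMAGE_URL_CURRENT" image-to-upload:latest
      - name: Extract new image
        if: inputs.base-tag != ''
        run: |
          # Dump the current image's root filesystem to /current-image-fs on the host
          # so it can be bind-mounted read-only into the base image below.
          docker run --name current-image-container "$IMAGE_URL_CURRENT" echo done
          docker export --output="current-image.tar" current-image-container
          docker rm current-image-container
          docker image rm "$IMAGE_URL_CURRENT"
          sudo mkdir /current-image-fs
          sudo tar --extract --directory="/current-image-fs" --file="current-image.tar"
          rm current-image.tar
          ls -Al /current-image-fs
      - name: Download base image
        if: inputs.base-tag != ''
        run: |
          docker image pull "$IMAGE_URL_BASE"
      - name: Verify base image
        # Was `github.repository == 'vanilla-os'`, which never matches an
        # "owner/repo" value, so the base image was never actually verified.
        if: inputs.base-tag != '' && github.repository_owner == 'vanilla-os'
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify "oci://$IMAGE_URL_BASE" --owner Vanilla-OS
      - name: Create new image
        if: inputs.base-tag != ''
        run: |
          # Overlay the current image's filesystem onto the base image, keeping the
          # base's runtime-managed files, then snapshot the container as a new image.
          docker run --name new-image-container -v /current-image-fs:/run/current-image:ro \
            "$IMAGE_URL_BASE" \
            rsync --archive --checksum --delete \
              --exclude=/run/current-image --exclude=/sys --exclude=/proc --exclude=/dev --exclude=/etc/hosts --exclude=/run/.containerenv --exclude=/etc/hostname --exclude=/etc/resolv.conf \
              /run/current-image/ /
          docker commit new-image-container image-to-upload:latest
      - name: Upload image
        id: push
        run: |
          IMAGE_URL_UPLOAD="$IMAGE_URL:test-diff-image"
          docker image tag image-to-upload:latest "$IMAGE_URL_UPLOAD"
          docker push "$IMAGE_URL_UPLOAD"
          # The attestation subject must be the manifest digest as stored in the
          # registry. `docker image inspect ... .Id` is the local config id (and jq
          # without -r left it quoted), so ask the registry for the tag just pushed.
          IMAGE_DIGEST="$(docker buildx imagetools inspect "$IMAGE_URL_UPLOAD" --format '{{.Manifest.Digest}}')"
          test -n "$IMAGE_DIGEST"
          echo "uploaded_image=$IMAGE_URL_UPLOAD" >> "$GITHUB_OUTPUT"
          echo "image_digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
          echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> "$GITHUB_ENV"
      - name: Attest pushed image
        uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ env.IMAGE_URL }}
          subject-digest: ${{ env.IMAGE_DIGEST }}
          # The attestation is stored via the GitHub API only (which is what the
          # `gh attestation verify` steps above consume), not as a GHCR referrer.
          push-to-registry: false
  differ:
    runs-on: ubuntu-latest
    needs: build
    if: vars.DIFFER_URL != ''
    # Least privilege: the job only reads the checkout and talks to the differ.
    permissions:
      contents: read
    container:
      # NOTE(review): this is a mutable tag; anyone with packages:write could retag
      # it between the push in "build" and this job starting.
      image: ${{ needs.build.outputs.uploaded_image }}
    steps:
      - uses: actions/checkout@v4
      - name: Generate package diff
        env:
          # Secrets and variables go through the environment so they are never
          # expanded into the shell script text.
          DIFFER_USER: ${{ secrets.DIFFER_USER }}
          DIFFER_PSW: ${{ secrets.DIFFER_PSW }}
          DIFFER_URL: ${{ vars.DIFFER_URL }}
          # Digest of the image this job runs in, handed over from the build job.
          # The previous lookup took the newest package version from the GitHub
          # API, which races with any concurrent push to the same package.
          IMAGE_DIGEST: ${{ needs.build.outputs.image_digest }}
        run: |
          test -n "$IMAGE_DIGEST"
          lpkg --unlock
          PACKAGE_LIST=$(.github/gen_package_list.sh)
          apt-get install -y curl
          # `-u` sends the same Basic header as before without hand-rolled base64
          # (which wraps long credentials at 76 columns); --fail surfaces HTTP errors.
          curl --fail --silent --show-error -X POST \
            -H 'Accept:application/json' \
            -u "$DIFFER_USER:$DIFFER_PSW" \
            -d "{\"digest\":\"${IMAGE_DIGEST}\",${PACKAGE_LIST}}" \
            "$DIFFER_URL/images/desktop/new"
          lpkg --lock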