Create Release Image #26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create Release Image | |
on: | |
workflow_dispatch: | |
inputs: | |
base-tag: | |
type: string | |
required: false | |
description: Tag of image to layer changes on. Leave empty for clean image. | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write # Allow actions to create release | |
packages: write # Allow pushing images to GHCR | |
attestations: write # To create and write attestations | |
id-token: write # Additional permissions for the persistence of the attestations | |
outputs: | |
uploaded_image: ${{ steps.push.outputs.uploaded_image }} | |
steps: | |
- name: Generate image name | |
run: | | |
REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" | |
echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV" | |
echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/desktop" >> "$GITHUB_ENV" | |
# - name: Generate image name with tag | |
# run: | | |
# echo "IMAGE_URL_CURRENT=${{ env.IMAGE_URL }}:sha-${{ github.sha }}" >> "$GITHUB_ENV" | |
- name: Generate image name with tag | |
run: | | |
echo "IMAGE_URL_CURRENT=${{ env.IMAGE_URL }}:sha-af1c2f2fde5648b630902f220b64a0263cdfa19d" >> "$GITHUB_ENV" | |
- name: Generate base image name with tag | |
if: ${{ inputs.base-tag != '' }} | |
run: | | |
echo "IMAGE_URL_BASE=${{ env.IMAGE_URL }}:${{ inputs.base-tag }}" >> "$GITHUB_ENV" | |
- name: Login to GitHub Package Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Download current image | |
run: | | |
docker image pull ${{ env.IMAGE_URL_CURRENT }} | |
- name: Verify current image | |
if: github.repository_owner == 'vanilla-os' | |
run: | |
gh attestation verify oci://${{ env.IMAGE_URL_CURRENT }} --owner Vanilla-OS | |
env: | |
GH_TOKEN: ${{ github.token }} | |
- name: Retag current image | |
if: ${{ inputs.base-tag == '' }} | |
run: | | |
docker image tag ${{ env.IMAGE_URL_CURRENT }} image-to-upload:latest | |
- name: Extract new image | |
if: ${{ inputs.base-tag != '' }} | |
run: | | |
docker run --name current-image-container ${{ env.IMAGE_URL_CURRENT }} echo done | |
docker export --output="current-image.tar" current-image-container | |
docker rm current-image-container | |
docker image rm ${{ env.IMAGE_URL_CURRENT }} | |
sudo mkdir /current-image-fs | |
sudo tar --extract --directory="/current-image-fs" --file="current-image.tar" | |
rm current-image.tar | |
ls -Al /current-image-fs | |
- name: Download base image | |
if: ${{ inputs.base-tag != '' }} | |
run: | | |
docker image pull ${{ env.IMAGE_URL_BASE }} | |
- name: Verify base image | |
if: inputs.base-tag != '' && github.repository == 'vanilla-os' | |
run: | |
gh attestation verify oci://${{ env.IMAGE_URL_BASE }} --owner Vanilla-OS | |
env: | |
GH_TOKEN: ${{ github.token }} | |
- name: Create new image | |
if: ${{ inputs.base-tag != '' }} | |
run: | | |
docker run --name new-image-container -v /current-image-fs:/run/current-image:ro \ | |
${{ env.IMAGE_URL_BASE }} \ | |
rsync --archive --checksum --delete \ | |
--exclude=/run/current-image --exclude=/sys --exclude=/proc --exclude=/dev --exclude=/etc/hosts --exclude=/run/.containerenv --exclude=/etc/hostname --exclude=/etc/resolv.conf \ | |
/run/current-image/ / | |
docker commit new-image-container image-to-upload:latest | |
- name: Upload image | |
id: push | |
run: | | |
IMAGE_URL_UPLOAD="${{ env.IMAGE_URL }}:test-diff-image" | |
echo "uploaded_image=$IMAGE_URL_UPLOAD" >> "$GITHUB_OUTPUT" | |
docker image tag image-to-upload:latest "$IMAGE_URL_UPLOAD" | |
docker push "$IMAGE_URL_UPLOAD" | |
IMAGE_DIGEST="$(docker image inspect $IMAGE_URL_UPLOAD | jq '.[0].Id')" | |
echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> "$GITHUB_ENV" | |
- name: what | |
run: | | |
echo ${{ env.IMAGE_DIGEST }} | |
- name: Attest pushed image | |
uses: actions/attest-build-provenance@v1 | |
id: attest | |
with: | |
subject-name: ${{ env.IMAGE_URL }} | |
subject-digest: ${{ env.IMAGE_DIGEST }} | |
push-to-registry: false | |
differ: | |
runs-on: ubuntu-latest | |
container: | |
image: ${{ needs.build.outputs.uploaded_image }} | |
if: vars.DIFFER_URL != '' | |
needs: build | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Generate package diff | |
run: | | |
lpkg --unlock | |
PACKAGE_LIST=$(.github/gen_package_list.sh) | |
apt-get install -y curl | |
IMAGE_DIGEST=$(curl -s -L -H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
https://api.github.com/orgs/${{ github.repository_owner }}/packages/container/desktop/versions | grep -m1 name | sed -E 's/^\s*"name": "(.+)".*$/\1/') | |
curl -X POST \ | |
-H 'Accept:application/json' \ | |
-H "Authorization:Basic $(echo -n "${{ secrets.DIFFER_USER }}:${{ secrets.DIFFER_PSW }}" | base64)" \ | |
-d "{\"digest\":\"${IMAGE_DIGEST}\",${PACKAGE_LIST}}" \ | |
${{ vars.DIFFER_URL }}/images/desktop/new | |
lpkg --lock |