Skip to content
Create Release Image

Create Release Image #40

Sign in to view logs

Create Release Image

Create Release Image #40

Workflow file for this run

.github/workflows/release-image.yml at c5cc49c
name: Create Release Image
on:
workflow_dispatch:
inputs:
base-tag:
type: string
required: false
description: Tag of image to layer changes on. Leave empty for clean image.
tag-main-latest:
type: boolean
default: true
description: Tag the resulting image latest and main.
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: write # Allow actions to create release
packages: write # Allow pushing images to GHCR
attestations: write # To create and write attestations
id-token: write # Additional permissions for the persistence of the attestations
outputs:
uploaded_image: ${{ steps.push.outputs.uploaded_image }}
uploaded_digest: ${{ steps.push.outputs.uploaded_digest }}
steps:
- name: Generate image name
run: |
REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/desktop" >> "$GITHUB_ENV"
# - name: Generate image name with tag
# run: |
# echo "IMAGE_URL_CURRENT=${{ env.IMAGE_URL }}:sha-${{ github.sha }}" >> "$GITHUB_ENV"
- name: Generate image name with tag
run: |
echo "IMAGE_URL_CURRENT=${{ env.IMAGE_URL }}:sha-af1c2f2fde5648b630902f220b64a0263cdfa19d" >> "$GITHUB_ENV"
- name: Generate base image name with tag
if: ${{ inputs.base-tag != '' }}
run: |
echo "IMAGE_URL_BASE=${{ env.IMAGE_URL }}:${{ inputs.base-tag }}" >> "$GITHUB_ENV"
- name: Login to GitHub Package Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Download current image
run: |
docker image pull ${{ env.IMAGE_URL_CURRENT }}
- name: Verify current image
if: github.repository_owner == 'vanilla-os'
run:
gh attestation verify oci://${{ env.IMAGE_URL_CURRENT }} --owner Vanilla-OS
env:
GH_TOKEN: ${{ github.token }}
- name: Retag current image
if: ${{ inputs.base-tag == '' }}
run: |
docker image tag ${{ env.IMAGE_URL_CURRENT }} image-to-upload:latest
- name: Extract new image
if: ${{ inputs.base-tag != '' }}
run: |
docker run --name current-image-container ${{ env.IMAGE_URL_CURRENT }} echo done
docker export --output="current-image.tar" current-image-container
docker rm current-image-container
docker image rm ${{ env.IMAGE_URL_CURRENT }}
sudo mkdir /current-image-fs
sudo tar --extract --directory="/current-image-fs" --file="current-image.tar"
rm current-image.tar
ls -Al /current-image-fs
- name: Download base image
if: ${{ inputs.base-tag != '' }}
run: |
docker image pull ${{ env.IMAGE_URL_BASE }}
- name: Verify base image
if: inputs.base-tag != '' && github.repository == 'vanilla-os'
run:
gh attestation verify oci://${{ env.IMAGE_URL_BASE }} --owner Vanilla-OS
env:
GH_TOKEN: ${{ github.token }}
- name: Create new image
if: ${{ inputs.base-tag != '' }}
run: |
docker run --name new-image-container -v /current-image-fs:/run/current-image:ro \
${{ env.IMAGE_URL_BASE }} \
rsync --archive --checksum --delete \
--exclude=/run/current-image --exclude=/sys --exclude=/proc --exclude=/dev --exclude=/etc/hosts --exclude=/run/.containerenv --exclude=/etc/hostname --exclude=/etc/resolv.conf \
/run/current-image/ /
docker commit new-image-container image-to-upload:latest
- name: Push image
id: push
run: |
IMAGE_URL_UPLOAD="${{ env.IMAGE_URL }}:test-diff-image"
echo "uploaded_image=$IMAGE_URL_UPLOAD" >> "$GITHUB_OUTPUT"
docker image tag image-to-upload:latest "$IMAGE_URL_UPLOAD"
docker push "$IMAGE_URL_UPLOAD"
IMAGE_DIGEST="$(docker image inspect $IMAGE_URL_UPLOAD | jq -r '.[0].RepoDigests[0]' | cut -d '@' -f2)"
echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> "$GITHUB_ENV"
echo "uploaded_digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
- name: Push extra tags
if: inputs.tag-main-latest
run: |
docker image tag image-to-upload:latest "${{ env.IMAGE_URL }}:main"
docker image tag image-to-upload:latest "${{ env.IMAGE_URL }}:latest"
docker push "${{ env.IMAGE_URL }}:main"
docker push "${{ env.IMAGE_URL }}:latest"
- name: Push version tags
if: github.ref_type == 'tag'
run: |
WITHOUT_V="$(echo ${{ github.ref_name }} | cut -d 'v' -f2)"
PART_1="$(echo $WITHOUT_V | cut -d '.' -f1)"
PART_2="$(echo $WITHOUT_V | cut -d '.' -f2)"
PART_3="$(echo $WITHOUT_V | cut -d '.' -f3)"
TAG_1="v$WITHOUT_V"
TAG_2="$WITHOUT_V"
TAG_3="v$PART_1"
TAG_4="${PART_1}.${Part_2}"
docker image tag image-to-upload:latest "${{ env.IMAGE_URL }}:$TAG_1"
docker image tag image-to-upload:latest "${{ env.IMAGE_URL }}:$TAG_2"
docker image tag image-to-upload:latest "${{ env.IMAGE_URL }}:$TAG_3"
docker image tag image-to-upload:latest "${{ env.IMAGE_URL }}:$TAG_4"
docker push "${{ env.IMAGE_URL }}:$TAG_1"
docker push "${{ env.IMAGE_URL }}:$TAG_2"
docker push "${{ env.IMAGE_URL }}:$TAG_3"
docker push "${{ env.IMAGE_URL }}:$TAG_4"
- name: Attest pushed image
uses: actions/attest-build-provenance@v1
id: attest
with:
subject-name: ${{ env.IMAGE_URL }}
subject-digest: ${{ env.IMAGE_DIGEST }}
push-to-registry: false
differ:
runs-on: ubuntu-latest
container:
image: ${{ needs.build.outputs.uploaded_image }}
if: vars.DIFFER_URL != ''
needs: build
steps:
- uses: actions/checkout@v4
- name: Generate package diff
run: |
lpkg --unlock
PACKAGE_LIST=$(.github/gen_package_list.sh)
apt-get install -y curl
curl -X POST \
-H 'Accept:application/json' \
-H "Authorization:Basic $(echo -n "${{ secrets.DIFFER_USER }}:${{ secrets.DIFFER_PSW }}" | base64)" \
-d "{\"digest\":\"${{ needs.build.outputs.uploaded_digest }}\",${PACKAGE_LIST}}" \
${{ vars.DIFFER_URL }}/images/desktop/new
lpkg --lock