chore: sync cosign and workflow with ublue main

also tweaked some docs

.github/workflows/build.yml

@@ -3,15 +3,17 @@ on:
   pull_request:
     branches:
       - main
+    paths-ignore:
+      - '**.md'
+      - '**.txt'
   schedule:
     - cron: '15 20 * * *' # 8:15pm UTC everyday
   push:
     branches:
       - main
     paths-ignore:
-      - '**/*.md'
-  workflow_dispatch:
-
+      - '**.md'
+      - '**.txt'
 env:
     IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 
@@ -49,15 +51,14 @@ jobs:
         run: |
           # Generate a timestamp for creating an image version history
           TIMESTAMP="$(date +%Y%m%d)"
-          VARIANT="${{ matrix.coreos_version }}"
-
+          COREOS_VERSION="${{ matrix.coreos_version }}"
           COMMIT_TAGS=()
           BUILD_TAGS=()
 
           # Have tags for tracking builds during pull request
           SHA_SHORT="$(git rev-parse --short HEAD)"
-          COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}")
-          COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}")
+          COMMIT_TAGS+=("pr-${{ github.event.number }}-${COREOS_VERSION}")
+          COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}")
 
           if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
              [[ "${{ matrix.is_stable_version }}" == "true" ]]; then
@@ -65,12 +66,7 @@ jobs:
               COMMIT_TAGS+=("${SHA_SHORT}")
           fi
 
-          BUILD_TAGS=("${VARIANT}")
-
-          # Append matching timestamp tags to keep a version history
-          for TAG in "${BUILD_TAGS[@]}"; do
-              BUILD_TAGS+=("${TAG}-${TIMESTAMP}")
-          done
+          BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}")
 
           if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
              [[ "${{ matrix.is_stable_version }}" == "true" ]]; then
@@ -83,17 +79,14 @@ jobs:
               for TAG in "${COMMIT_TAGS[@]}"; do
                   echo "${TAG}"
               done
-
               alias_tags=("${COMMIT_TAGS[@]}")
           else
               alias_tags=("${BUILD_TAGS[@]}")
           fi
-
           echo "Generated the following build tags: "
           for TAG in "${BUILD_TAGS[@]}"; do
               echo "${TAG}"
           done
-
           echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
 
       # Build metadata
@@ -106,7 +99,9 @@ jobs:
           labels: |
             org.opencontainers.image.title=${{ matrix.image_name }}
             org.opencontainers.image.description=An OCI base image of Fedora CoreOS with batteries included
-            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ matrix.image_name }}/main/README.md
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md
+            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
+
       # Build image using Buildah action
       - name: Build Image
         id: build_image
@@ -114,7 +109,6 @@ jobs:
         with:
           containerfiles: |
             ./Containerfile
-          # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format
           image: ${{ matrix.image_name }}
           tags: |
             ${{ steps.generate-tags.outputs.alias_tags }}
@@ -135,6 +129,7 @@ jobs:
       - name: Push To GHCR
         uses: redhat-actions/push-to-registry@v2
         id: push
+        if: github.event_name != 'pull_request'
         env:
           REGISTRY_USER: ${{ github.actor }}
           REGISTRY_PASSWORD: ${{ github.token }}
@@ -147,31 +142,31 @@ jobs:
           extra-args: |
             --disable-content-trust
 
-      # Sign container
-      - uses: sigstore/cosign-installer@main
-
-      # Only needed when running `cosign sign` using a key
-      - name: Write signing key to disk
-        run: |
-          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
-          # DEBUG: get character count of key
-          wc -c cosign.key
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
-
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
+        if: github.event_name != 'pull_request'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      # Sign container
+      - uses: sigstore/cosign-installer@v3.0.1
+        if: github.event_name != 'pull_request'
+
       - name: Sign container image
+        if: github.event_name != 'pull_request'
         run: |
-          cosign sign --yes --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
+          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
+          wc -c cosign.key
+          cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
         env:
           TAGS: ${{ steps.push.outputs.digest }}
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
 
       - name: Echo outputs
+        if: github.event_name != 'pull_request'
         run: |
           echo "${{ toJSON(steps.push.outputs) }}"
+

README.md

@@ -4,7 +4,7 @@
 
 ## What is this?
 
-You should be familiar with [Fedora CoreOS](https://getfedora.org/coreos/), as this is an OCI image of CoreOS with "batteries included". More specifically, it's an opinionated, custom CoreOS image built daily with some commonly installed tools, pre-installed. The idea is to make a lightweight server image including most used services or the building blocks to host them.
+You should be familiar with [Fedora CoreOS](https://getfedora.org/coreos/), as this is an OCI image of CoreOS with "batteries included". More specifically, it's an opinionated, custom CoreOS image, built daily with some commonly used tools added in. The idea is to make a lightweight server image including most used services or the building blocks to host them.
 
 WARNING: This image has **not** been heavily tested, though the underlying components have. Please take a look at the included modifications and help test if this project interests you.
 
@@ -28,9 +28,11 @@ One can layer packages directly on a machine running UCore or use this image as
 
 Note: per [cockpit instructions](https://cockpit-project.org/running.html#coreos) the cockpit-ws RPM is **not** installed, rather it is available as a podman container. This image has pre-configured cockpit to run on system boot, but it can be disabled:
 
-    sudo systemctl disable --now cockpit.service
+```bash
+sudo systemctl disable --now cockpit.service
+```
 
-This image should be suitable for use on bare metal or in a virtual machines where you wish to run containerized workloads.
+This image should be suitable for use on bare metal or on virtual machines where you wish to run containerized workloads.
 
 ## Tips and Tricks
 
@@ -48,24 +50,26 @@ It's a good idea to become familar with the [Fedora CoreOS Documentation](https:
 
 ### Prerequsites
 
-This image is not currently avaialable for direct install. The user must follow the [CoreOS installation guide](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/). Note there are varying methods of installation for bare metal, cloud providers, and virtualization platforms.
+This image is not currently avaialable for direct install. The user must follow the [CoreOS installation guide](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/). There are varying methods of installation for bare metal, cloud providers, and virtualization platforms.
 
 All CoreOS installation methods require the user to [produce an Ignition file](https://docs.fedoraproject.org/en-US/fedora-coreos/producing-ign/). This Ignition file should, at mimimum, set a password and SSH key for the default user (default username is `core`).
 
-
 ### Install and Rebase
 
 To rebase an Fedora CoreOS machine to the latest UCore (stable):
 
 1. Install CoreOS via [desired installation method](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/)
-1. After you reboot you should [pin the working deployment](https://docs.fedoraproject.org/en-US/fedora-silverblue/faq/#_how_can_i_upgrade_my_system_to_the_next_major_version_for_instance_rawhide_or_an_upcoming_fedora_release_branch_while_keeping_my_current_deployment) which allos you to rollback if required.
-1. SSH to the freshly installed CoreOS system and rebase the OS:
+1. After you reboot you should [pin the working deployment](https://docs.fedoraproject.org/en-US/fedora-silverblue/faq/#_how_can_i_upgrade_my_system_to_the_next_major_version_for_instance_rawhide_or_an_upcoming_fedora_release_branch_while_keeping_my_current_deployment) which allows you to rollback if required.
+1. SSH to the freshly installed CoreOS system and rebase the OS, then reboot:
 
-    sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/ucore:stable
+```bash
+sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/ucore:stable
+```
 
-  
 ## Verification
 
 These images are signed with sisgstore's [cosign](https://docs.sigstore.dev/cosign/overview/). You can verify the signature by downloading the `cosign.pub` key from this repo and running the following command:
 
-    cosign verify --key cosign.pub ghcr.io/ublue-os/ucore
+```bash
+cosign verify --key cosign.pub ghcr.io/ublue-os/ucore
+```

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
+cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+-----END PUBLIC KEY-----