diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 45ad307..d5a39fb 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -130,8 +130,6 @@ jobs: set -x IMAGE_NAME=ucore${{ matrix.image_suffix }} echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV - echo "TAG_VERSION=${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}" >> $GITHUB_ENV - echo "TIMESTAMP=$(date +%Y%m%d)" >> $GITHUB_ENV - name: Pull base and kmod images uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 
@@ -188,33 +186,63 @@ jobs: exit 1 fi + - name: Generate tags + id: generate-tags + shell: bash + run: | + # Generate a timestamp for creating an image version history + TIMESTAMP="$(date +%Y%m%d)" + COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}" + + COMMIT_TAGS=() + BUILD_TAGS=() + + # Have tags for tracking builds during pull request + SHA_SHORT="${GITHUB_SHA::7}" + COMMIT_TAGS+=("pr-${{ github.event.number }}-${COREOS_VERSION}") + COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}") + + BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}") + # always add the '-zfs' tag to each image since we include ZFS with them all + # and we want users of the existing '-zfs' images to still get updates + BUILD_TAGS+=("${COREOS_VERSION}-zfs") + BUILD_TAGS+=("${COREOS_VERSION}-zfs-${TIMESTAMP}") + + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + echo "Generated the following commit tags: " + for TAG in "${COMMIT_TAGS[@]}"; do + echo "${TAG}" + done + + alias_tags=("${COMMIT_TAGS[@]}") + else + if [[ "${COREOS_VERSION}" == "stable" ]]; then + BUILD_TAGS+=("latest") + fi + + alias_tags=("${BUILD_TAGS[@]}") + fi + + echo "Generated the following build tags: " + for TAG in "${BUILD_TAGS[@]}"; do + echo "${TAG}" + done + + echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT + # Build metadata - name: Image Metadata uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5 id: meta with: + images: | + ${{ env.IMAGE_NAME }} labels: | io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md org.opencontainers.image.description=${{ matrix.description }} org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.version=${{ env.IMAGE_VERSION }} - tags: | - type=sha,format=short,suffix=-${{ env.TAG_VERSION }} - type=ref,event=pr,suffix=-${{ env.TAG_VERSION }} - # Tags only for 
push to main or workflow_dispatch on main - type=raw,value=${{ env.TAG_VERSION }}-${{ env.TIMESTAMP }},priority=750,enable=${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' }} - type=raw,value=${{ env.TAG_VERSION }},priority=350,enable=${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' }} - type=raw,value=${{ env.TAG_VERSION }}-zfs-${{ env.TIMESTAMP }},priority=700,enable=${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' }} - type=raw,value=${{ env.TAG_VERSION }}-zfs,priority=300,enable=${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' }} - type=raw,value=latest,enable=${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' && env.TAG_VERSION == 'stable' }} - - - name: Single Line (convert newlines to spaces) - id: single-line - run: | - tags="${{ steps.meta.outputs.tags }}" - tags_space=$(printf '%s' "$tags" | tr '\n' ' ' | xargs) - echo "tags=${tags_space}" >> $GITHUB_OUTPUT # Build image using Buildah action - name: Build Image @@ -226,7 +254,7 @@ jobs: context: ./ucore image: ${{ env.IMAGE_NAME }} tags: | - ${{ steps.single-line.outputs.tags }} + ${{ steps.generate-tags.outputs.alias_tags }} build-args: | COREOS_VERSION=${{ inputs.coreos_version }} FEDORA_VERSION=${{ env.FEDORA_VERSION }} 
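Review bot: The non-PR branch of the new `if` in the Generate tags step emits the release tags (`${COREOS_VERSION}`, the `-zfs` variants, and `latest` for stable) for every event that is not a pull_request, whereas the removed metadata-action lines enabled those tags only when `github.ref == 'refs/heads/main'`; since the push step later in this file is gated only on `github.event_name != 'pull_request'`, a push or workflow_dispatch on any other branch would now publish and retag `latest` unless the calling workflow restricts its triggers. I would restore the branch condition in the else-branch and fail loudly otherwise, as sketched below. The same output is consumed unchanged by the Build Image hunk at `@@ -226,7 +254,7 @@`, so nothing further is needed there. Minor: quote the output file, `echo "alias_tags=${alias_tags[*]}" >> "$GITHUB_OUTPUT"`, to match the quoting used elsewhere in the script.
```yaml
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
  # … unchanged: commit-tag listing and alias_tags=("${COMMIT_TAGS[@]}") …
elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
  if [[ "${COREOS_VERSION}" == "stable" ]]; then
    BUILD_TAGS+=("latest")
  fi
  alias_tags=("${BUILD_TAGS[@]}")
else
  echo "Refusing to generate release tags for ${{ github.event_name }} on ${{ github.ref }}" >&2
  exit 1
fi
```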
@@ -248,10 +276,9 @@ jobs: sudo apt update sudo apt install sbsigntool curl openssl fi - TAG=$(echo "${{ steps.single-line.outputs.tags }}" | cut -d " " -f 1) - podman run -d --rm --name checksb "${{ env.IMAGE_NAME }}:${TAG}" sleep 1000 - podman cp checksb:/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . - podman rm -f checksb + podman run -d --rm --name ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 + podman cp ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . + podman rm -f ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sbverify --list vmlinuz curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der 
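Review bot: The first tag is recomputed four times with `$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)` across the podman run/cp/rm lines, and the image reference `"${{ env.IMAGE_NAME }}":$(…)` leaves the tag portion unquoted, so an empty alias_tags output would silently produce `image:` and a container name ending in `-`; the removed version computed `TAG` once, which read better and was easier to check. `${{env.IMAGE_NAME }}` is also spaced inconsistently with the rest of the file. I would derive the tag and container name once, quote them, and add an emptiness check as below; the step's shell script starts before this hunk (the apt lines are context). Expanding a step output inside `run:` interpolates it into the script text, and mapping it to an `env:` entry on the step and reading it as a shell variable is the usual hardening, though that step's `env:` block is outside the hunk.
```yaml
TAG="$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)"
[[ -n "${TAG}" ]] || { echo "no tag produced by generate-tags" >&2; exit 1; }
CONTAINER="${{ env.IMAGE_NAME }}-${TAG}"
podman run -d --rm --name "${CONTAINER}" "${{ env.IMAGE_NAME }}:${TAG}" sleep 1000
podman cp "${CONTAINER}:/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz" .
podman rm -f "${CONTAINER}"
# … unchanged: sbverify --list and curl lines …
```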
@@ -260,22 +287,34 @@ jobs: sbverify --cert kernel-sign.crt vmlinuz || exit 1 sbverify --cert akmods.crt vmlinuz || exit 1 + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. + # https://github.com/macbre/push-to-ghcr/issues/12 + - name: Lowercase Registry + id: registry_case + uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6 + with: + string: ${{ env.IMAGE_REGISTRY }} + # Push the image to GHCR (Image Registry) - name: Push To GHCR - uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 + uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 id: push if: github.event_name != 'pull_request' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ env.IMAGE_REGISTRY }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust + action: redhat-actions/push-to-registry@v2 + attempt_limit: 3 + attempt_delay: 15000 + with: | + image: ${{ steps.build_image.outputs.image }} + tags: ${{ steps.build_image.outputs.tags }} + registry: ${{ steps.registry_case.outputs.lowercase }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + extra-args: | + --disable-content-trust - name: Login to GitHub Container Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 
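Review bot: The wrapped action in the new Push To GHCR step is referenced as `action: redhat-actions/push-to-registry@v2`, a mutable tag, while the line it replaces was pinned to `5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2` and every other `uses:` in this hunk is SHA-pinned; the retry wrapper should not lose that pin, so `action: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2`, provided wretry resolves full commit refs (I believe it checks out whatever ref it is given, but confirm). A comment above the step would help the next reader: `# push-to-registry runs through wretry to ride out transient registry errors; keep the inner action pinned like the outer one`. Note also that `id: push` now names the wretry step rather than push-to-registry itself, so consumers must read the inner action's outputs through wretry's `outputs` output.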
@@ -294,7 +333,7 @@ jobs: - name: Sign container image if: github.event_name != 'pull_request' run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.build_image.outputs.image }}@${TAGS} + cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} env: TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} COSIGN_EXPERIMENTAL: false
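Review bot: The rewritten cosign line still signs `…@${TAGS}` with no check that `TAGS` is non-empty; `TAGS` is `steps.push.outputs.outputs && fromJSON(...).digest`, which yields an empty string when the wretry-wrapped push produced no `outputs`, and cosign would then be invoked on a reference ending in `@`. I would add, before the command, `[[ -n "${TAGS}" ]] || { echo "push step produced no digest" >&2; exit 1; }`. The variable holds a digest rather than a tag list, so a name such as `DIGEST` would make the `@` reference self-explanatory, though that rename touches the `env:` context line rather than the changed line.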