From 5f09b7cbdeebadcb88a8d6bbc836b95a3697d0c4 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Tue, 20 Feb 2024 20:39:33 -0800
Subject: [PATCH] =?UTF-8?q?chore:=20migrate=20to=20BlueBuild=20?= =?UTF-8?q?=F0=9F=8E=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/dependabot.yml | 9 +-
.github/pull.yml | 6 +
.github/semantic.yml | 2 -
.github/workflows/build.yml | 211 ++----------------
.github/workflows/release-iso.yml | 13 +-
.gitignore | 1 +
Containerfile | 44 ----
build.sh | 74 ------
.../recipe-bluefin-dx-framework-userns.yml | 6 +-
9 files changed, 33 insertions(+), 333 deletions(-)
create mode 100644 .github/pull.yml
delete mode 100644 .github/semantic.yml
delete mode 100644 Containerfile
delete mode 100644 build.sh
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d26c3c4..1230149 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,13 +1,6 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "weekly"
-
-
+ interval: "daily"
diff --git a/.github/pull.yml b/.github/pull.yml
new file mode 100644
index 0000000..0fe7714
--- /dev/null
+++ b/.github/pull.yml
@@ -0,0 +1,6 @@
+version: "1"
+rules:
+ - base: main
+ upstream: blue-build:main
+ mergeMethod: merge
+ mergeUnstable: false
diff --git a/.github/semantic.yml b/.github/semantic.yml
deleted file mode 100644
index b5161df..0000000
--- a/.github/semantic.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-enabled: true
-titleOnly: true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 100a99b..d6fdba4 100644
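Review bot: In the new `.github/pull.yml`, `mergeMethod: merge` against `base: main` lets the Pull app land upstream `blue-build:main` commits on this repository's `main` with no local review, and the build workflow changed in this same commit now runs on every push and is handed `secrets.SIGNING_SECRET`, so upstream changes reach the signed build path automatically. `mergeUnstable: false` only requires upstream's own checks to pass; it is not a review of what the merge brings into the signing pipeline. If that is not intended, make the upstream sync a reviewable PR instead, `mergeMethod: none` with a `reviewers:` list, and state the policy in a comment above `rules:`.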
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,43 +1,25 @@ -# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds. -# The images are also built after pushing changes or pull requests. -# The builds can also be triggered manually in the Actions tab thanks to workflow dispatch. -# Only the branch called `live` is published. - - name: build-secureblue -on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows +on: schedule: - - cron: "30 16 * * *" + - cron: "00 17 * * *" # build at 17:00 UTC every day + # (20 minutes after last ublue images start building) push: - branches: - - live - - template - - staging paths-ignore: # don't rebuild if only documentation has changed - "**.md" + pull_request: - workflow_dispatch: - -env: - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - -# Only deploys the branch named "live". Ignores all other branches, to allow -# having "development" branches without interfering with GHCR image uploads. + workflow_dispatch: # allow manually triggering builds jobs: - push-ghcr: - name: Build and push image - runs-on: ubuntu-22.04 + bluebuild: + name: Build secureblue + runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write strategy: - fail-fast: false - + fail-fast: false # stop GH from cancelling all matrix builds if one fails matrix: -# !!! - # Add recipes for all the images you want to build here. - # Don't add module configuration files, you will get errors. recipe: # non-userns # desktop 
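Review bot: The `branches:` filter under `push:` is removed and `pull_request:` is added, while the job keeps `packages: write` and `id-token: write` and, in the hunk at L4–L6, passes `secrets.SIGNING_SECRET` to the build action with no `if:` guard; the previous workflow only ran on `live`/`template`/`staging` and only pushed and signed on `live`/`staging`. Whether feature-branch and PR builds now get published and signed is decided inside `blue-build/github-action`, which is not visible here. If only selected branches should publish, restore the filter, e.g. `branches: [live, staging]`, or record which events publish in a comment next to `push:`.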
@@ -119,44 +101,18 @@ jobs: - recipes/server/recipe-server-main-userns.yml - recipes/server/recipe-server-nvidia-userns.yml - steps: - # Checkout push-to-registry action GitHub repository - - name: Checkout Push to Registry action + - name: Checkout repo uses: actions/checkout@v4 - # Confirm that cosign.pub matches SIGNING_SECRET - - uses: sigstore/cosign-installer@v3.4.0 - if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/live' || github.ref == 'refs/heads/staging') - - - name: Check SIGNING_SECRET matches cosign.pub - if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/live' || github.ref == 'refs/heads/staging') - env: - COSIGN_EXPERIMENTAL: false - COSIGN_PASSWORD: "" - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - shell: bash - run: | - echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub" - delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub) - if [ -z "$delta" ]; then - echo "cosign.pub matches SIGNING_SECRET" - else - echo "cosign.pub does not match SIGNING_SECRET" - echo "$delta" - exit 1 - fi - - name: Add yq (for reading recipe.yml) uses: mikefarah/yq@v4.40.5 - name: Gather image data from recipe run: | echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }}) - echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV - name: Verify base image 
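Review bot: The step that compared `cosign public-key --key env://COSIGN_PRIVATE_KEY` with the committed `cosign.pub` is removed without a replacement in this workflow. Unless the BlueBuild action performs that comparison itself, which is not visible here, a rotated or mismatched `SIGNING_SECRET` would produce images whose signatures do not verify against the `cosign.pub` shipped inside them, and nothing in CI would fail. Keep a short pre-build step that runs that diff and exits non-zero on mismatch, or note in a comment next to `- name: Checkout repo` where that guarantee now lives. The enclosing `steps:` list continues past the end of this hunk.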
@@ -173,145 +129,10 @@ jobs: registry: 'ghcr.io/wayblueorg' pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub' - - name: Get current version - id: labels - run: | - ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.IMAGE_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]') - echo "VERSION=$ver" >> $GITHUB_OUTPUT - - - name: Generate tags - id: generate-tags - shell: bash - run: | - # Generate a timestamp for creating an image version history - TIMESTAMP="$(date +%Y%m%d)" - MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)" - COMMIT_TAGS=() - BUILD_TAGS=() - # Have tags for tracking builds during pull request - SHA_SHORT="${GITHUB_SHA::7}" - - # Using clever bash string templating, https://stackoverflow.com/q/40771781 - # don't make malformed tags if $MAJOR_VERSION is empty (base-image didn't include proper labels) -- - COMMIT_TAGS+=("pr-${{ github.event.number }}${MAJOR_VERSION:+-$MAJOR_VERSION}") - COMMIT_TAGS+=("${SHA_SHORT}${MAJOR_VERSION:+-$MAJOR_VERSION}") - - BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION:+$MAJOR_VERSION-}${TIMESTAMP}") - # -- - - if [[ ${{ github.ref_name }} == "staging" ]]; then - BUILD_TAGS=("${MAJOR_VERSION}-staging" "${MAJOR_VERSION}-staging-${TIMESTAMP}") - BUILD_TAGS+=("staging") - else - BUILD_TAGS=("${MAJOR_VERSION}" "${MAJOR_VERSION}-${TIMESTAMP}") - BUILD_TAGS+=("latest") - BUILD_TAGS+=("${TIMESTAMP}") - fi - - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "Generated the following commit tags: " - for TAG in "${COMMIT_TAGS[@]}"; do - echo "${TAG}" - done - alias_tags=("${COMMIT_TAGS[@]}") - else - alias_tags=("${BUILD_TAGS[@]}") - fi - echo "Generated the following build tags: " - for TAG in "${BUILD_TAGS[@]}"; do - echo "${TAG}" - done - echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - - # Build metadata - - name: Image Metadata - uses: docker/metadata-action@v5 - id: meta + - name: Build secureblue + uses: 
blue-build/github-action@v1.0.2 with: - images: | - ${{ env.IMAGE_NAME }} - labels: | - org.opencontainers.image.title=${{ env.IMAGE_NAME }} - org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} - org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }} - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md - io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - - # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. - # https://github.com/macbre/push-to-ghcr/issues/12 - - name: Lowercase Registry - id: registry_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_REGISTRY }} - - - name: Lowercase Image - id: image_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_NAME }} - - - name: Maximize build space - uses: AdityaGarg8/remove-unwanted-software@v2 - with: - remove-dotnet: 'true' - remove-android: 'true' - remove-haskell: 'true' - - # Build image using Buildah action - - name: Build Image - id: build_image - uses: redhat-actions/buildah-build@v2 - with: - containerfiles: | - ./Containerfile - image: ${{ env.IMAGE_NAME }} - tags: | - ${{ steps.generate-tags.outputs.alias_tags }} - build-args: | - IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }} - BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }} - RECIPE=${{ matrix.recipe }} - IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }} - labels: ${{ steps.meta.outputs.labels }} - oci: false - - # Push the image to GHCR (Image Registry) - - name: Push To GHCR - uses: redhat-actions/push-to-registry@v2 - id: push - if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/live' || github.ref == 'refs/heads/staging') - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - with: - image: ${{ steps.build_image.outputs.image }} - tags: ${{ 
steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/live' || github.ref == 'refs/heads/staging') - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Sign container - - name: Sign container image - if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/live' || github.ref == 'refs/heads/staging') - run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}@${TAGS} - env: - TAGS: ${{ steps.push.outputs.digest }} - COSIGN_EXPERIMENTAL: false - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - - - name: Echo outputs - if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/live' || github.ref == 'refs/heads/staging') - run: | - echo "${{ toJSON(steps.push.outputs) }}" + recipe: ${{ matrix.recipe }} + cosign_private_key: ${{ secrets.SIGNING_SECRET }} + registry_token: ${{ github.token }} + pr_event_number: ${{ github.event.number }} diff --git a/.github/workflows/release-iso.yml b/.github/workflows/release-iso.yml index 899f934..c89ea27 100644 --- a/.github/workflows/release-iso.yml +++ b/.github/workflows/release-iso.yml @@ -1,8 +1,8 @@ on: push: paths: - - 'boot_menu.yml' - - '.github/workflows/release-iso.yml' + - "boot_menu.yml" + - ".github/workflows/release-iso.yml" workflow_dispatch: name: release-iso 
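Review bot: `uses: blue-build/github-action@v1.0.2` is pinned to a mutable tag while being handed `secrets.SIGNING_SECRET` and a `packages: write` token, so a moved tag upstream would run different code with the signing key. Pin it to the full commit SHA and keep the version as a trailing comment, `uses: blue-build/github-action@<commit-sha> # v1.0.2`; the daily Dependabot schedule for `github-actions` set in this commit can keep such pins current. The same applies to `ublue-os/isogenerator-old@v2.3.1` in the release-iso.yml hunk at L7, which runs in a `--privileged` container with `contents: write`.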
@@ -12,13 +12,13 @@ jobs: runs-on: ubuntu-latest permissions: contents: write - container: + container: image: fedora:39 options: --privileged steps: - uses: actions/checkout@v4 - - name: Generate ISO - uses: ublue-os/isogenerator@v2.3.1 + - name: Generate ISO + uses: ublue-os/isogenerator-old@v2.3.1 id: isogenerator with: image-name: ${{ github.event.repository.name }} @@ -43,5 +43,4 @@ jobs: - name: Upload SHA256SUM env: GITHUB_TOKEN: ${{ github.token }} - run: - gh release upload auto-iso ${{ steps.isogenerator.outputs.sha256sum-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber + run: gh release upload auto-iso ${{ steps.isogenerator.outputs.sha256sum-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber diff --git a/.gitignore b/.gitignore index 02dd1dc..a265fd8 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ cosign.key *.kate-swp .directory +Containerfile diff --git a/Containerfile b/Containerfile deleted file mode 100644 index b89ff33..0000000 --- a/Containerfile +++ /dev/null 
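Review bot: The switch from `ublue-os/isogenerator@v2.3.1` to `ublue-os/isogenerator-old@v2.3.1` at `- name: Generate ISO` is not explained in the hunk or the commit message, so a later reader cannot tell whether it is a temporary fallback or the intended long-term dependency. Add a one-line comment above the `uses:` line recording the reason and the condition for moving back, e.g. `# isogenerator-old: <reason>; revisit when <condition>`. The enclosing job starts before this hunk.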
@@ -1,44 +0,0 @@
-# This is the Containerfile for your custom image.
-
-# Instead of adding RUN statements here, you should consider creating a script
-# in `config/scripts/`. Read more in `modules/script/README.md`
-
-# This Containerfile takes in the recipe, version, and base image as arguments,
-# all of which are provided by build.yml when doing builds
-# in the cloud. The ARGs have default values, but changing those
-# does nothing if the image is built in the cloud.
-
-# !! Warning: changing these might not do anything for you. Read comment above.
-ARG IMAGE_MAJOR_VERSION=39
-ARG BASE_IMAGE_URL=ghcr.io/ublue-os/silverblue-main
-
-FROM ${BASE_IMAGE_URL}:${IMAGE_MAJOR_VERSION}
-
-# The default recipe is set to the recipe's default filename
-# so that `podman build` should just work for most people.
-ARG RECIPE=recipe.yml
-# The default image registry to write to policy.json and cosign.yaml
-ARG IMAGE_REGISTRY=ghcr.io/ublue-os
-
-COPY cosign.pub /usr/share/ublue-os/cosign.pub
-
-# Copy build scripts & configuration
-COPY build.sh /tmp/build.sh
-COPY config /tmp/config/
-
-# Copy modules
-# The default modules are inside ublue-os/bling
-COPY --from=ghcr.io/ublue-os/bling:latest /modules /tmp/modules/
-# Custom modules overwrite defaults
-COPY modules /tmp/modules/
-
-# `yq` is used for parsing the yaml configuration
-# It is copied from the official container image since it's not available as an RPM.
-COPY --from=docker.io/mikefarah/yq /usr/bin/yq /usr/bin/yq
-
-# Change this if you want different version/tag of akmods.
-COPY --from=ghcr.io/ublue-os/akmods:main-39 /rpms /tmp/rpms
-
-# Run the build script, then clean up temp files and finalize container build.
-RUN chmod +x /tmp/build.sh && /tmp/build.sh && \
- rm -rf /tmp/* /var/* && ostree container commit
diff --git a/build.sh b/build.sh
deleted file mode 100644
index c48b2ae..0000000
--- a/build.sh
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/env bash
-
-# This script executes the modules in order.
-# If you have some custom commands you need to run, you should not put them here.
-# Instead, you should probably include them as custom scripts.
-# Editing this file directly is an unsupported configuration.
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-export CONFIG_DIRECTORY="/tmp/config"
-RECIPE_FILE="$CONFIG_DIRECTORY/$RECIPE"
-export MODULE_DIRECTORY="/tmp/modules"
-
-# https://mikefarah.gitbook.io/yq/usage/tips-and-tricks#yq-in-a-bash-loop
-get_yaml_array() {
- # creates array $1 with content at key $2 from $3
- readarray "$1" < <(echo "$3" | yq -I=0 "$2")
-}
-export -f get_yaml_array # this makes the function available to all modules
-
-run_module() {
- MODULE="$1"
- TYPE=$(echo "$MODULE" | yq '.type')
- if [[ "$TYPE" != "null" ]]; then
- cd "$CONFIG_DIRECTORY"
- # If type is found, that means that the module config
- # has been declared inline, and thus is safe to pass to the module
- echo "=== Launching module of type: $TYPE ==="
- bash "$MODULE_DIRECTORY/$TYPE/$TYPE.sh" "$MODULE"
- else
- # If the type is not found, that means that the module config
- # is in a separate file, and has to be read from it
- FILE=$(echo "$MODULE" | yq '.from-file')
- run_modules "$CONFIG_DIRECTORY/$FILE"
- fi
- echo "======"
-}
-
-run_modules() {
- MODULES_FILE="$1"
- readarray MODULES < <(yq -o=j -I=0 '.modules[]' "$MODULES_FILE" )
- if [[ ${#MODULES[@]} -gt 0 ]]; then
- for MODULE in "${MODULES[@]}"; do
- run_module "$MODULE"
- done
- else
- MODULE=$(yq -o=j -I=0 '.' "$MODULES_FILE")
- run_module "$MODULE"
- fi
-}
-
-# Declare dynamically generated variables as exported
-declare -x IMAGE_NAME BASE_IMAGE OS_VERSION
-
-# Read configuration variables.
-BASE_IMAGE="$(yq '.base-image' "$RECIPE_FILE")"
-IMAGE_NAME="$(yq '.name' "$RECIPE_FILE")"
-
-# Automatically determine which Fedora version we're building.
-OS_VERSION="$(grep -Po '(?<=VERSION_ID=)\d+' /usr/lib/os-release)" - -# Welcome. -echo "Building $IMAGE_NAME from $BASE_IMAGE:$OS_VERSION." - -# Remove old image-info.json from main image -# (this file is added back by signing.sh, but shouldn't exist -# with wrong details in an unsigned image) -IMAGE_INFO="/usr/share/ublue-os/image-info.json" -if [ -f "$IMAGE_INFO" ]; then - rm -v "$IMAGE_INFO" -fi - -run_modules "$RECIPE_FILE" diff --git a/config/recipes/laptop/recipe-bluefin-dx-framework-userns.yml b/config/recipes/laptop/recipe-bluefin-dx-framework-userns.yml index b31d332..3b98cfb 100644 --- a/config/recipes/laptop/recipe-bluefin-dx-framework-userns.yml +++ b/config/recipes/laptop/recipe-bluefin-dx-framework-userns.yml @@ -1,7 +1,7 @@ # image will be published to ghcr.io// -name: bluefin-framework-userns-hardened +name: bluefin-dx-framework-userns-hardened # description will be included in the image's metadata -description: "Bluefin framework with some hardening applied" +description: "Bluefin-dx framework with some hardening applied" # the base image to build on top of (FROM) and the version tag to use base-image: ghcr.io/ublue-os/bluefin-dx-framework @@ -18,4 +18,4 @@ modules: - from-file: common/common-scripts.yml - from-file: common/gui-scripts.yml - from-file: common/bluefin-scripts.yml - - type: yafti \ No newline at end of file + - type: yafti