name: build-secureblue on: schedule: - cron: "00 6 * * *" # build at 6:00 UTC every day # 60 minutes after last wayblue images start building push: paths-ignore: # don't rebuild if only documentation has changed - "**.md" workflow_dispatch: # allow manually triggering builds jobs: bluebuild: name: Build secureblue runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write strategy: fail-fast: false # stop GH from cancelling all matrix builds if one fails matrix: recipe: # non-userns # general - general/recipe-silverblue-main.yml - general/recipe-silverblue-nvidia.yml - general/recipe-silverblue-nvidia-open.yml - general/recipe-kinoite-main.yml - general/recipe-kinoite-nvidia.yml - general/recipe-kinoite-nvidia-open.yml - general/recipe-sericea-main.yml - general/recipe-sericea-nvidia.yml - general/recipe-sericea-nvidia-open.yml - general/recipe-wayblue-wayfire-main.yml - general/recipe-wayblue-wayfire-nvidia.yml - general/recipe-wayblue-wayfire-nvidia-open.yml - general/recipe-wayblue-hyprland-main.yml - general/recipe-wayblue-hyprland-nvidia.yml - general/recipe-wayblue-hyprland-nvidia-open.yml - general/recipe-wayblue-river-main.yml - general/recipe-wayblue-river-nvidia.yml - general/recipe-wayblue-river-nvidia-open.yml - general/recipe-wayblue-sway-main.yml - general/recipe-wayblue-sway-nvidia.yml - general/recipe-wayblue-sway-nvidia-open.yml # - general/recipe-cosmic-main.yml # - general/recipe-cosmic-nvidia.yml # - general/recipe-cosmic-nvidia-open.yml # server - securecore/recipe-securecore-main.yml - securecore/recipe-securecore-nvidia.yml - securecore/recipe-securecore-nvidia-open.yml - securecore/recipe-securecore-zfs-main.yml - securecore/recipe-securecore-zfs-nvidia.yml - securecore/recipe-securecore-zfs-nvidia-open.yml # userns # general - general/recipe-silverblue-main-userns.yml - general/recipe-silverblue-nvidia-userns.yml - general/recipe-silverblue-nvidia-open-userns.yml - general/recipe-kinoite-main-userns.yml - general/recipe-kinoite-nvidia-userns.yml - general/recipe-kinoite-nvidia-open-userns.yml - general/recipe-sericea-main-userns.yml - general/recipe-sericea-nvidia-userns.yml - general/recipe-sericea-nvidia-open-userns.yml - general/recipe-wayblue-wayfire-main-userns.yml - general/recipe-wayblue-wayfire-nvidia-userns.yml - general/recipe-wayblue-wayfire-nvidia-open-userns.yml - general/recipe-wayblue-hyprland-main-userns.yml - general/recipe-wayblue-hyprland-nvidia-userns.yml - general/recipe-wayblue-hyprland-nvidia-open-userns.yml - general/recipe-wayblue-river-main-userns.yml - general/recipe-wayblue-river-nvidia-userns.yml - general/recipe-wayblue-river-nvidia-open-userns.yml - general/recipe-wayblue-sway-main-userns.yml - general/recipe-wayblue-sway-nvidia-userns.yml - general/recipe-wayblue-sway-nvidia-open-userns.yml # - general/recipe-cosmic-main-userns.yml # - general/recipe-cosmic-nvidia-userns.yml # - general/recipe-cosmic-nvidia-open-userns.yml # server - securecore/recipe-securecore-main-userns.yml - securecore/recipe-securecore-nvidia-userns.yml - securecore/recipe-securecore-nvidia-open-userns.yml - securecore/recipe-securecore-zfs-main-userns.yml - securecore/recipe-securecore-zfs-nvidia-userns.yml - securecore/recipe-securecore-zfs-nvidia-open-userns.yml steps: - name: Checkout repo uses: actions/checkout@v4 - name: Add yq (for reading recipe.yml) uses: mikefarah/yq@v4.44.3 - name: Gather image data from recipe run: | echo "IMAGE_NAME=$(yq '.name' ./recipes/${{ matrix.recipe }})" >> $GITHUB_ENV echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./recipes/${{ matrix.recipe }})" >> $GITHUB_ENV BASE_IMAGE=$(yq '.base-image' ./recipes/${{ matrix.recipe }}) echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV - name: Verify base image if: ${{ contains(env.IMAGE_NAME, 'wayblue') }} uses: EyeCantCU/cosign-action/verify@v0.3.0 with: containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} registry: 'ghcr.io/wayblueorg' pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub' - name: Validate server kernel and kmod versions if: ${{ contains(env.IMAGE_NAME, 'securecore') }} uses: Wandalen/wretry.action@v3.5.0 with: attempt_limit: 3 attempt_delay: 15000 command: | set -eo pipefail linux=$(skopeo inspect docker://ghcr.io/ublue-os/coreos-testing-kernel:40 | jq -r '.Labels["ostree.linux"]') AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:coreos-testing-40 | jq -r '.Labels["ostree.linux"]') if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then echo "Kernel Versions do not match between AKMODS and Cached-Kernel." exit 1 fi echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV - name: Validate desktop kernel and kmod versions if: ${{ !contains(env.IMAGE_NAME, 'securecore') }} uses: Wandalen/wretry.action@v3.5.0 with: attempt_limit: 3 attempt_delay: 15000 command: | set -eo pipefail linux=$(skopeo inspect docker://ghcr.io/ublue-os/main-kernel:40 | jq -r '.Labels["ostree.linux"]') AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:main-40 | jq -r '.Labels["ostree.linux"]') if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then echo "Kernel Versions do not match between AKMODS and Cached-Kernel." exit 1 fi echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV - name: Build secureblue uses: blue-build/github-action@v1.6.1 with: cli_version: v0.8.20 recipe: ${{ matrix.recipe }} cosign_private_key: ${{ secrets.SIGNING_SECRET }} registry_token: ${{ github.token }} pr_event_number: ${{ github.event.number }} maximize_build_space: true squash: true