This repository has been archived by the owner on Dec 25, 2024. It is now read-only.
Build Atomic Studio #186
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build Atomic Studio | |
on: # yamllint disable-line rule:truthy | |
schedule: | |
- cron: "00 17 * * *" # build at 17:00 UTC every day | |
push: | |
paths: | |
- config/** | |
- modules/** | |
- .github/workflows/build.yml | |
pull_request: | |
workflow_dispatch: | |
env: | |
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
jobs: | |
bluebuild: | |
name: Build Image | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false | |
matrix: | |
recipe: | |
- ".yml" | |
- "-nvidia.yml" | |
- "-gnome.yml" | |
- "-gnome-nvidia.yml" | |
- "-hardened.yml" | |
- "-nvidia-hardened.yml" | |
- "-gnome-hardened.yml" | |
- "-gnome-nvidia-hardened.yml" | |
steps: | |
- name: Maximize build space | |
uses: ublue-os/remove-unwanted-software@v6 | |
with: | |
remove-codeql: 'true' | |
- name: Additional cleanup | |
run: | | |
sudo rm -rf /home/linuxbrew /usr/share/miniconda /usr/local/share/vcpkg | |
sudo apt purge imagemagick imagemagick xorriso sqlite3 sphinxsearch shellcheck | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Generate recipes | |
id: recipes_meta | |
run: | | |
sudo apt install -y jsonnet | |
mkdir config/recipes | |
jsonnet config/templates/recipe-std.jsonnet -m config/recipes -y | |
echo "IMAGE_NAME=$(yq '.name' config/recipes/recipe${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
echo "IMAGE_DESCRIPTION=$(yq '.description' config/recipes/recipe${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
echo "VERSION=39" >> $GITHUB_OUTPUT | |
echo "tags=$(yq '."image-version"' config/recipes/recipe${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
install: true | |
driver: docker | |
- name: Image Metadata | |
uses: docker/metadata-action@v5 | |
id: meta | |
with: | |
images: | | |
${{ env.IMAGE_NAME }} | |
labels: | | |
org.opencontainers.image.title=${{ steps.recipes_meta.outputs.IMAGE_NAME }} | |
org.opencontainers.image.version=${{ steps.recipes_meta.outputs.VERSION }} | |
org.opencontainers.image.description=${{ steps.recipes_meta.outputs.IMAGE_DESCRIPTION }} | |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/README.md | |
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/assets/studio-blob.png | |
- name: Generate Containerfile with Bluebuild | |
shell: bash | |
run: | | |
docker run \ | |
--detach \ | |
--rm \ | |
--name blue-build-installer \ | |
ghcr.io/blue-build/cli:main-installer \ | |
tail -f /dev/null | |
docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild | |
docker stop -t 0 blue-build-installer | |
/usr/local/bin/bluebuild template -v ./config/recipes/recipe${{matrix.recipe}} -o /tmp/Containerfile | |
- name: Build | |
id: build_image | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
push: false | |
file: /tmp/Containerfile | |
tags: ${{env.IMAGE_REGISTRY}}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}:latest | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Sign kernel | |
uses: atomic-studio-org/kernel-signer-docker@main | |
with: | |
image: ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }} | |
imagename: ${{ steps.recipes_meta.outputs.IMAGE_NAME }} | |
privkey: ${{ secrets.SBKEY }} | |
pubkey: /usr/etc/pki/certs/atomic-studio-sbkey.der | |
tags: latest | |
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | |
# https://github.com/macbre/push-to-ghcr/issues/12 | |
- name: Lowercase Registry | |
id: registry_case | |
uses: ASzc/change-string-case-action@v6 | |
with: | |
string: ${{ env.IMAGE_REGISTRY }} | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ github.token }} | |
- name: Push To GHCR Image Registry | |
run: docker push --disable-content-trust ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }} | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
- name: Sign container image | |
shell: bash | |
run: | | |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}@${{ steps.build_image.outputs.digest }} | |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }} | |
env: | |
COSIGN_EXPERIMENTAL: false | |
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |