This repository has been archived by the owner on Dec 25, 2024. It is now read-only.
Build Atomic Studio #325
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build Atomic Studio | |
on: # yamllint disable-line rule:truthy | |
schedule: | |
- cron: "00 17 * * *" # build at 17:00 UTC every day | |
push: | |
paths: | |
- config/** | |
- generators/** | |
- modules/** | |
- .github/workflows/build.yml | |
pull_request: | |
workflow_dispatch: | |
env: | |
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
jobs: | |
generate-recipes: | |
name: Generate Recipes | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
outputs: | |
recipes: ${{ steps.generate-recipes.outputs.recipes }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Generate recipes | |
id: generate-recipes | |
shell: bash | |
run: | | |
/home/linuxbrew/.linuxbrew/bin/brew install pkl | |
RECIPES=$(/home/linuxbrew/.linuxbrew/bin/pkl eval ./generators/main.pkl -m . -f yaml | sed '/.*files/d') | |
# newlines replaced with spaces | |
echo "Generated recipes: ${RECIPES//$'\n'/ }" | |
# adds [" to the start, adds "] to the end, and replaces newlines with "," to turn the newline-delimeted string into a JSON array | |
RECIPES_JSON_STR="[\"${RECIPES//$'\n'/\",\"}\"]" | |
echo "Generated JSON: ${RECIPES_JSON_STR}" | |
# JSON strings are the only way to dynamically generate GH build matrices | |
echo "recipes=${RECIPES_JSON_STR}" >> $GITHUB_OUTPUT | |
bluebuild: | |
name: Build Image | |
runs-on: ubuntu-latest | |
needs: generate-recipes | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false | |
matrix: | |
recipe: ${{ fromJson(needs.generate-recipes.outputs.recipes) }} | |
steps: | |
- name: Maximize build space | |
uses: ublue-os/remove-unwanted-software@v6 | |
with: | |
remove-codeql: 'true' | |
- name: Additional cleanup | |
run: | | |
sudo rm -rf /usr/share/miniconda /usr/local/share/vcpkg | |
sudo apt purge imagemagick imagemagick xorriso sqlite3 sphinxsearch shellcheck | |
- name: Expose GitHub Runtime | |
uses: crazy-max/ghaction-github-runtime@v3 | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Generate recipes (again) and get metadata | |
id: recipe_meta | |
run: | | |
/home/linuxbrew/.linuxbrew/bin/brew install pkl | |
/home/linuxbrew/.linuxbrew/bin/pkl eval ./generators/main.pkl -m . -f yaml | |
echo "IMAGE_NAME=$(yq '.name' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
echo "IMAGE_DESCRIPTION=$(yq '.description' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
echo "VERSION=40" >> $GITHUB_OUTPUT | |
echo "tags=$(yq '."image-version"' ./${{matrix.recipe}} )" >> $GITHUB_OUTPUT | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
install: true | |
driver: docker-container | |
- name: Image Metadata | |
uses: docker/metadata-action@v5 | |
id: meta | |
with: | |
images: | | |
${{ env.IMAGE_NAME }} | |
labels: | | |
org.opencontainers.image.title=${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
org.opencontainers.image.version=${{ steps.recipe_meta.outputs.VERSION }} | |
org.opencontainers.image.description=${{ steps.recipe_meta.outputs.IMAGE_DESCRIPTION }} | |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/README.md | |
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/assets/studio-blob.png | |
- name: Generate Containerfile with Bluebuild | |
shell: bash | |
run: | | |
docker run \ | |
--detach \ | |
--rm \ | |
--name blue-build-installer \ | |
ghcr.io/blue-build/cli:main-installer \ | |
tail -f /dev/null | |
docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild | |
docker stop -t 0 blue-build-installer | |
/usr/local/bin/bluebuild template -v ./${{matrix.recipe}} -o /tmp/Containerfile | |
- name: Build | |
id: build_image | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
push: false | |
file: /tmp/Containerfile | |
tags: ${{env.IMAGE_REGISTRY}}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}:latest | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Sign kernel | |
uses: atomic-studio-org/kernel-signer-docker@main | |
with: | |
image: ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
imagename: ${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
privkey: ${{ secrets.SBKEY }} | |
pubkey: /usr/etc/pki/certs/atomic-studio-sbkey.der | |
tags: latest | |
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | |
# https://github.com/macbre/push-to-ghcr/issues/12 | |
- name: Lowercase Registry | |
id: registry_case | |
uses: ASzc/change-string-case-action@v6 | |
with: | |
string: ${{ env.IMAGE_REGISTRY }} | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ github.token }} | |
- name: Push To GHCR Image Registry | |
run: docker push --disable-content-trust ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
- name: Sign container image | |
shell: bash | |
run: | | |
SIGN_IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' ${{env.IMAGE_REGISTRY}}/${{ steps.recipe_meta.outputs.IMAGE_NAME }}:latest) | |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipe_meta.outputs.IMAGE_NAME }} | |
cosign sign -y --key env://COSIGN_PRIVATE_KEY $SIGN_IMAGE | |
env: | |
COSIGN_EXPERIMENTAL: false | |
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |