This repository has been archived by the owner on Dec 25, 2024. It is now read-only.
generated from blue-build/template
-
Notifications
You must be signed in to change notification settings - Fork 1
134 lines (122 loc) · 4.91 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
---
name: Build Atomic Studio
on: # yamllint disable-line rule:truthy
schedule:
- cron: "00 17 * * *" # build at 17:00 UTC every day
push:
paths:
- config/**
- modules/**
- .github/workflows/build.yml
pull_request:
workflow_dispatch:
env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs:
bluebuild:
name: Build Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
recipe:
- ".yml"
- "-nvidia.yml"
- "-gnome.yml"
- "-gnome-nvidia.yml"
steps:
- name: Maximize build space
uses: ublue-os/remove-unwanted-software@v6
with:
remove-codeql: 'true'
- name: Additional cleanup
run: |
sudo rm -rf /home/linuxbrew /usr/share/miniconda /usr/local/share/vcpkg
sudo apt purge imagemagick imagemagick xorriso sqlite3 sphinxsearch shellcheck
- name: Checkout repository
uses: actions/checkout@v4
- name: Generate recipes
id: recipes_meta
run: |
sudo apt install -y jsonnet
mkdir config/recipes
jsonnet config/templates/recipe-std.jsonnet -m config/recipes -y
echo "IMAGE_NAME=$(yq '.name' config/recipes/recipe${{matrix.recipe}} )" >> $GITHUB_OUTPUT
echo "IMAGE_DESCRIPTION=$(yq '.description' config/recipes/recipe${{matrix.recipe}} )" >> $GITHUB_OUTPUT
echo "VERSION=39" >> $GITHUB_OUTPUT
echo "tags=$(yq '."image-version"' config/recipes/recipe${{matrix.recipe}} )" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
install: true
driver: docker
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.title=${{ steps.recipes_meta.outputs.IMAGE_NAME }}
org.opencontainers.image.version=${{ steps.recipes_meta.outputs.VERSION }}
org.opencontainers.image.description=${{ steps.recipes_meta.outputs.IMAGE_DESCRIPTION }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/README.md
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/atomic-studio-org/Atomic-Studio/main/assets/studio-blob.png
- name: Generate Containerfile with Bluebuild
shell: bash
run: |
docker run \
--detach \
--rm \
--name blue-build-installer \
ghcr.io/blue-build/cli:main-installer \
tail -f /dev/null
docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild
docker stop -t 0 blue-build-installer
/usr/local/bin/bluebuild template -v ./config/recipes/recipe${{matrix.recipe}} -o /tmp/Containerfile
- name: Build
id: build_image
uses: docker/build-push-action@v5
with:
context: .
push: false
file: /tmp/Containerfile
tags: ${{env.IMAGE_REGISTRY}}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}:latest
labels: ${{ steps.meta.outputs.labels }}
- name: Sign kernel
uses: atomic-studio-org/kernel-signer-docker@main
with:
image: ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}
imagename: ${{ steps.recipes_meta.outputs.IMAGE_NAME }}
privkey: ${{ secrets.SBKEY }}
pubkey: /usr/etc/pki/certs/atomic-studio-sbkey.der
tags: latest
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Push To GHCR Image Registry
run: docker push --disable-content-trust ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}
- name: Install cosign
uses: sigstore/[email protected]
- name: Sign container image
shell: bash
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}@${{ steps.build_image.outputs.digest }}
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}