davejansen/fedora-bootc
1
0
Fork 1
Code Issues 2 Pull Requests Actions 2 Packages Releases Activity

Initial Setup

Browse Source 
Re-worked to support my Gitea environment, along with some other customizations
and removals.

Currently based off of their `silverblue-main` base image, with 1Password and
Tailscale layered.
This commit is contained in:
Dave Jansen
2025-10-28 10:49:25 +09:00
parent fc98e3c092
commit f36fd9d04d
14 changed files with 434 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

201
.gitea/workflows/build.yml Normal file
View File

@@ -0,0 +1,201 @@
---
name: Build container image
on:
pull_request:
branches:
- main
schedule:
- cron: "05 10 * * *" # 10:05am UTC everyday
push:
branches:
- main
paths-ignore:
- "**/README.md"
workflow_dispatch:
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_AUTH_FILE: /root/.podman/auth.json
IMAGE_DESC: "My customized Fedora bootc image, based on Universal Blue"
IMAGE_KEYWORDS: "bootc,fedora,silverblue,ublue,universal-blue"
IMAGE_LOGO_URL: "https://davejansen.dev/avatars/940c9cc684fa03784359f97d591a389ecd90cd912acf2335a60acd616922000a?size=48"
IMAGE_NAME: "${{ github.event.repository.name }}" # output image name, usually same as repo name
IMAGE_REGISTRY: davejansen.dev
IMAGE_OWNER: ${{ github.repository_owner }}
FEDORA_BASE: 42
REPO_URL:
https://davejansen.dev/${{ github.repository_owner }}/${{
github.event.repository.name }}
concurrency:
group:
${{ github.workflow }}-${{ github.ref || github.run_id }}-${{
inputs.brand_name}}-${{ inputs.stream_name }}
cancel-in-progress: true
jobs:
build_push:
name: Build and push image
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Prepare environment
run: |
# Lowercase the image uri
echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV}
echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV}
# Pre-create Podman's auth file directory and file, this is somehow needed here.
#mkdir -p /tmp/podman-run-0/containers
#echo "{}" > /tmp/podman-run-0/containers/auth.json
# Pre-create docker config file
#mkdir -p ~/.docker
#echo "{}" > ~/.docker/config.json
#touch /tmp/podman-run-0/containers/auth.json
# These stage versions are pinned by https://github.com/renovatebot/renovate
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Get current date
id: date
run: |
# This generates a timestamp like what is defined on the ArtifactHub documentation
# E.G: 2022-02-08T15:38:15Z'
# https://artifacthub.io/docs/topics/repositories/container-images/
# https://linux.die.net/man/1/date
echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT
# Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images
# The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not.
- name: Image Metadata
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5
id: metadata
env:
README_URL: ${{ env.REPO_URL }}/raw/commit/${{ github.sha }}/README.md
with:
# This generates all the tags for your image, you can add custom tags here too!
tags: |
# set latest tag for main branch
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=${{ env.FEDORA_BASE }}
type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}}
type=sha,enable=${{ github.event_name == 'pull_request' }}
type=ref,event=pr
labels: |
io.artifacthub.package.readme-url=${{ env.README_URL }}
org.opencontainers.image.created=${{ steps.date.outputs.date }}
org.opencontainers.image.description=${{ env.IMAGE_DESC }}
org.opencontainers.image.documentation=${{ env.README_URL }}
org.opencontainers.image.source=${{ env.REPO_URL }}/raw/commit/${{ github.sha }}/Containerfile
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.url=${{ env.REPO_URL }}
org.opencontainers.image.vendor=${{ github.repository_owner }}
org.opencontainers.image.version=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}}
io.artifacthub.package.deprecated=false
io.artifacthub.package.keywords=${{ env.IMAGE_KEYWORDS }}
io.artifacthub.package.license=Apache-2.0
io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }}
io.artifacthub.package.prerelease=false
containers.bootc=1
sep-tags: " "
sep-annotations: " "
- name: Install build dependencies
run: |
apt-get -y update && apt-get -y install buildah podman
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
with:
containerfiles: |
./Containerfile
build-args: |
FEDORA_BASE=${{ env.FEDORA_BASE }}
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
extra-args: --isolation=chroot
oci: false
# Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published.
# This does not make your image faster to download, just provides better resumability and fixes a few errors.
# Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk
# You can enable it by uncommenting the following lines:
# - name: Run Rechunker
# id: rechunk
# uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1
# with:
# rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1'
# ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
# prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
# skip_compression: true
# version: ${{ env.CENTOS_VERSION }}
# labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator
# This is necessary so that the podman socket can find the rechunked image on its storage
# - name: Load in podman and tag
# run: |
# IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
# sudo rm -rf ${{ steps.rechunk.outputs.output }}
# for tag in ${{ steps.metadata.outputs.tags }}; do
# podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
# done
- name: Login to Container Registry
run: |
podman login \
--verbose \
--authfile "${{ env.REGISTRY_AUTH_FILE }}" \
--username "${{ env.REGISTRY_USER }}" \
--password "${{ secrets.CONTAINER_TOKEN }}" \
${{ env.IMAGE_REGISTRY }}
- name: Push To Registry
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
if:
github.event_name != 'pull_request' && github.ref ==
format('refs/heads/{0}', github.event.repository.default_branch)
id: push
env:
REGISTRY_PASSWORD: ${{ secrets.CONTAINER_TOKEN }}
with:
extra-args: --authfile=${{ env.REGISTRY_AUTH_FILE }}
registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_OWNER }}
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.metadata.outputs.tags }}
# This section is optional and only needs to be enabled if you plan on distributing
# your project for others to consume. You will need to create a public and private key
# using Cosign and save the private key as a repository secret in Github for this workflow
# to consume. For more details, review the image signing section of the README.
- name: Install Cosign
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
if:
github.event_name != 'pull_request' && github.ref ==
format('refs/heads/{0}', github.event.repository.default_branch)
- name: Sign container image
if:
github.event_name != 'pull_request' && github.ref ==
format('refs/heads/{0}', github.event.repository.default_branch)
env:
IMAGE_FULL:
${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_OWNER }}/${{ env.IMAGE_NAME
}}
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
COSIGN_PASSWORD: ""
run: |
for tag in ${{ steps.metadata.outputs.tags }}; do
cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag
done