--- name: Build container image on: pull_request: branches: - main schedule: - cron: "05 10 * * *" # 10:05am UTC everyday push: branches: - main paths-ignore: - "**/README.md" workflow_dispatch: env: REGISTRY_USER: ${{ github.actor }} REGISTRY_AUTH_FILE: /root/.podman/auth.json IMAGE_DESC: "My customized Fedora bootc image, based on Universal Blue" IMAGE_KEYWORDS: "bootc,fedora,silverblue,ublue,universal-blue" IMAGE_LOGO_URL: "https://davejansen.dev/avatars/940c9cc684fa03784359f97d591a389ecd90cd912acf2335a60acd616922000a?size=48" IMAGE_NAME: "${{ github.event.repository.name }}" # output image name, usually same as repo name IMAGE_REGISTRY: davejansen.dev IMAGE_OWNER: ${{ github.repository_owner }} FEDORA_BASE: 43 REPO_URL: https://davejansen.dev/${{ github.repository_owner }}/${{ github.event.repository.name }} concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} cancel-in-progress: true jobs: build_push: name: Build and push image runs-on: ubuntu-24.04 permissions: contents: read packages: write id-token: write steps: - name: Prepare environment run: | # Lowercase the image uri echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV} echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV} # These stage versions are pinned by https://github.com/renovatebot/renovate - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Get current date id: date run: | # This generates a timestamp like what is defined on the ArtifactHub documentation # E.G: 2022-02-08T15:38:15Z' # https://artifacthub.io/docs/topics/repositories/container-images/ # https://linux.die.net/man/1/date echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. - name: Image Metadata uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 id: metadata env: README_URL: ${{ env.REPO_URL }}/raw/commit/${{ github.sha }}/README.md with: # This generates all the tags for your image, you can add custom tags here too! tags: | type=sha type=raw,value=latest,enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} type=raw,value=${{ env.FEDORA_BASE }},enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}},enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} type=ref,event=pr labels: | io.artifacthub.package.readme-url=${{ env.README_URL }} org.opencontainers.image.created=${{ steps.date.outputs.date }} org.opencontainers.image.description=${{ env.IMAGE_DESC }} org.opencontainers.image.documentation=${{ env.README_URL }} org.opencontainers.image.source=${{ env.REPO_URL }}/raw/commit/${{ github.sha }}/Containerfile org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.url=${{ env.REPO_URL }} org.opencontainers.image.vendor=${{ github.repository_owner }} org.opencontainers.image.version=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}} io.artifacthub.package.deprecated=false io.artifacthub.package.keywords=${{ env.IMAGE_KEYWORDS }} io.artifacthub.package.license=Apache-2.0 io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }} io.artifacthub.package.prerelease=false containers.bootc=1 sep-tags: " " sep-annotations: " " - name: Install build dependencies run: | apt-get -y update && apt-get -y install buildah podman - name: Build Image id: build_image uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 with: containerfiles: | ./Containerfile build-args: | FEDORA_BASE=${{ env.FEDORA_BASE }} image: ${{ env.IMAGE_NAME }} tags: ${{ steps.metadata.outputs.tags }} labels: ${{ steps.metadata.outputs.labels }} #labels: "localhost/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE }}" extra-args: --isolation=chroot oci: false # Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published. # This does not make your image faster to download, just provides better resumability and fixes a few errors. # Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk # You can enable it by uncommenting the following lines: # - name: Run Rechunker # id: rechunk # uses: hhd-dev/rechunk@v1.2.4 # with: # rechunk: "ghcr.io/hhd-dev/rechunk:v1.2.4" # ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE }}" # prev-ref: # "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE # }}" # skip_compression: true # version: ${{ env.FEDORA_BASE }} # labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator - name: Login to Container Registry if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) run: | podman login \ --verbose \ --authfile "${{ env.REGISTRY_AUTH_FILE }}" \ --username "${{ env.REGISTRY_USER }}" \ --password "${{ secrets.CONTAINER_TOKEN }}" \ ${{ env.IMAGE_REGISTRY }} - name: Push To Registry uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: push env: REGISTRY_PASSWORD: ${{ secrets.CONTAINER_TOKEN }} with: extra-args: --authfile=${{ env.REGISTRY_AUTH_FILE }} registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_OWNER }} image: ${{ env.IMAGE_NAME }} tags: ${{ steps.metadata.outputs.tags }} # This section is optional and only needs to be enabled if you plan on distributing # your project for others to consume. You will need to create a public and private key # using Cosign and save the private key as a repository secret in Github for this workflow # to consume. For more details, review the image signing section of the README. - name: Install Cosign uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - name: Sign container image if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) env: IMAGE_FULL: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_OWNER }}/${{ env.IMAGE_NAME }} TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} COSIGN_PASSWORD: "" run: | for tag in ${{ steps.metadata.outputs.tags }}; do cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag done