forked from argrubbs/silverblue-ublue
-
Notifications
You must be signed in to change notification settings - Fork 0
131 lines (121 loc) · 4.15 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: build-ublue
on:
pull_request:
branches:
- beta
schedule:
- cron: '20 20 * * *' # 8:20pm everyday
push:
branches:
- main
paths-ignore:
- '**/README.md'
env:
IMAGE_NAME: noahs-fedora
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs:
push-ghcr:
name: Build and push image
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
major_version: [41]
include:
- major_version: 41
is_latest: true
is_stable: true
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v3
- name: Generate tags
id: generate-tags
shell: bash
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
alias_tags=()
# Only perform the follow code when the action is spawned from a Pull Request
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
alias_tags+=("pr-${{ github.event.number }}")
else
# The following is run when the timer is triggered or a merge/push to main
echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT
alias_tags+=("${{ matrix.major_version }}")
if [[ "${{ matrix.is_latest }}" == "true" ]]; then
alias_tags+=("latest")
fi
if [[ "${{ matrix.is_stable }}" == "true" ]]; then
alias_tags+=("stable")
fi
fi
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./Containerfile
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
${{ steps.generate-tags.outputs.date }}
${{ steps.generate-tags.outputs.sha_short }}
build-args: |
FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
oci: true
extra-args:
--runtime-flag debug
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v5
with:
string: ${{ env.IMAGE_REGISTRY }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
# Sign container
- uses: sigstore/cosign-installer@main
# Only needed when running `cosign sign` using a key
- name: Write signing key to disk
run: |
echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
# DEBUG: get character count of key
wc -c cosign.key
env:
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Sign container image
run: |
cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} -y
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Echo outputs
run: |
echo "${{ toJSON(steps.push.outputs) }}"