OmegaSquad82 · OmegaSquad82 · Feb 6, 2025 · Feb 5, 2025 · Feb 5, 2025 · Feb 5, 2025
@@ -4,7 +4,9 @@ on:
   push:
     paths-ignore:
       - '**/release-please.yml'
+      - '**/recompress-latest.yml'
       - '**/vulnerability-scan.yml'
+      - '**/composition-analysis.yml'
       - "**.md"
       - "**/.gitkeep"
       - "build-isos"
@@ -25,7 +27,7 @@ env:
   ZSTD_CHUNKED: true
 
 jobs:
-  bluebuild:
+  imagebuild:
     name: Build Custom Image
     runs-on: ubuntu-24.04
     permissions:
@@ -195,9 +197,3 @@ jobs:
         if: env.DO_ZSTD_CHUNKED == 'true'
         run: |
           echo "${{ toJSON(steps.push.outputs) }}"
-
-      # Free and Open Source Software license scanning
-      - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
-        with:
-          sw-name: ${{ matrix.package }}
@@ -0,0 +1,127 @@
+name: composition-analysis
+on:
+  workflow_dispatch: # allow manually triggering builds
+  push:
+    paths-ignore:
+      - '**/build-image.yml'
+      - '**/release-please.yml'
+      - '**/recompress-latest.yml'
+      - '**/vulnerability-scan.yml'
+      - "**.md"
+      - "**/.gitkeep"
+      - "build-isos"
+      - "renovate.json"
+  schedule:
+    - cron: "10 07 * * 1,3,5" # scan at 06:10 UTC on Mon, Wed, Fr
+        # (1 hour after bluebuild images started building)
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
+
+env:
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_TAGS: latest
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+
+jobs:
+  analysis:
+    name: Scan Custom Image
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    strategy:
+      fail-fast: true
+      matrix:
+        package:
+          - aubertit
+          - buttgenbachit
+          - carbonatcyanotrichit
+          - flaviramea
+    steps:
+
+      # Gimme more room to unfold
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@master
+        with:
+          overprovision-lvm: true
+          remove-android: true
+          remove-codeql: true
+          remove-docker-images: true
+          remove-dotnet: true
+          remove-haskell: true
+      - name: Convert to compressed filesystem
+        shell: bash
+        run: |
+          set -eux pipefail
+
+          # https://github.com/easimon/maximize-build-space/issues/23
+          # https://github.com/easimon/maximize-build-space/pull/37
+          WORKSPACE_OWNER="$(stat -c '%U:%G' "${GITHUB_WORKSPACE}")"
+          VG_NAME=buildvg
+          LV_NAME="/dev/mapper/${VG_NAME}-buildlv"
+
+          cd ~
+          sudo umount "${LV_NAME}"
+
+          # https://github.com/radxa/armbian-compile-action/commit/82fe40188f2f3b4dbd4ae8fb9c64f49f117085c7
+          sudo mkfs.btrfs -L buildlv -M -m single --force "${LV_NAME}"
+          sudo mount -o defaults,noatime,compress=zstd:3,discard=sync "${LV_NAME}" "${GITHUB_WORKSPACE}"
+
+          sudo chown -R "$WORKSPACE_OWNER" "${GITHUB_WORKSPACE}"
+
+      # Prepare analysis
+      - name: Checkout codeZ
+        uses: actions/checkout@v4
+
+      - name: Get default branch name
+        run: echo "DEFAULT_BRANCH=${{ github.event.repository.default_branch }}" >$GITHUB_ENV
+
+      - name: Check if on default (main) or test (rechunk) branch to rechunk it
+        run: |
+          if [[ '${{ github.ref_name }}' = "$DEFAULT_BRANCH" || '${{ github.ref_name }}' = 'analyze' ]]; then
+            OUT='IS_DEFAULT=true'
+          else
+            OUT='IS_DEFAULT=false'
+          fi
+          echo "$OUT" >$GITHUB_ENV
+
+      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
+      # https://github.com/macbre/push-to-ghcr/issues/12
+      - name: Lowercase Registry
+        uses: ASzc/change-string-case-action@v6
+        id: case
+        with:
+          string: ${{ env.IMAGE_REGISTRY }}
+
+      - name: Composite image name
+        run: echo "IMAGE_NAME=${{ steps.case.outputs.lowercase }}/${{ matrix.package }}:$IMAGE_TAGS" >$GITHUB_ENV
+
+      # SCA, Vuln and License scanning
+      - name: Run GitHub Action for ORT
+        uses: oss-review-toolkit/ort-ci-github-action@v1
+        id: ort
+        with:
+          sw-name: ${{ matrix.package }}
+
+      - name: Echo outputs
+        run: |
+          echo "${{ toJSON(steps.ort.outputs) }}"
+
+      - uses: philips-labs/[email protected]
+        id: tern
+        with:
+          image: ${{ env.IMAGE_NAME }}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.package }} 
+          path: ${{ steps.tern.outputs.file }}
+
+      - name: Echo outputs
+        run: |
+          echo "${{ toJSON(steps.ort.outputs) }}"
+          echo "${{ toJSON(steps.tern.outputs) }}"
@@ -0,0 +1,161 @@
+name: recompress-latest
+on:
+  workflow_dispatch: # allow manually triggering builds
+  push:
+    paths-ignore:
+      - '**/build-image.yml'
+      - '**/release-please.yml'
+      - '**/vulnerability-scan.yml'
+      - '**/composition-analysis.yml'
+      - "**.md"
+      - "**/.gitkeep"
+      - "build-isos"
+      - "renovate.json"
+  schedule:
+    - cron: "10 07 * * 1,3,5" # build at 07:10 UTC on Mon, Wed, Fr
+        # (60 minutes after bluebuild images start building)
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
+
+env:
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_TAGS: latest
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+
+jobs:
+  recompress:
+    name: Build Custom Image
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: true
+      matrix:
+        package:
+          - aubertit
+          - buttgenbachit
+          - carbonatcyanotrichit
+          - flaviramea
+    steps:
+
+      # Gimme more room to unfold
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@master
+        with:
+          overprovision-lvm: true
+          remove-android: true
+          remove-codeql: true
+          remove-docker-images: true
+          remove-dotnet: true
+          remove-haskell: true
+      - name: Convert to compressed filesystem
+        shell: bash
+        run: |
+          set -eux pipefail
+
+          # https://github.com/easimon/maximize-build-space/issues/23
+          # https://github.com/easimon/maximize-build-space/pull/37
+          WORKSPACE_OWNER="$(stat -c '%U:%G' "${GITHUB_WORKSPACE}")"
+          VG_NAME=buildvg
+          LV_NAME="/dev/mapper/${VG_NAME}-buildlv"
+
+          cd ~
+          sudo umount "${LV_NAME}"
+
+          # https://github.com/radxa/armbian-compile-action/commit/82fe40188f2f3b4dbd4ae8fb9c64f49f117085c7
+          sudo mkfs.btrfs -L buildlv -M -m single --force "${LV_NAME}"
+          sudo mount -o defaults,noatime,compress=zstd:3,discard=sync "${LV_NAME}" "${GITHUB_WORKSPACE}"
+
+          sudo chown -R "$WORKSPACE_OWNER" "${GITHUB_WORKSPACE}"
+
+      # Create bootc image
+      - name: Checkout codeZ
+        uses: actions/checkout@v4
+
+      - name: Get default branch name
+        run: echo "DEFAULT_BRANCH=${{ github.event.repository.default_branch }}" >$GITHUB_ENV
+
+      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
+      # https://github.com/macbre/push-to-ghcr/issues/12
+      - name: Lowercase Registry
+        uses: ASzc/change-string-case-action@v6
+        id: registry_case
+        with:
+          string: ${{ env.IMAGE_REGISTRY }}
+
+      - name: Composite image name
+        run: echo "IMAGE_NAME=${{ steps.registry_case.outputs.lowercase }}/${{ matrix.package }}" >$GITHUB_ENV
+
+      # This is something the community works for quite a long time
+      #   but it likely will improve the efficiency of transfers;
+      #    this was made to workaround the fact that blue-build
+      #     does not yet support zstd:chunked and it depends
+      #      on bootc/rpm-ostree having implemented this.
+      #       No OS image must be pushed in this form,
+      #        except to non-productive image tags.
+      #
+      # Changetracker
+      #   https://fedoraproject.org/wiki/Changes/zstd:chunked
+      #   https://github.com/containers/storage/pull/775
+      # Documentation
+      #   https://universal-blue.discourse.group/t/zst-chunked-faq/3462
+      # Projectstuffz
+      #   https://github.com/blue-build/cli/issues/112
+      #   https://github.com/containers/bootc/issues/20
+      #   https://github.com/containers/bootc/issues/963
+      - name: Tag latest as latest-zstchd
+        id: pull
+        run: |
+          set -eux pipefail
+          IMAGES=()
+          podman login \
+            --username ${{ env.REGISTRY_USER }} \
+            --password ${{ env.REGISTRY_PASSWORD }} \
+            ${{ steps.registry_case.outputs.lowercase }}
+          for tag in ${{ env.IMAGE_TAGS }}; do
+            podman pull "${{ env.IMAGE_NAME }}:$tag"
+            podman tag "${{ env.IMAGE_NAME }}:$tag" "${{ env.IMAGE_NAME }}:${tag}-zstchd"
+            IMAGES+=("${{ env.IMAGE_NAME }}:${tag}-zstchd") # zstd:chunked
+          done
+          echo "ALL_TAGS=${IMAGES[@]}" >$GITHUB_ENV
+
+      - name: Push To GHCR with Podman in zstd:chunked 
+        uses: redhat-actions/push-to-registry@v2
+        id: push
+        with:
+          tags: ${{ env.ALL_TAGS }}
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          extra-args: |
+            --compression-format=zstd:chunked
+
+      # Sign recompressed container image
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+
+      - uses: sigstore/[email protected]
+
+      - name: Sign container image
+        id: sign
+        run: |
+          echo "${{ env.COSIGN_PRIVATE_KEY }}" >cosign.key
+          wc -c cosign.key
+          cosign sign -y --key cosign.key ${{ env.IMAGE_NAME }}@${TAGS}
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+          TAGS: ${{ steps.push.outputs.digest }}
+
+      - name: Echo outputs
+        run: |
+          echo "${{ toJSON(steps.pull.outputs) }}"
+          echo "${{ toJSON(steps.push.outputs) }}"
+          echo "${{ toJSON(steps.sign.outputs) }}"
@@ -2,12 +2,14 @@ name: vulnerability-scan
 on:
   schedule:
     - cron:
-        "50 0,6,12,18 * * *" # build at {0,6,12,18}:55 UTC every day
-        # (50 minutes after custom image build was triggered, then every 6h)
+        "55 06 * * *" # build at 06:55 am UTC every day
+        # (50 minutes after custom image build was triggered)
   push:
     paths-ignore:
       - '**/build-image.yml'
       - '**/release-please.yml'
+      - '**/recompress-latest.yml'
+      - '**/composition-analysis.yml'
       - "**.md"
       - "**/.gitkeep"
       - "build-isos"
@@ -22,9 +24,9 @@ jobs:
     name: Scan Custom Image
     runs-on: ubuntu-24.04
     permissions:
-      security-events: write
       contents: read
       packages: read
+      security-events: write
     strategy:
       fail-fast: true
       matrix: