Merge branch 'secureblue:live' into chromiumconfinement #516
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build-secureblue | |
on: | |
schedule: | |
- cron: "00 6 * * *" # build at 6:00 UTC every day | |
# 60 minutes after last wayblue images start building | |
push: | |
paths-ignore: # don't rebuild if only documentation has changed | |
- "**.md" | |
workflow_dispatch: # allow manually triggering builds | |
jobs: | |
bluebuild: | |
name: Build secureblue | |
runs-on: ubuntu-24.04 | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false # stop GH from cancelling all matrix builds if one fails | |
matrix: | |
recipe: | |
# non-userns | |
# general | |
- general/recipe-silverblue-main.yml | |
# - general/recipe-silverblue-nvidia.yml | |
# - general/recipe-silverblue-nvidia-open.yml | |
# - general/recipe-kinoite-main.yml | |
# - general/recipe-kinoite-nvidia.yml | |
# - general/recipe-kinoite-nvidia-open.yml | |
# - general/recipe-sericea-main.yml | |
# - general/recipe-sericea-nvidia.yml | |
# - general/recipe-sericea-nvidia-open.yml | |
# - general/recipe-wayblue-wayfire-main.yml | |
# - general/recipe-wayblue-wayfire-nvidia.yml | |
# - general/recipe-wayblue-wayfire-nvidia-open.yml | |
# - general/recipe-wayblue-hyprland-main.yml | |
# - general/recipe-wayblue-hyprland-nvidia.yml | |
# - general/recipe-wayblue-hyprland-nvidia-open.yml | |
# - general/recipe-wayblue-river-main.yml | |
# - general/recipe-wayblue-river-nvidia.yml | |
# - general/recipe-wayblue-river-nvidia-open.yml | |
# - general/recipe-wayblue-sway-main.yml | |
# - general/recipe-wayblue-sway-nvidia.yml | |
# - general/recipe-wayblue-sway-nvidia-open.yml | |
# - general/recipe-cosmic-main.yml | |
# - general/recipe-cosmic-nvidia.yml | |
# - general/recipe-cosmic-nvidia-open.yml | |
# # server | |
# - securecore/recipe-securecore-main.yml | |
# - securecore/recipe-securecore-nvidia.yml | |
# - securecore/recipe-securecore-nvidia-open.yml | |
# - securecore/recipe-securecore-zfs-main.yml | |
# - securecore/recipe-securecore-zfs-nvidia.yml | |
# - securecore/recipe-securecore-zfs-nvidia-open.yml | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Gather image data from recipe | |
run: | | |
echo "IMAGE_NAME=$(grep '^name:' ./recipes/${{ matrix.recipe }} | sed 's/^name: //')" >> $GITHUB_ENV | |
echo "IMAGE_MAJOR_VERSION=$(grep '^image-version:' ./recipes/${{ matrix.recipe }} | sed 's/^image-version: //')" >> $GITHUB_ENV | |
BASE_IMAGE=$(grep '^base-image:' ./recipes/${{ matrix.recipe }} | sed 's/^base-image: //') | |
echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV | |
- name: Verify base image | |
if: ${{ contains(env.IMAGE_NAME, 'wayblue') }} | |
uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79 # v0.3.0 | |
with: | |
containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} | |
registry: 'ghcr.io/wayblueorg' | |
pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub' | |
- name: Validate server kernel and kmod versions | |
if: ${{ contains(env.IMAGE_NAME, 'securecore') }} | |
run: | | |
set -eo pipefail | |
linux=$(skopeo inspect docker://ghcr.io/ublue-os/coreos-testing-kernel:41 | jq -r '.Labels["ostree.linux"]') | |
AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:coreos-testing-41 | jq -r '.Labels["ostree.linux"]') | |
if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then | |
echo "Kernel Versions do not match between AKMODS and Cached-Kernel." | |
exit 1 | |
fi | |
echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV | |
- name: Validate desktop kernel and kmod versions | |
if: ${{ !contains(env.IMAGE_NAME, 'securecore') }} | |
run: | | |
set -eo pipefail | |
linux=$(skopeo inspect docker://ghcr.io/ublue-os/main-kernel:41 | jq -r '.Labels["ostree.linux"]') | |
AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:main-41 | jq -r '.Labels["ostree.linux"]') | |
if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then | |
echo "Kernel Versions do not match between AKMODS and Cached-Kernel." | |
exit 1 | |
fi | |
echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV | |
- name: Build secureblue | |
uses: blue-build/github-action@4d8b4df657ec923574611eec6fd7e959416c47f0 # v1.8.1 | |
with: | |
cli_version: v0.9.2 | |
recipe: ${{ matrix.recipe }} | |
cosign_private_key: ${{ secrets.SIGNING_SECRET }} | |
registry_token: ${{ github.token }} | |
pr_event_number: ${{ github.event.number }} | |
maximize_build_space: true | |
squash: true |