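---
# Reusable workflow (workflow_call): resolves the images for one flavor,
# then builds, rechunks, pushes and signs each of them as a matrix job.
name: Build westerOS Images
on: # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      image_flavor:
        description: Image flavor passed through to ./.github/actions/get-images
        type: string
concurrency:
  # One run per workflow/ref/flavor; a newer run cancels an older in-progress one.
  group: >-
    ${{ github.workflow }}-${{ github.ref
    || github.run_id }}-${{ inputs.image_flavor }}
  cancel-in-progress: true
env:
  IMAGE_REGISTRY: ghcr.io/mariolopjr
  IMAGE_NAME: westeros
  # Env values are always strings in Actions; quoted so YAML tooling does not retype it.
  SET_X: "1"
jobs:
  get-images:
    name: Get ${{ inputs.image_flavor }} Images for Build
    outputs:
      images: ${{ steps.images.outputs.images }}
    runs-on: ubuntu-24.04
    # Least privilege: this job only reads the repository.
    permissions:
      contents: read
    steps:
      - name: Checkout
        # Pinned to the same commit (tag v4) as the build job so both jobs
        # check out with an immutable action ref.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
      - name: Get Images for Build
        id: images
        uses: ./.github/actions/get-images
        with:
          image_flavor: ${{ inputs.image_flavor }}
  build-image:
    name: Build ${{ inputs.image_flavor }} Images (${{ matrix.image }})
    needs: get-images
    runs-on: ubuntu-24.04
    continue-on-error: false
    permissions:
      contents: read
      packages: write  # push to GHCR
      # NOTE(review): id-token write is not used by the key-based cosign step
      # below — confirm it is still needed.
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        image: ["${{ fromJson(needs.get-images.outputs.images) }}"]
    # The matrix value reaches the shell steps through an env var and is
    # quoted ("$IMAGE") instead of being interpolated into the script text,
    # so the shell treats it as data rather than code.
    env:
      IMAGE: ${{ matrix.image }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
      - name: Install Just
        uses: ./.github/actions/install-just
      - name: Maximize Build Space
        # TODO(review): pin third-party actions to a commit SHA, as done for checkout.
        uses: ublue-os/remove-unwanted-software@v8
      - name: Build Image
        shell: bash
        run: |
          sudo just build "$IMAGE"
      - name: Rechunk Image
        shell: bash
        run: |
          sudo just rechunk "$IMAGE"
      - name: Load and Tag Image
        shell: bash
        run: |
          just load-image "$IMAGE"
      - name: Get Tags
        id: get_tags
        shell: bash
        # Exposes the tag list as a step output for the push step.
        run: |
          tags=$(just get-tags "$IMAGE")
          echo "tags=$tags" >> "$GITHUB_OUTPUT"
          echo "$GITHUB_OUTPUT"
      - name: Check Secureboot
        id: secureboot
        shell: bash
        run: |
          just secureboot "$IMAGE"
      - name: Lowercase Registry
        id: registry_case
        uses: ASzc/change-string-case-action@v6
        with:
          string: ${{ env.IMAGE_REGISTRY }}
      - name: Push to GHCR
        # NOTE(review): the action ref on the next line is mangled in the
        # source ("[email protected]"); restore the intended Wandalen retry
        # action and its version (ideally a commit SHA) before use.
        uses: Wandalen/[email protected]
        id: push
        # Push and sign only run on manual dispatch, merge-group events or the
        # scheduled run; every other event builds without publishing.
        if: >-
          contains(fromJson('["workflow_dispatch", "merge_group"]'),
          github.event_name) || github.event.schedule == '42 6 * * 0'
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ github.token }}
        with:
          action: redhat-actions/push-to-registry@v2
          attempt_limit: 3
          attempt_delay: 15000
          # Inputs for the wrapped action, passed as a YAML string.
          with: |
            image: ${{ env.IMAGE_NAME }}
            tags: ${{ steps.get_tags.outputs.tags }}
            registry: ${{ steps.registry_case.outputs.lowercase }}
            username: ${{ env.REGISTRY_USER }}
            password: ${{ env.REGISTRY_PASSWORD }}
            extra-args: |
              --disable-content-trust
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        if: >-
          contains(fromJson('["workflow_dispatch", "merge_group"]'),
          github.event_name) || github.event.schedule == '42 6 * * 0'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Sign Container Image
        if: >-
          contains(fromJson('["workflow_dispatch", "merge_group"]'),
          github.event_name) || github.event.schedule == '42 6 * * 0'
        shell: bash
        # Signs by digest (TAGS is the digest from the push outputs), so the
        # signature is bound to the exact pushed content. Fails explicitly
        # when no digest is available instead of passing an empty reference
        # to cosign. The private key is scoped to this step's env only.
        run: |
          if [ -z "${TAGS}" ]; then
            echo "::error::no image digest in push outputs; refusing to sign"
            exit 1
          fi
          cosign sign -y --key env://COSIGN_PRIVATE_KEY \
            "${REGISTRY}/${IMAGE_NAME}@${TAGS}"
        env:
          TAGS: >-
            ${{ steps.push.outputs.outputs
            && fromJSON(steps.push.outputs.outputs).digest }}
          REGISTRY: ${{ steps.registry_case.outputs.lowercase }}
          COSIGN_EXPERIMENTAL: "false"
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
  check:
    name: Check Build ${{ inputs.image_flavor }} Images Successful
    if: ${{ !cancelled() }}
    runs-on: ubuntu-24.04
    needs: [build-image]
    # Least privilege: this job runs no checkout and needs no write access.
    permissions:
      contents: read
    steps:
      # Fail the workflow when any matrix leg failed or was skipped.
      - name: Exit on failure
        if: >-
          ${{ contains(fromJson('["failure", "skipped"]'),
          needs.build-image.result) }}
        shell: bash
        run: exit 1
      - name: Exit
        shell: bash
        run: exit 0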