feat: match packagelist with rest of -dx #65
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Build Bazzite DX | |
| on: | |
| schedule: | |
| # 7:10 UTC Monday | |
| # - Bazzite is built 4:40 utc Monday and takes roughly 90 minutes | |
| # so this schedule gives about an hour wiggle room | |
| # - Bluefin/Aurora are built everyday at 4:40 utc as well | |
| - cron: "10 7 * * 1" # 4:40 utc monday | |
| merge_group: | |
| pull_request: | |
| workflow_dispatch: | |
| env: | |
| IMAGE_NAME: "${{ github.event.repository.name }}" # the name of the image produced by this build, matches repo names | |
| IMAGE_DESC: "${{ github.event.repository.description }}" | |
| IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit | |
| ARTIFACTHUB_LOGO_URL: "https://avatars.githubusercontent.com/u/187439889?s=200&v=4" | |
| # The tag used in the image from which we base of. | |
| # ex.: ghcr.io/org/image:IMAGE_SOURCE_TAG | |
| IMAGE_SOURCE_TAG: "latest" | |
| SOURCE_ORG: "ublue-os" | |
| SOURCE_REPO: "bazzite" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} | |
| cancel-in-progress: true | |
| jobs: | |
| build_push: | |
| name: Build and push image | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| base_image: | |
| - bazzite | |
| - bazzite-gnome | |
| - bazzite-gnome-nvidia-open | |
| - bazzite-nvidia-open | |
| env: | |
| BASE_IMAGE: ${{ matrix.base_image }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| # These stage versions are pinned by https://github.com/renovatebot/renovate | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| # This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines: | |
| # - name: Maximize build space | |
| # uses: ublue-os/remove-unwanted-software@5a8b0374222a6fffddb1be9516b5fece9483bed0 # v8 | |
| # with: | |
| # remove-codeql: true | |
| - name: Get current date | |
| id: date | |
| run: | | |
| # This generates a timestamp like what is defined on the ArtifactHub documentation | |
| # E.G: 2022-02-08T15:38:15Z' | |
| # https://artifacthub.io/docs/topics/repositories/container-images/ | |
| # https://linux.die.net/man/1/date | |
| echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT | |
| # OUTPUTS: | |
| # - SOURCE_VERSION: version of the source image. Ex.: testing-41.20250312 | |
| # - SOURCE_VERSION_MAJOR: major version. Used to identify big releases. Ex.: 41 | |
| - name: Get image major version | |
| id: fetch_source_meta | |
| env: | |
| org: ${{ env.SOURCE_ORG }} | |
| IMAGE_SOURCE_TAG: ${{ env.IMAGE_SOURCE_TAG || 'latest' }} | |
| run: | | |
| set -x | |
| # SOURCE_VERSION_MAJOR must be a number | |
| declare -i SOURCE_VERSION_MAJOR=0 | |
| # There are some ways to get the major release from an image. | |
| # First method: `skopeo inspect` and annotations. | |
| SOURCE_VERSION=$( | |
| skopeo inspect --no-tags --raw --config \ | |
| "docker://ghcr.io/${org}/${BASE_IMAGE}:${IMAGE_SOURCE_TAG}" | \ | |
| jq -r '.config.Labels["org.opencontainers.image.version"]' | |
| ) | |
| if [[ -z $SOURCE_VERSION ]]; then | |
| echo "::error::$SOURCE_VERSION was not fetched correctly: $SOURCE_VERSION=${$SOURCE_VERSION}" | |
| exit 1 | |
| fi | |
| echo "SOURCE_VERSION=$SOURCE_VERSION" >>$GITHUB_OUTPUT | |
| SOURCE_VERSION_MAJOR=$([[ ${SOURCE_VERSION} =~ ^(.*-)?([[:digit:]]+) ]] && echo "${BASH_REMATCH[-1]}") | |
| _status=$? | |
| unset -v _tag | |
| if [[ $_status -ne 0 ]] || [[ -z ${SOURCE_VERSION_MAJOR} ]] || (( SOURCE_VERSION_MAJOR <= 0 )); then | |
| echo "::error::SOURCE_VERSION_MAJOR was not fetched correctly: SOURCE_VERSION_MAJOR=${SOURCE_VERSION_MAJOR}" | |
| exit 1 | |
| fi | |
| echo "SOURCE_VERSION_MAJOR=$SOURCE_VERSION_MAJOR" >>$GITHUB_OUTPUT | |
| - name: Generate output image ref | |
| id: gen_image_ref | |
| run: | | |
| echo "IMAGE_NAME=${BASE_IMAGE/bazzite/bazzite-dx}" | tee -a $GITHUB_ENV | |
| # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images | |
| # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. | |
| - name: Image Metadata | |
| uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5 | |
| id: metadata | |
| with: | |
| # This generates all the tags for your image, you can add custom tags here too! | |
| # By default, it should generate "latest" and "latest.(date here)". | |
| tags: | | |
| type=raw,value=latest | |
| type=raw,value=stable | |
| type=raw,value=stable-${{ steps.fetch_source_meta.outputs.SOURCE_VERSION_MAJOR }} | |
| type=raw,value=stable-${{ steps.fetch_source_meta.outputs.SOURCE_VERSION_MAJOR }}.{{date 'YYYYMMDD'}} | |
| type=raw,value=${{ steps.fetch_source_meta.outputs.SOURCE_VERSION_MAJOR }} | |
| type=raw,value=${{ steps.fetch_source_meta.outputs.SOURCE_VERSION_MAJOR }}.{{date 'YYYYMMDD'}} | |
| type=sha,enable=${{ github.event_name == 'pull_request' }} | |
| type=ref,event=pr | |
| labels: | | |
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md | |
| org.opencontainers.image.created=${{ steps.date.outputs.date }} | |
| org.opencontainers.image.description=${{ env.IMAGE_DESC }} | |
| org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md | |
| org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile | |
| org.opencontainers.image.title=${{ env.IMAGE_NAME }} | |
| org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} | |
| org.opencontainers.image.vendor=${{ github.repository_owner }} | |
| org.opencontainers.image.version=${{ steps.fetch_source_meta.outputs.SOURCE_VERSION }} | |
| io.artifacthub.package.deprecated=false | |
| io.artifacthub.package.keywords=bootc,ublue,universal-blue | |
| io.artifacthub.package.license=Apache-2.0 | |
| io.artifacthub.package.logo-url=${{ env.ARTIFACTHUB_LOGO_URL }} | |
| io.artifacthub.package.prerelease=false | |
| containers.bootc=1 | |
| sep-tags: " " | |
| sep-annotations: " " | |
| - name: Build Image | |
| id: build_image | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 | |
| with: | |
| containerfiles: | | |
| ./Containerfile | |
| # Postfix image name with -custom to make it a little more descriptive | |
| # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format | |
| image: ${{ env.IMAGE_NAME }} | |
| tags: ${{ steps.metadata.outputs.tags }} | |
| labels: ${{ steps.metadata.outputs.labels }} | |
| oci: false | |
| build-args: | | |
| BASE_IMAGE=ghcr.io/${{ env.SOURCE_ORG }}/${{ matrix.base_image }}:${{ env.IMAGE_SOURCE_TAG || 'latest' }} | |
| # Rechunk is a script that we use on Universal Blue to make sure there isnt a single huge layer when your image gets published. | |
| # This does not make your image faster to download, just provides better resumability and fixes a few errors. | |
| # Documentation for Rechunk is provided on their github repository at https://github.com/hhd-dev/rechunk | |
| # You can enable it by uncommenting the following lines: | |
| # - name: Run Rechunker | |
| # id: rechunk | |
| # uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1 | |
| # with: | |
| # rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1' | |
| # ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" | |
| # prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" | |
| # skip_compression: true | |
| # version: ${{ env.CENTOS_VERSION }} | |
| # labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator | |
| # This is necessary so that the podman socket can find the rechunked image on its storage | |
| # - name: Load in podman and tag | |
| # run: | | |
| # IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) | |
| # sudo rm -rf ${{ steps.rechunk.outputs.output }} | |
| # for tag in ${{ steps.metadata.outputs.tags }}; do | |
| # podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag | |
| # done | |
| # These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing | |
| # They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. | |
| # https://github.com/macbre/push-to-ghcr/issues/12 | |
| - name: Lowercase Image and Registry | |
| id: lowercase | |
| env: | |
| IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }} | |
| IMAGE_NAME: ${{ env.IMAGE_NAME }} | |
| run: | | |
| set -x | |
| echo "registry=${IMAGE_REGISTRY,,}" >> $GITHUB_OUTPUT | |
| echo "image=${IMAGE_NAME,,}" >> $GITHUB_OUTPUT | |
| - name: Push To GHCR | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| id: push | |
| env: | |
| REGISTRY_USER: ${{ github.actor }} | |
| REGISTRY_PASSWORD: ${{ github.token }} | |
| with: | |
| registry: ${{ steps.lowercase.outputs.registry }} | |
| image: ${{ steps.lowercase.outputs.image }} | |
| tags: ${{ steps.metadata.outputs.tags }} | |
| username: ${{ env.REGISTRY_USER }} | |
| password: ${{ env.REGISTRY_PASSWORD }} | |
| # This section is optional and only needs to be enabled if you plan on distributing | |
| # your project for others to consume. You will need to create a public and private key | |
| # using Cosign and save the private key as a repository secret in Github for this workflow | |
| # to consume. For more details, review the image signing section of the README. | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| - name: Sign container image | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| env: | |
| LOWERCASE_REGISTRY: ${{ steps.lowercase.outputs.registry }} | |
| LOWERCASE_IMAGE: ${{ steps.lowercase.outputs.image }} | |
| TAGS_TO_SIGN: ${{ steps.metadata.outputs.tags }} | |
| TAGS: ${{ steps.push.outputs.digest }} | |
| COSIGN_EXPERIMENTAL: false | |
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | |
| run: | | |
| IMAGE_FULL="${LOWERCASE_REGISTRY}/${LOWERCASE_IMAGE}" | |
| for tag in ${TAGS_TO_SIGN}; do | |
| cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag | |
| done | |
| check: | |
| name: Check all builds successful | |
| if: always() | |
| runs-on: ubuntu-latest | |
| needs: [build_push] | |
| steps: | |
| - name: Check Jobs | |
| env: | |
| JOBS: ${{ toJson(needs) }} | |
| run: | | |
| echo "Job status:" | |
| echo $JOBS | jq -r 'to_entries[] | " - \(.key): \(.value.result)"' | |
| for i in $(echo $JOBS | jq -r 'to_entries[] | .value.result'); do | |
| if [ "$i" != "success" ] && [ "$i" != "skipped" ]; then | |
| echo "" | |
| echo "Status check not okay!" | |
| exit 1 | |
| fi | |
| done |