diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eccfa61..e58d732 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,9 @@ on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-wor pull_request: workflow_dispatch: +env: + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + # Only deploys the branch named "live". Ignores all other branches, to allow # having "development" branches without interfering with GHCR image uploads. jobs: 
@@ -21,41 +24,37 @@ jobs: strategy: fail-fast: false matrix: - arch: [amd64] + arch: [amd64] #add ,arm64 to add back arm build steps: - # - name: Maximize build space - # uses: easimon/maximize-build-space@v10 - # with: - # root-reserve-mb: 37500 - # remove-dotnet: 'true' - # remove-android: 'true' - # remove-haskell: 'true' - # remove-codeql: 'true' - # remove-docker-images: 'true' + - name: Maximize build space + uses: easimon/maximize-build-space@v10 + with: + root-reserve-mb: 37500 + remove-dotnet: 'true' + remove-android: 'true' + remove-haskell: 'true' + remove-codeql: 'true' + remove-docker-images: 'true' # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v4 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - uses: sigstore/cosign-installer@v3.3.0 - - name: Add yq (for reading desc.yml) uses: mikefarah/yq@v4.35.1 - # important here is to lowercase image related variables like IMAGE_REGISTRY - # and IMAGE_NAME because docker does not allow uppercase chars in the whole image name. - name: Gather image data from description run: | - echo "IMAGE_TITLE=$(yq '.title' ./desc.yml)" >> $GITHUB_ENV - echo "IMAGE_NAME=${GITHUB_REPOSITORY_OWNER@L}/$(yq '.name | downcase' ./desc.yml)" >> $GITHUB_ENV + echo "IMAGE_NAME=$(yq '.name' ./desc.yml)" >> $GITHUB_ENV echo "IMAGE_DESCRIPTION=$(yq '.description' ./desc.yml)" >> $GITHUB_ENV echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./desc.yml)" >> $GITHUB_ENV - echo "IMAGE_REGISTRY=$(yq '.image-registry | downcase' ./desc.yml)" >> $GITHUB_ENV + + - name: Get current version + id: labels + run: | + ver=$(skopeo inspect docker://quay.io/fedora/fedora-silverblue:${{ env.IMAGE_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]') + echo "VERSION=$ver" >> $GITHUB_OUTPUT - name: Generate tags id: generate-tags 
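Review bot: The new "Get current version" step cannot fail the job when the lookup fails: without `shell: bash` a `run:` step executes under `bash -e` with no `pipefail`, so a failing `skopeo inspect` still lets `jq -r` exit 0 with empty output (or print `null` when the label is absent), and an empty `VERSION` output then flows into the tag generation in the next hunk. Add `shell: bash` to the step and guard the value, e.g. `ver=$(skopeo inspect "docker://quay.io/fedora/fedora-silverblue:${IMAGE_MAJOR_VERSION}" | jq -er '.Labels["org.opencontainers.image.version"]')` followed by `[ -n "$ver" ] || { echo "no version label found" >&2; exit 1; }`; reading the `$IMAGE_MAJOR_VERSION` shell variable (already exported via GITHUB_ENV) also avoids splicing a `${{ }}` expression into the script text. Separately, the re-enabled `easimon/maximize-build-space@v10` and the other third-party actions in this hunk are pinned to mutable tags; pinning each to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening. The job header and the remaining steps lie outside this hunk.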
@@ -63,7 +62,7 @@ jobs: run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" - MAJOR_VERSION=${IMAGE_MAJOR_VERSION} + MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)" COMMIT_TAGS=() BUILD_TAGS=() # Have tags for tracking builds during pull request
@@ -103,13 +102,26 @@ jobs: images: | ${{ env.IMAGE_NAME }} labels: | - org.opencontainers.image.title=${{ env.IMAGE_TITLE }} - org.opencontainers.image.ref.name=${{ env.IMAGE_NAME }} - org.opencontainers.image.version=${{ env.IMAGE_MAJOR_VERSION }} + org.opencontainers.image.title=${{ env.IMAGE_NAME }} + org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }} org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }} io.artifacthub.package.readme-url=https://raw.githubusercontent.com/drakulix/infinity/main/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/33131755?s=200&v=4 + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. + # https://github.com/macbre/push-to-ghcr/issues/12 + - name: Lowercase Registry + id: registry_case + uses: ASzc/change-string-case-action@v6 + with: + string: ${{ env.IMAGE_REGISTRY }} + + - name: Lowercase Image + id: image_case + uses: ASzc/change-string-case-action@v6 + with: + string: ${{ env.IMAGE_NAME }} + + - name: Install qemu dependency run: | sudo apt-get update 
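Review bot: `MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)"` splices a value read from a label on a remote image (the `labels` step's skopeo lookup) directly into the shell script text before it runs, so shell metacharacters in that label would execute inside a job that later logs in to GHCR with GITHUB_TOKEN. Pass it through the environment instead: add `env:` with `VERSION: ${{ steps.labels.outputs.VERSION }}` to this step and write `MAJOR_VERSION="${VERSION%%.*}"`, which also removes the `echo | cut` pipeline. The step's `name`/`id` lines and the rest of its script are outside this hunk.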
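Review bot: The two new `ASzc/change-string-case-action@v6` steps add a third-party action, pinned to a floating major tag, to do what the `${GITHUB_REPOSITORY_OWNER@L}` expansion removed in the earlier hunk already did in shell; bash on the ubuntu runners supports the same with `${IMAGE_REGISTRY,,}` and `${IMAGE_NAME,,}`. A single `run:` step with `echo "IMAGE_REGISTRY_LC=${IMAGE_REGISTRY,,}" >> "$GITHUB_ENV"` and `echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"` would replace both steps, with the `steps.registry_case.outputs.lowercase` references in the build and push steps of the next hunk switching to `env.IMAGE_REGISTRY_LC`. If the action is kept, pin it to a full commit SHA rather than `v6`. The `meta` step that owns the `labels:` block starts above this hunk.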
@@ -128,43 +140,28 @@ jobs: archs: ${{ matrix.arch }} build-args: | IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }} + IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }} labels: ${{ steps.meta.outputs.labels }} oci: false - - name: Login to GitHub Container Registry + - name: 'Login to GitHub Container Registry' uses: docker/login-action@v3 - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' with: registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{github.actor}} + password: ${{secrets.GITHUB_TOKEN}} # Push the image to GHCR (Image Registry) - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ env.IMAGE_REGISTRY }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} + registry: ${{ steps.registry_case.outputs.lowercase }} + extra-args: | + --disable-content-trust - name: Echo outputs - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' run: | - echo "${{ toJSON(steps.push.outputs) }}" - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. 
- run: cosign sign --yes ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
\ No newline at end of file
+ echo "${{ toJSON(steps.push.outputs) }}"
\ No newline at end of file
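Review bot: Dropping `if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'` from the Login, Push and Echo steps makes every push to any branch, and every pull_request run, attempt a registry login and publish to GHCR, which contradicts the file's own comment that only the `live` branch deploys and lets development branches overwrite published tags; restore the condition on those three steps. The "Sign the published Docker image" step (and the cosign install in the earlier hunk) is removed with nothing replacing it, so published images are no longer signed and registry-side verification silently stops being possible — if that is intended, the commit should say so. The added `extra-args: --disable-content-trust` is documented by podman as a Docker-compatibility no-op, so if `redhat-actions/push-to-registry@v2` drives podman here the flag does nothing and can be dropped; confirm against the action version in use. `${{github.actor}}` and `${{secrets.GITHUB_TOKEN}}` lose the inner spaces used everywhere else in the file, so `${{ github.actor }}` / `${{ secrets.GITHUB_TOKEN }}` keeps the style consistent. The `build_image` step and the job header lie above this hunk.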