tes

ublue-os · Feb 8, 2024 · f190553 · f190553
1 parent 5fe0401
commit f190553
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 46 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,9 +8,6 @@ on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-wor
   pull_request:
   workflow_dispatch:
 
-env:
-  IMAGE_REGISTRY: ghcr.io/${{ github.actor }}
-
 # Only deploys the branch named "live". Ignores all other branches, to allow
 # having "development" branches without interfering with GHCR image uploads.
 jobs:
@@ -24,7 +21,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: [amd64] #add ,arm64 to add back arm build
+        arch: [amd64]
 
     steps:
       - name: Maximize build space
@@ -41,28 +38,32 @@ jobs:
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        uses: sigstore/cosign-installer@v3.3.0
+
       - name: Add yq (for reading desc.yml)
         uses: mikefarah/yq@v4.35.1
 
+      # important here is to lowercase image related variables like IMAGE_REGISTRY
+      # and IMAGE_NAME because docker does not allow uppercase chars in the whole image name.
       - name: Gather image data from description
         run: |
-          echo "IMAGE_NAME=$(yq '.name' ./desc.yml)" >> $GITHUB_ENV
+          echo "IMAGE_TITLE=$(yq '.title' ./desc.yml)" >> $GITHUB_ENV
+          echo "IMAGE_NAME=${GITHUB_REPOSITORY_OWNER@L}/$(yq '.name | downcase' ./desc.yml)" >> $GITHUB_ENV
           echo "IMAGE_DESCRIPTION=$(yq '.description' ./desc.yml)" >> $GITHUB_ENV
           echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./desc.yml)" >> $GITHUB_ENV
-
-      - name: Get current version
-        id: labels
-        run: |
-          ver=$(skopeo inspect docker://quay.io/fedora/fedora-silverblue:${{ env.IMAGE_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]')
-          echo "VERSION=$ver" >> $GITHUB_OUTPUT
+          echo "IMAGE_REGISTRY=$(yq '.image-registry | downcase' ./desc.yml)" >> $GITHUB_ENV
 
       - name: Generate tags
         id: generate-tags
         shell: bash
         run: |
           # Generate a timestamp for creating an image version history
           TIMESTAMP="$(date +%Y%m%d)"
-          MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)"
+          MAJOR_VERSION=${IMAGE_MAJOR_VERSION}
           COMMIT_TAGS=()
           BUILD_TAGS=()
           # Have tags for tracking builds during pull request
@@ -102,26 +103,13 @@ jobs:
           images: |
             ${{ env.IMAGE_NAME }}
           labels: |
-            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
-            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
+            org.opencontainers.image.title=${{ env.IMAGE_TITLE }}
+            org.opencontainers.image.ref.name=${{ env.IMAGE_NAME }}
+            org.opencontainers.image.version=${{ env.IMAGE_MAJOR_VERSION }}
             org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/drakulix/infinity/main/README.md
             io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/33131755?s=200&v=4
 
-      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
-      # https://github.com/macbre/push-to-ghcr/issues/12
-      - name: Lowercase Registry
-        id: registry_case
-        uses: ASzc/change-string-case-action@v6
-        with:
-          string: ${{ env.IMAGE_REGISTRY }}
-
-      - name: Lowercase Image
-        id: image_case
-        uses: ASzc/change-string-case-action@v6
-        with:
-          string: ${{ env.IMAGE_NAME }}
-
       - name: Install qemu dependency
         run: |
           sudo apt-get update
@@ -140,36 +128,43 @@ jobs:
           archs: ${{ matrix.arch }}
           build-args: |
             IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }}
-            IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }}
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       # Push the image to GHCR (Image Registry)
       - name: Push To GHCR
         uses: redhat-actions/push-to-registry@v2
         id: push
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        env:
-          REGISTRY_USER: ${{ github.actor }}
-          REGISTRY_PASSWORD: ${{ github.token }}
         with:
           image: ${{ steps.build_image.outputs.image }}
           tags: ${{ steps.build_image.outputs.tags }}
-          registry: ${{ steps.registry_case.outputs.lowercase }}
+          registry: ${{ env.IMAGE_REGISTRY }}
           username: ${{ env.REGISTRY_USER }}
           password: ${{ env.REGISTRY_PASSWORD }}
-          extra-args: |
-            --disable-content-trust
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Echo outputs
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
         run: |
-          echo "${{ toJSON(steps.push.outputs) }}"
+          echo "${{ toJSON(steps.push.outputs) }}"
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign --yes ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
diff --git a/desc.yml b/desc.yml
@@ -1,5 +1,5 @@
-name: infinity
-title: infinity
+title: Fedora Cosmic Atomic
+name: fedora-cosmic-atomic
 description: Fedora based ostree image with the COSMIC desktop environment
 image-registry: ghcr.io
 image-version: 39