add ananicy-cpp #144
| --- | |
| name: Build container image | |
| on: | |
| #pull_request: | |
| # branches: | |
| # - main | |
| #schedule: | |
| # - cron: '05 10 * * *' # 10:05am UTC everyday | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '**/README.md' | |
| workflow_dispatch: | |
| env: | |
| IMAGE_DESC: "Botany Linux" | |
| IMAGE_KEYWORDS: "bootc,ublue,universal-blue" | |
| IMAGE_LOGO_URL: "https://botany.pl/images/Layout/logo.svg" # Put your own image here for a fancy profile on https://artifacthub.io/! | |
| IMAGE_NAME: "${{ github.event.repository.name }}" # output image name, usually same as repo name | |
| IMAGE_REGISTRY: "${{ secrets.IMAGE_REGISTRY }}" | |
| IMAGE_REGISTRY_ALT: "${{ secrets.IMAGE_REGISTRY_ALT }}" # previous domain name that we used... | |
| DEFAULT_TAG: "latest" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| build_push: | |
| name: Build and push image | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Prepare environment | |
| run: | | |
| # Lowercase the image uri | |
| echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV} | |
| echo "IMAGE_REGISTRY_ALT=${IMAGE_REGISTRY_ALT,,}" >> ${GITHUB_ENV} | |
| echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV} | |
| # Checkout last 300 commits (for <commits> to work) | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 300 | |
| # This is optional, but if you see that your builds are way too big for the runners, you can enable this by uncommenting the following lines: | |
| - name: Maximize build space | |
| uses: ublue-os/remove-unwanted-software@695eb75bc387dbcd9685a8e72d23439d8686cba6 # v10 | |
| # - name: Mount BTRFS for podman storage | |
| # continue-on-error: true | |
| # uses: ublue-os/container-storage-action@main | |
| # - if: always() | |
| # run: | | |
| # journalctl -xe | cat | |
| - name: Get current date | |
| id: date | |
| run: | | |
| # This generates a timestamp like what is defined on the ArtifactHub documentation | |
| # E.G: 2022-02-08T15:38:15Z' | |
| # https://artifacthub.io/docs/topics/repositories/container-images/ | |
| # https://linux.die.net/man/1/date | |
| echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT | |
| echo "date_short=$(date -u +%Y%m%d)" >> $GITHUB_OUTPUT | |
| # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images | |
| # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. | |
| - name: Image Metadata | |
| uses: docker/metadata-action@v5 | |
| id: metadata | |
| with: | |
| # This generates all the tags for your image, you can add custom tags here too! | |
| # Default tags are "$DEFAULT_TAG" and "$DEFAULT_TAG.$date". | |
| tags: | | |
| type=raw,value=${{ env.DEFAULT_TAG }} | |
| type=raw,value={{date 'YYYYMMDD'}} | |
| type=sha,enable=${{ github.event_name == 'pull_request' }} | |
| type=ref,event=pr | |
| labels: | | |
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md | |
| org.opencontainers.image.created=${{ steps.date.outputs.date }} | |
| org.opencontainers.image.description=${{ env.IMAGE_DESC }} | |
| org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md | |
| org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile | |
| org.opencontainers.image.title=${{ env.IMAGE_NAME }} | |
| org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} | |
| org.opencontainers.image.vendor=${{ github.repository_owner }} | |
| org.opencontainers.image.version={{date 'YYYYMMDD'}} | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| io.artifacthub.package.deprecated=false | |
| io.artifacthub.package.keywords=${{ env.IMAGE_KEYWORDS }} | |
| io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }} | |
| io.artifacthub.package.prerelease=false | |
| containers.bootc=1 | |
| sep-tags: " " | |
| sep-annotations: " " | |
| - name: Image Env | |
| id: image_env | |
| run: | | |
| cat <<EOF > .env | |
| IMAGE_NAME=${{ env.IMAGE_NAME }} | |
| IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }} | |
| IMAGE_REGISTRY_ALT=${{ env.IMAGE_REGISTRY_ALT }} | |
| REGISTRY_USER=${{ secrets.REGISTRY_USER }} | |
| REGISTRY_PASSWORD=${{ secrets.REGISTRY_PASSWORD }} | |
| REGISTRY_PULLER_USER=${{ secrets.REGISTRY_PULLER_USER }} | |
| REGISTRY_PULLER_PASSWORD=${{ secrets.REGISTRY_PULLER_PASSWORD }} | |
| SCRUTINY_COLLECTOR_API_ENDPOINT=${{ secrets.SCRUTINY_COLLECTOR_API_ENDPOINT }} | |
| BESZEL_HUB_URL=${{ secrets.BESZEL_HUB_URL }} | |
| BESZEL_TOKEN=${{ secrets.BESZEL_TOKEN }} | |
| BESZEL_KEY="${{ secrets.BESZEL_KEY }}" | |
| EOF | |
| echo "${{ secrets.MOK_PRIVATE_KEY }}" > MOK.key | |
| echo "${{ secrets.U2F_KEYS }}" > u2f_keys | |
| - name: Build image (rootful) | |
| id: build_image | |
| run: | | |
| # Builds image in root store as root, to be picked up by Rechunker | |
| sudo buildah bud \ | |
| --format docker \ | |
| --tag "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" \ | |
| --file Containerfile | |
| - name: Remove source images | |
| run: | | |
| images=$(sudo podman images -n --sort repository --format '{{.ID}} {{.Repository}}' | grep -v localhost | awk '{print $1}') | |
| if [ -n "${images}" ]; then | |
| for image in ${images}; do | |
| echo "Removing image: $image" | |
| sudo podman rmi --force "$image" | |
| done | |
| else | |
| echo "No images to remove." | |
| fi | |
| - name: Login to private registry | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| run: | | |
| podman login -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_PASSWORD }} ${{ env.IMAGE_REGISTRY }} | |
| install -D ${XDG_RUNTIME_DIR}/containers/auth.json ~/.docker/config.json | |
| sudo install -D ${XDG_RUNTIME_DIR}/containers/auth.json /run/user/0/containers/auth.json | |
| sudo install -D ${XDG_RUNTIME_DIR}/containers/auth.json /root/.docker/config.json | |
| # Work around Rechunker not being able to use private registry auth details | |
| skopeo inspect "docker://${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" | tee previous.manifest.json | |
| - name: Run Rechunker | |
| id: rechunk | |
| uses: hhd-dev/rechunk@v1.2.4 | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| with: | |
| rechunk: 'ghcr.io/hhd-dev/rechunk:v1.2.4' | |
| ref: "containers-storage:localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" | |
| #prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" | |
| skip_compression: true | |
| max-layers: 100 | |
| labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator | |
| version: '${{ steps.date.outputs.date_short }}' | |
| revision: ${{ github.sha }} | |
| pretty: '(from ${{ github.ref }})' | |
| git: "${{ github.workspace }}" | |
| description: > | |
| Botany Linux <pretty> | |
| [Kernel: <relver:kernel>, | |
| KDE: <version:kwayland>] | |
| changelog: | | |
| # Botany Linux <pretty> | |
| ## Version: <version> | |
| Major Components: | |
| - Kernel: <relver:kernel> | |
| - Firmware: <relver:linux-firmware> | |
| - Mesa: <relver:mesa-filesystem> | |
| - KDE: <version:kwayland> | |
| - OnlyOffice: <version:onlyoffice-desktopeditors> | |
| - LibreOffice: <version:libreoffice> | |
| - WINE: <version:wine> | |
| ## Changes since last version (<previous>): | |
| ### Commits | |
| <commits> | |
| ### Package Changes: | |
| <pkgupd> | |
| formatters: | | |
| commits.none=No changes\n | |
| commits.commit=- **[<short>](https://github.com/IB-PAN/botany-linux/commit/<hash>)** <subject>\n | |
| pkgupd.none=No package updates\n | |
| pkgupd.add=- **<package>** Added at <new>\n | |
| pkgupd.update=- **<package>** <old> → <new>\n | |
| pkgupd.remove=- **<package>** <old> → Removed\n | |
| meta: 'rechunker_meta.yml' | |
| - name: Print rechunk output | |
| if: always() && github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| run: | | |
| if [[ "${STEPS_RECHUNK_CONCLUSION}" == "success" ]]; then | |
| echo "::group::${STEPS_RECHUNK_OUTPUTS_CHANGELOG}" | |
| cat "${STEPS_RECHUNK_OUTPUTS_CHANGELOG}" | |
| echo "::endgroup::" | |
| echo "::group::${STEPS_RECHUNK_OUTPUTS_MANIFEST}" | |
| cat "${STEPS_RECHUNK_OUTPUTS_MANIFEST}" | |
| echo "::endgroup::" | |
| else | |
| echo "Rechunk conclusion:" | |
| echo "${STEPS_RECHUNK_CONCLUSION}" | |
| fi | |
| env: | |
| STEPS_RECHUNK_CONCLUSION: ${{ steps.rechunk.conclusion }} | |
| STEPS_RECHUNK_OUTPUTS_CHANGELOG: ${{ steps.rechunk.outputs.changelog }} | |
| STEPS_RECHUNK_OUTPUTS_MANIFEST: ${{ steps.rechunk.outputs.manifest }} | |
| - name: Add rechunk changelog to summary | |
| run: cat ${{ steps.rechunk.outputs.changelog }} >> $GITHUB_STEP_SUMMARY | |
| - name: Remove Rechunker image | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| run: | | |
| image=$(sudo podman images -n --sort repository --format '{{.ID}} {{.Repository}}' | grep rechunk | awk '{print $1}') | |
| if [ -n "${image}" ]; then | |
| sudo podman rmi --force "$image" | |
| else | |
| echo "No image to remove" | |
| fi | |
| - name: Push to registry | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| run: | | |
| echo "::group::Pushing primary tag" | |
| sudo skopeo copy --format oci --dest-compress-format zstd:chunked --digestfile /tmp/digest.txt \ | |
| ${{ steps.rechunk.outputs.ref }} \ | |
| docker://${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} | |
| sudo rm -rf ${{ steps.rechunk.outputs.location }} | |
| echo "::endgroup::" | |
| for tag in ${{ steps.metadata.outputs.tags }}; do | |
| if [[ "$tag" != "${{ env.DEFAULT_TAG }}" ]]; then | |
| echo "Pushing tag \"$tag\"..." | |
| skopeo copy --preserve-digests \ | |
| docker://${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} \ | |
| docker://${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$tag | |
| fi | |
| done | |
| # This section is optional and only needs to be enabled if you plan on distributing | |
| # your project for others to consume. You will need to create a public and private key | |
| # using Cosign and save the private key as a repository secret in Github for this workflow | |
| # to consume. For more details, review the image signing section of the README. | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v4.0.0 | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| with: | |
| cosign-release: 'v2.6.1' | |
| - name: Sign container image | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| run: | | |
| IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}" | |
| DIGEST=$(cat /tmp/digest.txt) | |
| cosign sign -y --key env://COSIGN_PRIVATE_KEY --new-bundle-format=false "$IMAGE_FULL@$DIGEST" | |
| env: | |
| COSIGN_EXPERIMENTAL: false | |
| COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} |
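Review bot: In the "Login to private registry" step the registry password is passed on the command line (`podman login -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_PASSWORD }} ...`), so it is visible in the runner's process list and, if the secret ever contains shell metacharacters or quotes, it also breaks or alters the command; the same direct `${{ secrets.* }}` interpolation into shell text appears in the "Image Env" step. The safer shape is to map the secrets through the step's `env:` block (as the "Sign container image" step already does for `COSIGN_PRIVATE_KEY`) and feed the password on stdin: `podman login -u "$REGISTRY_USER" --password-stdin "$IMAGE_REGISTRY" <<< "$REGISTRY_PASSWORD"`, with `REGISTRY_USER: ${{ secrets.REGISTRY_USER }}` and `REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}` under `env:`. The "Image Env" step also writes `MOK.key`, `u2f_keys` and an `.env` holding registry and Beszel credentials into the workspace that is then the `buildah bud` context and the `git:` input of the rechunk step; whether those files reach image layers or the changelog depends on the Containerfile, which is not on this page, so this is worth confirming and, if the key material is only needed transiently, removing those files in a later step. Separately, "Add rechunk changelog to summary" is the only rechunk-dependent step without the `github.event_name != 'pull_request' && ...` guard, so on other events it runs `cat` with an empty path.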