mirror/bazzite
1
0
Fork 0
mirror of https://github.com/ublue-os/bazzite.git synced 2025-03-01 16:13:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: split image registry variable in build workflow (#1978)

Browse Source 
* fix: split image registry in build workflow

* fix: cosign should sign image in the 'push' registry
This commit is contained in:
BynariStar 2024-12-20 10:14:48 +02:00 committed by GitHub
parent cff5814eb0
commit cc695544a1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 15 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
.github/workflows/build.yml vendored
View File

@ -41,7 +41,8 @@ on:
type: boolean type: boolean
default: false default: false
env: env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} PULL_IMAGE_REGISTRY: ghcr.io/ublue-os
PUSH_IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }} group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
@ -119,21 +120,21 @@ jobs:
with: with:
containers: ${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} containers: ${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/${{ matrix.base_image_flavor }}/main/cosign.pub pubkey: https://raw.githubusercontent.com/ublue-os/${{ matrix.base_image_flavor }}/main/cosign.pub
registry: ${{ env.IMAGE_REGISTRY }} registry: ${{ env.PULL_IMAGE_REGISTRY }}
- name: Verify akmods image - name: Verify akmods image
uses: EyeCantCU/cosign-action/verify@v0.3.0 uses: EyeCantCU/cosign-action/verify@v0.3.0
with: with:
containers: akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }} containers: akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub
registry: ${{ env.IMAGE_REGISTRY }} registry: ${{ env.PULL_IMAGE_REGISTRY }}
- name: Verify akmods-nvidia image - name: Verify akmods-nvidia image
uses: EyeCantCU/cosign-action/verify@v0.3.0 uses: EyeCantCU/cosign-action/verify@v0.3.0
with: with:
containers: akmods-${{ matrix.target_nvidia_flavor }}:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }} containers: akmods-${{ matrix.target_nvidia_flavor }}:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }}
pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub
registry: ${{ env.IMAGE_REGISTRY }} registry: ${{ env.PULL_IMAGE_REGISTRY }}
# Checkout push-to-registry action GitHub repository # Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action - name: Checkout Push to Registry action
@ -167,9 +168,9 @@ jobs:
command: | command: |
# pull the base images used for FROM in Containerfile so # pull the base images used for FROM in Containerfile so
# we can retry on that unfortunately common failure case # we can retry on that unfortunately common failure case
sudo podman pull ${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} sudo podman pull ${{ env.PULL_IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }}
sudo podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }} sudo podman pull ${{ env.PULL_IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }}
sudo podman pull ${{ env.IMAGE_REGISTRY }}/akmods-${{ matrix.target_nvidia_flavor }}:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }} sudo podman pull ${{ env.PULL_IMAGE_REGISTRY }}/akmods-${{ matrix.target_nvidia_flavor }}:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }}
# Add rechunk as well to remove this source of failure # Add rechunk as well to remove this source of failure
sudo podman pull ghcr.io/hhd-dev/rechunk:v1.0.1 sudo podman pull ghcr.io/hhd-dev/rechunk:v1.0.1
@ -182,7 +183,7 @@ jobs:
attempt_delay: 15000 attempt_delay: 15000
command: | command: |
set -eo pipefail set -eo pipefail
skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} > source.json skopeo inspect docker://${{ env.PULL_IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} > source.json
ver=$(jq -r '.Labels["org.opencontainers.image.version"]' source.json) ver=$(jq -r '.Labels["org.opencontainers.image.version"]' source.json)
if [ -z "$ver" ] || [ "null" = "$ver" ]; then if [ -z "$ver" ] || [ "null" = "$ver" ]; then
echo "inspected image version must not be empty or null" echo "inspected image version must not be empty or null"
@ -248,9 +249,9 @@ jobs:
- name: Remove auxiliary images - name: Remove auxiliary images
# We are tight on space, need at least 2x for OSTree # We are tight on space, need at least 2x for OSTree
run: | run: |
sudo podman image rm ${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} sudo podman image rm ${{ env.PULL_IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }}
sudo podman image rm ${{ env.IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }} sudo podman image rm ${{ env.PULL_IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }}
sudo podman image rm ${{ env.IMAGE_REGISTRY }}/akmods-${{ matrix.target_nvidia_flavor }}:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }} sudo podman image rm ${{ env.PULL_IMAGE_REGISTRY }}/akmods-${{ matrix.target_nvidia_flavor }}:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}-${{ matrix.kernel_version }}
# Generate the previous image reference used by the Rechunker # Generate the previous image reference used by the Rechunker
- name: Generate previous reference - name: Generate previous reference
@ -260,7 +261,7 @@ jobs:
if [ "${{ github.event.inputs.fresh-rechunk }}" == "true" ]; then if [ "${{ github.event.inputs.fresh-rechunk }}" == "true" ]; then
IMAGEREF="" IMAGEREF=""
else else
IMAGEREF="${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:stable" IMAGEREF="${{ env.PUSH_IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:stable"
fi fi
echo "ref=${IMAGEREF}" >> $GITHUB_OUTPUT echo "ref=${IMAGEREF}" >> $GITHUB_OUTPUT
@ -377,7 +378,7 @@ jobs:
id: registry_case id: registry_case
uses: ASzc/change-string-case-action@v6 uses: ASzc/change-string-case-action@v6
with: with:
string: ${{ env.IMAGE_REGISTRY }} string: ${{ env.PUSH_IMAGE_REGISTRY }}
# Push the image to GHCR (Image Registry) # Push the image to GHCR (Image Registry)
- name: Push To GHCR - name: Push To GHCR
@ -409,6 +410,7 @@ jobs:
registry-token: ${{ secrets.GITHUB_TOKEN }} registry-token: ${{ secrets.GITHUB_TOKEN }}
signing-secret: ${{ secrets.SIGNING_SECRET }} signing-secret: ${{ secrets.SIGNING_SECRET }}
tags: ${{ steps.digest.outputs.digest }} tags: ${{ steps.digest.outputs.digest }}
registry: ${{ env.PUSH_IMAGE_REGISTRY }}
generate_release: generate_release:
name: Generate Release name: Generate Release