name: build-bazzite on: pull_request: branches: - main schedule: - cron: '20 21 * * *' # 9:20pm everyday push: branches: - main env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} jobs: push-ghcr: name: Build and push image runs-on: ubuntu-22.04 permissions: contents: read packages: write id-token: write strategy: fail-fast: false matrix: image_name: ['', '-desktop'] major_version: [37] include: - major_version: 37 is_latest: true is_stable: true steps: # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v3 - name: Generate tags id: generate-tags shell: bash run: | echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT alias_tags=() # Only perform the follow code when the action is spawned from a Pull Request if [[ "${{ github.event_name }}" == "pull_request" ]]; then alias_tags+=("pr-${{ github.event.number }}") else # The following is run when the timer is triggered or a merge/push to main echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT alias_tags+=("${{ matrix.major_version }}") if [[ "${{ matrix.is_latest }}" == "true" ]]; then alias_tags+=("latest") fi if [[ "${{ matrix.is_stable }}" == "true" ]]; then alias_tags+=("stable") fi fi echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ${{ format('./Containerfile{0}', matrix.image_name) }} image: ${{ format('bazzite{0}', matrix.image_name) }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} ${{ steps.generate-tags.outputs.date }} ${{ steps.generate-tags.outputs.sha_short }} build-args: | IMAGE_NAME=${{ matrix.image_name }} FEDORA_MAJOR_VERSION=${{ matrix.major_version }} oci: true # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v5 with: string: ${{ env.IMAGE_REGISTRY }} # Push the image to GHCR (Image Registry) - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.build_image.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} extra-args: | --disable-content-trust # Sign container - uses: sigstore/cosign-installer@main - name: Write cosign keys to disk run: | echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key echo "${{ env.COSIGN_PUBLIC_KEY }}" > cosign.pub # DEBUG: get character count of keys wc -c cosign.key wc -c cosign.pub env: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} COSIGN_PUBLIC_KEY: ${{ secrets.SIGNING_PUBLIC }} - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Sign container image run: | cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false - name: Verify signed image run: | cosign verify --key cosign.pub ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false - name: Echo outputs run: | echo "${{ toJSON(steps.push.outputs) }}"