name: Build Bazzite on: schedule: - cron: "40 4 * * 2,5" # 4:40 utc tues thurs pull_request: branches: - testing - unstable paths-ignore: - "**.md" - "**.txt" - "installer/**" - "repo_content/**" - "spec_files/**" - "post_install_files/**" - "press_kit/**" - ".github/workflows/build_iso.yml" push: branches: - testing - unstable paths-ignore: - "**.md" - "**.txt" - "repo_content/**" - "spec_files/**" - "post_install_files/**" - "press_kit/**" - ".github/workflows/build_iso.yml" merge_group: workflow_dispatch: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true jobs: push-ghcr: name: Make runs-on: ubuntu-24.04 continue-on-error: false permissions: contents: read packages: write id-token: write strategy: fail-fast: false matrix: base_image_flavor: [main] base_name: [bazzite, bazzite-deck, bazzite-nvidia] base_image_name: [kinoite, silverblue] target_image_flavor: [main, asus] fedora_version: [40] include: - fedora_version: 40 is_latest_version: true is_stable_version: true kernel_flavor: fsync # must match a kernel_flavor from akmods repo steps: - name: Define env.IMAGE_FLAVOR run: | if [[ "${{ matrix.base_name }}" == "bazzite-nvidia" ]]; then if [[ "${{ matrix.target_image_flavor }}" == "main" ]]; then echo "IMAGE_FLAVOR=nvidia" >> $GITHUB_ENV else echo "IMAGE_FLAVOR=${{ format('{0}-{1}', matrix.target_image_flavor, 'nvidia') }}" >> $GITHUB_ENV fi else echo "IMAGE_FLAVOR=${{ matrix.target_image_flavor }}" >> $GITHUB_ENV fi - name: Define env.IMAGE_NAME run: | DESKTOP="" if [[ "${{ matrix.base_image_name }}" == "silverblue" ]]; then DESKTOP="-gnome" fi if [[ "${{ matrix.base_name }}" == "bazzite-deck" ]]; then if [[ "${{ matrix.target_image_flavor }}" == "asus" ]]; then echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite-ally', '${DESKTOP}') }}" >> $GITHUB_ENV else echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite-deck', '${DESKTOP}') }}" >> $GITHUB_ENV fi else if [[ "${{ env.IMAGE_FLAVOR }}" == "main" ]]; then echo "IMAGE_NAME=${{ format('{0}{1}', 'bazzite', '${DESKTOP}') }}" >> $GITHUB_ENV else echo "IMAGE_NAME=${{ format('{0}{1}-{2}', 'bazzite', '${DESKTOP}', env.IMAGE_FLAVOR) }}" >> $GITHUB_ENV fi fi - name: Define env.SHA_HEAD_SHORT run: | echo "SHA_HEAD_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV - name: Verify main image uses: EyeCantCU/cosign-action/verify@v0.3.0 with: containers: ${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} pubkey: https://raw.githubusercontent.com/ublue-os/${{ matrix.base_image_flavor }}/main/cosign.pub registry: ${{ env.IMAGE_REGISTRY }} - name: Verify akmods image uses: EyeCantCU/cosign-action/verify@v0.3.0 with: containers: akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }} pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub registry: ${{ env.IMAGE_REGISTRY }} - name: Verify akmods-nvidia image uses: EyeCantCU/cosign-action/verify@v0.3.0 with: containers: akmods-nvidia:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }} pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub registry: ${{ env.IMAGE_REGISTRY }} # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v4 - name: Check just syntax uses: ublue-os/just-action@v1 - name: Maximize build space uses: ublue-os/remove-unwanted-software@v7 - name: Generate tags id: generate-tags shell: bash run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" FEDORA_VERSION="${{ matrix.fedora_version }}" COMMIT_TAGS=() BUILD_TAGS=() # Have tags for tracking builds during pull request SHA_SHORT="${GITHUB_SHA::7}" COMMIT_TAGS+=("pr-${{ github.event.pull_request.number }}-${FEDORA_VERSION}") COMMIT_TAGS+=("${SHA_SHORT}-${FEDORA_VERSION}") if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ [[ "${{ matrix.is_stable_version }}" == "true" ]]; then COMMIT_TAGS+=("pr-${{ github.event.pull_request.number }}") COMMIT_TAGS+=("${SHA_SHORT}") fi if [[ ${{ github.ref_name }} == "unstable" ]]; then BUILD_TAGS=("${FEDORA_VERSION}-unstable" "${FEDORA_VERSION}-unstable-${TIMESTAMP}") if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ [[ "${{ matrix.is_stable_version }}" == "true" ]]; then BUILD_TAGS+=("unstable") echo "DEFAULT_TAG=unstable" >> $GITHUB_ENV fi elif [[ ${{ github.ref_name }} == "testing" ]]; then BUILD_TAGS=("${FEDORA_VERSION}-testing" "${FEDORA_VERSION}-testing-${TIMESTAMP}") if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ [[ "${{ matrix.is_stable_version }}" == "true" ]]; then BUILD_TAGS+=("testing") echo "DEFAULT_TAG=testing" >> $GITHUB_ENV fi else BUILD_TAGS=("${FEDORA_VERSION}" "${FEDORA_VERSION}-${TIMESTAMP}") BUILD_TAGS+=("${FEDORA_VERSION}-stable" "${FEDORA_VERSION}-stable-${TIMESTAMP}") if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ [[ "${{ matrix.is_stable_version }}" == "true" ]]; then BUILD_TAGS+=("latest" "stable") echo "DEFAULT_TAG=latest" >> $GITHUB_ENV fi fi if [[ "${{ github.event_name }}" == "pull_request" ]]; then echo "Generated the following commit tags: " for TAG in "${COMMIT_TAGS[@]}"; do echo "${TAG}" done alias_tags=("${COMMIT_TAGS[@]}") else alias_tags=("${BUILD_TAGS[@]}") fi echo "Generated the following build tags: " for TAG in "${BUILD_TAGS[@]}"; do echo "${TAG}" done echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - name: Pull main and akmods images uses: Wandalen/wretry.action@v3.5.0 with: attempt_limit: 3 attempt_delay: 15000 command: | # pull the base images used for FROM in Containerfile so # we can retry on that unfortunately common failure case podman pull ${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }} podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }} - name: Get source versions id: labels uses: Wandalen/wretry.action@v3.5.0 with: attempt_limit: 3 attempt_delay: 15000 command: | set -eo pipefail skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/${{ matrix.base_image_name }}-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }} > source.json ver=$(jq -r '.Labels["org.opencontainers.image.version"]' source.json) if [ -z "$ver" ] || [ "null" = "$ver" ]; then echo "inspected image version must not be empty or null" exit 1 fi echo "SOURCE_IMAGE_VERSION=$ver" >> $GITHUB_ENV skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods:${{ matrix.kernel_flavor }}-${{ matrix.fedora_version }} > akmods.json linux=$(jq -r '.Labels["ostree.linux"]' akmods.json) if [ -z "$linux" ] || [ "null" = "$linux" ]; then echo "inspected image linux version must not be empty or null" exit 1 fi echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV # Build metadata - name: Image Metadata uses: docker/metadata-action@v5 id: meta with: images: | ${{ env.IMAGE_NAME }} labels: | org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.description=Bazzite is an OCI image that serves as an alternative operating system for the Steam Deck, and a ready-to-game SteamOS-like for desktop computers, living room home theater PCs, and numerous other handheld PCs. org.opencontainers.image.version=${{ env.SOURCE_IMAGE_VERSION }} ostree.linux=${{ env.KERNEL_VERSION }} io.artifacthub.package.readme-url=https://bazzite.gg/ io.artifacthub.package.logo-url=https://raw.githubusercontent.com/ublue-os/bazzite/main/repo_content/logo.png # Build image using Buildah action - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile image: ${{ env.IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} build-args: | IMAGE_NAME=${{ env.IMAGE_NAME }} IMAGE_FLAVOR=${{ env.IMAGE_FLAVOR }} IMAGE_VENDOR=${{ github.repository_owner }} BASE_IMAGE_NAME=${{ matrix.base_image_name }} BASE_IMAGE_FLAVOR=${{ matrix.base_image_flavor }} FEDORA_VERSION=${{ matrix.fedora_version }} KERNEL_FLAVOR=${{ matrix.kernel_flavor }} IMAGE_BRANCH=${{ github.ref_name }} SHA_HEAD_SHORT=${{ env.SHA_HEAD_SHORT }} labels: ${{ steps.meta.outputs.labels }} oci: false extra-args: | --target=${{ matrix.base_name }} - name: Check Secureboot shell: bash run: | set -x if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then sudo apt update sudo apt install sbsigntool curl openssl fi podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sbverify --list vmlinuz curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der openssl x509 -in kernel-sign.der -out kernel-sign.crt openssl x509 -in akmods.der -out akmods.crt sbverify --cert kernel-sign.crt vmlinuz || exit 1 sbverify --cert akmods.crt vmlinuz || exit 1 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry id: registry_case uses: ASzc/change-string-case-action@v6 with: string: ${{ env.IMAGE_REGISTRY }} # Push the image to GHCR (Image Registry) - name: Push To GHCR uses: Wandalen/wretry.action@v3.5.0 id: push if: github.event_name != 'pull_request' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: action: redhat-actions/push-to-registry@v2 attempt_limit: 3 attempt_delay: 15000 with: | image: ${{ steps.build_image.outputs.image }} tags: ${{ steps.build_image.outputs.tags }} registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} extra-args: | --disable-content-trust - name: Sign container image uses: EyeCantCU/cosign-action/sign@v0.3.0 if: github.event_name != 'pull_request' with: containers: ${{ env.IMAGE_NAME }} registry-token: ${{ secrets.GITHUB_TOKEN }} signing-secret: ${{ secrets.SIGNING_SECRET }} tags: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} - name: Echo outputs if: github.event_name != 'pull_request' run: | echo "${{ toJSON(steps.push.outputs) }}" build_iso: name: build iso needs: [push-ghcr] if: github.ref_name == 'testing' # Eventually would be nice for building images in PRs #if: ${{ endsWith(github.event.pull_request.title, '[ISO]') }} uses: ./.github/workflows/build_iso.yml secrets: inherit