From e697ba48aefd47af13e1f6b61b4cf41b2d6e0a78 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 09:36:54 +0000 Subject: [PATCH 01/44] chore: update workflow to support multi-architecture builds --- .github/workflows/build.yml | 230 +++++++++++++++++++++++++++--------- 1 file changed, 174 insertions(+), 56 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7897caa..6d54ccd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,30 +5,51 @@ on: branches: - main schedule: - - cron: '05 10 * * *' # 10:05am UTC everyday - merge_group: + - cron: "05 10 * * *" # 10:05am UTC everyday + merge_group: push: branches: - main paths-ignore: - - '**/README.md' + - "**/README.md" workflow_dispatch: env: - IMAGE_NAME: "main" # the name of the image produced by this build, matches repo names + IMAGE_NAME: "rs-main-test" # the name of the image produced by this build, matches repo names IMAGE_DESC: "CentOS Stream-based image for basing off of " IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" DEFAULT_TAG: "latest" CENTOS_VERSION: "stream10" + PLATFORMS: "amd64" concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true jobs: + generate_matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - name: Set matrix + id: set-matrix + run: | + # turn the comma separated string into a list + platforms=(${{ env.PLATFORMS }}) + MATRIX="{\"include\":[]}" + for platform in "${platforms[@]}"; do + MATRIX=$(echo $MATRIX | jq ".include += [{\"platform\": \"$platform\"}]") + done + echo "matrix=$(echo $MATRIX | jq -c '.')" >> $GITHUB_OUTPUT + build_push: name: Build and push image runs-on: ubuntu-24.04 + needs: generate_matrix + strategy: + fail-fast: false + matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}} permissions: contents: read 
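Review bot: The `generate_matrix` step interpolates a workflow expression straight into the shell (`platforms=(${{ env.PLATFORMS }})`), which is the script-injection pattern GitHub Actions hardening guidance warns about; `PLATFORMS` is a workflow-level constant here so it is not exploitable today, but the safe form is the already-exported variable, `platforms=($PLATFORMS)`, and the same inline expansion is repeated in the manifest job's `Populate Manifest` step. For a fixed list the jq round-trip could simply be a static `matrix: { platform: [amd64] }` in `build_push`. Separately, `IMAGE_NAME: "rs-main-test"` contradicts the trailing comment `matches repo names`; if this is a temporary test name, say so in the comment or revert it before merge so signed images are not published under a throwaway name.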
@@ -51,7 +72,103 @@ jobs: uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 with: remove-codeql: true - + + - name: Build Image + id: build-image + shell: bash + run: | + just=$(which just) + sudo $just build "${IMAGE_NAME}" "${DEFAULT_TAG}" + + # Reprocess raw-img using rechunker which will delete it + - name: Run Rechunker + id: rechunk + uses: hhd-dev/rechunk@602e6d62558ab23e15e8764ce06e26c0f328da71 # v1.0.1 + with: + rechunk: "ghcr.io/hhd-dev/rechunk:v1.0.1" + ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" + prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" + skip_compression: true + version: ${{ env.CENTOS_VERSION }} + + - name: Load in podman and tag + run: | + IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) + sudo rm -rf ${{ steps.rechunk.outputs.output }} + podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} + skopeo inspect --raw docker://$IMAGE + IMAGE_DIGEST=$(skopeo inspect docker://$IMAGE | jq -r '.Digest') + echo "image=$IMAGE" >> $GITHUB_OUTPUT + echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT + + - name: Login to GitHub Container Registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Push the image to GHCR (Image Registry) + - name: Push To GHCR + # if: github.event_name != 'pull_request' + id: push + env: + IMAGE_REGISTRY: ${{ steps.registry_case.outputs.lowercase }} + IMAGE_NAME: ${{ env.IMAGE_NAME }} + IMAGE_DIGEST: ${{ steps.load.outputs.digest }} + run: | + for i in {1..3}; do + podman push --remove-signatures --digestfile=/tmp/digestfile $IMAGE_REGISTRY/$IMAGE_NAME@${IMAGE_DIGEST} && break || sleep $((5 * i)); + done + REMOTE_IMAGE_DIGEST=$(cat 
/tmp/digestfile) + echo "remote_image_digest=$REMOTE_IMAGE_DIGEST" >> $GITHUB_OUTPUT + + # This section is optional and only needs to be enabled in you plan on distributing + # your project to others to consume. You will need to create a public and private key + # using Cosign and save the private key as a repository secret in Github for this workflow + # to consume. For more details, review the image signing section of the README. + - name: Install Cosign + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + #if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + + - name: Sign container image + #if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + run: | + IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}" + cosign sign -y --key env://COSIGN_PRIVATE_KEY ${IMAGE_FULL}@${{ steps.push.outputs.remote_image_digest }} + env: + TAGS: ${{ steps.push.outputs.digest }} + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} + + - name: Create job outputs + env: + IMAGE_NAME: ${{ env.IMAGE_NAME }} + PLATFORM: ${{ matrix.platform }} + DIGEST: ${{ steps.push.outputs.remote_image_digest }} + run: | + mkdir -p /tmp/outputs/digests + echo "${DIGEST}" > /tmp/outputs/digests/${IMAGE_NAME}-${PLATFORM}.txt + + - name: Upload Output Artifacts + uses: actions/upload-artifact@v4 + with: + name: ${{ env.IMAGE_NAME }}-${{ matrix.platform }} + retention-days: 1 + if-no-files-found: error + path: | + /tmp/outputs/digests/*.txt + + manifest: + runs-on: ubuntu-latest + needs: + - build_push + permissions: + contents: read + packages: write + id-token: write + steps: - name: Get current date id: date run: | 
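Review bot: The `if: github.event_name != 'pull_request' && github.ref == …default_branch` guards on the login, push and cosign steps are commented out, so every trigger of this job — the `merge_group` event and any pull_request event the workflow listens for — now pushes to GHCR and signs the result with `SIGNING_SECRET`; restore the guards, or at minimum gate `Sign container image` on the default branch, so unreviewed commits are never signed with the release key. `actions/upload-artifact@v4` is the only action in this hunk referenced by a floating tag while everything else is SHA-pinned; pin it the same way. The new `manifest` job requests `id-token: write` but nothing in it uses OIDC (signing is key-based with `COSIGN_EXPERIMENTAL: false`), so that permission should be dropped under least privilege. The push step also references `steps.registry_case.outputs.lowercase` and `steps.load.outputs.digest`, neither of which exists in the job as written in this commit.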
@@ -93,68 +210,69 @@ jobs: sep-tags: " " sep-annotations: " " - - name: Build Image - id: build-image - shell: bash + - name: Fetch Build Outputs + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 + with: + pattern: ${{ env.IMAGE_NAME }}-*.txt + merge-multiple: true + path: /tmp/artifacts + + - name: Load Outputs + id: load-outputs run: | - just=$(which just) - sudo $just build "${IMAGE_NAME}" "${DEFAULT_TAG}" + DIGESTS_JSON=$(jq -n '{}') + for file in /tmp/artifacts/*.txt; do + # Extract the platform from the file name + PLATFORM=$(basename $digest_file | rev | cut -d'-' -f1 | rev | cut -d'.' -f1) + DIGEST=$(cat $digest_file) + # Add the platform and digest to the JSON object + DIGESTS_JSON=$(echo "$DIGESTS_JSON" | jq --arg key "$PLATFORM" --arg value "$DIGEST" '. + {($key): $value}') + done + echo "DIGESTS_JSON=$(echo $DIGESTS_JSON | jq -c '.')" >> $GITHUB_OUTPUT - # Reprocess raw-img using rechunker which will delete it - - name: Run Rechunker - id: rechunk - uses: hhd-dev/rechunk@602e6d62558ab23e15e8764ce06e26c0f328da71 # v1.0.1 - with: - rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1' - ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" - prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" - skip_compression: true - version: ${{ env.CENTOS_VERSION }} - labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator + - name: Create Manifest + id: create-manifest + run: | + podman manifest create ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} + echo "MANIFEST=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT - - name: Load in podman and tag + - name: Populate Manifest + env: + MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }} + DIGESTS_JSON: ${{ steps.load-outputs.outputs.DIGESTS_JSON }} run: | - IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) - sudo rm -rf ${{ 
steps.rechunk.outputs.output }} - for tag in ${{ steps.metadata.outputs.tags }}; do - podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag + DIGESTS=$(echo "$DIGESTS_JSON" | jq -c '.') + PLATFORMS=(${{ env.PLATFORMS }}) + for platform in ${PLATFORMS[@]}; do + digest=$(echo $DIGESTS | jq -r ".$platform") + podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$digest --arch $platform done - - name: Login to GitHub Container Registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + - name: Login to GHCR + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Push the image to GHCR (Image Registry) - - name: Push To GHCR - uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - id: push - with: - registry: ${{ env.IMAGE_REGISTRY }} - image: ${{ env.IMAGE_NAME }} - tags: ${{ steps.metadata.outputs.tags }} - - # This section is optional and only needs to be enabled in you plan on distributing - # your project to others to consume. You will need to create a public and private key - # using Cosign and save the private key as a repository secret in Github for this workflow - # to consume. For more details, review the image signing section of the README. 
- - - name: Install Cosign - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - - - name: Sign container image - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + - name: Tag Manifest + id: tag-manifest + env: + TAGS: ${{ steps.metadata.outputs.tags }} run: | - IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}" - for tag in ${{ steps.metadata.outputs.tags }}; do - cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag + MANIFEST_TAGS=() + for tag in $(echo $TAGS | tr ' ' '\n'); do + podman manifest tag ${{ steps.create-manifest.outputs.MANIFEST }} ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$tag + MANIFEST_TAGS+=(${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$tag) done + MANIFEST_TAGS_JSON=$(printf '%s\n' "${MANIFEST_TAGS[@]}" | jq -R . | jq -cs .) + echo "MANIFEST_TAGS_JSON=${MANIFEST_TAGS_JSON}" >> $GITHUB_OUTPUT + + - name: Push Manifest env: - TAGS: ${{ steps.push.outputs.digest }} - COSIGN_EXPERIMENTAL: false - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} + MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }} + MANIFEST_TAGS_JSON: ${{ steps.tag-manifest.outputs.MANIFEST_TAGS_JSON }} + run: | + for tag in $(echo $MANIFEST_TAGS_JSON | jq -r '.[]'); do + podman manifest push --all=false $MANIFEST $tag + done From 697a8f4821cd2fd19db4a70d6985faadd66568c4 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 09:43:54 +0000 Subject: [PATCH 02/44] fix: correct justfile build image name --- Justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 48a45db..a274bb4 100644 --- a/Justfile +++ b/Justfile 
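Review bot: The multi-arch manifest that the public tags now resolve to is pushed without a cosign signature — signing in `build_push` covers only the per-platform digests, so `cosign verify` against `IMAGE_REGISTRY/IMAGE_NAME:latest` will fail where it succeeded under the old per-tag `cosign sign` loop this hunk removes. Capture the pushed manifest digest with `podman manifest push --digestfile` and sign it in this job, as sketched below. `docker/login-action@v3` also lost its SHA pin in this rewrite (the build job still uses `@9780b0c…`). Note too that `Load Outputs` iterates over `file` but reads `$digest_file`, and `Populate Manifest` joins the digest with `:` rather than `@`; the `manifest:` job header is in the previous hunk.
```yaml
      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Push and Sign Manifest
        env:
          MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }}
          TAGS: ${{ steps.metadata.outputs.tags }}
          IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}
          IMAGE_NAME: ${{ env.IMAGE_NAME }}
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
        run: |
          for tag in $TAGS; do
            podman manifest push --all=false --digestfile=/tmp/manifest-digest \
              "$MANIFEST" "$IMAGE_REGISTRY/$IMAGE_NAME:$tag"
          done
          # every tag points at the same manifest list, so one signature covers them all
          cosign sign -y --key env://COSIGN_PRIVATE_KEY \
            "$IMAGE_REGISTRY/$IMAGE_NAME@$(cat /tmp/manifest-digest)"
```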
@@ -91,7 +91,7 @@ build $target_image=image_name $tag=default_tag: podman build \ "${BUILD_ARGS[@]}" \ --pull=newer \ - --tag "${image_name}:${tag}" \ + --tag "${target_image}:${tag}" \ . _rootful_load_image $target_image=image_name $tag=default_tag: From 2da1e03362b8c6316c6a9d13c6688b05be12b56b Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 09:44:34 +0000 Subject: [PATCH 03/44] chore: speed up dev builds --- .github/workflows/build.yml | 8 ++++---- Containerfile | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6d54ccd..80d867e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -68,10 +68,10 @@ jobs: run: | just check - - name: Maximize build space - uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 - with: - remove-codeql: true + # - name: Maximize build space + # uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 + # with: + # remove-codeql: true - name: Build Image id: build-image diff --git a/Containerfile b/Containerfile index f36491c..d882bc9 100644 --- a/Containerfile +++ b/Containerfile @@ -5,11 +5,11 @@ FROM quay.io/centos-bootc/centos-bootc:$MAJOR_VERSION #Install codecs, Workstation, EPEL, CRB, etc. -COPY build.sh /tmp/build.sh -RUN --mount=type=bind,from=config,src=/rpms,dst=/tmp/rpms chmod +x /tmp/build.sh && \ - /tmp/build.sh && \ - dnf clean all && \ - ostree container commit +# COPY build.sh /tmp/build.sh +# RUN --mount=type=bind,from=config,src=/rpms,dst=/tmp/rpms chmod +x /tmp/build.sh && \ +# /tmp/build.sh && \ +# dnf clean all && \ +# ostree container commit # Just gotta get this green! RUN bootc container lint From f684ab8d82ebdfc62def027dcaacf75befb4b8d6 Mon Sep 17 00:00:00 2001 
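Review bot: With `COPY build.sh` and the `RUN … /tmp/build.sh … ostree container commit` block commented out, the image this branch produces is the bare `centos-bootc` base, yet the workflow still pushes it to GHCR and signs it with `SIGNING_SECRET` (the push/sign guards were commented out earlier in this series), so a stubbed dev build ends up published under the release signature. If the goal is faster iteration, keep the real build path live and make the stub opt-in, e.g. `ARG SKIP_BUILD=0` with `RUN if [ "$SKIP_BUILD" = "0" ]; then /tmp/build.sh && dnf clean all && ostree container commit; fi`, or run the experiment on a branch the workflow does not publish from. At minimum a `# TEMPORARY: re-enable before merge` comment should mark the commented block.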
From: Robert Sturla Date: Sun, 5 Jan 2025 09:49:30 +0000 Subject: [PATCH 04/44] fix: address rechunked image with correct names --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 80d867e..89d752a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -91,14 +91,14 @@ jobs: skip_compression: true version: ${{ env.CENTOS_VERSION }} - - name: Load in podman and tag + - name: Load in podman run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) - sudo rm -rf ${{ steps.rechunk.outputs.output }} - podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} - skopeo inspect --raw docker://$IMAGE - IMAGE_DIGEST=$(skopeo inspect docker://$IMAGE | jq -r '.Digest') - echo "image=$IMAGE" >> $GITHUB_OUTPUT + sudo rm -rf ${{ steps.rechunk.outputs.location }} + podman image tag ${{ env.IMAGE_NAME }} ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} + skopeo inspect --raw docker://${{ env.IMAGE_NAME }} + IMAGE_DIGEST=$(skopeo inspect docker://${{ env.IMAGE_NAME }} | jq -r '.Digest') + echo "image=${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry From e181a0602a2fe389944cfead4933fdd1c4977032 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 09:53:48 +0000 Subject: [PATCH 05/44] revert: address rechunked image with correct names --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 89d752a..5b2f672 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -95,10 +95,10 @@ jobs: run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) sudo rm -rf ${{ steps.rechunk.outputs.location }} - podman image tag ${{ env.IMAGE_NAME }} ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} - skopeo inspect --raw docker://${{ env.IMAGE_NAME }} - IMAGE_DIGEST=$(skopeo inspect docker://${{ env.IMAGE_NAME }} | jq -r '.Digest') - echo "image=${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT + podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} + skopeo inspect --raw docker://$IMAGE + IMAGE_DIGEST=$(skopeo inspect docker://$IMAGE | jq -r '.Digest') + echo "image=$IMAGE" >> $GITHUB_OUTPUT echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry From 077afeb297c6a7e31e4830d8b17382fa9a6bda74 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 09:59:26 +0000 Subject: [PATCH 06/44] fix: query full image name in skopeo --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5b2f672..8b309be 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -96,6 +96,8 @@ jobs: IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) sudo rm -rf ${{ steps.rechunk.outputs.location }} podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} + + IMAGE=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} skopeo inspect --raw docker://$IMAGE IMAGE_DIGEST=$(skopeo inspect docker://$IMAGE | jq -r '.Digest') echo "image=$IMAGE" >> $GITHUB_OUTPUT From 958d153fb7ff537642727cd407a0e03e1d75e9b1 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:06:29 +0000 Subject: [PATCH 07/44] fix: tell skopeo to look at local containers-storage --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8b309be..a2648d6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -98,8 +98,8 @@ jobs: podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} IMAGE=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} - skopeo inspect --raw docker://$IMAGE - IMAGE_DIGEST=$(skopeo inspect docker://$IMAGE | jq -r '.Digest') + skopeo inspect --raw containers-storage:$IMAGE + IMAGE_DIGEST=$(skopeo inspect --raw containers-storage:$IMAGE | jq -r '.Digest') echo "image=$IMAGE" >> $GITHUB_OUTPUT echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT From cdd270902e012d817c8ab769c7bc6e9c9ab1a7cf Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:12:55 +0000 Subject: [PATCH 08/44] fix: tell skopeo to use docker --- .github/workflows/build.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a2648d6..d2d8072 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -98,8 +98,9 @@ jobs: podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} IMAGE=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} - skopeo inspect --raw containers-storage:$IMAGE - IMAGE_DIGEST=$(skopeo inspect --raw containers-storage:$IMAGE | jq -r '.Digest') + podman image ls + skopeo inspect --raw docker://$IMAGE + IMAGE_DIGEST=$(skopeo inspect --raw docker://$IMAGE | jq -r '.Digest') echo "image=$IMAGE" >> $GITHUB_OUTPUT echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT From 6d74b4677f48e3a3c8a54fbd4e272da25795fdaa Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:19:32 +0000 Subject: [PATCH 09/44] fix: switch out skopeo for podman --- .github/workflows/build.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d2d8072..16c76d6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -50,7 +50,6 @@ jobs: strategy: fail-fast: false matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}} - permissions: contents: read packages: write @@ -98,9 +97,7 @@ jobs: podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} IMAGE=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} - podman image ls - skopeo inspect --raw docker://$IMAGE - IMAGE_DIGEST=$(skopeo inspect --raw docker://$IMAGE | jq -r '.Digest') + IMAGE_DIGEST=$(podman image inspect --format '{{.Digest}}' $IMAGE) echo "image=$IMAGE" >> $GITHUB_OUTPUT echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT From 4b0657b4e1668cb6358e84fb9249af08eb6db4c3 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:23:51 +0000 Subject: [PATCH 10/44] fix: fetch registry from env --- .github/workflows/build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 16c76d6..e097c98 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,6 +47,9 @@ jobs: name: Build and push image runs-on: ubuntu-24.04 needs: generate_matrix + # container: + # image: registry.redhat.io/ubi9/ubi:latest + # options: --privileged strategy: fail-fast: false matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}} @@ -91,6 +94,7 @@ jobs: version: ${{ env.CENTOS_VERSION }} - name: Load in podman + id: load run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) sudo rm -rf ${{ steps.rechunk.outputs.location }} @@ -114,7 +118,7 @@ jobs: # if: github.event_name != 'pull_request' id: push env: - IMAGE_REGISTRY: ${{ steps.registry_case.outputs.lowercase }} + IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }} IMAGE_NAME: ${{ env.IMAGE_NAME }} IMAGE_DIGEST: ${{ steps.load.outputs.digest }} run: | 
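Review bot: `IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}` replaces `steps.registry_case.outputs.lowercase`, but `env.IMAGE_REGISTRY` is `ghcr.io/${{ github.repository_owner }}` verbatim and `repository_owner` keeps the owner's capitalisation; OCI repository names must be lowercase, so the push (and the later `cosign sign` on the same reference) will fail for any owner whose GitHub name contains capitals. Either lowercase it in the step, `IMAGE_REGISTRY=${IMAGE_REGISTRY,,}`, or reintroduce the lowercase step the old workflow had and reference it here. The same mixed-case reference is used for the local tag in `Load in podman`, where it is harmless.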
From b0e00e64e7cf7b62d71d56a7b7e6bedfc08146dc Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:30:18 +0000 Subject: [PATCH 11/44] fix: do not push a digest --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e097c98..acb7fa0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -122,8 +122,9 @@ jobs: IMAGE_NAME: ${{ env.IMAGE_NAME }} IMAGE_DIGEST: ${{ steps.load.outputs.digest }} run: | + podman tag ${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}:${DEFAULT_TAG} $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM for i in {1..3}; do - podman push --remove-signatures --digestfile=/tmp/digestfile $IMAGE_REGISTRY/$IMAGE_NAME@${IMAGE_DIGEST} && break || sleep $((5 * i)); + podman push --digestfile=/tmp/digestfile $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM && break || sleep $((5 * i)); done REMOTE_IMAGE_DIGEST=$(cat /tmp/digestfile) echo "remote_image_digest=$REMOTE_IMAGE_DIGEST" >> $GITHUB_OUTPUT From 50c609f89a3008946ca12fee12a6b1770e6d055c Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:33:40 +0000 Subject: [PATCH 12/44] fix: push the image with platform appended --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index acb7fa0..019981f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -121,6 +121,7 @@ jobs: IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }} IMAGE_NAME: ${{ env.IMAGE_NAME }} IMAGE_DIGEST: ${{ steps.load.outputs.digest }} + PLATFORM: ${{ matrix.platform }} run: | podman tag ${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}:${DEFAULT_TAG} $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM for i in {1..3}; do From 5f533bec60515fc8dd8daa8a035db3aed819c741 Mon Sep 17 00:00:00 2001 
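Review bot: The push now writes a mutable per-platform tag, `$DEFAULT_TAG-$PLATFORM`, on every run, and the `if:` guard on this step is still commented out, so pull-request and merge-queue runs will overwrite `latest-amd64` in the public package; gate the step on the default branch, or use a run-scoped tag such as `$DEFAULT_TAG-$PLATFORM-$GITHUB_RUN_ID` for the intermediate image and let the manifest job own the public tags. The retry loop ends with `sleep`'s exit status, so three failed pushes fall through to `cat /tmp/digestfile` and fail only because the file is missing; add `test -s /tmp/digestfile || { echo "push failed" >&2; exit 1; }` after the loop to make that explicit. `$PLATFORM` is used here but is not in this step's `env:` in this commit.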
From: Robert Sturla Date: Sun, 5 Jan 2025 10:34:32 +0000 Subject: [PATCH 13/44] debug: output digestfile --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 019981f..f82da6c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -129,6 +129,7 @@ jobs: done REMOTE_IMAGE_DIGEST=$(cat /tmp/digestfile) echo "remote_image_digest=$REMOTE_IMAGE_DIGEST" >> $GITHUB_OUTPUT + cat /tmp/digestfile # This section is optional and only needs to be enabled in you plan on distributing # your project to others to consume. You will need to create a public and private key From c5e94e57e3c5f3a9988feaa949e82ff963b91ed9 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:39:10 +0000 Subject: [PATCH 14/44] fix: correct file variable name in outputs load step --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f82da6c..db3cbc6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -228,7 +228,7 @@ jobs: id: load-outputs run: | DIGESTS_JSON=$(jq -n '{}') - for file in /tmp/artifacts/*.txt; do + for digest_file in /tmp/artifacts/*.txt; do # Extract the platform from the file name PLATFORM=$(basename $digest_file | rev | cut -d'-' -f1 | rev | cut -d'.' -f1) DIGEST=$(cat $digest_file) From 8caf4fc3312937ebf903d4a839c1ce87a383a525 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:43:24 +0000 Subject: [PATCH 15/44] fix: update artifact name to download --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index db3cbc6..5ff0aaf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -220,7 +220,7 @@ jobs: - name: Fetch Build Outputs uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 with: - pattern: ${{ env.IMAGE_NAME }}-*.txt + pattern: ${{ env.IMAGE_NAME }}-* merge-multiple: true path: /tmp/artifacts From 27a654a3d3e92e77b60c2f3dd30407a110fc5da8 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:47:56 +0000 Subject: [PATCH 16/44] debug: output digest and arch --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5ff0aaf..24c0ce0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -252,6 +252,7 @@ jobs: PLATFORMS=(${{ env.PLATFORMS }}) for platform in ${PLATFORMS[@]}; do digest=$(echo $DIGESTS | jq -r ".$platform") + echo "Adding ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$digest for $platform" podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$digest --arch $platform done From 6640bb23f66d34bc5fde7c4ef228dfedc664d936 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:51:32 +0000 Subject: [PATCH 17/44] fix: correct manifest image digest --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 24c0ce0..9c38252 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -252,8 +252,8 @@ jobs: PLATFORMS=(${{ env.PLATFORMS }}) for platform in ${PLATFORMS[@]}; do digest=$(echo $DIGESTS | jq -r ".$platform") - echo "Adding ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$digest for $platform" - podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$digest --arch $platform + echo "Adding ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest for $platform" + podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest --arch $platform done - name: Login to GHCR 
From 00747c9be6313a5f129edd7160870cac46da9293 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 10:59:34 +0000 Subject: [PATCH 18/44] fix: tag and push manifests in single step --- .github/workflows/build.yml | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9c38252..6c1a5e9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -263,24 +263,11 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Tag Manifest - id: tag-manifest - env: - TAGS: ${{ steps.metadata.outputs.tags }} - run: | - MANIFEST_TAGS=() - for tag in $(echo $TAGS | tr ' ' '\n'); do - podman manifest tag ${{ steps.create-manifest.outputs.MANIFEST }} ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$tag - MANIFEST_TAGS+=(${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:$tag) - done - MANIFEST_TAGS_JSON=$(printf '%s\n' "${MANIFEST_TAGS[@]}" | jq -R . | jq -cs .) - echo "MANIFEST_TAGS_JSON=${MANIFEST_TAGS_JSON}" >> $GITHUB_OUTPUT - - name: Push Manifest env: MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }} - MANIFEST_TAGS_JSON: ${{ steps.tag-manifest.outputs.MANIFEST_TAGS_JSON }} + TAGS: ${{ steps.metadata.outputs.tags }} run: | - for tag in $(echo $MANIFEST_TAGS_JSON | jq -r '.[]'); do + for tag in $(echo $TAGS | tr ' ' '\n'); do podman manifest push --all=false $MANIFEST $tag done From 2b7c8aba1a805880e0082b3f62ef457b40276d59 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 11:13:39 +0000 Subject: [PATCH 19/44] fix: push to correct registry and name --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6c1a5e9..6936ebc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -267,7 +267,9 @@ jobs: env: MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }} TAGS: ${{ steps.metadata.outputs.tags }} + IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }} + IMAGE_NAME: ${{ env.IMAGE_NAME }} run: | for tag in $(echo $TAGS | tr ' ' '\n'); do - podman manifest push --all=false $MANIFEST $tag + podman manifest push --all=false $MANIFEST $IMAGE_REGISTRY/$IMAGE_NAME:$tag done From fe7806e7c0240231942b1cf45002dacb0e038c07 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 11:18:59 +0000 Subject: [PATCH 20/44] chore: enable mock ARM builds --- .github/workflows/build.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6936ebc..f9cb1aa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,7 +20,7 @@ env: IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" DEFAULT_TAG: "latest" CENTOS_VERSION: "stream10" - PLATFORMS: "amd64" + PLATFORMS: "amd64 arm64" concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -247,6 +247,7 @@ jobs: env: MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }} DIGESTS_JSON: ${{ steps.load-outputs.outputs.DIGESTS_JSON }} + LABELS: ${{ steps.metadata.outputs.labels }} run: | DIGESTS=$(echo "$DIGESTS_JSON" | jq -c '.') PLATFORMS=(${{ env.PLATFORMS }}) @@ -256,6 +257,11 @@ jobs: podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest --arch $platform done + # Apply labels to the manifest + for label in $(echo $LABELS | tr ' ' '\n'); do + podman manifest annotate $MANIFEST --annotation $label + done + - name: Login to GHCR uses: docker/login-action@v3 with: From c1ee35a92faa99c6514b90887b1299f175b1bd5d Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 11:24:33 +0000 Subject: [PATCH 21/44] chore: try building in ubi9 --- .github/workflows/build.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) 
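Review bot: `PLATFORMS: "amd64 arm64"` adds an arm64 matrix entry while `build_push` still runs on `ubuntu-24.04` (x86_64) with no emulation or `--platform` flag, so the `--arch arm64` entry that `Populate Manifest` adds will point at an amd64 image, and that mislabelled manifest is what gets published and signed. The commit title says "mock", but a manifest that lies about architecture should not reach the registry even from a test branch; either keep arm64 out of `PLATFORMS` until an arm runner or `qemu-user-static` + `podman build --platform linux/arm64` is wired in, or mark the entry so it is excluded from the push. A comment next to `PLATFORMS` stating which entries have a real builder would help.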
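Review bot: The new annotate loop in `Populate Manifest` cannot work as written: `podman manifest annotate` takes an image digest positional argument after the list name, which is missing, and `tr ' ' '\n'` splits labels whose value contains spaces — `IMAGE_DESC` is "CentOS Stream-based image for basing off of ", so `--annotation` receives fragments like `Stream-based`. Labels on the per-arch images were previously reapplied through rechunk's `labels:` input, which this series dropped; restore that, or read `LABELS` newline-separated (`while IFS= read -r label; do …; done <<< "$LABELS"`) and pass each `key=value` whole.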
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f9cb1aa..df910a7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,9 +47,9 @@ jobs: name: Build and push image runs-on: ubuntu-24.04 needs: generate_matrix - # container: - # image: registry.redhat.io/ubi9/ubi:latest - # options: --privileged + container: + image: redhat/ubi9:latest + options: --privileged strategy: fail-fast: false matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}} @@ -62,6 +62,12 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Install Podman + run: | + sudo dnf install -y \ + podman \ + skopeo + - name: Setup Just uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2 @@ -80,7 +86,7 @@ jobs: shell: bash run: | just=$(which just) - sudo $just build "${IMAGE_NAME}" "${DEFAULT_TAG}" + $just build "${IMAGE_NAME}" "${DEFAULT_TAG}" # Reprocess raw-img using rechunker which will delete it - name: Run Rechunker @@ -97,7 +103,7 @@ jobs: id: load run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) - sudo rm -rf ${{ steps.rechunk.outputs.location }} + rm -rf ${{ steps.rechunk.outputs.location }} podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} IMAGE=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} From e074194ba928f34933449dd363dcf6f437801f51 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 11:25:25 +0000 Subject: [PATCH 22/44] fix: remove sudo from dnf install --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index df910a7..18ef01a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,7 +64,7 @@ jobs: - name: Install Podman run: | - sudo dnf install -y \ + dnf install -y \ podman \ skopeo 
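Review bot: The build job now runs inside `redhat/ubi9:latest` with `--privileged`, pulled by floating tag from Docker Hub while every action in the file is SHA-pinned; pin the container by digest (`image: redhat/ubi9@sha256:…`) so the privileged environment that produces the signed image is reproducible and cannot be swapped by a tag move. The `Install Podman` step likewise installs whatever `podman`/`skopeo` the UBI repos currently serve; consider recording the installed versions (`podman --version`) in the log so a signed build can be traced. Dropping `sudo` from `just build` is fine inside the container, but `rm -rf ${{ steps.rechunk.outputs.location }}` now runs as root from an unquoted action output; pass it through `env:` and use `rm -rf -- "$LOCATION"`.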
From 5f48c6a4de2210de0098484cc350d401ac6542b5 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 11:30:27 +0000 Subject: [PATCH 23/44] fix: no-op sudo --- .github/workflows/build.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 18ef01a..5929945 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -59,15 +59,22 @@ jobs: id-token: write steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - - name: Install Podman + - name: Setup Container run: | dnf install -y \ + git \ podman \ skopeo + echo -e "#!/bin/bash\nexec \"\$@\"" > /usr/bin/sudo + chmod +x /usr/bin/sudo + + # Create a directory Rechunk expects + mkdir -p /home/runner/work/main/main + + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Setup Just uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2 From c48ca99c60d13245088e0d9d00c8d74264be9629 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 13:34:54 +0000 Subject: [PATCH 24/44] fix: roll our own registry login step --- .github/workflows/build.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5929945..f97a214 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
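Review bot: `echo -e "#!/bin/bash\nexec \"\$@\"" > /usr/bin/sudo` unconditionally replaces `sudo` with a shim that runs the command as the invoking user — correct only because this step runs as uid 0 inside the privileged container, and silently wrong anywhere else (a real `sudo` would be overwritten and privilege-dropping callers would keep root). Guard it so it can never clobber a real binary, `command -v sudo >/dev/null || { printf '#!/bin/bash\nexec "$@"\n' > /usr/bin/sudo; chmod +x /usr/bin/sudo; }`, and add a comment saying the shim exists because the Justfile calls `sudo` and the container has none. The hard-coded `mkdir -p /home/runner/work/main/main` ties the job to a repo literally named `main`; the comment says rechunk expects it, so note what path rechunk actually derives it from (presumably the checkout path) rather than leaving a magic constant.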
@@ -119,12 +119,13 @@ jobs: echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - with: + env: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + run: | + echo ${{ secrets.GITHUB_TOKEN }} | podman login -u ${{ github.actor }} --password-stdin $registry # Push the image to GHCR (Image Registry) - name: Push To GHCR From b6045d422f4a2724820cef5af0f39ae6e7cc7fbb Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 13:42:17 +0000 Subject: [PATCH 25/44] fix: hack to get cosign to use Podman creds --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f97a214..02dd343 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -126,6 +126,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} run: | echo ${{ secrets.GITHUB_TOKEN }} | podman login -u ${{ github.actor }} --password-stdin $registry + cat /run/containers/0/auth.json > ~/.docker/config.json # Push the image to GHCR (Image Registry) - name: Push To GHCR From 5582c847c206675780e80257dacf2e8f69f21e72 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 13:48:27 +0000 Subject: [PATCH 26/44] fix: create docker directory if not exists --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 02dd343..c395e59 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
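Review bot: The new `run:` line interpolates `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` straight into the shell script even though the step's `env:` block now defines `password` and `username` for exactly that purpose, and only `$registry` is read from it. Expression interpolation pastes the raw value into the script before bash parses it, so whatever the expression evaluates to is parsed as shell; reading the env vars keeps the script static: `echo "$password" | podman login -u "$username" --password-stdin "$registry"`. The same inline interpolation is carried into the `sudo podman login` and `docker login` lines of PATCH 42 and PATCH 44 further down.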
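Review bot: `cat /run/containers/0/auth.json > ~/.docker/config.json` creates a second copy of the registry credential with whatever mode the shell's umask gives a fresh redirect target (commonly 0644), and nothing later in the job removes it. Copy it with an explicit mode instead, `install -m 0600 /run/containers/0/auth.json ~/.docker/config.json`, and record in a comment which consumer needs the Docker-format file (the commit title suggests cosign). `/run/containers/0/auth.json` is Podman's default auth file only when the login runs as root — true inside this job container, but a rootless user writes under `$XDG_RUNTIME_DIR/containers/` instead, which is presumably the breakage PATCH 42/43 later chase; a comment naming that assumption would save the next person the same detour.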
@@ -126,6 +126,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} run: | echo ${{ secrets.GITHUB_TOKEN }} | podman login -u ${{ github.actor }} --password-stdin $registry + mkdir -p ~/.docker cat /run/containers/0/auth.json > ~/.docker/config.json # Push the image to GHCR (Image Registry) From 4707c22feaed7402d585356eb587e1bc5013ba60 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 13:58:30 +0000 Subject: [PATCH 27/44] chore: enable full build --- .github/workflows/build.yml | 7 +------ Containerfile | 14 ++++++-------- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c395e59..081073e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -45,7 +45,7 @@ jobs: build_push: name: Build and push image - runs-on: ubuntu-24.04 + runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' || 'ubuntu-24.04' }} needs: generate_matrix container: image: redhat/ubi9:latest @@ -273,11 +273,6 @@ jobs: podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest --arch $platform done - # Apply labels to the manifest - for label in $(echo $LABELS | tr ' ' '\n'); do - podman manifest annotate $MANIFEST --annotation $label - done - - name: Login to GHCR uses: docker/login-action@v3 with: diff --git a/Containerfile b/Containerfile index d882bc9..394edff 100644 --- a/Containerfile +++ b/Containerfile 
@@ -5,11 +5,9 @@ FROM quay.io/centos-bootc/centos-bootc:$MAJOR_VERSION #Install codecs, Workstation, EPEL, CRB, etc. -# COPY build.sh /tmp/build.sh -# RUN --mount=type=bind,from=config,src=/rpms,dst=/tmp/rpms chmod +x /tmp/build.sh && \ -# /tmp/build.sh && \ -# dnf clean all && \ -# ostree container commit - -# Just gotta get this green! -RUN bootc container lint +COPY build.sh /tmp/build.sh +RUN --mount=type=bind,from=config,src=/rpms,dst=/tmp/rpms chmod +x /tmp/build.sh && \ + /tmp/build.sh && \ + dnf clean all && \ + ostree container commit && \ + bootc container lint From ae31f0c73661b1c8bfb05b3fd34039e3de0dcab3 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 15:13:59 +0000 Subject: [PATCH 28/44] chore: build single architecture in PRs --- .github/workflows/build.yml | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 081073e..3dcc912 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,14 +4,11 @@ on: pull_request: branches: - main + paths-ignore: + - "**.md" schedule: - cron: "05 10 * * *" # 10:05am UTC everyday merge_group: - push: - branches: - - main - paths-ignore: - - "**/README.md" workflow_dispatch: env: @@ -20,7 +17,8 @@ env: IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" DEFAULT_TAG: "latest" CENTOS_VERSION: "stream10" - PLATFORMS: "amd64 arm64" + # PRs should only build for amd64. The rest are pushed, so we should build for all platforms + PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64, arm64' }} concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -66,6 +64,7 @@ jobs: podman \ skopeo + # Rechunk requires sudo, so we need to create a dummy sudo echo -e "#!/bin/bash\nexec \"\$@\"" > /usr/bin/sudo chmod +x /usr/bin/sudo 
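Review bot: `COPY build.sh /tmp/build.sh` lands the build script in its own layer, so it remains in the image's layer history regardless of what `ostree container commit` or a later removal does to `/tmp`. The `RUN` line already bind-mounts the RPMs from the `config` stage, so the script can be supplied the same way and never become image content: `RUN --mount=type=bind,src=build.sh,dst=/tmp/build.sh --mount=type=bind,from=config,src=/rpms,dst=/tmp/rpms bash /tmp/build.sh && \` (invoking it through `bash` also makes the `chmod +x` unnecessary). The `config` stage this mount refers to is defined outside the hunk. Moving `bootc container lint` into the same `&&` chain after the commit means a lint failure fails the layer, which looks intentional but deserves a one-line comment so nobody splits it back into a separate `RUN`.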
@@ -80,13 +79,7 @@ jobs: - name: Check Just Syntax shell: bash - run: | - just check - - # - name: Maximize build space - # uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7 - # with: - # remove-codeql: true + run: just check - name: Build Image id: build-image @@ -106,7 +99,7 @@ jobs: skip_compression: true version: ${{ env.CENTOS_VERSION }} - - name: Load in podman + - name: Load Image id: load run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) @@ -130,7 +123,7 @@ jobs: cat /run/containers/0/auth.json > ~/.docker/config.json # Push the image to GHCR (Image Registry) - - name: Push To GHCR + - name: Push to GHCR # if: github.event_name != 'pull_request' id: push env: @@ -155,7 +148,7 @@ jobs: uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 #if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - - name: Sign container image + - name: Sign Image #if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) run: | IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}" @@ -165,7 +158,7 @@ jobs: COSIGN_EXPERIMENTAL: false COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - - name: Create job outputs + - name: Create Job Outputs env: IMAGE_NAME: ${{ env.IMAGE_NAME }} PLATFORM: ${{ matrix.platform }} @@ -192,7 +185,7 @@ jobs: packages: write id-token: write steps: - - name: Get current date + - name: Get Build Date id: date run: | # Should generate a timestamp like what is defined on the ArtifactHub documentation From 6647aa10a46c01b5a39d0d6106d652e1297c0625 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 15:23:45 +0000 Subject: [PATCH 29/44] chore: actually build ARM --- .github/workflows/build.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3dcc912..885b572 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,8 @@ env: DEFAULT_TAG: "latest" CENTOS_VERSION: "stream10" # PRs should only build for amd64. The rest are pushed, so we should build for all platforms - PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64, arm64' }} + # PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64, arm64' }} + PLATFORMS: "amd64, arm64" concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -43,7 +44,7 @@ jobs: build_push: name: Build and push image - runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' || 'ubuntu-24.04' }} + runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' || format('runs-on,runner=1cpu-linux-{0},run-id={1}', matrix.arch, github.run_id) }} needs: generate_matrix container: image: redhat/ubi9:latest From b7a373b671f136be9193b750878b263972dfe54d Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 15:26:04 +0000 Subject: [PATCH 30/44] fix: builder runner logic --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 885b572..8fa1c24 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -44,7 +44,7 @@ jobs: build_push: name: Build and push image - runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' || format('runs-on,runner=1cpu-linux-{0},run-id={1}', matrix.arch, github.run_id) }} + runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' || format('runs-on,runner=1cpu-linux-{0},run-id={1}', matrix.platform, github.run_id) }} needs: generate_matrix container: image: redhat/ubi9:latest From 44e0e9bc07d73aa7443e37a9c0373e658e212ecd Mon Sep 17 00:00:00 2001 
From: Robert Sturla Date: Sun, 5 Jan 2025 15:27:56 +0000 Subject: [PATCH 31/44] fix: make platforms space-separated --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8fa1c24..a75baf0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,8 +18,8 @@ env: DEFAULT_TAG: "latest" CENTOS_VERSION: "stream10" # PRs should only build for amd64. The rest are pushed, so we should build for all platforms - # PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64, arm64' }} - PLATFORMS: "amd64, arm64" + # PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64 arm64' }} + PLATFORMS: "amd64 arm64" concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} From 09abead59e4c08a6ecbcbccea863df07dc5129e6 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 18:38:34 +0000 Subject: [PATCH 32/44] chore: bump rechunk to v1.1.0 --- .github/workflows/build.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a75baf0..298b99d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,6 +46,7 @@ jobs: name: Build and push image runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' || format('runs-on,runner=1cpu-linux-{0},run-id={1}', matrix.platform, github.run_id) }} needs: generate_matrix + timeout-minutes: 30 container: image: redhat/ubi9:latest options: --privileged 
@@ -92,9 +93,9 @@ jobs: # Reprocess raw-img using rechunker which will delete it - name: Run Rechunker id: rechunk - uses: hhd-dev/rechunk@602e6d62558ab23e15e8764ce06e26c0f328da71 # v1.0.1 + uses: hhd-dev/rechunk@v1.1.0 with: - rechunk: "ghcr.io/hhd-dev/rechunk:v1.0.1" + rechunk: "ghcr.io/hhd-dev/rechunk:v1.1.0" ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" skip_compression: true From 1be021cd0b282c7d7132cbfc936383f4a941fb4f Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 18:59:07 +0000 Subject: [PATCH 33/44] fix: create another directory Rechunk expects --- .github/workflows/build.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 298b99d..6d4d86b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,7 +17,8 @@ env: IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" DEFAULT_TAG: "latest" CENTOS_VERSION: "stream10" - # PRs should only build for amd64. The rest are pushed, so we should build for all platforms + # PRs should only build for amd64 (because ARM is costly). The rest are pushed to the registry, + # so we should build for all platforms # PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64 arm64' }} PLATFORMS: "amd64 arm64" @@ -72,6 +73,7 @@ jobs: # Create a directory Rechunk expects mkdir -p /home/runner/work/main/main + mkdir -p /home/runner/_work/main/main - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -92,6 +94,7 @@ jobs: # Reprocess raw-img using rechunker which will delete it - name: Run Rechunker + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: rechunk uses: hhd-dev/rechunk@v1.1.0 with: 
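Review bot: `uses: hhd-dev/rechunk@v1.1.0` replaces a commit-SHA pin (`602e6d62…  # v1.0.1`) with a mutable tag, so whoever controls that tag controls code that runs in a job holding `packages: write`, `id-token: write` and the cosign key from `secrets.SIGNING_SECRET` (all visible in context lines of this series). Keep the SHA-pin convention the rest of the file follows: `uses: hhd-dev/rechunk@<commit-sha-placeholder> # v1.1.0`. The `rechunk:` input pointing at `ghcr.io/hhd-dev/rechunk:v1.1.0` is the same kind of floating reference and can be pinned by digest in the same way.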
@@ -102,6 +105,7 @@ jobs: version: ${{ env.CENTOS_VERSION }} - name: Load Image + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: load run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) @@ -126,7 +130,7 @@ jobs: # Push the image to GHCR (Image Registry) - name: Push to GHCR - # if: github.event_name != 'pull_request' + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: push env: IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }} @@ -148,10 +152,10 @@ jobs: # to consume. For more details, review the image signing section of the README. - name: Install Cosign uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - #if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - name: Sign Image - #if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) run: | IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}" cosign sign -y --key env://COSIGN_PRIVATE_KEY ${IMAGE_FULL}@${{ steps.push.outputs.remote_image_digest }} @@ -161,6 +165,7 @@ jobs: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - name: Create Job Outputs + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) env: IMAGE_NAME: ${{ env.IMAGE_NAME }} PLATFORM: ${{ matrix.platform }} 
@@ -170,6 +175,7 @@ jobs: echo "${DIGEST}" > /tmp/outputs/digests/${IMAGE_NAME}-${PLATFORM}.txt - name: Upload Output Artifacts + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) uses: actions/upload-artifact@v4 with: name: ${{ env.IMAGE_NAME }}-${{ matrix.platform }} @@ -180,6 +186,7 @@ jobs: manifest: runs-on: ubuntu-latest + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) needs: - build_push permissions: From 27b90ae8e03fac1ef491d8900fe7c4571989eedb Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 19:44:26 +0000 Subject: [PATCH 34/44] chore: finalise configuration --- .github/workflows/build.yml | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6d4d86b..d6a3373 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -12,15 +12,18 @@ on: workflow_dispatch: env: - IMAGE_NAME: "rs-main-test" # the name of the image produced by this build, matches repo names + IMAGE_NAME: "main" # the name of the image produced by this build, matches repo names IMAGE_DESC: "CentOS Stream-based image for basing off of " IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" DEFAULT_TAG: "latest" CENTOS_VERSION: "stream10" - # PRs should only build for amd64 (because ARM is costly). The rest are pushed to the registry, - # so we should build for all platforms - # PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64 arm64' }} - PLATFORMS: "amd64 arm64" + + # While we are using self-hosted runners, please only build on ARM64 when the image will be pushed + # to a registry. This is because the runners are not free, and I want to protect my wallet. + # + # Thanks, + # Robert (p5) + PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64 arm64' }} concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -92,9 +95,8 @@ jobs: just=$(which just) $just build "${IMAGE_NAME}" "${DEFAULT_TAG}" - # Reprocess raw-img using rechunker which will delete it - name: Run Rechunker - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: rechunk uses: hhd-dev/rechunk@v1.1.0 with: @@ -105,7 +107,7 @@ jobs: version: ${{ env.CENTOS_VERSION }} - name: Load Image - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: load run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) 
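Review bot: The `if:` guards enabled here on Run Rechunker and Load Image (and in the following hunks of this patch through the `manifest:` job) require `github.ref` to equal `refs/heads/<default_branch>`, but PATCH 28 earlier in the series removed the `push` trigger, leaving `pull_request`, `schedule`, `merge_group` and `workflow_dispatch`. As far as I can tell only `schedule` and a manual dispatch on the default branch can satisfy that condition, and a merge-queue run (`refs/heads/gh-readonly-queue/…`) never rechunks, pushes or signs. If that is intended, say so above the first guard, e.g. `# Only scheduled and manually dispatched runs on the default branch publish; PR and merge-queue runs stop after the build`; otherwise the `push` trigger needs restoring. The `PLATFORMS` change in the first hunk, which builds arm64 only outside `pull_request`, is consistent with that reading but the comment above it talks about runner cost rather than about what gets published.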
@@ -118,7 +120,7 @@ jobs: echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) env: registry: ghcr.io username: ${{ github.actor }} @@ -130,7 +132,7 @@ jobs: # Push the image to GHCR (Image Registry) - name: Push to GHCR - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: push env: IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }} @@ -152,10 +154,10 @@ jobs: # to consume. For more details, review the image signing section of the README. - name: Install Cosign uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - name: Sign Image - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) run: | IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}" cosign sign -y --key env://COSIGN_PRIVATE_KEY ${IMAGE_FULL}@${{ steps.push.outputs.remote_image_digest }} 
@@ -165,7 +167,7 @@ jobs: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - name: Create Job Outputs - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) env: IMAGE_NAME: ${{ env.IMAGE_NAME }} PLATFORM: ${{ matrix.platform }} @@ -175,7 +177,7 @@ jobs: echo "${DIGEST}" > /tmp/outputs/digests/${IMAGE_NAME}-${PLATFORM}.txt - name: Upload Output Artifacts - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) uses: actions/upload-artifact@v4 with: name: ${{ env.IMAGE_NAME }}-${{ matrix.platform }} @@ -186,7 +188,7 @@ jobs: manifest: runs-on: ubuntu-latest - # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) needs: - build_push permissions: From 035b7d5ab84fc43965dc2f7d3887ff27fdd7c7ed Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 23:32:14 +0000 Subject: [PATCH 35/44] chore: switch to centos:stream10 builder and add labels to manifest --- .github/workflows/build.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d6a3373..8600181 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -12,7 +12,7 @@ on: workflow_dispatch: env: - IMAGE_NAME: "main" # the name of the image produced by this build, matches repo names + IMAGE_NAME: "rs-main-test" # the name of the image produced by this build, matches repo names IMAGE_DESC: "CentOS Stream-based image for basing off of " IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" DEFAULT_TAG: "latest" @@ -52,7 +52,7 @@ jobs: needs: generate_matrix timeout-minutes: 30 container: - image: redhat/ubi9:latest + image: quay.io/centos/centos:stream10 options: --privileged strategy: fail-fast: false @@ -277,6 +277,11 @@ jobs: podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest --arch $platform done + # Apply the labels to the manifest + for label in $(echo $LABELS | tr ' ' '\n'); do + podman manifest annotate --index --annotation=$label $MANIFEST + done + - name: Login to GHCR uses: docker/login-action@v3 with: From 7483259c8160e8067b82c52ad7369941d312635b Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 23:42:56 +0000 Subject: [PATCH 36/44] fix: install whereis on the runner --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8600181..4911a6b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -68,7 +68,8 @@ jobs: dnf install -y \ git \ podman \ - skopeo + skopeo \ + whereis # Rechunk requires sudo, so we need to create a dummy sudo echo -e "#!/bin/bash\nexec \"\$@\"" > /usr/bin/sudo From 53964ae5a703303999dc83e007b60cdb1be68314 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sun, 5 Jan 2025 23:44:32 +0000 Subject: [PATCH 37/44] fix: install which on the runner --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4911a6b..394052e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
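Review bot: The new annotation loop splits `$LABELS` on whitespace (`tr ' ' '\n'` plus an unquoted `$(...)`), so any label whose value contains a space — `IMAGE_DESC` is `CentOS Stream-based image for basing off of `, and presumably ends up in `LABELS` — reaches `podman manifest annotate` as several fragments, the first a truncated annotation and the rest not `key=value` at all. Assemble `LABELS` one entry per line where it is built (outside this hunk) and read it line-wise: `while IFS= read -r label; do podman manifest annotate --index --annotation="$label" "$MANIFEST"; done <<< "$LABELS"`. The block is a near-copy of the loop PATCH 27 deleted, so a comment on why `--index` is now required would spare the next reader the archaeology.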
@@ -69,7 +69,7 @@ jobs: git \ podman \ skopeo \ - whereis + which # Rechunk requires sudo, so we need to create a dummy sudo echo -e "#!/bin/bash\nexec \"\$@\"" > /usr/bin/sudo From da458fa7ec9d6ca96c433bd61222727f7bc696c0 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Mon, 6 Jan 2025 00:04:33 +0000 Subject: [PATCH 38/44] revert: go back to ubi9 --- .github/workflows/build.yml | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 394052e..12508f2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -52,7 +52,7 @@ jobs: needs: generate_matrix timeout-minutes: 30 container: - image: quay.io/centos/centos:stream10 + image: redhat/ubi9:latest options: --privileged strategy: fail-fast: false @@ -68,8 +68,7 @@ jobs: dnf install -y \ git \ podman \ - skopeo \ - which + skopeo # Rechunk requires sudo, so we need to create a dummy sudo echo -e "#!/bin/bash\nexec \"\$@\"" > /usr/bin/sudo @@ -97,7 +96,7 @@ jobs: $just build "${IMAGE_NAME}" "${DEFAULT_TAG}" - name: Run Rechunker - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: rechunk uses: hhd-dev/rechunk@v1.1.0 with: @@ -108,7 +107,7 @@ jobs: version: ${{ env.CENTOS_VERSION }} - name: Load Image - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: load run: | IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) 
@@ -121,7 +120,7 @@ jobs: echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) env: registry: ghcr.io username: ${{ github.actor }} @@ -133,7 +132,7 @@ jobs: # Push the image to GHCR (Image Registry) - name: Push to GHCR - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: push env: IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }} @@ -155,10 +154,10 @@ jobs: # to consume. For more details, review the image signing section of the README. - name: Install Cosign uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - name: Sign Image - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) run: | IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}" cosign sign -y --key env://COSIGN_PRIVATE_KEY ${IMAGE_FULL}@${{ steps.push.outputs.remote_image_digest }} 
@@ -168,7 +167,7 @@ jobs: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - name: Create Job Outputs - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) env: IMAGE_NAME: ${{ env.IMAGE_NAME }} PLATFORM: ${{ matrix.platform }} @@ -178,7 +177,7 @@ jobs: echo "${DIGEST}" > /tmp/outputs/digests/${IMAGE_NAME}-${PLATFORM}.txt - name: Upload Output Artifacts - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) uses: actions/upload-artifact@v4 with: name: ${{ env.IMAGE_NAME }}-${{ matrix.platform }} @@ -189,7 +188,7 @@ jobs: manifest: runs-on: ubuntu-latest - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) needs: - build_push permissions: From 0201bfd340e14ec4e1e793fe4b9c30b9db4b94af Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Mon, 27 Jan 2025 21:02:52 +0000 Subject: [PATCH 39/44] chore: switch to GitHub runners --- .github/workflows/build.yml | 28 ++-------------------------- 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 12508f2..e3719ba 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -17,13 +17,7 @@ env: IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" DEFAULT_TAG: "latest" CENTOS_VERSION: "stream10" - - # While we are using self-hosted runners, please only build on ARM64 when the image will be pushed - # to a registry. This is because the runners are not free, and I want to protect my wallet. - # - # Thanks, - # Robert (p5) - PLATFORMS: ${{ github.event_name == 'pull_request' && 'amd64' || 'amd64 arm64' }} + PLATFORMS: 'amd64 arm64' concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -48,12 +42,9 @@ jobs: build_push: name: Build and push image - runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' || format('runs-on,runner=1cpu-linux-{0},run-id={1}', matrix.platform, github.run_id) }} + runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' || 'ubuntu-24.04-arm' }} needs: generate_matrix timeout-minutes: 30 - container: - image: redhat/ubi9:latest - options: --privileged strategy: fail-fast: false matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}} @@ -63,21 +54,6 @@ jobs: id-token: write steps: - - name: Setup Container - run: | - dnf install -y \ - git \ - podman \ - skopeo - - # Rechunk requires sudo, so we need to create a dummy sudo - echo -e "#!/bin/bash\nexec \"\$@\"" > /usr/bin/sudo - chmod +x /usr/bin/sudo - - # Create a directory Rechunk expects - mkdir -p /home/runner/work/main/main - mkdir -p /home/runner/_work/main/main - - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 From c809e4582189aef07b3d21d436e89a065f3726d1 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Mon, 27 Jan 2025 21:06:42 +0000 Subject: [PATCH 40/44] fix: do not remove software on arm --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8b8b9bf..2863872 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -58,6 +58,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Maximize build space + if: matrix.platform != 'arm64' uses: ublue-os/remove-unwanted-software@5a8b0374222a6fffddb1be9516b5fece9483bed0 # v8 with: remove-codeql: true From 2b629e7f8cfca3b2b64c1802e427b0f01c133cc5 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Mon, 27 Jan 2025 21:10:40 +0000 Subject: [PATCH 41/44] fix: install Podman in ARM64 --- .github/workflows/build.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2863872..6543193 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -54,6 +54,13 @@ jobs: id-token: write steps: + - name: Install dependencies + if: matrix.platform == 'arm64' + run: | + sudo apt update -y + sudo apt install -y \ + podman + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 From fd3e26e186dc9683434a08c1a5b433d6c74d84ab Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Mon, 27 Jan 2025 21:18:46 +0000 Subject: [PATCH 42/44] fix: build with root --- .github/workflows/build.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6543193..d1b24a2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -82,7 +82,7 @@ jobs: shell: bash run: | just=$(which just) - $just build "${IMAGE_NAME}" "${DEFAULT_TAG}" + sudo $just build "${IMAGE_NAME}" "${DEFAULT_TAG}" - name: Run Rechunker # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) 
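Review bot: The arm64-only `Install dependencies` step uses `apt update -y` / `apt install -y`, and `apt` itself warns that its CLI is not stable for use in scripts; the script-safe form is `sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends podman`. Since the step is gated on `matrix.platform == 'arm64'`, a comment should record why only that runner image lacks Podman (presumably `ubuntu-24.04-arm` ships a smaller toolset), otherwise the guard reads as arbitrary. Nothing pins the Podman version on either platform, which is acceptable for a rolling build but worth a note next to the `podman` line so a behaviour change in a new package is the first suspect.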
@@ -99,12 +99,12 @@ jobs: # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: load run: | - IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) - rm -rf ${{ steps.rechunk.outputs.location }} - podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} + IMAGE=$(sudo podman pull ${{ steps.rechunk.outputs.ref }}) + sudo rm -rf ${{ steps.rechunk.outputs.location }} + sudo podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} IMAGE=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }} - IMAGE_DIGEST=$(podman image inspect --format '{{.Digest}}' $IMAGE) + IMAGE_DIGEST=$(sudo podman image inspect --format '{{.Digest}}' $IMAGE) echo "image=$IMAGE" >> $GITHUB_OUTPUT echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT @@ -115,7 +115,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} run: | - echo ${{ secrets.GITHUB_TOKEN }} | podman login -u ${{ github.actor }} --password-stdin $registry + echo ${{ secrets.GITHUB_TOKEN }} | sudo podman login -u ${{ github.actor }} --password-stdin $registry mkdir -p ~/.docker cat /run/containers/0/auth.json > ~/.docker/config.json 
@@ -129,9 +129,9 @@ jobs:
           IMAGE_DIGEST: ${{ steps.load.outputs.digest }}
           PLATFORM: ${{ matrix.platform }}
         run: |
-          podman tag ${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}:${DEFAULT_TAG} $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM
+          sudo podman tag ${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}:${DEFAULT_TAG} $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM
           for i in {1..3}; do
-            podman push --digestfile=/tmp/digestfile $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM && break || sleep $((5 * i));
+            sudo podman push --digestfile=/tmp/digestfile $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM && break || sleep $((5 * i));
           done
           REMOTE_IMAGE_DIGEST=$(cat /tmp/digestfile)
           echo "remote_image_digest=$REMOTE_IMAGE_DIGEST" >> $GITHUB_OUTPUT
From f3842aec13018e62de8651cb810f17c7f467cbc9 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Mon, 27 Jan 2025 21:30:26 +0000
Subject: [PATCH 43/44] fix: use sudo

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d1b24a2..0d8e141 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -117,7 +117,7 @@ jobs:
         run: |
           echo ${{ secrets.GITHUB_TOKEN }} | sudo podman login -u ${{ github.actor }} --password-stdin $registry
           mkdir -p ~/.docker
-          cat /run/containers/0/auth.json > ~/.docker/config.json
+          sudo cat /run/containers/0/auth.json > ~/.docker/config.json
 
       # Push the image to GHCR (Image Registry)
       - name: Push to GHCR
From ad244ad003a85c271ce24ebb9433964a1b5556e3 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Mon, 27 Jan 2025 22:43:55 +0000
Subject: [PATCH 44/44] fix: add docker login

---
 .github/workflows/build.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0d8e141..a8e4bfe 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
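Review bot: The retry loop still exits 0 after three failed pushes, because the final `sleep` succeeds and the loop simply ends; the step then fails only incidentally, when `cat /tmp/digestfile` finds no file, rather than because the push was reported as failed. Make the last failure explicit, e.g. `sudo podman push --digestfile="$DIGESTFILE" "$IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM" && break || { [ "$i" -eq 3 ] && exit 1; sleep $((5 * i)); }`, with `DIGESTFILE="$RUNNER_TEMP/digestfile"` replacing the fixed, root-written path in the world-writable `/tmp`. The step's `env:` block starts before the hunk.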
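Review bot: `sudo cat /run/containers/0/auth.json > ~/.docker/config.json` only elevates the read; the redirect runs in the runner user's shell, so the file is created with that shell's umask (commonly 0644) and now holds the registry credential, i.e. the base64-encoded `GITHUB_TOKEN`, readable by any local user on a shared or self-hosted runner. If the copy is kept, create it with restrictive permissions, e.g. `sudo install -m 0600 -o "$(id -un)" /run/containers/0/auth.json ~/.docker/config.json`. PATCH 44/44 drops the copy in favour of a second login, which avoids the problem. The step's `env:` and `- name:` lines precede the hunk.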
@@ -116,8 +116,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
         run: |
           echo ${{ secrets.GITHUB_TOKEN }} | sudo podman login -u ${{ github.actor }} --password-stdin $registry
-          mkdir -p ~/.docker
-          sudo cat /run/containers/0/auth.json > ~/.docker/config.json
+          echo ${{ secrets.GITHUB_TOKEN }} | docker login -u ${{ github.actor }} --password-stdin $registry
 
       # Push the image to GHCR (Image Registry)
       - name: Push to GHCR
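Review bot: After this change the step logs the same token into two credential stores on the runner, root's `/run/containers/0/auth.json` and the user's `~/.docker/config.json`, and neither is cleared when the job ends; on GitHub-hosted runners the VM is discarded, but on a self-hosted runner the credentials remain for the next job. Add a cleanup step with `if: always()` that runs `sudo podman logout "$registry"` and `docker logout "$registry"`, and quote `"$registry"` on both login lines. The token-in-script point raised on the -115 hunk of PATCH 42/44 applies to the new `docker login` line as well. The step header and its `env:` block are outside the hunk.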
