Merge Upstream (#5)

* feat: add support for image signing

* fix: fix build arguments

* docs: update Installation in README

* docs: include more detailed steps in installation section

* docs: remove unneeded verification section

* refactor: clean up image signing to line up more with upstream

* feat: add signature rather than replace to allow rebasing back to uBlue main

* style: format whitespace

* refactor: fix jq, rename cosign.yaml and cosign.pub

* Revert "refactor: clean up image signing to line up more with upstream"

* style: prepend the entry in the JSON rather than append

* fix: remove remnants from earlier image signing method

* fix: remove old signing config, using the one from the config repo instead (blue-build#124)

* fix: lowercase image name for signing

* Updating Gamescope to pull from the most recent package.

* Per the updating tools, it appears that org.gnome.Games is end of life and will no longer get updates.

* Revert "Per the updating tools, it appears that org.gnome.Games is end of life and will no longer get updates."

This reverts commit 0f80d30.

* fix: remove GNOME Games, is deprecated

* chore: justom.just add line break at EOF

* chore: autostart.desktop add line break at EOF

* fix: capitalize first character of comment (blue-build#132)

* feat: ISO build action (blue-build#133)

* feat: base iso release workflow
* does not produce a functional ISO yet
needs boot_menu

* chore(dev): start iso workflow on iso push

* fix: rename release-iso to release-please

* refactor: use github-cli to create release

* fix: remove job dependencies

* chore: basic boot menu

* fix: add permission to create release

* fix: delegate tag for auto-iso releases,..
delete old version when rerunning

* fix: multiline string for multine cmds

* fix: specify gh repo in old release delete

* fix: only create release if doesn't exist

* fix: boot menu double user field

* fix: clobber iso

* chore: neutral defaults for boot menu

* feat: run iso when iso-related changes pushed

* docs: README section for ISO

* fix: always get version tags (blue-build#134)

---------

Co-authored-by: Scott Ames <[email protected]>

---------

Co-authored-by: gerblesh <[email protected]>
Co-authored-by: Jorge O. Castro <[email protected]>
Co-authored-by: ER <[email protected]>
Co-authored-by: Waffleophagus <[email protected]>
Co-authored-by: plata <[email protected]>
Co-authored-by: jh-devv <[email protected]>
Co-authored-by: EinoHR <[email protected]>
Co-authored-by: Scott Ames <[email protected]>

.github/workflows/build.yml

@@ -64,13 +64,19 @@ jobs:
           echo "FEDORA_MAJOR_VERSION=$(yq '.fedora-version' ./${{ matrix.recipe }})" >> $GITHUB_ENV
           echo "BASE_IMAGE_URL=$(yq '.base-image' ./${{ matrix.recipe }})" >> $GITHUB_ENV
 
+      - name: Get current version
+        id: labels
+        run: |
+          ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.FEDORA_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]')
+          echo "VERSION=$ver" >> $GITHUB_OUTPUT
+
       - name: Generate tags
         id: generate-tags
         shell: bash
         run: |
           # Generate a timestamp for creating an image version history
           TIMESTAMP="$(date +%Y%m%d)"
-          MAJOR_VERSION="${{ env.FEDORA_MAJOR_VERSION }}"
+          MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)"
           COMMIT_TAGS=()
           BUILD_TAGS=()
           # Have tags for tracking builds during pull request
@@ -98,12 +104,6 @@ jobs:
           done
           echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
 
-      - name: Get current version
-        id: labels
-        run: |
-          ver=$(skopeo inspect docker://${{ env.BASE_IMAGE_URL }}:${{ env.FEDORA_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]')
-          echo "VERSION=$ver" >> $GITHUB_OUTPUT
-
       # Build metadata
       - name: Image Metadata
         uses: docker/metadata-action@v4
@@ -120,11 +120,11 @@ jobs:
 
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
       # https://github.com/macbre/push-to-ghcr/issues/12
-      - name: Lowercase Registry
-        id: registry_case
+      - name: Lowercase Image
+        id: image_case
         uses: ASzc/change-string-case-action@v5
         with:
-          string: ${{ env.IMAGE_REGISTRY }}
+          string: ${{ env.IMAGE_NAME }}
 
       # Build image using Buildah action
       - name: Build Image
@@ -176,7 +176,7 @@ jobs:
       - name: Sign container image
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
         run: |
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.image_case.outputs.lowercase }}@${TAGS}
         env:
           TAGS: ${{ steps.push.outputs.digest }}
           COSIGN_EXPERIMENTAL: false

.github/workflows/release-iso.yml

@@ -0,0 +1,46 @@
+on:
+  push:
+    paths:
+      - 'boot_menu.yml'
+      - '.github/workflows/release-iso.yml'
+  workflow_dispatch:
+
+name: release-iso
+jobs:
+  release-iso:
+    name: Generate and Release ISOs
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    container: 
+      image: fedora:38
+      options: --privileged
+    steps:
+      - uses: actions/checkout@v3
+      - name: Generate ISO  
+        uses: ublue-os/isogenerator@main
+        id: isogenerator
+        with:
+          image-name: ${{ github.event.repository.name }}
+          installer-repo: releases
+          installer-major-version: 38
+          boot-menu-path: boot_menu.yml
+      - name: install github CLI
+        run: |
+          sudo dnf install 'dnf-command(config-manager)' -y
+          sudo dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
+          sudo dnf install gh -y
+      - name: Upload ISO
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          if gh release list -R ${{ github.repository_owner }}/${{ github.event.repository.name }} | grep "auto-iso"; then
+            gh release upload auto-iso ${{ steps.isogenerator.outputs.iso-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
+          else
+            gh release create auto-iso ${{ steps.isogenerator.outputs.iso-path }} -t ISO -n "This is an automatically generated ISO release." -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
+          fi
+      - name: Upload SHA256SUM
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run:
+          gh release upload auto-iso ${{ steps.isogenerator.outputs.sha256sum-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber

Containerfile

@@ -28,11 +28,10 @@ ARG IMAGE_REGISTRY=ghcr.io/ublue-os
 COPY usr /usr
 
 # Copy public key
-COPY cosign.pub /usr/etc/pki/containers/cosign.pub
+COPY cosign.pub /usr/share/ublue-os/cosign.pub
+
 # Copy base signing config
 COPY usr/etc/containers /usr/etc/
-# Copy greetd & systemd configs
-COPY etc /etc
 
 # Copy greetd & systemd configs
 COPY etc /etc

README.md

@@ -116,6 +116,16 @@ This repository by default also supports signing
 
 The `latest` tag will automatically point to the latest build. That build will still always use the Fedora version specified in `recipe.yml`, so you won't get accidentally updated to the next major version.
 
+## ISO
+
+This template includes a simple Github Action to build and release an ISO of your image. 
+
+To run the action, simply edit the `boot_menu.yml` by changing all the references to `ublue-os/startingpoint` to your repository. This should trigger the action automatically.
+
+The Action uses [isogenerator](https://github.com/ublue-os/isogenerator) and works in a similar manner to the official Universal Blue ISO. If you have any issues, you should first check [the documentation page on installation](https://universal-blue.org/installation/). The ISO is a netinstaller and should always pull the latest version of your image.
+
+Note that this release-iso action is not a replacement for a full-blown release automation like [release-please](https://github.com/googleapis/release-please).
+
 ## Just
 
 The `just` task runner is included in `ublue-os/main`-derived images, and we have provided several template commands which help you perform further customization after first boot.
@@ -145,4 +155,4 @@ After doing that, you'll be able to run the following commands:
 - `just nix-me-up` - Install Nix with dnkmmr69420's Nix Silverblue install script
 - `just update` - Update rpm-ostree, flatpaks, and distroboxes in one command
 
-Check the [just website](https://just.systems) for tips on modifying and adding your own recipes.
+Check the [just website](https://just.systems) for tips on modifying and adding your own recipes.

boot_menu.yml

@@ -0,0 +1,5 @@
+ublue_variants:
+  - label: ublue-os/startingpoint
+    ks: /kickstart/ublue-os.ks
+    flavors:
+      - label: startingpoint

scripts/build.sh

@@ -111,5 +111,34 @@ if [[ "${YAFTI_ENABLED}" == "true" ]]; then
     fi
 fi
 
+# Setup container signing
+echo "Setup container signing in policy.json and cosign.yaml"
+echo "Registry to write: $IMAGE_REGISTRY"
+
+# Copy Name
+NAME=$(get_yaml_string '.name')
+cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$NAME".pub
+
+# Work around the fact that jq doesn't have an "inplace" option
+FILE=/usr/etc/containers/policy.json
+TMP=/tmp/policy.json
+
+jq '.transports.docker |= 
+    {"'"$IMAGE_REGISTRY"'": [
+            {
+                "type": "sigstoreSigned",
+                "keyPath": "/usr/etc/pki/containers/'"$NAME"'.pub",
+                "signedIdentity": {
+                    "type": "matchRepository"
+                }
+            }
+        ]
+    }
++ .' $FILE > $TMP
+mv -f $TMP $FILE
+
+cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$NAME".yaml
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/"$NAME".yaml
+
 # Run "post" scripts.
 run_scripts "post"

usr/share/ublue-os/firstboot/launcher/autostart.desktop

@@ -6,4 +6,4 @@ Categories=Utility;System;
 Exec=/usr/share/ublue-os/firstboot/launcher/autostart.sh
 Icon=application-x-executable
 Terminal=false
-Type=Application
+Type=Application

usr/share/ublue-os/firstboot/yafti.yml

@@ -100,10 +100,9 @@ screens:
           packages:
             - Bottles: com.usebottles.bottles
             - Discord: com.discordapp.Discord
-            - GNOME Games: org.gnome.Games
             - Heroic Games Launcher: com.heroicgameslauncher.hgl
             - Steam: com.valvesoftware.Steam
-            - Gamescope (Utility): com.valvesoftware.Steam.Utility.gamescope
+            - Gamescope (Utility): org.freedesktop.Platform.VulkanLayer.gamescope
             - MangoHUD (Utility): org.freedesktop.Platform.VulkanLayer.MangoHud//22.08
             - SteamTinkerLaunch (Utility): com.valvesoftware.Steam.Utility.steamtinkerlaunch
             - Proton Updater for Steam: net.davidotek.pupgui2

usr/share/ublue-os/just/custom.just

@@ -1,6 +1,6 @@
 !include /usr/share/ublue-os/just/bling.just
 
-# install all flatpaks defined in recipe.yml
+# Install all flatpaks defined in recipe.yml
 setup-flatpaks:
   #!/usr/bin/env bash
   echo 'Installing flatpaks from the ublue recipe ...'
@@ -10,4 +10,4 @@ setup-flatpaks:
       flatpak install --user --noninteractive flathub $pkg; \
   done
 
-# Include some of your custom scripts here! 
+# Include some of your custom scripts here!