[pull] dev from live

.github/workflows/build.yml

@@ -30,29 +30,55 @@ jobs:
 
       matrix:
         recipe:
-          - silverflow-nvidia-38.yml
           - silverflow-nvidia-39.yml
 
     steps:
-      - name: Maximize build space
-        uses: ublue-os/remove-unwanted-software@v6
 
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      # Confirm that cosign.pub matches SIGNING_SECRET
+      - uses: sigstore/[email protected]
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+
+      - name: Check SIGNING_SECRET matches cosign.pub
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PASSWORD: ""
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+        shell: bash
+        run: |
+          echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub"
+          delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub)
+          if [ -z "$delta" ]; then
+            echo "cosign.pub matches SIGNING_SECRET"
+          else
+            echo "cosign.pub does not match SIGNING_SECRET"
+            echo "$delta"
+            exit 1
+          fi
+
       - name: Add yq (for reading recipe.yml)
-        uses: mikefarah/[email protected].2
+        uses: mikefarah/[email protected].5
 
       - name: Gather image data from recipe
         run: |
           echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
           echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
           echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
-          echo "BASE_IMAGE_URL=$(yq '.base-image' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
+          BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }})
+          echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV
+          echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
           echo "IS_LATEST_VERSION=$(yq '.is_latest_version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
           echo "IS_STABLE_VERSION=$(yq '.is_stable_version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
 
+      - name: Verify base image
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
+
       - name: Get current version
         id: labels
         run: |
@@ -128,6 +154,13 @@ jobs:
         with:
           string: ${{ env.IMAGE_NAME }}
 
+      - name: Maximize build space
+        uses: AdityaGarg8/remove-unwanted-software@v2
+        with:
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+
       # Build image using Buildah action
       - name: Build Image
         id: build_image
@@ -173,9 +206,6 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
-      - uses: sigstore/[email protected]
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-
       - name: Sign container image
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
         run: |

.github/workflows/release-iso.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Generate ISO  
-        uses: ublue-os/isogenerator@v2.2.0
+        uses: ublue-os/isogenerator@v2.3.1
         id: isogenerator
         with:
           image-name: ${{ github.event.repository.name }}
@@ -35,7 +35,7 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
           if gh release list -R ${{ github.repository_owner }}/${{ github.event.repository.name }} | grep "auto-iso"; then
-            gh release view auto-iso --json assets -q .assets[].name | xargs -L 1 gh release delete-asset auto-iso 
+            gh release view auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --json assets -q .assets[].name | xargs --no-run-if-empty -L 1 gh release delete-asset auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
             gh release upload auto-iso ${{ steps.isogenerator.outputs.iso-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
           else
             gh release create auto-iso ${{ steps.isogenerator.outputs.iso-path }} -t ISO -n "This is an automatically generated ISO release." -R ${{ github.repository_owner }}/${{ github.event.repository.name }}

config/common_modules/scripts.yml

@@ -1,6 +1,4 @@
 type: script
 scripts:
   - signing.sh
-  - container-tools.sh
-  - udev-rules.sh
   - systemwide-themes.sh

config/files/usr/share/ublue-os/just/100-bling.just

@@ -0,0 +1,2 @@
+# this file is a placeholder,
+# making changes here is not supported

config/files/usr/share/ublue-os/just/60-custom.just

@@ -1,31 +1,17 @@
-
-# Install JetBrains Toolbox | https://www.jetbrains.com/toolbox-app/
-jetbrains-toolbox:
-  #!/usr/bin/env bash
-  @pushd "$(mktemp -d)"
-  @echo "Get latest JetBrains Toolbox version"
-  # Get the json with latest releases
-  curl -sSfL -o releases.json "https://data.services.jetbrains.com/products/releases?code=TBA&latest=true&type=release"
-  # Extract information
-  BUILD_VERSION=$(jq -r '.TBA[0].build' ./releases.json)
-  DOWNLOAD_LINK=$(jq -r '.TBA[0].downloads.linux.link' ./releases.json)
-  CHECKSUM_LINK=$(jq -r '.TBA[0].downloads.linux.checksumLink' ./releases.json)
-  @echo "Installing JetBrains Toolbox ${BUILD_VERSION}"
-  curl -sSfL -O "${DOWNLOAD_LINK}"
-  curl -sSfL "${CHECKSUM_LINK}" | sha256sum -c
-  tar zxf jetbrains-toolbox-"${BUILD_VERSION}".tar.gz
-  @echo "Launching JetBrains Toolbox"
-  ./jetbrains-toolbox-"${BUILD_VERSION}"/jetbrains-toolbox
+import '100-bling.just'
+# Include some of your custom scripts here!
 
 # Run the yafti setup tool
 yafti:
-  yafti /usr/share/ublue-os/firstboot/yafti.yml -f
-
-# Install mamba | https://github.com/conda-forge/miniforge
-mamba:
-  #!/usr/bin/env bash
-  pushd "$(mktemp -d)"
-  @echo "Get latest Miniforge3 version"
-  curl -L -O "https://github.com/conda-forge/miniforge/releases/latest/download/Miniforge3-$(uname)-$(uname -m).sh"
-  HOMEDIR=$( getent passwd "$USER" | cut -d: -f6 )
-  bash Miniforge3-$(uname)-$(uname -m).sh -b -p "${HOMEDIR}/mambaforge/"
+    yafti /usr/share/ublue-os/firstboot/yafti.yml -f
+
+
+# Install pdm (modern Python package and dependency manager) | https://pdm-project.org/latest/
+install-pdm:
+    #!/usr/bin/env bash
+    cd ~/Downloads || exit
+    curl -sSLO https://pdm-project.org/install-pdm.py
+    curl -sSL https://pdm-project.org/install-pdm.py.sha256 | sha256sum -c -
+    HOMEDIR=$( getent passwd "$USER" | cut -d: -f6 )
+    python3 install-pdm.py --path "${HOMEDIR}/pdm"
+    rm install-pdm.py

config/silverflow-nvidia-39.yml

@@ -8,7 +8,6 @@ is_stable_version: true
 modules:
   - from-file: common_modules/files.yml
   - from-file: common_modules/rpm-ostree.yml
-  - from-file: common_modules/kmods-installer.yml
   - from-file: common_modules/bling.yml
   - from-file: common_modules/fonts.yml
 

cosign.pub

@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXYzStePguRGhjLNuWA9i5YNlW6JN
-8l+feUSk8ItS8bbgpzaVexBEawOS+0td2YA2svct01p7LKWaggywLMFXBQ==
------END PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMHM7/qr9HTYvKHqBliMZsThvkiUE
+htJYXuleEJmQP7FJZWUd+Z6Eui+io/ZjV54jJSkg3r1eFap5tKwiuwTTmA==
+-----END PUBLIC KEY-----