
more firefox deenshittification #218




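---
# Builds the Filotimo OCI image for each flavor in the matrix, rechunks it
# and, outside pull requests, pushes the result to GHCR and signs it.
#
# Supply-chain note: every third-party action below is pinned to a tag or
# major version. Tags can be moved by the upstream owner; pinning each
# `uses:` to a full commit SHA (with the tag kept in a trailing comment)
# makes the pipeline reproducible and resistant to upstream tag tampering.
# Several action refs on this page were mangled by extraction into the form
# "[email protected]"; restore them from the repository before relying
# on this file.
name: Build Filotimo OCI Image

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
  schedule:
    - cron: '5 6 */2 * *'
  push:
    branches:
      - main
    paths-ignore:
      - '**/README.md'
  workflow_dispatch:
    inputs:
      fresh-rechunk:
        description: 'Clear rechunk history'
        type: boolean
        default: false

# Workflow-level env is exported into every step's shell environment, so
# `run:` scripts below read these as plain shell variables instead of
# re-expanding them with ${{ env.* }}.
env:
  IMAGE_DESC: "Filotimo Linux OCI Image"
  IMAGE_TAG: "latest"
  IMAGE_ARCH: "x86_64"
  MAJOR_VERSION: "41"
  IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit
  KERNEL_FLAVOR: "bazzite"

jobs:
  build_push:
    name: Build and push image
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write
      # NOTE(review): id-token: write is only needed for keyless (OIDC)
      # signing. The sign step below passes a stored signing secret, so
      # confirm the cosign action actually uses OIDC before keeping this.
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        image_flavor:
          - main
          - nvidia

    steps:
      # Checkout push-to-registry action GitHub repository
      - name: Checkout Push to Registry action
        uses: actions/checkout@v4

      - name: Maximize build space
        uses: ublue-os/remove-unwanted-software@v7

      # Derive IMAGE_NAME from the repository name and the matrix flavor;
      # the "main" flavor is the unsuffixed image.
      - name: Matrix Variables
        shell: bash
        env:
          IMAGE_FLAVOR: ${{ matrix.image_flavor }}
          REPO_NAME: ${{ github.event.repository.name }}
        run: |
          if [ "$IMAGE_FLAVOR" = "nvidia" ]; then
            echo "IMAGE_NAME=${REPO_NAME}-${IMAGE_FLAVOR}" >> "$GITHUB_ENV"
          elif [ "$IMAGE_FLAVOR" = "main" ]; then
            echo "IMAGE_NAME=${REPO_NAME}" >> "$GITHUB_ENV"
          fi

      # Read the OCI version label of the upstream base image; it becomes
      # org.opencontainers.image.version on the built image.
      - name: Get Current Fedora Version
        id: labels
        shell: bash
        run: |
          set -eo pipefail
          ver=$(skopeo inspect "docker://ghcr.io/ublue-os/kinoite-main:${MAJOR_VERSION}" | jq -r '.Labels["org.opencontainers.image.version"]')
          if [ -z "$ver" ] || [ "null" = "$ver" ]; then
            echo "inspected image version must not be empty or null"
            exit 1
          fi
          echo "VERSION=$ver" >> "$GITHUB_OUTPUT"

      - name: Check just syntax
        uses: ublue-os/just-action@v2

      # Build metadata
      - name: Image Metadata
        uses: docker/metadata-action@v5
        id: meta
        with:
          images: |
            ${{ env.IMAGE_NAME }}
          labels: |
            io.artifacthub.package.logo-url=https://raw.githubusercontent.com/filotimo-project/branding/main/icon.png
            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
            org.opencontainers.image.description=${{ env.IMAGE_DESC }}
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.licenses=Apache-2.0
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.source=https://github.com/filotimo-project
            org.opencontainers.image.vendor=Filotimo Project

      # Pick the newest kernel version that the kernel repo and all three
      # akmods repos publish for this Fedora major version.
      - name: Get Kernel Version
        id: kernel
        shell: bash
        run: |
          # pipefail must be enabled with -o; "set -xeu pipefail" only sets
          # the positional parameters to "pipefail" and leaves pipeline
          # failures unchecked.
          set -xeuo pipefail
          FEDORA_MAJOR_VERSION="${MAJOR_VERSION}"
          KERNEL_REPO="${KERNEL_FLAVOR}-kernel"
          REPOS=("${KERNEL_REPO}" "akmods" "akmods-extra" "akmods-nvidia")
          declare -A repo_tags
          # List the tags of one ublue-os repo that match this Fedora major
          # version. The kernel repo omits the flavor prefix in its tags.
          get_tags() {
            local repo=$1
            if [[ "$repo" == "${KERNEL_REPO}" ]]; then
              skopeo list-tags "docker://ghcr.io/ublue-os/${repo}" | jq -r '.Tags[]' \
                | grep "^${FEDORA_MAJOR_VERSION}-[0-9]\+\.[0-9]\+\.[0-9]\+-[0-9]\+\..*\.fc${FEDORA_MAJOR_VERSION}\.x86_64"
            else
              skopeo list-tags "docker://ghcr.io/ublue-os/${repo}" | jq -r '.Tags[]' \
                | grep "^${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION}-[0-9]\+\.[0-9]\+\.[0-9]\+-[0-9]\+\..*\.fc${FEDORA_MAJOR_VERSION}\.x86_64"
            fi
          }
          for repo in "${REPOS[@]}"; do
            tags=$(get_tags "$repo")
            repo_tags[$repo]="$tags"
          done
          # "<major>-<kver>-<rel>.fc<major>.x86_64" -> "<kver>-<rel>.fc<major>.x86_64"
          extract_full_version() {
            echo "$1" | cut -d'-' -f2,3
          }
          # Keep only the kernel versions that every akmods repo also has.
          common_versions=($(echo "${repo_tags[${KERNEL_REPO}]}" | while read -r tag; do
            full_version=$(extract_full_version "$tag")
            if grep -q "$full_version" <<< "${repo_tags[akmods]}" && \
               grep -q "$full_version" <<< "${repo_tags[akmods-extra]}" && \
               grep -q "$full_version" <<< "${repo_tags[akmods-nvidia]}"; then
              echo "$full_version"
            fi
          done | sort -V))
          # Index -1 on an empty array is a bash error, so check the length
          # first and fail with a message that names what was searched.
          if [ "${#common_versions[@]}" -gt 0 ] && [ -n "${common_versions[-1]}" ]; then
            echo "KERNEL=${common_versions[-1]}" >> "$GITHUB_OUTPUT"
          else
            echo "no kernel version is published by all of: ${REPOS[*]}"
            exit 1
          fi

      # NOTE(review): action ref mangled by extraction ("[email protected]");
      # restore the real owner/name@ref from the repository.
      - name: Pull main, akmods, rechunk images
        uses: Wandalen/[email protected]
        with:
          attempt_limit: 3
          attempt_delay: 15000
          command: |
            # pull the base images used for FROM in Containerfile so
            # we can retry on that unfortunately common failure case
            sudo podman pull docker://ghcr.io/ublue-os/kinoite-main:${{ env.MAJOR_VERSION }}
            sudo podman pull docker://ghcr.io/ublue-os/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.MAJOR_VERSION }}-${{ steps.kernel.outputs.KERNEL }}
            sudo podman pull docker://ghcr.io/ublue-os/akmods-extra:${{ env.KERNEL_FLAVOR }}-${{ env.MAJOR_VERSION }}-${{ steps.kernel.outputs.KERNEL }}
            # Add rechunk as well to remove this source of failure
            sudo podman pull ghcr.io/hhd-dev/rechunk:v0.8.3

      # Runs before the build so that TIMESTAMP_TAG is already in GITHUB_ENV
      # when it is passed as a build-arg; it depends only on the event
      # payload and the commit SHA.
      - name: Generate tags
        id: generate-tags
        shell: bash
        env:
          PR_NUMBER: ${{ github.event.number }}
        run: |
          # Generate a timestamp for creating an image version history
          TIMESTAMP="$(date +%Y%m%d)"
          COMMIT_TAGS=()
          BUILD_TAGS=()
          # Have tags for tracking builds during pull request
          SHA_SHORT="${GITHUB_SHA::7}"
          COMMIT_TAGS+=("pr-${PR_NUMBER}")
          COMMIT_TAGS+=("${SHA_SHORT}")
          # The dated tag keeps a version history; "latest" is the moving tag
          BUILD_TAGS+=("${TIMESTAMP}")
          BUILD_TAGS+=("latest")
          if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
            echo "Generated the following commit tags: "
            for TAG in "${COMMIT_TAGS[@]}"; do
              echo "${TAG}"
            done
            alias_tags=("${COMMIT_TAGS[@]}")
          else
            alias_tags=("${BUILD_TAGS[@]}")
          fi
          echo "Generated the following build tags: "
          for TAG in "${BUILD_TAGS[@]}"; do
            echo "${TAG}"
          done
          echo "alias_tags=${alias_tags[*]}" >> "$GITHUB_OUTPUT"
          echo "TIMESTAMP_TAG=$TIMESTAMP" >> "$GITHUB_ENV"

      # Shell variables are expanded by the runner's bash before sudo runs,
      # so sudo's environment reset does not affect the build-args.
      - name: Build Image
        id: build_image
        shell: bash
        env:
          KERNEL_VERSION: ${{ steps.kernel.outputs.KERNEL }}
        run: |
          sudo buildah build \
            --build-arg IMAGE_NAME="${IMAGE_NAME}" \
            --build-arg IMAGE_TAG="${IMAGE_TAG}" \
            --build-arg KERNEL_VERSION="${KERNEL_VERSION}" \
            --build-arg FEDORA_MAJOR_VERSION="${MAJOR_VERSION}" \
            --build-arg TIMESTAMP_TAG="${TIMESTAMP_TAG}" \
            --target "${IMAGE_NAME}" \
            --tag raw-img .

      - name: Remove auxiliary images
        # We are tight on space, need at least 2x for OSTree
        shell: bash
        env:
          KERNEL_VERSION: ${{ steps.kernel.outputs.KERNEL }}
        run: |
          sudo podman image rm "ghcr.io/ublue-os/kinoite-main:${MAJOR_VERSION}"
          sudo podman image rm "ghcr.io/ublue-os/akmods:${KERNEL_FLAVOR}-${MAJOR_VERSION}-${KERNEL_VERSION}"
          sudo podman image rm "ghcr.io/ublue-os/akmods-extra:${KERNEL_FLAVOR}-${MAJOR_VERSION}-${KERNEL_VERSION}"

      # Generate the previous image reference used by the Rechunker
      - name: Generate previous reference
        id: generate-prev-ref
        shell: bash
        env:
          FRESH_RECHUNK: ${{ github.event.inputs.fresh-rechunk }}
        run: |
          # Empty ref disables delta against the previous image (fresh history)
          if [ "$FRESH_RECHUNK" == "true" ]; then
            IMAGEREF=""
          else
            IMAGEREF="${IMAGE_REGISTRY}/${IMAGE_NAME}:latest"
          fi
          echo "ref=${IMAGEREF}" >> "$GITHUB_OUTPUT"
          echo "Generated the following:"
          cat "$GITHUB_OUTPUT"

      # Reprocess raw-img using rechunker which will delete it
      # NOTE(review): action ref mangled by extraction ("[email protected]");
      # restore the real owner/name@ref from the repository.
      - name: Run Rechunker
        id: rechunk
        uses: hhd-dev/[email protected]
        with:
          rechunk: 'ghcr.io/hhd-dev/rechunk:v0.8.3'
          ref: 'raw-img'
          prev-ref: '${{ steps.generate-prev-ref.outputs.ref }}'
          version: '${{ env.TIMESTAMP_TAG }}'
          labels: |
            io.artifacthub.package.logo-url=https://raw.githubusercontent.com/filotimo-project/branding/main/icon.png
            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
            org.opencontainers.image.description=${{ env.IMAGE_DESC }}
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.licenses=Apache-2.0
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.source=https://github.com/filotimo-project
            org.opencontainers.image.vendor=Filotimo Project

      # Outputs of third-party actions are passed through env rather than
      # expanded inline into the script: an inline ${{ }} is substituted
      # before bash parses the line, so any shell metacharacters in the value
      # would be executed; an env var is only ever data.
      - name: Load in podman and tag
        shell: bash
        env:
          RECHUNK_REF: ${{ steps.rechunk.outputs.ref }}
          RECHUNK_OUTPUT: ${{ steps.rechunk.outputs.output }}
          ALIAS_TAGS: ${{ steps.generate-tags.outputs.alias_tags }}
        run: |
          IMAGE=$(podman pull "$RECHUNK_REF")
          sudo rm -rf "$RECHUNK_OUTPUT"
          for tag in $ALIAS_TAGS; do
            podman tag "$IMAGE" "${IMAGE_NAME}:${tag}"
          done
          # keep for secureboot check TODO
          # podman tag $IMAGE rechunked-img

      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
      # https://github.com/macbre/push-to-ghcr/issues/12
      - name: Lowercase Registry
        id: registry_case
        uses: ASzc/change-string-case-action@v6
        with:
          string: ${{ env.IMAGE_REGISTRY }}

      # NOTE(review): this login also runs for pull_request events, although
      # nothing is pushed there; gating it like the push step would keep the
      # token out of PR runs entirely if no private pull depends on it.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): action ref mangled by extraction ("[email protected]");
      # restore the real owner/name@ref from the repository.
      - name: Push Image to GHCR
        uses: Wandalen/[email protected]
        id: push
        if: github.event_name != 'pull_request'
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ github.token }}
        with:
          action: redhat-actions/push-to-registry@v2
          attempt_limit: 3
          attempt_delay: 15000
          with: |
            image: ${{ env.IMAGE_NAME }}
            tags: ${{ steps.generate-tags.outputs.alias_tags }}
            registry: ${{ steps.registry_case.outputs.lowercase }}
            username: ${{ env.REGISTRY_USER }}
            password: ${{ env.REGISTRY_PASSWORD }}
            extra-args: |
              --compression-format=zstd:chunked

      # Signs by digest, not by tag, so a later tag move cannot re-use the
      # signature for a different image.
      # NOTE(review): action ref mangled by extraction ("[email protected]");
      # restore the real owner/name@ref from the repository.
      - name: Sign container image
        uses: EyeCantCU/cosign-action/[email protected]
        if: github.event_name != 'pull_request'
        with:
          containers: ${{ env.IMAGE_NAME }}
          registry: ${{ steps.registry_case.outputs.lowercase }}
          registry-token: ${{ secrets.GITHUB_TOKEN }}
          signing-secret: ${{ secrets.SIGNING_SECRET }}
          tags: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}

      # The JSON contains double quotes; expanding it inline inside echo "..."
      # would terminate the shell string, so it is passed through env.
      - name: Echo outputs
        if: github.event_name != 'pull_request'
        shell: bash
        env:
          PUSH_OUTPUTS: ${{ toJSON(steps.push.outputs) }}
        run: |
          echo "$PUSH_OUTPUTS"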