Add Fedora Kinoite with Calamares for first boot

The same logic will be used to produce the Asahi remix images.
travier · Jun 4, 2024 · 1c22bda · 1c22bda
1 parent 2cd1eca
commit 1c22bda
Show file tree

Hide file tree

Showing 4 changed files with 159 additions and 0 deletions.
diff --git a/.github/workflows/fedora-kinoite-calamares.yml b/.github/workflows/fedora-kinoite-calamares.yml
@@ -0,0 +1,111 @@
+name: "Build Fedora Kinoite Calamares image"
+
+env:
+  NAME: "fedora-kinoite-calamares"
+  REGISTRY: "quay.io/travier"
+  BASEIMAGE: "quay.io/fedora-ostree-desktops/kinoite:rawhide"
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'fedora-kinoite-calamares/**'
+      - '.github/workflows/fedora-kinoite-calamares.yml'
+  push:
+    branches:
+      - main
+    paths:
+      - 'fedora-kinoite-calamares/**'
+      - '.github/workflows/fedora-kinoite-calamares.yml'
+  # schedule:
+  #   - cron: '0 4 * * *'
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Override version label (org.opencontainers.image.version)'
+        required: false
+        default: ''
+
+permissions: read-all
+
+# Prevent multiple workflow runs from racing to ensure that pushes are made
+# sequentialy for the main branch. Also cancel in progress workflow runs for
+# pull requests only.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  build-push-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Figure out version
+        id: version
+        run: |
+          set -ex
+          if [[ -n ${VERSION} ]]; then
+            version="${VERSION}"
+          else
+            version_base="$(skopeo inspect docker://${BASEIMAGE} | jq -r '.Labels."org.opencontainers.image.version"')"
+            version_derived="$(skopeo inspect docker://${REGISTRY}/${NAME} | jq -r '.Labels."org.opencontainers.image.version"')"
+            if [[ -z "${version_derived}" ]]; then
+              version="${version_base}"
+            else
+              if [[ "${version_base}" == "${version_derived}" ]]; then
+                patch="${version_base##*\.}"
+                ((patch++)) || true
+                version="${version_base%\.*}.${patch}"
+              else
+                version="${version_base}"
+              fi
+            fi
+          fi
+          echo "Using version: ${version}"
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+        env:
+          VERSION: ${{ inputs.version }}
+
+      - name: Build container image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: ${{ env.NAME }}
+          tags: latest
+          containerfiles: ${{ env.NAME }}/Containerfile
+          context: ${{ env.NAME }}
+          layers: false
+          oci: true
+          labels: org.opencontainers.image.version=${{ steps.version.outputs.version }}
+
+      - name: Push to Container Registry
+        uses: redhat-actions/push-to-registry@v2
+        id: push
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
+        with:
+          username: ${{ secrets.BOT_USERNAME }}
+          password: ${{ secrets.BOT_SECRET }}
+          image: ${{ env.NAME }}
+          registry: ${{ env.REGISTRY }}
+          tags: latest
+
+      - name: Login to Container Registry
+        uses: redhat-actions/podman-login@v1
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.BOT_USERNAME }}
+          password: ${{ secrets.BOT_SECRET }}
+
+      - uses: sigstore/[email protected]
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
+
+      - name: Sign container image
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
+        run: |
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.NAME }}@${{ steps.push.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/fedora-kinoite-calamares/Containerfile b/fedora-kinoite-calamares/Containerfile
@@ -0,0 +1,18 @@
+# Location not final and subject to change!
+FROM quay.io/fedora-ostree-desktops/kinoite:40
+
+LABEL org.opencontainers.image.title="Fedora Kinoite Calamares"
+LABEL org.opencontainers.image.description="Fedora Kinoite Calamares (First Boot)"
+LABEL org.opencontainers.image.source="https://github.com/travier/fedora-kinoite"
+LABEL org.opencontainers.image.licenses="MIT"
+LABEL quay.expires-after=""
+
+ADD group_asahi-fedora-remix-scripts.repo /etc/yum.repos.d/
+ADD group_asahi-fedora-remix-scripts.gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-group_asahi-fedora-remix-scripts
+
+RUN rpm-ostree install \
+        calamares-firstboot-config
+    && \
+    systemctl enable calamares-firstboot.service \
+    && \
+    ostree container commit
diff --git a/fedora-kinoite-calamares/group_asahi-fedora-remix-scripts.gpg b/fedora-kinoite-calamares/group_asahi-fedora-remix-scripts.gpg
@@ -0,0 +1,19 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBGT3QxgBCADY3oDVLpYDZ/Q2Fv6YSS6vygXBa2HIZE3jTft93ctKf+xjshJ7
+cmH2kfAeyjQmHEaz10zdef+ooYfBFKlW7jm7cPCm+xrnn0HE2Vp8bE3WmUbf/sp2
+1SOoypPwvMmlvbkibUZYay/uRaT7NAK2yhZAYxh8jiND0r1D2L10ZvtU9FUwt4Cp
+m5wGRa04cjE5UrOVJbsLokigawftde6zhegUQbqVUv3lrRRGWQcPTQX8tdzryRRZ
+qg+0svfDTNQzf2CEYUYmu+AutphH7yY5d0eBktHqesStRus6Ug1bSfmIoklXeGD9
+9o6sqgbgF2sJFLFPkOpXoZ9xfDPfRlVlrkJFABEBAAG0VkBhc2FoaV9mZWRvcmEt
+cmVtaXgtc2NyaXB0cyAoTm9uZSkgPEBhc2FoaSNmZWRvcmEtcmVtaXgtc2NyaXB0
+c0Bjb3ByLmZlZG9yYWhvc3RlZC5vcmc+iQFXBBMBCABBFiEEswf6Oj1BnTvCXSio
+IkDK2j2nNjcFAmT3QxgCGy8FCQlmAYAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcC
+F4AACgkQIkDK2j2nNjceRAgApidmxhwrYVHKD+beQV1nRX/4vuN4bDGcCVz31CA0
+oEqZLoQ1D+N/C+makhVg3y+SMBgsKUigBaETrZZThSFlp0ZOcrlbKVKHCmz6Mt4M
+DKf35g1qaIrz9fgs9TLGk7c+gJM5pNEuk2xus0E4ueTpHM054jYAUoLDH+Dm4NFy
+Qk4KKFiG73KpK8nLSq+Z1/FqUpYYnIaLcujc0jyZMiIPR1teeHvRYAKWuj+IxakJ
+grjrBFNmx0FzE6YKcTfEZIBU8+oM4DXjVdMPwK09iIPUu1i/xHLl4ulcPwlpLf4I
+STxCLDLpBMpBJRxCNviFe8NPK5J2Q9UXqA6+lyj4n1w+Ag==
+=Cehw
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/fedora-kinoite-calamares/group_asahi-fedora-remix-scripts.repo b/fedora-kinoite-calamares/group_asahi-fedora-remix-scripts.repo
@@ -0,0 +1,11 @@
+[copr:copr.fedorainfracloud.org:group_asahi:fedora-remix-scripts]
+name=Copr repo for fedora-remix-scripts owned by @asahi
+baseurl=https://download.copr.fedorainfracloud.org/results/@asahi/fedora-remix-scripts/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=False
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-group_asahi-fedora-remix-scripts
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
+priority=5