chore: sync (#3)

* fix: accommodate new justfile organization

* fix: remove image-info.json from base image if it exists (#162)

* fix: remove image-info.json from base image if it exists

This just makes it so if the user forgets to run the signing script and somehow installs `ublue-update`, `ublue-update` won't try to rebase them to the base image they chose

* docs: clearer comment for image-info remove line

---------

Co-authored-by: xyny <[email protected]>

* chore(ci): Maximize build space (#165)

* docs: module working directory, style guides

* docs: how to refer to modules in module READMEs

* docs: chore: remove ":" from Example configuration
this change should be propagated to bling

* docs: grammar recommendations

* docs: correct title casing in style guide

* docs: yaml not yml, directions qualifier

* fix: ublue-update failure when signing image

* chore: rm deprecated fonts bling from recipe

* fix: specify image name in policy.json (#176)

There was talk on the discord about not being able to pull in images with podman because the signing policy included *every* image inside of the user's ghcr account. Which means that images not signed with the same key won't be able to be pulled down

* chore: update bling list (#181)

* chore: update bling list

* Review comments

* docs (README): run 'rpm-ostree rebase' without sudo (#183)

* build(deps): bump ASzc/change-string-case-action from 5 to 6 (#178)

Bumps [ASzc/change-string-case-action](https://github.com/aszc/change-string-case-action) from 5 to 6.
- [Release notes](https://github.com/aszc/change-string-case-action/releases)
- [Commits](ASzc/change-string-case-action@v5...v6)

---
updated-dependencies:
- dependency-name: ASzc/change-string-case-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump to Fedora 39 (#186)

* Bump release-iso workflow to Fedora 39

* Pin isogenerator version

It is recommended in order to avoid some unexpected changes to the maintainer.

* Update other recipe & containerfile to reflect Fedora 39 change

* chore(ci): Build at 16:30 UTC (#187)

Nvidia images are now being built at 15:30 UTC. Startingpoint images should be built one hour after that.

* build(deps): bump mikefarah/yq from 4.35.1 to 4.40.1 (#189)

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.35.1 to 4.40.1.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.35.1...v4.40.1)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 (#188)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@v3.1.2...v3.2.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump mikefarah/yq from 4.40.1 to 4.40.2 (#192)

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.1 to 4.40.2.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.40.1...v4.40.2)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: delete all previous ISOs when re-releasing (#185)

* fix: use -R flag to select repo on iso-deleting `gh` commands

* feat: add just syntax checker (#194)

* feat: add just syntax checker

* fix: create empty file to pass just syntax check

* fix: use relative path to pass just syntax check

* fix: justfiles cannot be empty to pass the syntax check

* fix: format justfiles

* docs: 100-bling.just explain purpose

---------

Co-authored-by: xyny <[email protected]>

* fix: typo (#199)

* build(deps): bump mikefarah/yq from 4.40.2 to 4.40.3 (#200)

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.2 to 4.40.3.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.40.2...v4.40.3)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix: release-iso.yml to not fail if no images are returned (#202)

Builds started failing once #195 was merged. This fixed the release-iso workflow for me.

* build(deps): bump mikefarah/yq from 4.40.3 to 4.40.4 (#201)

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.3 to 4.40.4.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.40.3...v4.40.4)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: do not format just files in CI (#205)

* feat: Check that cosign.pub matches private key (#193)

This avoids images which can't be updated due to `invalid signature`
errors because cosign.pub doesn't match the private key actually used
for signing. The error is caught early in the build process as there's
no point creating an image if cosign.pub is wrong.

Co-authored-by: mjs <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Kyle Gospodnetich <[email protected]>
Co-authored-by: gerblesh <[email protected]>
Co-authored-by: plata <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: fiftydinar <[email protected]>
Co-authored-by: Lordus Kordus <[email protected]>
Co-authored-by: RJ Trujillo <[email protected]>
Co-authored-by: ArtikusHG <[email protected]>
Co-authored-by: qoijjj <[email protected]>
Co-authored-by: David Personette <[email protected]>
Co-authored-by: Menno Finlay-Smits <[email protected]>
Co-authored-by: mjs <[email protected]>

.github/workflows/build.yml

@@ -1,13 +1,13 @@
-# This workflow builds every branch of the repository daily at 20:22 UTC, one hour after ublue-os/nvidia builds.
-# The images are also built after pushuing changes or pull requests.
+# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds.
+# The images are also built after pushing changes or pull requests.
 # The builds can also be triggered manually in the Actions tab thanks to workflow dispatch.
 # Only the branch called `live` is published.
 
 
 name: build-ublue
 on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
   schedule:
-    - cron: "20 22 * * *"
+    - cron: "30 16 * * *"
   push:
     branches:
       - live
@@ -43,12 +43,41 @@ jobs:
 # !!!
 
     steps:
+      - name: Maximize build space
+        uses: AdityaGarg8/remove-unwanted-software@v1
+        with:
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      # Confirm that cosign.pub matches SIGNING_SECRET
+      - uses: sigstore/[email protected]
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+
+      - name: Check SIGNING_SECRET matches cosign.pub
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PASSWORD: ""
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+        shell: bash
+        run: |
+          echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub"
+          delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub)
+          if [ -z "$delta" ]; then
+            echo "cosign.pub matches SIGNING_SECRET"
+          else
+            echo "cosign.pub does not match SIGNING_SECRET"
+            echo "$delta"
+            exit 1
+          fi
+
       - name: Add yq (for reading recipe.yml)
-        uses: mikefarah/yq@v4.35.1
+        uses: mikefarah/yq@v4.40.4
 
       - name: Gather image data from recipe
         run: |
@@ -119,13 +148,13 @@ jobs:
       # https://github.com/macbre/push-to-ghcr/issues/12
       - name: Lowercase Registry
         id: registry_case
-        uses: ASzc/change-string-case-action@v5
+        uses: ASzc/change-string-case-action@v6
         with:
           string: ${{ env.IMAGE_REGISTRY }}
 
       - name: Lowercase Image
         id: image_case
-        uses: ASzc/change-string-case-action@v5
+        uses: ASzc/change-string-case-action@v6
         with:
           string: ${{ env.IMAGE_NAME }}
 
@@ -173,9 +202,6 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
-      - uses: sigstore/[email protected]
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-
       - name: Sign container image
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
         run: |

.github/workflows/release-iso.yml

@@ -13,17 +13,17 @@ jobs:
     permissions:
       contents: write
     container: 
-      image: fedora:38
+      image: fedora:39
       options: --privileged
     steps:
       - uses: actions/checkout@v4
       - name: Generate ISO  
-        uses: ublue-os/isogenerator@main
+        uses: ublue-os/isogenerator@v2.2.0
         id: isogenerator
         with:
           image-name: ${{ github.event.repository.name }}
           installer-repo: releases
-          installer-major-version: 38
+          installer-major-version: 39
           boot-menu-path: boot_menu.yml
       - name: install github CLI
         run: |
@@ -35,6 +35,7 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
           if gh release list -R ${{ github.repository_owner }}/${{ github.event.repository.name }} | grep "auto-iso"; then
+            gh release view auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --json assets -q .assets[].name | xargs --no-run-if-empty -L 1 gh release delete-asset auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
             gh release upload auto-iso ${{ steps.isogenerator.outputs.iso-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
           else
             gh release create auto-iso ${{ steps.isogenerator.outputs.iso-path }} -t ISO -n "This is an automatically generated ISO release." -R ${{ github.repository_owner }}/${{ github.event.repository.name }}

Containerfile

@@ -9,7 +9,7 @@
 # does nothing if the image is built in the cloud.
 
 # !! Warning: changing these might not do anything for you. Read comment above.
-ARG IMAGE_MAJOR_VERSION=38
+ARG IMAGE_MAJOR_VERSION=39
 ARG BASE_IMAGE_URL=ghcr.io/ublue-os/silverblue-main
 
 FROM ${BASE_IMAGE_URL}:${IMAGE_MAJOR_VERSION}

build.sh

@@ -23,10 +23,11 @@ run_module() {
     MODULE="$1"
     TYPE=$(echo "$MODULE" | yq '.type')
     if [[ "$TYPE" != "null" ]]; then
+        cd "$CONFIG_DIRECTORY"
         # If type is found, that means that the module config
         # has been declared inline, and thus is safe to pass to the module
         echo "=== Launching module of type: $TYPE ==="
-            bash "$MODULE_DIRECTORY/$TYPE/$TYPE.sh" "$MODULE"
+        bash "$MODULE_DIRECTORY/$TYPE/$TYPE.sh" "$MODULE"
     else
         # If the type is not found, that means that the module config
         # is in a separate file, and has to be read from it
@@ -62,4 +63,12 @@ OS_VERSION="$(grep -Po '(?<=VERSION_ID=)\d+' /usr/lib/os-release)"
 # Welcome.
 echo "Building $IMAGE_NAME from $BASE_IMAGE:$OS_VERSION."
 
+# Remove old image-info.json from main image
+# (this file is added back by signing.sh, but shouldn't exist
+# with wrong details in an unsigned image)
+IMAGE_INFO="/usr/share/ublue-os/image-info.json"
+if [ -f "$IMAGE_INFO" ]; then
+    rm -v "$IMAGE_INFO"
+fi
+
 run_modules "$RECIPE_FILE"

config/files/usr/share/ublue-os/just/100-bling.just

@@ -0,0 +1,2 @@
+# this file is a placeholder,
+# making changes here is not supported

config/files/usr/share/ublue-os/just/60-custom.just

@@ -1,4 +1,4 @@
-!include /usr/share/ublue-os/just/100-bling.just
+!include 100-bling.just
 
 # Include some of your custom scripts here!
 

config/recipe.yml

@@ -61,14 +61,18 @@ modules:
 
   - type: bling # configure what to pull in from ublue-os/bling
     install:
-      - fonts # selection of common good free fonts
-      - justfiles # add "!include /usr/share/ublue-os/just/bling.just"
+      - justfiles # add "!include /usr/share/ublue-os/just/100-bling.just"
                   # in your custom.just (added by default) or local justfile
       - nix-installer # shell shortcuts for determinate system's nix installers
       - ublue-os-wallpapers
       # - ublue-update # https://github.com/ublue-os/ublue-update
+      # - 1password # install 1Password (stable) and `op` CLI tool
       # - dconf-update-service # a service unit that updates the dconf db on boot
       # - devpod # https://devpod.sh/ as an rpm
+      # - gnome-vrr # enables gnome-vrr for your image
+      # - container-tools # installs container-related tools onto /usr/bin: kind, kubectx, docker-compose and kubens
+      # - laptop # installs TLP and configures your system for laptop usage
+      # - flatpaksync # allows synchronization of user-installed flatpaks, see separate documentation section
 
 
   - type: yafti # if included, yafti and it's dependencies (pip & libadwaita)

config/scripts/signing.sh

@@ -11,7 +11,7 @@ cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$IMAGE_NAME".pub
 FILE=/usr/etc/containers/policy.json
 
 yq -i -o=j '.transports.docker |=
-    {"'"$IMAGE_REGISTRY"'": [
+    {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
             {
                 "type": "sigstoreSigned",
                 "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME"'.pub",
@@ -24,7 +24,7 @@ yq -i -o=j '.transports.docker |=
 + .' "$FILE"
 
 IMAGE_REF="ostree-image-signed:docker://$IMAGE_REGISTRY/$IMAGE_NAME"
-printf '{\n"image-ref": "'"$IMAGE_REF"'",\n"image-default-tag": "latest"\n}' > /usr/share/ublue-os/image-info.json
+printf '{\n"image-ref": "'"$IMAGE_REF"'",\n"image-tag": "latest"\n}' > /usr/share/ublue-os/image-info.json
 
 cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$IMAGE_NAME".yaml
 sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/"$IMAGE_NAME".yaml

modules/README.md

@@ -8,6 +8,8 @@ Modules get only the configuration options given to them in the recipe.yml, not
 
 Additionally, each module has access to four environment variables, `CONFIG_DIRECTORY` pointing to the Startingpoint directory in `/usr/share/ublue-os/`, `IMAGE_NAME` being the name of the image as declared in the recipe, `BASE_IMAGE` being the URL of the container image used as the base (FROM) in the image, and `OS_VERSION` being the `VERSION_ID` from `/usr/lib/os-release`.
 
+When running modules, the working directory is the `CONFIG_DIRECTORY`.
+
 A helper bash function called `get_yaml_array` is exported from the main build script.
 ```bash
 # "$1" is the first cli argument, being the module configuration.
@@ -22,4 +24,23 @@ All bash-based modules should start with the following lines to ensure the image
 ```bash
 #!/usr/bin/env bash
 set -oue pipefail
-```
+```
+
+## Style directions for official modules
+
+These are general directions for writing official modules and their documentation to follow to keep a consistent style. Not all of these are to be mindlessly followed, especially the ones about grammar and writing style. It's good to keep these in mind if you intend to contribute back upstream, though, so that your module doesn't feel out of place.
+
+### Bash
+
+- Start with `#!/usr/bin/env bash` and `set -oue pipefail`
+- Don't print "===", this is only for encapsulating the output of _different_ modules in `build.sh`
+- Print something on each step and on errors for easier debugging
+- Use CAPITALIZED names for variables that are read from the configuration
+
+### README
+
+- Title should be "`type` Module for Startingpoint", where the name/type of the module is a noun that shows the module's purpose
+- There should be a subtitle "Example configuration", under which there should be a loosely documented yaml block showcasing each of the module's configuration options
+    - For a YAML block, specify the language as "yaml", not "yml" (MkDocs only supports "yaml")
+- At the start of each paragraph, refer to the module using its name or with "the module", not "it" or "the script"
+- Use passive grammar when talking about the user, ie. "should be used", "can be configured", preferring references to what the module does, ie. "This module downloads the answer to the question of life, the universe and everything..."