chore: sync

.github/workflows/build.yml

@@ -1,13 +1,13 @@
-# This workflow builds every branch of the repository daily at 20:22 UTC, one hour after ublue-os/nvidia builds.
-# The images are also built after pushuing changes or pull requests.
+# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds.
+# The images are also built after pushing changes or pull requests.
 # The builds can also be triggered manually in the Actions tab thanks to workflow dispatch.
 # Only the branch called `live` is published.
 
 
 name: build-ublue
 on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
   schedule:
-    - cron: "20 22 * * *"
+    - cron: "30 16 * * *"
   push:
     branches:
       - live
@@ -43,12 +43,41 @@ jobs:
 # !!!
 
     steps:
+      - name: Maximize build space
+        uses: AdityaGarg8/remove-unwanted-software@v1
+        with:
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      # Confirm that cosign.pub matches SIGNING_SECRET
+      - uses: sigstore/[email protected]
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+
+      - name: Check SIGNING_SECRET matches cosign.pub
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PASSWORD: ""
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+        shell: bash
+        run: |
+          echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub"
+          delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub)
+          if [ -z "$delta" ]; then
+            echo "cosign.pub matches SIGNING_SECRET"
+          else
+            echo "cosign.pub does not match SIGNING_SECRET"
+            echo "$delta"
+            exit 1
+          fi
+
       - name: Add yq (for reading recipe.yml)
-        uses: mikefarah/yq@v4.35.1
+        uses: mikefarah/yq@v4.40.4
 
       - name: Gather image data from recipe
         run: |
@@ -119,13 +148,13 @@ jobs:
       # https://github.com/macbre/push-to-ghcr/issues/12
       - name: Lowercase Registry
         id: registry_case
-        uses: ASzc/change-string-case-action@v5
+        uses: ASzc/change-string-case-action@v6
         with:
           string: ${{ env.IMAGE_REGISTRY }}
 
       - name: Lowercase Image
         id: image_case
-        uses: ASzc/change-string-case-action@v5
+        uses: ASzc/change-string-case-action@v6
         with:
           string: ${{ env.IMAGE_NAME }}
 
@@ -173,9 +202,6 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
-      - uses: sigstore/[email protected]
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-
       - name: Sign container image
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
         run: |

.github/workflows/release-iso.yml

@@ -13,17 +13,17 @@ jobs:
     permissions:
       contents: write
     container: 
-      image: fedora:38
+      image: fedora:39
       options: --privileged
     steps:
       - uses: actions/checkout@v4
       - name: Generate ISO  
-        uses: ublue-os/isogenerator@main
+        uses: ublue-os/isogenerator@v2.2.0
         id: isogenerator
         with:
           image-name: ${{ github.event.repository.name }}
           installer-repo: releases
-          installer-major-version: 38
+          installer-major-version: 39
           boot-menu-path: boot_menu.yml
       - name: install github CLI
         run: |
@@ -35,6 +35,7 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
           if gh release list -R ${{ github.repository_owner }}/${{ github.event.repository.name }} | grep "auto-iso"; then
+            gh release view auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --json assets -q .assets[].name | xargs --no-run-if-empty -L 1 gh release delete-asset auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
             gh release upload auto-iso ${{ steps.isogenerator.outputs.iso-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
           else
             gh release create auto-iso ${{ steps.isogenerator.outputs.iso-path }} -t ISO -n "This is an automatically generated ISO release." -R ${{ github.repository_owner }}/${{ github.event.repository.name }}

Containerfile

@@ -9,7 +9,7 @@
 # does nothing if the image is built in the cloud.
 
 # !! Warning: changing these might not do anything for you. Read comment above.
-ARG IMAGE_MAJOR_VERSION=38
+ARG IMAGE_MAJOR_VERSION=39
 ARG BASE_IMAGE_URL=ghcr.io/ublue-os/silverblue-main
 
 FROM ${BASE_IMAGE_URL}:${IMAGE_MAJOR_VERSION}

build.sh

@@ -23,10 +23,11 @@ run_module() {
     MODULE="$1"
     TYPE=$(echo "$MODULE" | yq '.type')
     if [[ "$TYPE" != "null" ]]; then
+        cd "$CONFIG_DIRECTORY"
         # If type is found, that means that the module config
         # has been declared inline, and thus is safe to pass to the module
         echo "=== Launching module of type: $TYPE ==="
-            bash "$MODULE_DIRECTORY/$TYPE/$TYPE.sh" "$MODULE"
+        bash "$MODULE_DIRECTORY/$TYPE/$TYPE.sh" "$MODULE"
     else
         # If the type is not found, that means that the module config
         # is in a separate file, and has to be read from it
@@ -62,4 +63,12 @@ OS_VERSION="$(grep -Po '(?<=VERSION_ID=)\d+' /usr/lib/os-release)"
 # Welcome.
 echo "Building $IMAGE_NAME from $BASE_IMAGE:$OS_VERSION."
 
+# Remove old image-info.json from main image
+# (this file is added back by signing.sh, but shouldn't exist
+# with wrong details in an unsigned image)
+IMAGE_INFO="/usr/share/ublue-os/image-info.json"
+if [ -f "$IMAGE_INFO" ]; then
+    rm -v "$IMAGE_INFO"
+fi
+
 run_modules "$RECIPE_FILE"

config/files/usr/share/ublue-os/just/100-bling.just

@@ -0,0 +1,2 @@
+# this file is a placeholder,
+# making changes here is not supported

config/files/usr/share/ublue-os/just/60-custom.just

@@ -1,4 +1,4 @@
-!include /usr/share/ublue-os/just/100-bling.just
+!include 100-bling.just
 
 # Include some of your custom scripts here!
 

config/recipe.yml

@@ -61,14 +61,18 @@ modules:
 
   - type: bling # configure what to pull in from ublue-os/bling
     install:
-      - fonts # selection of common good free fonts
-      - justfiles # add "!include /usr/share/ublue-os/just/bling.just"
+      - justfiles # add "!include /usr/share/ublue-os/just/100-bling.just"
                   # in your custom.just (added by default) or local justfile
       - nix-installer # shell shortcuts for determinate system's nix installers
       - ublue-os-wallpapers
       # - ublue-update # https://github.com/ublue-os/ublue-update
+      # - 1password # install 1Password (stable) and `op` CLI tool
       # - dconf-update-service # a service unit that updates the dconf db on boot
       # - devpod # https://devpod.sh/ as an rpm
+      # - gnome-vrr # enables gnome-vrr for your image
+      # - container-tools # installs container-related tools onto /usr/bin: kind, kubectx, docker-compose and kubens
+      # - laptop # installs TLP and configures your system for laptop usage
+      # - flatpaksync # allows synchronization of user-installed flatpaks, see separate documentation section
 
 
   - type: yafti # if included, yafti and it's dependencies (pip & libadwaita)

config/scripts/signing.sh

@@ -11,7 +11,7 @@ cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$IMAGE_NAME".pub
 FILE=/usr/etc/containers/policy.json
 
 yq -i -o=j '.transports.docker |=
-    {"'"$IMAGE_REGISTRY"'": [
+    {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
             {
                 "type": "sigstoreSigned",
                 "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME"'.pub",
@@ -24,7 +24,7 @@ yq -i -o=j '.transports.docker |=
 + .' "$FILE"
 
 IMAGE_REF="ostree-image-signed:docker://$IMAGE_REGISTRY/$IMAGE_NAME"
-printf '{\n"image-ref": "'"$IMAGE_REF"'",\n"image-default-tag": "latest"\n}' > /usr/share/ublue-os/image-info.json
+printf '{\n"image-ref": "'"$IMAGE_REF"'",\n"image-tag": "latest"\n}' > /usr/share/ublue-os/image-info.json
 
 cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$IMAGE_NAME".yaml
 sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/"$IMAGE_NAME".yaml

modules/README.md

@@ -8,6 +8,8 @@ Modules get only the configuration options given to them in the recipe.yml, not
 
 Additionally, each module has access to four environment variables, `CONFIG_DIRECTORY` pointing to the Startingpoint directory in `/usr/share/ublue-os/`, `IMAGE_NAME` being the name of the image as declared in the recipe, `BASE_IMAGE` being the URL of the container image used as the base (FROM) in the image, and `OS_VERSION` being the `VERSION_ID` from `/usr/lib/os-release`.
 
+When running modules, the working directory is the `CONFIG_DIRECTORY`.
+
 A helper bash function called `get_yaml_array` is exported from the main build script.
 ```bash
 # "$1" is the first cli argument, being the module configuration.
@@ -22,4 +24,23 @@ All bash-based modules should start with the following lines to ensure the image
 ```bash
 #!/usr/bin/env bash
 set -oue pipefail
-```
+```
+
+## Style directions for official modules
+
+These are general directions for writing official modules and their documentation to follow to keep a consistent style. Not all of these are to be mindlessly followed, especially the ones about grammar and writing style. It's good to keep these in mind if you intend to contribute back upstream, though, so that your module doesn't feel out of place.
+
+### Bash
+
+- Start with `#!/usr/bin/env bash` and `set -oue pipefail`
+- Don't print "===", this is only for encapsulating the output of _different_ modules in `build.sh`
+- Print something on each step and on errors for easier debugging
+- Use CAPITALIZED names for variables that are read from the configuration
+
+### README
+
+- Title should be "`type` Module for Startingpoint", where the name/type of the module is a noun that shows the module's purpose
+- There should be a subtitle "Example configuration", under which there should be a loosely documented yaml block showcasing each of the module's configuration options
+    - For a YAML block, specify the language as "yaml", not "yml" (MkDocs only supports "yaml")
+- At the start of each paragraph, refer to the module using its name or with "the module", not "it" or "the script"
+- Use passive grammar when talking about the user, ie. "should be used", "can be configured", preferring references to what the module does, ie. "This module downloads the answer to the question of life, the universe and everything..."