From 77b4ce071a52581c4ebb2df6e698d7f9b3f1f2be Mon Sep 17 00:00:00 2001 From: Tulip Blossom Date: Wed, 18 Dec 2024 00:52:28 -0300 Subject: [PATCH] feat: initial work for building (based on image-template) --- .github/dependabot.yml | 11 +++ .github/workflows/build.yml | 157 ++++++++++++++++++++++++++++++++++++ .gitignore | 1 + Containerfile | 12 +++ Justfile | 99 +++++++++++++++++++++++ README.md | 5 +- build.sh | 8 ++ 7 files changed, 291 insertions(+), 2 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/build.yml create mode 100644 .gitignore create mode 100644 Containerfile create mode 100644 Justfile create mode 100755 build.sh diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..92c44a8 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..1cc24e4 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,157 @@ +--- +name: build-centos-image +on: + pull_request: + branches: + - main + schedule: + - cron: '05 10 * * *' # 10:05am UTC everyday + push: + branches: + - main + paths-ignore: + - '**/README.md' + workflow_dispatch: + +env: + MY_IMAGE_NAME: "${{ github.event.repository.name }}" + MY_IMAGE_DESC: "CentOS Stream-based images" + IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} + cancel-in-progress: true + +jobs: + build_push: + name: Build and push image + runs-on: ubuntu-24.04 + + permissions: + contents: read + packages: write + id-token: write + + steps: + # Checkout push-to-registry action GitHub repository + - name: Checkout Push to Registry action + uses: actions/checkout@v4 + + - name: Maximize build space + uses: ublue-os/remove-unwanted-software@v7 + + - name: Generate tags + id: generate-tags + shell: bash + run: | + # Generate a timestamp for creating an image version history + TIMESTAMP="$(date +%Y%m%d)" + COMMIT_TAGS=() + BUILD_TAGS=() + + # Have tags for tracking builds during pull request + SHA_SHORT="${GITHUB_SHA::7}" + COMMIT_TAGS+=("pr-${{ github.event.number }}") + COMMIT_TAGS+=("${SHA_SHORT}") + + # Append matching timestamp tags to keep a version history + for TAG in "${BUILD_TAGS[@]}"; do + BUILD_TAGS+=("${TAG}-${TIMESTAMP}") + done + + BUILD_TAGS+=("${TIMESTAMP}") + BUILD_TAGS+=("latest") + + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + echo "Generated the following commit tags: " + for TAG in "${COMMIT_TAGS[@]}"; do + echo "${TAG}" + done + + alias_tags=("${COMMIT_TAGS[@]}") + else + alias_tags=("${BUILD_TAGS[@]}") + fi + + echo "Generated the following build tags: " + for TAG in "${BUILD_TAGS[@]}"; do + echo "${TAG}" + done + + echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT + + # Build metadata + - name: Image Metadata + uses: docker/metadata-action@v5 + id: meta + with: + images: | + ${{ env.MY_IMAGE_NAME }} + + labels: | + io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md + org.opencontainers.image.description=${{ env.MY_IMAGE_DESC }} + org.opencontainers.image.title=${{ env.MY_IMAGE_NAME }} + + # Build image using Buildah action + - name: Build Image + id: build_image + uses: redhat-actions/buildah-build@v2 + with: + containerfiles: | + ./Containerfile + # Postfix image name with -custom to make it a little more descriptive + # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format + image: ${{ env.MY_IMAGE_NAME }} + tags: | + ${{ steps.generate-tags.outputs.alias_tags }} + labels: ${{ steps.meta.outputs.labels }} + oci: false + + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. + # https://github.com/macbre/push-to-ghcr/issues/12 + - name: Lowercase Registry + id: registry_case + uses: ASzc/change-string-case-action@v6 + with: + string: ${{ env.IMAGE_REGISTRY }} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Push Image to GHCR + uses: redhat-actions/push-to-registry@v2 + id: push + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + with: + image: ${{ steps.build_image.outputs.image }} + tags: ${{ steps.build_image.outputs.tags }} + registry: ${{ steps.registry_case.outputs.lowercase }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + extra-args: | + --compression-format=zstd + + # This section is optional and only needs to be enabled if you plan on distributing + # your project for others to consume. You will need to create a public and private key + # using Cosign and save the private key as a repository secret in Github for this workflow + # to consume. For more details, review the image signing section of the README. + + # Sign container + - uses: sigstore/cosign-installer@v3.7.0 + if: github.event_name != 'pull_request' + + - name: Sign container image + if: github.event_name != 'pull_request' + run: | + cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} + env: + TAGS: ${{ steps.push.outputs.digest }} + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2f01194 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +cosign.key diff --git a/Containerfile b/Containerfile new file mode 100644 index 0000000..116b982 --- /dev/null +++ b/Containerfile @@ -0,0 +1,12 @@ +ARG MAJOR_VERSION="${CENTOS_MAJOR_VERSION:-stream10}" + +FROM quay.io/centos-bootc/centos-bootc:$MAJOR_VERSION + +COPY build.sh /tmp/build.sh + +RUN chmod +x /tmp/build.sh &&\ + /tmp/build.sh && \ + dnf clean all && \ + ostree container commit + +RUN bootc container lint diff --git a/Justfile b/Justfile new file mode 100644 index 0000000..1fa1ced --- /dev/null +++ b/Justfile @@ -0,0 +1,99 @@ +repo_organization := "centos-workstation-folks" +image_name := "centos-workstation" + +[private] +default: + @just --list + +# Check Just Syntax +[group('Just')] +check: + #!/usr/bin/bash + find . -type f -name "*.just" | while read -r file; do + echo "Checking syntax: $file" + just --unstable --fmt --check -f $file + done + echo "Checking syntax: Justfile" + just --unstable --fmt --check -f Justfile + +# Fix Just Syntax +[group('Just')] +fix: + #!/usr/bin/bash + find . -type f -name "*.just" | while read -r file; do + echo "Checking syntax: $file" + just --unstable --fmt -f $file + done + echo "Checking syntax: Justfile" + just --unstable --fmt -f Justfile || { exit 1; } + +# Clean Repo +[group('Utility')] +clean: + #!/usr/bin/bash + set -eoux pipefail + touch _build + find *_build* -exec rm -rf {} \; + rm -f previous.manifest.json + rm -f changelog.md + rm -f output.env + +# Sudo Clean Repo +[group('Utility')] +[private] +sudo-clean: + just sudoif just clean + +# sudoif bash function +[group('Utility')] +[private] +sudoif command *args: + #!/usr/bin/bash + function sudoif(){ + if [[ "${UID}" -eq 0 ]]; then + "$@" + elif [[ "$(command -v sudo)" && -n "${SSH_ASKPASS:-}" ]] && [[ -n "${DISPLAY:-}" || -n "${WAYLAND_DISPLAY:-}" ]]; then + /usr/bin/sudo --askpass "$@" || exit 1 + elif [[ "$(command -v sudo)" ]]; then + /usr/bin/sudo "$@" || exit 1 + else + exit 1 + fi + } + sudoif {{ command }} {{ args }} + +build centos_version="stream10" tag="latest": + #!/usr/bin/env bash + tag={{ tag }} + image_name={{ image_name }} + centos_version={{ centos_version }} + + # Get Version + if [[ "${tag}" =~ stable ]]; then + ver="${centos_version}.$(date +%Y%m%d)" + else + ver="${tag}-${centos_version}.$(date +%Y%m%d)" + fi + + + BUILD_ARGS=() + BUILD_ARGS+=("--build-arg" "CENTOS_MAJOR_VERSION=${centos_version}") + # BUILD_ARGS+=("--build-arg" "IMAGE_NAME=${image_name}") + # BUILD_ARGS+=("--build-arg" "IMAGE_VENDOR={{ repo_organization }}") + if [[ -z "$(git status -s)" ]]; then + BUILD_ARGS+=("--build-arg" "SHA_HEAD_SHORT=$(git rev-parse --short HEAD)") + fi + + LABELS=() + LABELS+=("--label" "org.opencontainers.image.title=${image_name}") + LABELS+=("--label" "org.opencontainers.image.version=${ver}") + # LABELS+=("--label" "ostree.linux=${kernel_release}") + LABELS+=("--label" "io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/bluefin/README.md") + LABELS+=("--label" "io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4") + LABELS+=("--label" "org.opencontainers.image.description=CentOS based images") + + podman build \ + "${BUILD_ARGS[@]}" \ + "${LABELS[@]}" \ + --tag "${image_name}:${tag}" \ + . diff --git a/README.md b/README.md index 8c46928..00f6ebf 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,3 @@ -# centos-workstation -bootc base image from Centos Stream10 +# CentOS Workstation + +CentOS Stream-based images so that you can build your own ones easier. diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..d32507e --- /dev/null +++ b/build.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +set -euox pipefail + +dnf config-manager --set-enabled crb +dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm + +dnf -y install @multimedia gstreamer1-plugins-{bad-*,good-*,base} lame*