action.yml
369 lines (342 loc) · 14.6 KB
name: "BlueBuild"
description: "Build a custom OS image"
inputs:
  recipe:
    description: |
      The [recipe](https://blue-build.org/reference/recipe/) file to build the image from, relative to the `config/` or `recipes/` directory.
    required: true
    default: "recipe.yml"
  cosign_private_key:
    description: |
      The Sigstore/cosign secret used to sign the image.
      Example: `${{ secrets.SIGNING_SECRET }}`
    required: true
  push:
    description: |
      Whether to push the image to a container registry.
    required: false
    default: "true"
  registry_token:
    description: |
      The token used to sign into the container registry.
      Example: `${{ github.token }}`
    required: false
    default: ""
  registry_username:
    description: |
      The username used to sign into the container registry.
    required: false
    default: ${{ github.repository_owner }}
  pr_event_number:
    description: |
      The event number used to tag images pushed from pull requests.
      Example: `${{ github.event.number }}`
    required: true
  maximize_build_space:
    description: |
      Whether to run the unwanted software remover to maximize build space in the GitHub builder.
      Disable this with 'false' if your image doesn't take up a lot of space and you'd rather have shorter build times.
    required: false
    default: "true"
  use_unstable_cli:
    description: |
      If true, this action pulls the `main` branch of blue-build/cli instead of the stable version that the current action version is configured to use by default.
      This feature is useful for testing new features, but should not be used in production.
      Input must match the string 'true' for the unstable version to be used.
    required: false
    default: "false"
  cli_version:
    description: |
      Set this to a tag, sha, or branch name of the blue-build/cli repo to use that particular version of the CLI tool. This overrides the `use_unstable_cli` input for the action.
    required: false
  registry:
    description: |
      The container registry to push the built image to.
    required: false
    default: "ghcr.io"
  registry_namespace:
    description: |
      The namespace on the registry to push to.
      Example: `ublue-os`
    required: false
    default: ${{ github.repository_owner }}
  build_chunked_oci:
    description: |
      Uses `rpm-ostree compose build-chunked-oci` to rechunk the image, allowing for smaller images and smaller updates.
      This increases the build time and uses more disk space during the build.
    required: false
    default: "false"
  max_layers:
    description: |
      Maximum number of layers to use when rechunking with `build-chunked-oci`.
    required: false
    default: 128
  rechunk:
    description: |
      Rechunk the ostree-based result images with [github.com/hhd-dev/rechunk](https://github.com/hhd-dev/rechunk) for more efficient diffs and updates (lower image size, better download speed, better update resuming).
      Will make your builds considerably slower. This is an experimental option, as it can cause issues with file permissions in some scenarios, so enable it at your own risk.
      *Warning*: This option will be deprecated in the future.
    required: false
    default: "false"
  rechunk_clear_plan:
    description: |
      Disregard the previous build's layer plan when rechunking.
    required: false
    default: "false"
  use_cache:
    description: |
      Make use of the layer cache by pushing the layers to the registry. Input must match the string 'true' for the step to be enabled.
    required: false
    default: "false"
  retry_push_count:
    description: |
      The number of times to retry pushing the image.
    required: false
    default: "0"
  squash:
    description: |
      Uses buildah to squash the build's layers into a single layer. Use of this option
      disables the cache. Conflicts with adding `--build-driver` or `--squash` to the build opts.
    required: false
    default: "false"
  build_opts:
    description: |
      Provide options to the call to the BlueBuild CLI build command. If you use this with
      the squash input set to true and provide either of the `--build-driver` or `--squash` flags,
      an error will occur and the action will not run.
    required: false
    default: " "
  working_directory:
    description: |
      Changes the working directory for the whole build.
      For example, setting this to `./abc/` causes the recipe to be read from `./abc/recipes/recipe.yml`.
    required: false
    default: ./
  skip_checkout:
    description: |
      Set to true to skip the actions/checkout step.
      This allows you to check out manually before calling bluebuild/github-action
      and to modify files (such as supplying build information to other scripts) before building.
    required: false
    default: "false"
  verify_install:
    description: |
      Set to true to verify the cosign signature for the Blue-Build cli.
    required: false
    default: "false"
runs:
  using: "composite"
  steps:
    - name: Validate inputs
      shell: bash
      env:
        INPUT_BUILD_CHUNKED_OCI: ${{ inputs.build_chunked_oci }}
        INPUT_RECHUNK: ${{ inputs.rechunk }}
        INPUT_RECHUNK_CLEAR_PLAN: ${{ inputs.rechunk_clear_plan }}
        INPUT_SQUASH: ${{ inputs.squash }}
        BUILD_OPTS: ${{ inputs.build_opts }}
        github_action_path: ${{ github.action_path }}
      run: |
        "${github_action_path}/build_opts_check.sh"
    # building custom images might take a lot of space,
    # so it's best to remove unneeded software
    - name: Maximize build space
      if: ${{ inputs.maximize_build_space == 'true' }}
      uses: hastd/free-disk-space@68572aeaadb7f76bd408246328e95926323402b5 # v0.1.2
      with:
        # skip freeing more disk space if runner already has lots of available space
        skip-if-available: "80G"
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      if: ${{ inputs.squash != 'true' && inputs.build_chunked_oci != 'true' && inputs.rechunk != 'true' }}
      with:
        driver: docker-container
        cache-binary: ${{ inputs.use_cache }}
    - name: Get Ubuntu version
      id: ubuntu_version
      shell: bash
      run: |
        VERSION=$(awk -F= '/^VERSION_ID=/ {gsub(/"/, "", $2); print $2}' /etc/os-release)
        echo "Ubuntu version is $VERSION"
        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
    # install a Podman version that is compatible with BlueBuild
    - name: Setup Podman
      if: ${{ (inputs.squash == 'true' || inputs.build_chunked_oci == 'true' || inputs.rechunk == 'true') && steps.ubuntu_version.outputs.version == '22.04' }}
      shell: bash
      run: |
        set -euo pipefail
        # from https://askubuntu.com/questions/1414446/whats-the-recommended-way-of-installing-podman-4-in-ubuntu-22-04
        ubuntu_version='22.04'
        key_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}/Release.key"
        sources_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}"
        echo "deb ${sources_url}/ /" | sudo tee /etc/apt/sources.list.d/devel-kubic-libcontainers-unstable.list
        curl -fLsS --retry 5 "${key_url}" | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
        sudo apt-get update
        sudo apt-get install -y podman
    - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      with:
        install-dir: /usr/bin
        use-sudo: true
    - name: Set up QEMU
      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
    - name: Install the slsa-verifier
      if: ${{ inputs.verify_install == 'true' }}
      uses: slsa-framework/slsa-verifier/actions/installer@ea584f4502babc6f60d9bc799dbbb13c1caa9ee6 # v2.7.1
    # clones user's repo
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      if: ${{ inputs.skip_checkout == 'false' }}
      with:
        persist-credentials: false
    - name: Set container policy to validate Blue-Build cli signature
      if: ${{ inputs.verify_install == 'true' }}
      shell: bash
      run: |
        set -euo pipefail
        POLICY_FILE="/etc/containers/policy.json"
        CLI_IMAGE_REGISTRY="ghcr.io/blue-build/cli"
        MODULES_IMAGE_REGISTRY="ghcr.io/blue-build/modules"
        CLI_IMAGE_PUBKEY="/etc/pki/containers/blue-build-cli.pub"
        MODULES_IMAGE_PUBKEY="/etc/pki/containers/blue-build-modules.pub"
        sudo mkdir -p /etc/pki/containers
        curl -fLsS --retry 5 https://raw.githubusercontent.com/blue-build/cli/refs/heads/main/cosign.pub | sudo tee "${CLI_IMAGE_PUBKEY}" > /dev/null
        curl -fLsS --retry 5 https://raw.githubusercontent.com/blue-build/modules/refs/heads/main/cosign.pub | sudo tee "${MODULES_IMAGE_PUBKEY}" > /dev/null
        # add public keys for BlueBuild CLI and modules to container policy
        jq --arg cli_image_registry "${CLI_IMAGE_REGISTRY}" \
           --arg cli_image_pubkey "${CLI_IMAGE_PUBKEY}" \
           --arg modules_image_registry "${MODULES_IMAGE_REGISTRY}" \
           --arg modules_image_pubkey "${MODULES_IMAGE_PUBKEY}" \
           '.transports.docker += {
              $cli_image_registry: [
                {
                  "type": "sigstoreSigned",
                  "keyPath": $cli_image_pubkey,
                  "signedIdentity": {
                    "type": "matchRepository"
                  }
                }
              ],
              $modules_image_registry: [
                {
                  "type": "sigstoreSigned",
                  "keyPath": $modules_image_pubkey,
                  "signedIdentity": {
                    "type": "matchRepository"
                  }
                }
              ]
            }' "${POLICY_FILE}" > POLICY.tmp
        sudo mv POLICY.tmp "${POLICY_FILE}"
        # enable sigstore attachments for BlueBuild container verification
        sudo mkdir -p /etc/containers/registries.d
        cat <<'EOF' | sudo tee /etc/containers/registries.d/blue-build.yaml > /dev/null
        docker:
          ghcr.io/blue-build:
            use-sigstore-attachments: true
        EOF
    - name: Determine Vars
      id: build_vars
      shell: bash
      env:
        RECIPE: ${{ inputs.recipe }}
        USE_UNSTABLE_CLI: ${{ inputs.use_unstable_cli }}
        CLI_VERSION: ${{ inputs.cli_version }}
        AUTH_HEADER: "Authorization: Bearer ${{ github.token }}"
      run: |
        set -euo pipefail
        if [[ "${USE_UNSTABLE_CLI}" == "true" && -z "${CLI_VERSION}" ]]; then
          CLI_VERSION_TAG="main"
          REPO_TAG="main"
          VERIFY_FLAG="--source-branch"
        elif [ -n "${CLI_VERSION}" ]; then
          CLI_VERSION_TAG="${CLI_VERSION}"
          REPO_TAG="${CLI_VERSION}"
          if [[ "${CLI_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            VERIFY_FLAG="--source-tag"
          else
            VERIFY_FLAG="--source-branch"
          fi
        else
          REPO_TAG=$(curl -fLsS --variable '%AUTH_HEADER' --expand-header '{{AUTH_HEADER}}' --retry 5 https://api.github.com/repos/blue-build/cli/tags | jq -r '.[0].name')
          CLI_VERSION_TAG="v0.9"
          VERIFY_FLAG="--source-tag"
        fi
        echo "cli_version=${CLI_VERSION_TAG}" >> "${GITHUB_OUTPUT}"
        echo "repo_tag=${REPO_TAG}" >> "${GITHUB_OUTPUT}"
        echo "verify_flag=${VERIFY_FLAG}" >> "${GITHUB_OUTPUT}"
        RECIPE_PATH=""
        if [ -f "./config/${RECIPE}" ]; then
          RECIPE_PATH="./config/${RECIPE}"
        else
          RECIPE_PATH="./recipes/${RECIPE}"
        fi
        echo "recipe_path=${RECIPE_PATH}" >> "${GITHUB_OUTPUT}"
    - name: Install BlueBuild
      shell: bash
      env:
        CLI_VERSION_TAG: ${{ steps.build_vars.outputs.cli_version }}
        REPO_TAG: ${{ steps.build_vars.outputs.repo_tag }}
        VERIFY_FLAG: ${{ steps.build_vars.outputs.verify_flag }}
        VERIFY_INSTALL: ${{ inputs.verify_install }}
      run: |
        set -euo pipefail
        CLI_INSTALLER_IMAGE="ghcr.io/blue-build/cli:${CLI_VERSION_TAG}-installer"
        if [ "$VERIFY_INSTALL" = "true" ]; then
          docker pull "${CLI_INSTALLER_IMAGE}"
          # resolve the tag to an immutable digest before verifying provenance against it
          CLI_INSTALLER_IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' "${CLI_INSTALLER_IMAGE}")
          slsa-verifier verify-image "${CLI_INSTALLER_IMAGE}" \
            --source-uri github.com/blue-build/cli \
            "${VERIFY_FLAG}" "${REPO_TAG}"
        fi
        sudo docker create \
          --name blue-build-installer \
          "${CLI_INSTALLER_IMAGE}"
        sudo docker cp blue-build-installer:/out/bluebuild /usr/bin/bluebuild
        sudo docker rm blue-build-installer
        bluebuild --version
    # blue-build/cli does the heavy lifting
    - name: Build Image
      shell: bash
      working-directory: ${{ inputs.working_directory }}
      env:
        COSIGN_PRIVATE_KEY: ${{ inputs.cosign_private_key }}
        GH_TOKEN: ${{ inputs.registry_token }}
        BB_BUILD_PUSH: ${{ inputs.push }}
        BB_PASSWORD: ${{ inputs.registry_token }}
        BB_USERNAME: ${{ inputs.registry_username }}
        BB_REGISTRY: ${{ inputs.registry }}
        BB_REGISTRY_NAMESPACE: ${{ inputs.registry_namespace }}
        GH_PR_EVENT_NUMBER: ${{ inputs.pr_event_number }}
        BB_CACHE_LAYERS: ${{ inputs.use_cache }}
        BB_RETRY_PUSH_COUNT: ${{ inputs.retry_push_count }}
        BB_SQUASH: ${{ inputs.squash }}
        BB_BUILD_CHUNKED_OCI: ${{ inputs.build_chunked_oci }}
        BB_BUILD_CHUNKED_OCI_MAX_LAYERS: ${{ inputs.max_layers }}
        BB_BUILD_REMOVE_BASE_IMAGE: "true"
        BB_RECHUNK: ${{ inputs.rechunk }}
        BB_BUILD_RECHUNK_CLEAR_PLAN: ${{ inputs.rechunk_clear_plan }}
        RECIPE_PATH: ${{ steps.build_vars.outputs.recipe_path }}
        RUST_LOG_STYLE: always
        CLICOLOR_FORCE: "1"
        BUILD_OPTS: ${{ inputs.build_opts }}
      run: |
        # split the build_opts string into an argv array
        read -r -a BUILD_OPTS <<< "${BUILD_OPTS}"
        if [ "${BB_SQUASH}" = "true" ]; then
          BUILD_OPTS+=("--build-driver" "podman" "--squash")
        fi
        if [ "${BB_BUILD_CHUNKED_OCI}" = "false" ]; then
          unset BB_BUILD_CHUNKED_OCI_MAX_LAYERS
          unset BB_BUILD_REMOVE_BASE_IMAGE
        fi
        RUN_SUDO=""
        if [ "${BB_RECHUNK}" = "true" ]; then
          RUN_SUDO=1
          BUILD_OPTS+=("--rechunk")
        fi
        if [ "${BB_RETRY_PUSH_COUNT}" != '0' ]; then
          BUILD_OPTS+=("--retry-push" "--retry-count" "${BB_RETRY_PUSH_COUNT}")
        fi
        if [ -n "$RUN_SUDO" ]; then
          sudo -E bluebuild build -v "${BUILD_OPTS[@]}" "${RECIPE_PATH}"
        else
          bluebuild build -v "${BUILD_OPTS[@]}" "${RECIPE_PATH}"
        fi
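Added example, not part of the action file above and not the project's `build_opts_check.sh` (which the page references but does not show): a bash implementation of the conflict rule that the `squash` and `build_opts` input descriptions specify, followed by the same option assembly that the Build Image step performs, so a maintainer can exercise both locally before a workflow run. The function names `check_build_opts` and `assemble_build_opts` are my own; the flag names and the `--retry-push`/`--rechunk` handling are taken from the step above.

```bash
#!/usr/bin/env bash
# Added example: reproduces the squash/build_opts conflict check described in
# the inputs and the argv assembly of the "Build Image" step. Not the project's
# build_opts_check.sh; the function names here are assumptions.
set -euo pipefail

# Exit 0 when build_opts is compatible with the squash input, 1 when the
# documented conflict applies: squash=true combined with --build-driver or
# --squash supplied through build_opts.
#   $1 = squash input ("true"/"false"), $2 = build_opts string (space separated)
check_build_opts() {
  local squash="$1" opts_str="$2" opt
  local -a opts=()
  read -r -a opts <<< "${opts_str}"
  [ "${squash}" = "true" ] || return 0
  for opt in ${opts[@]+"${opts[@]}"}; do
    case "${opt}" in
      --build-driver|--build-driver=*|--squash)
        echo "error: build_opts contains '${opt}', which conflicts with squash: true" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Print the final argument list for `bluebuild build`, one per line, assembled
# the same way the Build Image step does (squash, rechunk, retry push). Fails
# with status 1 if check_build_opts rejects the combination.
#   $1 = squash, $2 = rechunk, $3 = retry_push_count, $4 = build_opts string
assemble_build_opts() {
  local squash="$1" rechunk="$2" retry_count="$3" opts_str="$4"
  local -a opts=()
  read -r -a opts <<< "${opts_str}"
  check_build_opts "${squash}" "${opts_str}" || return 1
  if [ "${squash}" = "true" ]; then
    opts+=("--build-driver" "podman" "--squash")
  fi
  if [ "${rechunk}" = "true" ]; then
    opts+=("--rechunk")
  fi
  if [ "${retry_count}" != "0" ]; then
    opts+=("--retry-push" "--retry-count" "${retry_count}")
  fi
  printf '%s\n' ${opts[@]+"${opts[@]}"}
}
```

Run it with the same environment names the action uses, for instance `assemble_build_opts "${BB_SQUASH:-false}" "${BB_RECHUNK:-false}" "${BB_RETRY_PUSH_COUNT:-0}" "${BUILD_OPTS:- }"`; a non-zero exit from `check_build_opts` is what stops the action before any build starts, which is the behaviour the `build_opts` description promises. The `${opts[@]+"${opts[@]}"}` expansion keeps the functions safe under `set -u` on older bash when `build_opts` is the default single space.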