
Commit

chore: sync (#3)
* fix: accommodate new justfile organization

* fix: remove image-info.json from base image if it exists (#162)

* fix: remove image-info.json from base image if it exists

This just makes it so if the user forgets to run the signing script and somehow installs `ublue-update`, `ublue-update` won't try to rebase them to the base image they chose

* docs: clearer comment for image-info remove line

---------

Co-authored-by: xyny <[email protected]>

* chore(ci): Maximize build space (#165)

* docs: module working directory, style guides

* docs: how to refer to modules in module READMEs

* docs: chore: remove ":" from Example configuration
this change should be propagated to bling

* docs: grammar recommendations

* docs: correct title casing in style guide

* docs: yaml not yml, directions qualifier

* fix: ublue-update failure when signing image

* chore: rm deprecated fonts bling from recipe

* fix: specify image name in policy.json (#176)

There was talk on the Discord about not being able to pull in images with podman because the signing policy included *every* image inside of the user's ghcr account, which means that images not signed with the same key won't be able to be pulled down.

* chore: update bling list (#181)

* chore: update bling list

* Review comments

* docs (README): run 'rpm-ostree rebase' without sudo (#183)

* build(deps): bump ASzc/change-string-case-action from 5 to 6 (#178)

Bumps [ASzc/change-string-case-action](https://github.com/aszc/change-string-case-action) from 5 to 6.
- [Release notes](https://github.com/aszc/change-string-case-action/releases)
- [Commits](ASzc/change-string-case-action@v5...v6)

---
updated-dependencies:
- dependency-name: ASzc/change-string-case-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump to Fedora 39 (#186)

* Bump release-iso workflow to Fedora 39

* Pin isogenerator version

It is recommended in order to avoid some unexpected changes to the maintainer.

* Update other recipe & containerfile to reflect Fedora 39 change

* chore(ci): Build at 16:30 UTC (#187)

Nvidia images are now being built at 15:30 UTC. Startingpoint images should be built one hour after that.

* build(deps): bump mikefarah/yq from 4.35.1 to 4.40.1 (#189)

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.35.1 to 4.40.1.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.35.1...v4.40.1)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 (#188)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@v3.1.2...v3.2.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump mikefarah/yq from 4.40.1 to 4.40.2 (#192)

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.1 to 4.40.2.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.40.1...v4.40.2)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: delete all previous ISOs when re-releasing (#185)

* fix: use -R flag to select repo on iso-deleting `gh` commands

* feat: add just syntax checker (#194)

* feat: add just syntax checker

* fix: create empty file to pass just syntax check

* fix: use relative path to pass just syntax check

* fix: justfiles cannot be empty to pass the syntax check

* fix: format justfiles

* docs: 100-bling.just explain purpose

---------

Co-authored-by: xyny <[email protected]>

* fix: typo (#199)

* build(deps): bump mikefarah/yq from 4.40.2 to 4.40.3 (#200)

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.2 to 4.40.3.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.40.2...v4.40.3)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix: release-iso.yml to not fail if no images are returned (#202)

Builds started failing once #195 was merged. This fixed the release-iso workflow for me.

* build(deps): bump mikefarah/yq from 4.40.3 to 4.40.4 (#201)

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.3 to 4.40.4.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.40.3...v4.40.4)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: do not format just files in CI (#205)

* feat: Check that cosign.pub matches private key (#193)

This avoids images which can't be updated due to `invalid signature`
errors because cosign.pub doesn't match the private key actually used
for signing. The error is caught early in the build process as there's
no point creating an image if cosign.pub is wrong.

Co-authored-by: mjs <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Kyle Gospodnetich <[email protected]>
Co-authored-by: gerblesh <[email protected]>
Co-authored-by: plata <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: fiftydinar <[email protected]>
Co-authored-by: Lordus Kordus <[email protected]>
Co-authored-by: RJ Trujillo <[email protected]>
Co-authored-by: ArtikusHG <[email protected]>
Co-authored-by: qoijjj <[email protected]>
Co-authored-by: David Personette <[email protected]>
Co-authored-by: Menno Finlay-Smits <[email protected]>
Co-authored-by: mjs <[email protected]>
13 people authored Dec 17, 2023
1 parent 8a81f9b commit e83bacd
Showing 9 changed files with 83 additions and 20 deletions.
44 changes: 35 additions & 9 deletions .github/workflows/build.yml
@@ -1,13 +1,13 @@
# This workflow builds every branch of the repository daily at 20:22 UTC, one hour after ublue-os/nvidia builds.
# The images are also built after pushuing changes or pull requests.
# This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds.
# The images are also built after pushing changes or pull requests.
# The builds can also be triggered manually in the Actions tab thanks to workflow dispatch.
# Only the branch called `live` is published.


name: build-ublue
on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
schedule:
- cron: "20 22 * * *"
- cron: "30 16 * * *"
push:
branches:
- live
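Review bot: worth confirming that the ublue-os/nvidia build really moved to 15:30 UTC as the commit message states, since this schedule exists only to follow it by one hour; the new pair is at least self-consistent (`30 16` is 16:30 UTC), whereas the removed comment said 20:22 while `20 22` actually meant 22:20.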
@@ -43,12 +43,41 @@ jobs:
# !!!

steps:
- name: Maximize build space
uses: AdityaGarg8/remove-unwanted-software@v1
with:
remove-dotnet: 'true'
remove-android: 'true'
remove-haskell: 'true'

# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4

# Confirm that cosign.pub matches SIGNING_SECRET
- uses: sigstore/[email protected]
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'

- name: Check SIGNING_SECRET matches cosign.pub
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PASSWORD: ""
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
shell: bash
run: |
echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub"
delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub)
if [ -z "$delta" ]; then
echo "cosign.pub matches SIGNING_SECRET"
else
echo "cosign.pub does not match SIGNING_SECRET"
echo "$delta"
exit 1
fi
- name: Add yq (for reading recipe.yml)
uses: mikefarah/yq@v4.35.1
uses: mikefarah/yq@v4.40.4

- name: Gather image data from recipe
run: |
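Review bot: in the `Check SIGNING_SECRET matches cosign.pub` step the `else` branch is effectively unreachable. With `shell: bash` GitHub runs the script under `-e -o pipefail`, so when `diff` exits non-zero (keys differ, `cosign.pub` missing, or `cosign public-key` failing) the `delta=$(...)` assignment aborts the step before the `if`, and the "does not match" message and the printed diff never appear. Testing the assignment directly keeps both the exit code and the diagnostic, e.g. `if ! delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub); then echo "cosign.pub does not match SIGNING_SECRET"; echo "$delta"; exit 1; fi`. Two smaller points: `AdityaGarg8/remove-unwanted-software@v1` is a third-party action referenced by a movable tag in a job that has access to `SIGNING_SECRET`; pin it (and ideally `sigstore/cosign-installer` too) to a full commit SHA. And `COSIGN_PASSWORD: ""` hard-codes the assumption that the private key is unencrypted; a comment saying so would help whoever rotates the key.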
@@ -119,13 +148,13 @@ jobs:
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v5
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}

- name: Lowercase Image
id: image_case
uses: ASzc/change-string-case-action@v5
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_NAME }}

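Review bot: this is a major-version bump (v5 to v6) of a third-party action whose outputs are consumed by id (`steps.registry_case`, `steps.image_case`) further down the workflow; confirm the output names are unchanged in v6 before merging, and as with the other actions prefer pinning to a commit SHA rather than the movable `v6` tag, letting Dependabot track the SHA.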
@@ -173,9 +202,6 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}

# Sign container
- uses: sigstore/[email protected]
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'

- name: Sign container image
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
run: |
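Review bot: dropping the installer here is safe because the `sigstore/cosign-installer` step added near the top of the job carries the same `if:` guard, so cosign is still present on `live` non-PR runs and still absent on pull requests, where this signing step is skipped as well; a one-line comment above `Sign container image` pointing at the moved installer would save the next reader the search.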
7 changes: 4 additions & 3 deletions .github/workflows/release-iso.yml
@@ -13,17 +13,17 @@ jobs:
permissions:
contents: write
container:
image: fedora:38
image: fedora:39
options: --privileged
steps:
- uses: actions/checkout@v4
- name: Generate ISO
uses: ublue-os/isogenerator@main
uses: ublue-os/isogenerator@v2.2.0
id: isogenerator
with:
image-name: ${{ github.event.repository.name }}
installer-repo: releases
installer-major-version: 38
installer-major-version: 39
boot-menu-path: boot_menu.yml
- name: install github CLI
run: |
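Review bot: replacing `ublue-os/isogenerator@main` with `@v2.2.0` removes a floating branch reference from a `--privileged` container job that produces the shipped installer media, which is the right direction; a tag is still movable, so pin to the release's commit SHA (version in a trailing comment) and let Dependabot bump it. Also confirm that the pinned isogenerator release supports `installer-major-version: 39`, since both changes land in the same hunk.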
@@ -35,6 +35,7 @@ jobs:
GITHUB_TOKEN: ${{ github.token }}
run: |
if gh release list -R ${{ github.repository_owner }}/${{ github.event.repository.name }} | grep "auto-iso"; then
gh release view auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --json assets -q .assets[].name | xargs --no-run-if-empty -L 1 gh release delete-asset auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
gh release upload auto-iso ${{ steps.isogenerator.outputs.iso-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber
else
gh release create auto-iso ${{ steps.isogenerator.outputs.iso-path }} -t ISO -n "This is an automatically generated ISO release." -R ${{ github.repository_owner }}/${{ github.event.repository.name }}
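Review bot: the asset-deletion pipeline masks failures of `gh release view`: this `run:` block specifies no shell, so it executes under `bash -e` without `pipefail`, and if the view/JSON query fails the pipe's status is that of `xargs`, which with `--no-run-if-empty` exits 0, so the step carries on as though the release had no assets. Add `set -o pipefail` at the top of the script. Separately, `xargs -L 1` still splits each line on whitespace, so an asset name containing a space would reach `gh release delete-asset` as two arguments; `xargs -d '\n' --no-run-if-empty ...` keeps one name per invocation.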
2 changes: 1 addition & 1 deletion Containerfile
@@ -9,7 +9,7 @@
# does nothing if the image is built in the cloud.

# !! Warning: changing these might not do anything for you. Read comment above.
ARG IMAGE_MAJOR_VERSION=38
ARG IMAGE_MAJOR_VERSION=39
ARG BASE_IMAGE_URL=ghcr.io/ublue-os/silverblue-main

FROM ${BASE_IMAGE_URL}:${IMAGE_MAJOR_VERSION}
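Review bot: the base image is still pulled by a movable tag (`${BASE_IMAGE_URL}:${IMAGE_MAJOR_VERSION}`, now `silverblue-main:39`) and nothing in this file checks what arrives. Given that this commit tightens the repo's own signing (the `cosign.pub` consistency check in build.yml, the per-image `sigstoreSigned` policy in signing.sh), the upstream side deserves the same care: verify the ublue-os base image signature with `cosign verify` in the workflow before the build, or pin `FROM` to a digest that CI refreshes.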
11 changes: 10 additions & 1 deletion build.sh
@@ -23,10 +23,11 @@ run_module() {
MODULE="$1"
TYPE=$(echo "$MODULE" | yq '.type')
if [[ "$TYPE" != "null" ]]; then
cd "$CONFIG_DIRECTORY"
# If type is found, that means that the module config
# has been declared inline, and thus is safe to pass to the module
echo "=== Launching module of type: $TYPE ==="
bash "$MODULE_DIRECTORY/$TYPE/$TYPE.sh" "$MODULE"
bash "$MODULE_DIRECTORY/$TYPE/$TYPE.sh" "$MODULE"
else
# If the type is not found, that means that the module config
# is in a separate file, and has to be read from it
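Review bot: the new `cd "$CONFIG_DIRECTORY"` runs only in the inline-config branch of `run_module`; the `else` branch (module config in a separate file) never changes directory, so the working directory depends on how the module was declared, while the README change in this same commit states unconditionally that modules run in `CONFIG_DIRECTORY`. Move the `cd` above the `if` so both paths behave as documented, and guard it (`cd "$CONFIG_DIRECTORY" || exit 1`) unless the script already runs under `set -e`, since a failed `cd` here would otherwise execute the module from whatever directory the previous one left behind.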
@@ -62,4 +63,12 @@ OS_VERSION="$(grep -Po '(?<=VERSION_ID=)\d+' /usr/lib/os-release)"
# Welcome.
echo "Building $IMAGE_NAME from $BASE_IMAGE:$OS_VERSION."

# Remove old image-info.json from main image
# (this file is added back by signing.sh, but shouldn't exist
# with wrong details in an unsigned image)
IMAGE_INFO="/usr/share/ublue-os/image-info.json"
if [ -f "$IMAGE_INFO" ]; then
rm -v "$IMAGE_INFO"
fi

run_modules "$RECIPE_FILE"
2 changes: 2 additions & 0 deletions config/files/usr/share/ublue-os/just/100-bling.just
@@ -0,0 +1,2 @@
# this file is a placeholder,
# making changes here is not supported
2 changes: 1 addition & 1 deletion config/files/usr/share/ublue-os/just/60-custom.just
@@ -1,4 +1,4 @@
!include /usr/share/ublue-os/just/100-bling.just
!include 100-bling.just

# Include some of your custom scripts here!

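Review bot: the include now uses a path relative to the including file (`!include 100-bling.just`), which works only because `100-bling.just` ships in the same `/usr/share/ublue-os/just/` directory, yet the recipe.yml comment changed in this same commit still tells users to add the absolute form `!include /usr/share/ublue-os/just/100-bling.just`. Both resolve on an installed system, but the docs should show the form the shipped file actually uses; and since the commit message says the relative path exists to satisfy the syntax checker run from the repo checkout, a short comment in this file recording that would stop someone "fixing" it back to the absolute path.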
8 changes: 6 additions & 2 deletions config/recipe.yml
@@ -61,14 +61,18 @@ modules:

- type: bling # configure what to pull in from ublue-os/bling
install:
- fonts # selection of common good free fonts
- justfiles # add "!include /usr/share/ublue-os/just/bling.just"
- justfiles # add "!include /usr/share/ublue-os/just/100-bling.just"
# in your custom.just (added by default) or local justfile
- nix-installer # shell shortcuts for determinate system's nix installers
- ublue-os-wallpapers
# - ublue-update # https://github.com/ublue-os/ublue-update
# - 1password # install 1Password (stable) and `op` CLI tool
# - dconf-update-service # a service unit that updates the dconf db on boot
# - devpod # https://devpod.sh/ as an rpm
# - gnome-vrr # enables gnome-vrr for your image
# - container-tools # installs container-related tools onto /usr/bin: kind, kubectx, docker-compose and kubens
# - laptop # installs TLP and configures your system for laptop usage
# - flatpaksync # allows synchronization of user-installed flatpaks, see separate documentation section


- type: yafti # if included, yafti and it's dependencies (pip & libadwaita)
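Review bot: the newly listed `# - ublue-update` entry deserves a note beside it that enabling it presumes the signing script has run: per the commit message, `image-info.json` is now removed from unsigned builds precisely so that ublue-update cannot rebase a user onto the base image, so a user who uncomments this line without setting up signing gets an updater with nothing valid to point at. Style nit in the context line: "determinate system's nix installers" should read "Determinate Systems' nix installer".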
4 changes: 2 additions & 2 deletions config/scripts/signing.sh
@@ -11,7 +11,7 @@ cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$IMAGE_NAME".pub
FILE=/usr/etc/containers/policy.json

yq -i -o=j '.transports.docker |=
{"'"$IMAGE_REGISTRY"'": [
{"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME"'.pub",
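Review bot: narrowing the `sigstoreSigned` requirement from the whole registry (`$IMAGE_REGISTRY`) to the single repository `$IMAGE_REGISTRY/$IMAGE_NAME` fixes the pull problem described in the commit message, but every other image under that registry now falls through to the policy's `default` entry, which this hunk does not show; confirm that `/usr/etc/containers/policy.json` on the base image keeps a default that matches the intent (notably the existing ublue-os requirement for the other `ghcr.io/ublue-os` images), and say so in a comment. Also, `'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'` splices recipe values straight into the yq expression, so a quote in either would make yq fail or produce an unexpected key; passing them in with `--arg`-style variables (yq supports `env()`) avoids the quoting.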
@@ -24,7 +24,7 @@ yq -i -o=j '.transports.docker |=
+ .' "$FILE"

IMAGE_REF="ostree-image-signed:docker://$IMAGE_REGISTRY/$IMAGE_NAME"
printf '{\n"image-ref": "'"$IMAGE_REF"'",\n"image-default-tag": "latest"\n}' > /usr/share/ublue-os/image-info.json
printf '{\n"image-ref": "'"$IMAGE_REF"'",\n"image-tag": "latest"\n}' > /usr/share/ublue-os/image-info.json

cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$IMAGE_NAME".yaml
sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/"$IMAGE_NAME".yaml
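Review bot: `image-default-tag` to `image-tag` is a schema change in a file consumed by ublue-update (the commit message lists a fix for a ublue-update failure when signing), so record the consumer in a comment next to the `printf` to discourage casual renames. While here: the `sed` expression `s ghcr.io/ublue-os $IMAGE_REGISTRY g` leaves the `.` unescaped (it matches any character) and uses a space as delimiter, so a value containing a space breaks it; `s|ghcr\.io/ublue-os|$IMAGE_REGISTRY|g` is the conventional form. The hand-built JSON in the `printf` has the same quoting fragility as the yq splice above; since yq is already in use, generating the object with it rather than by string concatenation would keep the file valid whatever `$IMAGE_REF` contains.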
23 changes: 22 additions & 1 deletion modules/README.md
@@ -8,6 +8,8 @@ Modules get only the configuration options given to them in the recipe.yml, not

Additionally, each module has access to four environment variables, `CONFIG_DIRECTORY` pointing to the Startingpoint directory in `/usr/share/ublue-os/`, `IMAGE_NAME` being the name of the image as declared in the recipe, `BASE_IMAGE` being the URL of the container image used as the base (FROM) in the image, and `OS_VERSION` being the `VERSION_ID` from `/usr/lib/os-release`.

When running modules, the working directory is the `CONFIG_DIRECTORY`.

A helper bash function called `get_yaml_array` is exported from the main build script.
```bash
# "$1" is the first cli argument, being the module configuration.
@@ -22,4 +24,23 @@ All bash-based modules should start with the following lines to ensure the image
```bash
#!/usr/bin/env bash
set -oue pipefail
```
```

## Style directions for official modules

These are general directions for writing official modules and their documentation to follow to keep a consistent style. Not all of these are to be mindlessly followed, especially the ones about grammar and writing style. It's good to keep these in mind if you intend to contribute back upstream, though, so that your module doesn't feel out of place.

### Bash

- Start with `#!/usr/bin/env bash` and `set -oue pipefail`
- Don't print "===", this is only for encapsulating the output of _different_ modules in `build.sh`
- Print something on each step and on errors for easier debugging
- Use CAPITALIZED names for variables that are read from the configuration

### README

- Title should be "`type` Module for Startingpoint", where the name/type of the module is a noun that shows the module's purpose
- There should be a subtitle "Example configuration", under which there should be a loosely documented yaml block showcasing each of the module's configuration options
- For a YAML block, specify the language as "yaml", not "yml" (MkDocs only supports "yaml")
- At the start of each paragraph, refer to the module using its name or with "the module", not "it" or "the script"
- Use passive grammar when talking about the user, ie. "should be used", "can be configured", preferring references to what the module does, ie. "This module downloads the answer to the question of life, the universe and everything..."
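Review bot: style nits in the new guidance: "ie." should be "i.e." (twice in the last bullet), and the README title rule would be clearer with a concrete instance (for example the `bling` module's title) so contributors see the casing it expects. The Bash section could also point back to the `CONFIG_DIRECTORY` working-directory sentence added above, since that is the one runtime assumption a module author most needs.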
