bluebuild #149
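name: bluebuild
on:
  schedule:
    - cron: "00 06 * * *"
  push:
    branches: [main]
    paths-ignore:
      - "**.md"
  pull_request:
  workflow_dispatch:

# One in-flight run per ref; a newer push to the same ref cancels the older
# build so two runs never race each other on the same :latest tag.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true

jobs:
  bluebuild:
    name: Build Custom Image
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the repo, push packages,
    # and mint an OIDC token (id-token) for the build action.
    permissions:
      contents: read
      packages: write
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        recipe:
          - recipe.yml
    steps:
      # Third-party action pinned to a full commit SHA (tag noted for humans)
      # so a moved tag cannot swap the action code under us.
      - name: Build Custom Image
        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1.11.1
        with:
          recipe: ${{ matrix.recipe }}
          cosign_private_key: ${{ secrets.SIGNING_SECRET }}
          registry_token: ${{ github.token }}
          pr_event_number: ${{ github.event.number }}
          maximize_build_space: true

      # ghcr.io requires a lowercase repository path; GITHUB_REPOSITORY keeps
      # the owner's original casing, so lowercase it with bash's ${var,,}.
      # PR builds are not attested or published, hence the event guard on
      # this and every following step.
      - name: Set lowercase image ref
        if: github.event_name != 'pull_request'
        run: echo "IMAGE_REF=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"

      # Scan the source tree rather than the full OS image.
      # The OS image is a multi-GB Fedora Silverblue base with thousands of
      # system packages — scanning it via `syft scan <image>` exceeds the
      # runner's memory/time limits. Fedora provides its own SBOMs for base
      # packages. This SBOM covers our custom services and configuration,
      # so the cyclonedx attestation attached below describes the repository
      # contents that went into the image, not the image's installed packages.
      - name: Generate SBOM
        if: github.event_name != 'pull_request'
        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
        with:
          path: .
          format: cyclonedx-json
          output-file: sbom.cdx.json

      # Resolve the digest of the image just pushed. This runs BEFORE the
      # attestation step so the attestation can be bound to the immutable
      # digest instead of the mutable :latest tag, and so the install
      # reference published in the summary is the exact build that was
      # attested. skopeo's stderr is left visible so a failed lookup says
      # why in the step log. A failed lookup is non-fatal: the output is set
      # to "unknown" and later steps degrade gracefully.
      # The IMAGE_DIGEST file is presumably picked up by a following
      # artifact-upload step not shown here — confirm against the rest of
      # the workflow.
      - name: Extract and publish image digest
        if: github.event_name != 'pull_request'
        id: digest
        run: |
          DIGEST=$(skopeo inspect "docker://${IMAGE_REF}:latest" | jq -r '.Digest' || echo "")
          if [ -z "$DIGEST" ] || [ "$DIGEST" = "null" ]; then
            echo "WARNING: Could not extract image digest"
            echo "digest=unknown" >> "$GITHUB_OUTPUT"
          else
            echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
            echo "${DIGEST}" > IMAGE_DIGEST
            echo "## Image Digest" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "Pinned install reference:" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "sudo bash secai-bootstrap.sh --digest ${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "Full image ref: \`${IMAGE_REF}@${DIGEST}\`" >> "$GITHUB_STEP_SUMMARY"
          fi

      # Attach the SBOM to the image as a signed cyclonedx attestation.
      # Prefer the immutable digest resolved above; fall back to the tag
      # (cosign resolves it to a digest itself) so a failed digest lookup
      # does not cost us the attestation. The private key is passed through
      # the environment via env:// so it never appears on the command line
      # or in the step log.
      - name: Attest SBOM
        if: github.event_name != 'pull_request'
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
          RESOLVED_DIGEST: ${{ steps.digest.outputs.digest }}
        run: |
          TARGET="$IMAGE_REF"
          if [ -n "$RESOLVED_DIGEST" ] && [ "$RESOLVED_DIGEST" != "unknown" ]; then
            TARGET="${IMAGE_REF}@${RESOLVED_DIGEST}"
          fi
          cosign attest --type cyclonedx \
            --predicate sbom.cdx.json \
            --key env://COSIGN_PRIVATE_KEY \
            "$TARGET"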