feat: initial implementation

ublue-os · Jun 30, 2024 · 06eca84 · 06eca84
1 parent aa072c3
commit 06eca84
Show file tree

Hide file tree

Showing 7 changed files with 259 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,3 @@
+## Thank you for contributing to the Universal Blue project!
+
+Please [read the Contributor's Guide](https://universal-blue.org/contributing.html) before submitting a pull request.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -0,0 +1,13 @@
+on:
+  push:
+    branches:
+      - main
+name: release-please
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: google-github-actions/release-please-action@v4
+        with:
+          release-type: simple
+          package-name: release-please-action
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -0,0 +1,189 @@
+name: Cache Fsync
+on:
+  merge_group:
+  schedule:
+    - cron: "45 2 * * * *" # 0245 UTC everyday
+  workflow_dispatch:
+
+env:
+  IMAGE_NAME: fsync
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.fedora_version }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: fsync
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        fedora_version:
+          - 39
+          - 40
+    steps:
+      - name: Checkout Push to Registry action
+        uses: actions/checkout@v4
+
+      - name: Verify Akmods Image
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: akmods:fsync-40
+          pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub
+          registry: ghcr.io/ublue-os
+
+      - name: Get Fsync Kernel Version
+        id: Version
+        uses: Wandalen/[email protected]
+        with:
+          attempt_limit: 3
+          attempt_delay: 15000
+          command: |
+            kernel_release=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:fsync-40 | jq -r '.Labels["ostree.linux"] | split(".fc")[0]')
+            kernel_major_minor_patch=$(echo "$kernel_release" | cut -d '.' -f 1)
+            ver=$(skopeo inspect docker://registry.fedoraproject.com/fedora:${{ matrix.fedora_version }} | jq -r '.Labels["org.opencontainers.image.version"]')
+            if [ -z "$ver" ] || [ "null" = "$ver" ]; then
+              echo "inspected image version must not be empty or null"
+              exit 1
+            fi
+            echo "version=$ver" >> $GITHUB_ENV
+            echo "kernel_release=${kernel_release}" >> $GITHUB_ENV
+            echo "kernel_major_minor_patch=${kernel_major_minor_patch}" >> $GITHUB_ENV
+
+      - name: Checkout Push to Registry Action
+        uses: actions/checkout@v4
+
+      - name: Generate Tags
+        id: generate_tags
+        shell: bash
+        run: |
+          tag=${{ env.kernel_major_minor_patch }}-fc${{ matrix.fedora_version }}
+          COMMIT_TAGS=()
+          COMMIT_TAGS+=("pr-${{ github.event_number }}-${tag}")
+          COMMIT_TAGS+=("${GITHUB_SHA::7}-${tag}")
+
+          BUILD_TAG=(${tag})
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+              echo "Generated the following commit tags: "
+              for TAG in "${COMMIT_TAGS[@]}"; do
+                  echo "${TAG}"
+              done
+
+              alias_tags=("${COMMIT_TAGS[@]}")
+          else
+              alias_tags=("${BUILD_TAGS[@]}")
+          fi
+
+          echo "Generated the following build tags: "
+          for TAG in "${BUILD_TAGS[@]}"; do
+              echo "${TAG}"
+          done
+
+          echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
+
+      - name: Pull Image
+        uses: Wandalen/[email protected]
+        with:
+          attempt_limit: 3
+          attempt_delay: 15000
+          command: |
+            podman pull registry.fedoraproject.com/fedora:${{ matrix.fedora_version }}
+            pomdan pull scratch
+
+      - name: Build Metadata
+        uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: |
+            ${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
+            org.opencontainers.image.description=A caching layer for sentry/kernel-fsync fsync kernel's
+            org.opencontainers.image.version=${{ env.version }}
+            ostree.linux=${{ env.kernel_major_minor_patch }}.fc${{ matrix.fedora_version }}.x86_64
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
+            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4
+
+      - name: Build Image
+        id: build_image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          containerfiles: |
+            ./Containerfile
+          image: ${{ env.IMAGE_NAME }}
+          tags: ${{ steps.generate_tags.outputs.build_tags }}
+          build-args: |
+            FEDORA_VERSION=${{ matrix.fedora_version }}
+            KERNEL_VERSION=${{ env.kernel_major_minor_patch }}
+          labels: ${{ steps.meta.outputs.labels }}
+          oci: false
+
+      - name: Lowercase Registry
+        id: registry_case
+        uses: ASzc/change-string-case-action@v6
+        with:
+          string: ${{ env.IMAGE_REGISTRY }}
+
+      - name: Push to GHCR
+        uses: Wandalen/[email protected]
+        id: push
+        if: github.event_name != 'pull_request'
+        env:
+          REGISTRY_USER: ${{ github.actor }}
+          REGISTRY_PASSWORD: ${{ github.token }}
+        with:
+          action: redhat-actions/push-to-registry@v2
+          attempt_limit: 3
+          attempt_delay: 15000
+          with: |
+            image: ${{ steps.build_image.outputs.image }}
+            tags: ${{ steps.build_image.outputs.tags }}
+            registry: ${{ steps.registry_case.outputs.lowercase }}
+            username: ${{ env.REGISTRY_USER }}
+            password: ${{ env.REGISTRY_PASSWORD }}
+            extra-args: |
+              --disable-content-trust
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Sign container
+      - uses: sigstore/[email protected]
+        if: github.event_name != 'pull_request'
+
+      - name: Sign container image
+        if: github.event_name != 'pull_request'
+        run: |
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
+        env:
+          TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+      - name: Echo outputs
+        if: github.event_name != 'pull_request'
+        run: |
+          echo "${{ toJSON(steps.push.outputs) }}"
+
+  check:
+    name: Check all builds successful
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - name: Exit on failure
+        if: ${{ needs.build.result == 'failure' }}
+        shell: bash
+        run: exit 1
+      - name: Exit
+        shell: bash
+        run: exit 0
diff --git a/Containerfile b/Containerfile
@@ -0,0 +1,15 @@
+ARG SOURCE_IMAGE=${BASE_IMAGE:-fedora}
+ARG SOURCE_REPO=${registry.fedoraproject.org}
+ARG BASE_IMAGE=${${SOURCE_REPO}/${SOURCE_IMAGE}}
+ARG FEDORA_VERSION=${FEDORA_VERSION:-40}
+
+# Build from base-main since its our smallest image and we control the tags
+FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder
+ARG KERNEL_VERSION=${:-}
+
+COPY fetch.sh /
+
+RUN /fetch.sh
+
+FROM scratch as rpms
+COPY --from=builder /tmp/rpms /tmp/rpms
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
+cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+-----END PUBLIC KEY-----
diff --git a/fetch.sh b/fetch.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/bash
+
+set -eoux pipefail
+
+kernel_version="${KERNEL_VERSION}".fc"${FEDORA_VERSION}".x86_64
+
+curl -LsSf -o /etc/yum.repos.d/_copr_sentry-kernel-ba.repo \
+    https://copr.fedorainfracloud.org/coprs/sentry/kernel-fsync/repo/fedora-"$(rpm -E %fedora)"/sentry-kernel-fsync-fedora-"$(rpm -E %fedora)".repo
+
+dnf install -y 'dnf-command(download)'
+
+dnf download -y \
+    kernel-"${kernel_version}" \
+    kernel-core-"${kernel_version}" \
+    kernel-devel-matched-"${kernel_version}" \
+    kernel-modules-"${kernel_version}" \
+    kernel-modules-core-"${kernel_version}" \
+    kernel-modules-extra-"${kernel_version}" \
+    kernel-headers-"${kernel_version}" \
+    kernel-devel-"${kernel_version}"
+
+mkdir -p /tmp/rpms
+
+mv /kernel-*.rpm /tmp/rpms
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		## Thank you for contributing to the Universal Blue project!

		Please [read the Contributor's Guide](https://universal-blue.org/contributing.html) before submitting a pull request.