This repository is meant to blossom into custom Universal Blue image tailored for creatives. This Project naturally falls into the same family of other Universal Blue systems, such as;
Warning
Everything below this message is boilerplate stuff that came with the template, Please ignore for now as it all WILL be changed.
Working knowledge in the following topics:
- Containers
- rpm-ostree
- Fedora Silverblue (and other Fedora Atomic variants)
- Github Workflows
This file defines the operations used to customize the selected image. It contains examples of possible modifications, including how to:
- change the upstream from which the custom image is derived
- add additional RPM packages
- add binaries as a layer from other images
This workflow creates your custom OCI image and publishes it to the Github Container Registry (GHCR). By default, the image name will match the Github repository name.
Container signing is important for end-user security and is enabled on all Universal Blue images. It is recommended you set this up, and by default the image builds will fail if you don't.
This provides users a method of verifying the image.
-
Install the cosign CLI tool
-
Run inside your repo folder:
cosign generate-key-pair
- Do NOT put in a password when it asks you to, just press enter. The signing key will be used in GitHub Actions and will not work if it is encrypted.
Warning
Be careful to never accidentally commit cosign.key
into your git repo.
-
Add the private key to GitHub
-
This can also be done manually. Go to your repository settings, under Secrets and Variables -> Actions Add a new secret and name it
SIGNING_SECRET
, then paste the contents ofcosign.key
into the secret and save it. Make sure it's the .key file and not the .pub file. Once done, it should look like this: -
(CLI instructions) If you have the
github-cli
installed, run:
gh secret set SIGNING_SECRET < cosign.key
-
-
Commit the
cosign.pub
file into your git repository
This template includes a Containerfile and a Github workflow for building the container image. As soon as the workflow is enabled in your repository, it will build the container image and push it to the Github Container Registry.