Better signing, modifications from someone's fork

ublue-os · Feb 7, 2024 · 180b9b3 · 180b9b3
1 parent e66e117
commit 180b9b3
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 53 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,9 +8,6 @@ on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-wor
   pull_request:
   workflow_dispatch:
 
-env:
-  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
-
 # Only deploys the branch named "live". Ignores all other branches, to allow
 # having "development" branches without interfering with GHCR image uploads.
 jobs:
@@ -38,28 +35,31 @@ jobs:
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      - name: Install cosign
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        uses: sigstore/[email protected]
+
       - name: Add yq (for reading desc.yml)
         uses: mikefarah/[email protected]
 
+      # important here is to lowercase image related variables like IMAGE_REGISTRY
+      # and IMAGE_NAME because docker does not allow uppercase chars in the whole image name.
+
       - name: Gather image data from description
         run: |
-          echo "IMAGE_NAME=$(yq '.name' ./desc.yml)" >> $GITHUB_ENV
+          echo "IMAGE_TITLE=$(yq '.title' ./desc.yml)" >> $GITHUB_ENV
+          echo "IMAGE_NAME=${GITHUB_REPOSITORY_OWNER@L}/$(yq '.name | downcase' ./desc.yml)" >> $GITHUB_ENV
           echo "IMAGE_DESCRIPTION=$(yq '.description' ./desc.yml)" >> $GITHUB_ENV
           echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./desc.yml)" >> $GITHUB_ENV
-
-      - name: Get current version
-        id: labels
-        run: |
-          ver=$(skopeo inspect docker://quay.io/fedora/fedora-silverblue:${{ env.IMAGE_MAJOR_VERSION }} | jq -r '.Labels["org.opencontainers.image.version"]')
-          echo "VERSION=$ver" >> $GITHUB_OUTPUT
+          echo "IMAGE_REGISTRY=$(yq '.image-registry | downcase' ./desc.yml)" >> GITHUB_ENV
 
       - name: Generate tags
         id: generate-tags
         shell: bash
         run: |
           # Generate a timestamp for creating an image version history
           TIMESTAMP="$(date +%Y%m%d)"
-          MAJOR_VERSION="$(echo ${{ steps.labels.outputs.VERSION }} | cut -d . -f 1)"
+          MAJOR_VERSION="${IMAGE_MAJOR_VERSION}"
           COMMIT_TAGS=()
           BUILD_TAGS=()
           # Have tags for tracking builds during pull request
@@ -99,26 +99,13 @@ jobs:
           images: |
             ${{ env.IMAGE_NAME }}
           labels: |
-            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
-            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
+            org.opencontainers.image.title=${{ env.IMAGE_TITLE }}
+            org.opencontainers.image.ref.name=${{ env.IMAGE_NAME }}
+            org.opencontainers.image.version=${{ env.IMAGE_MAJOR_VERSION }}
             org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/drakulix/infinity/main/README.md
             io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/33131755?s=200&v=4
-
-      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
-      # https://github.com/macbre/push-to-ghcr/issues/12
-      - name: Lowercase Registry
-        id: registry_case
-        uses: ASzc/change-string-case-action@v6
-        with:
-          string: ${{ env.IMAGE_REGISTRY }}
-
-      - name: Lowercase Image
-        id: image_case
-        uses: ASzc/change-string-case-action@v6
-        with:
-          string: ${{ env.IMAGE_NAME }}
-
+      
       - name: Install qemu dependency
         run: |
           sudo apt-get update
@@ -137,36 +124,42 @@ jobs:
           archs: ${{ matrix.arch }}
           build-args: |
             IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }}
-            IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }}
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       # Push the image to GHCR (Image Registry)
       - name: Push To GHCR
         uses: redhat-actions/push-to-registry@v2
         id: push
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        env:
-          REGISTRY_USER: ${{ github.actor }}
-          REGISTRY_PASSWORD: ${{ github.token }}
         with:
           image: ${{ steps.build_image.outputs.image }}
           tags: ${{ steps.build_image.outputs.tags }}
-          registry: ${{ steps.registry_case.outputs.lowercase }}
+          registry: ${{ env.IMAGE_REGISTRY }}
           username: ${{ env.REGISTRY_USER }}
           password: ${{ env.REGISTRY_PASSWORD }}
-          extra-args: |
-            --disable-content-trust
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Echo outputs
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
         run: |
           echo "${{ toJSON(steps.push.outputs) }}"
+          
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign --yes ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
diff --git a/Containerfile b/Containerfile
@@ -1,5 +1,5 @@
 ARG IMAGE_MAJOR_VERSION=39
-ARG BASE_IMAGE_URL=quay.io/fedora/fedora-silverblue
+ARG BASE_IMAGE_URL=quay.io/fedora-ostree-desktops/base
 
 FROM registry.fedoraproject.org/fedora:${IMAGE_MAJOR_VERSION} AS cosmic-builder
 
@@ -47,15 +47,7 @@ RUN git clone --recurse-submodules https://github.com/pop-os/system76-wallpapers
 
 
 FROM ${BASE_IMAGE_URL}:${IMAGE_MAJOR_VERSION}
-ARG IMAGE_REGISTRY=ghcr.io/drakulix
 
-RUN rpm-ostree uninstall gnome-control-center gnome-control-center-filesystem gnome-shell mutter gdm gnome-shell-extension-common gnome-session gnome-session-xsession gnome-classic-session gnome-session-wayland-session gnome-initial-setup gnome-shell-extension-background-logo gnome-shell-extension-window-list gnome-shell-extension-places-menu gnome-browser-connector gnome-shell-extension-launch-new-instance gnome-shell-extension-apps-menu xdg-desktop-portal-gnome yelp xorg-x11-xinit ibus ibus-anthy ibus-hangul ibus-anthy-python ibus-libpinyin ibus-libzhuyin ibus-m17n ibus-setup ibus-typing-booster
-# aarch specific
-RUN if [ `uname -m` == "aarch64" ]; then rpm-ostree uninstall xorg-x11-server-Xorg xorg-x11-drv-nouveau xorg-x11-drv-wacom xorg-x11-drv-qxl xorg-x11-drv-libinput xorg-x11-drv-amdgpu xorg-x11-drv-fbdev xorg-x11-drv-evdev xorg-x11-drv-ati xorg-x11-drv-armsoc; fi
-RUN if [ `uname -m` == "x86_64" ]; then rpm-ostree uninstall xorg-x11-server-Xorg xorg-x11-drv-nouveau xorg-x11-drv-wacom xorg-x11-drv-qxl xorg-x11-drv-libinput xorg-x11-drv-amdgpu xorg-x11-drv-fbdev xorg-x11-drv-evdev xorg-x11-drv-ati xorg-x11-drv-intel xorg-x11-drv-openchrome xorg-x11-drv-vesa xorg-x11-drv-vmware; fi
-
-# Silverblue packages, we want as well, once we can swap to a proper base image
-# RUN rpm-ostree install ModemManager NetworkManager-adsl NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-ppp NetworkManager-wwan adobe-source-code-pro-fonts at-spi2-atk at-spi2-core avahi dconf fprintd-pam glx-utils gnome-software gvfs-afc gvfs-afp gvfs-archive gvfs-fuse gvfs-goa gvfs-gphoto2 gvfs-mtp gvfs-smb librsvg2 libsane-hpaio mesa-dri-drivers mesa-libEGL mesa-vulkan-drivers nautilus orca plymouth-system-theme polkit rygel systemd-oomd-defaults tracker tracker-miners xdg-user-dirs-gtk 
 
 # Cosmic dependencies
 RUN rpm-ostree install \
@@ -97,7 +89,7 @@ RUN ln -s /usr/bin/pop-launcher /usr/lib/pop-launcher/plugins/web/web
 
 COPY --from=wallpapers-builder /system76-wallpapers/backgrounds /usr/share/backgrounds/pop
 
-RUN rm /etc/systemd/system/display-manager.service && ln -s /usr/lib/systemd/system/cosmic-greeter.service /etc/systemd/system/display-manager.service
+RUN ln -s /usr/lib/systemd/system/cosmic-greeter.service /etc/systemd/system/display-manager.service
 RUN rm -rf /var/lib/greetd
 
 RUN rpm-ostree cleanup -m && ostree container commit

diff --git a/desc.yml b/desc.yml
@@ -1,3 +1,5 @@
 name: infinity
+title: infinity
 description: Fedora based ostree image with the COSMIC desktop environment
+image-registry: ghcr.io
 image-version: 39