--- name: Build Custom Image on: pull_request: branches: - main schedule: - cron: '05 10 * * *' # 10:05am UTC everyday push: branches: - main paths-ignore: - '**/README.md' workflow_dispatch: env: MY_IMAGE_NAME: "${{ github.event.repository.name }}" # the name of the image produced by this build, matches repo names MY_IMAGE_DESC: "My Customized Universal Blue Image" IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit ARTIFACTHUB_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4" # You should put your own image here so that you get a fancy profile image on https://artifacthub.io/! concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.brand_name}}-${{ inputs.stream_name }} cancel-in-progress: true jobs: build_push: name: Build and push image runs-on: ubuntu-24.04 permissions: contents: read packages: write id-token: write steps: # These stage versions are pinned by https://github.com/renovatebot/renovate - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Get current date id: date run: | # This generates a timestamp like what is defined on the ArtifactHub documentation # E.G: 2022-02-08T15:38:15Z' # https://artifacthub.io/docs/topics/repositories/container-images/ # https://linux.die.net/man/1/date echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT # Image metadata for https://artifacthub.io/ - This is optional but is highly recommended so we all can get a index of all the custom images # The metadata by itself is not going to do anything, you choose if you want your image to be on ArtifactHub or not. - name: Image Metadata uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 id: metadata with: # This generates all the tags for your image, you can add custom tags here too! # By default, it should generate "latest" and "latest.(date here)". tags: | type=raw,value=latest type=raw,value=latest.{{date 'YYYYMMDD'}} type=raw,value={{date 'YYYYMMDD'}} type=sha,enable=${{ github.event_name == 'pull_request' }} type=ref,event=pr labels: | io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md org.opencontainers.image.created=${{ steps.date.outputs.date }} org.opencontainers.image.description=${{ env.IMAGE_DESC }} org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} org.opencontainers.image.vendor=${{ github.repository_owner }} org.opencontainers.image.version=latest io.artifacthub.package.deprecated=false io.artifacthub.package.keywords=bootc,ublue,universal-blue io.artifacthub.package.license=Apache-2.0 io.artifacthub.package.logo-url=${{ env.ARTIFACTHUB_LOGO_URL }} io.artifacthub.package.prerelease=false containers.bootc=1 sep-tags: " " sep-annotations: " " - name: Build Image id: build_image uses: redhat-actions/buildah-build@v2 with: containerfiles: | ./Containerfile # Postfix image name with -custom to make it a little more descriptive # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format image: ${{ env.IMAGE_NAME }} tags: ${{ steps.metadata.outputs.tags }} labels: ${{ steps.metadata.outputs.labels }} oci: false # These `if` statements are so that pull requests for your custom images do not make it publish any packages under your name without you knowing # They also check if the runner is on the default branch so that things like the merge queue (if you enable it), are going to work - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Push To GHCR uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: push with: registry: ${{ env.IMAGE_REGISTRY }} image: ${{ env.IMAGE_NAME }} tags: ${{ steps.metadata.outputs.tags }} # This section is optional and only needs to be enabled if you plan on distributing # your project for others to consume. You will need to create a public and private key # using Cosign and save the private key as a repository secret in Github for this workflow # to consume. For more details, review the image signing section of the README. - name: Install Cosign uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - name: Sign container image if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) run: | IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}" for tag in ${{ steps.metadata.outputs.tags }}; do cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag done env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}