feat(ublue-builder): add aarch64 builds #17

Workflow file for this run

.github/workflows/builder.yml at 98a6c20

	name: Build ublue-builder
	on:
	workflow_dispatch: # allow manually triggering builds
	pull_request:
	branches:
	- main
	paths:
	- 'ublue-builder/*'
	push:
	branches:
	- main
	paths:
	- 'ublue-builder/*'
	schedule:
	- cron: '0 0 * * TUE'

	env:
	IMAGE_NAME: ublue-builder-test
	IMAGE_DESC: "Builder image for Universal Blue package building"
	IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}"
	DEFAULT_TAG: "latest"
	PLATFORMS: "amd64,arm64"

	jobs:
	generate_matrix:
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	steps:
	- name: Set matrix
	id: set-matrix
	run: \|
	# turn the comma separated string into a list
	platforms=()
	IFS=',' read -r -a platforms <<< "${{ env.PLATFORMS }}"

	MATRIX="{\"include\":[]}"
	for platform in "${platforms[@]}"; do
	MATRIX=$(echo $MATRIX \| jq ".include += [{\"platform\": \"$platform\"}]")
	done
	echo "matrix=$(echo $MATRIX \| jq -c '.')" >> $GITHUB_OUTPUT

	build_push:
	name: Build and push image
	runs-on: ${{ matrix.platform == 'amd64' && 'ubuntu-24.04' \|\| 'ubuntu-24.04-arm' }}
	timeout-minutes: 30
	needs: generate_matrix
	permissions:
	contents: read
	packages: write
	id-token: write
	strategy:
	fail-fast: false
	matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Install dependencies
	if: matrix.platform == 'arm64'
	run: \|
	sudo apt update -y
	sudo apt install -y \
	podman

	- name: Build Image
	id: build_image
	uses: redhat-actions/buildah-build@v2
	with:
	containerfiles: \|
	./${{ env.IMAGE_NAME }}/Containerfile
	image: ${{ env.IMAGE_NAME }}
	tags: ${{ env.DEFAULT_TAG }}
	labels: ${{ steps.meta.outputs.labels }}
	oci: true

	- name: Push to GHCR
	# if: github.event_name != 'pull_request'
	id: push
	env:
	IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}
	IMAGE_NAME: ${{ env.IMAGE_NAME }}
	IMAGE_DIGEST: ${{ steps.build_image.outputs.digest }}
	PLATFORM: ${{ matrix.platform }}
	run: \|
	set -x
	sudo podman tag ${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}:${DEFAULT_TAG} $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM
	for i in {1..3}; do
	sudo podman push --digestfile=/tmp/digestfile $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM && break \|\| sleep $((5 * i));
	done
	REMOTE_IMAGE_DIGEST=$(cat /tmp/digestfile)
	echo "remote_image_digest=$REMOTE_IMAGE_DIGEST" >> $GITHUB_OUTPUT
	cat /tmp/digestfile

	- name: Install Cosign
	uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
	# if: github.event_name != 'pull_request'

	- name: Sign Image
	# if: github.event_name != 'pull_request'
	run: \|
	IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}"
	cosign sign -y --key env://COSIGN_PRIVATE_KEY ${IMAGE_FULL}@${{ steps.push.outputs.remote_image_digest }}
	env:
	TAGS: ${{ steps.push.outputs.digest }}
	COSIGN_EXPERIMENTAL: false
	COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

	- name: Create Job Outputs
	# if: github.event_name != 'pull_request'
	env:
	IMAGE_NAME: ${{ env.IMAGE_NAME }}
	PLATFORM: ${{ matrix.platform }}
	DIGEST: ${{ steps.push.outputs.remote_image_digest }}
	run: \|
	mkdir -p /tmp/outputs/digests
	echo "${DIGEST}" > /tmp/outputs/digests/${IMAGE_NAME}-${PLATFORM}.txt

	- name: Upload Output Artifacts
	# if: github.event_name != 'pull_request'
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
	with:
	name: ${{ env.IMAGE_NAME }}-${{ matrix.platform }}
	retention-days: 1
	if-no-files-found: error
	path: \|
	/tmp/outputs/digests/*.txt

	manifest:
	name: Create shared manifest
	runs-on: ubuntu-latest
	if: always()
	needs:
	- generate_matrix
	- build_push
	container:
	image: quay.io/fedora/fedora:41
	options: --privileged --security-opt seccomp=unconfined
	permissions:
	contents: read
	packages: write
	id-token: write
	outputs:
	image: ${{ steps.push_manifest.outputs.IMAGE }}
	digest: ${{ steps.push_manifest.outputs.DIGEST }}
	steps:
	- name: Install dependencies
	run: \|
	dnf install -y \
	jq \
	git

	dnf copr enable -y rhcontainerbot/podman-next
	dnf install -y podman

	- name: Exit on failure
	env:
	JOBS: ${{ toJson(needs) }}
	run: \|
	echo "Job status:"
	echo $JOBS \| jq -r 'to_entries[] \| " - \(.key): \(.value.result)"'

	for i in $(echo $JOBS \| jq -r 'to_entries[] \| .value.result'); do
	if [ "$i" != "success" ] && [ "$i" != "skipped" ]; then
	echo ""
	echo "Status check not okay!"
	exit 1
	fi
	done

	- name: Get current date
	id: date
	run: \|
	# Should generate a timestamp like what is defined on the ArtifactHub documentation
	# E.G: 2022-02-08T15:38:15Z'
	# https://artifacthub.io/docs/topics/repositories/container-images/
	# https://linux.die.net/man/1/date
	echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT

	- name: Image Metadata
	uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
	id: metadata
	with:
	tags: \|
	type=raw,value=latest
	type=ref,event=pr
	labels: \|
	io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
	org.opencontainers.image.created=${{ steps.date.outputs.date }}
	org.opencontainers.image.description=${{ env.IMAGE_DESC }}
	org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
	org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile
	org.opencontainers.image.title=${{ env.IMAGE_NAME }}
	org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
	org.opencontainers.image.vendor=${{ github.repository_owner }}
	org.opencontainers.image.version=${{ env.DEFAULT_TAG }}
	io.artifacthub.package.deprecated=false
	io.artifacthub.package.keywords=ublue,universal-blue,copr,fedora
	io.artifacthub.package.license=Apache-2.0
	io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
	io.artifacthub.package.maintainers=[{\"name\":\"tulilirockz\",\"email\":\"tulilirockz@outlook.com\"}]

	- name: Fetch Build Outputs
	# if: github.event_name != 'pull_request'
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	pattern: ${{ env.IMAGE_NAME }}-*
	merge-multiple: true
	path: /tmp/artifacts

	- name: Load Outputs
	if: github.event_name != 'pull_request'
	id: load-outputs
	run: \|
	DIGESTS_JSON=$(jq -n '{}')
	for digest_file in /tmp/artifacts/*.txt; do
	# Extract the platform from the file name
	PLATFORM=$(basename $digest_file \| rev \| cut -d'-' -f1 \| rev \| cut -d'.' -f1)
	DIGEST=$(cat $digest_file)
	# Add the platform and digest to the JSON object
	DIGESTS_JSON=$(echo "$DIGESTS_JSON" \| jq --arg key "$PLATFORM" --arg value "$DIGEST" '. + {($key): $value}')
	done
	echo "DIGESTS_JSON=$(echo $DIGESTS_JSON \| jq -c '.')" >> $GITHUB_OUTPUT

	- name: Create Manifest
	if: github.event_name != 'pull_request'
	id: create-manifest
	run: \|
	podman manifest create ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
	echo "MANIFEST=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT

	- name: Populate Manifest
	if: github.event_name != 'pull_request'
	env:
	MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }}
	DIGESTS_JSON: ${{ steps.load-outputs.outputs.DIGESTS_JSON }}
	LABELS: ${{ steps.metadata.outputs.labels }}
	run: \|
	DIGESTS=$(echo "$DIGESTS_JSON" \| jq -c '.')
	# turn the comma separated string into a list
	platforms=()
	IFS=',' read -r -a platforms <<< "${{ inputs.platforms }}"
	for platform in ${platforms[@]}; do
	digest=$(echo $DIGESTS \| jq -r ".$platform")
	echo "Adding ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest for $platform"
	podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest --arch $platform
	done

	# Apply the labels to the manifest (separated by newlines)
	while IFS= read -r label; do
	echo "Applying label $label to manifest"
	podman manifest annotate --index --annotation "$label" $MANIFEST
	done <<< "$LABELS"

	- name: Login to GHCR
	if: github.event_name != 'pull_request'
	run: echo ${{ secrets.GITHUB_TOKEN }} \| podman login -u ${{ github.actor }} --password-stdin ghcr.io

	- name: Push Manifest
	if: github.event_name != 'pull_request'
	id: push_manifest
	env:
	MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }}
	TAGS: ${{ steps.metadata.outputs.tags }}
	IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}
	IMAGE_NAME: ${{ env.IMAGE_NAME }}
	run: \|
	while IFS= read -r tag; do
	podman manifest push --all=false --digestfile=/tmp/digestfile $MANIFEST $IMAGE_REGISTRY/$IMAGE_NAME:$tag
	done <<< "$TAGS"

	DIGEST=$(cat /tmp/digestfile)
	echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
	echo "IMAGE=$IMAGE_REGISTRY/$IMAGE_NAME" >> $GITHUB_OUTPUT

	# Cosign throws errors when ran inside the Fedora container for one reason or another
	# so we move this to another step in order to run on Ubuntu
	sign:
	needs: manifest
	# if: github.event_name != 'pull_request'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	id-token: write
	steps:
	- name: Login to GHCR
	run: \|
	echo ${{ secrets.GITHUB_TOKEN }} \| docker login -u ${{ github.actor }} --password-stdin ghcr.io
	echo ${{ secrets.GITHUB_TOKEN }} \| podman login -u ${{ github.actor }} --password-stdin ghcr.io

	- name: Install Cosign
	uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0

	- name: Sign Manifest
	run: \|
	cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE@$DIGEST
	env:
	DIGEST: ${{ needs.manifest.outputs.digest }}
	IMAGE: ${{ needs.manifest.outputs.image }}
	COSIGN_EXPERIMENTAL: false
	COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(ublue-builder): add aarch64 builds #17

Workflow file

feat(ublue-builder): add aarch64 builds #17

Jobs

Run details

Workflow file for this run