bluebuild #98
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: bluebuild | |
| on: | |
| schedule: | |
| - cron: | |
| "00 06 * * *" # build at 06:00 UTC every day | |
| # (20 minutes after last ublue images start building) | |
| push: | |
| branches: [main] # feature branches build via pull_request; only main publishes | |
| paths-ignore: # don't rebuild if only documentation has changed | |
| - "**.md" | |
| pull_request: | |
| workflow_dispatch: # allow manually triggering builds | |
| concurrency: | |
| # only run one build at a time | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| bluebuild: | |
| name: Build Custom Image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false # stop GH from cancelling all matrix builds if one fails | |
| matrix: | |
| recipe: | |
| # !! Add your recipes here | |
| - recipe-gnome.yml | |
| - recipe-gnome-nvidia.yml | |
| steps: | |
| # Check out ourselves first so the kernel signing key is in the workspace | |
| # before the build action runs (it skips its own checkout below). | |
| - uses: actions/checkout@v7 | |
| with: | |
| persist-credentials: false | |
| # Materialize the Secure Boot (MOK) private key the recipes mount as a | |
| # build secret to sign the CachyOS kernel and the nvidia modules. Stored | |
| # base64-encoded in the KERNEL_SIGNING_SECRET repo secret; the public cert | |
| # is committed in the image tree. See `just generate-secureboot-key`. | |
| - name: Extract kernel signing key | |
| shell: bash | |
| env: | |
| KERNEL_SIGNING_SECRET: ${{ secrets.KERNEL_SIGNING_SECRET }} | |
| run: | | |
| if [ -z "${KERNEL_SIGNING_SECRET}" ]; then | |
| echo "::error::KERNEL_SIGNING_SECRET is not set (run 'just generate-secureboot-key' and add it)." >&2 | |
| exit 1 | |
| fi | |
| echo "${KERNEL_SIGNING_SECRET}" | base64 -d > MOK.priv | |
| # the build is fully handled by the reusable github action | |
| - name: Build Custom Image | |
| uses: blue-build/github-action@v1.11 | |
| with: | |
| recipe: ${{ matrix.recipe }} | |
| cosign_private_key: ${{ secrets.SIGNING_SECRET }} | |
| registry_token: ${{ github.token }} | |
| pr_event_number: ${{ github.event.number }} | |
| # We checked out above (to stage MOK.priv); don't let the action wipe it. | |
| skip_checkout: true | |
| # enabled by default, disable if your image is small and you want faster builds | |
| maximize_build_space: true | |
| generate-release: | |
| name: Generate Release | |
| needs: bluebuild | |
| # Only on main: PRs don't publish images to diff, and pushes to feature | |
| # branches must not create releases or re-point the release tag. | |
| if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' | |
| permissions: | |
| contents: write | |
| uses: ./.github/workflows/generate_release.yml |