-
Notifications
You must be signed in to change notification settings - Fork 0
77 lines (72 loc) · 2.83 KB
/
Copy pathbuild.yml
File metadata and controls
77 lines (72 loc) · 2.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
name: bluebuild
on:
schedule:
- cron:
"00 06 * * *" # build at 06:00 UTC every day
# (20 minutes after last ublue images start building)
push:
branches: [main] # feature branches build via pull_request; only main publishes
paths-ignore: # don't rebuild if only documentation has changed
- "**.md"
pull_request:
workflow_dispatch: # allow manually triggering builds
concurrency:
# only run one build at a time
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
cancel-in-progress: true
jobs:
bluebuild:
name: Build Custom Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false # stop GH from cancelling all matrix builds if one fails
matrix:
recipe:
# !! Add your recipes here
- recipe-gnome.yml
- recipe-gnome-nvidia.yml
steps:
# Check out ourselves first so the kernel signing key is in the workspace
# before the build action runs (it skips its own checkout below).
- uses: actions/checkout@v7
with:
persist-credentials: false
# Materialize the Secure Boot (MOK) private key the recipes mount as a
# build secret to sign the CachyOS kernel and the nvidia modules. Stored
# base64-encoded in the KERNEL_SIGNING_SECRET repo secret; the public cert
# is committed in the image tree. See `just generate-secureboot-key`.
- name: Extract kernel signing key
shell: bash
env:
KERNEL_SIGNING_SECRET: ${{ secrets.KERNEL_SIGNING_SECRET }}
run: |
if [ -z "${KERNEL_SIGNING_SECRET}" ]; then
echo "::error::KERNEL_SIGNING_SECRET is not set (run 'just generate-secureboot-key' and add it)." >&2
exit 1
fi
echo "${KERNEL_SIGNING_SECRET}" | base64 -d > MOK.priv
# the build is fully handled by the reusable github action
- name: Build Custom Image
uses: blue-build/github-action@v1.11
with:
recipe: ${{ matrix.recipe }}
cosign_private_key: ${{ secrets.SIGNING_SECRET }}
registry_token: ${{ github.token }}
pr_event_number: ${{ github.event.number }}
# We checked out above (to stage MOK.priv); don't let the action wipe it.
skip_checkout: true
# enabled by default, disable if your image is small and you want faster builds
maximize_build_space: true
generate-release:
name: Generate Release
needs: bluebuild
# Only on main: PRs don't publish images to diff, and pushes to feature
# branches must not create releases or re-point the release tag.
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
permissions:
contents: write
uses: ./.github/workflows/generate_release.yml