bluebuild #441
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: bluebuild | |
on: | |
schedule: | |
- cron: | |
"05 06 * * *" # build at 06:05 UTC every day | |
# (25 minutes after last ublue images start building) | |
push: | |
paths-ignore: | |
- "**.md" | |
- "build-isos" | |
- "**/trivy.yml" | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref || github.run_id }} | |
cancel-in-progress: true | |
env: | |
REPO_OWNER: ${{ github.repository_owner }} | |
jobs: | |
bluebuild: | |
name: Build Custom Image | |
runs-on: ubuntu-24.04 | |
permissions: | |
security-events: write | |
contents: read | |
packages: write | |
strategy: | |
fail-fast: true | |
matrix: | |
package: | |
- aubertit | |
- buttgenbachit | |
#- carbonatcyanotrichit | |
- flaviramea | |
steps: | |
- name: Maximize build space | |
uses: easimon/maximize-build-space@master | |
with: | |
remove-docker-images: true | |
overprovision-lvm: true | |
- name: Convert to compressed filesystem | |
shell: bash | |
run: | | |
# https://github.com/easimon/maximize-build-space/issues/23 | |
# https://github.com/easimon/maximize-build-space/pull/37 | |
WORKSPACE_OWNER="$(stat -c '%U:%G' "${GITHUB_WORKSPACE}")" | |
VG_NAME=buildvg | |
LV_NAME="/dev/mapper/${VG_NAME}-buildlv" | |
cd ~ | |
sudo umount "${LV_NAME}" | |
# https://github.com/radxa/armbian-compile-action/commit/82fe40188f2f3b4dbd4ae8fb9c64f49f117085c7 | |
sudo mkfs.btrfs -L buildlv -M -m single --force "${LV_NAME}" | |
sudo mount -o defaults,noatime,compress=zstd:3,discard=sync "${LV_NAME}" "${GITHUB_WORKSPACE}" | |
sudo chown -R "$WORKSPACE_OWNER" "${GITHUB_WORKSPACE}" | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Get default branch name | |
run: echo "DEFAULT_BRANCH=${{ github.event.repository.default_branch }}" >$GITHUB_ENV | |
- name: Check if on default (main) or test (rechunk) branch to rechunk it | |
run: | | |
if [[ "${{ github.ref_name }}" = "$DEFAULT_BRANCH" || "${{ github.ref_name }}" = 'rechunk' ]]; then | |
echo "IS_DEFAULT=true" >$GITHUB_ENV | |
else | |
echo "IS_DEFAULT=false" >$GITHUB_ENV | |
fi | |
- name: Build Custom Image | |
uses: blue-build/[email protected] | |
with: | |
rechunk: "${{ env.IS_DEFAULT }}" | |
recipe: recipe-${{ matrix.package }}.yml | |
cosign_private_key: ${{ secrets.SIGNING_SECRET }} | |
registry_token: ${{ github.token }} | |
pr_event_number: ${{ github.event.number }} | |
- name: Force repository owner to lowercase | |
run: echo "IMAGE_REF=ghcr.io/${REPO_OWNER@L}/${{ matrix.package }}" >> ${GITHUB_ENV} | |
- name: Generate SARIF for Custom Image with Trivy | |
uses: aquasecurity/[email protected] | |
with: | |
output: trivy-results.sarif | |
github-pat: ${{ secrets.GITHUB_TOKEN }} | |
image-ref: "${{ env.IMAGE_REF }}" | |
severity: MEDIUM,HIGH,CRITICAL | |
scan-type: image | |
scanners: vuln | |
format: sarif | |
env: | |
TRIVY_USERNAME: ${{ github.actor }} | |
TRIVY_PASSWORD: ${{ github.token }} | |
if: env.IS_DEFAULT == 'true' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
category: trivy-${{ matrix.package }} | |
sarif_file: trivy-results.sarif | |
if: env.IS_DEFAULT == 'true' |