Skip to content

Build FCOS

Build FCOS #32

# Adapted from https://github.com/ItalyPaleAle/fcos-layers/blob/main/.github/workflows/build-containers.yaml
# This builds a single image called "fcos" which contains all the additional layers I want in my setup.
#
name: "Build FCOS"
on:
schedule:
# https://crontab.guru/#00_01_*_*_1
- cron: '00 01 * * 1'
# To enable rebuilding every time a commit is pushed to main
# push:
# branches: [ "main" ]
workflow_dispatch:
env:
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
# Ensure that IMAGE_NAME is all lowercase
- name: Lowercase IMAGE_NAME
run: |
echo "IMAGE_NAME=${IMAGE_NAME,,}" >>${GITHUB_ENV}
# Gets the version of Fedora distribution used in the Fedora CoreOS base image
- name: Set BUILDER_VERSION
run: |
echo "BUILDER_VERSION=$(curl -s "https://builds.coreos.fedoraproject.org/streams/stable.json" | jq -r '.architectures.x86_64.artifacts.metal.release' | cut -d '.' -f 1)" >> "$GITHUB_ENV"
# Install the cosign tool
# https://github.com/sigstore/cosign-installer
- name: Install cosign
uses: sigstore/cosign-installer@main
# with: # Use latest
# cosign-release: 'v2.2.0'
# Add support for building for other platforms with QEMU
# https://github.com/docker/setup-qemu-action
- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: "linux/amd64,linux/arm64"
# Set up BuildKit Docker container builder to be able to build multi-platform images and export cache
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
# Login against a Docker registry
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata for Docker image for base
# https://github.com/docker/metadata-action
- name: "Extract metadata"
id: meta
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/fcos
tags: |
type=raw,value=stable,enable={{is_default_branch}}
type=raw,value=latest,enable={{is_default_branch}}
type=schedule,pattern={{date 'YYYYMMDD'}}
# Build and push Docker image for base
# For linux/amd64 only
# https://github.com/docker/build-push-action
- name: "Build and push"
id: build-and-push-zfs
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: ./build/fcos-zfs
push: true
# NOTE: ARM64 takes too long to run on github free agents. (5+ hours): Must be built by an ARM64 host.
platforms: "linux/amd64"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
file: ./build/fcos-zfs/Dockerfile
cache-from: type=gha
cache-to: type=gha,mode=max
# Sign the resulting Docker images digests.
# This will only write to the public Rekor transparency log when the Docker repository is public to avoid leaking data.
# https://github.com/sigstore/cosign
- name: "Sign images"
env:
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push-zfs.outputs.digest }}
# This step uses the identity token to provision an ephemeral certificate against the sigstore community Fulcio instance.
run: |
echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}