chore: Cleanup images and use hash for exports tag (#158)

I noticed that making changes to the exports script before a release
could cause modules to not build properly if breaking changes got pushed
out. To prevent this, I'm making it so that the hash of the commit is
put in the tag for the exports script image and that the CLI tool will
use that hash when building the `Containerfile`.

.github/workflows/build-pr.yml

@@ -14,6 +14,8 @@ jobs:
   build:
     timeout-minutes: 60
     runs-on: ubuntu-latest
+    outputs:
+      export: ${{ steps.build.outputs.export }}
 
     steps:
       - name: Maximize build space
@@ -23,8 +25,6 @@ jobs:
         if: env.EARTHLY_SAT_TOKEN == null
 
       - uses: earthly/actions-setup@v1
-        with:
-          version: v0.8.4
 
       - name: Earthly login
         env:
@@ -39,8 +39,22 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.ref }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        if: github.token != null
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
       - name: Run build
-        run: earthly --ci +build
+        id: build
+        run: |
+          if [ -n "${{ github.token }}" ]; then
+            earthly --ci --push +exports-script
+            echo "export=true" >> "$GITHUB_OUTPUT"
+          fi
+          earthly --ci +build
 
   integration-tests:
     permissions:
@@ -49,14 +63,16 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - build
+    if: needs.build.outputs.export == 'true'
 
     steps:
       - name: Maximize build space
         uses: ublue-os/remove-unwanted-software@v6
+        env:
+          EARTHLY_SAT_TOKEN: ${{ secrets.EARTHLY_SAT_TOKEN }}
+        if: env.EARTHLY_SAT_TOKEN == null
 
       - uses: earthly/actions-setup@v1
-        with:
-          version: v0.8.4
 
       - name: Earthly login
         env:
@@ -73,7 +89,6 @@ jobs:
           ref: ${{ github.event.pull_request.ref }}
 
       - name: Run integration tests
-        if: github.repository == 'blue-build/cli'
         run: earthly --ci -P ./integration-tests+all
 
   docker-build:
@@ -85,6 +100,7 @@ jobs:
       id-token: write
     needs:
       - build
+    if: needs.build.outputs.export == 'true'
 
     steps:
       - name: Maximize build space
@@ -92,8 +108,6 @@ jobs:
 
       - uses: sigstore/cosign-installer@v3.3.0
       - uses: earthly/actions-setup@v1
-        with:
-          version: v0.8.4
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -107,7 +121,7 @@ jobs:
         run: |
           earthly account login --token ${{ secrets.EARTHLY_SAT_TOKEN }} >> /dev/null
           earthly org s blue-build
-          earthly sat s blue-build-integration-tests
+          earthly sat s blue-build-pr
 
       - uses: actions/checkout@v4
         with:
@@ -115,7 +129,7 @@ jobs:
 
       - name: Install bluebuild
         run: |
-          earthly -a +install/bluebuild --BUILD_TARGET=x86_64-unknown-linux-musl /usr/local/bin/bluebuild
+          earthly -a +installer/bluebuild /usr/local/bin/bluebuild
 
       - name: Expose GitHub Runtime
         uses: crazy-max/ghaction-github-runtime@v3
@@ -130,8 +144,4 @@ jobs:
           cd integration-tests/test-repo
           bluebuild template -vv | tee Containerfile
           grep -q 'ARG IMAGE_REGISTRY=ghcr.io/blue-build' Containerfile || exit 1
-          if [ -n "$GH_TOKEN" ] && [ -n "$COSIGN_PRIVATE_KEY" ]; then
-            bluebuild build --push -vv
-          else
-            bluebuild build -vv
-          fi
+          bluebuild build --push -vv

.github/workflows/build.yml

@@ -28,8 +28,6 @@ jobs:
         if: env.EARTHLY_SAT_TOKEN == null
 
       - uses: earthly/actions-setup@v1
-        with:
-          version: v0.8.4
 
       - name: Earthly login
         env:
@@ -56,21 +54,27 @@ jobs:
         if: github.repository == 'blue-build/cli'
         run: earthly --push --ci +build
 
+      - name: Run build fork
+        if: github.repository != 'blue-build/cli'
+        run: earthly --ci +build
+
   integration-tests:
     permissions:
       packages: write
     timeout-minutes: 60
     runs-on: ubuntu-latest
+    if: github.repository == 'blue-build/cli'
     needs:
       - build
 
     steps:
       - name: Maximize build space
         uses: ublue-os/remove-unwanted-software@v6
+        env:
+          EARTHLY_SAT_TOKEN: ${{ secrets.EARTHLY_SAT_TOKEN }}
+        if: env.EARTHLY_SAT_TOKEN == null
 
       - uses: earthly/actions-setup@v1
-        with:
-          version: v0.8.4
 
       - name: Earthly login
         env:
@@ -97,6 +101,7 @@ jobs:
       contents: read
       packages: write
       id-token: write
+    if: github.repository == 'blue-build/cli'
     needs:
       - build
 
@@ -106,8 +111,6 @@ jobs:
 
       - uses: sigstore/cosign-installer@v3.3.0
       - uses: earthly/actions-setup@v1
-        with:
-          version: v0.8.4
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -121,7 +124,7 @@ jobs:
         run: |
           earthly account login --token ${{ secrets.EARTHLY_SAT_TOKEN }} >> /dev/null
           earthly org s blue-build
-          earthly sat s blue-build-integration-tests
+          earthly sat s blue-build-main
 
       - uses: actions/checkout@v4
         with:
@@ -129,7 +132,7 @@ jobs:
 
       - name: Install bluebuild
         run: |
-          earthly -a +install/bluebuild --BUILD_TARGET=x86_64-unknown-linux-musl /usr/local/bin/bluebuild
+          earthly -a +installer/bluebuild /usr/local/bin/bluebuild
 
       - name: Expose GitHub Runtime
         uses: crazy-max/ghaction-github-runtime@v3

Earthfile

@@ -41,7 +41,9 @@ exports-script:
 	LABEL org.opencontainers.image.source="https://github.com/blue-build/cli"
 	COPY exports.sh /
 	RUN chmod +x exports.sh
-	SAVE IMAGE --push $IMAGE:exports
+
+	ARG EARTHLY_GIT_HASH
+	SAVE IMAGE --push $IMAGE:$EARTHLY_GIT_HASH-exports
 
 common:
 	FROM ghcr.io/blue-build/earthly-lib/cargo-builder
@@ -52,6 +54,8 @@ common:
 	COPY --keep-ts *.md /app
 	COPY --keep-ts LICENSE /app
 	COPY --keep-ts build.rs /app
+	COPY --keep-ts --dir .git/ /app
+	RUN touch build.rs
 
 	DO cargo+INIT
 
@@ -77,14 +81,23 @@ blue-build-cli:
 
 	COPY (+install/bluebuild --BUILD_TARGET="x86_64-unknown-linux-gnu") /usr/bin/bluebuild
 
-	ARG TAG
-	ARG LATEST=false
-
 	RUN mkdir -p /bluebuild
 	WORKDIR /bluebuild
 	ENTRYPOINT ["bluebuild"]
 
-	DO cargo+SAVE_IMAGE --IMAGE=$IMAGE --TAG=$TAG --LATEST=$LATEST
+	ARG TAG
+	ARG LATEST=false
+
+	IF [ -n "$TAG" ]
+		SAVE IMAGE --push $IMAGE:$TAG
+
+		IF [ "$LATEST" = "true" ]
+			SAVE IMAGE --push $IMAGE:latest
+		END
+	ELSE
+		ARG EARTHLY_GIT_BRANCH
+		SAVE IMAGE --push $IMAGE:$EARTHLY_GIT_BRANCH
+	END
 
 blue-build-cli-alpine:
 	FROM alpine
@@ -96,14 +109,22 @@ blue-build-cli-alpine:
 	COPY +cosign/cosign /usr/bin/cosign
 	COPY (+install/bluebuild --BUILD_TARGET="x86_64-unknown-linux-musl") /usr/bin/bluebuild
 
-	ARG TAG
-	ARG LATEST=false
-
 	RUN mkdir -p /bluebuild
 	WORKDIR /bluebuild
 	ENTRYPOINT ["bluebuild"]
 
-	DO cargo+SAVE_IMAGE --IMAGE=$IMAGE --TAG=$TAG --LATEST=$LATEST --ALPINE=true
+	ARG TAG
+	IF [ -n "$TAG" ]
+		SAVE IMAGE --push $IMAGE:$TAG-alpine
+
+		ARG LATEST=false
+		IF [ "$LATEST" = "true" ]
+			SAVE IMAGE --push $IMAGE:latest-alpine
+		END
+	ELSE
+		ARG EARTHLY_GIT_BRANCH
+		SAVE IMAGE --push $IMAGE:$EARTHLY_GIT_BRANCH-alpine
+	END
 
 installer:
 	FROM alpine
@@ -114,8 +135,18 @@ installer:
 	CMD ["cat", "/install.sh"]
 
 	ARG TAG
-	ARG LATEST=false
-	DO cargo+SAVE_IMAGE --IMAGE=$IMAGE --TAG=$TAG --LATEST=$LATEST --INSTALLER=true
+	IF [ -n "$TAG" ]
+		SAVE IMAGE --push $IMAGE:$TAG-installer
+
+		ARG LATEST=false
+		IF [ "$LATEST" = "true" ]
+			SAVE IMAGE --push $IMAGE:latest-installer
+		END
+	ELSE
+		ARG EARTHLY_GIT_BRANCH
+		SAVE IMAGE --push $IMAGE:$EARTHLY_GIT_BRANCH-installer
+	END
+	SAVE ARTIFACT /out/bluebuild
 
 cosign:
 	FROM gcr.io/projectsigstore/cosign

build.rs

@@ -7,12 +7,7 @@ fn main() -> SdResult<()> {
     shadow_rs::new_hook(hook)
 }
 
-fn hook(file: &File) -> SdResult<()> {
-    append_write_const(file)?;
-    Ok(())
-}
-
-fn append_write_const(mut file: &File) -> SdResult<()> {
+fn hook(mut file: &File) -> SdResult<()> {
     let hash = Command::new("git")
         .args(["rev-parse", "HEAD"])
         .output()

src/commands/template.rs

@@ -10,7 +10,7 @@ use clap::Args;
 use log::{debug, info, trace};
 use typed_builder::TypedBuilder;
 
-use crate::drivers::Driver;
+use crate::{drivers::Driver, shadow};
 
 use super::{BlueBuildCommand, DriverArgs};
 
@@ -86,6 +86,7 @@ impl TemplateCommand {
             .recipe(&recipe_de)
             .recipe_path(recipe_path.as_path())
             .registry(self.get_registry())
+            .exports_tag(shadow::BB_COMMIT_HASH)
             .build();
 
         let output_str = template.render()?;

template/src/lib.rs

@@ -27,6 +27,9 @@ pub struct ContainerFileTemplate<'a> {
 
     #[builder(setter(into))]
     registry: Cow<'a, str>,
+
+    #[builder(setter(into))]
+    exports_tag: Cow<'a, str>,
 }
 
 #[derive(Debug, Clone, Template, TypedBuilder)]

template/templates/modules/modules.j2

@@ -27,7 +27,7 @@ RUN \
       {%- if type == "akmods" %}
   --mount=type=bind,from=stage-akmods-{{ module.generate_akmods_info(os_version).stage_name }},src=/rpms,dst=/tmp/rpms,rw \
       {%- endif %}
-  --mount=type=bind,from=ghcr.io/blue-build/cli:exports,src=/exports.sh,dst=/tmp/exports.sh \
+  --mount=type=bind,from=ghcr.io/blue-build/cli:{{ exports_tag }}-exports,src=/exports.sh,dst=/tmp/exports.sh \
   --mount=type=cache,dst=/var/cache/rpm-ostree,id=rpm-ostree-cache-{{ recipe.name }}-{{ recipe.image_version }},sharing=locked \
   echo "========== Start {{ type|capitalize }} module ==========" \
   && chmod +x /tmp/modules/{{ type }}/{{ type }}.sh \