To keep things as consistent as possible, we're switching to using the
GITHUB_TOKEN env var for login instead. Env vars were also all pulled
out into their own constants to make things more consistent.
This change also includes prioritizing public/private key signing over
OIDC keyless for GitHub for an easier transition. It would require the
user to delete their `cosign.pub` file from their repo in order to start
using the keyless method.
Trailing newlines are something that we will never need as
information, so they can only cause issues with parsing YAML values.
I scratched my head for 10 minutes over why my variable had a trailing
newline when I use `readarray -t` everywhere. Then I remembered the
`get_yaml_array` function.
This should not affect current working modules at all, but it would be
good to test before landing.
Co-authored-by: Gerald Pinder <gmpinder@gmail.com>
After setting up the tmpfs mount for /var, rpm-ostree started to not
have cache throughout the single build. This creates a cache for
rpm-ostree that is tied to the specific recipe being built. This will
allow subsequent builds of a recipe to be faster and not interfere with
the cache of another recipe, especially if they are on different OS
versions.
The `SIGSTORE_ID_TOKEN` env var is not declared inside of GitHub
Actions; however, the block that does OIDC signing requires it. This
changes it so that it matches for `GITHUB_TOKEN` in the second block
instead of `SIGSTORE_ID_TOKEN`, (hopefully) using OIDC instead of pubkey
auth.
This allows scripts to create as many files as they need in /tmp and
/var without having to worry about them being included in the final
image. Now the last instruction will only be the ostree container commit
required for running the bluebuild CLI directly from podman (needed for
the latest version of bluebuild for the GitHub Action).
---------
Co-authored-by: Gerald Pinder <gmpinder@gmail.com>
This change will follow the pattern that was established with the GitLab
pipeline. Users will be able to have their images signed by GitHub's
OIDC. This will allow users to rebase directly onto a signed image and
forego using the signing module.
This allows us to prevent creating extra layers just to run the modules.
Using the bind mount, we are able to connect to a working container that
holds the files needed for building.
In https://github.com/ublue-os/bling/blob/main/Containerfile, the
Containerfile copies an empty folder to these locations for backwards
compatibility. `/tmp/files` and `/tmp/rpms` have been deprecated from
bling; all of the RPMs have mostly moved to COPR or ublue-os/config.
Co-authored-by: Gerald Pinder <gmpinder@gmail.com>
## Goals
This PR adds snippets, which are being discussed in #41.
It will generate snippet lines for *ONLY* our containerfile module.
- [x] allow for modules to specify snippets
- [x] append snippets to module run inside Containerfile
- [ ] write supporting test
## Preview
Recipe.yml
```yml
# image will be published to ghcr.io/<user>/<name>
name: orora
description: A starting point for further customization of uBlue images. Make your own! https://ublue.it/making-your-own/
base-image: ghcr.io/ublue-os/silverblue-main
image-version: latest # latest is also supported if you want new updates ASAP
modules:
  - type: signing
    snippets:
      - COPY --from=ghcr.io/blue-build/cli:latest-installer /out/BLUEBUILD /usr/bin/BLUEBUILD
```
Generated Containerfile snippet
```docker
RUN chmod +x /tmp/modules/signing/signing.sh && source /tmp/exports.sh && /tmp/modules/signing/signing.sh '{"type":"signing","snippets":["COPY --from=ghcr.io/blue-build/cli:latest-installer /out/BLUEBUILD /usr/bin/BLUEBUILD"]}'
COPY --from=ghcr.io/blue-build/cli:latest-installer /out/BLUEBUILD /usr/bin/BLUEBUILD
```
---------
Co-authored-by: Gerald Pinder <gmpinder@gmail.com>
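The snippet generation outlined in the Goals above, written out as an added example; this is not the BlueBuild CLI's own code (which is Rust), and it assumes the module script path convention `/tmp/modules/<type>/<type>.sh` and the `source /tmp/exports.sh` step shown in the preview. The recipe module is constructed inline to mirror the preview. The security-relevant detail is that the module config is passed to the script as a single shell argument, so it is shell-quoted rather than interpolated raw: a recipe value containing a `'` or `$` stays data instead of becoming part of the `RUN` command.

```python
import json
import shlex

# Assumed path conventions, taken from the preview's generated RUN line.
MODULES_DIR = "/tmp/modules"
EXPORTS_SCRIPT = "/tmp/exports.sh"


def module_run_line(module: dict) -> str:
    """Build the RUN instruction that executes a module script with its JSON config.

    The whole module dict is serialised compactly and shell-quoted so that
    recipe-controlled strings cannot break out of the single argument.
    """
    module_type = module["type"]
    script = f"{MODULES_DIR}/{module_type}/{module_type}.sh"
    config = json.dumps(module, separators=(",", ":"))
    return (
        f"RUN chmod +x {script} && source {EXPORTS_SCRIPT} && "
        f"{script} {shlex.quote(config)}"
    )


def module_snippet_lines(module: dict) -> list[str]:
    """Return the raw Containerfile instructions a module declares under `snippets`.

    Trailing newlines left over from YAML parsing are stripped, and anything
    that is not a non-empty string is rejected rather than emitted blindly.
    """
    snippets = module.get("snippets", [])
    if not isinstance(snippets, list):
        raise TypeError("snippets must be a list of Containerfile instructions")
    lines = []
    for snippet in snippets:
        if not isinstance(snippet, str):
            raise TypeError(f"snippet is not a string: {snippet!r}")
        snippet = snippet.rstrip("\n")
        if snippet:
            lines.append(snippet)
    return lines


def generate_module_section(module: dict) -> list[str]:
    """RUN line for the module followed by its snippets, in Containerfile order."""
    return [module_run_line(module)] + module_snippet_lines(module)


# Constructed sample module, mirroring the recipe in the preview.
SIGNING_MODULE = {
    "type": "signing",
    "snippets": [
        "COPY --from=ghcr.io/blue-build/cli:latest-installer /out/BLUEBUILD /usr/bin/BLUEBUILD"
    ],
}

if __name__ == "__main__":
    print("\n".join(generate_module_section(SIGNING_MODULE)))
```

Modules without a `snippets` key produce only their `RUN` line, so the existing module behaviour is unchanged; only the quoting and the type checks go beyond what the preview shows.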
Add a bug report + completions command (not complete yet) so that new
users can easily submit bugs to us, and I wanted completions for bb
(super easy with clap).
---------
Co-authored-by: Gerald Pinder <gmpinder@gmail.com>