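# Copyright 2025 The Secureblue Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.

# Builds the secureblue images listed in the matrix with BlueBuild, after
# verifying the cosign signature of the upstream base image.
name: build-secureblue

# No default token permissions; each job requests only what it needs.
permissions: {}

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "00 6 * * *"  # build at 6:00 UTC every day
  push:
    branches-ignore:  # don't rebuild for dependabot
      - 'dependabot/**'
    paths-ignore:  # don't rebuild if only documentation has changed
      - "**.md"
  workflow_dispatch:  # allow manually triggering builds

jobs:
  bluebuild:
    name: Build secureblue
    # Manual runs are limited to one account; scheduled and push runs always proceed.
    # Written as a single bare expression on purpose: mixing `${{ }}` with bare
    # expression text turns the whole condition into a string template, and a
    # non-empty string is truthy, which would disable the actor gate.
    if: github.triggering_actor == 'royaloughtness' || github.event_name == 'schedule' || github.event_name == 'push'
    runs-on: ubuntu-24.04
    permissions:
      contents: read  # checkout
      packages: write  # push the built image to GHCR
      id-token: write  # OIDC token for keyless signing / attestation
    strategy:
      fail-fast: false  # stop GH from cancelling all matrix builds if one fails
      matrix:
        recipe:
          # general
          - general/recipe-silverblue-main.yml
          # Disabling unused recipes on personal fork:
          # - general/recipe-silverblue-nvidia.yml
          # - general/recipe-silverblue-nvidia-open.yml
          # - general/recipe-kinoite-main.yml
          # - general/recipe-kinoite-nvidia.yml
          # - general/recipe-kinoite-nvidia-open.yml
          # - general/recipe-sericea-main.yml
          # - general/recipe-sericea-nvidia.yml
          # - general/recipe-sericea-nvidia-open.yml
          # - general/recipe-cosmic-main.yml
          # - general/recipe-cosmic-nvidia.yml
          # - general/recipe-cosmic-nvidia-open.yml
          # server
          # - securecore/recipe-securecore-main.yml
          # - securecore/recipe-securecore-nvidia.yml
          # - securecore/recipe-securecore-nvidia-open.yml
          # - securecore/recipe-securecore-zfs-main.yml
          # - securecore/recipe-securecore-zfs-nvidia.yml
          # - securecore/recipe-securecore-zfs-nvidia-open.yml
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records the tag.
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          persist-credentials: false  # don't leave the token in .git/config for later steps

      # Derive IMAGE_NAME, IMAGE_MAJOR_VERSION and BASE_IMAGE_NAME from the
      # recipe's top-level keys and export them for the following steps.
      - name: Gather image data from recipe
        shell: bash
        env:
          # Pass matrix input through env rather than interpolating into the script.
          RECIPE: ${{ matrix.recipe }}
        run: |
          echo "IMAGE_NAME=$(grep '^name:' "./recipes/${RECIPE}" | sed 's/^name: //')" >> "$GITHUB_ENV"
          echo "IMAGE_MAJOR_VERSION=$(grep '^image-version:' "./recipes/${RECIPE}" | sed 's/^image-version: //')" >> "$GITHUB_ENV"
          BASE_IMAGE=$(grep '^base-image:' "./recipes/${RECIPE}" | sed 's/^base-image: //')
          # Keep only the last path component of the base image reference.
          echo "BASE_IMAGE_NAME=$(echo "${BASE_IMAGE}" | sed 's/.*\/.*\///')" >> "$GITHUB_ENV"

      # Check the upstream base image's cosign signature before building on it.
      # Skipped for securecore recipes, whose base image is not in this registry.
      - name: Verify base image
        if: ${{ ! contains(env.IMAGE_NAME, 'securecore') }}
        uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79  # v0.3.0
        with:
          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
          registry: 'quay.io/fedora-ostree-desktops'
          pubkey: 'https://gitlab.com/fedora/ostree/ci-test/-/raw/main/quay.io-fedora-ostree-desktops.pub'

      # Materialise the kernel signing key where the recipe's scripts expect it.
      # NOTE(review): the file is created with the runner's default umask; if the
      # build step does not need it readable by other users, restrict the mode
      # (e.g. `umask 077` before the redirect) — confirm against the build step.
      - name: Retrieve Signing Key
        shell: bash
        env:
          KERNEL_PRIVKEY: ${{ secrets.KERNEL_PRIVKEY }}
        run: |
          echo "${KERNEL_PRIVKEY}" > ./files/scripts/certs/private_key.priv

      - name: Build secureblue
        uses: blue-build/github-action@968216e45d3f5f23de24f7804259e1384cf5f358  # v1.8.3
        with:
          cli_version: v0.9.19
          recipe: ${{ matrix.recipe }}
          cosign_private_key: ${{ secrets.SIGNING_SECRET }}
          registry_token: ${{ github.token }}
          # No pull_request trigger is configured above, so this is empty on every run.
          pr_event_number: ${{ github.event.number }}
          maximize_build_space: true
          squash: true
          skip_checkout: true  # repo already checked out above
          use_cache: false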