From fec18b6bf3807c71080646b0bc4ef4ffe2494452 Mon Sep 17 00:00:00 2001 From: ExistingPerson Date: Tue, 31 Mar 2026 10:59:37 +0200 Subject: [PATCH 01/11] Test rechunk --- .github/workflows/build-main.yml | 100 +++++++++++++------------------ 1 file changed, 43 insertions(+), 57 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index d2c467b..cd7ce11 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -72,15 +72,19 @@ jobs: echo "DESKTOP=$DESKTOP" >> $GITHUB_OUTPUT echo "EDITION=$EDITION" >> $GITHUB_OUTPUT - echo "BASE=$BASE" >> $GITHUB_OUTPUT echo "FULL_NAME=$FULL_NAME" >> $GITHUB_OUTPUT - echo "FULL_NAME: $FULL_NAME, BASE: $BASE" # Pro debug - name: Checkout - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v5 + uses: actions/checkout@v4 + with: + submodules: true + + - name: Install Podman via Homebrew + run: | + brew install podman - name: Maximize build space - uses: ublue-os/remove-unwanted-software@695eb75bc387dbcd9685a8e72d23439d8686cba6 + uses: ublue-os/remove-unwanted-software@v7 with: extra-squeeze: true 
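Review bot: In the first hunk of patch 01, `actions/checkout` and `ublue-os/remove-unwanted-software` go from full commit SHAs to the movable tags `@v4` and `@v7`, so a retagged or compromised release of either action would run in this job without any change to this file. Checkout also drops from the SHA annotated `# v5` to `v4`. Keep the SHA form with the version in a trailing comment, as the removed lines did, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder SHA). The next hunk does the same to `docker/metadata-action` (`@v5`) and `sigstore/cosign-installer` (`@v3`), and the added `brew install podman` step takes whatever version Homebrew serves at run time.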
@@ -90,105 +94,87 @@ jobs: - name: Get current date id: date run: | - echo "date_iso=$(date -u +%Y-%m-%d\T%H:%M:%S\Z)" >> $GITHUB_OUTPUT + echo "date_iso=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_OUTPUT echo "date_tag=$(date -u +%Y%m%d)" >> $GITHUB_OUTPUT - echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT" - name: Image Metadata - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@v5 id: metadata with: images: ${{ env.IMAGE_REGISTRY }}/${{ steps.dynamic_vars.outputs.FULL_NAME }} tags: | - type=raw,value=${{ env.DEFAULT_TAG }} # Vytvoří tag :latest - type=raw,value=${{ steps.date.outputs.date_tag }} # Vytvoří tag :20251126 + type=raw,value=${{ env.DEFAULT_TAG }} + type=raw,value=${{ steps.date.outputs.date_tag }} type=sha,enable=${{ github.event_name == 'pull_request' }} type=ref,event=pr labels: | + containers.bootc=1 io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md org.opencontainers.image.description=${{ env.IMAGE_DESC }} org.opencontainers.image.created=${{ steps.date.outputs.date_iso }} - org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md - org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile - type=raw,value=${{ steps.date.outputs.date_tag }} - org.opencontainers.image.description=${{ env.IMAGE_DESC }} org.opencontainers.image.title=${{ steps.dynamic_vars.outputs.FULL_NAME }} - org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} org.opencontainers.image.vendor=${{ github.repository_owner }} - org.opencontainers.image.version=${{ env.DEFAULT_TAG }}.${{ steps.date.outputs.date_tag }} - io.artifacthub.package.deprecated=false - io.artifacthub.package.keywords=${{ 
env.IMAGE_KEYWORDS }} - io.artifacthub.package.license=Apache-2.0 - io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }} - io.artifacthub.package.prerelease=false - containers.bootc=1 - sep-tags: " " - sep-annotations: " " - name: Build Image id: build run: | FULL_IMAGE_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" - DESKTOP="${{ steps.dynamic_vars.outputs.DESKTOP }}" - EDITION="${{ steps.dynamic_vars.outputs.EDITION }}" - BASE="${{ steps.dynamic_vars.outputs.BASE }}" - sudo buildah build \ - --storage-driver=overlay \ + podman build \ --format=docker \ --file ./Containerfile \ - --tag "$FULL_IMAGE_NAME":${{ env.DEFAULT_TAG }} \ - --build-arg DESKTOP="$DESKTOP" \ - --build-arg EDITION="$EDITION" \ - --build-arg BASE="$BASE" \ + --tag "${FULL_IMAGE_NAME}-bootc:latest" \ + --build-arg DESKTOP="${{ steps.dynamic_vars.outputs.DESKTOP }}" \ + --build-arg EDITION="${{ steps.dynamic_vars.outputs.EDITION }}" \ . - echo "full_image_name=$FULL_IMAGE_NAME" >> "$GITHUB_OUTPUT" + - name: Rechunk Image + id: rechunk + run: | + FULL_IMAGE_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" + + export CHUNKAH_CONFIG_STR="$(podman inspect "${FULL_IMAGE_NAME}-bootc")" + + podman run --rm --privileged \ + -v /var/lib/containers:/var/lib/containers \ + -v /etc/containers:/etc/containers \ + -e CHUNKAH_CONFIG_STR \ + ghcr.io/travier/chunkah:latest \ + rechunk "${FULL_IMAGE_NAME}-bootc" - name: Login to GitHub Container Registry - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - run: echo "${{ secrets.GITHUB_TOKEN }}" | sudo skopeo login --username ${{ github.actor }} --password-stdin ghcr.io + if: github.event_name != 'pull_request' + run: echo "${{ secrets.GITHUB_TOKEN }}" | podman login --username ${{ github.actor }} --password-stdin ghcr.io - name: Push Image To GHCR - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: 
github.event_name != 'pull_request' id: push run: | - IMAGE_REF="${{ steps.rechunk.outputs.ref || format('containers-storage:localhost/{0}:{1}', steps.dynamic_vars.outputs.FULL_NAME, env.DEFAULT_TAG) }}" + FULL_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" + IMAGE_REF="localhost/${FULL_NAME}-bootc:latest" - DIGEST=$(sudo skopeo inspect --format '{{.Digest}}' "$IMAGE_REF") + DIGEST=$(podman inspect --format '{{.Digest}}' "$IMAGE_REF") echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" TAGS_FOR_SIGNING="" - for tag in ${{ steps.metadata.outputs.tags }}; do - echo "Image registry: ${{ env.IMAGE_REGISTRY }}" - echo "Full name: ${{ steps.dynamic_vars.outputs.FULL_NAME }}" - echo "Image ref: $IMAGE_REF" - - dest_image="ghcr.io/existingperson08/${{ steps.dynamic_vars.outputs.FULL_NAME }}:latest" - echo "dest_image: $dest_image" - - sudo skopeo copy "$IMAGE_REF" docker://$dest_image - echo "Pushed $dest_image" - TAGS_FOR_SIGNING="${TAGS_FOR_SIGNING} $dest_image" + podman push "$IMAGE_REF" "$tag" + TAGS_FOR_SIGNING="${TAGS_FOR_SIGNING} $tag" done echo "tags_for_signing=$TAGS_FOR_SIGNING" >> "$GITHUB_OUTPUT" - name: Install Cosign - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + uses: sigstore/cosign-installer@v3 + if: github.event_name != 'pull_request' - name: Sign main container image - if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + if: github.event_name != 'pull_request' run: | - for image_ref in ${{ steps.push.outputs.tags }}; do + for image_ref in ${{ steps.push.outputs.tags_for_signing }}; do echo "Signing: ${image_ref}" cosign sign -y --key env://COSIGN_PRIVATE_KEY ${image_ref} done env: - TAGS: ${{ steps.metadata.outputs.tags }} - COSIGN_EXPERIMENTAL: false COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - COSIGN_REGISTRY_USERNAME: 
${{ github.actor }} - COSIGN_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + COSIGN_EXPERIMENTAL: false From aecda0f5434b9aeef9e0a83a172a5b6e7daa4814 Mon Sep 17 00:00:00 2001 From: ExistingPerson Date: Tue, 31 Mar 2026 11:03:07 +0200 Subject: [PATCH 02/11] Fix podman installation --- .github/workflows/build-main.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index cd7ce11..01755ba 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -79,10 +79,6 @@ jobs: with: submodules: true - - name: Install Podman via Homebrew - run: | - brew install podman - - name: Maximize build space uses: ublue-os/remove-unwanted-software@v7 with: @@ -146,6 +142,11 @@ jobs: if: github.event_name != 'pull_request' run: echo "${{ secrets.GITHUB_TOKEN }}" | podman login --username ${{ github.actor }} --password-stdin ghcr.io + - name: Install Podman from Brew + if: inputs.publish + run: | + /home/linuxbrew/.linuxbrew/bin/brew install podman + - name: Push Image To GHCR if: github.event_name != 'pull_request' id: push From f15c8ba5dbf1f4ce4db66a871ab47951ba3c3e3c Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Wed, 1 Apr 2026 11:51:24 +0000 Subject: [PATCH 03/11] Minor fixes --- .github/workflows/build-main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 01755ba..4be62f8 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -135,7 +135,7 @@ jobs: -v /var/lib/containers:/var/lib/containers \ -v /etc/containers:/etc/containers \ -e CHUNKAH_CONFIG_STR \ - ghcr.io/travier/chunkah:latest \ + quay.io/coreos/chunkah \ rechunk "${FULL_IMAGE_NAME}-bootc" - name: Login to GitHub Container Registry 
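Review bot: In the second hunk of patch 01, the `Login to GitHub Container Registry`, `Push Image To GHCR`, `Install Cosign` and `Sign main container image` steps lose the `github.ref == format('refs/heads/{0}', github.event.repository.default_branch)` half of their `if:`. Every non-pull-request run on any ref that the `on:` block (outside the hunk) allows would then push the image tags and sign them with `secrets.SIGNING_SECRET`; keep the original condition on all four steps. The new `Rechunk Image` step also runs `ghcr.io/travier/chunkah:latest` with `--privileged` and the host's `/var/lib/containers` and `/etc/containers` mounted, so whatever that mutable tag resolves to gets full access to the runner's image store before the image is signed. Reference the helper image by digest, e.g. `ghcr.io/travier/chunkah@sha256:<digest>` (placeholder). Patch 03 switches to an untagged `quay.io/coreos/chunkah` while still privileged, and patch 04 drops `--privileged` and the mounts but leaves the image untagged.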
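Review bot: In the second hunk of patch 02, the re-added `Install Podman from Brew` step sits after `Build Image`, `Rechunk Image` and the `podman login` step, all of which already call `podman`, so it cannot affect them. It is also gated on `inputs.publish` while the neighbouring steps use `github.event_name != 'pull_request'`. If a newer podman is required, install it before the first `podman` call and say why in a comment, e.g. `# runner podman lacks <feature>; use the brew build` (placeholder); if not, drop the step. As written it installs an unversioned package between registry login and push.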
@@ -143,7 +143,6 @@ jobs: run: echo "${{ secrets.GITHUB_TOKEN }}" | podman login --username ${{ github.actor }} --password-stdin ghcr.io - name: Install Podman from Brew - if: inputs.publish run: | /home/linuxbrew/.linuxbrew/bin/brew install podman From af3289b3bfb08e03610ba45cf61683792594af3a Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Wed, 1 Apr 2026 12:03:06 +0000 Subject: [PATCH 04/11] Fix rechunk command --- .github/workflows/build-main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 4be62f8..1622608 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -119,7 +119,7 @@ jobs: podman build \ --format=docker \ --file ./Containerfile \ - --tag "${FULL_IMAGE_NAME}-bootc:latest" \ + --tag "${FULL_IMAGE_NAME}-beta:latest" \ --build-arg DESKTOP="${{ steps.dynamic_vars.outputs.DESKTOP }}" \ --build-arg EDITION="${{ steps.dynamic_vars.outputs.EDITION }}" \ . @@ -129,14 +129,14 @@ jobs: run: | FULL_IMAGE_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" - export CHUNKAH_CONFIG_STR="$(podman inspect "${FULL_IMAGE_NAME}-bootc")" - - podman run --rm --privileged \ - -v /var/lib/containers:/var/lib/containers \ - -v /etc/containers:/etc/containers \ - -e CHUNKAH_CONFIG_STR \ - quay.io/coreos/chunkah \ - rechunk "${FULL_IMAGE_NAME}-bootc" + export CHUNKAH_CONFIG_STR="$(podman inspect "${FULL_IMAGE_NAME}-beta")" + podman run --rm "--mount=type=image,src=${FULL_IMAGE_NAME}-beta,dest=/chunkah" -e CHUNKAH_CONFIG_STR quay.io/coreos/chunkah build --label ostree.bootable=1 --compressed --max-layers 128 | \ + podman load | \ + sort -n | \ + head -n1 | \ + cut -d, -f2 | \ + cut -d: -f3 | \ + xargs -I{} podman tag {} "${FULL_IMAGE_NAME}-beta" - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' 
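Review bot: In patch 04's rewritten `Rechunk Image` pipeline, a failing `podman run … chunkah build` or `podman load` would go undetected. The step's exit status is that of the final `xargs`, which normally runs nothing on empty input, so the un-rechunked image would keep its tag and go on to be pushed and signed. Unless the workflow sets a `pipefail` shell under `defaults.run` outside this hunk, start the script with `set -euo pipefail`. Picking the image id with `sort -n | head -n1 | cut -d, -f2 | cut -d: -f3` also depends on the exact text `podman load` prints; a short comment stating the expected line format would let the next reader verify it.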
@@ -151,7 +151,7 @@ jobs: id: push run: | FULL_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" - IMAGE_REF="localhost/${FULL_NAME}-bootc:latest" + IMAGE_REF="localhost/${FULL_NAME}-beta:latest" DIGEST=$(podman inspect --format '{{.Digest}}' "$IMAGE_REF") echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" From e32f4d9cbc7b4f06783165cd0366aea74122125a Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Wed, 1 Apr 2026 16:00:05 +0000 Subject: [PATCH 05/11] Fix rechunk again --- .github/workflows/build-main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 1622608..9733130 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -128,9 +128,12 @@ jobs: id: rechunk run: | FULL_IMAGE_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" - + export CHUNKAH_CONFIG_STR="$(podman inspect "${FULL_IMAGE_NAME}-beta")" - podman run --rm "--mount=type=image,src=${FULL_IMAGE_NAME}-beta,dest=/chunkah" -e CHUNKAH_CONFIG_STR quay.io/coreos/chunkah build --label ostree.bootable=1 --compressed --max-layers 128 | \ + podman run --rm \ + "--mount=type=image,src=${FULL_IMAGE_NAME}-beta,target=/chunkah" \ + -e CHUNKAH_CONFIG_STR \ + quay.io/coreos/chunkah build --label ostree.bootable=1 --compressed --max-layers 128 | \ podman load | \ sort -n | \ head -n1 | \ From 81cc989360eb7d2c5ef684a348cf287b4e890ea5 Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Wed, 1 Apr 2026 16:23:36 +0000 Subject: [PATCH 06/11] Fix pushing to ghcr --- .github/workflows/build-main.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 9733130..d361735 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml 
@@ -152,17 +152,21 @@ jobs: - name: Push Image To GHCR if: github.event_name != 'pull_request' id: push + env: + RAW_TAGS: ${{ steps.metadata.outputs.tags }} + FULL_NAME: ${{ steps.dynamic_vars.outputs.FULL_NAME }} run: | - FULL_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" IMAGE_REF="localhost/${FULL_NAME}-beta:latest" DIGEST=$(podman inspect --format '{{.Digest}}' "$IMAGE_REF") echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" TAGS_FOR_SIGNING="" - for tag in ${{ steps.metadata.outputs.tags }}; do + + for tag in $RAW_TAGS; do + echo "Pushing tag: $tag" podman push "$IMAGE_REF" "$tag" - TAGS_FOR_SIGNING="${TAGS_FOR_SIGNING} $tag" + TAGS_FOR_SIGNING="${TAGS_FOR_SIGNING}${TAGS_FOR_SIGNING:+ }$tag" done echo "tags_for_signing=$TAGS_FOR_SIGNING" >> "$GITHUB_OUTPUT" @@ -174,10 +178,11 @@ jobs: - name: Sign main container image if: github.event_name != 'pull_request' run: | - for image_ref in ${{ steps.push.outputs.tags_for_signing }}; do + for image_ref in $TAGS_TO_SIGN; do echo "Signing: ${image_ref}" - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${image_ref} + cosign sign -y --key env://COSIGN_PRIVATE_KEY "${image_ref}" done env: + TAGS_TO_SIGN: ${{ steps.push.outputs.tags_for_signing }} COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} COSIGN_EXPERIMENTAL: false From 45cd2bffbb3fee0a538caa47a3c730ed81bb7074 Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Wed, 1 Apr 2026 16:51:49 +0000 Subject: [PATCH 07/11] Fix cosign --- .github/workflows/build-main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index d361735..6ab83d8 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml 
@@ -177,12 +177,12 @@ jobs: - name: Sign main container image if: github.event_name != 'pull_request' - run: | - for image_ref in $TAGS_TO_SIGN; do - echo "Signing: ${image_ref}" - cosign sign -y --key env://COSIGN_PRIVATE_KEY "${image_ref}" - done env: - TAGS_TO_SIGN: ${{ steps.push.outputs.tags_for_signing }} COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} COSIGN_EXPERIMENTAL: false + DIGEST: ${{ steps.push.outputs.digest }} + FULL_NAME: ${{ steps.dynamic_vars.outputs.FULL_NAME }} + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u ${{ github.actor }} --password-stdin + echo "Signing: ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" + cosign sign -y --key env://COSIGN_PRIVATE_KEY "ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" From 94ec8d1dc948e21cea73add5ee032440fd871245 Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Wed, 1 Apr 2026 17:10:51 +0000 Subject: [PATCH 08/11] Fix cosign again --- .github/workflows/build-main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 6ab83d8..79b141c 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -179,10 +179,9 @@ jobs: if: github.event_name != 'pull_request' env: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - COSIGN_EXPERIMENTAL: false DIGEST: ${{ steps.push.outputs.digest }} FULL_NAME: ${{ steps.dynamic_vars.outputs.FULL_NAME }} run: | echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u ${{ github.actor }} --password-stdin - echo "Signing: ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" + echo "Signing rechunked image: ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" cosign sign -y --key env://COSIGN_PRIVATE_KEY "ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" 
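Review bot: In patch 07, `DIGEST` comes from `steps.push.outputs.digest`, which the push step fills from `podman inspect --format '{{.Digest}}'` on the local image before `podman push` runs (that code is outside this hunk). A push can recompress layers and produce a different manifest digest, so `cosign sign` may be pointed at a digest the registry does not hold. Have the push step record the pushed digest instead, for example `podman push --digestfile "$RUNNER_TEMP/digest" "$IMAGE_REF" "$tag"`, and write that file's content to the `digest` output. The added `cosign login` line also splices `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` into the script text. Pass the token through `env:` (`GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and use `printf '%s' "$GH_TOKEN" | cosign login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`, matching how `DIGEST` and `FULL_NAME` are handled in the same step.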
From f0da325e3853fd00da7179b354e89005da97e5ce Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Wed, 1 Apr 2026 17:37:46 +0000 Subject: [PATCH 09/11] Lowercase url --- .github/workflows/build-main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 79b141c..14690b9 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -181,7 +181,11 @@ jobs: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} DIGEST: ${{ steps.push.outputs.digest }} FULL_NAME: ${{ steps.dynamic_vars.outputs.FULL_NAME }} + OWNER: ${{ github.repository_owner }} run: | + RAW_URL="ghcr.io/${OWNER}/${FULL_NAME}@${DIGEST}" + LOWER_URL=$(echo "$RAW_URL" | tr '[:upper:]' '[:lower:]') + echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u ${{ github.actor }} --password-stdin echo "Signing rechunked image: ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" - cosign sign -y --key env://COSIGN_PRIVATE_KEY "ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" + cosign sign -y --key env://COSIGN_PRIVATE_KEY "$LOWER_URL" From 0425de9dc5d04954289e9e923ff4d9374ff59b84 Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Wed, 1 Apr 2026 19:58:16 +0000 Subject: [PATCH 10/11] Remove beta tag It even didn worked --- .github/workflows/build-main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 14690b9..1558c52 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml 
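Review bot: In patch 09, the `echo` line still prints the mixed-case `ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}` while `cosign sign` now receives `$LOWER_URL`, so the job log no longer shows the reference that was actually signed. Change it to `echo "Signing rechunked image: $LOWER_URL"`, which also removes the remaining inline use of `github.repository_owner` now that `OWNER` is in `env:`. A one-line comment above `LOWER_URL`, such as `# registry repository paths must be lowercase; the owner name may contain capitals`, would explain why the whole reference goes through `tr`.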
@@ -119,7 +119,7 @@ jobs: podman build \ --format=docker \ --file ./Containerfile \ - --tag "${FULL_IMAGE_NAME}-beta:latest" \ + --tag "${FULL_IMAGE_NAME}:latest" \ --build-arg DESKTOP="${{ steps.dynamic_vars.outputs.DESKTOP }}" \ --build-arg EDITION="${{ steps.dynamic_vars.outputs.EDITION }}" \ . @@ -129,9 +129,9 @@ jobs: run: | FULL_IMAGE_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" - export CHUNKAH_CONFIG_STR="$(podman inspect "${FULL_IMAGE_NAME}-beta")" + export CHUNKAH_CONFIG_STR="$(podman inspect "${FULL_IMAGE_NAME}")" podman run --rm \ - "--mount=type=image,src=${FULL_IMAGE_NAME}-beta,target=/chunkah" \ + "--mount=type=image,src=${FULL_IMAGE_NAME},target=/chunkah" \ -e CHUNKAH_CONFIG_STR \ quay.io/coreos/chunkah build --label ostree.bootable=1 --compressed --max-layers 128 | \ podman load | \ @@ -139,7 +139,7 @@ jobs: head -n1 | \ cut -d, -f2 | \ cut -d: -f3 | \ - xargs -I{} podman tag {} "${FULL_IMAGE_NAME}-beta" + xargs -I{} podman tag {} "${FULL_IMAGE_NAME}" - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' @@ -156,7 +156,7 @@ jobs: RAW_TAGS: ${{ steps.metadata.outputs.tags }} FULL_NAME: ${{ steps.dynamic_vars.outputs.FULL_NAME }} run: | - IMAGE_REF="localhost/${FULL_NAME}-beta:latest" + IMAGE_REF="localhost/${FULL_NAME}:latest" DIGEST=$(podman inspect --format '{{.Digest}}' "$IMAGE_REF") echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" From 92a0e23a5222624c58b099ced71269e17f6fcec9 Mon Sep 17 00:00:00 2001 From: ExistingPerson <164225044+ExistingPerson08@users.noreply.github.com> Date: Thu, 2 Apr 2026 09:30:10 +0000 Subject: [PATCH 11/11] Small improvments to workflow --- .github/workflows/build-main.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 1558c52..3972a2b 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml 
@@ -125,6 +125,7 @@ jobs: . - name: Rechunk Image + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: rechunk run: | FULL_IMAGE_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}" @@ -142,15 +143,16 @@ jobs: xargs -I{} podman tag {} "${FULL_IMAGE_NAME}" - name: Login to GitHub Container Registry - if: github.event_name != 'pull_request' + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) run: echo "${{ secrets.GITHUB_TOKEN }}" | podman login --username ${{ github.actor }} --password-stdin ghcr.io - name: Install Podman from Brew + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) run: | /home/linuxbrew/.linuxbrew/bin/brew install podman - name: Push Image To GHCR - if: github.event_name != 'pull_request' + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: push env: RAW_TAGS: ${{ steps.metadata.outputs.tags }} @@ -173,10 +175,10 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@v3 - if: github.event_name != 'pull_request' + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - name: Sign main container image - if: github.event_name != 'pull_request' + if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) env: COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} DIGEST: ${{ steps.push.outputs.digest }} 
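Review bot: Across the first three hunks of patch 11, the same publish condition is pasted onto six steps (`Rechunk Image`, `Login to GitHub Container Registry`, `Install Podman from Brew`, `Push Image To GHCR`, `Install Cosign`, `Sign main container image`). Patch 01 already showed how easily one copy can drift from the rest. Define it once, assuming the workflow-level `env:` block outside these hunks can take another entry: `PUBLISH: ${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}`, then use `if: env.PUBLISH == 'true'` on each step. A comment on that entry, e.g. `# only default-branch, non-PR runs may log in, push and sign`, documents the intent in one place.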
@@ -187,5 +189,5 @@ jobs: LOWER_URL=$(echo "$RAW_URL" | tr '[:upper:]' '[:lower:]') echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u ${{ github.actor }} --password-stdin - echo "Signing rechunked image: ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" + echo "Signing image: ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}" cosign sign -y --key env://COSIGN_PRIVATE_KEY "$LOWER_URL"