ExistingPerson08 · ExistingPerson08 · Apr 2, 2026 · Mar 31, 2026 · Mar 31, 2026 · Apr 1, 2026
diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml
@@ -72,15 +72,15 @@ jobs:
 
           echo "DESKTOP=$DESKTOP" >> $GITHUB_OUTPUT
           echo "EDITION=$EDITION" >> $GITHUB_OUTPUT
-          echo "BASE=$BASE" >> $GITHUB_OUTPUT
           echo "FULL_NAME=$FULL_NAME" >> $GITHUB_OUTPUT
-          echo "FULL_NAME: $FULL_NAME, BASE: $BASE" # Pro debug
 
       - name: Checkout
-        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v5
+        uses: actions/checkout@v4
+        with:
+          submodules: true
 
       - name: Maximize build space
-        uses: ublue-os/remove-unwanted-software@695eb75bc387dbcd9685a8e72d23439d8686cba6
+        uses: ublue-os/remove-unwanted-software@v7
         with:
           extra-squeeze: true
 
@@ -90,105 +90,104 @@ jobs:
       - name: Get current date
         id: date
         run: |
-          echo "date_iso=$(date -u +%Y-%m-%d\T%H:%M:%S\Z)" >> $GITHUB_OUTPUT
+          echo "date_iso=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_OUTPUT
           echo "date_tag=$(date -u +%Y%m%d)" >> $GITHUB_OUTPUT
-          echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
 
       - name: Image Metadata
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@v5
         id: metadata
         with:
           images: ${{ env.IMAGE_REGISTRY }}/${{ steps.dynamic_vars.outputs.FULL_NAME }}
           tags: |
-            type=raw,value=${{ env.DEFAULT_TAG }} # Vytvoří tag :latest
-            type=raw,value=${{ steps.date.outputs.date_tag }} # Vytvoří tag :20251126
+            type=raw,value=${{ env.DEFAULT_TAG }}
+            type=raw,value=${{ steps.date.outputs.date_tag }}
             type=sha,enable=${{ github.event_name == 'pull_request' }}
             type=ref,event=pr
           labels: |
+            containers.bootc=1
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
             org.opencontainers.image.description=${{ env.IMAGE_DESC }}
             org.opencontainers.image.created=${{ steps.date.outputs.date_iso }}
-            org.opencontainers.image.documentation=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
-            org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile
-            type=raw,value=${{ steps.date.outputs.date_tag }}
-            org.opencontainers.image.description=${{ env.IMAGE_DESC }}
             org.opencontainers.image.title=${{ steps.dynamic_vars.outputs.FULL_NAME }}
-            org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
             org.opencontainers.image.vendor=${{ github.repository_owner }}
-            org.opencontainers.image.version=${{ env.DEFAULT_TAG }}.${{ steps.date.outputs.date_tag }}
-            io.artifacthub.package.deprecated=false
-            io.artifacthub.package.keywords=${{ env.IMAGE_KEYWORDS }}
-            io.artifacthub.package.license=Apache-2.0
-            io.artifacthub.package.logo-url=${{ env.IMAGE_LOGO_URL }}
-            io.artifacthub.package.prerelease=false
-            containers.bootc=1
-          sep-tags: " "
-          sep-annotations: " "
 
       - name: Build Image
         id: build
         run: |
           FULL_IMAGE_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}"
-          DESKTOP="${{ steps.dynamic_vars.outputs.DESKTOP }}"
-          EDITION="${{ steps.dynamic_vars.outputs.EDITION }}"
-          BASE="${{ steps.dynamic_vars.outputs.BASE }}"
 
-          sudo buildah build \
-            --storage-driver=overlay \
+          podman build \
             --format=docker \
             --file ./Containerfile \
-            --tag "$FULL_IMAGE_NAME":${{ env.DEFAULT_TAG }} \
-            --build-arg DESKTOP="$DESKTOP" \
-            --build-arg EDITION="$EDITION" \
-            --build-arg BASE="$BASE" \
+            --tag "${FULL_IMAGE_NAME}:latest" \
+            --build-arg DESKTOP="${{ steps.dynamic_vars.outputs.DESKTOP }}" \
+            --build-arg EDITION="${{ steps.dynamic_vars.outputs.EDITION }}" \
             .
 
-          echo "full_image_name=$FULL_IMAGE_NAME" >> "$GITHUB_OUTPUT"
+      - name: Rechunk Image
+        if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
+        id: rechunk
+        run: |
+          FULL_IMAGE_NAME="${{ steps.dynamic_vars.outputs.FULL_NAME }}"
+
+          export CHUNKAH_CONFIG_STR="$(podman inspect "${FULL_IMAGE_NAME}")"
+          podman run --rm \
+            "--mount=type=image,src=${FULL_IMAGE_NAME},target=/chunkah" \
+            -e CHUNKAH_CONFIG_STR \
+            quay.io/coreos/chunkah build --label ostree.bootable=1 --compressed --max-layers 128 | \
+            podman load | \
+            sort -n | \
+            head -n1 | \
+            cut -d, -f2 | \
+            cut -d: -f3 | \
+            xargs -I{} podman tag {} "${FULL_IMAGE_NAME}"
 
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | sudo skopeo login --username ${{ github.actor }} --password-stdin ghcr.io
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | podman login --username ${{ github.actor }} --password-stdin ghcr.io
+
+      - name: Install Podman from Brew
+        if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
+        run: |
+          /home/linuxbrew/.linuxbrew/bin/brew install podman
 
       - name: Push Image To GHCR
         if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
         id: push
+        env:
+          RAW_TAGS: ${{ steps.metadata.outputs.tags }}
+          FULL_NAME: ${{ steps.dynamic_vars.outputs.FULL_NAME }}
         run: |
-          IMAGE_REF="${{ steps.rechunk.outputs.ref || format('containers-storage:localhost/{0}:{1}', steps.dynamic_vars.outputs.FULL_NAME, env.DEFAULT_TAG) }}"
+          IMAGE_REF="localhost/${FULL_NAME}:latest"
 
-          DIGEST=$(sudo skopeo inspect --format '{{.Digest}}' "$IMAGE_REF")
+          DIGEST=$(podman inspect --format '{{.Digest}}' "$IMAGE_REF")
           echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 
           TAGS_FOR_SIGNING=""
-
-          for tag in ${{ steps.metadata.outputs.tags }}; do
-            echo "Image registry: ${{ env.IMAGE_REGISTRY }}"
-            echo "Full name: ${{ steps.dynamic_vars.outputs.FULL_NAME }}"
-            echo "Image ref: $IMAGE_REF"
-
-            dest_image="ghcr.io/existingperson08/${{ steps.dynamic_vars.outputs.FULL_NAME }}:latest"
-            echo "dest_image: $dest_image"
-
-            sudo skopeo copy "$IMAGE_REF" docker://$dest_image
-            echo "Pushed $dest_image"
-            TAGS_FOR_SIGNING="${TAGS_FOR_SIGNING} $dest_image"
+
+          for tag in $RAW_TAGS; do
+            echo "Pushing tag: $tag"
+            podman push "$IMAGE_REF" "$tag"
+            TAGS_FOR_SIGNING="${TAGS_FOR_SIGNING}${TAGS_FOR_SIGNING:+ }$tag"
           done
 
           echo "tags_for_signing=$TAGS_FOR_SIGNING" >> "$GITHUB_OUTPUT"
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+        uses: sigstore/cosign-installer@v3
         if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
 
       - name: Sign main container image
         if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
-        run: |
-          for image_ref in ${{ steps.push.outputs.tags }}; do
-            echo "Signing: ${image_ref}"
-            cosign sign -y --key env://COSIGN_PRIVATE_KEY ${image_ref}
-          done
         env:
-          TAGS: ${{ steps.metadata.outputs.tags }}
-          COSIGN_EXPERIMENTAL: false
           COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
-          COSIGN_REGISTRY_USERNAME: ${{ github.actor }}
-          COSIGN_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          DIGEST: ${{ steps.push.outputs.digest }}
+          FULL_NAME: ${{ steps.dynamic_vars.outputs.FULL_NAME }}
+          OWNER: ${{ github.repository_owner }}
+        run: |
+          RAW_URL="ghcr.io/${OWNER}/${FULL_NAME}@${DIGEST}"
+          LOWER_URL=$(echo "$RAW_URL" | tr '[:upper:]' '[:lower:]')
+
+          echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u ${{ github.actor }} --password-stdin
+          echo "Signing image: ghcr.io/${{ github.repository_owner }}/${FULL_NAME}@${DIGEST}"
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY "$LOWER_URL"