From 7e6a2ebb956720a48baf70ad8a66a02849a35329 Mon Sep 17 00:00:00 2001 From: Kyle Gospodnetich Date: Wed, 11 Mar 2026 20:47:28 -0700 Subject: [PATCH 1/5] feat: Add OCI upload & signing via ORAS and cosign --- .github/workflows/arch.yaml | 63 +++++++++++++++++++++++++++++++- .github/workflows/nobara.yaml | 68 ++++++++++++++++++++++++++++++++++- .github/workflows/ubuntu.yaml | 65 ++++++++++++++++++++++++++++++++- 3 files changed, 193 insertions(+), 3 deletions(-) diff --git a/.github/workflows/arch.yaml b/.github/workflows/arch.yaml index fb48cf2..a877424 100644 --- a/.github/workflows/arch.yaml +++ b/.github/workflows/arch.yaml @@ -2,9 +2,22 @@ name: Build (arch) on: workflow_dispatch: + inputs: + version: + description: 'Enter a tagged OGC kernel version in the format -ogc' + required: true push: + tags: + - 'v*' -permissions: read-all +permissions: + contents: read + packages: write + id-token: write + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build-arch: @@ -29,6 +42,7 @@ jobs: rm -rf /opt-host/hostedtoolcache rm -rf /opt-host/az df -h + - name: Checkout sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: @@ -59,3 +73,50 @@ jobs: . /home/build/linux/arch/PKGBUILD full_version=${pkgver}-${pkgrel} echo "full_version=$full_version" >> "$GITHUB_OUTPUT" + + - name: Get OGC version + if: startsWith(github.ref, 'refs/tags/') + id: version + run: | + TAG="${{ github.ref_name }}" + echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" + + - name: Setup ORAS + if: startsWith(github.ref, 'refs/tags/') + uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1 + + - name: Setup Cosign + if: startsWith(github.ref, 'refs/tags/') + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + + - name: Login to ghcr.io + if: startsWith(github.ref, 'refs/tags/') + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin + + - name: Push OCI artifact + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/arch" + cd /home/build/linux/arch + oras push "${REPO}:${VERSION}" ./*.pkg.tar.zst + oras tag "${REPO}:${VERSION}" latest + + - name: Sign artifacts + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/arch" + cosign sign --yes "${REPO}:${VERSION}" + cosign sign --yes "${REPO}:latest" + + - name: Verify signature + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/arch" + cosign verify \ + --certificate-identity-regexp=".*" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + "${REPO}:${VERSION}" diff --git a/.github/workflows/nobara.yaml b/.github/workflows/nobara.yaml index 3224221..f920ed3 100644 --- a/.github/workflows/nobara.yaml +++ b/.github/workflows/nobara.yaml @@ -2,9 +2,22 @@ name: Build (Nobara) on: workflow_dispatch: + inputs: + version: + description: 'Enter a tagged OGC kernel version in the format -ogc' + required: true push: + tags: + - 'v*' -permissions: read-all +permissions: + contents: read + packages: write + id-token: write + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build-rpm: @@ -29,6 +42,7 @@ jobs: rm -rf /opt-host/hostedtoolcache rm -rf /opt-host/az df -h + - name: Checkout sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: @@ -37,6 +51,7 @@ jobs: - name: Dependencies run: | dnf -y builddep nobara/kernel.spec + - name: build run: | TOPDIR="$(pwd)/rpmbuild" @@ -45,3 +60,54 @@ jobs: cp nobara/* $TOPDIR/SOURCES rpmbuild --define "_topdir $TOPDIR" -ba ./nobara/kernel.spec + + - name: Get OGC version + if: startsWith(github.ref, 'refs/tags/') + id: version + run: | + TAG="${{ github.ref_name }}" + echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" + + - name: Setup ORAS + if: startsWith(github.ref, 'refs/tags/') + uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1 + + - name: Setup Cosign + if: startsWith(github.ref, 'refs/tags/') + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + + - name: Login to ghcr.io + if: startsWith(github.ref, 'refs/tags/') + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin + + - name: Push OCI artifact + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/nobara" + TOPDIR="$(pwd)/rpmbuild" + mkdir -p /tmp/rpms + cp "$TOPDIR"/RPMS/x86_64/*.rpm /tmp/rpms/ 2>/dev/null || true + cp "$TOPDIR"/RPMS/noarch/*.rpm /tmp/rpms/ 2>/dev/null || true + cd /tmp/rpms + oras push "${REPO}:${VERSION}" ./*.rpm + oras tag "${REPO}:${VERSION}" latest + + - name: Sign artifacts + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/nobara" + cosign sign --yes "${REPO}:${VERSION}" + cosign sign --yes "${REPO}:latest" + + - name: Verify signature + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/nobara" + cosign verify \ + --certificate-identity-regexp=".*" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + "${REPO}:${VERSION}" diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml index 8399068..4e3ba0b 100644 --- a/.github/workflows/ubuntu.yaml +++ b/.github/workflows/ubuntu.yaml @@ -2,9 +2,22 @@ name: Build (ubuntu) on: workflow_dispatch: + inputs: + version: + description: 'Enter a tagged OGC kernel version in the format -ogc' + required: true push: + tags: + - 'v*' -permissions: read-all +permissions: + contents: read + packages: write + id-token: write + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build-deb: @@ -29,6 +42,7 @@ jobs: rm -rf /opt-host/hostedtoolcache rm -rf /opt-host/az df -h + - name: Checkout sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: @@ -40,6 +54,7 @@ jobs: apt-get update -y apt-get install -y build-essential devscripts debhelper dh-python asciidoc-base bc bison cpio dwarves flex kmod libdw-dev libiberty-dev libnuma-dev libslang2-dev lz4 rsync wget xmlto git apt-get install -y libunwind-dev libpfm4-dev coccinelle openjdk-17-jdk libcapstone-dev libbabeltrace-dev systemtap-sdt-dev libzstd-dev dwarves zstd libbfd-dev libperl-dev libssl-dev + - name: Get sources run: | wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.19.6.tar.xz @@ -48,8 +63,56 @@ jobs: cd linux-6.19.6 cp ../config .config patch -Np1 < "../monolithic.patch" + - name: Build run: | cd linux-6.19.6 make olddefconfig fakeroot make -j$(nproc) bindeb-pkg + + - name: Get OGC version + if: startsWith(github.ref, 'refs/tags/') + id: version + run: | + TAG="${{ github.ref_name }}" + echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" + + - name: Setup ORAS + if: startsWith(github.ref, 'refs/tags/') + uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1 + + - name: Setup Cosign + if: startsWith(github.ref, 'refs/tags/') + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + + - name: Login to ghcr.io + if: startsWith(github.ref, 'refs/tags/') + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin + + - name: Push OCI artifact + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu" + cd $GITHUB_WORKSPACE + oras push "${REPO}:${VERSION}" ./*.deb + oras tag "${REPO}:${VERSION}" latest + + - name: Sign artifacts + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu" + cosign sign --yes "${REPO}:${VERSION}" + cosign sign --yes "${REPO}:latest" + + - name: Verify signature + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu" + cosign verify \ + --certificate-identity-regexp=".*" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + "${REPO}:${VERSION}" From eea6cad8623862f933febf4b435a4506f6fdf70b Mon Sep 17 00:00:00 2001 From: Kyle Gospodnetich Date: Thu, 12 Mar 2026 14:44:19 -0700 Subject: [PATCH 2/5] feat: Add build provenance --- .github/workflows/arch.yaml | 19 +++++++++++++++++-- .github/workflows/nobara.yaml | 18 +++++++++++++++++- .github/workflows/ubuntu.yaml | 19 +++++++++++++++++-- 3 files changed, 51 insertions(+), 5 deletions(-) diff --git a/.github/workflows/arch.yaml b/.github/workflows/arch.yaml index a877424..5dcddb0 100644 --- a/.github/workflows/arch.yaml +++ b/.github/workflows/arch.yaml @@ -14,6 +14,7 @@ permissions: contents: read packages: write id-token: write + attestations: write concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -63,7 +64,7 @@ jobs: - name: Install dependencies run: | - pacman -Syu --noconfirm bc cpio gettext libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra + pacman -Syu --noconfirm bc cpio gettext jq libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra - name: Build linux package id: build-kernel-package @@ -96,12 +97,26 @@ jobs: - name: Push OCI artifact if: startsWith(github.ref, 'refs/tags/') + id: push run: | VERSION="${{ steps.version.outputs.version }}" REPO="ghcr.io/opengamingcollective/kernel-packages/arch" cd /home/build/linux/arch - oras push "${REPO}:${VERSION}" ./*.pkg.tar.zst + DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.pkg.tar.zst | jq -r '.digest') + if [ -z "$DIGEST" ]; then + echo "::error::Failed to capture digest from oras push" + exit 1 + fi oras tag "${REPO}:${VERSION}" latest + echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + + - name: Attest build provenance + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 + with: + subject-name: ghcr.io/opengamingcollective/kernel-packages/arch + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true - name: Sign artifacts if: startsWith(github.ref, 'refs/tags/') diff --git a/.github/workflows/nobara.yaml b/.github/workflows/nobara.yaml index f920ed3..58adc5b 100644 --- a/.github/workflows/nobara.yaml +++ b/.github/workflows/nobara.yaml @@ -14,6 +14,7 @@ permissions: contents: read packages: write id-token: write + attestations: write concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -51,6 +52,7 @@ jobs: - name: Dependencies run: | dnf -y builddep nobara/kernel.spec + dnf -y install jq - name: build run: | @@ -83,6 +85,7 @@ jobs: - name: Push OCI artifact if: startsWith(github.ref, 'refs/tags/') + id: push run: | VERSION="${{ steps.version.outputs.version }}" REPO="ghcr.io/opengamingcollective/kernel-packages/nobara" @@ -91,8 +94,21 @@ jobs: cp "$TOPDIR"/RPMS/x86_64/*.rpm /tmp/rpms/ 2>/dev/null || true cp "$TOPDIR"/RPMS/noarch/*.rpm /tmp/rpms/ 2>/dev/null || true cd /tmp/rpms - oras push "${REPO}:${VERSION}" ./*.rpm + DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.rpm | jq -r '.digest') + if [ -z "$DIGEST" ]; then + echo "::error::Failed to capture digest from oras push" + exit 1 + fi oras tag "${REPO}:${VERSION}" latest + echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + + - name: Attest build provenance + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 + with: + subject-name: ghcr.io/opengamingcollective/kernel-packages/nobara + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true - name: Sign artifacts if: startsWith(github.ref, 'refs/tags/') diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml index 4e3ba0b..bebcb97 100644 --- a/.github/workflows/ubuntu.yaml +++ b/.github/workflows/ubuntu.yaml @@ -14,6 +14,7 @@ permissions: contents: read packages: write id-token: write + attestations: write concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -52,7 +53,7 @@ jobs: run: | export DEBIAN_FRONTEND=noninteractive apt-get update -y - apt-get install -y build-essential devscripts debhelper dh-python asciidoc-base bc bison cpio dwarves flex kmod libdw-dev libiberty-dev libnuma-dev libslang2-dev lz4 rsync wget xmlto git + apt-get install -y build-essential devscripts debhelper dh-python asciidoc-base bc bison cpio dwarves flex jq kmod libdw-dev libiberty-dev libnuma-dev libslang2-dev lz4 rsync wget xmlto git apt-get install -y libunwind-dev libpfm4-dev coccinelle openjdk-17-jdk libcapstone-dev libbabeltrace-dev systemtap-sdt-dev libzstd-dev dwarves zstd libbfd-dev libperl-dev libssl-dev - name: Get sources @@ -92,12 +93,26 @@ jobs: - name: Push OCI artifact if: startsWith(github.ref, 'refs/tags/') + id: push run: | VERSION="${{ steps.version.outputs.version }}" REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu" cd $GITHUB_WORKSPACE - oras push "${REPO}:${VERSION}" ./*.deb + DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.deb | jq -r '.digest') + if [ -z "$DIGEST" ]; then + echo "::error::Failed to capture digest from oras push" + exit 1 + fi oras tag "${REPO}:${VERSION}" latest + echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + + - name: Attest build provenance + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 + with: + subject-name: ghcr.io/opengamingcollective/kernel-packages/ubuntu + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true - name: Sign artifacts if: startsWith(github.ref, 'refs/tags/') From e33bd5e7345485426bf6a009371360076bab9f88 Mon Sep 17 00:00:00 2001 From: Kyle Gospodnetich Date: Thu, 12 Mar 2026 18:58:29 -0700 Subject: [PATCH 3/5] fix: Use dynamic repo path --- .github/workflows/arch.yaml | 11 +++++++---- .github/workflows/nobara.yaml | 11 +++++++---- .github/workflows/ubuntu.yaml | 11 +++++++---- 3 files changed, 21 insertions(+), 12 deletions(-) diff --git a/.github/workflows/arch.yaml b/.github/workflows/arch.yaml index 5dcddb0..df85d3e 100644 --- a/.github/workflows/arch.yaml +++ b/.github/workflows/arch.yaml @@ -10,6 +10,9 @@ on: tags: - 'v*' +env: + OCI_REPO: ghcr.io/${{ github.repository }}/arch + permissions: contents: read packages: write @@ -100,7 +103,7 @@ jobs: id: push run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/arch" + REPO="${{ env.OCI_REPO }}" cd /home/build/linux/arch DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.pkg.tar.zst | jq -r '.digest') if [ -z "$DIGEST" ]; then @@ -114,7 +117,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 with: - subject-name: ghcr.io/opengamingcollective/kernel-packages/arch + subject-name: ${{ env.OCI_REPO }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true @@ -122,7 +125,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/arch" + REPO="${{ env.OCI_REPO }}" cosign sign --yes "${REPO}:${VERSION}" cosign sign --yes "${REPO}:latest" @@ -130,7 +133,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/arch" + REPO="${{ env.OCI_REPO }}" cosign verify \ --certificate-identity-regexp=".*" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ diff --git a/.github/workflows/nobara.yaml b/.github/workflows/nobara.yaml index 58adc5b..3ea1ebc 100644 --- a/.github/workflows/nobara.yaml +++ b/.github/workflows/nobara.yaml @@ -10,6 +10,9 @@ on: tags: - 'v*' +env: + OCI_REPO: ghcr.io/${{ github.repository }}/nobara + permissions: contents: read packages: write @@ -88,7 +91,7 @@ jobs: id: push run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/nobara" + REPO="${{ env.OCI_REPO }}" TOPDIR="$(pwd)/rpmbuild" mkdir -p /tmp/rpms cp "$TOPDIR"/RPMS/x86_64/*.rpm /tmp/rpms/ 2>/dev/null || true @@ -106,7 +109,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 with: - subject-name: ghcr.io/opengamingcollective/kernel-packages/nobara + subject-name: ${{ env.OCI_REPO }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true @@ -114,7 +117,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/nobara" + REPO="${{ env.OCI_REPO }}" cosign sign --yes "${REPO}:${VERSION}" cosign sign --yes "${REPO}:latest" @@ -122,7 +125,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/nobara" + REPO="${{ env.OCI_REPO }}" cosign verify \ --certificate-identity-regexp=".*" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml index bebcb97..371b088 100644 --- a/.github/workflows/ubuntu.yaml +++ b/.github/workflows/ubuntu.yaml @@ -10,6 +10,9 @@ on: tags: - 'v*' +env: + OCI_REPO: ghcr.io/${{ github.repository }}/ubuntu + permissions: contents: read packages: write @@ -96,7 +99,7 @@ jobs: id: push run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu" + REPO="${{ env.OCI_REPO }}" cd $GITHUB_WORKSPACE DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.deb | jq -r '.digest') if [ -z "$DIGEST" ]; then @@ -110,7 +113,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 with: - subject-name: ghcr.io/opengamingcollective/kernel-packages/ubuntu + subject-name: ${{ env.OCI_REPO }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true @@ -118,7 +121,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu" + REPO="${{ env.OCI_REPO }}" cosign sign --yes "${REPO}:${VERSION}" cosign sign --yes "${REPO}:latest" @@ -126,7 +129,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') run: | VERSION="${{ steps.version.outputs.version }}" - REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu" + REPO="${{ env.OCI_REPO }}" cosign verify \ --certificate-identity-regexp=".*" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ From db1e485d580050ffb1cea9576f0d35c6fac61861 Mon Sep 17 00:00:00 2001 From: Kyle Gospodnetich Date: Thu, 12 Mar 2026 23:15:44 -0700 Subject: [PATCH 4/5] chore: Ensure the image URI is lowercase, fixes issues with capital letters in GitHub organization or user names --- .github/workflows/arch.yaml | 5 +++++ .github/workflows/nobara.yaml | 5 +++++ .github/workflows/ubuntu.yaml | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/.github/workflows/arch.yaml b/.github/workflows/arch.yaml index df85d3e..5816022 100644 --- a/.github/workflows/arch.yaml +++ b/.github/workflows/arch.yaml @@ -35,6 +35,11 @@ jobs: options: --privileged steps: + - name: Prepare environment + run: | + # Lowercase the image uri + echo "OCI_REPO=${OCI_REPO,,}" >> ${GITHUB_ENV} + - name: Maximize build space run: | df -h diff --git a/.github/workflows/nobara.yaml b/.github/workflows/nobara.yaml index 3ea1ebc..20edccf 100644 --- a/.github/workflows/nobara.yaml +++ b/.github/workflows/nobara.yaml @@ -35,6 +35,11 @@ jobs: options: --privileged steps: + - name: Prepare environment + run: | + # Lowercase the image uri + echo "OCI_REPO=${OCI_REPO,,}" >> ${GITHUB_ENV} + - name: Maximize build space run: | df -h diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml index 371b088..81ee9ca 100644 --- a/.github/workflows/ubuntu.yaml +++ b/.github/workflows/ubuntu.yaml @@ -35,6 +35,11 @@ jobs: options: --privileged steps: + - name: Prepare environment + run: | + # Lowercase the image uri + echo "OCI_REPO=${OCI_REPO,,}" >> ${GITHUB_ENV} + - name: Maximize build space run: | df -h From ef37e00401be1f43ce04d11424353589db230b08 Mon Sep 17 00:00:00 2001 From: Kyle Gospodnetich Date: Thu, 12 Mar 2026 23:21:09 -0700 Subject: [PATCH 5/5] fix: Ensure bash is used in prepare environment step --- .github/workflows/arch.yaml | 1 + .github/workflows/nobara.yaml | 1 + .github/workflows/ubuntu.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/arch.yaml b/.github/workflows/arch.yaml index 5816022..536122b 100644 --- a/.github/workflows/arch.yaml +++ b/.github/workflows/arch.yaml @@ -36,6 +36,7 @@ jobs: steps: - name: Prepare environment + shell: bash run: | # Lowercase the image uri echo "OCI_REPO=${OCI_REPO,,}" >> ${GITHUB_ENV} diff --git a/.github/workflows/nobara.yaml b/.github/workflows/nobara.yaml index 20edccf..db08831 100644 --- a/.github/workflows/nobara.yaml +++ b/.github/workflows/nobara.yaml @@ -36,6 +36,7 @@ jobs: steps: - name: Prepare environment + shell: bash run: | # Lowercase the image uri echo "OCI_REPO=${OCI_REPO,,}" >> ${GITHUB_ENV} diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml index 81ee9ca..87cb0e5 100644 --- a/.github/workflows/ubuntu.yaml +++ b/.github/workflows/ubuntu.yaml @@ -36,6 +36,7 @@ jobs: steps: - name: Prepare environment + shell: bash run: | # Lowercase the image uri echo "OCI_REPO=${OCI_REPO,,}" >> ${GITHUB_ENV}