diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml index 128c7a3..4647e67 100644 --- a/.github/workflows/vib-build.yml +++ b/.github/workflows/vib-build.yml @@ -25,10 +25,17 @@ jobs: GH_TOKEN: ${{ github.token }} build: - runs-on: ubuntu-latest - needs: [verify-image] + strategy: + fail-fast: false + matrix: + include: + - runner: ubuntu-latest + arch: amd64 + - runner: ubuntu-24.04-arm + arch: arm64 + runs-on: ${{ matrix.runner }} + needs: verify-image permissions: - contents: write # Allow actions to create release packages: write # Allow pushing images to GHCR attestations: write # To create and write attestations id-token: write # Additional permissions for the persistence of the attestations @@ -48,8 +55,9 @@ jobs: - uses: actions/upload-artifact@v4 with: - name: Containerfile - path: Containerfile + name: Containerfile + path: Containerfile + overwrite: true - name: Generate image name run: | @@ -57,28 +65,11 @@ jobs: echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV" echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/core" >> "$GITHUB_ENV" - - name: Extra image tag branch - if: ${{ github.ref_type != 'tag' }} - run: | - echo "EXTRA_TAG=ref,event=branch" >> "$GITHUB_ENV" - - - name: Extra image tag release - if: ${{ github.ref_type == 'tag' }} - run: | - echo "EXTRA_TAG=raw,main" >> "$GITHUB_ENV" - - name: Docker meta - id: docker_meta + id: meta uses: docker/metadata-action@v5 with: - images: | - ${{ env. IMAGE_URL }} - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{raw}} - type=semver,pattern=v{{major}} - type=${{ env.EXTRA_TAG }} + images: ${{ env.IMAGE_URL }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 
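Review bot: Both matrix legs upload an artifact with the same fixed name `Containerfile`, and the newly added `overwrite: true` makes the second leg silently replace the first, so the retained artifact is whichever architecture finished last and the other leg's Containerfile is lost. If the generated Containerfile differs per architecture, which the `only-arches` module changes in this commit suggest, key the artifact by arch instead of overwriting: `name: Containerfile-${{ matrix.arch }}` and drop `overwrite: true`. The upload step's enclosing `build` job continues outside the hunk.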
@@ -91,19 +82,19 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and Push the Docker image - id: push + - name: Build and push by digest + id: build uses: docker/build-push-action@v6 with: context: . file: Containerfile - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.docker_meta.outputs.tags }} - labels: ${{ steps.docker_meta.outputs.labels }} + tags: ${{ env.IMAGE_URL }} + labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - platforms: linux/amd64 + platforms: linux/${{ matrix.arch }} provenance: false + outputs: type=image,push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }} - name: Attest pushed image uses: actions/attest-build-provenance@v3 
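Review bot: With `platforms: linux/${{ matrix.arch }}` the two matrix legs now share one GHA cache scope through the unchanged `cache-from: type=gha` / `cache-to: type=gha,mode=max` lines, so amd64 and arm64 layers compete for the same cache entries and can evict each other between runs. Give each leg its own scope: `cache-from: type=gha,scope=${{ matrix.arch }}` and `cache-to: type=gha,mode=max,scope=${{ matrix.arch }}`. The `push=${{ github.event_name != 'pull_request' }}` flag in the new `outputs:` line keeps pull-request builds local, which matches the existing `if:` guard on the attest step that follows.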
@@ -111,15 +102,91 @@ jobs: if: ${{ github.event_name != 'pull_request' }} with: subject-name: ${{ env.IMAGE_URL }} - subject-digest: ${{ steps.push.outputs.digest }} + subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: false + - name: Export digest + if: ${{ github.event_name != 'pull_request' }} + run: | + mkdir -p ${{ runner.temp }}/digests + digest="${{ steps.build.outputs.digest }}" + touch "${{ runner.temp }}/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + if: ${{ github.event_name != 'pull_request' }} + with: + name: digests-${{ matrix.arch }} + path: ${{ runner.temp }}/digests/* + if-no-files-found: error + retention-days: 1 + + merge: + runs-on: ubuntu-latest + if: ${{ github.event_name != 'pull_request' }} + needs: build + permissions: + contents: write # Allow actions to create release + packages: write # Allow pushing images to GHCR + + steps: + - name: Generate image name + run: | + REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" + echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV" + echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/core" >> "$GITHUB_ENV" + + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/digests + pattern: digests-* + merge-multiple: true + + - name: Extra image tag branch + if: ${{ github.ref_type != 'tag' }} + run: | + echo "EXTRA_TAG=ref,event=branch" >> "$GITHUB_ENV" + + - name: Extra image tag release + if: ${{ github.ref_type == 'tag' }} + run: | + echo "EXTRA_TAG=raw,main" >> "$GITHUB_ENV" + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE_URL }} + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{raw}} + type=semver,pattern=v{{major}} + type=${{ env.EXTRA_TAG }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub 
Package Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Create manifest list and push + working-directory: ${{ runner.temp }}/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.IMAGE_URL }}@sha256:%s ' *) + differ: runs-on: ubuntu-latest + if: github.ref_type == 'tag' && github.repository == 'vanilla-os/core-image' + needs: merge container: image: ghcr.io/vanilla-os/core:main - if: github.ref_type == 'tag' && github.repository == 'vanilla-os/core-image' - needs: build steps: - uses: actions/checkout@v5 diff --git a/modules/01-kernel.yml b/modules/01-kernel.yml index 06c2377..9e1cc1a 100644 --- a/modules/01-kernel.yml +++ b/modules/01-kernel.yml @@ -4,3 +4,8 @@ sources: - packages: - linux-image-amd64 - linux-headers-amd64 + only-arches: [amd64] + - packages: + - linux-image-arm64 + - linux-headers-arm64 + only-arches: [arm64] diff --git a/modules/05-firmware.yml b/modules/05-firmware.yml index dcd5ca6..73ce20b 100644 --- a/modules/05-firmware.yml +++ b/modules/05-firmware.yml @@ -8,9 +8,11 @@ sources: - firmware-iwlwifi - firmware-realtek - firmware-atheros - - intel-microcode - - amd64-microcode - b43-fwcutter - firmware-b43-installer - firmware-brcm80211 - firmware-sof-signed + - packages: + - intel-microcode + - amd64-microcode + only-arches: [amd64] diff --git a/modules/100-modules.yml b/modules/100-modules.yml index 21d50b8..9fab50c 100644 --- a/modules/100-modules.yml +++ b/modules/100-modules.yml @@ -5,7 +5,9 @@ sources: - dkms - bolt - inputattach - - iucode-tool - cryptsetup-initramfs - acpi-call-dkms - libsasl2-modules + - packages: + - iucode-tool + only-arches: [amd64] diff --git a/modules/110-fwupd.yml b/modules/110-fwupd.yml index abed2f6..dae72a1 100644 --- a/modules/110-fwupd.yml +++ b/modules/110-fwupd.yml 
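Review bot: The new `merge` job pushes the tagged manifest list without attesting it, so the only provenance attestations are those the `build` job creates for the per-arch image digests; a consumer resolving the tag gets the manifest-list digest, for which no attestation exists. Attest the manifest list after `Create manifest list and push` by resolving its digest with `docker buildx imagetools inspect` and passing it to `actions/attest-build-provenance@v3`, as sketched below. That step also requires `id-token: write` and `attestations: write` in the `merge` job's `permissions`, while the `contents: write` granted there is not used by any visible step of that job and can be dropped to keep the job at least privilege. The `differ` job's reordered `if:`/`needs:` lines belong to a job that continues past the hunk's last visible line.
```yaml
      - name: Create manifest list and push
        # … unchanged: working-directory and docker buildx imagetools create …

      - name: Resolve manifest list digest
        id: manifest
        run: |
          digest="$(docker buildx imagetools inspect "${IMAGE_URL}:${{ steps.meta.outputs.version }}" --format '{{.Manifest.Digest}}')"
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"

      - name: Attest manifest list
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: ${{ env.IMAGE_URL }}
          subject-digest: ${{ steps.manifest.outputs.digest }}
          push-to-registry: false
```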
@@ -3,4 +3,9 @@ type: apt sources: - packages: - fwupd + - packages: - fwupd-amd64-signed + only-arches: [amd64] + - packages: + - fwupd-arm64-signed + only-arches: [arm64] diff --git a/modules/40-essentials.yml b/modules/40-essentials.yml index 5b945b0..c71816a 100644 --- a/modules/40-essentials.yml +++ b/modules/40-essentials.yml @@ -17,11 +17,19 @@ sources: - ibus-table - laptop-detect - efibootmgr - - grub-efi-amd64 - - grub-efi-amd64-bin - - grub-efi-amd64-signed - shim-signed - - shim-helpers-amd64-signed - uidmap - minisign - zram-tools + - packages: + - grub-efi-amd64 + - grub-efi-amd64-bin + - grub-efi-amd64-signed + - shim-helpers-amd64-signed + only-arches: [amd64] + - packages: + - grub-efi-arm64 + - grub-efi-arm64-bin + - grub-efi-arm64-signed + - shim-helpers-arm64-signed + only-arches: [arm64]