build.yml

---
name: Build Image
on:
  pull_request:
    branches:
      - main
  schedule:
    - cron: "05 10 * * *" # 10:05am UTC everyday
  merge_group:
  push:
    branches:
      - main
    paths-ignore:
      - "**/README.md"
  workflow_dispatch:

env:
  IMAGE_NAME: "rs-main-test" # the name of the image produced by this build, matches repo names
  IMAGE_DESC: "CentOS Stream-based image for basing off of "
  IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}"
  DEFAULT_TAG: "latest"
  CENTOS_VERSION: "stream10"
  PLATFORMS: "amd64 arm64"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true

jobs:
  generate_matrix:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Set matrix
        id: set-matrix
        run: |
          # turn the comma separated string into a list
          platforms=(${{ env.PLATFORMS }})
          MATRIX="{\"include\":[]}"
          for platform in "${platforms[@]}"; do
            MATRIX=$(echo $MATRIX | jq ".include += [{\"platform\": \"$platform\"}]")
          done
          echo "matrix=$(echo $MATRIX | jq -c '.')" >> $GITHUB_OUTPUT

  build_push:
    name: Build and push image
    runs-on: ubuntu-24.04
    needs: generate_matrix
    container:
      image: redhat/ubi9:latest
      options: --privileged
    strategy:
      fail-fast: false
      matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}}
    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      - name: Setup Container
        run: |
          dnf install -y \
            git \
            podman \
            skopeo

          echo -e "#!/bin/bash\nexec \"\$@\"" > /usr/bin/sudo
          chmod +x /usr/bin/sudo

          mkdir -p /home/runner/work/${{ github.repository }}/${{ github.repository }}

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Setup Just
        uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2

      - name: Check Just Syntax
        shell: bash
        run: |
          just check

      # - name: Maximize build space
      #   uses: ublue-os/remove-unwanted-software@517622d6452028f266b7ba4cc9a123b5f58a6b53 # v7
      #   with:
      #     remove-codeql: true

      - name: Build Image
        id: build-image
        shell: bash
        run: |
          just=$(which just)
          $just build "${IMAGE_NAME}" "${DEFAULT_TAG}"

      # Reprocess raw-img using rechunker which will delete it
      - name: Run Rechunker
        id: rechunk
        uses: hhd-dev/rechunk@602e6d62558ab23e15e8764ce06e26c0f328da71 # v1.0.1
        with:
          rechunk: "ghcr.io/hhd-dev/rechunk:v1.0.1"
          ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
          prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
          skip_compression: true
          version: ${{ env.CENTOS_VERSION }}

      - name: Load in podman
        id: load
        run: |
          IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
          rm -rf ${{ steps.rechunk.outputs.location }}
          podman image tag $IMAGE ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}

          IMAGE=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}
          IMAGE_DIGEST=$(podman image inspect --format '{{.Digest}}' $IMAGE)
          echo "image=$IMAGE" >> $GITHUB_OUTPUT
          echo "digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        # if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Push the image to GHCR (Image Registry)
      - name: Push To GHCR
        # if: github.event_name != 'pull_request'
        id: push
        env:
          IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}
          IMAGE_NAME: ${{ env.IMAGE_NAME }}
          IMAGE_DIGEST: ${{ steps.load.outputs.digest }}
          PLATFORM: ${{ matrix.platform }}
        run: |
          podman tag ${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}:${DEFAULT_TAG} $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM
          for i in {1..3}; do
            podman push --digestfile=/tmp/digestfile $IMAGE_REGISTRY/$IMAGE_NAME:$DEFAULT_TAG-$PLATFORM && break || sleep $((5 * i));
          done
          REMOTE_IMAGE_DIGEST=$(cat /tmp/digestfile)
          echo "remote_image_digest=$REMOTE_IMAGE_DIGEST" >> $GITHUB_OUTPUT
          cat /tmp/digestfile

      # This section is optional and only needs to be enabled in you plan on distributing
      # your project to others to consume. You will need to create a public and private key
      # using Cosign and save the private key as a repository secret in Github for this workflow
      # to consume. For more details, review the image signing section of the README.
      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        #if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)

      - name: Sign container image
        #if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
        run: |
          IMAGE_FULL="${{ env.IMAGE_REGISTRY }}/${IMAGE_NAME}"
          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${IMAGE_FULL}@${{ steps.push.outputs.remote_image_digest }}
        env:
          TAGS: ${{ steps.push.outputs.digest }}
          COSIGN_EXPERIMENTAL: false
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

      - name: Create job outputs
        env:
          IMAGE_NAME: ${{ env.IMAGE_NAME }}
          PLATFORM: ${{ matrix.platform }}
          DIGEST: ${{ steps.push.outputs.remote_image_digest }}
        run: |
          mkdir -p /tmp/outputs/digests
          echo "${DIGEST}" > /tmp/outputs/digests/${IMAGE_NAME}-${PLATFORM}.txt

      - name: Upload Output Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.IMAGE_NAME }}-${{ matrix.platform }}
          retention-days: 1
          if-no-files-found: error
          path: |
            /tmp/outputs/digests/*.txt

  manifest:
    runs-on: ubuntu-latest
    needs:
      - build_push
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Get current date
        id: date
        run: |
          # Should generate a timestamp like what is defined on the ArtifactHub documentation
          # E.G: 2022-02-08T15:38:15Z'
          # https://artifacthub.io/docs/topics/repositories/container-images/
          # https://linux.die.net/man/1/date
          echo "date=$(date -u +%Y\-%m\-%d\T%H\:%M\:%S\Z)" >> $GITHUB_OUTPUT

      - name: Image Metadata
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
        id: metadata
        with:
          tags: |
            type=raw,value=latest
            type=raw,value=latest.{{date 'YYYYMMDD'}}
            type=raw,value={{date 'YYYYMMDD'}}
            type=raw,value=${{ env.CENTOS_VERSION }}
            type=raw,value=${{ env.CENTOS_VERSION }}.{{date 'YYYYMMDD'}}
            type=sha,enable=${{ github.event_name == 'pull_request' }}
            type=ref,event=pr
          labels: |
            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/refs/heads/main/README.md
            org.opencontainers.image.created=${{ steps.date.outputs.date }}
            org.opencontainers.image.description=${{ env.IMAGE_DESC }}
            org.opencontainers.image.documentation=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
            org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}/blob/main/Containerfile
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
            org.opencontainers.image.vendor=${{ github.repository_owner }}
            org.opencontainers.image.version=${{ env.CENTOS_VERSION }}
            io.artifacthub.package.deprecated=false
            io.artifacthub.package.keywords=bootc,centos,ublue,universal-blue
            io.artifacthub.package.license=Apache-2.0
            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
            io.artifacthub.package.maintainers=[{\"name\":\"tulilirockz\",\"email\":\"tulilirockz@outlook.com\"},{\"name\":\"castrojo\", \"email\": \"jorge.castro@gmail.com\"}]
            io.artifacthub.package.prerelease=true
            containers.bootc=1
          sep-tags: " "
          sep-annotations: " "

      - name: Fetch Build Outputs
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          pattern: ${{ env.IMAGE_NAME }}-*
          merge-multiple: true
          path: /tmp/artifacts

      - name: Load Outputs
        id: load-outputs
        run: |
          DIGESTS_JSON=$(jq -n '{}')
          for digest_file in /tmp/artifacts/*.txt; do
            # Extract the platform from the file name
            PLATFORM=$(basename $digest_file | rev | cut -d'-' -f1 | rev | cut -d'.' -f1)
            DIGEST=$(cat $digest_file)
            # Add the platform and digest to the JSON object
            DIGESTS_JSON=$(echo "$DIGESTS_JSON" | jq --arg key "$PLATFORM" --arg value "$DIGEST" '. + {($key): $value}')
          done
          echo "DIGESTS_JSON=$(echo $DIGESTS_JSON | jq -c '.')" >> $GITHUB_OUTPUT

      - name: Create Manifest
        id: create-manifest
        run: |
          podman manifest create ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
          echo "MANIFEST=${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}" >> $GITHUB_OUTPUT

      - name: Populate Manifest
        env:
          MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }}
          DIGESTS_JSON: ${{ steps.load-outputs.outputs.DIGESTS_JSON }}
          LABELS: ${{ steps.metadata.outputs.labels }}
        run: |
          DIGESTS=$(echo "$DIGESTS_JSON" | jq -c '.')
          PLATFORMS=(${{ env.PLATFORMS }})
          for platform in ${PLATFORMS[@]}; do
            digest=$(echo $DIGESTS | jq -r ".$platform")
            echo "Adding ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest for $platform"
            podman manifest add $MANIFEST ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@$digest --arch $platform
          done

          # Apply labels to the manifest
          for label in $(echo $LABELS | tr ' ' '\n'); do
            podman manifest annotate $MANIFEST --annotation $label
          done

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push Manifest
        env:
          MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }}
          TAGS: ${{ steps.metadata.outputs.tags }}
          IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}
          IMAGE_NAME: ${{ env.IMAGE_NAME }}
        run: |
          for tag in $(echo $TAGS | tr ' ' '\n'); do
            podman manifest push --all=false $MANIFEST $IMAGE_REGISTRY/$IMAGE_NAME:$tag
          done