Merge branch 'main' into testing #7985
| name: Build Bazzite | |
| on: | |
| schedule: | |
| - cron: "40 4 * * 1" # 4:40 utc monday | |
| pull_request: | |
| branches: | |
| - testing | |
| - unstable | |
| paths-ignore: | |
| - "**.md" | |
| - "**.txt" | |
| - "installer/**" | |
| - "repo_content/**" | |
| - "spec_files/**" | |
| - "post_install_files/**" | |
| - "press_kit/**" | |
| - "docs/**" | |
| - ".github/workflows/build_iso*.yml" | |
| push: | |
| branches: | |
| - testing | |
| - unstable | |
| paths-ignore: | |
| - "**.md" | |
| - "**.txt" | |
| - "repo_content/**" | |
| - "spec_files/**" | |
| - "post_install_files/**" | |
| - "press_kit/**" | |
| - ".github/workflows/build_iso*.yml" | |
| merge_group: | |
| workflow_dispatch: | |
| inputs: | |
| handwritten: | |
| description: "Small changelog:" | |
| # Run with this periodically to analyze the image again | |
| # As package drift will make the plan eventually non-ideal | |
| # (existing users will have to redownload most of the image) | |
| fresh-rechunk: | |
| description: "Clear rechunk history" | |
| type: boolean | |
| default: false | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| push-ghcr: | |
| name: Make | |
| runs-on: ubuntu-24.04 | |
| continue-on-error: false | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - bazzite | |
| - bazzite-gnome | |
| - bazzite-deck | |
| - bazzite-deck-gnome | |
| - bazzite-deck-nvidia | |
| - bazzite-deck-nvidia-gnome | |
| - bazzite-nvidia | |
| - bazzite-gnome-nvidia | |
| - bazzite-nvidia-open | |
| - bazzite-gnome-nvidia-open | |
| include: | |
| - fedora_version: 43 | |
| kernel_version: ${{ (github.ref_name == 'testing' || github.ref_name == 'unstable') && 'latest' || 'latest' }} | |
| base_image_flavor: main | |
| arch: x86_64 | |
| steps: | |
| - name: Define base variables | |
| id: base | |
| run: | | |
| IMAGE="${{ matrix.image }}" | |
| if [[ "$IMAGE" == *gnome* ]]; then | |
| BASE_IMAGE_NAME="silverblue" | |
| else | |
| BASE_IMAGE_NAME="kinoite" | |
| fi | |
| echo "base_image_name=$BASE_IMAGE_NAME" >> "$GITHUB_OUTPUT" | |
| # | |
| # Define Container Target | |
| # | |
| if [[ "$IMAGE" == *"deck"* && "$IMAGE" == *"nvidia"* ]]; then | |
| echo "container_target=bazzite-nvidia" >> "$GITHUB_OUTPUT" | |
| echo "nvidia_base=bazzite-deck" >> "$GITHUB_OUTPUT" | |
| echo "install_nvidia=true" >> "$GITHUB_OUTPUT" | |
| elif [[ "$IMAGE" == *"nvidia"* ]]; then | |
| echo "container_target=bazzite-nvidia" >> "$GITHUB_OUTPUT" | |
| echo "nvidia_base=bazzite" >> "$GITHUB_OUTPUT" | |
| echo "install_nvidia=true" >> "$GITHUB_OUTPUT" | |
| elif [[ "$IMAGE" == *"deck"* ]]; then | |
| echo "container_target=bazzite-deck" >> "$GITHUB_OUTPUT" | |
| echo "nvidia_base=bazzite-deck" >> "$GITHUB_OUTPUT" # NOOP | |
| echo "install_nvidia=false" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "container_target=bazzite" >> "$GITHUB_OUTPUT" | |
| echo "nvidia_base=bazzite" >> "$GITHUB_OUTPUT" # NOOP | |
| echo "install_nvidia=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| # Nvidia driver version to use | |
| if [[ "$IMAGE" == *"nvidia-open" || "$IMAGE" == *"-deck-nvidia"* ]]; then | |
| echo "nvidia_version=org.bazzite.kernel.nvidia" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "nvidia_version=org.bazzite.kernel.nvidia_lts" >> "$GITHUB_OUTPUT" | |
| fi | |
| # | |
| # Define push and pull registries | |
| # | |
| PULL_REGISTRY=ghcr.io/ublue-os | |
| PUSH_REGISTRY=ghcr.io/${{ github.repository_owner }} | |
| echo "push_registry=${PUSH_REGISTRY}" >> $GITHUB_OUTPUT | |
| echo "pull_registry=${PULL_REGISTRY}" >> $GITHUB_OUTPUT | |
| echo "output_image=${PUSH_REGISTRY}/${{ matrix.image }}" >> $GITHUB_OUTPUT | |
| BASE_IMAGE="${PULL_REGISTRY}/$BASE_IMAGE_NAME-${{ matrix.base_image_flavor }}:${{ matrix.fedora_version }}" | |
| echo "base_image=${BASE_IMAGE}" >> $GITHUB_OUTPUT | |
| if [ "${{ github.event.inputs.fresh-rechunk }}" == "true" ]; then | |
| IMAGEREF="" | |
| else | |
| IMAGEREF="$PULL_REGISTRY/${{ matrix.image }}:stable" | |
| fi | |
| echo "prev_ref=${IMAGEREF}" >> $GITHUB_OUTPUT | |
| KERNEL_URI=ghcr.io/bazzite-org/kernel-bazzite:${{ matrix.kernel_version }}-f${{ matrix.fedora_version }}-${{ matrix.arch }} | |
| echo "kernel_ref=${KERNEL_URI}" >> $GITHUB_OUTPUT | |
| NVIDIA_URI=ghcr.io/bazzite-org/nvidia-drivers | |
| echo "nvidia_ref=${NVIDIA_URI}" >> $GITHUB_OUTPUT | |
| echo "Generated the following:" | |
| cat $GITHUB_OUTPUT | |
| # Checkout push-to-registry action GitHub repository | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| submodules: recursive | |
| # Prepare offline documentation | |
| - name: Download offline docs | |
| id: download_offline_docs | |
| continue-on-error: true | |
| env: | |
| docs_repo: ublue-os/docs.bazzite.gg | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| DOCS_DIR="${{ github.workspace }}/system_files/desktop/shared/usr/share/ublue-os/docs/html" | |
| mkdir -p $DOCS_DIR | |
| cd $(mktemp -d) | |
| gh run download --repo=$docs_repo -n github-pages | |
| tar -xC "$DOCS_DIR" -f artifact.tar | |
| - name: Check just syntax | |
| uses: ublue-os/just-action@bda593098a84a84973b002b4377709166a68be52 # v2 | |
| - name: Pull Images and find versions | |
| id: labels | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -eo pipefail | |
| # | |
| # Base Image and version | |
| # | |
| sudo podman pull ${{ steps.base.outputs.base_image }} | |
| sudo skopeo inspect docker://${{ steps.base.outputs.base_image }} > source.json | |
| UPSTREAM_TAG=$(jq -r '.Labels["org.opencontainers.image.version"]' source.json) | |
| if [ -z "$UPSTREAM_TAG" ] || [ "null" = "$UPSTREAM_TAG" ]; then | |
| echo "inspected image version must not be empty or null" | |
| exit 1 | |
| fi | |
| # Remove .0 suffix from upstream tag so we can add our own and | |
| # the wrong one does not end up in the image. | |
| UPSTREAM_TAG="${UPSTREAM_TAG%\.[0-9]}" | |
| FEDORA_VERSION="${{ matrix.fedora_version }}" | |
| SHA_SHORT="${GITHUB_SHA::7}" | |
| if [ -n "${{ github.event.pull_request.number }}" ]; then | |
| VERSION="pr-${FEDORA_VERSION}-${{ github.event.pull_request.number }}" | |
| PRETTY_VERSION="PR (${{ github.event.pull_request.number }}, ${UPSTREAM_TAG})" | |
| elif [[ ${{ github.ref_name }} == "unstable" ]]; then | |
| VERSION="unstable-${UPSTREAM_TAG}" | |
| PRETTY_VERSION="Unstable (F${UPSTREAM_TAG}, #${SHA_SHORT})" | |
| elif [[ ${{ github.ref_name }} == "testing" ]]; then | |
| VERSION="testing-${UPSTREAM_TAG}" | |
| PRETTY_VERSION="Testing (F${UPSTREAM_TAG}, #${SHA_SHORT})" | |
| else | |
| VERSION="${UPSTREAM_TAG}" | |
| PRETTY_VERSION="Stable (F${UPSTREAM_TAG})" | |
| fi | |
| echo "tag=${VERSION}" >> $GITHUB_OUTPUT | |
| echo "pretty=${PRETTY_VERSION}" >> $GITHUB_OUTPUT | |
| # | |
| # Kernel and NVIDIA versions | |
| # | |
| # This needs to be tweaked, we need to verify a digest | |
| # and to confirm it is from a protected branch | |
| gh attestation verify -R bazzite-org/kernel-bazzite \ | |
| "oci://${{ steps.base.outputs.kernel_ref }}" --deny-self-hosted-runners | |
| sudo podman pull ${{ steps.base.outputs.kernel_ref }} | |
| if [ "${{ steps.base.outputs.install_nvidia }}" == "true" ]; then | |
| sudo skopeo inspect docker://${{ steps.base.outputs.kernel_ref }} > kernel_source.json | |
| NVIDIA_VERSION=$(jq -r '.Labels["${{ steps.base.outputs.nvidia_version }}"]' kernel_source.json) | |
| NVIDIA_REF="${{ steps.base.outputs.nvidia_ref }}:${NVIDIA_VERSION}-f${{ matrix.fedora_version }}-${{ matrix.arch }}" | |
| # Same as above, we verify the uri moments before we pull it | |
| gh attestation verify -R bazzite-org/nvidia-drivers \ | |
| "oci://$NVIDIA_REF" --deny-self-hosted-runners --source-ref "refs/heads/master" | |
| sudo podman pull "$NVIDIA_REF" | |
| echo "nvidia_ref=$NVIDIA_REF" >> $GITHUB_OUTPUT | |
| else | |
| echo "nvidia_ref=none" >> $GITHUB_OUTPUT | |
| fi | |
| echo "Generated the following:" | |
| cat $GITHUB_OUTPUT | |
| # Generate a file with all the build-args passed to buildah | |
| - name: Prepare build args file | |
| run: | | |
| cat <<'EOF' >>build_args.txt | |
| BASE_IMAGE_NAME=${{ steps.base.outputs.base_image_name }} | |
| FEDORA_VERSION=${{ matrix.fedora_version }} | |
| BASE_IMAGE=${{ steps.base.outputs.base_image }} | |
| IMAGE_NAME=${{ matrix.image }} | |
| IMAGE_VENDOR=${{ github.repository_owner }} | |
| IMAGE_BRANCH=${{ github.ref_name }} | |
| KERNEL_REF=${{ steps.base.outputs.kernel_ref }} | |
| NVIDIA_REF=${{ steps.labels.outputs.nvidia_ref }} | |
| NVIDIA_BASE=${{ steps.base.outputs.nvidia_base }} | |
| SHA_HEAD_SHORT=${{ steps.base.outputs.sha_head_short }} | |
| VERSION_TAG=${{ steps.labels.outputs.tag }} | |
| VERSION_PRETTY=${{ steps.labels.outputs.pretty }} | |
| ARCH=${{ matrix.arch }} | |
| EOF | |
| # Build image using buildah and save it to raw-img | |
| - name: Build Image | |
| id: build_image | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| sudo -E buildah build \ | |
| --target ${{ steps.base.outputs.container_target }} \ | |
| --build-arg-file build_args.txt \ | |
| --secret "id=GITHUB_TOKEN,env=GITHUB_TOKEN" \ | |
| --tag raw-img . | |
| # Reprocess raw-img using rechunker which will delete it | |
| - name: Run Rechunker | |
| id: rechunk | |
| uses: ublue-os/legacy-rechunk@a925083d9af7cb04b3e2a6e8c01bfa495f38b710 # v1.0.0 | |
| with: | |
| rechunk: "ghcr.io/ublue-os/legacy-rechunk:v1.0.0-x86_64" | |
| ref: "raw-img" | |
| prev-ref: "${{ steps.base.outputs.prev_ref }}" | |
| version: "${{ steps.labels.outputs.tag }}" | |
| labels: | | |
| io.artifacthub.package.logo-url=https://raw.githubusercontent.com/ublue-os/bazzite/main/repo_content/logo.png | |
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bazzite/refs/heads/main/README.md | |
| org.opencontainers.image.created=<timestamp> | |
| org.opencontainers.image.description=Bazzite is a custom image that brings the best of Linux gaming to all of your devices - including your favorite handheld. | |
| org.opencontainers.image.licenses=Apache-2.0 | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| org.opencontainers.image.source=https://bazzite.gg | |
| org.opencontainers.image.title=Bazzite | |
| org.opencontainers.image.vendor=Universal Blue | |
| org.opencontainers.image.url=https://bazzite.gg | |
| # Generate tags after rechunker runs and checks the primary tag is not duplicated | |
| # If it is, rechunk will suffix it by .1, .2, etc and put it in steps.rechunk.outputs.version | |
| - name: Generate tags | |
| id: generate-tags | |
| shell: bash | |
| run: | | |
| # Common vars for generating tags | |
| VERSION_TAG="${{ steps.rechunk.outputs.version }}" | |
| if [[ ${{ github.ref_name }} == "unstable" ]]; then | |
| BUILD_TAGS=("unstable" "unstable-${{ matrix.fedora_version }}") | |
| elif [[ ${{ github.ref_name }} == "testing" ]]; then | |
| BUILD_TAGS=("testing" "testing-${{ matrix.fedora_version }}") | |
| else | |
| BUILD_TAGS=("stable-${VERSION_TAG}" "latest" "stable" "stable-${{ matrix.fedora_version }}") | |
| fi | |
| echo "Generated the following build tags: " | |
| for TAG in "${BUILD_TAGS[@]}"; do | |
| echo "${TAG}" | |
| done | |
| echo "alias_tags=${BUILD_TAGS[*]}" >> $GITHUB_OUTPUT | |
| - name: Install dgoss | |
| run: | | |
| curl -L \ | |
| https://github.com/goss-org/goss/releases/latest/download/goss-linux-amd64 \ | |
| -o /usr/local/bin/goss | |
| chmod +rx /usr/local/bin/goss | |
| curl -L \ | |
| https://github.com/goss-org/goss/releases/latest/download/dgoss \ | |
| -o /usr/local/bin/dgoss | |
| chmod +rx /usr/local/bin/dgoss | |
| - name: Run goss tests | |
| run: | | |
| sudo tests/dgoss/dgoss-tests.sh tests/dgoss/tests.d "${{ steps.rechunk.outputs.ref }}" | |
| - name: Install Cosign | |
| if: github.event_name != 'pull_request' | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| with: | |
| cosign-release: "v2.6.1" | |
| # Push the image to GHCR (Image Registry) | |
| - name: Push To GHCR and Sign | |
| if: github.event_name != 'pull_request' | |
| uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 | |
| with: | |
| attempt_limit: 3 | |
| attempt_delay: 15000 | |
| command: | | |
| log_sum() { echo "$1" >> $GITHUB_STEP_SUMMARY; } | |
| log_sum '# Push to GHCR result' | |
| log_sum '```' | |
| echo "${{ secrets.GITHUB_TOKEN }}" | sudo podman login ghcr.io -u ${{ github.actor }} --password-stdin | |
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
| # Push unique image id and sign, this way once evergreen tag is published | |
| # It will always be signed | |
| dest_image="${{ steps.base.outputs.output_image }}:${{ steps.rechunk.outputs.version }}" | |
| sudo skopeo copy ${{ steps.rechunk.outputs.ref }} docker://$dest_image | |
| log_sum "$dest_image" | |
| DIGEST=$(sudo skopeo inspect --format '{{.Digest}}' ${{ steps.rechunk.outputs.ref }}) | |
| cosign sign -y --key env://SIGNING_SECRET --new-bundle-format=false \ | |
| "${{ steps.base.outputs.output_image }}@$DIGEST" | |
| for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do | |
| dest_image="${{ steps.base.outputs.output_image }}:$tag" | |
| sudo skopeo copy ${{ steps.rechunk.outputs.ref }} docker://$dest_image | |
| log_sum "$dest_image" | |
| done | |
| log_sum '```' | |
| env: | |
| SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }} | |
| generate_release: | |
| name: Generate Release | |
| needs: [push-ghcr] | |
| if: github.event_name != 'pull_request' | |
| secrets: inherit | |
| uses: ./.github/workflows/generate_release.yml | |
| kickoff_bazzite_dx: | |
| runs-on: ubuntu-24.04 | |
| needs: [generate_release] | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| steps: | |
| - name: Kickoff Bazzite-DX | |
| uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 | |
| continue-on-error: true | |
| with: | |
| token: ${{ secrets.PAT }} | |
| repository: ublue-os/bazzite-dx | |
| event-type: build |