-
Notifications
You must be signed in to change notification settings - Fork 31
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Luca Di Maio <luca.dimaio1@gmail.com>
- Loading branch information
Showing
3 changed files
with
189 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,123 @@ | ||
| name: "Wolfi Linux: Build and push toolbx images" | ||
|
|
||
| permissions: read-all | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - wolfi/** | ||
| - .github/workflows/wolfi.yaml | ||
| push: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - wolfi/** | ||
| - .github/workflows/wolfi.yaml | ||
| schedule: | ||
| - cron: '0 0 * * MON' | ||
|
|
||
| env: | ||
| distro: 'wolfi' | ||
| distro_pretty: 'wolfi Linux' | ||
| latest_release: 'latest' | ||
| platforms: 'linux/amd64, linux/arm64' | ||
| registry: 'quay.io/toolbx-images' | ||
|
|
||
| # Prevent multiple workflow runs from racing to ensure that pushes are made | ||
| # sequentially for the main branch. Also cancel in progress workflow runs for | ||
| # pull requests only. | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | ||
|
|
||
| jobs: | ||
| build-push-images: | ||
| strategy: | ||
| matrix: | ||
| release: ['latest'] | ||
|
|
||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up QEMU for multi-arch builds | ||
| shell: bash | ||
| run: | | ||
| sudo apt update | ||
| sudo apt install qemu-user-static | ||
| - name: Build container image | ||
| uses: redhat-actions/buildah-build@v2 | ||
| if: env.latest_release != matrix.release | ||
| with: | ||
| platforms: ${{ env.platforms }} | ||
| context: ${{ env.distro }}/${{ matrix.release }} | ||
| image: ${{ env.distro }}-toolbox | ||
| tags: ${{ matrix.release }} | ||
| containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile | ||
| layers: false | ||
| oci: true | ||
|
|
||
| - name: Build container image (latest tag) | ||
| uses: redhat-actions/buildah-build@v2 | ||
| if: env.latest_release == matrix.release | ||
| with: | ||
| platforms: ${{ env.platforms }} | ||
| context: ${{ env.distro }}/${{ matrix.release }} | ||
| image: ${{ env.distro }}-toolbox | ||
| tags: ${{ matrix.release }} latest | ||
| containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile | ||
| layers: false | ||
| oci: true | ||
|
|
||
| - name: Push to Container Registry | ||
| uses: redhat-actions/push-to-registry@v2 | ||
| id: push | ||
| if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release | ||
| with: | ||
| username: ${{ secrets.BOT_USERNAME }} | ||
| password: ${{ secrets.BOT_SECRET }} | ||
| image: ${{ env.distro }}-toolbox | ||
| registry: ${{ env.registry }} | ||
| tags: ${{ matrix.release }} | ||
|
|
||
| - name: Push to Container Registry (latest tag) | ||
| uses: redhat-actions/push-to-registry@v2 | ||
| id: push-latest | ||
| if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release | ||
| with: | ||
| username: ${{ secrets.BOT_USERNAME }} | ||
| password: ${{ secrets.BOT_SECRET }} | ||
| image: ${{ env.distro }}-toolbox | ||
| registry: ${{ env.registry }} | ||
| tags: ${{ matrix.release }} latest | ||
|
|
||
| - name: Login to Container Registry | ||
| uses: redhat-actions/podman-login@v1 | ||
| if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' | ||
| with: | ||
| registry: ${{ env.registry }} | ||
| username: ${{ secrets.BOT_USERNAME }} | ||
| password: ${{ secrets.BOT_SECRET }} | ||
|
|
||
| - uses: sigstore/cosign-installer@v3.3.0 | ||
| if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' | ||
|
|
||
| - name: Sign container image | ||
| if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release | ||
| run: | | ||
| cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }} | ||
| env: | ||
| COSIGN_EXPERIMENTAL: false | ||
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | ||
|
|
||
| - name: Sign container image (latest) | ||
| if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release | ||
| run: | | ||
| cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }} | ||
| env: | ||
| COSIGN_EXPERIMENTAL: false | ||
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| FROM cgr.dev/chainguard/wolfi-base:latest | ||
|
|
||
| LABEL com.github.containers.toolbox="true" \ | ||
| name="wolfi-toolbox" \ | ||
| version="latest" \ | ||
| usage="This image is meant to be used with the toolbox or distrobox command" \ | ||
| summary="Base image for creating Wolfi Linux toolbox containers" \ | ||
| maintainer="Luca Di Maio <luca.dimaio1@gmail.com>" | ||
|
|
||
| # Install extra packages | ||
| COPY extra-packages / | ||
| RUN apk update && \ | ||
| apk upgrade && \ | ||
| cat /extra-packages | xargs apk add | ||
| RUN rm /extra-packages | ||
|
|
||
| # Enable password less sudo | ||
| # using sudoers instead of toolbox filename here, so that in case of rootful | ||
| # distroboxes, the NOPASSWD can be deactivated for security reasons. | ||
| RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers | ||
|
|
||
| # Copy the os-release file | ||
| RUN cp -p /etc/os-release /usr/lib/os-release |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| bash | ||
| bc | ||
| busybox | ||
| bzip2 | ||
| coreutils | ||
| curl | ||
| diffutils | ||
| findmnt | ||
| findutils | ||
| gnupg | ||
| gnutar | ||
| gpg | ||
| iproute2 | ||
| iputils | ||
| keyutils | ||
| less | ||
| libcap | ||
| man-db | ||
| mesa | ||
| mount | ||
| ncurses | ||
| ncurses-terminfo | ||
| net-tools | ||
| openssh-client | ||
| pigz | ||
| posix-libc-utils | ||
| procps | ||
| rsync | ||
| shadow | ||
| sudo | ||
| tcpdump | ||
| tree | ||
| tzdata | ||
| umount | ||
| unzip | ||
| util-linux | ||
| util-linux-login | ||
| util-linux-misc | ||
| vulkan-loader | ||
| wget | ||
| xauth | ||
| xz | ||
| zip |