From 9efe273250842c5aa4caf59b5051c3b01f6d07fc Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 15:15:59 -0300 Subject: [PATCH 01/10] allow squash --- .github/workflows/os.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index 1eccb57..8bd03e8 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -65,6 +65,8 @@ jobs: # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + with: + buildkitd-flags: --allow-insecure-entitlement security.insecure # Login against a Docker registry except on PR # https://github.com/docker/login-action From 5c455fe24d9a491be30d43c67fee8a70e019134b Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 15:17:16 -0300 Subject: [PATCH 02/10] add this file for rebuild --- .github/workflows/os.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index 8bd03e8..e579aac 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -14,6 +14,7 @@ on: - 'etc/**' - 'usr/**' - 'repo/**' + - '.github/workflows/os.yml' env: # Use docker.io for Docker Hub if empty From 26c59d36464ec163939ec71acaf7d964ad7d742f Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 15:22:00 -0300 Subject: [PATCH 03/10] upgrade versions --- .github/workflows/os.yml | 75 ++++++++++++---------------------------- 1 file changed, 22 insertions(+), 53 deletions(-) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index e579aac..9fac5cc 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml 
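Review bot: `buildkitd-flags: --allow-insecure-entitlement security.insecure` does more than the commit title "allow squash" implies: it lets any `RUN --security=insecure` stage of the Dockerfile run outside the builder's normal sandbox on the runner, and nothing in the hunk shows the build step actually requesting that entitlement, nor is squashing tied to it. If a Dockerfile stage genuinely needs it, document that next to the flag, e.g. `# needed for RUN --security=insecure in <stage-name> (placeholder) — keep in sync with the Dockerfile`; if none does, the flag should be dropped, since squash is a separate build option. The `with:` block is the whole addition; the step it extends is context from outside this commit.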
@@ -1,38 +1,27 @@ name: os -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - on: schedule: - - cron: '0 5 8,18,28 * *' # 5 am three times every month + - cron: '0 5 8,18,28 * *' push: paths: - - 'Dockerfile' - - 'etc/**' - - 'usr/**' - - 'repo/**' - - '.github/workflows/os.yml' + - 'Dockerfile' + - 'etc/**' + - 'usr/**' + - 'repo/**' + - '.github/workflows/os.yml' + workflow_dispatch: # Gør det muligt at starte den manuelt til test env: - # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io - # github.repository as / IMAGE_NAME: ${{ github.repository }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - jobs: build: - runs-on: ubuntu-latest permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. id-token: write steps: 
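Review bot: The comment on the cron line, `# 5 am three times every month`, is removed without replacement, and the new `workflow_dispatch:` comment is in Danish while the rest of the file is in English. Keep a short English comment on both, e.g. `- cron: '0 5 8,18,28 * *'  # 05:00 UTC on the 8th, 18th and 28th` and `workflow_dispatch:  # allows manual runs for testing`. The hunk also deletes the header noting that the `uses:` steps are third-party actions not certified by GitHub; that notice is still accurate and is worth keeping near the steps.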
@@ -45,74 +34,54 @@ jobs: - name: Get current date id: date - run: echo "::set-output name=date::$(date +'%Y%m%d')" - - - name: Test with environment variables - run: echo $DATE - env: - DATE: ${{ steps.date.outputs.date }} + run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Opdateret til v4 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + uses: sigstore/cosign-installer@v3.3.0 # Opdateret version with: - cosign-release: 'v2.1.1' + cosign-release: 'v2.2.2' - # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + uses: docker/setup-buildx-action@v3 # Opdateret til v3 with: + # Vigtigt: Aktiverer experimental support i BuildKit buildkitd-flags: --allow-insecure-entitlement security.insecure - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + uses: docker/login-action@v3 # Opdateret til v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@v5 # Opdateret til v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: 
docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + uses: docker/build-push-action@v5 # Opdateret til v5 with: context: . push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }}, ${{ steps.meta.outputs.tags }}-10, ${{ steps.meta.outputs.tags }}-10.${{ steps.date.outputs.date }} - # labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + tags: | + ${{ steps.meta.outputs.tags }} + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:10 + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:10.${{ steps.date.outputs.date }} + # Da caching alligevel ikke virkede, har jeg fjernet cache-to/from + # Det gør buildet mere rent, når vi bruger squash squash: true - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable TAGS: ${{ steps.meta.outputs.tags }} DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From 8240c62c9c20121da8a0cd2333a92328b19f83cc Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 15:25:52 -0300 Subject: [PATCH 04/10] fix lower case repo name --- .github/workflows/os.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index 9fac5cc..732ea16 100644 --- a/.github/workflows/os.yml 
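Review bot: Every action that was pinned to a full commit SHA is switched to a mutable ref (`actions/checkout@v4`, `sigstore/cosign-installer@v3.3.0`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v5`), so the workflow now executes whatever commit upstream points that tag at on the day it runs, with `packages: write` and `id-token: write` in hand. Keeping the previous style, the 40-character SHA followed by a version comment such as `uses: actions/checkout@<full-commit-sha> # v4`, restores the pin while still documenting the version. The same applies to `sigstore/cosign-installer@v3.3.0` in patch 06 and to `easimon/maximize-build-space@master` / `AdityaGarg8/remove-unwanted-software@v5` in patches 08 and 09, where a branch ref is the least stable choice of all. The Danish `# Opdateret til vN` comments are change-log text that belongs in the commit message rather than the file.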
+++ b/.github/workflows/os.yml @@ -61,22 +61,23 @@ jobs: - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5 # Opdateret til v5 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # Her tvinger vi tags til at være lowercase og definerer dine versioner + tags: | + type=raw,value=latest + type=raw,value=10 + type=raw,value=10.${{ steps.date.outputs.date }} - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@v5 # Opdateret til v5 + uses: docker/build-push-action@v5 with: context: . push: ${{ github.event_name != 'pull_request' }} - tags: | - ${{ steps.meta.outputs.tags }} - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:10 - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:10.${{ steps.date.outputs.date }} - # Da caching alligevel ikke virkede, har jeg fjernet cache-to/from - # Det gør buildet mere rent, når vi bruger squash + # Nu bruger vi udelukkende tags fra meta-trinnet, som er lowercase-sikre + tags: ${{ steps.meta.outputs.tags }} squash: true - name: Sign the published Docker image From 612c9ecaef6f9f45d7c070a12a08b91883404946 Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 15:29:19 -0300 Subject: [PATCH 05/10] fix squash --- .github/workflows/os.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index 732ea16..e0a3a74 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -76,9 +76,9 @@ jobs: with: context: . push: ${{ github.event_name != 'pull_request' }} - # Nu bruger vi udelukkende tags fra meta-trinnet, som er lowercase-sikre tags: ${{ steps.meta.outputs.tags }} - squash: true + # Erstat 'squash: true' med denne linje: + outputs: type=image,name=target,squash=true - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} From 47c45172862e15ee17f6eaf4d422bcf82602fa5a Mon Sep 17 00:00:00 2001 
From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 15:52:59 -0300 Subject: [PATCH 06/10] use buildah instead of docker --- .github/workflows/os.yml | 84 +++++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 39 deletions(-) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index e0a3a74..fc460e3 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -10,10 +10,11 @@ on: - 'usr/**' - 'repo/**' - '.github/workflows/os.yml' - workflow_dispatch: # Gør det muligt at starte den manuelt til test + workflow_dispatch: env: REGISTRY: ghcr.io + # Vi tvinger navnet til lowercase her for en sikkerheds skyld IMAGE_NAME: ${{ github.repository }} jobs: 
@@ -37,52 +38,57 @@ jobs: run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - name: Checkout repository - uses: actions/checkout@v4 # Opdateret til v4 - - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.3.0 # Opdateret version - with: - cosign-release: 'v2.2.2' - - - name: Setup Docker buildx - uses: docker/setup-buildx-action@v3 # Opdateret til v3 - with: - # Vigtigt: Aktiverer experimental support i BuildKit - buildkitd-flags: --allow-insecure-entitlement security.insecure - - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 # Opdateret til v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + uses: actions/checkout@v4 + # Vi bruger stadig metadata-action til at generere alle vores tags (inkl. branch) - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # Her tvinger vi tags til at være lowercase og definerer dine versioner tags: | - type=raw,value=latest + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} type=raw,value=10 type=raw,value=10.${{ steps.date.outputs.date }} - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@v5 - with: - context: . 
- push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - # Erstat 'squash: true' med denne linje: - outputs: type=image,name=target,squash=true + # Buildah Login + - name: Log into GHCR + if: github.event_name != 'pull_request' + run: | + buildah login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ${{ env.REGISTRY }} - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + # Build med Buildah (Squash er indbygget her) + - name: Build image with Buildah + id: build-image + run: | + # Vi tager det første tag fra meta-action som primært build-navn + PRIMARY_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1) + + buildah bud \ + --squash \ + --format docker \ + --label "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ + -t "$PRIMARY_TAG" . + + echo "primary_tag=$PRIMARY_TAG" >> $GITHUB_OUTPUT + + # Push alle tags med Buildah + - name: Push to GHCR + if: github.event_name != 'pull_request' + run: | + # Loop igennem alle de tags, som metadata-action genererede + for tag in $(echo "${{ steps.meta.outputs.tags }}"); do + echo "Pushing tag: $tag" + buildah push "$tag" + done + + # Cosign (valgfrit - her bruger vi det primære tag til signering) + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@v3.3.0 + + - name: Sign image + if: github.event_name != 'pull_request' + run: | + cosign sign --yes ${{ steps.build-image.outputs.primary_tag }} From b79f7ee984414b38dbb1d01965a8f05a6ef6a1c6 Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 16:17:11 -0300 Subject: [PATCH 07/10] . --- .github/workflows/os.yml | 2 -- 1 file changed, 2 deletions(-) 
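Review bot: `buildah login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ${{ env.REGISTRY }}` places the token on the command line, where it is visible to other processes on the runner and to anything that echoes the script, and it interpolates expressions directly into the shell; the sign step this hunk removes used an intermediate `env:` variable for exactly that reason. Pass the token through the environment and stdin instead: `env:` / `  REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}` / `run: echo "$REGISTRY_TOKEN" | buildah login -u "$GITHUB_ACTOR" --password-stdin "$REGISTRY"`. The same pattern applies to `PRIMARY_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)` and to the `for tag in $(echo "${{ steps.meta.outputs.tags }}")` loop: export the list as `TAGS: ${{ steps.meta.outputs.tags }}` and read `"$TAGS"` in the script, so a branch name that reaches the tag list (via `type=ref,event=branch`) cannot change the shell command. The `cosign login ... -p ${{ secrets.GITHUB_TOKEN }}` step added in patch 10 has the same problem and takes `--password-stdin` too.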
diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index fc460e3..aa457dd 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -66,8 +66,6 @@ jobs: PRIMARY_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1) buildah bud \ - --squash \ - --format docker \ --label "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ -t "$PRIMARY_TAG" . From 435d2fd4196bddf661576eb188205b4d98cb7abd Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 16:34:12 -0300 Subject: [PATCH 08/10] maximize build space and fix image not found error --- .github/workflows/os.yml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index aa457dd..8354a6f 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -14,7 +14,6 @@ on: env: REGISTRY: ghcr.io - # Vi tvinger navnet til lowercase her for en sikkerheds skyld IMAGE_NAME: ${{ github.repository }} jobs: @@ -27,11 +26,15 @@ jobs: steps: - name: Maximize build space - uses: AdityaGarg8/remove-unwanted-software@v1 + uses: easimon/maximize-build-space@master with: + root-reserve-mb: 512 + swap-size-mb: 1024 remove-dotnet: 'true' remove-android: 'true' remove-haskell: 'true' + remove-codeql: 'true' + remove-docker-images: 'true' - name: Get current date id: date @@ -40,7 +43,6 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - # Vi bruger stadig metadata-action til at generere alle vores tags (inkl. branch) - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 
@@ -52,36 +54,34 @@ jobs: type=raw,value=10 type=raw,value=10.${{ steps.date.outputs.date }} - # Buildah Login - name: Log into GHCR if: github.event_name != 'pull_request' run: | buildah login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ${{ env.REGISTRY }} - # Build med Buildah (Squash er indbygget her) - name: Build image with Buildah id: build-image run: | - # Vi tager det første tag fra meta-action som primært build-navn - PRIMARY_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1) - + # Vi bygger med et fast navn 'raw-img' lokalt buildah bud \ --label "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ - -t "$PRIMARY_TAG" . + -t raw-img . + # Vi gemmer det første rigtige tag til senere brug (fx signering) + PRIMARY_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1) echo "primary_tag=$PRIMARY_TAG" >> $GITHUB_OUTPUT - # Push alle tags med Buildah - name: Push to GHCR if: github.event_name != 'pull_request' run: | # Loop igennem alle de tags, som metadata-action genererede for tag in $(echo "${{ steps.meta.outputs.tags }}"); do - echo "Pushing tag: $tag" + echo "Tagging and pushing: $tag" + # VI TILFØJER DETTE TRIN: Giv raw-img det rigtige navn før push + buildah tag raw-img "$tag" buildah push "$tag" done - # Cosign (valgfrit - her bruger vi det primære tag til signering) - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@v3.3.0 @@ -89,4 +89,6 @@ jobs: - name: Sign image if: github.event_name != 'pull_request' run: | - cosign sign --yes ${{ steps.build-image.outputs.primary_tag }} + # Vi skal bruge buildah tag igen her for at sikre at PRIMARY_TAG findes lokalt + buildah tag raw-img "${{ steps.build-image.outputs.primary_tag }}" + cosign sign --yes "${{ steps.build-image.outputs.primary_tag }}" From c6f054b672a88889820726afe06d40ce73186a63 Mon Sep 17 00:00:00 2001 
From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 16:39:07 -0300 Subject: [PATCH 09/10] go back to previous maximize space repo but upgrade version to ver 5. --- .github/workflows/os.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index 8354a6f..ee01f9c 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -26,15 +26,11 @@ jobs: steps: - name: Maximize build space - uses: easimon/maximize-build-space@master + uses: AdityaGarg8/remove-unwanted-software@v5 with: - root-reserve-mb: 512 - swap-size-mb: 1024 remove-dotnet: 'true' remove-android: 'true' remove-haskell: 'true' - remove-codeql: 'true' - remove-docker-images: 'true' - name: Get current date id: date From 5c8d0902d89ebbdd4c257cd5b44761d5c6670ad8 Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Mon, 5 Jan 2026 16:58:50 -0300 Subject: [PATCH 10/10] fix sign error and tag names --- .github/workflows/os.yml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index ee01f9c..10e0f8c 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: read packages: write - id-token: write + id-token: write # Påkrævet til cosign keyless signering steps: - name: Maximize build space @@ -44,11 +44,12 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # Vi konstruerer tags her med branch-navnet som præfiks tags: | type=ref,event=branch type=raw,value=latest,enable={{is_default_branch}} - type=raw,value=10 - type=raw,value=10.${{ steps.date.outputs.date }} + type=raw,value=${{ github.ref_name }}-10 + type=raw,value=${{ github.ref_name }}-10.${{ steps.date.outputs.date }} - name: Log into GHCR if: github.event_name != 'pull_request' 
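Review bot: `type=raw,value=${{ github.ref_name }}-10` builds a tag from the bare branch name, and a branch such as `feature/x` would put a `/` into the tag value; the `type=ref,event=branch` entry above it is sanitized by the action, but I am not certain raw values are, so this wants a check (or the action's own `{{branch}}` expression in place of `github.ref_name`, if that is sanitized). On the `schedule` trigger `github.ref_name` resolves to the default branch, so scheduled rebuilds only ever produce the default branch's `-10` and `-10.<date>` tags, which may well be intended but is not stated. A short English comment would make both points explicit, e.g. `# tags: <branch>-10 and <branch>-10.<yyyymmdd>; scheduled runs build the default branch`.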
@@ -58,22 +59,20 @@ jobs: - name: Build image with Buildah id: build-image run: | - # Vi bygger med et fast navn 'raw-img' lokalt + # Vi bygger med 'raw-img' lokalt buildah bud \ --label "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ -t raw-img . - # Vi gemmer det første rigtige tag til senere brug (fx signering) + # Gem det primære tag til signering (vi tager det første fra listen) PRIMARY_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1) echo "primary_tag=$PRIMARY_TAG" >> $GITHUB_OUTPUT - name: Push to GHCR if: github.event_name != 'pull_request' run: | - # Loop igennem alle de tags, som metadata-action genererede for tag in $(echo "${{ steps.meta.outputs.tags }}"); do echo "Tagging and pushing: $tag" - # VI TILFØJER DETTE TRIN: Giv raw-img det rigtige navn før push buildah tag raw-img "$tag" buildah push "$tag" done @@ -82,9 +81,15 @@ jobs: if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@v3.3.0 + # VI TILFØJER LOGIN TIL COSIGN HER + - name: Log into GHCR (Cosign) + if: github.event_name != 'pull_request' + run: | + cosign login ${{ env.REGISTRY }} -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} + - name: Sign image if: github.event_name != 'pull_request' run: | - # Vi skal bruge buildah tag igen her for at sikre at PRIMARY_TAG findes lokalt - buildah tag raw-img "${{ steps.build-image.outputs.primary_tag }}" + # Vi signerer det primære tag. + # Vi bruger --yes til at acceptere betingelserne automatisk. cosign sign --yes "${{ steps.build-image.outputs.primary_tag }}"
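Review bot: `cosign sign --yes "${{ steps.build-image.outputs.primary_tag }}"` signs whatever the registry resolves that tag to at signing time, not necessarily the image this run pushed; the removed original signed `{}@${DIGEST}`, and if another run pushes the same tag in between, the signature ends up on a different image. Buildah can record the pushed manifest digest with `--digestfile`, and cosign accepts `name@sha256:…`, so the push loop should capture the digest and the sign step should use it; the rewrite below shows both steps with the tag list and digest passed through `env:` rather than interpolated into the script (the `cosign login -p` issue is covered in the patch 06 note). The Install cosign and Log into GHCR (Cosign) steps are unchanged and left out.

```yaml
      - name: Push to GHCR
        id: push
        if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          for tag in $TAGS; do
            echo "Tagging and pushing: $tag"
            buildah tag raw-img "$tag"
            # all tags are pushes of the same local image; the last digest written should be the shared one — TODO confirm
            buildah push --digestfile "$RUNNER_TEMP/digest" "$tag"
          done
          echo "digest=$(cat "$RUNNER_TEMP/digest")" >> "$GITHUB_OUTPUT"

      # … unchanged: Install cosign, Log into GHCR (Cosign) …

      - name: Sign image
        if: github.event_name != 'pull_request'
        env:
          PRIMARY_TAG: ${{ steps.build-image.outputs.primary_tag }}
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          # sign by digest so the signature is bound to the image this run pushed, not to whatever the tag points at later
          cosign sign --yes "${PRIMARY_TAG}@${DIGEST}"
```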