refactor build-iso to build-bootable-artifacts

leverages https://github.com/osbuild/bootc-image-builder-action instead of unmaintained original bootc-image-builder-action

Author: eseiker

.github/actions/build-bootable-artifacts/action.yml

@@ -0,0 +1,120 @@
+---
+name: Build bootable artifacts
+
+inputs:
+  platform:
+    description: The platform to build the image for (e.g., "x86_64", "arm64")
+    required: true
+  image:
+    description: Full podman image reference, including hash (e.g., "registry.example.com/image@sha256")
+    required: true
+  image-name:
+    description: Name of the image, will be used to name the artifact files (e.g., "my-image")
+    required: true
+  image-types:
+    description: The types of bootable artifacts to build (e.g., "iso,raw")
+    required: false
+    default: "iso"
+  update_is_signed:
+    description: Whether the image is signed or not
+    required: false
+  update_origin_ref:
+    description: Image reference to update from (e.g., "{image}:latest")
+    required: true
+  config-file:
+    description: Path to the bootable artifacts configuration file
+    required: true
+  use-librepo:
+    description: "Use librepo to download the image"
+    required: false
+  additional-args:
+    description: "Additional arguments to pass to the bootc-image-builder"
+    required: false
+  REGISTRY:
+    description: The container registry URL (e.g., "registry.example.com")
+    required: true
+  REGISTRY_USER:
+    description: The username for the container registry login
+    required: true
+  REGISTRY_TOKEN:
+    description: The token for authenticating with the container registry
+    required: true
+
+outputs:
+  output_directory:
+    description: The directory where the built artifacts and checksums are stored
+    value: ${{ steps.rename.outputs.output_directory }}
+  artifact_basename:
+    description: The base name of the artifacts
+    value: ${{ steps.rename.outputs.artifact_basename }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Login to Container Registry
+      uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
+      with:
+        registry: ${{ inputs.REGISTRY }}
+        username: ${{ inputs.REGISTRY_USER }}
+        password: ${{ inputs.REGISTRY_TOKEN }}
+
+    - name: Set up environment
+      id: set-env
+      shell: bash
+      run: |
+        ARCH=${{ inputs.platform }}
+        echo "CLEAN_ARCH=${ARCH//\//_}" >> "$GITHUB_ENV"
+
+    - name: Prepare bootable artifacts configuration
+      shell: bash
+      run: |
+        [ "${{ inputs.update_is_signed }}" = "true" ] && SIG="--enforce-container-sigpolicy"
+
+        sed -i 's#<UPDATE_IMAGE_REF>#${{ inputs.update_origin_ref }}#g' ${{ inputs.config-file }}
+        sed -i "s#<IMAGE_SIGNED>#${SIG}#g" ${{ inputs.config-file }}
+        cat ${{ inputs.config-file }}
+
+        [ "${{ inputs.use-librepo }}" = "true" ] && USE_LIBREPO="True" || USE_LIBREPO="False"
+        ADDITIONAL_ARGS="--target-arch=${{ env.CLEAN_ARCH }} --use-librepo=${USE_LIBREPO} ${{ inputs.additional-args }}"
+
+        echo "ADDITIONAL_ARGS=${ADDITIONAL_ARGS}" >> "$GITHUB_ENV"
+
+        if [[ "${ADDITIONAL_ARGS}" == *"--installer-payload-ref"* ]]; then
+          INSTALLER_PAYLOAD_REF=$(echo "${ADDITIONAL_ARGS}" | grep -oP '(?<=--installer-payload-ref[= ])\S+')
+          sudo podman pull "${INSTALLER_PAYLOAD_REF}"
+        fi
+
+    - name: Build bootable artifacts
+      id: build
+      uses: osbuild/bootc-image-builder-action@4503a3445240ffc85cccf8f57d7cab5634e351e2
+      with:
+        config-file: ${{ inputs.config-file }}
+        image: ${{ inputs.image }}
+        additional-args: ${{ env.ADDITIONAL_ARGS }}
+        types: ${{ inputs.image-types }}
+
+    - name: Rename bootable artifacts
+      id: rename
+      env:
+        OUTPUT_PATH: output-${{ env.CLEAN_ARCH }}
+      shell: bash
+      run: |
+        set -x
+        mkdir -p ${{ env.OUTPUT_PATH }}
+        OUTPUT_DIRECTORY="$(realpath ${{ env.OUTPUT_PATH }})"
+        ARTIFACT_BASENAME="${{ inputs.image-name }}-${{ env.CLEAN_ARCH }}"
+
+        echo '${{ steps.build.outputs.output-paths }}' | jq -c '.[]' | while read -r artifact; do
+          ARTIFACT_PATH=$(echo "$artifact" | jq -r '.path')
+          ARTIFACT_CHECKSUM=$(echo "$artifact" | jq -r '.checksum')
+          ARTIFACT_EXTENSION=$(echo "$ARTIFACT_PATH" | awk -F. '{print $NF}')
+
+          ARTIFACT_NAME="${ARTIFACT_BASENAME}.${ARTIFACT_EXTENSION}"
+          CHECKSUM_NAME="${ARTIFACT_NAME}-CHECKSUM"
+
+          cp "$ARTIFACT_PATH" "${OUTPUT_DIRECTORY}/${ARTIFACT_NAME}"
+          echo "$ARTIFACT_CHECKSUM" > "${OUTPUT_DIRECTORY}/${CHECKSUM_NAME}"
+        done
+
+        echo "output_directory=${OUTPUT_DIRECTORY}" >> "${GITHUB_OUTPUT}"
+        echo "artifact_basename=${ARTIFACT_BASENAME}" >> "${GITHUB_OUTPUT}"

.github/actions/build-iso/action.yml

@@ -7,10 +7,19 @@ inputs:
     required: true
   variant:
     description: The variant of the image to build
-    required: true
+    required: false
+    default: ""
   containerfile:
     description: The path to the Containerfile used for building the image
     required: true
+  stage:
+    description: The stage to build in the Containerfile
+    required: false
+    default: ""
+  extra-args:
+    description: Additional arguments to pass to the podman build command
+    required: false
+    default: ""
   image-name:
     description: The name of the image to build
     required: true
@@ -99,6 +108,8 @@ runs:
       shell: bash
       env:
         IMAGE_TAG: ${{ inputs.image-tag }}-${{ env.CLEAN_ARCH }}
+        STAGE_ARGS: --target=${{ inputs.stage }}
+        EXTRA_ARGS: ${{ inputs.extra-args }}
       run: |
         echo "::group::Build Image"
         sudo podman build \
@@ -113,6 +124,8 @@ runs:
           --build-arg VARIANT=${{ inputs.variant }} \
           -t ${{ inputs.image-name }}:${IMAGE_TAG} \
           -f ${{ inputs.containerfile }} \
+          ${{ env.STAGE_ARGS }} \
+          ${{ env.EXTRA_ARGS }} \
           .
 
         echo "image-id=$(cat /tmp/image-id)" >> $GITHUB_OUTPUT

.github/actions/build/action.yml

@@ -2,8 +2,8 @@
 name: Upload to GitHub Actions Artifacts
 
 inputs:
-  artifact_name:
-    description: "The name of the artifact to upload"
+  artifact_basename:
+    description: "The basename of the artifacts to upload"
     required: true
   directory:
     description: "The directory containing the files to upload"
@@ -12,11 +12,11 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Upload ISOs and Checksum to Job Artifacts
+    - name: Upload Bootable Artifacts and Checksums to Job Artifacts
       id: upload-gh
       uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
       with:
-        name: ${{ inputs.artifact_name }}
+        name: ${{ inputs.artifact_basename }}
         path: ${{ inputs.directory }}
         if-no-files-found: error
         compression-level: 0
@@ -26,5 +26,5 @@ runs:
     - name: Summary
       shell: bash
       run: |
-        echo "Artifact URL: ${{ steps.upload-gh.outputs.artifact-url }}" >> $GITHUB_STEP_SUMMARY
+        echo "Artifact: ${{ steps.upload-gh.outputs.artifact-url }}" >> $GITHUB_STEP_SUMMARY
         echo "Digest: ${{ steps.upload-gh.outputs.artifact-digest }}" >> $GITHUB_STEP_SUMMARY

.github/actions/upload-gh/action.yml

@@ -8,6 +8,10 @@ inputs:
   bucket:
     description: "The Cloudflare R2 bucket to upload the files to"
     required: true
+  path:
+    description: "The path to the files to upload, relative to the bucket root"
+    required: true
+    default: ""
   R2_ACCOUNT_ID:
     description: "The Cloudflare R2 account ID"
     required: true
@@ -30,4 +34,4 @@ runs:
         r2-secret-access-key: ${{ inputs.R2_SECRET_ACCESS_KEY }}
         r2-bucket: ${{ inputs.bucket }}
         source-dir: ${{ inputs.directory }}
-        destination-dir: ./
+        destination-dir: ${{ inputs.path }}

.github/actions/upload-r2/action.yml

@@ -6,17 +6,12 @@ inputs:
     description: "The directory containing the files to upload"
     required: true
   bucket:
-    description: "The Cloudflare R2 bucket to upload the files to"
+    description: "The Amazon S3 bucket to upload the files to"
     required: true
   path:
-    description: "The path to the files to upload, relative to the directory"
-    required: true
-  iso-name:
-    description: "The name of the ISO file to upload"
-    required: true
-  checksum-name:
-    description: "The name of the checksum file to upload"
+    description: "The path to the files to upload, relative to the bucket root"
     required: true
+    default: ""
   aws-default-region:
     description: "The AWS region to use for S3 uploads"
     required: true
@@ -46,18 +41,4 @@ runs:
         # Upload the files to S3 bucket
         aws s3 cp ${{ inputs.directory }} \
             s3://${BUCKET}/${{ inputs.path }}/ \
-            --recursive
-
-          # Make them uploaded file publicly available
-        aws s3api put-object-tagging \
-            --bucket ${BUCKET} \
-            --key ${{ inputs.path }}/${{ inputs.iso-name }} \
-            --tagging 'TagSet={Key=public,Value=yes}'
-
-        aws s3api put-object-tagging \
-            --bucket ${BUCKET} \
-            --key ${{ inputs.path }}/${{ inputs.checksum-name }} \
-            --tagging 'TagSet={Key=public,Value=yes}'
-
-        echo "ISO: https://${BUCKET}.s3-accelerate.dualstack.amazonaws.com/${{ inputs.path }}/${{ inputs.iso-name }}" >> $GITHUB_STEP_SUMMARY
-        echo "Digest: https://${BUCKET}.s3-accelerate.dualstack.amazonaws.com/${{ inputs.path }}/${{ inputs.checksum-name }}" >> $GITHUB_STEP_SUMMARY
+            --recursive --acl public-read