diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b546ec9..2cbcc7c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,10 +39,9 @@ jobs:
 run: |
 sed 's/ghcr.io\/vanilla-os\/core:dev/ghcr.io\/vanilla-os\/core:main/' -i recipe.yml
- - uses: vanilla-os/vib-gh-action@v1.0.6
+ - uses: vanilla-os/vib-gh-action@v1.1.0
 with:
 recipe: 'recipe.yml'
- plugins: 'Vanilla-OS/vib-fsguard:v1.6.1'
 - uses: actions/upload-artifact@v7
 with:
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index b6a4a6e..aab71be 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -48,10 +48,9 @@ jobs:
 run: |
 sed 's/ghcr.io\/vanilla-os\/core:dev/ghcr.io\/vanilla-os\/core:main/' -i recipe.yml
- - uses: vanilla-os/vib-gh-action@v1.0.6
+ - uses: vanilla-os/vib-gh-action@v1.1.0
 with:
 recipe: 'recipe.yml'
- plugins: 'Vanilla-OS/vib-fsguard:v1.6.1'
 - uses: actions/upload-artifact@v7
 with:
@@ -70,6 +69,7 @@ jobs:
 uses: docker/metadata-action@v5
 with:
 images: ${{ env.IMAGE_URL }}
+ labels: org.opencontainers.image.created={{commit_date 'YYYY-MM-DDTHH:mm:ss.SSS[Z]'}}
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
@@ -82,6 +82,9 @@ jobs:
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Get Git commit timestamps
+ run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+
 - name: Build and push by digest
 id: build
 uses: docker/build-push-action@v6
@@ -94,7 +97,9 @@ jobs:
 cache-to: type=gha,mode=max
 platforms: linux/${{ matrix.arch }}
 provenance: false
- outputs: type=image,push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
+ outputs: type=image,push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }},rewrite-timestamp=true
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
 - name: Attest pushed image
 uses: actions/attest-build-provenance@v4
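Review bot: `vanilla-os/vib-gh-action@v1.1.0` in `.github/workflows/release.yml` is still referenced by a mutable tag, so anyone able to move that tag changes what runs in the job that builds the released image. Pinning the full commit SHA and keeping the tag as a trailing comment, `- uses: vanilla-os/vib-gh-action@<full-commit-sha> # v1.1.0`, makes each bump reviewable and rules out silent retagging. The identical line in the first hunk of `.github/workflows/vib-build.yml` has the same issue. The `actions/upload-artifact@v7` context line suggests tag references are the convention in these workflows, so this may be better handled as one follow-up; the step list continues outside the hunk.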
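Review bot: In the added `Get Git commit timestamps` step of `.github/workflows/vib-build.yml`, a failing `git log` is hidden because the command substitution sits inside the `echo` argument, so the step still succeeds and writes `TIMESTAMP=` with no value. The last hunk then hands that empty value to the build step as `SOURCE_DATE_EPOCH` together with `rewrite-timestamp=true`, where it would most likely either break the build in a confusing place or quietly lose the reproducible timestamps. Assigning first lets the default `bash -e` shell stop the step, and quoting the target file is safer: use `run: |` followed by `ts="$(git log -1 --pretty=%ct)"` and `echo "TIMESTAMP=$ts" >> "$GITHUB_ENV"`. This assumes the checkout step, which is outside the hunk, has already run at this point in the job.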
diff --git a/README.md b/README.md
index 5d1a575..d331dc3 100644
--- a/README.md
+++ b/README.md
@@ -7,9 +7,6 @@ Vanilla OS Desktop experience with GNOME.
 ## Build
-> [!NOTE]
-> The fsguard compiled plugin `.so` file should be downloaded from the [latest release](https://github.com/Vanilla-OS/vib-fsguard/releases/latest) and be placed under a `plugins` directory beside the `recipe.yml` file.
-
 ```bash
 vib build recipe.yml
 podman image build -t vanillaos/desktop .
diff --git a/includes.container/usr/share/init.d/010-fsguard.sh b/includes.container/usr/share/init.d/010-fsguard.sh
deleted file mode 100644
index 95ffdb1..0000000
--- a/includes.container/usr/share/init.d/010-fsguard.sh
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-PACKAGES=/usr/share/abroot/package-summary
-if [ -s "$PACKAGES" ]; then
- echo "image not clean due to abroot pkg, skipping FSGuard"
- exit 0
-fi
-
-function failed() {
- /usr/bin/plymouth quit
- local squashfs="/usr/lib/fswarn/fswarn.squash"
- mount -t tmpfs -o rw,size=1G tmpfs /tmp
- local tmp="/tmp"
- chmod 0755 "$tmp"
- unsquashfs -q -L -follow -d /tmp "$squashfs"
- mount --rbind /dev "$tmp/dev"
-
- local resolution=$(chroot "$tmp" /bin/bash -c '/usr/sbin/fbset | /bin/grep "mode " | /bin/sed "s/\"//g" | /bin/sed "s/-0//g" | /usr/bin/gawk '\''BEGIN{FS=" "}; {print $2}'\''')
- clear
- tput cnorm
- echo -e "\033[1;0H"
- chroot "$tmp" /bin/bash -c "convert -resize $resolution -background black -gravity center -extent $resolution /verification_failed.png bgra:/dev/fb0"
- echo -e "\033[999;0H"
- read -sn1 input
- if [[ "$input" == "c" ]]; then
- echo -e "\033[1;0H"
- chroot "$tmp" /bin/bash -c "convert -resize $resolution -background black -gravity center -extent $resolution /continue_confirm.png bgra:/dev/fb0"
- echo -e "\033[999;0H"
- read -sn1 input
- if [[ "$input" == "y" ]]; then
- return
- else
- poweroff -f
- fi
- else
- poweroff -f
- fi
-}
-
-/usr/sbin/FsGuard verify "/FsGuard/filelist"
-if [[ $? -ne 0 ]]; then
- failed
-fi
diff --git a/modules/80-printers.yml b/modules/80-printers.yml
index 4bb57df..52fe0a6 100644
--- a/modules/80-printers.yml
+++ b/modules/80-printers.yml
@@ -14,3 +14,6 @@ sources:
 # Config
 - system-config-printer-common
 - system-config-printer-udev
+cleanup:
+ - /etc/ssl/certs/ssl-cert-snakeoil.pem
+ - /etc/ssl/private/ssl-cert-snakeoil.key
diff --git a/recipe.yml b/recipe.yml
index e16c082..9448433 100644
--- a/recipe.yml
+++ b/recipe.yml
@@ -1,6 +1,6 @@
 name: Vanilla Desktop
 id: desktop
-vibversion: 1.0.6
+vibversion: 1.1.0
 stages:
 - id: build
@@ -14,6 +14,17 @@ stages:
 runs:
 commands:
 - echo 'APT::Install-Recommends "1";' > /etc/apt/apt.conf.d/01norecommends
+ cleanup:
+ - /boot/initrd.img*
+ - /tmp/*
+ - /var/cache/apt/pkgcache.bin
+ - /var/cache/debconf
+ - /var/cache/dictionaries-common
+ - /var/cache/fontconfig
+ - /var/cache/ldconfig
+ - /var/cache/man
+ - /var/lib/dbus/machine-id
+ - /var/log/*
 modules:
 - name: init-setup
@@ -86,23 +97,11 @@ stages:
 - apt clean
 - lpkg --lock
 - rsync -a /etc/ /sysconf/
+ cleanup:
+ - /sysconf/resolv.conf
- - name: fsguard
- type: fsguard
- CustomFsGuard: false
- FsGuardLocation: "/usr/sbin/FsGuard"
- GenerateKey: true
- FilelistPaths: ["/usr/bin"]
- modules:
- - name: remove-prev-fsguard
- type: shell
- commands:
- - rm -rf /FsGuard
- - rm -f ./minisign.pub ./minisign.key
- - chmod +x /usr/share/init.d/010-fsguard.sh
-
- - name: cleanup2
- type: shell
+- id: initrd
+ base: build
+ runs:
 commands:
- - rm -rf /tmp/*
- - rm -rf /var/tmp/*
+ - touch $(readlink -f /initrd.img)
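Review bot: The new `cleanup:` list in `modules/80-printers.yml` deletes a private key from the image without saying why, so a later reader could mistake the entries for dead weight and drop them. A comment above the list would record the reason, for example `# snakeoil pair is generated when the package is installed; do not ship the build's private key, and keep the image reproducible`. If the `ssl-cert` tooling also created a hash-named symlink to the certificate under `/etc/ssl/certs` (not visible in this diff), that link is left dangling and belongs in the list as well. Anything in the image configured to use the snakeoil pair would then need it regenerated on the installed system.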
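Review bot: The `cleanup:` list added to the `build` stage in `recipe.yml` (hunk `@@ -14,6 +14,17 @@`) removes `/var/lib/dbus/machine-id` but not `/etc/machine-id`, and it does not cover `/var/tmp/*`, which the `cleanup2` module deleted in the last hunk used to clear. If `/etc/machine-id` is populated during the build, every system installed from the image would start with the same machine identifier, and the file would differ from build to build. Unless the base image or another part of the recipe handles this (not visible here), consider adding `- /etc/machine-id` (or truncating it, if first-boot logic expects the file to exist) and `- /var/tmp/*`.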
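Review bot: The new `initrd` stage's command `touch $(readlink -f /initrd.img)` in `recipe.yml` has no guard and no explanation of what it is for. `readlink -f` still prints a path when the final component is missing, so depending on whether the `build` stage's `/boot/initrd.img*` cleanup has already taken effect, this either updates the mtime of a real initrd or creates an empty file at the link target. If `/initrd.img` itself is absent, it silently creates a plain `/initrd.img`. A one-line comment stating the intent plus a guard that fails the build when the link is missing would make this explicit: `- test -L /initrd.img && touch "$(readlink -f /initrd.img)"`.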