feat(atp): build directly from atp source (1/2) #45
- Prevent bluebuild from pushing the image if it's a PR from an external repo
- Build atp-common on PR if the according files are edited
Pull request overview
Adds infrastructure to build AeroThemePlasma (ATP) directly from upstream source into a reusable “atp-common” OCI layer image, and updates CI to support safer PR builds.
Changes:
- Add `atp-common/Containerfile` to build ATP from a Kinoite base and export required system files into a scratch image layer.
- Add `.github/workflows/build-atp.yml` to build/push/sign the `atp-common` image on changes.
- Update `.github/workflows/build.yml` to use a newer `blue-build/github-action` and avoid pushing/signing on fork PRs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `atp-common/Containerfile` | Builds ATP from upstream source and collects installed files into /system_files for layering. |
| `.github/workflows/build.yml` | Updates BlueBuild action version and adds conditional push/sign behavior for fork PRs. |
| `.github/workflows/build-atp.yml` | Introduces a dedicated workflow to build/push/sign the atp-common OCI image. |
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
|
|
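Review bot: `uses: actions/checkout@v6` in the "Checkout repository" step references a mutable version tag rather than a full commit SHA. This workflow builds the image that is later pushed and signed, so pin the action to a full commit SHA (keeping the tag name in a trailing comment) so that a retagged release cannot change the code that runs in this job.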
This workflow runs podman build but does not install Podman on ubuntu-latest (contrast with .github/workflows/build-rpm.yml, which installs it). Add a Podman setup/install step before the build to prevent the workflow from failing.
| - name: Install Podman | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y podman |
| WORKDIR /build | ||
| RUN git clone https://gitgud.io/wackyideas/aerothemeplasma.git --depth 1 |
git clone ... --depth 1 makes the build non-reproducible and increases supply-chain risk because it always pulls the current default branch state. Pin the clone to a specific commit/tag (e.g., via a build ARG) so the produced layer is deterministic.
| WORKDIR /build | |
| RUN git clone https://gitgud.io/wackyideas/aerothemeplasma.git --depth 1 | |
| ARG AEROTHEMEPLASMA_REF=<PINNED_COMMIT_OR_TAG> | |
| WORKDIR /build | |
| RUN git clone https://gitgud.io/wackyideas/aerothemeplasma.git aerothemeplasma && \ | |
| cd /build/aerothemeplasma && \ | |
| git checkout "$AEROTHEMEPLASMA_REF" |
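Review bot: `ARG AEROTHEMEPLASMA_REF=<PINNED_COMMIT_OR_TAG>` still permits a tag, and `git checkout "$AEROTHEMEPLASMA_REF"` resolves whatever that name points to upstream at build time, so the layer is deterministic only when the value is a full commit SHA. Suggest documenting that the ARG must be a full SHA and failing the `RUN` step when `git rev-parse HEAD` does not match it. The replacement clone also drops `--depth 1`, so it now downloads the full history on every build; say whether that is intended.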
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
ledif left a comment
Thanks, LGTM. We can deal with pinning a specific SHA for a later commit.
Related to #44
This PR adds a Dockerfile and GitHub Action config file in order to build ATP from a Kinoite ublue image (closest to Bazzite).
Then it copies all files to the correct file structure and publishes an atp-common image that can be imported (simply by copying the file to the image) in future builds of winblues7.