diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..84ed640
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,72 @@
+name: Publish and Sign Container Image
+
+env:
+ REGISTRY: ghcr.io
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - .github/workflows/build.yml
+ - "**/Dockerfile"
+ schedule:
+ - cron: "17 07 * * 0"
+
+jobs:
+ build-push-image:
+ runs-on: ubuntu-24.04
+
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - image: spotify
+ file: distroboxes/spotify/Containerfile
+ - image: steam
+ file: distroboxes/steam/Containerfile
+
+ steps:
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+ with:
+ cosign-release: "v2.4.1"
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image }}-container
+ tags: |
+ latest
+ type=sha,format=long
+
+ - name: Log into ${{ env.REGISTRY }}
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.repository_owner }}
+ password: ${{ github.token }}
+
+ - name: Build and push container image
+ id: push-step
+ uses: docker/build-push-action@v6
+ with:
+ push: true
+ file: ${{ matrix.file }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Sign the container image
+ run: cosign sign --yes ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image }}-container@${{ steps.push-step.outputs.digest }} ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image }}-container:latest
diff --git a/distroboxes/spotify/Containerfile b/distroboxes/spotify/Containerfile
index 4e92206..3c84523 100644
--- a/distroboxes/spotify/Containerfile
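Review bot: The `paths` filter under `on.push` lists `"**/Dockerfile"`, but both matrix entries build from files named `Containerfile` (`distroboxes/spotify/Containerfile`, `distroboxes/steam/Containerfile`), so a push that changes those files never starts this workflow and the images are only rebuilt by the weekly cron; the entry should read `- "**/Containerfile"` (or list both patterns). Every action is referenced by a floating major tag (`docker/setup-buildx-action@v3`, `docker/metadata-action@v5`, `docker/login-action@v3`, `docker/build-push-action@v6`, `sigstore/cosign-installer@v3`); for a job that holds `packages: write` and `id-token: write` and produces signatures, pinning each `uses:` to a full-length commit SHA with the tag in a trailing comment keeps a retagged or compromised upstream release from silently changing what gets built and signed. The final `cosign sign` step signs the image twice, once by digest and once by the mutable `:latest` tag; only the digest reference has fixed content, so dropping the trailing `${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image }}-container:latest` argument avoids the tag-based signature that cosign v2 itself warns about. The `permissions` block is already minimal and is worth keeping that way as steps are added.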
+++ b/distroboxes/spotify/Containerfile
@@ -6,9 +6,12 @@ LABEL com.github.containers.toolbox="true" \
 summary="Container containing official spotify player." \
 maintainer="shubhamsharma@posteo.in"
-COPY --chmod=644 root/etc/apt/sources.list.d/spotify.list /etc/apt/sources.list.d/spotify.list
-COPY --chmod=644 root/etc/apt/trusted.gpg.d/spotify.gpg /etc/apt/trusted.gpg.d/spotify.gpg
-
+RUN curl -sS https://download.spotify.com/debian/pubkey_6224F9941A8AA6D1.gpg | \
+ gpg --dearmor --yes -o /etc/apt/trusted.gpg.d/spotify.gpg && \
+ echo "deb http://repository.spotify.com stable non-free" | \
+ tee /etc/apt/sources.list.d/spotify.list && \
+ ln -sf /usr/share/spotify/spotify.desktop /usr/share/applications/spotify.desktop && \
+ ln -sf /usr/share/spotify/icons/spotify_icon.ico /usr/share/icons/spotify.ico
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y upgrade && \
 DEBIAN_FRONTEND=noninteractive apt-get -y install \
diff --git a/distroboxes/spotify/root/etc/apt/sources.list.d/spotify.list b/distroboxes/spotify/root/etc/apt/sources.list.d/spotify.list
deleted file mode 100644
index 5e07ba9..0000000
--- a/distroboxes/spotify/root/etc/apt/sources.list.d/spotify.list
+++ /dev/null
@@ -1 +0,0 @@
-deb http://repository.spotify.com stable non-free
\ No newline at end of file
diff --git a/distroboxes/spotify/root/etc/apt/trusted.gpg.d/spotify.gpg b/distroboxes/spotify/root/etc/apt/trusted.gpg.d/spotify.gpg
deleted file mode 100644
index 33f9689..0000000
Binary files a/distroboxes/spotify/root/etc/apt/trusted.gpg.d/spotify.gpg and /dev/null differ
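Review bot: The new `RUN` replaces a vendored apt key with one fetched at build time via `curl -sS ... | gpg --dearmor`, but nothing verifies the download: `curl` is not given `-f`, so an HTTP error body is piped straight into `gpg`, and since `RUN` executes under `/bin/sh -c` without `pipefail` the pipeline's exit status is gpg's rather than curl's, so a failed fetch is only caught if gpg happens to reject the bytes it received before the `&&` chain configures the repository. Using `curl -fsSL` and adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` ahead of the instruction (assuming the base image ships bash) makes a bad download fail the build, and comparing the imported key's fingerprint against the expected value (the key ID `6224F9941A8AA6D1` already appears in the URL) would pin trust to the intended key rather than to whatever the CDN serves. The dearmored key is also placed in `/etc/apt/trusted.gpg.d/`, where apt honours it for every configured source; writing it to `/etc/apt/keyrings/spotify.gpg` and scoping the source line as `deb [signed-by=/etc/apt/keyrings/spotify.gpg] http://repository.spotify.com stable non-free` limits that key to the Spotify repository. The repository URL is plain `http://`; apt's signature check still protects package integrity, but if the mirror supports it, `https://` also keeps the package list out of view of the network path.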