Move brave-keyring rebuild to silverblue-shared-builder-brave

.github/workflows/build.yml

@@ -39,6 +39,33 @@ jobs:
           extra-args: |
             --disable-content-trust
 
+  silverblue-shared-builder-brave-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Build container image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          context: "silverblue-shared-builder-brave"
+          containerfiles: "silverblue-shared-builder-brave/Containerfile"
+          image: silverblue-shared-builder-brave
+          layers: false
+          oci: true
+
+      - name: Push to ghcr.io
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: silverblue-shared-builder-brave
+          tags: "latest"
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          extra-args: |
+            --disable-content-trust
+
+
   silverblue-zfs-base-build:
     runs-on: ubuntu-latest
     steps:

silverblue-shared-builder-brave/Containerfile

@@ -0,0 +1,21 @@
+FROM fedora:40 as builder
+
+# Setup dnf
+RUN dnf install -y dnf-plugins-core && \
+    dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo && \
+    rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc && \
+    dnf clean metadata
+
+# Download the brave-keyring rpm
+RUN cd /root && \
+    dnf download brave-browser brave-keyring liberation-fonts && \
+    dnf -y install rpmrebuild && \
+    dnf clean metadata
+
+# Rebuild the brave-keyring rpm (needs to be rebuilt without %post to make it compatible with silverblue)
+RUN cd /root && \
+    rpmrebuild --package --change-files='echo > "$RPMREBUILD_TMPDIR/work/post.1"' -d ./new_pkg/ brave-keyring*.rpm && \
+    ls -la --color /root/new_pkg/noarch
+
+FROM scratch
+COPY --from=builder /root/new_pkg/noarch /rpms

silverblue-shared-builder-brave/build.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+RED='\033[0;31m'
+NO_COLOR='\033[0m'
+
+set -eou pipefail
+
+
+err_report() {
+    echo
+    echo
+    echo -e "${RED}Error $1 occured on line $2${NO_COLOR}"
+    echo
+    exit $1
+}
+
+trap 'err_report $? $LINENO' ERR
+
+cd $(dirname $0)
+
+IMGNAME=$(basename $PWD)
+DATESTAMP=$(date +%Y-%m-%d)
+
+time podman build $@ . -t "${IMGNAME}:${DATESTAMP}" -t "${IMGNAME}:latest" -t "ghcr.io/twiest/${IMGNAME}:latest"

silverblue-shared-builder-brave/files/download-kernels.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Adapted / simplified for my use case from:
+#     https://github.com/ublue-os/kernel-cache/tree/main
+
+set -euo pipefail
+
+mkdir /tmp/rpms
+cd /tmp/rpms
+
+arch=x86_64
+kernel_release=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:stable | jq -r '.Labels["ostree.linux"]')
+
+kernel_major=$(echo "$kernel_release" | cut -d '.' -f 1)
+kernel_minor=$(echo "$kernel_release" | cut -d '.' -f 2)
+kernel_patch=$(echo "$kernel_release" | cut -d '.' -f 3 | cut -d '-' -f 1)
+kernel_distro_magic=$(echo "$kernel_release" | cut -d '.' -f 3 | cut -d '-' -f 2)
+kernel_distro=$(echo "$kernel_release" | cut -d '.' -f 4)
+kernel_arch=$(echo "$kernel_release" | cut -d '.' -f 5)
+kernel_version=${kernel_major}.${kernel_minor}.${kernel_patch}-${kernel_distro_magic}.${kernel_distro}.${kernel_arch}
+
+if [ $# -gt 0 ] && [ "$1" == "--debug" ]; then
+    echo kernel_major: $kernel_major
+    echo kernel_minor: $kernel_minor
+    echo kernel_patch: $kernel_patch
+    echo kernel_distro_magic: $kernel_distro_magic
+    echo kernel_distro: $kernel_distro
+    echo kernel_arch: $kernel_arch
+    echo kernel_version: $kernel_version
+fi
+
+
+kernel_pkg_base="https://kojipkgs.fedoraproject.org/packages/kernel/${kernel_major}.${kernel_minor}.${kernel_patch}/${kernel_distro_magic}.${kernel_distro}/${kernel_arch}"
+
+for pkg in kernel kernel-modules kernel-modules-core kernel-modules-extra kernel-devel kernel-devel-matched kernel-uki-virt; do
+  echo "Running: dnf download -y ${kernel_pkg_base}/${pkg}-$kernel_version.rpm"
+  dnf download -y "${kernel_pkg_base}/${pkg}-$kernel_version.rpm"
+  echo
+done
+
+echo --------------------------------------------------------------------------------
+echo
+echo Results:
+echo
+pwd
+ls -la --color
+echo
+echo --------------------------------------------------------------------------------

silverblue-thinkpad-t470/Containerfile

@@ -1,23 +1,4 @@
-FROM fedora:40 as builder
-
-# Setup dnf
-RUN dnf install -y dnf-plugins-core && \
-    dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo && \
-    rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc && \
-    dnf clean metadata
-
-# Download the brave-keyring rpm
-RUN cd /root && \
-    dnf download brave-browser brave-keyring liberation-fonts && \
-    dnf -y install rpmrebuild && \
-    dnf clean metadata
-
-# Rebuild the brave-keyring rpm (needs to be rebuilt without %post to make it compatible with silverblue)
-RUN cd /root && \
-    rpmrebuild --package --change-files='echo > "$RPMREBUILD_TMPDIR/work/post.1"' -d ./new_pkg/ brave-keyring*.rpm && \
-    ls -la --color /root/new_pkg/noarch
-
-
+FROM ghcr.io/twiest/silverblue-shared-builder-brave:latest as builder
 
 FROM ghcr.io/twiest/silverblue-base:latest
 
@@ -52,7 +33,7 @@ RUN mv /usr/share/python-validity/playground /usr/share/python-validity-playgrou
     echo 'L /var/lib/python-validity/playground - - - - /usr/share/python-validity-playground' >> /usr/lib/tmpfiles.d/python-validity.conf
 
 # Install rebuilt / silverblue compatible brave-keyring
-COPY --from=builder /root/new_pkg/noarch/brave-keyring*.rpm /tmp
+COPY --from=builder /rpms/brave-keyring*.rpm /tmp
 RUN rpm-ostree install /tmp/brave-keyring*.rpm && \
     rm /tmp/brave-keyring*.rpm && \
     # cleanup and verification stage