name: Build veilor-os OCI (BlueBuild)

# v0.7 spike — builds the bootable OCI image used by the bootstrap
# kickstart's `ostreecontainer` directive. Active only on the
# `v0.7-bluebuild-spike` branch until the spike passes success
# criteria (see bluebuild/README.md).
#
# Reference: https://blue-build.org/how-to/setup-build-action/
#
# Security note: all `${{ }}` interpolations in this file are restricted
# to vetted GitHub-controlled values (repository_owner, run number,
# secrets, signed action outputs). No `github.event.issue.title` or
# similar untrusted-user-input is read in run blocks.

on:
  push:
    branches: [v0.7-bluebuild-spike]
    paths:
      - 'bluebuild/**'
      - 'overlay/**'
      - 'assets/**'
      - 'scripts/**'
      - '.github/workflows/build-bluebuild.yml'
  pull_request:
    branches: [main, v0.7-bluebuild-spike]
  schedule:
    # Rebuild weekly so we pick up upstream secureblue + Fedora updates.
    - cron: '0 6 * * 1'
  workflow_dispatch:

permissions:
  contents: read

jobs:
  build:
    name: Build + sign + push OCI
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    permissions:
      contents: read
      packages: write           # push to ghcr.io/veilor-org/veilor-os
      id-token: write           # cosign keyless signing via Sigstore
      attestations: write       # SLSA build provenance

    env:
      OCI_IMAGE: ghcr.io/${{ github.repository_owner }}/veilor-os
      OCI_TAG: latest

    steps:
      - name: Checkout
        # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
        # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
        uses: actions/checkout@v4.1.7

      - name: Free up disk
        run: |
          sudo rm -rf /opt/hostedtoolcache /usr/share/dotnet /usr/local/lib/android
          sudo apt-get clean
          df -h

      # BlueBuild action wraps: image build, cosign sign (keyless via
      # Sigstore), GHCR push. Pinned to a commit SHA per CI hardening
      # agent 8 (2026-05-05 wave). The trailing comment records the
      # tag the SHA resolved from, so future bumps stay legible.
      - name: Build + push veilor-os OCI
        id: bluebuild
        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
        with:
          recipe: bluebuild/recipe.yml
          registry_token: ${{ secrets.GITHUB_TOKEN }}
          pr_event_number: ${{ github.event.number }}
          maximize_build_space: true

      - name: Smoke-test OCI image
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        run: |
          podman pull "$OCI_IMAGE:$OCI_TAG"
          podman run --rm "$OCI_IMAGE:$OCI_TAG" /bin/bash -c '
            set -e
            echo "-- os-release"
            head -5 /etc/os-release
            echo "-- sudo present"; which sudo
            echo "-- mullvad-browser present"; which mullvad-browser
            echo "-- yggdrasil present"; which yggdrasil
            echo "-- tailscale present"; which tailscale
          '

      - name: SBOM (SPDX)
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        # Pinned to last v0 tag confirmed to ship on node20. The `@v0`
        # floating tag rolls forward and will eventually pull a node24
        # release. TODO(infra): SHA pin in a follow-up sweep.
        uses: anchore/sbom-action@v0.17.2
        with:
          image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }}
          format: spdx-json
          output-file: veilor-os-oci.spdx.json

      - name: Build provenance attestation
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        # Pinned to last v2 tag confirmed to ship on node20.
        uses: actions/attest-build-provenance@v2.2.3
        with:
          subject-name: ${{ env.OCI_IMAGE }}
          subject-digest: ${{ steps.bluebuild.outputs.digest }}