Cut over to Forgejo (monolith-os) + rotate signing keys #24

Open

TheDarkWizard wants to merge 11 commits from forgejo-cutover into main

pull from: forgejo-cutover

merge into: monolith-os:main

monolith-os:main

monolith-os:no-overview-at-startup

Conversation 1 Commits 11 Files changed 17 +113 -77

TheDarkWizard commented 2026-06-30 03:17:38 +00:00

Owner

Copy link

Repoints the whole project from GitHub/GHCR to the self-hosted Forgejo at
forge.waywardinn.com under the monolith-os org, drops the monolith- image
prefix (gnome / gnome-nvidia), and rotates both signing keys.

Build / registry

• build.yml: push to forge.waywardinn.com/monolith-os with the Forgejo Actions
  token; drop id-token and GH-runner space-maximizing
• generate-iso.yml: Forgejo base image + registry login; drop GH-only disk reclaim
• generate_release.yml: Forgejo login + image refs; create the release via the
  Forgejo API (replaces softprops/action-gh-release)
• pr-rebase-hint.yml: Forgejo image ref + comment via the Forgejo API (replaces gh CLI)
• changelog.py: commit/release links point at Forgejo
• CODEOWNERS: BlueBuild template maintainers -> repo owner
• removed .github/dependabot.yml (Forgejo ignores it; Renovate to follow)

Image / docs

• recipes: image names + os-release URLs
• iso/justfile/README: image refs, badge, rebase + verify commands

Signing keys (rotated)

• New cosign + MOK keypairs; public halves committed here. Private halves set as
  Forgejo secrets SIGNING_SECRET / KERNEL_SIGNING_SECRET. No machine had the old
  MOK cert enrolled, so rotation is free.

Notes

• Also carries the No-overview-at-start-up commit (this branch was cut from it),
  so PR #23 becomes redundant.
• Verify on the runner: blue-build action pushing to the Forgejo registry with
  the Actions token (packages:write), and upload-artifact@v4 against this Forgejo
  version (may need v3 or push ISOs to the server instead).
• rechunk intentionally NOT enabled (not in blue-build/github-action@v1.11 yet).

Repoints the whole project from GitHub/GHCR to the self-hosted Forgejo at forge.waywardinn.com under the monolith-os org, drops the monolith- image prefix (gnome / gnome-nvidia), and rotates both signing keys. ## Build / registry - build.yml: push to forge.waywardinn.com/monolith-os with the Forgejo Actions token; drop id-token and GH-runner space-maximizing - generate-iso.yml: Forgejo base image + registry login; drop GH-only disk reclaim - generate_release.yml: Forgejo login + image refs; create the release via the Forgejo API (replaces softprops/action-gh-release) - pr-rebase-hint.yml: Forgejo image ref + comment via the Forgejo API (replaces gh CLI) - changelog.py: commit/release links point at Forgejo - CODEOWNERS: BlueBuild template maintainers -> repo owner - removed .github/dependabot.yml (Forgejo ignores it; Renovate to follow) ## Image / docs - recipes: image names + os-release URLs - iso/justfile/README: image refs, badge, rebase + verify commands ## Signing keys (rotated) - New cosign + MOK keypairs; public halves committed here. Private halves set as Forgejo secrets SIGNING_SECRET / KERNEL_SIGNING_SECRET. No machine had the old MOK cert enrolled, so rotation is free. ## Notes - Also carries the No-overview-at-start-up commit (this branch was cut from it), so PR #23 becomes redundant. - Verify on the runner: blue-build action pushing to the Forgejo registry with the Actions token (packages:write), and upload-artifact@v4 against this Forgejo version (may need v3 or push ISOs to the server instead). - rechunk intentionally NOT enabled (not in blue-build/github-action@v1.11 yet).

TheDarkWizard added 3 commits 2026-06-30 03:17:38 +00:00

Add No overview at start-up extension ... 40a9f1b8f0

GNOME shows the Activities overview at boot before extensions finish
enabling, so gnome-ui-tune's overview tweaks don't apply to that first
overview until it's toggled. Suppressing the startup overview means the
first overview the user opens is post-load, so the tweaks apply correctly.

Adds no-overview@fthx (v23, supports GNOME 50) via the install list and
enables it in the gschema override.

Rotate cosign and MOK signing keys ... 69f4ef5346

Both private keys were only ever in the GitHub Actions secrets (write-only,
unrecoverable) and absent from local checkouts, so rotate rather than recover
ahead of the Forgejo cutover. Commits the new public halves; the new private
keys go into the Forgejo SIGNING_SECRET / KERNEL_SIGNING_SECRET secrets.

No machine has the old MOK cert enrolled yet, so rotating it now is free.

Cut over to Forgejo (forge.waywardinn.com/monolith-os) ... aca9199643

Repoint everything from GitHub/GHCR to the self-hosted Forgejo at
forge.waywardinn.com under the monolith-os org, and drop the monolith-
prefix from image names (now gnome / gnome-nvidia).

- recipes: image names + os-release URLs
- justfile: BB_REGISTRY/namespace, generate-iso default, secret hint
- iso: Containerfile/build.sh base + install image refs
- README: badge, image table, rebase/verify commands, registry blurb
- build.yml: push to Forgejo registry w/ Actions token; drop id-token
  and GH-runner space-maximizing
- generate-iso.yml: Forgejo base image + registry login; drop GH-only
  disk reclaim
- generate_release.yml: Forgejo registry login + image refs; create the
  release via the Forgejo API instead of softprops/action-gh-release
- pr-rebase-hint.yml: Forgejo image ref + post the comment via the
  Forgejo API instead of the gh CLI
- changelog.py: commit/release links point at Forgejo
- CODEOWNERS: BlueBuild template maintainers -> repo owner
- drop .github/dependabot.yml (Forgejo ignores it; Renovate to follow)

forgejo-actions commented 2026-06-30 03:17:43 +00:00

Copy link

🧪 Test this PR on a real install

Once the build checks on this PR pass, a signed test image is published for each edition. Pick the one matching your hardware and, from an existing Monolith install (which already has the signing policy), rebase onto it:

gnome

rpm-ostree rebase ostree-image-signed:docker://forge.waywardinn.com/monolith-os/gnome:pr-24-44
systemctl reboot

gnome-nvidia

rpm-ostree rebase ostree-image-signed:docker://forge.waywardinn.com/monolith-os/gnome-nvidia:pr-24-44
systemctl reboot

The tags are rebuilt on every new commit here, so rpm-ostree upgrade pulls the latest build. When you're done testing, return to your edition's released image (:latest).

The test tags stop updating once this PR is merged or closed.

### 🧪 Test this PR on a real install **Once the build checks on this PR pass**, a signed test image is published for each edition. Pick the one matching your hardware and, from an existing Monolith install (which already has the signing policy), rebase onto it: **`gnome`** ```bash rpm-ostree rebase ostree-image-signed:docker://forge.waywardinn.com/monolith-os/gnome:pr-24-44 systemctl reboot ``` **`gnome-nvidia`** ```bash rpm-ostree rebase ostree-image-signed:docker://forge.waywardinn.com/monolith-os/gnome-nvidia:pr-24-44 systemctl reboot ``` The tags are rebuilt on every new commit here, so `rpm-ostree upgrade` pulls the latest build. When you're done testing, return to your edition's released image (`:latest`). _The test tags stop updating once this PR is merged or closed._

TheDarkWizard added 1 commit 2026-06-30 03:27:23 +00:00

Resolve blue-build action from github.com ... ccc7d91e25

This Forgejo resolves bare uses: from data.forgejo.org, which doesn't mirror
blue-build/github-action; pin the full github.com URL so the runner can fetch
it. Temporary until DEFAULT_ACTIONS_URL=github (or moving to the CLI).

TheDarkWizard added 1 commit 2026-06-30 03:34:04 +00:00

Pin blue-build action to lightweight v1.11.1 tag ... a47ce8a519

v1.11 is an annotated tag; this Forgejo runner mishandles annotated tags
(resolves to the tag-object SHA, checks out the dereferenced commit, then
fails on the mismatch). v1.11.1 is the same commit as a lightweight tag.

TheDarkWizard added 1 commit 2026-06-30 03:48:01 +00:00

Revert blue-build action to bare ref for Renovate ... 0f52eb61cf

DEFAULT_ACTIONS_URL=github now resolves bare uses: from github.com, so drop the
full-URL workaround. Bare owner/repo@ref is what Renovate's github-actions
manager bumps, so this needs no customManager later. Stays on v1.11.1 (the
runner mishandles the annotated v1.11 tag).

TheDarkWizard added 1 commit 2026-06-30 04:07:54 +00:00

Name matrix build jobs by recipe ... b532230e81

Forgejo doesn't auto-append the matrix value to the job name like GitHub does
(it just suffixes -1), so include ${{ matrix.recipe }} explicitly for readable
per-edition job names on both.

TheDarkWizard added 1 commit 2026-06-30 04:11:27 +00:00

Rename release caller job to disambiguate Forgejo rows ... 8956366e3d

Forgejo renders a reusable-workflow call as two rows (caller + callee). Both
were named 'Generate Release'; rename the caller to 'Release' so they read
'Release' / 'Generate Release' instead of two identical names.

TheDarkWizard added 1 commit 2026-06-30 04:19:43 +00:00

Pin blue-build cli_version to skip github.com API lookup ... b1fc12612e

The action resolves the latest CLI tag by curling api.github.com with the
Actions token as bearer auth. On Forgejo that token is a Forgejo token, which
github.com rejects with 401 (and act-22.04's old curl couldn't parse the
--variable flag the call uses). Pinning cli_version uses the value directly and
skips the lookup. v0.9.35 is current latest.

TheDarkWizard added 1 commit 2026-06-30 06:24:29 +00:00

Fix registry push auth + signing registry ... 94f8230eaa

- Push 401 (reqPackageAccess): the auto Actions token can't write packages to
  the monolith-os org. Use a write:package PAT (REGISTRY_TOKEN secret) with a
  username that has org access.
- Signing baked ghcr.io into the cosign policy because BB_REGISTRY wasn't set in
  the action env (only the justfile sets it). Pin BB_REGISTRY/NAMESPACE on the
  job so IMAGE_REGISTRY matches the real push target.

TheDarkWizard added 1 commit 2026-06-30 07:24:09 +00:00

Push images via registry.waywardinn.com to dodge the Cloudflare 413 ... 3bfbcadfc1

forge.waywardinn.com sits behind a Cloudflare tunnel that caps request bodies at
100MB, so large layer pushes fail with a 413. registry.waywardinn.com is a direct
grey-cloud record to the origin, so point only the blue-build push target at it.
Pulls, the cosign policy (BB_REGISTRY), the README, and the ISO stay on
forge.waywardinn.com. Forgejo stores the image as monolith-os/<edition> no matter
which host pushed it, so tunnel pulls resolve the same package.

Some checks failed

Hide all checks

bluebuild / Build Custom Image (recipe-gnome.yml) (pull_request) Successful in 11m11s

Details

bluebuild / Build Custom Image (recipe-gnome-nvidia.yml) (pull_request) Failing after 11m36s

Details

bluebuild / Generate Release (pull_request) Has been skipped

Details

bluebuild / Release (pull_request) Failing after 0s

Details

This pull request can be merged automatically.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin forgejo-cutover:forgejo-cutover

git switch forgejo-cutover

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main

git merge --no-ff forgejo-cutover

git switch forgejo-cutover

git rebase main

git switch main

git merge --ff-only forgejo-cutover

git switch forgejo-cutover

git rebase main

git switch main

git merge --no-ff forgejo-cutover

git switch main

git merge --squash forgejo-cutover

git switch main

git merge --ff-only forgejo-cutover

git switch main

git merge forgejo-cutover

git push origin main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something isn't working

  

dependencies

Pull requests that update a dependency file

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

github_actions

Pull requests that update GitHub Actions code

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

wontfix

This will not be worked on

No labels

bug

dependencies

documentation

duplicate

enhancement

github_actions

good first issue

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

monolith-os/monolith!24

No description provided.