Cut over to Forgejo (monolith-os) + rotate signing keys #24

Open
TheDarkWizard wants to merge 11 commits from forgejo-cutover into main

Repoints the whole project from GitHub/GHCR to the self-hosted Forgejo at
forge.waywardinn.com under the monolith-os org, drops the monolith- image
prefix (gnome / gnome-nvidia), and rotates both signing keys.

Build / registry

  • build.yml: push to forge.waywardinn.com/monolith-os with the Forgejo Actions
    token; drop id-token and GH-runner space-maximizing
  • generate-iso.yml: Forgejo base image + registry login; drop GH-only disk reclaim
  • generate_release.yml: Forgejo login + image refs; create the release via the
    Forgejo API (replaces softprops/action-gh-release)
  • pr-rebase-hint.yml: Forgejo image ref + comment via the Forgejo API (replaces gh CLI)
  • changelog.py: commit/release links point at Forgejo
  • CODEOWNERS: BlueBuild template maintainers -> repo owner
  • removed .github/dependabot.yml (Forgejo ignores it; Renovate to follow)

Image / docs

  • recipes: image names + os-release URLs
  • iso/justfile/README: image refs, badge, rebase + verify commands

Signing keys (rotated)

  • New cosign + MOK keypairs; public halves committed here. Private halves set as
    Forgejo secrets SIGNING_SECRET / KERNEL_SIGNING_SECRET. No machine had the old
    MOK cert enrolled, so rotation is free.

Notes

  • Also carries the No-overview-at-start-up commit (this branch was cut from it),
    so PR #23 becomes redundant.
  • Verify on the runner: blue-build action pushing to the Forgejo registry with
    the Actions token (packages:write), and upload-artifact@v4 against this Forgejo
    version (may need v3 or push ISOs to the server instead).
  • rechunk intentionally NOT enabled (not in blue-build/github-action@v1.11 yet).
GNOME shows the Activities overview at boot before extensions finish
enabling, so gnome-ui-tune's overview tweaks don't apply to that first
overview until it's toggled. Suppressing the startup overview means the
first overview the user opens is post-load, so the tweaks apply correctly.

Adds no-overview@fthx (v23, supports GNOME 50) via the install list and
enables it in the gschema override.
Both private keys were only ever in the GitHub Actions secrets (write-only,
unrecoverable) and absent from local checkouts, so rotate rather than recover
ahead of the Forgejo cutover. Commits the new public halves; the new private
keys go into the Forgejo SIGNING_SECRET / KERNEL_SIGNING_SECRET secrets.

No machine has the old MOK cert enrolled yet, so rotating it now is free.
Cut over to Forgejo (forge.waywardinn.com/monolith-os)
Some checks failed
PR Rebase Hint / Post rebase command (pull_request) Successful in 3s
bluebuild / Build Custom Image-1 (pull_request) Failing after 1s
bluebuild / Build Custom Image (pull_request) Failing after 2s
bluebuild / Generate Release-1 (pull_request) Has been skipped
bluebuild / Generate Release (pull_request) Failing after 0s
aca9199643
Repoint everything from GitHub/GHCR to the self-hosted Forgejo at
forge.waywardinn.com under the monolith-os org, and drop the monolith-
prefix from image names (now gnome / gnome-nvidia).

- recipes: image names + os-release URLs
- justfile: BB_REGISTRY/namespace, generate-iso default, secret hint
- iso: Containerfile/build.sh base + install image refs
- README: badge, image table, rebase/verify commands, registry blurb
- build.yml: push to Forgejo registry w/ Actions token; drop id-token
  and GH-runner space-maximizing
- generate-iso.yml: Forgejo base image + registry login; drop GH-only
  disk reclaim
- generate_release.yml: Forgejo registry login + image refs; create the
  release via the Forgejo API instead of softprops/action-gh-release
- pr-rebase-hint.yml: Forgejo image ref + post the comment via the
  Forgejo API instead of the gh CLI
- changelog.py: commit/release links point at Forgejo
- CODEOWNERS: BlueBuild template maintainers -> repo owner
- drop .github/dependabot.yml (Forgejo ignores it; Renovate to follow)

🧪 Test this PR on a real install

Once the build checks on this PR pass, a signed test image is published for each edition. Pick the one matching your hardware and, from an existing Monolith install (which already has the signing policy), rebase onto it:

gnome

rpm-ostree rebase ostree-image-signed:docker://forge.waywardinn.com/monolith-os/gnome:pr-24-44
systemctl reboot

gnome-nvidia

rpm-ostree rebase ostree-image-signed:docker://forge.waywardinn.com/monolith-os/gnome-nvidia:pr-24-44
systemctl reboot

The tags are rebuilt on every new commit here, so rpm-ostree upgrade pulls the latest build. When you're done testing, return to your edition's released image (:latest).

The test tags stop updating once this PR is merged or closed.

Resolve blue-build action from github.com
Some checks failed
bluebuild / Build Custom Image-1 (pull_request) Failing after 2s
bluebuild / Build Custom Image (pull_request) Failing after 3s
bluebuild / Generate Release-1 (pull_request) Has been skipped
bluebuild / Generate Release (pull_request) Failing after 0s
ccc7d91e25
This Forgejo resolves bare uses: from data.forgejo.org, which doesn't mirror
blue-build/github-action; pin the full github.com URL so the runner can fetch
it. Temporary until DEFAULT_ACTIONS_URL=github (or moving to the CLI).
Pin blue-build action to lightweight v1.11.1 tag
Some checks failed
bluebuild / Build Custom Image-1 (pull_request) Failing after 37s
bluebuild / Build Custom Image (pull_request) Failing after 38s
bluebuild / Generate Release-1 (pull_request) Has been skipped
bluebuild / Generate Release (pull_request) Failing after 0s
a47ce8a519
v1.11 is an annotated tag; this Forgejo runner mishandles annotated tags
(resolves to the tag-object SHA, checks out the dereferenced commit, then
fails on the mismatch). v1.11.1 is the same commit as a lightweight tag.
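The tag-object vs commit mismatch described above, shown on a throwaway repo (added example, not part of the PR or the blue-build project; the repo, tag names and commit are constructed here): an annotated tag's SHA is the tag object, so a runner that checks out `rev-parse <tag>` and then compares it to the dereferenced commit will see two different SHAs, while a lightweight tag on the same commit resolves straight to the commit.

```bash
#!/usr/bin/env bash
# Demo: why an annotated tag resolves to a different SHA than the commit it points to.
set -eu

# Build a constructed repo with one commit, an annotated tag v1.11 and a
# lightweight tag v1.11.1 on the same commit (mirroring the blue-build case).
make_demo_repo() {
  local dir
  dir=$(mktemp -d)
  git -C "$dir" -c init.defaultBranch=main init -q
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q --allow-empty -m "release commit"
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    tag -a v1.11 -m "annotated release tag"
  git -C "$dir" tag v1.11.1          # lightweight tag: just a ref to the commit
  echo "$dir"
}

# Print "<sha the ref resolves to> <commit it dereferences to>".
resolve_tag() {
  local dir=$1 tag=$2 obj commit
  obj=$(git -C "$dir" rev-parse "$tag")
  commit=$(git -C "$dir" rev-parse "$tag^{commit}")
  echo "$obj $commit"
}

# Exit 0 when the ref's SHA is itself the commit (a naive runner check passes),
# exit 1 when the ref is a tag object (the mismatch the commit message describes).
tag_is_direct_commit() {
  local dir=$1 tag=$2
  set -- $(resolve_tag "$dir" "$tag")
  [ "$1" = "$2" ]
}
```

A runner that wants to accept annotated tags should compare against `rev-parse "$tag^{commit}"` (or `git rev-list -n1 "$tag"`) rather than the raw ref SHA.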
Revert blue-build action to bare ref for Renovate
Some checks failed
bluebuild / Build Custom Image-1 (pull_request) Failing after 21s
bluebuild / Build Custom Image (pull_request) Failing after 22s
bluebuild / Generate Release-1 (pull_request) Has been skipped
bluebuild / Generate Release (pull_request) Failing after 0s
0f52eb61cf
DEFAULT_ACTIONS_URL=github now resolves bare uses: from github.com, so drop the
full-URL workaround. Bare owner/repo@ref is what Renovate's github-actions
manager bumps, so this needs no customManager later. Stays on v1.11.1 (the
runner mishandles the annotated v1.11 tag).
Name matrix build jobs by recipe
Some checks failed
bluebuild / Build Custom Image (recipe-gnome-nvidia.yml) (pull_request) Failing after 12s
bluebuild / Build Custom Image (recipe-gnome.yml) (pull_request) Failing after 12s
bluebuild / Generate Release-1 (pull_request) Has been skipped
bluebuild / Generate Release (pull_request) Failing after 0s
b532230e81
Forgejo doesn't auto-append the matrix value to the job name like GitHub does
(it just suffixes -1), so include ${{ matrix.recipe }} explicitly for readable
per-edition job names on both.
Rename release caller job to disambiguate Forgejo rows
Some checks failed
bluebuild / Build Custom Image (recipe-gnome.yml) (pull_request) Failing after 33s
bluebuild / Build Custom Image (recipe-gnome-nvidia.yml) (pull_request) Failing after 34s
bluebuild / Generate Release (pull_request) Has been skipped
bluebuild / Release (pull_request) Failing after 0s
8956366e3d
Forgejo renders a reusable-workflow call as two rows (caller + callee). Both
were named 'Generate Release'; rename the caller to 'Release' so they read
'Release' / 'Generate Release' instead of two identical names.
Pin blue-build cli_version to skip github.com API lookup
Some checks failed
bluebuild / Build Custom Image (recipe-gnome.yml) (pull_request) Failing after 16m57s
bluebuild / Build Custom Image (recipe-gnome-nvidia.yml) (pull_request) Failing after 18m11s
bluebuild / Generate Release (pull_request) Has been skipped
bluebuild / Release (pull_request) Failing after 0s
b1fc12612e
The action resolves the latest CLI tag by curling api.github.com with the
Actions token as bearer auth. On Forgejo that token is a Forgejo token, which
github.com rejects with 401 (and act-22.04's old curl couldn't parse the
--variable flag the call uses). Pinning cli_version uses the value directly and
skips the lookup. v0.9.35 is current latest.
Fix registry push auth + signing registry
Some checks failed
bluebuild / Build Custom Image (recipe-gnome.yml) (pull_request) Failing after 1m54s
bluebuild / Build Custom Image (recipe-gnome-nvidia.yml) (pull_request) Failing after 4m9s
bluebuild / Generate Release (pull_request) Has been skipped
bluebuild / Release (pull_request) Failing after 0s
94f8230eaa
- Push 401 (reqPackageAccess): the auto Actions token can't write packages to
  the monolith-os org. Use a write:package PAT (REGISTRY_TOKEN secret) with a
  username that has org access.
- Signing baked ghcr.io into the cosign policy because BB_REGISTRY wasn't set in
  the action env (only the justfile sets it). Pin BB_REGISTRY/NAMESPACE on the
  job so IMAGE_REGISTRY matches the real push target.
Push images via registry.waywardinn.com to dodge the Cloudflare 413
Some checks failed
bluebuild / Build Custom Image (recipe-gnome.yml) (pull_request) Successful in 11m11s
bluebuild / Build Custom Image (recipe-gnome-nvidia.yml) (pull_request) Failing after 11m36s
bluebuild / Generate Release (pull_request) Has been skipped
bluebuild / Release (pull_request) Failing after 0s
3bfbcadfc1
forge.waywardinn.com sits behind a Cloudflare tunnel that caps request bodies at
100MB, so large layer pushes fail with a 413. registry.waywardinn.com is a direct
grey-cloud record to the origin, so point only the blue-build push target at it.
Pulls, the cosign policy (BB_REGISTRY), the README, and the ISO stay on
forge.waywardinn.com. Forgejo stores the image as monolith-os/<edition> no matter
which host pushed it, so tunnel pulls resolve the same package.