Merge branch 'ublue-os-main' into live

.github/workflows/build-bluefin-toolbox.yml

@@ -3,7 +3,7 @@ on:
   schedule:
     - cron: '20 22 * * *'  # 10:20pm everyday
   pull_request:
-  merge_group:    
+  merge_group:
   workflow_dispatch:
 env:
     IMAGE_NAME: bluefin-cli
@@ -24,11 +24,19 @@ jobs:
       id-token: write
     strategy:
       fail-fast: false
-    steps: 
+    steps:
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
-
+
+      - name: Verify base container
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: wolfi-base
+          cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
+          oidc-issuer: https://token.actions.githubusercontent.com
+          registry: cgr.dev/chainguard
+
       # Build metadata
       - name: Image Metadata
         uses: docker/metadata-action@v5
@@ -73,8 +81,6 @@ jobs:
           registry: ${{ steps.registry_case.outputs.lowercase }}
           username: ${{ env.REGISTRY_USER }}
           password: ${{ env.REGISTRY_PASSWORD }}
-          extra-args: |
-            --disable-content-trust
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3

.github/workflows/build-fedora-toolbox.yml

@@ -3,7 +3,7 @@ on:
   schedule:
     - cron: '20 22 * * *'  # 10:20pm everyday
   pull_request:
-  merge_group:    
+  merge_group:
   workflow_dispatch:
 env:
     IMAGE_NAME: fedora-toolbox
@@ -24,11 +24,16 @@ jobs:
       id-token: write
     strategy:
       fail-fast: false
-    steps: 
+    steps:
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
-
+
+      - name: Verify Fedora distrobox
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: fedora-distrobox:latest
+
       # Build metadata
       - name: Image Metadata
         uses: docker/metadata-action@v5
@@ -50,7 +55,7 @@ jobs:
           tags: ${{ env.IMAGE_TAGS }}
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
-          
+
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
       # https://github.com/macbre/push-to-ghcr/issues/12
       - name: Lowercase Registry
@@ -73,17 +78,14 @@ jobs:
           registry: ${{ steps.registry_case.outputs.lowercase }}
           username: ${{ env.REGISTRY_USER }}
           password: ${{ env.REGISTRY_PASSWORD }}
-          extra-args: |
-            --disable-content-trust
-            
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-            
+
       # Sign container
       - uses: sigstore/[email protected]
         if: github.event_name != 'pull_request'

.github/workflows/build-ubuntu-toolbox.yml

@@ -3,7 +3,7 @@ on:
   schedule:
     - cron: '20 22 * * *'  # 10:20pm everyday
   pull_request:
-  merge_group:    
+  merge_group:
   workflow_dispatch:
 env:
     IMAGE_NAME: ubuntu-toolbox
@@ -24,11 +24,18 @@ jobs:
       id-token: write
     strategy:
       fail-fast: false
-    steps: 
+    steps:
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
-
+
+      - name: Verify Ubuntu toolbox
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: ubuntu-toolbox:22.04
+          pubkey: https://raw.githubusercontent.com/toolbx-images/images/main/quay.io-toolbx-images.pub
+          registry: quay.io/toolbx-images
+
       # Build metadata
       - name: Image Metadata
         uses: docker/metadata-action@v5
@@ -50,7 +57,7 @@ jobs:
           tags: ${{ env.IMAGE_TAGS }}
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
-          
+
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
       # https://github.com/macbre/push-to-ghcr/issues/12
       - name: Lowercase Registry
@@ -73,17 +80,14 @@ jobs:
           registry: ${{ steps.registry_case.outputs.lowercase }}
           username: ${{ env.REGISTRY_USER }}
           password: ${{ env.REGISTRY_PASSWORD }}
-          extra-args: |
-            --disable-content-trust
-            
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-            
+
       # Sign container
       - uses: sigstore/[email protected]
         if: github.event_name != 'pull_request'

.github/workflows/build-wolfi-toolbox.yml

@@ -3,7 +3,7 @@ on:
   schedule:
     - cron: '20 22 * * *'  # 10:20pm everyday
   pull_request:
-  merge_group:    
+  merge_group:
   workflow_dispatch:
 env:
     IMAGE_NAME: wolfi-toolbox
@@ -24,11 +24,19 @@ jobs:
       id-token: write
     strategy:
       fail-fast: false
-    steps: 
+    steps:
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
-
+
+      - name: Verify base container
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: wolfi-base
+          cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
+          oidc-issuer: https://token.actions.githubusercontent.com
+          registry: cgr.dev/chainguard
+
       # Build metadata
       - name: Image Metadata
         uses: docker/metadata-action@v5
@@ -73,8 +81,6 @@ jobs:
           registry: ${{ steps.registry_case.outputs.lowercase }}
           username: ${{ env.REGISTRY_USER }}
           password: ${{ env.REGISTRY_PASSWORD }}
-          extra-args: |
-            --disable-content-trust
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3

.github/workflows/build.yml

@@ -41,13 +41,27 @@ jobs:
             is_stable_version: true
             is_gts_version: false
     steps:
-      - name: Maximize build space
-        uses: ublue-os/remove-unwanted-software@v6
-
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      - name: Verify base image
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: silverblue-${{ matrix.image_flavor }}:${{ matrix.major_version }}
+
+      - name: Verify Chainguard images
+        if: matrix.base_name != 'bluefin'
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: dive, flux, helm, ko, minio, kubectl
+          cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
+          oidc-issuer: https://token.actions.githubusercontent.com
+          registry: cgr.dev/chainguard
+
+      - name: Maximize build space
+        uses: ublue-os/remove-unwanted-software@v6
+
       - name: Check just syntax
         uses: ublue-os/just-action@v1
 
@@ -185,8 +199,6 @@ jobs:
           registry: ${{ steps.registry_case.outputs.lowercase }}
           username: ${{ env.REGISTRY_USER }}
           password: ${{ env.REGISTRY_PASSWORD }}
-          extra-args: |
-            --disable-content-trust
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3

Containerfile

@@ -73,6 +73,7 @@ RUN wget https://copr.fedorainfracloud.org/coprs/ublue-os/bling/repo/fedora-$(rp
     /tmp/build.sh && \
     /tmp/image-info.sh && \
     pip install --prefix=/usr yafti && \
+    pip install --prefix=/usr topgrade && \
     mkdir -p /usr/etc/flatpak/remotes.d && \
     wget -q https://dl.flathub.org/repo/flathub.flatpakrepo -P /usr/etc/flatpak/remotes.d && \
     cp /tmp/ublue-update.toml /usr/etc/ublue-update/ublue-update.toml && \
@@ -91,10 +92,10 @@ RUN wget https://copr.fedorainfracloud.org/coprs/ublue-os/bling/repo/fedora-$(rp
     rm -f /etc/yum.repos.d/charm.repo && \
     rm -f /etc/yum.repos.d/_copr_ublue-os-bling.repo && \
     rm -f /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo && \
-    rm -f /usr/share/applications/fish.desktop && \
-    rm -f /usr/share/applications/htop.desktop && \
-    rm -f /usr/share/applications/nvtop.desktop && \
-    rm -fr /usr/share/applications/gnome-system-monitor.desktop && \
+    echo "Hidden=true" >> /usr/share/applications/fish.desktop && \
+    echo "Hidden=true" >> /usr/share/applications/htop.desktop && \
+    echo "Hidden=true" >> /usr/share/applications/nvtop.desktop && \
+    echo "Hidden=true" >> /usr/share/applications/gnome-system-monitor.desktop && \
     sed -i 's/#DefaultTimeoutStopSec.*/DefaultTimeoutStopSec=15s/' /etc/systemd/user.conf && \
     sed -i 's/#DefaultTimeoutStopSec.*/DefaultTimeoutStopSec=15s/' /etc/systemd/system.conf && \
     sed -i '/^PRETTY_NAME/s/Silverblue/Bluefin/' /usr/lib/os-release && \
@@ -133,9 +134,13 @@ RUN wget https://copr.fedorainfracloud.org/coprs/ganto/lxc4/repo/fedora-"${FEDOR
 RUN /tmp/build.sh && \
     /tmp/image-info.sh
 
+## power-profiles-daemon with amd p-state support, remove when this is upstream
+RUN rpm-ostree override replace --experimental --from repo=copr:copr.fedorainfracloud.org:ublue-os:staging power-profiles-daemon
+
 RUN wget https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 -O /tmp/docker-compose && \
     install -c -m 0755 /tmp/docker-compose /usr/bin
 
+COPY --from=cgr.dev/chainguard/dive:latest /usr/bin/dive /usr/bin/dive
 COPY --from=cgr.dev/chainguard/flux:latest /usr/bin/flux /usr/bin/flux
 COPY --from=cgr.dev/chainguard/helm:latest /usr/bin/helm /usr/bin/helm
 COPY --from=cgr.dev/chainguard/ko:latest /usr/bin/ko /usr/bin/ko
@@ -152,7 +157,11 @@ RUN wget https://raw.githubusercontent.com/ahmetb/kubectx/master/kubectx -O /usr
     chmod +x /usr/bin/kubectx /usr/bin/kubens
 
 # Set up services
-RUN systemctl enable podman.socket && \
+RUN systemctl enable docker.socket && \
+    systemctl enable podman.socket && \
+    systemctl enable swtpm-workaround.service && \
+    systemctl enable bluefin-dx-groups.service && \
+    systemctl enable --global bluefin-dx-user-vscode.service && \
     systemctl disable pmie.service && \
     systemctl disable pmlogger.service
 

README.md

@@ -17,8 +17,8 @@ A familiar(ish) Ubuntu desktop for Fedora Silverblue. It strives to cover these
 
 # Documentation
 
-1. [Bluefin](http://universal-blue.discourse.group/t/introduction-to-bluefin/41)
+1. [Bluefin](https://universal-blue.discourse.group/t/introduction-to-bluefin/41)
 2. [Discussions and Announcements](https://universal-blue.discourse.group/c/bluefin/6) - strongly recommended!
-3. [Developer Experience Edition](http://universal-blue.discourse.group/t/bluefin-dx-the-bluefin-developer-experience/39)
-4. [Administrator's Guide](http://universal-blue.discourse.group/t/bluefin-administrators-guide/40)
+3. [Developer Experience Edition](https://universal-blue.discourse.group/t/bluefin-dx-the-bluefin-developer-experience/39)
+4. [Administrator's Guide](https://universal-blue.discourse.group/t/bluefin-administrators-guide/40)
 5. [Framework Images](https://universal-blue.org/images/framework/)

dx/usr/bin/bluefin-dx-groups

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# SCRIPT VERSION
+GROUP_SETUP_VER=1
+GROUP_SETUP_VER_FILE="/etc/ublue/dx-groups"
+GROUP_SETUP_VER_RAN=$(cat "$GROUP_SETUP_VER_FILE")
+
+# Run script if updated
+if [[ -f $GROUP_SETUP_VER_FILE && "$GROUP_SETUP_VER" = "$GROUP_SETUP_VER_RAN" ]]; then
+  echo "Group setup has already run. Exiting..."
+  exit 0
+fi
+
+# Setup Groups
+wheelarray=($(getent group wheel | cut -d ":" -f 4 | tr  ',' '\n'))
+for user in $wheelarray
+do
+  usermod -aG docker $user
+  usermod -aG incus-admin $user
+  usermod -aG lxd $user
+  usermod -aG libvirt $user
+done
+
+# Prevent future executions
+echo "Writing state file"
+echo "$GROUP_SETUP_VER" > "$GROUP_SETUP_VER_FILE"

dx/usr/bin/bluefin-dx-user-vscode

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# SCRIPT VERSION
+USER_SETUP_VER=1
+USER_SETUP_VER_FILE="$HOME/.bluefin-vscode-configured"
+USER_SETUP_VER_RAN=$(cat "$USER_SETUP_VER_FILE")
+
+# Run script if updated
+if [[ -f $USER_SETUP_VER_FILE && "$USER_SETUP_VER" = "$USER_SETUP_VER_RAN" ]]; then
+  echo "User setup has already run. Exiting..."
+  exit 0
+fi
+
+# Setup VSCode
+# Pre-install preferred VSCode Extensions
+code --install-extension ms-vscode-remote.remote-containers
+code --install-extension ms-azuretools.vscode-docker
+
+# Prevent future executions
+echo "Writing state file"
+echo "$USER_SETUP_VER" > "$USER_SETUP_VER_FILE"