A Fedora-based container image for creating and building RPM and APT repositories.
Creating and using this container image saves time, resources and energy, because a workflow no longer needs to update package lists and install dependencies every time it runs.
I mainly use it on all of my RustDesk repos. (Check my profile)
It is built once a week, when new base images are available.
This container includes the following packages:
- RPM/APT repo tools: createrepo_c, reprepro, aptly
- Package building: rpm-build, devscripts, ruby, rubygem-json
- Utilities: jq, wget2, tree, gnupg, git, gh, rpm-sign
- Package repackaging: fpm
For more details, please refer to the Dockerfile.
The newest build is tagged `latest`, and each build also gets a date (yyyymmdd) tag if you want a specific environment or for testing.
Just use the `latest` tag; it will choose the right architecture automatically.
- amd64
- arm64
Just add `container: ghcr.io/xlionjuan/fedora-createrepo-image:latest` after `runs-on: ubuntu-24.04-arm`. If your workflows don't need x86 runners, I recommend using ARM runners because they have a lower footprint.

```yaml
jobs:
  build:
    runs-on: ubuntu-24.04-arm # Or ubuntu-latest if you really need x86 runners
    container: ghcr.io/xlionjuan/fedora-createrepo-image:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6.0.2
      # .....
      # .....
```

The container is signed with cosign and GitHub Attestations, so you can verify it before using it in a workflow.
This is an example workflow that verifies the container before using it.
```yaml
jobs:
  verify:
    name: Verify container
    runs-on: ubuntu-24.04-arm
    steps:
      # If you want to use cosign to verify the container, you should install cosign first.
      # You only need to choose one method
      - name: Install Cosign
        uses: sigstore/cosign-installer@v4.1.0
      - name: Verify with cosign
        run: |
          cosign verify --rekor-url=https://rekor.sigstore.dev \
            --certificate-identity-regexp "https://github.com/xlionjuan/.*" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            ghcr.io/xlionjuan/fedora-createrepo-image:latest
      # Unfortunately, gh can't do anything without logging in, not even the `gh attestation verify` command,
      # so it needs to log in, but NO permissions are required.
      - name: Verify with gh
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh attestation verify --owner xlionjuan oci://ghcr.io/xlionjuan/fedora-createrepo-image:latest
  build:
    runs-on: ubuntu-24.04-arm
    needs: verify # This job only runs if "verify" passes.
    container: ghcr.io/xlionjuan/fedora-createrepo-image:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6.0.2
      - name: Do something
        run: rpm -qa
```
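Added example, not part of the original README: the workflow above verifies `:latest` in one job and pulls `:latest` again in the next, so the tag can point at a different image by the time the build job starts. This variant resolves the tag to a digest once, verifies that digest, and runs the build job on the same digest. It assumes `docker buildx` and `jq` are available on the runner; the step id `pin` and the output name `image` are names chosen for this example.

```yaml
jobs:
  verify:
    name: Verify container
    runs-on: ubuntu-24.04-arm
    outputs:
      # Digest-pinned reference handed to the build job
      image: ${{ steps.pin.outputs.image }}
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@v4.1.0
      - name: Resolve tag to digest
        id: pin
        run: |
          repo=ghcr.io/xlionjuan/fedora-createrepo-image
          # Digest of the multi-arch index that :latest points to right now
          digest=$(docker buildx imagetools inspect "${repo}:latest" \
            --format '{{json .Manifest}}' | jq -r '.digest')
          # Stop here if no well-formed digest came back
          [[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]] || exit 1
          echo "image=${repo}@${digest}" >> "$GITHUB_OUTPUT"
      - name: Verify the pinned digest with cosign
        env:
          IMAGE: ${{ steps.pin.outputs.image }}
        run: |
          cosign verify --rekor-url=https://rekor.sigstore.dev \
            --certificate-identity-regexp "https://github.com/xlionjuan/.*" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            "$IMAGE"
  build:
    runs-on: ubuntu-24.04-arm
    needs: verify
    # Pulls exactly the image that was verified, wherever :latest points now
    container: ${{ needs.verify.outputs.image }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v6.0.2
      - name: Do something
        run: rpm -qa
```

The same digest reference can be passed to `gh attestation verify` as `oci://<repo>@<digest>` if you prefer that method.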