fix: un-hardcode repo+owner, sign commits via API

.github/ISSUE_TEMPLATE/container-request.yaml

@@ -7,8 +7,8 @@ body:
   - type: markdown
     attributes:
       value: |
-        Doing you due diligence and filling out this form throughly 
-        will gauge how serious your request is.
+        Doing your due diligence and filling out this form thoroughly
+        will help determine if your request shall be entertained.
 
   - type: input
     id: application-name

.github/scripts/prepare-matrices.py

@@ -11,6 +11,7 @@
 
 from os.path import isfile
 
+repo_owner = os.environ.get('REPO_OWNER', os.environ.get('GITHUB_REPOSITORY_OWNER'))
 
 TESTABLE_PLATFORMS = ["linux/amd64"]
 
@@ -47,7 +48,7 @@ def get_latest_version(subdir, channel_name):
 
 def get_published_version(image_name):
     r = requests.get(
-        f"https://api.github.com/users/onedr0p/packages/container/{image_name}/versions",
+        f"https://api.github.com/users/{repo_owner}/packages/container/{image_name}/versions",
         headers={
             "Accept": "application/vnd.github.v3+json",
             "Authorization": "token " + os.environ["TOKEN"]
@@ -187,4 +188,4 @@ def get_image_metadata(subdir, meta, forRelease=False, force=False, channels=Non
                     if imageToBuild is not None:
                         imagesToBuild["images"].extend(imageToBuild["images"])
                         imagesToBuild["imagePlatforms"].extend(imageToBuild["imagePlatforms"])
-    print(json.dumps(imagesToBuild))
+    print(json.dumps(imagesToBuild))

.github/scripts/render-readme.py

@@ -5,6 +5,9 @@
 
 from jinja2 import Environment, PackageLoader, select_autoescape
 
+repo_owner = os.environ.get('REPO_OWNER', os.environ.get('GITHUB_REPOSITORY_OWNER'))
+repo_name = os.environ.get('REPO_NAME', os.environ.get('GITHUB_REPOSITORY'))
+
 env = Environment(
     loader=PackageLoader("render-readme"),
     autoescape=select_autoescape()
@@ -25,10 +28,9 @@ def load_metadata_file(file_path):
         return load_metadata_file_yaml(file_path)
     return None
 
-# TODO: remove hard-coded repo owner
 def get_latest_image(name):
     r = requests.get(
-        f"https://api.github.com/users/onedr0p/packages/container/{name}/versions",
+        f"https://api.github.com/users/{repo_owner}/packages/container/{name}/versions",
         headers={
             "Accept": "application/vnd.github.v3+json",
             "Authorization": "token " + os.environ["GITHUB_TOKEN"]
@@ -62,11 +64,12 @@ def get_latest_image(name):
                 image = {
                     "name": name,
                     "channel": channel["name"],
-                    "html_url": ""
+                    "html_url": "",
+                    "owner": repo_owner
                 }
                 gh_data = get_latest_image(name)
                 if gh_data is not None:
-                    image["html_url"] = f"https://github.com/onedr0p/containers/pkgs/container/{name}"
+                    image["html_url"] = f"https://github.com/{repo_name}/pkgs/container/{name}"
                     image["tags"] = sorted(gh_data["metadata"]["container"]["tags"])
                 if meta["base"]:
                     base_images.append(image)
@@ -75,4 +78,4 @@ def get_latest_image(name):
 
     template = env.get_template("README.md.j2")
     with open("./README.md", "w") as f:
-        f.write(template.render(base_images=base_images, app_images=app_images))
+        f.write(template.render(base_images=base_images, app_images=app_images))

.github/scripts/templates/README.md.j2

@@ -19,7 +19,7 @@ _An opinionated collection of container images_
 
 </div>
 
-Welcome to our container images, if looking for a container start by [browsing the container packages](https://github.com/onedr0p?tab=packages&repo_name=containers).
+Welcome to our container images, if looking for a container start by [browsing the GitHub Packages page for this repo's packages](https://github.com/onedr0p?tab=packages&repo_name=containers).
 
 ## Mission statement
 
@@ -68,7 +68,7 @@ Each Image will be built with a `rolling` tag, along with tags specific to it's
 Container | Channel | Image | Latest Tags
 --- | --- | --- | ---
 {% for image in app_images | sort(attribute="name") -%}
-[{{ image.name }}]({{ image.html_url }}) | {{ image.channel }} | ghcr.io/onedr0p/{{ image.name }} |
+[{{ image.name }}]({{ image.html_url }}) | {{ image.channel }} | ghcr.io/{{ image.owner }}/{{ image.name }} |
 {%- set space = joiner(" ") -%}
 {%- for tag in image.tags -%}
 {{ space() }}![{{ tag }}](https://img.shields.io/badge/{{ tag.replace("-", "--") }}-{% if tag == "latest" %}green{% else %}blue{% endif %}?style=flat-square)

.github/workflows/build-images.yaml

@@ -27,7 +27,7 @@ on:
         description: Force rebuild
     secrets:
       BOT_APP_ID:
-        description: The ID of the GitHub App
+        description: The App ID of the GitHub App
         required: true
       BOT_APP_PRIVATE_KEY:
         description: The private key of the GitHub App
@@ -40,6 +40,10 @@ jobs:
     outputs:
       matrices: ${{ steps.prepare-matrices.outputs.matrices }}
     steps:
+      - name: Lowercase repository owner
+        shell: bash
+        run: echo "LOWERCASE_REPO_OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> "${GITHUB_ENV}"
+
       - name: Generate Token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9 # v1.6.1
         id: app-token
@@ -89,7 +93,14 @@ jobs:
       fail-fast: false
       matrix:
         image: ["${{ fromJSON(needs.prepare.outputs.matrices).imagePlatforms }}"]
+    permissions:
+      contents: read
+      packages: write
     steps:
+      - name: Lowercase repository owner
+        shell: bash
+        run: echo "LOWERCASE_REPO_OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_ENV
+
       - name: Log Matrix Input
         shell: bash
         run: |
@@ -160,10 +171,10 @@ jobs:
         shell: bash
         run: |
           if [[ "${{ inputs.pushImages }}" == "true" ]]; then
-              image_name="ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}"
+              image_name="ghcr.io/${{ env.LOWERCASE_REPO_OWNER }}/${{ matrix.image.name }}"
               outputs="type=image,name=${image_name},push-by-digest=true,name-canonical=true,push=true"
           else
-              image_name="ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:zztesting"
+              image_name="ghcr.io/${{ env.LOWERCASE_REPO_OWNER }}/${{ matrix.image.name }}:zztesting"
               outputs="type=docker,name=${image_name},push=false"
           fi
           echo "image_name=${image_name}" >> $GITHUB_OUTPUT
@@ -185,11 +196,11 @@ jobs:
           cache-to: type=gha,mode=max
           labels: |-
             org.opencontainers.image.title=${{ matrix.image.name }}
-            org.opencontainers.image.url=https://ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
-            org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/containers
+            org.opencontainers.image.url=https://ghcr.io/${{ env.LOWERCASE_REPO_OWNER }}/${{ matrix.image.name }}
+            org.opencontainers.image.source=https://github.com/${{ env.LOWERCASE_REPO_OWNER }}/containers
             org.opencontainers.image.version=${{ matrix.image.version }}
             org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.vendor=${{ github.repository_owner }}
+            org.opencontainers.image.vendor=${{ env.LOWERCASE_REPO_OWNER }}
 
       - name: Run Goss Tests
         id: dgoss
@@ -240,6 +251,10 @@ jobs:
         image: ["${{ fromJSON(needs.prepare.outputs.matrices).images }}"]
       fail-fast: false
     steps:
+      - name: Lowercase repository owner
+        shell: bash
+        run: echo "LOWERCASE_REPO_OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> "${GITHUB_ENV}"
+
       - name: Download Digests
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
@@ -286,14 +301,14 @@ jobs:
           TAGS: ${{ toJSON(matrix.image.tags) }}
         shell: bash
         run: |
-          docker buildx imagetools create $(jq -cr '. | map("-t ghcr.io/${{ github.repository_owner }}/${{matrix.image.name}}:" + .) | join(" ")'  <<< "$TAGS") \
-              $(printf 'ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@sha256:%s ' *)
+          docker buildx imagetools create $(jq -cr '. | map("-t ghcr.io/${{ env.LOWERCASE_REPO_OWNER }}/${{matrix.image.name}}:" + .) | join(" ")'  <<< "$TAGS") \
+              $(printf 'ghcr.io/${{ env.LOWERCASE_REPO_OWNER }}/${{ matrix.image.name }}@sha256:%s ' *)
 
       - name: Inspect image
         id: inspect
         shell: bash
         run: |
-          docker buildx imagetools inspect ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ matrix.image.tags[0] }}
+          docker buildx imagetools inspect ghcr.io/${{ env.LOWERCASE_REPO_OWNER }}/${{ matrix.image.name }}:${{ matrix.image.tags[0] }}
 
       - name: Build successful
         id: build-success

.github/workflows/render-readme.yaml

@@ -5,7 +5,7 @@ on:
   workflow_call:
     secrets:
       BOT_APP_ID:
-        description: The ID of the GitHub App
+        description: The App ID of the GitHub App
         required: true
       BOT_APP_PRIVATE_KEY:
         description: The private key of the GitHub App
@@ -40,15 +40,24 @@ jobs:
 
       - name: Render README
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
         shell: bash
         run: python ./.github/scripts/render-readme.py
 
       - name: Commit Changes
-        shell: bash
+        env:
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
+          FILE_TO_COMMIT: README.md
+          DESTINATION_BRANCH: main
         run: |
-          git config --global user.name "bot-ross"
-          git config --global user.email "98030736+bot-ross[bot]@users.noreply.github.com"
-          git add ./README.md
-          git commit -m "Render README.md" || echo "No changes to commit"
-          git push origin || echo "No changes to push"
+          export TODAY=$(date -u '+%Y-%m-%d')
+          export MESSAGE="chore: regenerate $FILE_TO_COMMIT for $TODAY [skip ci]"
+          export SHA=$(git rev-parse $DESTINATION_BRANCH:$FILE_TO_COMMIT)
+          export CONTENT=$(base64 -i $FILE_TO_COMMIT)
+          gh api --method PUT /repos/:owner/:repo/contents/$FILE_TO_COMMIT \
+              --field message="$MESSAGE" \
+              --field content="$CONTENT" \
+              --field encoding="base64" \
+              --field branch="$DESTINATION_BRANCH" \
+              --field sha="$SHA" \
+              || echo "No changes to push"

.github/workflows/renovate.yaml

@@ -24,6 +24,8 @@ on:
 env:
   DRY_RUN: false
   LOG_LEVEL: debug
+  RENOVATE_PLATFORM: "github"
+  RENOVATE_PLATFORM_COMMIT: "true"
   RENOVATE_ONBOARDING_CONFIG_FILE_NAME: .github/renovate.json5
   RENOVATE_AUTODISCOVER: true
   RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository }}"