From 653baf0d4520206c36a806027edf2c736d11690e Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Tue, 23 Dec 2025 22:06:47 +0000
Subject: [PATCH 1/6] fix: disable cosign new signing bundle (#5)
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8644ff4..8007054 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -76,7 +76,7 @@ jobs:
 REMOTE_IMAGE_DIGEST: ${{ steps.push.outputs.remote_image_digest }}
 COSIGN_EXPERIMENTAL: false
 COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- run: cosign sign -y --key env://COSIGN_PRIVATE_KEY "${IMAGE_REGISTRY}/${IMAGE_NAME}@${REMOTE_IMAGE_DIGEST}"
+ run: cosign sign -y --new-bundle-format=false --key env://COSIGN_PRIVATE_KEY "${IMAGE_REGISTRY}/${IMAGE_NAME}@${REMOTE_IMAGE_DIGEST}"
 - name: Create Job Outputs
 if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
From f9f8659fc48e1ca644f0a7a3f923420992d7b7bf Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Tue, 23 Dec 2025 22:08:55 +0000
Subject: [PATCH 2/6] fix: add missing --use-signing-config=false cosign flag
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8007054..e66d31c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
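Review bot: The `--new-bundle-format=false` override on the `run:` line is added with no comment saying why the legacy signature layout is needed or when it can be removed, and nothing after the signing call confirms that the result still verifies. I would put `# keep the legacy signature layout until image consumers can verify the new bundle format` above the command and add a follow-up step running `cosign verify --key <PUBLIC_KEY_PATH> "${IMAGE_REGISTRY}/${IMAGE_NAME}@${REMOTE_IMAGE_DIGEST}"` (placeholder path), so that a later change in cosign defaults fails in CI rather than on clients. The same applies to the `cosign sign` lines changed in PATCH 2/6 and PATCH 3/6. The signing step begins above this hunk, so whether the cosign release is pinned there cannot be seen from here; if it is not, pinning it would presumably have avoided this run of follow-up fixes.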
@@ -76,7 +76,7 @@ jobs:
 REMOTE_IMAGE_DIGEST: ${{ steps.push.outputs.remote_image_digest }}
 COSIGN_EXPERIMENTAL: false
 COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- run: cosign sign -y --new-bundle-format=false --key env://COSIGN_PRIVATE_KEY "${IMAGE_REGISTRY}/${IMAGE_NAME}@${REMOTE_IMAGE_DIGEST}"
+ run: cosign sign -y --new-bundle-format=false --use-signing-config=false --key env://COSIGN_PRIVATE_KEY "${IMAGE_REGISTRY}/${IMAGE_NAME}@${REMOTE_IMAGE_DIGEST}"
 - name: Create Job Outputs
 if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
From 877cec7efd97e7b5f97f7ff1f702dd37e37d38c1 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Tue, 23 Dec 2025 22:10:50 +0000
Subject: [PATCH 3/6] fix: disable new bundle format for manifest
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e66d31c..71fdbba 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -239,5 +239,5 @@ jobs:
 podman manifest push --all=false --digestfile=/tmp/digestfile "${TARGET_MANIFEST}" "${TARGET_MANIFEST}:${TAG}"
 done <<< "${TAGS}"
- cosign sign -y --key env://COSIGN_PRIVATE_KEY "${TARGET_MANIFEST}@$(< /tmp/digestfile)"
+ cosign sign -y --new-bundle-format=false --use-signing-config=false --key env://COSIGN_PRIVATE_KEY "${TARGET_MANIFEST}@$(< /tmp/digestfile)"
 done
From a7fbd884e7a21bf75cb57686f6cd3a5bbc7fe60b Mon Sep 17 00:00:00 2001
From: renner <80410025+renner0e@users.noreply.github.com>
Date: Tue, 23 Dec 2025 23:33:13 +0100
Subject: [PATCH 4/6] docs: add URL for deps (#6)
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index f8ee8bd..712a2fb 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,9 @@ This repository builds an OCI container image that packages:
 - Security limits and tmpfiles configuration
 The image is designed to be consumed by custom bootc-based container images.
+## Dependencies
+
+[See upstream Docs](https://docs.brew.sh/Homebrew-on-Linux)
 ## Using in Custom bootc Images
From ad96f9d54429cdc29e59c5eba7ee224729998c2a Mon Sep 17 00:00:00 2001
From: Mick Pollard <261833+aussielunix@users.noreply.github.com>
Date: Sat, 3 Jan 2026 19:59:42 +1100
Subject: [PATCH 5/6] add systemctl preset commands to README
---
 README.md | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 712a2fb..4b17cad 100644
--- a/README.md
+++ b/README.md
@@ -24,14 +24,23 @@ To include Homebrew in your custom bootc image, copy the files from this reposit
 ```dockerfile
 # Copy Homebrew files from the brew image
+# And enable
 COPY --from=ghcr.io/ublue-os/brew:latest /system_files /
+RUN --mount=type=cache,dst=/var/cache \
+ --mount=type=cache,dst=/var/log \
+ --mount=type=tmpfs,dst=/tmp \
+ /usr/bin/systemctl preset brew-setup.service && \
+ /usr/bin/systemctl preset brew-update.timer && \
+ /usr/bin/systemctl preset brew-upgrade.timer
+
 ```
 This will:
 1. Install the Homebrew tarball to `/usr/share/homebrew.tar.zst`
 2. Install all systemd services and timers
-3. Add shell integration scripts
-4. Configure system limits and tmpfiles
+3. Enable all systemd services and timers
+4. Add shell integration scripts
+5. Configure system limits and tmpfiles
 On first boot, `brew-setup.service` will automatically:
 1. Extract Homebrew to `/var/home/linuxbrew/.linuxbrew`
From eddbb1a432c5a4b3d9ef2d524ef23c13f7855e06 Mon Sep 17 00:00:00 2001
From: pricci1 <30800044+pricci1@users.noreply.github.com>
Date: Sun, 11 Jan 2026 06:12:34 -0300
Subject: [PATCH 6/6] fix: force brew shellenv to output fish commands (#11)
---
 system_files/usr/share/fish/vendor_conf.d/ublue-brew.fish | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system_files/usr/share/fish/vendor_conf.d/ublue-brew.fish b/system_files/usr/share/fish/vendor_conf.d/ublue-brew.fish
index bb6d10d..76c2cc1 100644
--- a/system_files/usr/share/fish/vendor_conf.d/ublue-brew.fish
+++ b/system_files/usr/share/fish/vendor_conf.d/ublue-brew.fish
@@ -2,7 +2,7 @@
 #shellcheck disable=all
 if status --is-interactive
 if [ -d /home/linuxbrew/.linuxbrew ]
- eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+ eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv fish)"
 if test -d (brew --prefix)/share/fish/completions
 set -p fish_complete_path (brew --prefix)/share/fish/completions
 end
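Review bot: The changed `eval` line sits in a system-wide `vendor_conf.d` snippet that every interactive fish session loads, and it evaluates the output of a binary under `/home/linuxbrew/.linuxbrew` behind nothing more than a directory-exists test. If that prefix is writable by an unprivileged account (ownership is not visible in this hunk), an interactive root session would evaluate content that account controls. Tightening the guard to `if test -x /home/linuxbrew/.linuxbrew/bin/brew; and test (id -u) -ne 0` would skip the eval for root and also when the binary is missing. The enclosing `if status --is-interactive` block opens in the hunk but closes outside it.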