scottk/coreos
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/coreos.git synced 2025-10-30 01:22:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: edit build to be fcos only

Browse Source
This commit is contained in:
qoijjj
2024-08-25 14:10:07 -07:00
parent 860c197052
commit 6c8be6f0a1
1 changed files with 14 additions and 280 deletions
Download Patch File Download Diff File Expand all files Collapse all files

294
.github/workflows/reusable-build.yml vendored
View File

@@ -97,20 +97,30 @@ jobs:
strategy:
fail-fast: false
matrix:
image_suffix:
- ""
nvidia_tag:
- "-nvidia"
- ""
zfs_tag:
- "-zfs"
- ""
exclude:
- nvidia_tag: ""
zfs_tag: ""
include:
- image_suffix: ""
description: An OCI image of Fedora CoreOS
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4
# sent env variables which depend on the matrix
- name: Matrix variables
shell: bash
run: |
set -x
IMAGE_NAME=ucore${{ matrix.image_suffix }}
echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
- name: Pull base and kmod images
uses: Wandalen/wretry.action@v3.5.0
with:
@@ -331,286 +341,10 @@ jobs:
run: |
echo "${{ toJSON(steps.push.outputs) }}"
build_ucore:
name: ucore
runs-on: ubuntu-24.04
if: always() && !cancelled()
needs: [workflow_info, stream_info]
permissions:
contents: read
packages: write
id-token: write
env:
FEDORA_VERSION: ${{ needs.stream_info.outputs.fedora}}
IMAGE_VERSION: ${{ needs.stream_info.outputs.image}}
KERNEL_FLAVOR: coreos-${{ inputs.coreos_version }}
KERNEL_VERSION: ${{ needs.stream_info.outputs.kernel}}
PR_PREFIX: ${{ needs.workflow_info.outputs.pr_prefix }}
strategy:
fail-fast: false
matrix:
image_suffix:
- "-minimal"
- ""
- "-hci"
nvidia_tag:
- "-nvidia"
- ""
zfs_tag:
- "-zfs"
- ""
include:
- image_suffix: "-minimal"
description: An OCI image of Fedora CoreOS with a few extra tools and suitable for running in a VM
- image_suffix: ""
description: An OCI image of Fedora CoreOS with a few extra tools, hardware support, and storage utilities
- image_suffix: "-hci"
description: A hyper-converged infrastructure OCI image of Fedora CoreOS (storage + hypervisor)
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4
# sent env variables which depend on the matrix
- name: Matrix variables
shell: bash
run: |
set -x
IMAGE_NAME=ucore${{ matrix.image_suffix }}
echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
- name: Pull base and kmod images
uses: Wandalen/wretry.action@v3.5.0
with:
attempt_limit: 3
attempt_delay: 15000
command: |
# pull the base image used for FROM in containerfile so
# we can retry on that unfortunately common failure case
podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }}
podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/config:latest
- name: Verify versions
shell: bash
run: |
set -x
if [ -z "${{ env.FEDORA_VERSION }}" ] || [ "null" = "${{ env.FEDORA_VERSION }}" ]; then
echo "env.FEDORA_VERSION must not be empty or null"
exit 1
fi
if [ -z "${{ env.IMAGE_VERSION }}" ] || [ "null" = "${{ env.IMAGE_VERSION }}" ]; then
echo "env.IMAGE_VERSION must not be empty or null"
exit 1
fi
if [ -z "${{ env.KERNEL_VERSION }}" ] || [ "null" = "${{ env.KERNEL_VERSION }}" ]; then
echo "env.KERNEL_VERSION must not be empty or null"
exit 1
fi
skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json
kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled coreos image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled kernel-cache image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
- name: Verify versions (nvidia)
if: matrix.nvidia_tag == '-nvidia'
shell: bash
run: |
set -x
skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled akmods-nvidia image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
- name: Verify versions (ZFS)
if: matrix.zfs_tag == '-zfs'
shell: bash
run: |
set -x
skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}${{ matrix.zfs_tag }}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="${GITHUB_SHA::7}"
COMMIT_TAGS+=("pr-${{ github.event.number }}-${COREOS_VERSION}")
COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}")
BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}")
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
if [[ "${COREOS_VERSION}" == "stable" ]]; then
BUILD_TAGS+=("latest")
fi
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md
org.opencontainers.image.description=${{ matrix.description }}
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.version=${{ env.IMAGE_VERSION }}
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./ucore/Containerfile
context: ./ucore
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
build-args: |
COREOS_VERSION=${{ inputs.coreos_version }}
FEDORA_VERSION=${{ env.FEDORA_VERSION }}
IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }}
KERNEL_FLAVOR=${{ env.KERNEL_FLAVOR }}
PR_PREFIX=${{ env.PR_PREFIX }}
NVIDIA_TAG=${{ matrix.nvidia_tag }}
ZFS_TAG=${{ matrix.zfs_tag }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
extra-args: |
--target=${{ env.IMAGE_NAME }}
- name: Check Secureboot
shell: bash
run: |
set -x
if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
sudo apt update
sudo apt install sbsigntool curl openssl
fi
podman run -d --rm --name ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
podman cp ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz .
podman rm -f ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
sbverify --list vmlinuz
curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
openssl x509 -in kernel-sign.der -out kernel-sign.crt
openssl x509 -in akmods.der -out akmods.crt
sbverify --cert kernel-sign.crt vmlinuz || exit 1
sbverify --cert akmods.crt vmlinuz || exit 1
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: Wandalen/wretry.action@v3.5.0
id: push
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
action: redhat-actions/push-to-registry@v2
attempt_limit: 3
attempt_delay: 15000
with: |
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Sign container
- uses: sigstore/cosign-installer@v3.6.0
if: github.event_name != 'pull_request'
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Echo outputs
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
check:
name: Check all successful
runs-on: ubuntu-latest
needs: [build_fcos, build_ucore]
needs: [build_fcos]
steps:
- name: Exit
shell: bash