From 6c8be6f0a18d10f41e312cb0c0ba28fc72f49b7f Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Sun, 25 Aug 2024 14:10:07 -0700
Subject: [PATCH] chore: edit build to be fcos only
---
 .github/workflows/reusable-build.yml | 294 ++-------------------------
 1 file changed, 14 insertions(+), 280 deletions(-)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 02c7606..135e3b2 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -97,20 +97,30 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
+ image_suffix:
+ - ""
 nvidia_tag:
 - "-nvidia"
 - ""
 zfs_tag:
 - "-zfs"
 - ""
- exclude:
- - nvidia_tag: ""
- zfs_tag: ""
+ include:
+ - image_suffix: ""
+ description: An OCI image of Fedora CoreOS
 steps:
 # Checkout push-to-registry action GitHub repository
 - name: Checkout Push to Registry action
 uses: actions/checkout@v4
+ # sent env variables which depend on the matrix
+ - name: Matrix variables
+ shell: bash
+ run: |
+ set -x
+ IMAGE_NAME=ucore${{ matrix.image_suffix }}
+ echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
+
 - name: Pull base and kmod images
 uses: Wandalen/wretry.action@v3.5.0
 with:
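Review bot: `IMAGE_NAME=ucore${{ matrix.image_suffix }}` in the new "Matrix variables" step expands a workflow expression directly inside the shell script; the value is a repo-controlled matrix literal here so the practical risk is low, but the robust idiom is to pass it through the step's `env:` (`IMAGE_SUFFIX: ${{ matrix.image_suffix }}`) and write `IMAGE_NAME="ucore${IMAGE_SUFFIX}"` followed by `echo "IMAGE_NAME=$IMAGE_NAME" >> "$GITHUB_ENV"`, which also fixes the unquoted `$GITHUB_ENV`. The single-value `image_suffix` dimension plus the `include:` entry look carried over from the deleted build_ucore job; with only `""` they add nothing to the matrix, and `description` could be set once on the job instead. If this job's `env:` (outside the hunk) already defines IMAGE_NAME, the `$GITHUB_ENV` write overrides it for every later step, so the build and push steps, also outside the hunk, now publish under the `ucore` name; worth confirming they point at the ucore Containerfile and `--target`, since the deleted build_ucore job was the only one doing that. The enclosing job starts and ends outside the hunk.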
@@ -331,286 +341,10 @@ jobs: run: | echo "${{ toJSON(steps.push.outputs) }}" - build_ucore: - name: ucore - runs-on: ubuntu-24.04 - if: always() && !cancelled() - needs: [workflow_info, stream_info] - permissions: - contents: read - packages: write - id-token: write - env: - FEDORA_VERSION: ${{ needs.stream_info.outputs.fedora}} - IMAGE_VERSION: ${{ needs.stream_info.outputs.image}} - KERNEL_FLAVOR: coreos-${{ inputs.coreos_version }} - KERNEL_VERSION: ${{ needs.stream_info.outputs.kernel}} - PR_PREFIX: ${{ needs.workflow_info.outputs.pr_prefix }} - - strategy: - fail-fast: false - matrix: - image_suffix: - - "-minimal" - - "" - - "-hci" - nvidia_tag: - - "-nvidia" - - "" - zfs_tag: - - "-zfs" - - "" - include: - - image_suffix: "-minimal" - description: An OCI image of Fedora CoreOS with a few extra tools and suitable for running in a VM - - image_suffix: "" - description: An OCI image of Fedora CoreOS with a few extra tools, hardware support, and storage utilities - - image_suffix: "-hci" - description: A hyper-converged infrastructure OCI image of Fedora CoreOS (storage + hypervisor) - - steps: - # Checkout push-to-registry action GitHub repository - - name: Checkout Push to Registry action - uses: actions/checkout@v4 - - # sent env variables which depend on the matrix - - name: Matrix variables - shell: bash - run: | - set -x - IMAGE_NAME=ucore${{ matrix.image_suffix }} - echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV - - - name: Pull base and kmod images - uses: Wandalen/wretry.action@v3.5.0 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - # pull the base image used for FROM in containerfile so - # we can retry on that unfortunately common failure case - podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} - podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} - podman pull ${{ 
env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} - podman pull ${{ env.IMAGE_REGISTRY }}/config:latest - - - name: Verify versions - shell: bash - run: | - set -x - if [ -z "${{ env.FEDORA_VERSION }}" ] || [ "null" = "${{ env.FEDORA_VERSION }}" ]; then - echo "env.FEDORA_VERSION must not be empty or null" - exit 1 - fi - if [ -z "${{ env.IMAGE_VERSION }}" ] || [ "null" = "${{ env.IMAGE_VERSION }}" ]; then - echo "env.IMAGE_VERSION must not be empty or null" - exit 1 - fi - if [ -z "${{ env.KERNEL_VERSION }}" ] || [ "null" = "${{ env.KERNEL_VERSION }}" ]; then - echo "env.KERNEL_VERSION must not be empty or null" - exit 1 - fi - skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json - kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled coreos image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} > inspect.json - kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled kernel-cache image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json - kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - - - name: Verify versions (nvidia) - if: matrix.nvidia_tag == '-nvidia' - shell: bash - run: | - set -x - skopeo inspect docker://${{ 
env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json - kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled akmods-nvidia image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - - - name: Verify versions (ZFS) - if: matrix.zfs_tag == '-zfs' - shell: bash - run: | - set -x - skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json - kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - - - name: Generate tags - id: generate-tags - shell: bash - run: | - # Generate a timestamp for creating an image version history - TIMESTAMP="$(date +%Y%m%d)" - COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}${{ matrix.zfs_tag }}" - - COMMIT_TAGS=() - BUILD_TAGS=() - - # Have tags for tracking builds during pull request - SHA_SHORT="${GITHUB_SHA::7}" - COMMIT_TAGS+=("pr-${{ github.event.number }}-${COREOS_VERSION}") - COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}") - - BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}") - - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "Generated the following commit tags: " - for TAG in "${COMMIT_TAGS[@]}"; do - echo "${TAG}" - done - - alias_tags=("${COMMIT_TAGS[@]}") - else - if [[ "${COREOS_VERSION}" == "stable" ]]; then - BUILD_TAGS+=("latest") - fi - - alias_tags=("${BUILD_TAGS[@]}") - fi - - echo "Generated the following build tags: " - for TAG in "${BUILD_TAGS[@]}"; do - echo "${TAG}" - done - - echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - - # Build metadata - - name: Image Metadata - uses: docker/metadata-action@v5 - id: meta - with: - images: | - ${{ 
env.IMAGE_NAME }} - labels: | - io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md - org.opencontainers.image.description=${{ matrix.description }} - org.opencontainers.image.title=${{ env.IMAGE_NAME }} - org.opencontainers.image.version=${{ env.IMAGE_VERSION }} - - # Build image using Buildah action - - name: Build Image - id: build_image - uses: redhat-actions/buildah-build@v2 - with: - containerfiles: | - ./ucore/Containerfile - context: ./ucore - image: ${{ env.IMAGE_NAME }} - tags: | - ${{ steps.generate-tags.outputs.alias_tags }} - build-args: | - COREOS_VERSION=${{ inputs.coreos_version }} - FEDORA_VERSION=${{ env.FEDORA_VERSION }} - IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }} - KERNEL_FLAVOR=${{ env.KERNEL_FLAVOR }} - PR_PREFIX=${{ env.PR_PREFIX }} - NVIDIA_TAG=${{ matrix.nvidia_tag }} - ZFS_TAG=${{ matrix.zfs_tag }} - labels: ${{ steps.meta.outputs.labels }} - oci: false - extra-args: | - --target=${{ env.IMAGE_NAME }} - - - name: Check Secureboot - shell: bash - run: | - set -x - if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then - sudo apt update - sudo apt install sbsigntool curl openssl - fi - podman run -d --rm --name ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 - podman cp ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . 
- podman rm -f ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) - sbverify --list vmlinuz - curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der - curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der - openssl x509 -in kernel-sign.der -out kernel-sign.crt - openssl x509 -in akmods.der -out akmods.crt - sbverify --cert kernel-sign.crt vmlinuz || exit 1 - sbverify --cert akmods.crt vmlinuz || exit 1 - - # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. - # https://github.com/macbre/push-to-ghcr/issues/12 - - name: Lowercase Registry - id: registry_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_REGISTRY }} - - # Push the image to GHCR (Image Registry) - - name: Push To GHCR - uses: Wandalen/wretry.action@v3.5.0 - id: push - if: github.event_name != 'pull_request' - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - with: - action: redhat-actions/push-to-registry@v2 - attempt_limit: 3 - attempt_delay: 15000 - with: | - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - if: github.event_name != 'pull_request' - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Sign container - - uses: sigstore/cosign-installer@v3.6.0 - if: github.event_name != 'pull_request' - - - name: Sign container image - if: github.event_name != 'pull_request' - run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ 
steps.build_image.outputs.image }}@${TAGS} - env: - TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} - COSIGN_EXPERIMENTAL: false - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - - - name: Echo outputs - if: github.event_name != 'pull_request' - run: | - echo "${{ toJSON(steps.push.outputs) }}" - check: name: Check all successful runs-on: ubuntu-latest - needs: [build_fcos, build_ucore] + needs: [build_fcos] steps: - name: Exit shell: bash