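---
# Builds the Pod VM image with mkosi, publishes the qcow2 via oras (with a
# build-provenance attestation on the pushed manifest) and then builds and
# pushes the docker-provider OCI image.
#
# NOTE(review): the indentation of this rendering was lost; the nesting below
# is reconstructed from the key structure and should be diffed against the
# repository copy before use.
#
# Change from the original: values from the `inputs` context are no longer
# interpolated with `${{ }}` directly into `run:` bodies. They are passed via
# `env:` and read as shell variables instead, so a caller-supplied value
# (registry, image_tag, arch, debug) is treated as data by the shell rather
# than being spliced into the script text.
name: Create a Pod VM image with mkosi
on:
  workflow_dispatch:
    inputs:
      registry:
        default: 'quay.io/confidential-containers'
        required: false
        type: string
      image_tag:
        default: ''
        required: false
        type: string
      git_ref:
        description: Git ref to checkout the cloud-api-adaptor repository.
        required: true
        type: string
      arch:
        description: Which arch we are building the mkosi image for
        default: 'amd64'
        required: false
        type: string
      debug:
        description: Whether to build the image in debug mode
        default: false
        required: false
        type: boolean
  workflow_call:
    inputs:
      registry:
        default: 'quay.io/confidential-containers'
        required: false
        type: string
      image_tag:
        default: ''
        required: false
        type: string
      git_ref:
        description: Git ref to checkout the cloud-api-adaptor repository.
        required: true
        type: string
      arch:
        description: Which arch we are building the mkosi image for
        default: 'amd64'
        required: false
        type: string
      debug:
        description: Whether to build the image in debug mode
        default: false
        required: false
        type: boolean
    outputs:
      qcow2_oras_image:
        description: The location of the qcow2 oras container this workflow pushed
        value: ${{ jobs.build-image.outputs.qcow2_oras_image }}
      docker_oci_image:
        description: The location of the docker oci container image this workflow pushed
        value: ${{ jobs.build-image.outputs.docker_oci_image }}

defaults:
  run:
    working-directory: src/cloud-api-adaptor

jobs:
  build-image:
    name: Build mkosi image
    # s390x builds go to a self-hosted runner; everything else uses the hosted image.
    runs-on: ${{ inputs.arch == 's390x' && 's390x' || 'ubuntu-24.04' }}
    # packages/id-token/attestations are needed for the oras push, the OIDC
    # signing identity and the provenance attestation below; contents stays read-only.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    outputs:
      qcow2_oras_image: ${{ steps.publish_oras_qcow2.outputs.image }}:${{ steps.publish_oras_qcow2.outputs.tag }}
      docker_oci_image: ${{ steps.build_docker_oci.outputs.image }}
    steps:
      # NOTE(review): actions below are referenced by major-version tag; pin to
      # a commit SHA if the project requires immutable action references.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # git_ref is caller-controlled. When this workflow is reached from a
          # pull_request_target caller (see the rebase step), the code that the
          # later `make` steps execute comes from this ref — confirm the caller
          # restricts what may be passed here.
          ref: "${{ inputs.git_ref }}"

      # Required by rootless mkosi
      - name: Un-restrict user namespaces
        if: inputs.arch == 'amd64'
        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

      - name: Rebase the code
        if: github.event_name == 'pull_request_target'
        working-directory: ./
        run: |
          ./hack/ci-helper.sh rebase-atop-of-the-latest-target-branch

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Only one of the two logins runs, selected by the registry prefix.
      - name: Login to quay Container Registry
        if: ${{ startsWith(inputs.registry, 'quay.io') }}
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

      - name: Login to the ghcr Container registry
        if: ${{ startsWith(inputs.registry, 'ghcr.io') }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install build dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            alien \
            bubblewrap \
            dnf \
            qemu-utils \
            uidmap
          sudo snap install yq

      # Versions are read from the repo's versions.yaml so the tool versions
      # are reviewed with the code rather than hard-coded in the workflow.
      - name: Read properties from versions.yaml
        run: |
          echo "MKOSI_VERSION=$(yq -e '.tools.mkosi' versions.yaml)" >> "$GITHUB_ENV"
          echo "ORAS_VERSION=$(yq -e '.tools.oras' versions.yaml)" >> "$GITHUB_ENV"

      # NOTE(review): on s390x this repeats the package set already installed
      # by "Install build dependencies" (which has no `if:`); kept as-is, but
      # one of the two steps looks redundant.
      - name: Install mkosi dependencies
        if: ${{ inputs.arch == 's390x' }}
        run: |
          sudo apt-get update
          sudo apt-get install -y bubblewrap alien dnf qemu-utils uidmap

      - name: Install mkosi
        if: ${{ inputs.arch == 's390x' }}
        run: |
          git clone -b "${MKOSI_VERSION}" https://github.com/systemd/mkosi
          sudo rm -f /usr/local/bin/mkosi
          sudo ln -s "$PWD/mkosi/bin/mkosi" /usr/local/bin/mkosi
          mkosi --version

      - uses: oras-project/setup-oras@v1
        with:
          version: ${{ env.ORAS_VERSION }}

      - name: Build binaries
        id: build_binaries
        working-directory: src/cloud-api-adaptor/podvm-mkosi
        run: make binaries
        env:
          ARCH: ${{ inputs.arch }}

      # NOTE(review): `debug` is declared as a boolean input but is compared
      # against the string 'true' here and in the next step. The two conditions
      # are complementary, so exactly one build step runs — confirm the
      # comparison selects the intended one for both trigger types.
      - name: Build mkosi debug image
        if: ${{ inputs.debug == 'true' }}
        working-directory: src/cloud-api-adaptor/podvm-mkosi
        run: make image-debug

      - name: Build mkosi image
        if: ${{ inputs.debug != 'true' }}
        working-directory: src/cloud-api-adaptor/podvm-mkosi
        run: make image

      # Pushes the compressed qcow2 as an oras artifact under
      # <registry>/podvm-generic-fedora[-debug]-<arch>:<short sha>, optionally
      # also under image_tag, and exports image/digest/tag for attestation.
      - name: Upload the qcow2 with oras
        id: publish_oras_qcow2
        working-directory: src/cloud-api-adaptor/podvm-mkosi
        env:
          INPUT_REGISTRY: ${{ inputs.registry }}
          INPUT_DEBUG: ${{ inputs.debug }}
          INPUT_ARCH: ${{ inputs.arch }}
          INPUT_IMAGE_TAG: ${{ inputs.image_tag }}
        run: |
          mkdir oras
          cd oras
          cp ../build/podvm-*.qcow2 .
          tar cJf podvm.tar.xz podvm-*.qcow2
          image="${INPUT_REGISTRY}/podvm-generic-fedora"
          if [ "${INPUT_DEBUG}" = "true" ]; then
            image="${image}-debug"
          fi
          image="${image}-${INPUT_ARCH}"
          tag=$(git rev-parse --short HEAD)
          oras push "${image}:${tag}" podvm.tar.xz
          # If the input has a different image-tag then also push it with that tag
          if [ -n "${INPUT_IMAGE_TAG}" ] && [ "${INPUT_IMAGE_TAG}" != "${tag}" ]; then
            oras push "${image}:${INPUT_IMAGE_TAG}" podvm.tar.xz
          fi
          # add image and digest to output for attestation
          echo "image=${image}" >> "$GITHUB_OUTPUT"
          # The digest is taken from the manifest just pushed, so the
          # attestation below is bound to exactly what landed in the registry.
          digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
          echo "tag=${tag}" >> "$GITHUB_OUTPUT"

      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: ${{ steps.publish_oras_qcow2.outputs.image }}
          subject-digest: ${{ steps.publish_oras_qcow2.outputs.digest }}
          push-to-registry: true

      - name: Clean up some space for the docker provider build
        working-directory: src/cloud-api-adaptor/podvm-mkosi
        run: |
          sudo du --max-depth=2 /home/runner || true
          sudo du --max-depth=2 /var/lib || true
          sudo rm -rf ./build
          sudo rm -rf ./mkosi.cache

      # REGISTRY is the same value the Makefile targets receive, so the exported
      # image name is built from it instead of re-interpolating the inputs.
      - name: Build and push image for docker provider
        id: build_docker_oci
        working-directory: src/cloud-api-adaptor/podvm-mkosi
        run: |
          tag=$(git rev-parse --short HEAD)
          PODVM_TAG=${tag} make image-container
          PODVM_TAG=${tag} make push-image-container
          arch=$(uname -m)
          arch=${arch/x86_64/amd64}
          echo "image=${REGISTRY}/podvm-docker-image-${arch}:${tag}" >> "$GITHUB_OUTPUT"
        env:
          REGISTRY: ${{ inputs.registry }}/${{ github.repository }}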