Skip to content

Build and Upload OS image #912

Build and Upload OS image

Build and Upload OS image #912

name: Build and Upload OS image
on:
workflow_dispatch:
inputs:
imageVersion:
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
required: false
isRelease:
description: 'Is this a release? (sets "ref" to special value "-")'
type: boolean
required: false
default: false
stream:
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
type: choice
required: true
options:
- "debug"
- "console"
- "nightly"
- "stable"
ref:
type: string
description: "Git ref to checkout"
required: false
workflow_call:
inputs:
imageVersion:
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
required: false
type: string
isRelease:
description: 'Is this a release? (sets "ref" to special value "-")'
type: boolean
required: false
default: false
stream:
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
type: string
required: true
ref:
type: string
description: "Git ref to checkout"
required: false
jobs:
build-settings:
name: "Determine build settings"
runs-on: ubuntu-22.04
outputs:
ref: ${{ steps.ref.outputs.ref }}
stream: ${{ steps.stream.outputs.stream }}
imageType: ${{ steps.image-type.outputs.imageType }}
imageVersion: ${{ steps.image-version.outputs.imageVersion }}
imageName: ${{ steps.image-version.outputs.imageName }}
imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
- name: Determine ref
id: ref
run: |
if [[ "${{ inputs.isRelease }}" = "true" ]]; then
echo "ref=-" | tee -a "$GITHUB_OUTPUT"
else
echo "ref=${{ steps.version.outputs.branchName }}" | tee -a "$GITHUB_OUTPUT"
fi
- name: Determine and validate stream
id: stream
run: |
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then
echo "Nightly builds are not allowed for releases"
exit 1
fi
if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then
echo "Stable builds are only allowed for releases"
exit 1
fi
echo "stream=${{ inputs.stream }}" | tee -a "$GITHUB_OUTPUT"
- name: Determine type of image build
shell: bash
id: image-type
run: |
case "${{ steps.stream.outputs.stream }}" in
"debug")
echo "imageType=debug" | tee -a "$GITHUB_OUTPUT"
;;
"console")
echo "imageType=console" | tee -a "$GITHUB_OUTPUT"
;;
*)
echo "imageType=default" | tee -a "$GITHUB_OUTPUT"
;;
esac
- name: Determine image version
id: image-version
shell: bash
env:
REF: ${{ steps.ref.outputs.ref }}
STREAM: ${{ steps.stream.outputs.stream }}
IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
run: |
{
echo "imageVersion=${IMAGE_VERSION}"
echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
} | tee -a "$GITHUB_OUTPUT"
if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
elif [[ "${REF}" = "-" ]]; then
echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
else
echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
fi
upload-os-image:
name: "Build OS using mkosi and upload it to CSPs"
needs: [build-settings]
runs-on: ubuntu-latest-8-cores
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ inputs.ref || github.head_ref }}
- uses: ./.github/actions/setup_bazel_nix
with:
useCache: "false"
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
- name: Login to Azure
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
- name: Login to GCP
uses: ./.github/actions/login_gcp
with:
service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"
- name: Login to OpenStack
uses: ./.github/actions/login_openstack
with:
clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}
- name: Build and upload
id: build
shell: bash
working-directory: ${{ github.workspace }}/image
env:
TARGET: //image/system:upload_${{ needs.build-settings.outputs.stream }}
REF: ${{ needs.build-settings.outputs.ref }}
STREAM: ${{ needs.build-settings.outputs.stream }}
SHORT_NAME: ${{ needs.build-settings.outputs.imageNameShort }}
COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
run: |
echo "::group::Build"
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
COSIGN_PUBLIC_KEY_PATH="$(realpath ./cosign.pub)"
export COSIGN_PUBLIC_KEY_PATH
opts=(
--ref "${REF}"
--upload-measurements
)
if [[ "${STREAM}" = "debug" ]]; then
opts+=(--fake-sign)
fi
bazel build //image/base:rpmdb
bazel run "${TARGET}" -- "${opts[@]}"
{
echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
} | tee -a "$GITHUB_OUTPUT"
echo -ne "Uploaded OS image:\n\n\`\`\`\n${SHORT_NAME}\n\`\`\`" | tee -a "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
- name: Upload SBOM to S3
shell: bash
env:
RPMDB: ${{ steps.build.outputs.rpmdb }}
run: |
aws s3 cp \
"${RPMDB}" \
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
--no-progress
- name: Create CLI compatibility information artifact
shell: bash
run: |
bazel run //hack/cli-k8s-compatibility -- \
--ref=${{ needs.build-settings.outputs.ref }} \
--stream=${{ needs.build-settings.outputs.stream }} \
--version=${{ needs.build-settings.outputs.imageVersion }}
add-image-version-to-versionsapi:
needs: [upload-os-image, build-settings]
name: "Add image version to versionsapi"
if: needs.build-settings.outputs.ref != '-'
permissions:
contents: read
id-token: write
uses: ./.github/workflows/versionsapi.yml
with:
command: add
ref: ${{ needs.build-settings.outputs.ref }}
stream: ${{ needs.build-settings.outputs.stream }}
version: ${{ needs.build-settings.outputs.imageVersion }}
kind: "image"
add_latest: true
add-cli-version-to-versionsapi:
needs: [upload-os-image, build-settings, add-image-version-to-versionsapi]
name: "Add CLI version to versionsapi"
if: needs.build-settings.outputs.ref != '-'
permissions:
contents: read
id-token: write
uses: ./.github/workflows/versionsapi.yml
with:
command: add
ref: ${{ needs.build-settings.outputs.ref }}
stream: ${{ needs.build-settings.outputs.stream }}
version: ${{ needs.build-settings.outputs.imageVersion }}
kind: "cli"
add_latest: true