Fix release pipeline for standard builds #314
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build arm images | |
on: | |
push: | |
tags: | |
- 'v*' | |
jobs: | |
get-core-matrix: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- id: set-matrix | |
run: | | |
content=`cat ./.github/flavors.json | map(select(.arch == "arm64"))` | |
# the following lines are only required for multi line json | |
content="${content//'%'/'%25'}" | |
content="${content//$'\n'/'%0A'}" | |
content="${content//$'\r'/'%0D'}" | |
# end of optional handling for multi line json | |
echo "::set-output name=matrix::{\"include\": $content }" | |
# The matrix for standard (provider) images | |
get-standard-matrix: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- run: | | |
sudo apt update && sudo apt install -y jq | |
- id: set-matrix | |
run: | | |
docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./ | |
chmod +x luet | |
sudo mv luet /usr/bin/luet | |
# Construct an array like this from the found versions: | |
sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json | |
# Create a combination of flavors and k3s versions. | |
content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.variant == "standard" and .arch == "arm64"))' .github/flavors.json k3s_versions.json) | |
# the following lines are only required for multi line json | |
content="${content//'%'/'%25'}" | |
content="${content//$'\n'/'%0A'}" | |
content="${content//$'\r'/'%0D'}" | |
# end of optional handling for multi line json | |
echo "::set-output name=matrix::{\"include\": $content }" | |
build-arm-core: | |
runs-on: ${{ matrix.worker }} | |
needs: | |
- get-core-matrix | |
permissions: | |
id-token: write # OIDC support | |
contents: write | |
actions: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}} | |
steps: | |
- name: Release space from worker | |
if: ${{ matrix.worker != 'kvm' }} | |
run: | | |
echo "Listing top largest packages" | |
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) | |
head -n 30 <<< "${pkgs}" | |
echo | |
df -h | |
echo | |
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true | |
sudo apt-get remove --auto-remove android-sdk-platform-tools || true | |
sudo apt-get purge --auto-remove android-sdk-platform-tools || true | |
sudo rm -rf /usr/local/lib/android | |
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true | |
sudo rm -rf /usr/share/dotnet | |
sudo apt-get remove -y '^mono-.*' || true | |
sudo apt-get remove -y '^ghc-.*' || true | |
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true | |
sudo apt-get remove -y 'php.*' || true | |
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true | |
sudo apt-get remove -y '^google-.*' || true | |
sudo apt-get remove -y azure-cli || true | |
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true | |
sudo apt-get remove -y '^gfortran-.*' || true | |
sudo apt-get autoremove -y | |
sudo apt-get clean | |
echo | |
echo "Listing top largest packages" | |
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) | |
head -n 30 <<< "${pkgs}" | |
echo | |
sudo rm -rfv build || true | |
df -h | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@master | |
with: | |
platforms: all | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@main | |
- name: Install earthly | |
uses: Luet-lab/luet-install-action@v1.1 | |
with: | |
repository: quay.io/kairos/packages | |
packages: utils/earthly | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@master | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- name: Build 🔧 | |
run: | | |
earthly -P +all-arm \ | |
-VARIANT=core \ | |
-MODEL=${{ matrix.model }} \ | |
-FLAVOR=${{ matrix.flavor }} \ | |
-FLAVOR_RELEASE=${{ matrix.flavorRelease }} \ | |
-FAMILY=${{ matrix.family }} \ | |
-BASE_IMAGE=${{ matrix.baseImage }} | |
- name: Convert all json files into a reports.tar.gz file | |
run: | | |
export VERSION=$(cat build/VERSION) | |
cd build | |
sudo tar cvf "kairos-core-${{matrix.flavor}}-arm64-${{matrix.model}}-${VERSION}-scan-reports.tar.gz" *.json | |
- name: Push 🔧 | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
docker push $(cat build/IMAGE) | |
- name: Sign image | |
env: | |
COSIGN_YES: true | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
export IMAGE=$(cat build/IMAGE) | |
docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason | |
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") | |
- name: Upload Image | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
curl https://luet.io/install.sh | sudo sh | |
IMAGE=$(cat build/IMAGE | sed 's/$/-img/') | |
sudo tar cvf build.tar build | |
sudo luet util pack $IMAGE build.tar image.tar | |
sudo -E docker load -i image.tar | |
sudo -E docker push "$IMAGE" | |
sudo rm -rf build/IMAGE build/VERSION | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
build/*scan-reports.tar.gz | |
- name: Prepare sarif files 🔧 | |
run: | | |
mkdir sarif | |
sudo mv build/*.sarif sarif/ | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
sarif_file: 'sarif' | |
category: ${{ matrix.flavor }} | |
build-arm-standard: | |
runs-on: ${{ matrix.worker }} | |
needs: | |
- get-standard-matrix | |
permissions: | |
id-token: write # OIDC support | |
contents: write | |
actions: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: ${{fromJson(needs.get-standard-matrix.outputs.matrix)}} | |
steps: | |
- name: Release space from worker | |
if: ${{ matrix.worker != 'kvm' }} | |
run: | | |
echo "Listing top largest packages" | |
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) | |
head -n 30 <<< "${pkgs}" | |
echo | |
df -h | |
echo | |
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true | |
sudo apt-get remove --auto-remove android-sdk-platform-tools || true | |
sudo apt-get purge --auto-remove android-sdk-platform-tools || true | |
sudo rm -rf /usr/local/lib/android | |
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true | |
sudo rm -rf /usr/share/dotnet | |
sudo apt-get remove -y '^mono-.*' || true | |
sudo apt-get remove -y '^ghc-.*' || true | |
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true | |
sudo apt-get remove -y 'php.*' || true | |
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true | |
sudo apt-get remove -y '^google-.*' || true | |
sudo apt-get remove -y azure-cli || true | |
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true | |
sudo apt-get remove -y '^gfortran-.*' || true | |
sudo apt-get autoremove -y | |
sudo apt-get clean | |
echo | |
echo "Listing top largest packages" | |
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) | |
head -n 30 <<< "${pkgs}" | |
echo | |
sudo rm -rfv build || true | |
df -h | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@master | |
with: | |
platforms: all | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@main | |
- name: Install earthly | |
uses: Luet-lab/luet-install-action@v1.1 | |
with: | |
repository: quay.io/kairos/packages | |
packages: utils/earthly | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@master | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- name: Build 🔧 | |
run: | | |
earthly -P +all-arm \ | |
-VARIANT=standard \ | |
-MODEL=${{ matrix.model }} \ | |
-K3S_VERSION=${{ matrix.k3s_version }} \ | |
-FLAVOR=${{ matrix.flavor }} \ | |
-FLAVOR_RELEASE=${{ matrix.flavorRelease }} \ | |
-FAMILY=${{ matrix.family }} \ | |
-BASE_IMAGE=${{ matrix.baseImage }} | |
- name: Convert all json files into a reports.tar.gz file | |
run: | | |
export VERSION=$(cat build/VERSION) | |
cd build | |
sudo tar cvf "kairos-standard-${{matrix.flavor}}-arm64-${{matrix.model}}-${VERSION}-scan-reports.tar.gz" *.json | |
- name: Push 🔧 | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
docker push $(cat build/IMAGE) | |
- name: Sign image | |
env: | |
COSIGN_YES: true | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
export IMAGE=$(cat build/IMAGE) | |
docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason | |
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") | |
- name: Upload Image | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
curl https://luet.io/install.sh | sudo sh | |
IMAGE=$(cat build/IMAGE | sed 's/$/-img/') | |
sudo tar cvf build.tar build | |
sudo luet util pack $IMAGE build.tar image.tar | |
sudo -E docker load -i image.tar | |
sudo -E docker push "$IMAGE" | |
sudo rm -rf build/IMAGE build/VERSION | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
build/*scan-reports.tar.gz | |
- name: Prepare sarif files 🔧 | |
run: | | |
mkdir sarif | |
sudo mv build/*.sarif sarif/ | |
- name: Upload Trivy scan results to GitHub Security tab | |
if: startsWith(github.ref, 'refs/tags/') | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'sarif' | |
category: ${{ matrix.flavor }} | |
build-arm-generic: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- flavor: opensuse | |
flavor_release: leap-15.5 | |
family: opensuse | |
base_image: opensuse/leap:15.5 | |
model: generic | |
variant: core | |
- flavor: opensuse | |
flavor_release: leap-15.5 | |
family: opensuse | |
base_image: opensuse/leap:15.5 | |
model: generic | |
variant: standard | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install earthly | |
uses: Luet-lab/luet-install-action@v1.1 | |
with: | |
repository: quay.io/kairos/packages | |
packages: utils/earthly | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@master | |
with: | |
platforms: all | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to Quay Registry | |
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io | |
- name: Build iso 🔧 | |
run: | | |
earthly -P +all-arm-generic \ | |
--FLAVOR=${{ matrix.flavor }} \ | |
--FLAVOR_RELEASE=${{ matrix.flavor_release }} \ | |
--FAMILY=${{ matrix.family }} \ | |
--BASE_IMAGE=${{ matrix.base_image}} \ | |
--MODEL=${{ matrix.model }} \ | |
--VARIANT=${{ matrix.variant }} | |
sudo mv build release | |
- name: Push to quay | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
docker push $(cat release/IMAGE) | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
release/*iso* |