Skip to content

Fix release pipeline for standard builds #314

Fix release pipeline for standard builds

Fix release pipeline for standard builds #314

Workflow file for this run

name: Build arm images
on:
push:
tags:
- 'v*'
jobs:
get-core-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- id: set-matrix
run: |
content=`cat ./.github/flavors.json | map(select(.arch == "arm64"))`
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
# The matrix for standard (provider) images
get-standard-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- run: |
sudo apt update && sudo apt install -y jq
- id: set-matrix
run: |
docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./
chmod +x luet
sudo mv luet /usr/bin/luet
# Construct an array like this from the found versions:
sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json
# Create a combination of flavors and k3s versions.
content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.variant == "standard" and .arch == "arm64"))' .github/flavors.json k3s_versions.json)
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
build-arm-core:
runs-on: ${{ matrix.worker }}
needs:
- get-core-matrix
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
fail-fast: false
matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
steps:
- name: Release space from worker
if: ${{ matrix.worker != 'kvm' }}
run: |
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
df -h
echo
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
sudo apt-get remove --auto-remove android-sdk-platform-tools || true
sudo apt-get purge --auto-remove android-sdk-platform-tools || true
sudo rm -rf /usr/local/lib/android
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
sudo rm -rf /usr/share/dotnet
sudo apt-get remove -y '^mono-.*' || true
sudo apt-get remove -y '^ghc-.*' || true
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
sudo apt-get remove -y 'php.*' || true
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
sudo apt-get remove -y '^google-.*' || true
sudo apt-get remove -y azure-cli || true
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
sudo apt-get remove -y '^gfortran-.*' || true
sudo apt-get autoremove -y
sudo apt-get clean
echo
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
sudo rm -rfv build || true
df -h
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Install earthly
uses: Luet-lab/luet-install-action@v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Login to DockerHub
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Build 🔧
run: |
earthly -P +all-arm \
-VARIANT=core \
-MODEL=${{ matrix.model }} \
-FLAVOR=${{ matrix.flavor }} \
-FLAVOR_RELEASE=${{ matrix.flavorRelease }} \
-FAMILY=${{ matrix.family }} \
-BASE_IMAGE=${{ matrix.baseImage }}
- name: Convert all json files into a reports.tar.gz file
run: |
export VERSION=$(cat build/VERSION)
cd build
sudo tar cvf "kairos-core-${{matrix.flavor}}-arm64-${{matrix.model}}-${VERSION}-scan-reports.tar.gz" *.json
- name: Push 🔧
if: startsWith(github.ref, 'refs/tags/')
run: |
docker push $(cat build/IMAGE)
- name: Sign image
env:
COSIGN_YES: true
if: startsWith(github.ref, 'refs/tags/')
run: |
export IMAGE=$(cat build/IMAGE)
docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- name: Upload Image
if: startsWith(github.ref, 'refs/tags/')
run: |
curl https://luet.io/install.sh | sudo sh
IMAGE=$(cat build/IMAGE | sed 's/$/-img/')
sudo tar cvf build.tar build
sudo luet util pack $IMAGE build.tar image.tar
sudo -E docker load -i image.tar
sudo -E docker push "$IMAGE"
sudo rm -rf build/IMAGE build/VERSION
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
build/*scan-reports.tar.gz
- name: Prepare sarif files 🔧
run: |
mkdir sarif
sudo mv build/*.sarif sarif/
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
build-arm-standard:
runs-on: ${{ matrix.worker }}
needs:
- get-standard-matrix
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
fail-fast: false
matrix: ${{fromJson(needs.get-standard-matrix.outputs.matrix)}}
steps:
- name: Release space from worker
if: ${{ matrix.worker != 'kvm' }}
run: |
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
df -h
echo
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
sudo apt-get remove --auto-remove android-sdk-platform-tools || true
sudo apt-get purge --auto-remove android-sdk-platform-tools || true
sudo rm -rf /usr/local/lib/android
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
sudo rm -rf /usr/share/dotnet
sudo apt-get remove -y '^mono-.*' || true
sudo apt-get remove -y '^ghc-.*' || true
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
sudo apt-get remove -y 'php.*' || true
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
sudo apt-get remove -y '^google-.*' || true
sudo apt-get remove -y azure-cli || true
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
sudo apt-get remove -y '^gfortran-.*' || true
sudo apt-get autoremove -y
sudo apt-get clean
echo
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
sudo rm -rfv build || true
df -h
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Install earthly
uses: Luet-lab/luet-install-action@v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Login to DockerHub
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Build 🔧
run: |
earthly -P +all-arm \
-VARIANT=standard \
-MODEL=${{ matrix.model }} \
-K3S_VERSION=${{ matrix.k3s_version }} \
-FLAVOR=${{ matrix.flavor }} \
-FLAVOR_RELEASE=${{ matrix.flavorRelease }} \
-FAMILY=${{ matrix.family }} \
-BASE_IMAGE=${{ matrix.baseImage }}
- name: Convert all json files into a reports.tar.gz file
run: |
export VERSION=$(cat build/VERSION)
cd build
sudo tar cvf "kairos-standard-${{matrix.flavor}}-arm64-${{matrix.model}}-${VERSION}-scan-reports.tar.gz" *.json
- name: Push 🔧
if: startsWith(github.ref, 'refs/tags/')
run: |
docker push $(cat build/IMAGE)
- name: Sign image
env:
COSIGN_YES: true
if: startsWith(github.ref, 'refs/tags/')
run: |
export IMAGE=$(cat build/IMAGE)
docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- name: Upload Image
if: startsWith(github.ref, 'refs/tags/')
run: |
curl https://luet.io/install.sh | sudo sh
IMAGE=$(cat build/IMAGE | sed 's/$/-img/')
sudo tar cvf build.tar build
sudo luet util pack $IMAGE build.tar image.tar
sudo -E docker load -i image.tar
sudo -E docker push "$IMAGE"
sudo rm -rf build/IMAGE build/VERSION
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
build/*scan-reports.tar.gz
- name: Prepare sarif files 🔧
run: |
mkdir sarif
sudo mv build/*.sarif sarif/
- name: Upload Trivy scan results to GitHub Security tab
if: startsWith(github.ref, 'refs/tags/')
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
build-arm-generic:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- flavor: opensuse
flavor_release: leap-15.5
family: opensuse
base_image: opensuse/leap:15.5
model: generic
variant: core
- flavor: opensuse
flavor_release: leap-15.5
family: opensuse
base_image: opensuse/leap:15.5
model: generic
variant: standard
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install earthly
uses: Luet-lab/luet-install-action@v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Build iso 🔧
run: |
earthly -P +all-arm-generic \
--FLAVOR=${{ matrix.flavor }} \
--FLAVOR_RELEASE=${{ matrix.flavor_release }} \
--FAMILY=${{ matrix.family }} \
--BASE_IMAGE=${{ matrix.base_image}} \
--MODEL=${{ matrix.model }} \
--VARIANT=${{ matrix.variant }}
sudo mv build release
- name: Push to quay
if: startsWith(github.ref, 'refs/tags/')
run: |
docker push $(cat release/IMAGE)
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
release/*iso*