Skip to content

⬆️ Update repositories (#1857) #221

⬆️ Update repositories (#1857)

⬆️ Update repositories (#1857) #221

Workflow file for this run

name: Release
on:
# Bump the CI
push:
tags:
- v*
jobs:
get-core-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- run: |
sudo apt update && sudo apt install -y jq
- id: set-matrix
run: |
content=`cat .github/flavors.json | jq 'map(select(.frameworkonly != "true"))'`
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
# The matrix for standard (provider) images
get-standard-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- run: |
sudo apt update && sudo apt install -y jq wget
- id: set-matrix
run: |
docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./
chmod +x luet
sudo mv luet /usr/bin/luet
# Construct an array like this from the found versions:
sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json
content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.frameworkonly != "true")) | map(select(.standard == "true"))' .github/flavors.json k3s_versions.json)
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
get-framework-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- id: set-matrix
run: |
content=`cat .github/flavors.json`
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
build-framework:
runs-on: kvm
needs:
- get-framework-matrix
permissions:
id-token: write # OIDC support
contents: write
strategy:
fail-fast: false
matrix: ${{fromJson(needs.get-framework-matrix.outputs.matrix)}}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Install earthly
uses: Luet-lab/[email protected]
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Build 🔧
env:
FLAVOR: ${{ matrix.flavor }}
run: |
# Configure earthly to use the docker mirror in CI
# https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
mkdir -p ~/.earthly/
cat << EOF > ~/.earthly/config.yml
global:
buildkit_additional_config: |
[registry."docker.io"]
mirrors = ["registry.docker-mirror.svc.cluster.local:5000"]
[registry."registry.docker-mirror.svc.cluster.local:5000"]
insecure = true
http = true
EOF
earthly +build-framework-image --FLAVOR=${FLAVOR}
- name: Push to quay
env:
COSIGN_YES: true
if: startsWith(github.ref, 'refs/tags/')
run: |
export _IMG="$(cat build/FRAMEWORK_IMAGE)"
docker push "$_IMG" # Otherwise .RepoDigests will be empty for some reason
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$_IMG")
build-core:
runs-on: ubuntu-latest
needs:
- get-core-matrix
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.get-core-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Release space from worker
run: |
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
df -h
echo
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
sudo apt-get remove --auto-remove android-sdk-platform-tools || true
sudo apt-get purge --auto-remove android-sdk-platform-tools || true
sudo rm -rf /usr/local/lib/android
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
sudo rm -rf /usr/share/dotnet
sudo apt-get remove -y '^mono-.*' || true
sudo apt-get remove -y '^ghc-.*' || true
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
sudo apt-get remove -y 'php.*' || true
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
sudo apt-get remove -y '^google-.*' || true
sudo apt-get remove -y azure-cli || true
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
sudo apt-get remove -y '^gfortran-.*' || true
sudo apt-get autoremove -y
sudo apt-get clean
echo
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
sudo rm -rfv build || true
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
df -h
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Install earthly
uses: Luet-lab/[email protected]
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Build 🔧
env:
FLAVOR: ${{ matrix.flavor }}
run: |
earthly +all --VARIANT=core --FLAVOR=$FLAVOR
sudo mv build release
- name: Push to quay
env:
COSIGN_YES: true
if: startsWith(github.ref, 'refs/tags/')
run: |
export IMAGE=$(cat release/IMAGE)
docker push "$IMAGE"
image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
spdx=$(ls release/*.spdx.json)
cosign attach sbom --sbom $spdx $image_ref
cosign sign $image_ref --attachment sbom
# in-toto attestation
cosign attest --type spdx --predicate $spdx $image_ref
- name: Sign ISO sha files
env:
COSIGN_YES: true
run: |
sudo chmod -R 777 release
filename=$(ls release/*.iso.sha256)
cosign sign-blob --yes --output-certificate="${filename}.pem" \
--output-signature="${filename}.sig" "${filename}"
- name: Prepare files for release
run: |
export VERSION=$(cat release/VERSION)
mkdir sarif
mv release/*.sarif sarif/
mkdir reports
mv release/*.json reports/
cd reports
sudo tar cvf "kairos-core-${{matrix.flavor}}-amd64-generic-${VERSION}-scan-reports.tar.gz" *.json
mv *.tar.gz ../release/
cd ..
rm release/VERSION release/IMAGE release/versions.yaml
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
release/*
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
build-core-uki:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install earthly
uses: Luet-lab/[email protected]
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Build uki image 🔧
run: |
# Do fedora as its the smaller uki possible
earthly +uki --VARIANT=core --FLAVOR=fedora
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
build/*.efi
build-standard:
runs-on: ubuntu-latest
needs:
- get-standard-matrix
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.get-standard-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Release space from worker
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- name: Install earthly
uses: Luet-lab/[email protected]
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Build 🔧
run: |
earthly +all -VARIANT=standard -K3S_VERSION=${{ matrix.k3s_version }} -FLAVOR=${{ matrix.flavor }}
sudo mv build release
- name: Push to quay
if: startsWith(github.ref, 'refs/tags/')
env:
COSIGN_YES: true
run: |
IMAGE=$(cat release/IMAGE)
docker push "$IMAGE"
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- name: Prepare files for release
run: |
export VERSION=$(cat release/VERSION)
mkdir sarif
mv release/*.sarif sarif/
mkdir reports
mv release/*.json reports/
cd reports
sudo tar cvf "kairos-core-${{matrix.flavor}}-amd64-generic-${VERSION}-scan-reports.tar.gz" *.json
mv *.tar.gz ../release/
cd ..
sudo rm -rf release/IMAGE release/VERSION release/versions.yaml
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
release/*