Fix missing hardcoded k3s build (#2066) #235
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
# Bump the CI | |
push: | |
tags: | |
- v* | |
jobs: | |
get-core-matrix: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- run: | | |
sudo apt update && sudo apt install -y jq | |
- id: set-matrix | |
run: | | |
content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "amd64" and .variant == "core"))'` | |
# the following lines are only required for multi line json | |
content="${content//'%'/'%25'}" | |
content="${content//$'\n'/'%0A'}" | |
content="${content//$'\r'/'%0D'}" | |
# end of optional handling for multi line json | |
echo "::set-output name=matrix::{\"include\": $content }" | |
# The matrix for standard (provider) images | |
get-standard-matrix: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- run: | | |
sudo apt update && sudo apt install -y jq wget | |
- id: set-matrix | |
run: | | |
docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./ | |
chmod +x luet | |
sudo mv luet /usr/bin/luet | |
# Construct an array like this from the found versions: | |
sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json | |
content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.arch == "amd64" and .variant == "standard"))' .github/flavors.json k3s_versions.json) | |
# the following lines are only required for multi line json | |
content="${content//'%'/'%25'}" | |
content="${content//$'\n'/'%0A'}" | |
content="${content//$'\r'/'%0D'}" | |
# end of optional handling for multi line json | |
echo "::set-output name=matrix::{\"include\": $content }" | |
build-framework: | |
runs-on: kvm | |
permissions: | |
id-token: write # OIDC support | |
contents: write | |
strategy: | |
fail-fast: false | |
matrix: | |
security_profile: | |
- "generic" | |
- "fips" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@main | |
- name: Install earthly | |
uses: Luet-lab/[email protected] | |
with: | |
repository: quay.io/kairos/packages | |
packages: utils/earthly | |
- name: Login to Quay Registry | |
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io | |
- name: Build 🔧 | |
run: | | |
# Configure earthly to use the docker mirror in CI | |
# https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache | |
mkdir -p ~/.earthly/ | |
cat << EOF > ~/.earthly/config.yml | |
global: | |
buildkit_additional_config: | | |
[registry."docker.io"] | |
mirrors = ["registry.docker-mirror.svc.cluster.local:5000"] | |
[registry."registry.docker-mirror.svc.cluster.local:5000"] | |
insecure = true | |
http = true | |
EOF | |
earthly +multi-build-framework-image --SECURITY_PROFILE=${{ matrix.security_profile }} --FRAMEWORK_VERSION="git" | |
- name: Push to quay | |
env: | |
COSIGN_YES: true | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
export _IMG="$(cat build/FRAMEWORK_IMAGE)" | |
docker push "$_IMG" # Otherwise .RepoDigests will be empty for some reason | |
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$_IMG") | |
build-core: | |
runs-on: ubuntu-latest | |
needs: | |
- get-core-matrix | |
permissions: | |
id-token: write # OIDC support | |
contents: write | |
actions: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJson(needs.get-core-matrix.outputs.matrix) }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@main | |
- name: Release space from worker | |
run: | | |
echo "Listing top largest packages" | |
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) | |
head -n 30 <<< "${pkgs}" | |
echo | |
df -h | |
echo | |
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true | |
sudo apt-get remove --auto-remove android-sdk-platform-tools || true | |
sudo apt-get purge --auto-remove android-sdk-platform-tools || true | |
sudo rm -rf /usr/local/lib/android | |
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true | |
sudo rm -rf /usr/share/dotnet | |
sudo apt-get remove -y '^mono-.*' || true | |
sudo apt-get remove -y '^ghc-.*' || true | |
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true | |
sudo apt-get remove -y 'php.*' || true | |
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true | |
sudo apt-get remove -y '^google-.*' || true | |
sudo apt-get remove -y azure-cli || true | |
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true | |
sudo apt-get remove -y '^gfortran-.*' || true | |
sudo apt-get autoremove -y | |
sudo apt-get clean | |
echo | |
echo "Listing top largest packages" | |
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) | |
head -n 30 <<< "${pkgs}" | |
echo | |
sudo rm -rfv build || true | |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android | |
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET | |
df -h | |
- name: Login to Quay Registry | |
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io | |
- name: Install earthly | |
uses: Luet-lab/[email protected] | |
with: | |
repository: quay.io/kairos/packages | |
packages: utils/earthly | |
- name: Build 🔧 | |
run: | | |
earthly +all \ | |
--VARIANT=${{ matrix.variant }} \ | |
--FAMILY=${{ matrix.family }} \ | |
--FLAVOR=${{ matrix.flavor }} \ | |
--FLAVOR_RELEASE=${{ matrix.flavorRelease }} \ | |
--MODEL=${{ matrix.model }} \ | |
--BASE_IMAGE=${{ matrix.baseImage }} | |
sudo mv build release | |
- name: Push to quay | |
env: | |
COSIGN_YES: true | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
export IMAGE=$(cat release/IMAGE) | |
docker push "$IMAGE" | |
image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") | |
spdx=$(ls release/*.spdx.json) | |
cosign attach sbom --sbom $spdx $image_ref | |
cosign sign $image_ref --attachment sbom | |
# in-toto attestation | |
cosign attest --type spdx --predicate $spdx $image_ref | |
- name: Sign ISO sha files | |
env: | |
COSIGN_YES: true | |
run: | | |
sudo chmod -R 777 release | |
filename=$(ls release/*.iso.sha256) | |
cosign sign-blob --yes --output-certificate="${filename}.pem" \ | |
--output-signature="${filename}.sig" "${filename}" | |
- name: Prepare files for release | |
run: | | |
export VERSION=$(cat release/VERSION) | |
mkdir sarif | |
mv release/*.sarif sarif/ | |
mkdir reports | |
mv release/*.json reports/ | |
cd reports | |
filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json} | |
sudo tar cvf "${filename}-scan-reports.tar.gz" *.json | |
mv *.tar.gz ../release/ | |
cd .. | |
rm release/VERSION release/IMAGE release/versions.yaml | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
release/* | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
sarif_file: 'sarif' | |
category: ${{ matrix.flavor }} | |
build-core-uki: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install earthly | |
uses: Luet-lab/[email protected] | |
with: | |
repository: quay.io/kairos/packages | |
packages: utils/earthly | |
- name: Build uki image 🔧 | |
run: | | |
# Do fedora as its the smaller uki possible | |
earthly +uki \ | |
--FAMILY=rhel \ | |
--FLAVOR=fedora \ | |
--FLAVOR_RELEASE=38 \ | |
--VARIANT=core \ | |
--MODEL=generic \ | |
--BASE_IMAGE=fedora:38 | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
build/*.efi | |
build-standard: | |
runs-on: ubuntu-latest | |
needs: | |
- get-standard-matrix | |
permissions: | |
id-token: write # OIDC support | |
contents: write | |
actions: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJson(needs.get-standard-matrix.outputs.matrix) }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@main | |
- name: Release space from worker | |
run: | | |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android | |
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET | |
- name: Install earthly | |
uses: Luet-lab/[email protected] | |
with: | |
repository: quay.io/kairos/packages | |
packages: utils/earthly | |
- name: Login to Quay Registry | |
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io | |
- name: Build 🔧 | |
run: | | |
earthly +all \ | |
--VARIANT=${{ matrix.variant }} \ | |
--FAMILY=${{ matrix.family }} \ | |
--FLAVOR=${{ matrix.flavor }} \ | |
--FLAVOR_RELEASE=${{ matrix.flavorRelease }} \ | |
--MODEL=${{ matrix.model }} \ | |
--K3S_VERSION=${{ matrix.k3s_version }} \ | |
--BASE_IMAGE=${{ matrix.baseImage }} | |
sudo mv build release | |
- name: Push to quay | |
if: startsWith(github.ref, 'refs/tags/') | |
env: | |
COSIGN_YES: true | |
run: | | |
IMAGE=$(cat release/IMAGE) | |
docker push "$IMAGE" | |
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") | |
- name: Prepare files for release | |
run: | | |
export VERSION=$(cat release/VERSION) | |
mkdir sarif | |
mv release/*.sarif sarif/ | |
mkdir reports | |
mv release/*.json reports/ | |
cd reports | |
filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json} | |
sudo tar cvf "${filename}-scan-reports.tar.gz" *.json | |
mv *.tar.gz ../release/ | |
cd .. | |
sudo rm -rf release/IMAGE release/VERSION release/versions.yaml | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
release/* |