.github/workflows/reusable-uki-test.yaml

name: Reusable UKI test

on:
  workflow_call:
    inputs:
      base_image:
        required: true
        type: string
      family:
        required: true
        type: string
      flavor:
        required: true
        type: string
      flavor_release:
        required: true
        type: string

jobs:
  test-uki:
    permissions:
      id-token: write  # OIDC support
      contents: write
      actions: read
      security-events: write
    runs-on: kvm
    env:
      FLAVOR: ${{ inputs.flavor }}
      FLAVOR_RELEASE: ${{ inputs.flavor_release }}
    steps:
      - uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version-file: tests/go.mod
          cache-dependency-path: tests/go.sum
      - name: Enable KVM group perms
        run: |
          sudo apt-get update
          sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev
          # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/
          # echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          # sudo udevadm control --reload-rules
          # sudo udevadm trigger --name-match=kvm
          # sudo usermod -a -G kvm,libvirt $USER
          #
          # TODO: Switch back to the above solution when we switch to the github runners
          # https://askubuntu.com/a/1081326
          sudo setfacl -m u:runner:rwx /dev/kvm
      - name: Install earthly
        uses: Luet-lab/luet-install-action@v1.1
        with:
          repository: quay.io/kairos/packages
          packages: utils/earthly
      - name: Build base image 🔧
        run: | # known flavors to work with uki+encryption: fedora >= 38, ubuntu >= 23.10, anything with systemd 253
          earthly +base-image \
            --FLAVOR=${{ inputs.flavor }} \
            --FLAVOR_RELEASE=${{ inputs.flavor_release }} \
            --FAMILY=${{ inputs.family }} \
            --MODEL=generic \
            --VARIANT=core \
            --BASE_IMAGE=${{ inputs.base_image }} \
            --BOOTLOADER=systemd-boot
      - name: Push image to ttl.sh
        env:
          TEMP_IMAGE: ttl.sh/${{ inputs.flavor }}-${{ inputs.flavor_release}}-${{ github.head_ref || github.ref }}:24h
        run: |
          docker tag $(cat build/IMAGE) $TEMP_IMAGE
          docker push $TEMP_IMAGE
      - name: Build uki ISO 🔧
        run: |
          earthly +uki-iso \
            --BASE_IMAGE=ttl.sh/${{ inputs.flavor }}-${{ inputs.flavor_release }}-${{ github.head_ref || github.ref }}:24h \
            --ENKI_CREATE_CI_KEYS=true
      - name: Create datasource iso 🔧
        run: |
          earthly +datasource-iso --CLOUD_CONFIG=tests/assets/uki-install.yaml
      - name: Run tests 🔧
        env:
          USE_QEMU: true
          KVM: true
          MEMORY: 4000
          CPUS: 2
          FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
          EMULATE_TPM: true
          UKI_TEST: true
        run: |
          export ISO=$(ls $PWD/build/kairos_*.iso)
          export DATASOURCE=${PWD}/build/datasource.iso
          cp tests/go.* .
          go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/
      - name: Install kairos-agent (for versioneer)
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor == 'ubuntu' }}
        uses: Luet-lab/luet-install-action@v1.1
        with:
          repository: quay.io/kairos/packages
          packages: system/kairos-agent
      - name: Login to Quay Registry
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor == 'ubuntu' }}
        run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
      - name: Push to quay
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor == 'ubuntu' }}
        env:
          COSIGN_YES: true
        run: |
          SUFFIX="-uki"
          IMAGE=$(FLAVOR=${{ matrix.flavor }} FLAVOR_RELEASE="${{ matrix.flavor_release }}" MODEL=generic TARGETARCH=amd64 VARIANT=core REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name)
          docker tag $(cat IMAGE) "$IMAGE$SUFFIX"
          docker push "$IMAGE$SUFFIX"
          image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX")
          cosign sign $image_ref
      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: ${{ env.FLAVOR }}-${{ env.FLAVOR_RELEASE }}.logs.zip
          path: tests/**/logs/*
          if-no-files-found: warn