Build and release multi arch framework images (#2024)

* Build and release multi arch framework images

* remove reuqired security profile arg

Signed-off-by: Mauro Morales <[email protected]>

* typo

---------

Signed-off-by: Mauro Morales <[email protected]>

.github/workflows/image.yaml

@@ -49,16 +49,16 @@ jobs:
       fail-fast: false
       matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
   framework:
-    uses: ./.github/workflows/reusable-build-framework-flavor.yaml
+    uses: ./.github/workflows/reusable-build-framework.yaml
     secrets: inherit
     with:
-      flavor: ${{ matrix.flavor }}
+      security_profile: ${{ matrix.security_profile }}
     strategy:
       fail-fast: false
       matrix:
         include:
-          - flavor: "generic"
-          - flavor: "fips"
+          - security_profile: "generic"
+          - security_profile: "fips"
   install:
     uses: ./.github/workflows/reusable-install-test.yaml
     with:

.github/workflows/release.yaml

@@ -62,7 +62,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        flavor:
+        security_profile:
           - "generic"
           - "fips"
     steps:
@@ -92,7 +92,7 @@ jobs:
                 insecure = true
                 http = true
           EOF
-          earthly +build-framework-image --FRAMEWORK_FLAVOR=${{ matrix.flavor }}
+          earthly +multi-build-framework-image --SECURITY_PROFILE=${{ matrix.security_profile }}
       - name: Push to quay
         env:
           COSIGN_YES: true

.github/workflows/reusable-build-framework-flavor.yaml → .github/workflows/reusable-build-framework.yaml

@@ -3,7 +3,7 @@ name: Reusable workflow that builds a specific Kairos framework image flavor
 on:
   workflow_call:
     inputs:
-      flavor:
+      security_profile:
         required: true
         type: string
 
@@ -31,9 +31,7 @@ jobs:
           sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
       - name: Build framework image 🔧
         env:
-          FLAVOR: ${{ inputs.flavor }}
-          IMAGE: "quay.io/kairos/framework"
-          TAG: "master_${{ inputs.flavor }}"
+          ARTIFACT: "quay.io/kairos/framework:master_${{ inputs.security_profile }}"
           COSIGN_YES: true
         run: |
           # Configure earthly to use the docker mirror in CI
@@ -48,6 +46,6 @@ jobs:
                 insecure = true
                 http = true
           EOF
-          earthly +build-framework-image --FRAMEWORK_FLAVOR=${FLAVOR} --VERSION=master
-          docker push "$IMAGE:$TAG" # Otherwise .RepoDigests will be empty for some reason
-          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
+          earthly +multi-build-framework-image --SECURITY_PROFILE=${{ inputs.security_profile }} --VERSION=master
+          docker push "$ARTIFACT" # Otherwise .RepoDigests will be empty for some reason
+          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$ARTIFACT")

Earthfile

@@ -264,7 +264,12 @@ luet:
 framework:
     FROM golang:alpine
 
-    ARG FRAMEWORK_FLAVOR
+    ARG SECURITY_PROFILE
+    IF [ "$SECURITY_PROFILE" = "fips" ]
+        ARG _SECURITY_PROFILE=fips
+    ELSE
+        ARG _SECURITY_PROFILE=generic
+    END
 
     WORKDIR /build
 
@@ -273,7 +278,7 @@ framework:
 
     RUN go mod download
     COPY framework-profile.yaml /build
-    RUN go run main.go ${FRAMEWORK_FLAVOR} framework-profile.yaml /framework
+    RUN go run main.go ${_SECURITY_PROFILE} framework-profile.yaml /framework
 
     RUN mkdir -p /framework/etc/kairos/
     RUN luet database --system-target /framework get-all-installed --output /framework/etc/kairos/versions.yaml
@@ -290,29 +295,41 @@ framework:
 
     SAVE ARTIFACT --keep-own /framework/ framework
 
+multi-build-framework-image:
+    ARG --required SECUIRTY_PROFILE
+
+    BUILD --platform=linux/amd64 --platform=linux/arm64 +build-framework-image
+
 build-framework-image:
     FROM alpine
+    ARG SECURITY_PROFILE
 
-    ARG --required FRAMEWORK_FLAVOR
-
-    # Just in case, make sure this is valid
-    IF [ "$FRAMEWORK_FLAVOR" = "" ]
-        ARG FRAMEWORK_FLAVOR=generic
+    IF [ "$SECURITY_PROFILE" = "fips" ]
+        ARG _SECUIRTY_PROFILE=fips
+    ELSE
+        ARG _SECUIRTY_PROFILE=generic
     END
 
+
     COPY +version/VERSION ./
     ARG VERSION=$(cat VERSION)
 
-    ARG _IMG="$IMAGE_REPOSITORY_ORG/framework:${VERSION}_${FRAMEWORK_FLAVOR}"
+    IF [ "$VERSION" ~= ".*dirty.*" ]
+        ARG FRAMEWORK_VERSION=master
+    ELSE
+        ARG FRAMEWORK_VERSION=$VERSION
+    END
+
+    ARG _IMG="$IMAGE_REPOSITORY_ORG/framework:${FRAMEWORK_VERSION}_${_SECUIRTY_PROFILE}"
     RUN echo $_IMG > FRAMEWORK_IMAGE
 
     SAVE ARTIFACT FRAMEWORK_IMAGE AS LOCAL build/FRAMEWORK_IMAGE
 
     FROM scratch
 
-    COPY (+framework/framework --FRAMEWORK_FLAVOR=$FRAMEWORK_FLAVOR) /
+    COPY (+framework/framework --SECURITY_PROFILE=$_SECUIRTY_PROFILE) /
 
-    SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/framework:${VERSION}_${FRAMEWORK_FLAVOR}
+    SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/framework:${VERSION}_${_SECUIRTY_PROFILE}
 
 base-image:
     ARG TARGETARCH # Earthly built-in (not passed)