Have a framework profile to pin the arm64 agent #200

Workflow file for this run

.github/workflows/release.yaml at 7c21f33

	name: Release

	on:
	push:
	tags:
	- v*
	jobs:
	get-matrix:
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	steps:
	- uses: actions/checkout@v3
	- run: \|
	git fetch --prune --unshallow
	sudo apt update && sudo apt install -y jq
	- id: set-matrix
	run: \|
	content=`cat .github/flavors.json \| jq 'map(select(.frameworkonly != "true"))'`
	# the following lines are only required for multi line json
	content="${content//'%'/'%25'}"
	content="${content//$'\n'/'%0A'}"
	content="${content//$'\r'/'%0D'}"
	# end of optional handling for multi line json
	echo "::set-output name=matrix::{\"include\": $content }"

	get-framework-matrix:
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	steps:
	- uses: actions/checkout@v3
	- run: \|
	git fetch --prune --unshallow
	- id: set-matrix
	run: \|
	content=`cat .github/flavors.json`
	# the following lines are only required for multi line json
	content="${content//'%'/'%25'}"
	content="${content//$'\n'/'%0A'}"
	content="${content//$'\r'/'%0D'}"
	# end of optional handling for multi line json
	echo "::set-output name=matrix::{\"include\": $content }"

	build-framework:
	runs-on: self-hosted
	needs:
	- get-framework-matrix
	permissions:
	id-token: write # OIDC support
	contents: write
	strategy:
	fail-fast: false
	matrix: ${{fromJson(needs.get-framework-matrix.outputs.matrix)}}
	steps:
	- uses: actions/checkout@v3
	- run: \|
	git fetch --prune --unshallow
	- name: Install Cosign
	uses: sigstore/cosign-installer@main
	- name: Install earthly
	uses: Luet-lab/luet-install-action@v1
	with:
	repository: quay.io/kairos/packages
	packages: utils/earthly
	- name: Login to Quay Registry
	run: echo ${{ secrets.QUAY_PASSWORD }} \| docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
	- name: Build 🔧
	env:
	FLAVOR: ${{ matrix.flavor }}
	IMAGE: quay.io/kairos/framework
	run: \|
	# Configure earthly to use the docker mirror in CI
	# https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
	mkdir -p ~/.earthly/
	cat << EOF > ~/.earthly/config.yml
	global:
	buildkit_additional_config: \|
	[registry."docker.io"]
	mirrors = ["registry.docker-mirror.svc.cluster.local:5000"]
	[registry."registry.docker-mirror.svc.cluster.local:5000"]
	insecure = true
	http = true
	EOF
	export TAG=${GITHUB_REF##*/}
	earthly +build-framework-image --FLAVOR=${FLAVOR}
	- name: Push to quay
	env:
	COSIGN_YES: true
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	export TAG=${GITHUB_REF##*/}_${{ matrix.flavor }}
	export IMAGE="quay.io/kairos/framework"
	docker push "$IMAGE:$TAG" # Otherwise .RepoDigests will be empty for some reason
	cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")

	build:
	runs-on: ubuntu-latest
	needs:
	- get-matrix
	permissions:
	id-token: write # OIDC support
	contents: write
	actions: read
	security-events: write
	strategy:
	fail-fast: false
	matrix: ${{ fromJson(needs.get-matrix.outputs.matrix) }}
	steps:
	- uses: actions/checkout@v3
	- run: \|
	git fetch --prune --unshallow
	- name: setup-docker
	uses: docker-practice/actions-setup-docker@master
	- name: Install Cosign
	uses: sigstore/cosign-installer@main
	- name: Release space from worker
	run: \|
	sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
	sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
	- name: Login to Quay Registry
	run: echo ${{ secrets.QUAY_PASSWORD }} \| docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
	- name: Install earthly
	uses: Luet-lab/luet-install-action@v1
	with:
	repository: quay.io/kairos/packages
	packages: utils/earthly
	- name: Build 🔧
	if: startsWith(github.ref, 'refs/tags/')
	env:
	FLAVOR: ${{ matrix.flavor }}
	run: \|
	export TAG=${GITHUB_REF##*/}
	earthly +all --IMAGE=quay.io/kairos/core-$FLAVOR:$TAG --FLAVOR=$FLAVOR --ISO_NAME=kairos-$FLAVOR-$TAG
	sudo mv build release
	- name: Push to quay
	env:
	COSIGN_YES: true
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	export TAG=${GITHUB_REF##*/}
	export IMAGE="quay.io/kairos/core-${{ matrix.flavor }}"
	docker push "$IMAGE:$TAG"
	image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
	spdx=$(ls release/*.spdx.json)
	cosign attach sbom --sbom $spdx $image_ref
	cosign sign $image_ref --attachment sbom
	# in-toto attestation
	cosign attest --type spdx --predicate $spdx $image_ref
	- name: Sign ISO sha files
	env:
	COSIGN_YES: true
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	export TAG=${GITHUB_REF##*/}
	sudo chmod -R 777 release
	cosign sign-blob --yes --output-certificate=release/kairos-${{ matrix.flavor }}-$TAG.iso.sha256.pem \
	--output-signature=release/kairos-${{ matrix.flavor }}-$TAG.iso.sha256.sig \
	release/kairos-${{ matrix.flavor }}-$TAG.iso.sha256
	- name: Release
	uses: softprops/action-gh-release@v1
	if: startsWith(github.ref, 'refs/tags/')
	with:
	files: \|
	release/*
	- name: Prepare sarif files 🔧
	env:
	FLAVOR: ${{ matrix.flavor }}
	IMAGE: quay.io/kairos/core-$FLAVOR:latest
	MODEL: ${{ matrix.model }}
	run: \|
	mkdir sarif
	mv release/*.sarif sarif/
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'sarif'
	category: ${{ matrix.flavor }}
	build-uki:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3
	- run: \|
	git fetch --prune --unshallow
	- name: Install earthly
	uses: Luet-lab/luet-install-action@v1
	with:
	repository: quay.io/kairos/packages
	packages: utils/earthly
	- name: Build uki image 🔧
	run: \|
	# Do fedora as its the smaller uki possible
	earthly +uki --FLAVOR=fedora
	- name: Release
	uses: softprops/action-gh-release@v1
	if: startsWith(github.ref, 'refs/tags/')
	with:
	files: \|
	build/*.efi
	# build-vm-images:
	# needs: build
	# runs-on: macos-12
	# strategy:
	# fail-fast: false
	# matrix:
	# include:
	# - flavor: "opensuse"
	# - flavor: "alpine"
	# steps:
	# - uses: actions/checkout@v2
	# - name: Install deps
	# run: \|
	# brew install hudochenkov/sshpass/sshpass
	# brew install qemu
	# - name: Download artifacts
	# uses: actions/download-artifact@v2
	# with:
	# name: kairos-${{ matrix.flavor }}.iso.zip
	# - run: \|
	# ls -liah
	# iso=$(ls *.iso)
	# bash scripts/build_vm.sh $iso
	# - uses: actions/upload-artifact@v2
	# with:
	# name: kairos-${{ matrix.flavor }}.qcow2.tar.xz
	# path: \|
	# *.qcow2.tar.xz
	# - uses: actions/upload-artifact@v2
	# with:
	# name: kairos-${{ matrix.flavor }}.ova
	# path: \|
	# *.ova
	# if-no-files-found: error

	# release-images:
	# runs-on: ubuntu-latest
	# permissions:
	# contents: write
	# needs: build-vm-images
	# strategy:
	# fail-fast: false
	# matrix:
	# include:
	# - flavor: "opensuse"
	# - flavor: "alpine"
	# steps:
	# - name: Download artifacts
	# uses: actions/download-artifact@v2
	# with:
	# name: kairos-${{ matrix.flavor }}.qcow2.tar.xz
	# - name: Download artifacts
	# uses: actions/download-artifact@v2
	# with:
	# name: kairos-${{ matrix.flavor }}.ova
	# - run: \|
	# mkdir release
	# mv *.qcow2.tar.xz release/
	# mv *.ova release/
	# - uses: web3-storage/add-to-web3@v2
	# id: web3
	# with:
	# web3_token: ${{ secrets.WEB3_STORAGE_TOKEN }}
	# path_to_add: 'release'
	# - run: \|
	# mkdir dist
	# echo ${{ steps.web3.outputs.url }} > dist/kairos-${{ matrix.flavor }}.qcow2.url.txt
	# - name: Release
	# uses: softprops/action-gh-release@v1
	# if: startsWith(github.ref, 'refs/tags/')
	# with:
	# files: \|
	# dist/*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Have a framework profile to pin the arm64 agent #200

Workflow file

Have a framework profile to pin the arm64 agent #200

Jobs

Run details

Workflow file for this run