Skip to content

Fix jq syntax and replace deprecated github action syntax with new #201

Fix jq syntax and replace deprecated github action syntax with new

Fix jq syntax and replace deprecated github action syntax with new #201

Workflow file for this run

name: Release
on:
# Bump the CI
push:
tags:
- v*
branches:
- "1609-release-standard-images"
jobs:
get-core-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
sudo apt update && sudo apt install -y jq
- id: set-matrix
run: |
content=`cat .github/flavors.json | jq 'map(select(.frameworkonly != "true"))'`
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "matrix={\"include\": $content }" >> $GITHUB_OUTPUT
# The matrix for standard (provider) images
get-standard-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
sudo apt update && sudo apt install -y jq wget
- id: set-matrix
run: |
docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./
chmod +x luet
sudo mv luet /usr/bin/luet
# Construct an array like this from the found versions:
sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version)' > k3s_versions.json
content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.frameworkonly != "true"))' .github/flavors.json k3s_versions.json)
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "matrix={\"include\": $content }" >> $GITHUB_OUTPUT
get-framework-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
- id: set-matrix
run: |
content=`cat .github/flavors.json`
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "matrix={\"include\": $content }" >> $GITHUB_OUTPUT
build-framework:
runs-on: self-hosted
needs:
- get-framework-matrix
permissions:
id-token: write # OIDC support
contents: write
strategy:
fail-fast: false
matrix: ${{fromJson(needs.get-framework-matrix.outputs.matrix)}}
steps:
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Install earthly
uses: Luet-lab/luet-install-action@v1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Build 🔧
env:
FLAVOR: ${{ matrix.flavor }}
IMAGE: quay.io/kairos/framework
run: |
# Configure earthly to use the docker mirror in CI
# https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
mkdir -p ~/.earthly/
cat << EOF > ~/.earthly/config.yml
global:
buildkit_additional_config: |
[registry."docker.io"]
mirrors = ["registry.docker-mirror.svc.cluster.local:5000"]
[registry."registry.docker-mirror.svc.cluster.local:5000"]
insecure = true
http = true
EOF
export TAG=${GITHUB_REF##*/}
earthly +build-framework-image --FLAVOR=${FLAVOR}
- name: Push to quay
env:
COSIGN_YES: true
if: startsWith(github.ref, 'refs/tags/')
run: |
export TAG=${GITHUB_REF##*/}_${{ matrix.flavor }}
export IMAGE="quay.io/kairos/framework"
docker push "$IMAGE:$TAG" # Otherwise .RepoDigests will be empty for some reason
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
build-core:
runs-on: ubuntu-latest
needs:
- get-core-matrix
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.get-core-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
- name: setup-docker
uses: docker-practice/actions-setup-docker@master
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Release space from worker
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Install earthly
uses: Luet-lab/luet-install-action@v1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Build 🔧
env:
FLAVOR: ${{ matrix.flavor }}
run: |
earthly +all --VARIANT=core --FLAVOR=$FLAVOR
sudo mv build release
- name: Push to quay
env:
COSIGN_YES: true
if: startsWith(github.ref, 'refs/tags/')
run: |
export IMAGE=$(cat release/IMAGE)
docker push "$IMAGE"
image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
spdx=$(ls release/*.spdx.json)
cosign attach sbom --sbom $spdx $image_ref
cosign sign $image_ref --attachment sbom
# in-toto attestation
cosign attest --type spdx --predicate $spdx $image_ref
- name: Sign ISO sha files
env:
COSIGN_YES: true
run: |
sudo chmod -R 777 release
filename=$(ls release/*.iso.sha256)
cosign sign-blob --yes --output-certificate="${filename}.pem" \
--output-signature="${filename}.sig" "${filename}"
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
release/*
- name: Prepare sarif files 🔧
run: |
mkdir sarif
mv release/*.sarif sarif/
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
build-core-uki:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
- name: Install earthly
uses: Luet-lab/luet-install-action@v1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Build uki image 🔧
run: |
# Do fedora as its the smaller uki possible
earthly +uki --VARIANT=core --FLAVOR=fedora
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
build/*.efi
build-standard:
runs-on: ubuntu-latest
needs:
- get-standard-matrix
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.get-standard-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
- name: setup-docker
uses: docker-practice/actions-setup-docker@master
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Release space from worker
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- name: Install earthly
uses: Luet-lab/luet-install-action@v1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Build 🔧
run: |
earthly +all -VARIANT=standard -K3S_VERSION=${{ matrix.k3s_version }} -FLAVOR=${{ matrix.flavor }}
sudo mv build release
- name: Push to quay
if: startsWith(github.ref, 'refs/tags/')
env:
COSIGN_YES: true
run: |
IMAGE=$(cat release/IMAGE)
docker push "$IMAGE"
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
sudo rm -rf release/IMAGE release/VERSION
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
release/*