diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..3b98b3f3 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,209 @@ +name: build +on: + workflow_call: + inputs: + version: + description: "Garden Linux version" + type: string + default: today + target: + type: string + default: dev + flavors_parse_params_test: + description: "Run bin/parse_flavors.py with these parameters" + default: '--exclude "bare-*" --no-arch --json-by-arch --build --test' + type: string + flavors_matrix: + description: "Already generated GitHub workflow flavors matrix" + type: string + platform_test_tag: + description: 'Tag to run platform-test containers. "latest" or GL version. Tag must be available in `ghcr.io/gardenlinux/gardenlinux/platform-test-*`' + type: string + default: latest + platform_test_build: + description: "Run platform-test image build." + type: boolean + default: true + flavors_parse_params_test_bare: + description: "Run bin/parse_flavors.py with these parameters for bare flavors" + default: '--include-only "bare-*" --no-arch --json-by-arch --build --test' + type: string + fail_fast: + description: "Cancel workflow run on first error" + type: boolean + default: false + secrets: + aws_region: + required: false + aws_kms_role: + required: false + aws_oidc_session: + required: false + secureboot_db_kms_arn: + required: false + outputs: + flavors_matrix: + value: ${{ jobs.flavors_matrix.outputs.matrix }} + version: + value: ${{ jobs.requirements.outputs.version }} + bare_flavors_matrix: + value: ${{ jobs.bare_flavors_matrix.outputs.matrix }} + +jobs: + requirements: + name: Prepare build requirements + uses: gardenlinux/gardenlinux/.github/workflows/build_requirements.yml@b49b2dc9853b2a91a509c6ad947bc538797a4068 + with: + version: ${{ inputs.version == '' && 'now' || inputs.version }} + target: ${{ inputs.target }} + permissions: + actions: write + + bootstrap: + needs: requirements + name: Bootstrap build + uses: gardenlinux/gardenlinux/.github/workflows/build_bootstrap.yml@b49b2dc9853b2a91a509c6ad947bc538797a4068 + with: + commit_id: ${{ 
needs.requirements.outputs.commit_id }} + version: ${{ needs.requirements.outputs.version }} + permissions: + actions: write + + flavors_matrix: + name: Generate flavors matrix to build + uses: gardenlinux/gardenlinux/.github/workflows/build_flavors_matrix.yml@b49b2dc9853b2a91a509c6ad947bc538797a4068 + with: + flags: ${{ inputs.flavors_parse_params_test }} + flavors_matrix: ${{ inputs.flavors_matrix }} + + flavors: + needs: [bootstrap, flavors_matrix, requirements] + name: Build flavors + runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }} + strategy: + matrix: ${{ fromJson(needs.flavors_matrix.outputs.matrix ) }} + fail-fast: ${{ inputs.fail_fast }} + permissions: + id-token: write + actions: write + env: + CNAME: '' + USE_KMS: ${{ needs.requirements.outputs.signing_env == '' && 'false' || 'true' }} + environment: ${{ needs.requirements.outputs.signing_env }} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0 + with: + submodules: true + + - name: Install python-gardenlinux-lib + uses: gardenlinux/python-gardenlinux-lib/.github/actions/setup@02879bd567ed39b5610332afcc6e46197073db0c # pin@0.10.0 + + - name: Set build reference + run: | + echo "${{ needs.requirements.outputs.commit_id }}" | tee COMMIT + echo "${{ needs.requirements.outputs.version }}" | tee VERSION + + - name: Load bootstrap stage cache + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # pin@v4.3.0 + with: + path: .build + key: base-${{ matrix.arch }}-${{ github.run_id }} + fail-on-cache-miss: true + + - name: Load certs artifact + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # pin@v5.0.0 + with: + name: certs + path: cert/ + + - name: Configure aws credentials for kms signing + id: aws_auth + if: ${{ env.USE_KMS == 'true' }} + uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # pin@v4 + with: + role-to-assume: ${{ secrets.aws_kms_role }} + 
role-session-name: ${{ secrets.aws_oidc_session }} + aws-region: ${{ secrets.aws_region }} + role-duration-seconds: 14400 + + - name: Write secureboot db arn for kms backed certificates + if: ${{ steps.aws_auth.conclusion == 'success' }} + run: echo "${{ secrets.secureboot_db_kms_arn }}" > cert/secureboot.db.arn + + - name: Update bootstrap stage build artifact timestamps + run: | + t="$(date '+%s')" + find ./.build -exec touch -d "@$t" {} + + + - name: Build + run: | + cp ./flavors.yaml ./gardenlinux/flavors.yaml + make ${{ matrix.flavor }}-${{ matrix.arch }}-build + + - name: Determine CNAME + id: cname + uses: gardenlinux/python-gardenlinux-lib/.github/actions/features_parse@02879bd567ed39b5610332afcc6e46197073db0c # pin@0.10.0 + with: + flags: --cname ${{ matrix.flavor }}-${{ matrix.arch }} cname + + - name: Set CNAME + run: | + echo "CNAME=${{ steps.cname.outputs.result }}" | tee -a "$GITHUB_ENV" + + - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # pin@v4.3.0 + with: + path: | + COMMIT + VERSION + key: build-${{ matrix.flavor }}-${{ matrix.arch }}-${{ github.run_id }} + + kmodbuild_container: + needs: [flavors, requirements] + name: Build kernel module build dev container + uses: gardenlinux/gardenlinux/.github/workflows/build_kmodbuild_container.yml@b49b2dc9853b2a91a509c6ad947bc538797a4068 + with: + version: ${{ needs.requirements.outputs.version }} + permissions: + actions: write + + bare_flavors_matrix: + name: Generate bare flavors matrix to build + uses: gardenlinux/gardenlinux/.github/workflows/build_flavors_matrix.yml@b49b2dc9853b2a91a509c6ad947bc538797a4068 + with: + flags: ${{ inputs.flavors_parse_params_test_bare }} + + bare_flavors: + needs: [bootstrap, bare_flavors_matrix, requirements] + name: Build bare flavors + uses: gardenlinux/gardenlinux/.github/workflows/build_bare_flavor.yml@b49b2dc9853b2a91a509c6ad947bc538797a4068 + strategy: + matrix: ${{ fromJson(needs.bare_flavors_matrix.outputs.matrix) }} + fail-fast: ${{ 
inputs.fail_fast }} + with: + arch: ${{ matrix.arch }} + bare_flavor: ${{ matrix.flavor }} + commit_id: ${{ needs.requirements.outputs.commit_id }} + version: ${{ needs.requirements.outputs.version }} + secrets: inherit + permissions: + actions: write + + upload_flavor_version_data: + needs: [requirements, flavors] + name: Store flavor version data + runs-on: ubuntu-24.04 + permissions: + actions: write + steps: + - name: Store data in JSON file + run: | + jq -r -n '{ + "commit_id": "${{ needs.requirements.outputs.commit_id }}", + "version": "${{ needs.requirements.outputs.version }}", + "target": "${{ needs.requirements.outputs.target }}" + }' '.' > flavor_version_data.json + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4.6.2 + with: + name: flavor-version-data + path: flavor_version_data.json + if-no-files-found: error diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml index 1f67f55c..266b61b8 100644 --- a/.github/workflows/dev.yml +++ b/.github/workflows/dev.yml @@ -26,7 +26,7 @@ jobs: run: echo "VERSION=$(cat VERSION)" >> $GITHUB_OUTPUT build: needs: [set_version] - uses: gardenlinux/gardenlinux/.github/workflows/build.yml@c1a1f112762be72b7f154ec931dfe4c57b4d2d44 + uses: ./.github/workflows/build.yml with: version: ${{ needs.set_version.outputs.VERSION }} # to set target to "release" or "nightly" we need proper KMS secrets diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index e43b0f38..1cb47332 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -19,7 +19,7 @@ jobs: submodules: recursive build: needs: [checkout] - uses: gardenlinux/gardenlinux/.github/workflows/build.yml@c1a1f112762be72b7f154ec931dfe4c57b4d2d44 + uses: ./.github/workflows/build.yml with: version: ${{ inputs.version || 'now' }} # to set target to "release" or "nightly" we need proper KMS secrets
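Review bot: Several `run:` steps in the new `flavors` and `upload_flavor_version_data` jobs splice workflow data straight into the shell via `${{ }}` — `echo "${{ needs.requirements.outputs.version }}" | tee VERSION`, `make ${{ matrix.flavor }}-${{ matrix.arch }}-build`, and the single-quoted jq program in "Store data in JSON file" — and the flavor names and version ultimately derive from caller-supplied inputs (`inputs.flavors_matrix`, `inputs.version`), so a crafted value is a shell-injection path inside a job that holds `id-token: write` and, when USE_KMS is true, the assumed KMS signing role. Pass these values through `env:` and reference them as quoted shell variables, and build the JSON with `jq --arg` instead of string interpolation (the trailing `'.'` positional in that jq call looks like a stray input-file argument rather than part of the filter and is not needed with `-n`). Separately, `secrets: inherit` on `bare_flavors` forwards every secret this workflow received, while the four declared AWS/KMS secrets appear to be all it could need; listing them explicitly keeps signing material out of any job that does not sign. The `actions: write` grant on `upload_flavor_version_data` also looks wider than a jq-plus-upload-artifact job needs. How far the upstream `build_requirements.yml` sanitizes `version` and `commit_id` is not visible here, so validation at the point of use is the safe assumption.

```yaml
      - name: Set build reference
        env:
          COMMIT_ID: ${{ needs.requirements.outputs.commit_id }}
          BUILD_VERSION: ${{ needs.requirements.outputs.version }}
        run: |
          printf '%s\n' "$COMMIT_ID" | tee COMMIT
          printf '%s\n' "$BUILD_VERSION" | tee VERSION

      # … unchanged: cache restore, certs artifact, KMS auth, timestamp touch …

      - name: Build
        env:
          FLAVOR: ${{ matrix.flavor }}
          ARCH: ${{ matrix.arch }}
        run: |
          cp ./flavors.yaml ./gardenlinux/flavors.yaml
          make "${FLAVOR}-${ARCH}-build"

      # … unchanged: CNAME steps, cache save, kmodbuild_container, bare flavors …

      - name: Store data in JSON file
        env:
          COMMIT_ID: ${{ needs.requirements.outputs.commit_id }}
          BUILD_VERSION: ${{ needs.requirements.outputs.version }}
          TARGET: ${{ needs.requirements.outputs.target }}
        run: |
          jq -n --arg commit_id "$COMMIT_ID" --arg version "$BUILD_VERSION" --arg target "$TARGET" \
            '{commit_id: $commit_id, version: $version, target: $target}' > flavor_version_data.json
```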