name: Release artifacts
# Runs only for version tags; every artifact published below is tied to that tag ref.
on:
  push:
    tags:
      - v*
env:
  FORCE_COLOR: 1
  # Earthly credentials, visible to every job in this workflow.
  EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }}
# Least privilege by default; jobs that publish escalate with their own permissions block.
permissions: read-all
jobs:
get-core-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- run: |
sudo apt update && sudo apt install -y jq
- id: set-matrix
run: |
content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "amd64" and .variant == "core"))'`
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
get-uki-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- run: |
sudo apt update && sudo apt install -y jq
- id: set-matrix
run: |
content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "amd64" and (.flavor == "fedora" or (.flavor == "ubuntu" and (.flavorRelease == "24.04")))))'`
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
# The matrix for standard (provider) images
get-standard-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- run: |
sudo apt update && sudo apt install -y jq wget
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- id: set-matrix
run: |
docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./
chmod +x luet
sudo mv luet /usr/bin/luet
# Construct an array like this from the found versions:
earthly --platform=linux/amd64 +extract-framework-profile
# fetch "k3s-openrc" versions
sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-openrc")) | map(.version) | unique' > k3s_openrc.json
# fetch alpine flavors
jq 'map(select(.arch == "amd64" and .variant == "standard" and .model == "generic" and .flavor == "alpine"))' .github/flavors.json > flavors_openrc.json
# generate combinations
jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_openrc.json k3s_openrc.json > combinations_openrc.json
# fetch "k3s-systemd" versions
sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-systemd")) | map(.version) | unique' > k3s_systemd.json
# fetch non-alpine flavors
jq 'map(select(.arch == "amd64" and .variant == "standard" and .model == "generic" and .flavor != "alpine"))' .github/flavors.json > flavors_systemd.json
# generate combinations
jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_systemd.json k3s_systemd.json > combinations_systemd.json
# merge the two combinations
content=$(jq -s 'add' combinations_openrc.json combinations_systemd.json)
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
build-core:
runs-on: ubuntu-latest
needs:
- get-core-matrix
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.get-core-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Release space from worker
run: |
./github/release-space-from-ubuntu-runners.sh
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Build 🔧
run: |
earthly +all \
--VARIANT=${{ matrix.variant }} \
--FAMILY=${{ matrix.family }} \
--FLAVOR=${{ matrix.flavor }} \
--FLAVOR_RELEASE=${{ matrix.flavorRelease }} \
--MODEL=${{ matrix.model }} \
--BASE_IMAGE=${{ matrix.baseImage }}
sudo mv build release
- name: Push to quay
env:
COSIGN_YES: true
if: startsWith(github.ref, 'refs/tags/')
run: |
export IMAGE=$(cat release/IMAGE)
docker push "$IMAGE"
image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
spdx=$(ls release/*.spdx.json)
cosign attach sbom --sbom $spdx $image_ref
cosign sign $image_ref --attachment sbom
# in-toto attestation
cosign attest --type spdx --predicate $spdx $image_ref
- name: Sign ISO sha files
env:
COSIGN_YES: true
run: |
sudo chmod -R 777 release
filename=$(ls release/*.iso.sha256)
cosign sign-blob --yes --output-certificate="$(unknown).pem" \
--output-signature="$(unknown).sig" "$(unknown)"
- name: Prepare files for release
run: |
mkdir trivy-results grype-results
trivy=$(ls build/*trivy.sarif 2>/dev/null | head -n 1)
grype=$(ls build/*grype.sarif 2>/dev/null | head -n 1)
sudo mv $trivy trivy-results/result.sarif
sudo mv $grype grype-results/result.sarif
mkdir reports
mv release/*.json reports/
cd reports
filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json}
sudo tar cvf "$(unknown)-sbom-scan-reports.tar.gz" *.json
mv *.tar.gz ../release/
cd ..
rm release/IMAGE release/VERSION release/versions.yaml
- uses: itxaka/sarif-filter@v1
if: startsWith(github.ref, 'refs/tags/')
with:
input: trivy-results/result.sarif
output: trivy-results/result.sarif
severity: high
- uses: itxaka/sarif-filter@v1
if: startsWith(github.ref, 'refs/tags/')
with:
input: grype-results/result.sarif
output: grype-results/result.sarif
severity: high
- name: Release
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
release/*
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'trivy-results'
category: ${{ matrix.flavor }}-${{ matrix.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-trivy
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'grype-results'
category: ${{ matrix.flavor }}-${{ matrix.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-grype
build-uki-container-image:
runs-on: ubuntu-latest
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
needs:
- get-uki-matrix
strategy:
matrix: ${{ fromJson(needs.get-uki-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- run: |
git fetch --prune --unshallow
- name: Release space from worker
run: |
./github/release-space-from-ubuntu-runners.sh
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
run: |
sudo iptables -I INPUT -s 169.254.169.254 -j DROP
sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- name: Build 🔧
run: |
earthly --platform=linux/amd64 +base-image \
--VARIANT=${{ matrix.variant }} \
--FLAVOR=${{ matrix.flavor }} \
--FLAVOR_RELEASE="${{ matrix.flavorRelease }}" \
--BASE_IMAGE=${{ matrix.baseImage }} \
--MODEL=${{ matrix.model }} \
--FAMILY=${{ matrix.family }} \
--BOOTLOADER=systemd-boot
sudo mv build/* .
sudo rm -rf build
- name: Install kairos-agent (for versioneer)
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: system/kairos-agent
- name: Push to quay
env:
COSIGN_YES: true
run: |
SUFFIX="-uki"
IMAGE=$(cat IMAGE)
docker tag $(cat IMAGE) "$IMAGE$SUFFIX"
docker push "$IMAGE$SUFFIX"
image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX")
cosign sign $image_ref
- name: Build UKI ISO
run: |
earthly +uki-iso \
--BASE_IMAGE=quay.io/kairos/${{ matrix.flavor }}:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }}-uki \
--AURORABOOT_CREATE_CI_KEYS=true
- name: Release
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
build/*.efi
build-standard:
runs-on: ubuntu-latest
needs:
- get-standard-matrix
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.get-standard-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Release space from worker
run: |
./github/release-space-from-ubuntu-runners.sh
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Build 🔧
run: |
earthly +all \
--VARIANT=${{ matrix.variant }} \
--FAMILY=${{ matrix.family }} \
--FLAVOR=${{ matrix.flavor }} \
--FLAVOR_RELEASE=${{ matrix.flavorRelease }} \
--MODEL=${{ matrix.model }} \
--K3S_VERSION=${{ matrix.k3s_version }} \
--BASE_IMAGE=${{ matrix.baseImage }}
sudo mv build release
- name: Push to quay
if: startsWith(github.ref, 'refs/tags/')
env:
COSIGN_YES: true
run: |
IMAGE=$(cat release/IMAGE)
docker push "$IMAGE"
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- name: Prepare files for release
run: |
mkdir sarif
mv release/*.sarif sarif/
mkdir reports
mv release/*.json reports/
cd reports
filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json}
sudo tar cvf "$(unknown)-sbom-scan-reports.tar.gz" *.json
mv *.tar.gz ../release/
cd ..
sudo rm -rf release/VERSION release/IMAGE release/versions.yaml
- name: Release
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
release/*
build-aws-image:
runs-on: ubuntu-latest
needs:
- build-standard
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
strategy:
matrix:
include:
# We don't publish AWS images for all combinations so we go hardcoded here
- flavor: ubuntu
flavor_release: 24.04
family: ubuntu
base_image: ubuntu:24.04
variant: standard
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- run: |
git fetch --prune --unshallow
- name: Release space from worker
run: |
./github/release-space-from-ubuntu-runners.sh
- name: Install kairos-agent (for versioneer)
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: system/kairos-agent
- name: Build 🔧
run: |
# TODO: Does "sort" work correctly on k3s versions? Which version do we want?
k3s_version=$(echo '${{ needs.get-standard-matrix.outputs.matrix }}' | \
jq -r '[.[].k3s_version] | unique | sort | .[0]')
containerImage=$(kairos-agent versioneer container-artifact-name \
--flavor ${{ .matrix.flavor }} \
--flavor-release ${{ .matrix.flavor_release }} \
--variant ${{ .matrix.variant }} \
--model generic \
--arch amd64 \
--software-version-prefix k3s \
--registry-and-org quay.io/kairos \
--software-version "$k3s_version" \
--version $(git describe --always --tags --dirty)
)
docker run -v /var/run/docker.sock:/var/run/docker.sock --net host \
--privileged \
-v $PWD:/aurora --rm -ti quay.io/kairos/auroraboot \
--debug \
--set "disable_http_server=true" \
--set "container_image=docker:${IMAGE}" \
--set "disable_netboot=true" \
--set "disk.raw=true" \
--set "state_dir=/aurora"
- name: Install AWS cli
run: |
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# https://github.com/aws-actions/configure-aws-credentials?tab=readme-ov-file#assumerole-with-static-iam-credentials-in-repository-secrets
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-central-1
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
role-duration-seconds: 1200
role-session-name: AWSCIPush
- name: Push to AWS
env:

Check failure on line 419 in .github/workflows/release.yaml

View workflow run for this annotation

GitHub Actions / .github/workflows/release.yaml

Invalid workflow file

You have an error in your yaml syntax on line 419
AWS_S3_BUCKET: kairos-cloud-images
AWS_PROFILE: default
AWS_REGION: eu-central-1
run: |
AWS_PROFILE=kairos
.github/upload-image-to-aws.sh $(ls *.raw)