Set dependency properly so string is interpolated for k3s #293
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release artifacts | |
| on: | |
| # Bump the CI | |
| push: | |
| tags: | |
| - v* | |
| env: | |
| FORCE_COLOR: 1 | |
| EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }} | |
| permissions: read-all | |
| jobs: | |
| get-core-matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - run: | | |
| sudo apt update && sudo apt install -y jq | |
| - id: set-matrix | |
| run: | | |
| content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "amd64" and .variant == "core"))'` | |
| # the following lines are only required for multi line json | |
| content="${content//'%'/'%25'}" | |
| content="${content//$'\n'/'%0A'}" | |
| content="${content//$'\r'/'%0D'}" | |
| # end of optional handling for multi line json | |
| echo "::set-output name=matrix::{\"include\": $content }" | |
| get-uki-matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - run: | | |
| sudo apt update && sudo apt install -y jq | |
| - id: set-matrix | |
| run: | | |
| content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "amd64" and (.flavor == "fedora" or (.flavor == "ubuntu" and (.flavorRelease == "24.04")))))'` | |
| # the following lines are only required for multi line json | |
| content="${content//'%'/'%25'}" | |
| content="${content//$'\n'/'%0A'}" | |
| content="${content//$'\r'/'%0D'}" | |
| # end of optional handling for multi line json | |
| echo "::set-output name=matrix::{\"include\": $content }" | |
| # The matrix for standard (provider) images | |
| get-standard-matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - run: | | |
| sudo apt update && sudo apt install -y jq wget | |
| - name: Install earthly | |
| uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 | |
| with: | |
| repository: quay.io/kairos/packages | |
| packages: utils/earthly | |
| - id: set-matrix | |
| run: | | |
| docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./ | |
| chmod +x luet | |
| sudo mv luet /usr/bin/luet | |
| # Construct an array like this from the found versions: | |
| earthly --platform=linux/amd64 +extract-framework-profile | |
| # fetch "k3s-openrc" versions | |
| sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-openrc")) | map(.version) | unique' > k3s_openrc.json | |
| # fetch alpine flavors | |
| jq 'map(select(.arch == "amd64" and .variant == "standard" and .model == "generic" and .flavor == "alpine"))' .github/flavors.json > flavors_openrc.json | |
| # generate combinations | |
| jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_openrc.json k3s_openrc.json > combinations_openrc.json | |
| # fetch "k3s-systemd" versions | |
| sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-systemd")) | map(.version) | unique' > k3s_systemd.json | |
| # fetch non-alpine flavors | |
| jq 'map(select(.arch == "amd64" and .variant == "standard" and .model == "generic" and .flavor != "alpine"))' .github/flavors.json > flavors_systemd.json | |
| # generate combinations | |
| jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_systemd.json k3s_systemd.json > combinations_systemd.json | |
| # merge the two combinations | |
| content=$(jq -s 'add' combinations_openrc.json combinations_systemd.json) | |
| # the following lines are only required for multi line json | |
| content="${content//'%'/'%25'}" | |
| content="${content//$'\n'/'%0A'}" | |
| content="${content//$'\r'/'%0D'}" | |
| # end of optional handling for multi line json | |
| echo "::set-output name=matrix::{\"include\": $content }" | |
| build-core: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - get-core-matrix | |
| permissions: | |
| id-token: write # OIDC support | |
| contents: write | |
| actions: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.get-core-matrix.outputs.matrix) }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Release space from worker | |
| run: | | |
| ./.github/release-space-from-ubuntu-runners.sh | |
| - name: Login to Quay Registry | |
| run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io | |
| - name: Install earthly | |
| uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 | |
| with: | |
| repository: quay.io/kairos/packages | |
| packages: utils/earthly | |
| - name: Build 🔧 | |
| run: | | |
| earthly +all \ | |
| --VARIANT=${{ matrix.variant }} \ | |
| --FAMILY=${{ matrix.family }} \ | |
| --FLAVOR=${{ matrix.flavor }} \ | |
| --FLAVOR_RELEASE=${{ matrix.flavorRelease }} \ | |
| --MODEL=${{ matrix.model }} \ | |
| --BASE_IMAGE=${{ matrix.baseImage }} | |
| sudo mv build release | |
| - name: Push to quay | |
| env: | |
| COSIGN_YES: true | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| export IMAGE=$(cat release/IMAGE) | |
| docker push "$IMAGE" | |
| image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") | |
| spdx=$(ls release/*.spdx.json) | |
| cosign attach sbom --sbom $spdx $image_ref | |
| cosign sign $image_ref --attachment sbom | |
| # in-toto attestation | |
| cosign attest --type spdx --predicate $spdx $image_ref | |
| - name: Sign ISO sha files | |
| env: | |
| COSIGN_YES: true | |
| run: | | |
| sudo chmod -R 777 release | |
| filename=$(ls release/*.iso.sha256) | |
| cosign sign-blob --yes --output-certificate="${filename}.pem" \ | |
| --output-signature="${filename}.sig" "${filename}" | |
| - name: Prepare files for release | |
| run: | | |
| mkdir trivy-results grype-results | |
| trivy=$(ls release/*trivy.sarif 2>/dev/null | head -n 1) | |
| grype=$(ls release/*grype.sarif 2>/dev/null | head -n 1) | |
| sudo mv $trivy trivy-results/result.sarif | |
| sudo mv $grype grype-results/result.sarif | |
| mkdir reports | |
| mv release/*.json reports/ | |
| cd reports | |
| filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json} | |
| sudo tar cvf "${filename}-sbom-scan-reports.tar.gz" *.json | |
| mv *.tar.gz ../release/ | |
| cd .. | |
| rm release/IMAGE release/VERSION release/versions.yaml | |
| - uses: itxaka/sarif-filter@v1 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| input: trivy-results/result.sarif | |
| output: trivy-results/result.sarif | |
| severity: critical | |
| - uses: itxaka/sarif-filter@v1 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| input: grype-results/result.sarif | |
| output: grype-results/result.sarif | |
| severity: critical | |
| - name: Release | |
| uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| files: | | |
| release/* | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| sarif_file: 'trivy-results' | |
| category: ${{ matrix.flavor }}-${{ matrix.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-trivy | |
| - name: Upload Grype scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| sarif_file: 'grype-results' | |
| category: ${{ matrix.flavor }}-${{ matrix.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-grype | |
| build-uki-container-image: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # OIDC support | |
| contents: write | |
| actions: read | |
| security-events: write | |
| needs: | |
| - get-uki-matrix | |
| strategy: | |
| matrix: ${{ fromJson(needs.get-uki-matrix.outputs.matrix) }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - run: | | |
| git fetch --prune --unshallow | |
| - name: Release space from worker | |
| run: | | |
| ./.github/release-space-from-ubuntu-runners.sh | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@master | |
| with: | |
| platforms: all | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@master | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Login to Quay Registry | |
| run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io | |
| - name: Install earthly | |
| uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 | |
| with: | |
| repository: quay.io/kairos/packages | |
| packages: utils/earthly | |
| - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines | |
| run: | | |
| sudo iptables -I INPUT -s 169.254.169.254 -j DROP | |
| sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP | |
| - name: Build 🔧 | |
| run: | | |
| earthly --platform=linux/amd64 +base-image \ | |
| --VARIANT=${{ matrix.variant }} \ | |
| --FLAVOR=${{ matrix.flavor }} \ | |
| --FLAVOR_RELEASE="${{ matrix.flavorRelease }}" \ | |
| --BASE_IMAGE=${{ matrix.baseImage }} \ | |
| --MODEL=${{ matrix.model }} \ | |
| --FAMILY=${{ matrix.family }} \ | |
| --BOOTLOADER=systemd-boot | |
| sudo mv build/* . | |
| sudo rm -rf build | |
| - name: Install kairos-agent (for versioneer) | |
| uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 | |
| with: | |
| repository: quay.io/kairos/packages | |
| packages: system/kairos-agent | |
| - name: Push to quay | |
| env: | |
| COSIGN_YES: true | |
| run: | | |
| SUFFIX="-uki" | |
| IMAGE=$(cat IMAGE) | |
| docker tag $(cat IMAGE) "$IMAGE$SUFFIX" | |
| docker push "$IMAGE$SUFFIX" | |
| image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX") | |
| cosign sign $image_ref | |
| - name: Build UKI ISO | |
| run: | | |
| earthly +uki-iso \ | |
| --BASE_IMAGE=quay.io/kairos/${{ matrix.flavor }}:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }}-uki \ | |
| --AURORABOOT_CREATE_CI_KEYS=true | |
| - name: Release | |
| uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| files: | | |
| build/*.efi | |
| build-standard: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - get-standard-matrix | |
| permissions: | |
| id-token: write # OIDC support | |
| contents: write | |
| actions: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.get-standard-matrix.outputs.matrix) }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Release space from worker | |
| run: | | |
| ./.github/release-space-from-ubuntu-runners.sh | |
| - name: Install earthly | |
| uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 | |
| with: | |
| repository: quay.io/kairos/packages | |
| packages: utils/earthly | |
| - name: Login to Quay Registry | |
| run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io | |
| - name: Build 🔧 | |
| run: | | |
| earthly +all \ | |
| --VARIANT=${{ matrix.variant }} \ | |
| --FAMILY=${{ matrix.family }} \ | |
| --FLAVOR=${{ matrix.flavor }} \ | |
| --FLAVOR_RELEASE=${{ matrix.flavorRelease }} \ | |
| --MODEL=${{ matrix.model }} \ | |
| --K3S_VERSION=${{ matrix.k3s_version }} \ | |
| --BASE_IMAGE=${{ matrix.baseImage }} | |
| sudo mv build release | |
| - name: Push to quay | |
| if: startsWith(github.ref, 'refs/tags/') | |
| env: | |
| COSIGN_YES: true | |
| run: | | |
| IMAGE=$(cat release/IMAGE) | |
| docker push "$IMAGE" | |
| cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") | |
| - name: Prepare files for release | |
| run: | | |
| mkdir sarif | |
| mv release/*.sarif sarif/ | |
| mkdir reports | |
| mv release/*.json reports/ | |
| cd reports | |
| filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json} | |
| sudo tar cvf "${filename}-sbom-scan-reports.tar.gz" *.json | |
| mv *.tar.gz ../release/ | |
| cd .. | |
| sudo rm -rf release/VERSION release/IMAGE release/versions.yaml | |
| - name: Release | |
| uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| files: | | |
| release/* | |
| build-aws-image: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - get-standard-matrix | |
| - build-standard | |
| permissions: | |
| id-token: write # OIDC support | |
| contents: write | |
| actions: read | |
| security-events: write | |
| strategy: | |
| matrix: | |
| include: | |
| # We don't publish AWS images for all combinations so we go hardcoded here | |
| - flavor: ubuntu | |
| flavor_release: 24.04 | |
| family: ubuntu | |
| base_image: ubuntu:24.04 | |
| variant: standard | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - run: | | |
| git fetch --prune --unshallow | |
| - name: Install kairos-agent (for versioneer) | |
| uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 | |
| with: | |
| repository: quay.io/kairos/packages | |
| packages: system/kairos-agent | |
| - name: Build 🔧 | |
| run: | | |
| # TODO: Does "sort" work correctly on k3s versions? Which version do we want? | |
| k3s_version=$(echo '${{ needs.get-standard-matrix.outputs.matrix }}' | \ | |
| jq -r '[.[].k3s_version] | unique | sort | .[0]') | |
| version=$(git describe --always --tags --dirty) | |
| containerImage=$(kairos-agent versioneer container-artifact-name \ | |
| --flavor ${{ matrix.flavor }} \ | |
| --flavor-release ${{ matrix.flavor_release }} \ | |
| --variant ${{ matrix.variant }} \ | |
| --model generic \ | |
| --arch amd64 \ | |
| --software-version-prefix k3s \ | |
| --registry-and-org quay.io/kairos \ | |
| --software-version "$k3s_version" \ | |
| --version "$version" | |
| ) | |
| echo "Using $containerImage to build a cloud image" | |
| docker run -v /var/run/docker.sock:/var/run/docker.sock --net host \ | |
| --privileged \ | |
| -v $PWD:/aurora --rm quay.io/kairos/auroraboot \ | |
| --debug \ | |
| --set "disable_http_server=true" \ | |
| --set "container_image=docker:${containerImage}" \ | |
| --set "disable_netboot=true" \ | |
| --set "disk.raw=true" \ | |
| --set "state_dir=/aurora" | |
| # https://github.com/aws-actions/configure-aws-credentials?tab=readme-ov-file#assumerole-with-static-iam-credentials-in-repository-secrets | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: eu-central-1 | |
| #role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| #role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }} | |
| role-duration-seconds: 1200 | |
| role-session-name: AWSCIPush | |
| - name: Push to AWS | |
| env: | |
| AWS_S3_BUCKET: kairos-cloud-images | |
| AWS_REGION: eu-central-1 | |
| run: | | |
| .github/upload-image-to-aws.sh $(ls *.raw) |