wip: test build w/o sudo
Signed-off-by: Magnus Kulke <[email protected]>
mkulke committed Dec 6, 2024
1 parent 199b2bb commit 4c86e46
Showing 1 changed file with 149 additions and 146 deletions.
295 changes: 149 additions & 146 deletions .github/workflows/podvm_mkosi.yaml
@@ -1,62 +1,66 @@
name: Create a Pod VM image with mkosi
# name: Create a Pod VM image with mkosi
name: mgns mkosi

on:
workflow_dispatch:
inputs:
registry:
default: 'quay.io/confidential-containers'
required: false
type: string
image_tag:
default: ''
required: false
type: string
git_ref:
description: Git ref to checkout the cloud-api-adaptor repository.
required: true
type: string
arch:
description: Which arch we are building the mkosi image for
default: 'amd64'
required: false
type: string
debug:
description: Whether to build the image in debug mode
default: false
required: false
type: boolean

workflow_call:
inputs:
registry:
default: 'quay.io/confidential-containers'
required: false
type: string
image_tag:
default: ''
required: false
type: string
git_ref:
description: Git ref to checkout the cloud-api-adaptor repository.
required: true
type: string
arch:
description: Which arch we are building the mkosi image for
default: 'amd64'
required: false
type: string
debug:
description: Whether to build the image in debug mode
default: false
required: false
type: boolean
outputs:
qcow2_oras_image:
description: The location of the qcow2 oras container this workflow pushed
value: ${{ jobs.build-image.outputs.qcow2_oras_image }}
docker_oci_image:
description: The location of the docker oci container image this workflow pushed
value: ${{ jobs.build-image.outputs.docker_oci_image }}
# workflow_dispatch:
# inputs:
# registry:
# default: 'quay.io/confidential-containers'
# required: false
# type: string
# image_tag:
# default: ''
# required: false
# type: string
# git_ref:
# description: Git ref to checkout the cloud-api-adaptor repository.
# required: true
# type: string
# arch:
# description: Which arch we are building the mkosi image for
# default: 'amd64'
# required: false
# type: string
# debug:
# description: Whether to build the image in debug mode
# default: false
# required: false
# type: boolean

# workflow_call:
# inputs:
# registry:
# default: 'quay.io/confidential-containers'
# required: false
# type: string
# image_tag:
# default: ''
# required: false
# type: string
# git_ref:
# description: Git ref to checkout the cloud-api-adaptor repository.
# required: true
# type: string
# arch:
# description: Which arch we are building the mkosi image for
# default: 'amd64'
# required: false
# type: string
# debug:
# description: Whether to build the image in debug mode
# default: false
# required: false
# type: boolean
# outputs:
# qcow2_oras_image:
# description: The location of the qcow2 oras container this workflow pushed
# value: ${{ jobs.build-image.outputs.qcow2_oras_image }}
# docker_oci_image:
# description: The location of the docker oci container image this workflow pushed
# value: ${{ jobs.build-image.outputs.docker_oci_image }}
push:
branches:
- mkulke/remove-sudo-from-mkosi

defaults:
run:
Expand All @@ -77,34 +81,34 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: "${{ inputs.git_ref }}"
# with:
# fetch-depth: 0
# ref: "${{ inputs.git_ref }}"

- name: Rebase the code
if: github.event_name == 'pull_request_target'
working-directory: ./
run: |
./hack/ci-helper.sh rebase-atop-of-the-latest-target-branch
# - name: Rebase the code
# if: github.event_name == 'pull_request_target'
# working-directory: ./
# run: |
# ./hack/ci-helper.sh rebase-atop-of-the-latest-target-branch

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to quay Container Registry
if: ${{ startsWith(inputs.registry, 'quay.io') }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}

- name: Login to the ghcr Container registry
if: ${{ startsWith(inputs.registry, 'ghcr.io') }}
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# - name: Login to quay Container Registry
# if: ${{ startsWith(inputs.registry, 'quay.io') }}
# uses: docker/login-action@v3
# with:
# registry: quay.io
# username: ${{ secrets.QUAY_USERNAME }}
# password: ${{ secrets.QUAY_PASSWORD }}

# - name: Login to the ghcr Container registry
# if: ${{ startsWith(inputs.registry, 'ghcr.io') }}
# uses: docker/login-action@v3
# with:
# registry: ghcr.io
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}

- name: Install build dependencies
run: |
Expand All @@ -115,14 +119,14 @@ jobs:
- name: Read properties from versions.yaml
run: |
go_version="$(yq '.tools.golang' versions.yaml)"
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
# echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
echo "ORAS_VERSION=$(yq -e '.tools.oras' versions.yaml)" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
if: ${{ inputs.arch == 's390x' }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
# - name: Setup Golang version ${{ env.GO_VERSION }}
# if: ${{ inputs.arch == 's390x' }}
# uses: actions/setup-go@v5
# with:
# go-version: ${{ env.GO_VERSION }}

- uses: oras-project/setup-oras@v1
with:
Expand All @@ -144,83 +148,82 @@ jobs:
ARCH: ${{ inputs.arch }}

- name: Install mkosi
if: ${{ inputs.arch == 's390x' }}
if: inputs.arch == 's390x'
run: |
git clone -b v22 https://github.com/systemd/mkosi
sudo rm -f /usr/local/bin/mkosi
sudo ln -s "$PWD/mkosi/bin/mkosi" /usr/local/bin/mkosi
mkosi --version
- name: Install Nix
if: ${{ inputs.arch == 'amd64' }}
if: runner.arch == 'x64'
uses: cachix/install-nix-action@v30

- name: Build nix shell to cache dependencies
if: ${{ inputs.arch == 'amd64' }}
if: runner.arch == 'x64'
run: nix build .#devShells.x86_64-linux.podvm-mkosi

- name: Build mkosi debug image
if: ${{ inputs.debug == 'true' }}
if: inputs.debug
working-directory: src/cloud-api-adaptor/podvm-mkosi
run: make image-debug

- name: Build mkosi image
if: ${{ inputs.debug != 'true' }}
if: !inputs.debug
working-directory: src/cloud-api-adaptor/podvm-mkosi
run: make image

- name: Upload the qcow2 with oras
id: publish_oras_qcow2
working-directory: src/cloud-api-adaptor/podvm-mkosi
run: |
mkdir oras
cd oras
cp ../build/podvm-*.qcow2 .
tar cJf podvm.tar.xz podvm-*.qcow2
image=${{ inputs.registry }}/podvm-generic-fedora
if [ "${{inputs.debug}}" = "true" ]; then
image=${image}-debug
fi
image=${image}-${{ inputs.arch }}
tag=$(git rev-parse --short HEAD)
oras push "${image}:${tag}" podvm.tar.xz
# If the input has a different image-tag then also push it with that tag
if [ -n "${{ inputs.image_tag }}" ] && [ "${{ inputs.image_tag }}" != "${tag}" ];then
oras push "${image}:${{ inputs.image_tag }}" podvm.tar.xz
fi
# add image and digest to output for attestation
echo "image=${image}" >> "$GITHUB_OUTPUT"
digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
echo "digest=${digest}" >> "$GITHUB_OUTPUT"
echo "tag=${tag}" >> "$GITHUB_OUTPUT"
- uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ steps.publish_oras_qcow2.outputs.image }}
subject-digest: ${{ steps.publish_oras_qcow2.outputs.digest }}
push-to-registry: true


- name: Clean up some space for the docker provider build
working-directory: src/cloud-api-adaptor/podvm-mkosi
run: |
sudo du --max-depth=2 /home/runner || true
sudo du --max-depth=2 /var/lib || true
sudo rm -rf /nix
sudo rm -rf ./build
sudo rm -rf ./mkosi.cache
- name: Build image for docker provider
id: build_docker_oci
working-directory: src/cloud-api-adaptor/podvm-mkosi
run: |
tag=$(git rev-parse --short HEAD)
PODVM_TAG=${tag} make image-container
PODVM_TAG=${tag} make push-image-container
arch=$(uname -m)
arch=${arch/x86_64/amd64}
echo "image=ghcr.io/${{ github.repository }}/podvm-docker-image-${arch}:${tag}" >> "$GITHUB_OUTPUT"
env:
REGISTRY: ghcr.io/${{ github.repository }}
# - name: Upload the qcow2 with oras
# id: publish_oras_qcow2
# working-directory: src/cloud-api-adaptor/podvm-mkosi
# run: |
# mkdir oras
# cd oras
# cp ../build/podvm-*.qcow2 .
# tar cJf podvm.tar.xz podvm-*.qcow2
# image=${{ inputs.registry }}/podvm-generic-fedora
# if [ "${{inputs.debug}}" = "true" ]; then
# image=${image}-debug
# fi
# image=${image}-${{ inputs.arch }}
# tag=$(git rev-parse --short HEAD)
# oras push "${image}:${tag}" podvm.tar.xz

# # If the input has a different image-tag then also push it with that tag
# if [ -n "${{ inputs.image_tag }}" ] && [ "${{ inputs.image_tag }}" != "${tag}" ];then
# oras push "${image}:${{ inputs.image_tag }}" podvm.tar.xz
# fi

# # add image and digest to output for attestation
# echo "image=${image}" >> "$GITHUB_OUTPUT"
# digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
# echo "digest=${digest}" >> "$GITHUB_OUTPUT"
# echo "tag=${tag}" >> "$GITHUB_OUTPUT"

# - uses: actions/attest-build-provenance@v1
# with:
# subject-name: ${{ steps.publish_oras_qcow2.outputs.image }}
# subject-digest: ${{ steps.publish_oras_qcow2.outputs.digest }}
# push-to-registry: true

# - name: Clean up some space for the docker provider build
# working-directory: src/cloud-api-adaptor/podvm-mkosi
# run: |
# sudo du --max-depth=2 /home/runner || true
# sudo du --max-depth=2 /var/lib || true
# sudo rm -rf /nix
# sudo rm -rf ./build
# sudo rm -rf ./mkosi.cache

# - name: Build image for docker provider
# id: build_docker_oci
# working-directory: src/cloud-api-adaptor/podvm-mkosi
# run: |
# tag=$(git rev-parse --short HEAD)
# PODVM_TAG=${tag} make image-container
# PODVM_TAG=${tag} make push-image-container
# arch=$(uname -m)
# arch=${arch/x86_64/amd64}
# echo "image=ghcr.io/${{ github.repository }}/podvm-docker-image-${arch}:${tag}" >> "$GITHUB_OUTPUT"
# env:
# REGISTRY: ghcr.io/${{ github.repository }}
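Review bot: In the `@@ -144,83 +148,82 @@` hunk the new condition on the "Build mkosi image" step, `if: !inputs.debug`, begins with `!`, which YAML reads as a tag indicator rather than as part of the expression; GitHub's workflow loader requires the expression wrapper (or quoting) in that case, so the line should be `if: ${{ !inputs.debug }}`. With `workflow_dispatch` and `workflow_call` commented out and only the `push` trigger active, the `inputs` context is undefined, so `inputs.debug` is falsy and `inputs.arch == 's390x'` is false — that appears to be what this WIP run intends, but the unchanged `ARCH: ${{ inputs.arch }}` at the top of the same hunk would then, as far as I can tell, expand to an empty string. The `steps` sequence these hunks edit begins and ends outside the visible hunks.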
