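name: Build and Upload OS image

on:
  # Manual trigger. `stream` is a fixed choice here, so only the values
  # below can reach the jobs via this entry point.
  workflow_dispatch:
    inputs:
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        type: string
        required: false
      isRelease:
        description: 'Is this a release? (sets "ref" to special value "-")'
        type: boolean
        required: false
        default: false
      stream:
        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
        type: choice
        required: true
        options:
          - "debug"
          - "console"
          - "nightly"
          - "stable"
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
  # Same inputs when called from another workflow. `workflow_call` does
  # not support `choice`, so `stream` is a free-form string here and
  # callers must pass one of the four values listed above; the
  # build-settings job's "Determine and validate stream" step checks
  # the release/stream combination.
  workflow_call:
    inputs:
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        required: false
        type: string
      isRelease:
        description: 'Is this a release? (sets "ref" to special value "-")'
        type: boolean
        required: false
        default: false
      stream:
        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
        type: string
        required: true
      ref:
        type: string
        description: "Git ref to checkout"
        required: false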
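jobs:
  # Derives every name/path used by the later jobs from the inputs.
  # All input-derived values are handed to shell steps through `env`
  # instead of being interpolated with ${{ }} into the script text, so
  # their content cannot alter the commands that run (script injection).
  build-settings:
    name: "Determine build settings"
    runs-on: ubuntu-22.04
    # This job only checks out and reads the repository.
    # NOTE(review): assumes ./.github/actions/pseudo_version needs no
    # more than contents:read — confirm.
    permissions:
      contents: read
    outputs:
      ref: ${{ steps.ref.outputs.ref }}
      stream: ${{ steps.stream.outputs.stream }}
      imageType: ${{ steps.image-type.outputs.imageType }}
      imageVersion: ${{ steps.image-version.outputs.imageVersion }}
      imageName: ${{ steps.image-version.outputs.imageName }}
      imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
      imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
      cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          # github.head_ref is only set for pull_request events; for
          # dispatch/call without an explicit ref the action falls back
          # to its default (the triggering commit).
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Determine version
        id: version
        uses: ./.github/actions/pseudo_version

      - name: Determine ref
        id: ref
        shell: bash
        env:
          IS_RELEASE: ${{ inputs.isRelease }}
          BRANCH_NAME: ${{ steps.version.outputs.branchName }}
        run: |
          if [[ "${IS_RELEASE}" == "true" ]]; then
            # Releases are published under the special ref "-".
            echo "ref=-" | tee -a "$GITHUB_OUTPUT"
          else
            # The ref becomes a path segment of the upload key; an empty
            # value would produce "ref//stream/...".
            # NOTE(review): assumes pseudo_version already sanitises the
            # branch name into a single path segment — confirm.
            if [[ -z "${BRANCH_NAME}" ]]; then
              echo "pseudo_version did not provide a branch name"
              exit 1
            fi
            echo "ref=${BRANCH_NAME}" | tee -a "$GITHUB_OUTPUT"
          fi

      - name: Determine and validate stream
        id: stream
        shell: bash
        env:
          IS_RELEASE: ${{ inputs.isRelease }}
          STREAM: ${{ inputs.stream }}
        run: |
          # workflow_dispatch restricts `stream` to a choice list, but
          # workflow_call accepts any string. Enforce the allow-list here
          # for both entry points; the value selects the bazel upload
          # target and becomes part of the upload path.
          case "${STREAM}" in
            debug|console|nightly|stable) ;;
            *)
              echo "Unknown stream '${STREAM}' (expected debug, console, nightly or stable)"
              exit 1
              ;;
          esac
          if [[ "${IS_RELEASE}" == "true" ]] && [[ "${STREAM}" == "nightly" ]]; then
            echo "Nightly builds are not allowed for releases"
            exit 1
          fi
          if [[ "${IS_RELEASE}" != "true" ]] && [[ "${STREAM}" == "stable" ]]; then
            echo "Stable builds are only allowed for releases"
            exit 1
          fi
          echo "stream=${STREAM}" | tee -a "$GITHUB_OUTPUT"

      - name: Determine type of image build
        id: image-type
        shell: bash
        env:
          STREAM: ${{ steps.stream.outputs.stream }}
        run: |
          # "debug" and "console" get their own image type; every other
          # stream (nightly, stable) builds the default image.
          case "${STREAM}" in
            debug)
              echo "imageType=debug" | tee -a "$GITHUB_OUTPUT"
              ;;
            console)
              echo "imageType=console" | tee -a "$GITHUB_OUTPUT"
              ;;
            *)
              echo "imageType=default" | tee -a "$GITHUB_OUTPUT"
              ;;
          esac

      - name: Determine image version
        id: image-version
        shell: bash
        env:
          IS_RELEASE: ${{ inputs.isRelease }}
          REF: ${{ steps.ref.outputs.ref }}
          STREAM: ${{ steps.stream.outputs.stream }}
          # Explicit input wins; otherwise the pseudo version is used.
          INPUT_IMAGE_VERSION: ${{ inputs.imageVersion }}
          IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
        run: |
          # The version is used as a path segment of the S3 key and the
          # versions API path, so it must be a single, non-empty segment.
          if [[ -z "${IMAGE_VERSION}" ]] || [[ "${IMAGE_VERSION}" == */* ]] || [[ "${IMAGE_VERSION}" =~ [[:space:]] ]]; then
            echo "Invalid image version '${IMAGE_VERSION}'"
            exit 1
          fi
          # Releases are published under ref "-"/stream "stable" and are
          # addressed by version alone, so a release must carry an
          # explicit semantic version rather than the pseudo version.
          if [[ "${IS_RELEASE}" == "true" ]]; then
            if [[ -z "${INPUT_IMAGE_VERSION}" ]]; then
              echo "Releases require an explicit imageVersion input"
              exit 1
            fi
            if ! [[ "${IMAGE_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
              echo "imageVersion must be a semantic version of the form v<major>.<minor>.<patch>"
              exit 1
            fi
          fi
          {
            echo "imageVersion=${IMAGE_VERSION}"
            echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
            echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
            echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
          } | tee -a "$GITHUB_OUTPUT"

          # Short name: releases on the stable stream are referred to by
          # version only, other release streams by stream/version, and
          # everything else by the full ref/stream/version path.
          if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
            echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          elif [[ "${REF}" = "-" ]]; then
            echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          else
            echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          fi

  upload-os-image:
    name: "Build OS using mkosi and upload it to CSPs"
    needs: [build-settings]
    runs-on: ubuntu-latest-8-cores
    permissions:
      # OIDC token for the federated AWS/GCP logins below.
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "false"

      - name: Login to AWS
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1

      - name: Login to Azure
        uses: ./.github/actions/login_azure
        with:
          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Login to GCP
        uses: ./.github/actions/login_gcp
        with:
          service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"

      - name: Build and upload
        id: build
        shell: bash
        working-directory: ${{ github.workspace }}/image
        env:
          # The stream has been allow-listed by build-settings, so this
          # resolves to one of the upload_{debug,console,nightly,stable}
          # targets.
          TARGET: //image/system:upload_${{ needs.build-settings.outputs.stream }}
          REF: ${{ needs.build-settings.outputs.ref }}
          STREAM: ${{ needs.build-settings.outputs.stream }}
          SHORT_NAME: ${{ needs.build-settings.outputs.imageNameShort }}
          # Release images are signed with the production cosign key,
          # every other build with the dev key.
          COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
        run: |
          echo "::group::Build"
          # The upload tooling reads the public key from a file path.
          echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
          COSIGN_PUBLIC_KEY_PATH="$(realpath ./cosign.pub)"
          export COSIGN_PUBLIC_KEY_PATH
          opts=(
            --ref "${REF}"
            --upload-measurements
          )
          if [[ "${STREAM}" = "debug" ]]; then
            # Debug images are not signed with the real key.
            opts+=(--fake-sign)
          fi
          bazel build //image/base:rpmdb
          bazel run "${TARGET}" -- "${opts[@]}"
          # Hand the built rpmdb path to the SBOM upload step.
          {
            echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
          } | tee -a "$GITHUB_OUTPUT"
          echo -ne "Uploaded OS image:\n\n\`\`\`\n${SHORT_NAME}\n\`\`\`" | tee -a "$GITHUB_STEP_SUMMARY"
          echo "::endgroup::"

      - name: Upload SBOM to S3
        shell: bash
        env:
          RPMDB: ${{ steps.build.outputs.rpmdb }}
          IMAGE_API_BASE_PATH: ${{ needs.build-settings.outputs.imageApiBasePath }}
        run: |
          if [[ -z "${RPMDB}" ]] || [[ ! -f "${RPMDB}" ]]; then
            echo "rpmdb output from the build step is missing: '${RPMDB}'"
            exit 1
          fi
          # Name the object explicitly (same key the trailing-slash form
          # of `aws s3 cp` produced) instead of relying on an unset
          # shell variable to terminate the prefix.
          aws s3 cp \
            "${RPMDB}" \
            "s3://cdn-constellation-backend/${IMAGE_API_BASE_PATH}/$(basename "${RPMDB}")" \
            --no-progress

      - name: Create CLI compatibility information artifact
        shell: bash
        env:
          REF: ${{ needs.build-settings.outputs.ref }}
          STREAM: ${{ needs.build-settings.outputs.stream }}
          IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
        run: |
          bazel run //hack/cli-k8s-compatibility -- \
            --ref="${REF}" \
            --stream="${STREAM}" \
            --version="${IMAGE_VERSION}"

  # Registers the image in the versions API. Release builds (ref "-")
  # are skipped here.
  add-image-version-to-versionsapi:
    needs: [upload-os-image, build-settings]
    name: "Add image version to versionsapi"
    if: needs.build-settings.outputs.ref != '-'
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      ref: ${{ needs.build-settings.outputs.ref }}
      stream: ${{ needs.build-settings.outputs.stream }}
      version: ${{ needs.build-settings.outputs.imageVersion }}
      kind: "image"
      add_latest: true

  # Registers the matching CLI version after the image entry exists.
  add-cli-version-to-versionsapi:
    needs: [upload-os-image, build-settings, add-image-version-to-versionsapi]
    name: "Add CLI version to versionsapi"
    if: needs.build-settings.outputs.ref != '-'
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      ref: ${{ needs.build-settings.outputs.ref }}
      stream: ${{ needs.build-settings.outputs.stream }}
      version: ${{ needs.build-settings.outputs.imageVersion }}
      kind: "cli"
      add_latest: true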