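# Builds the Constellation OS image (mkosi via Bazel), uploads it to the
# supported CSPs (AWS, Azure, GCP, OpenStack/STACKIT) and, for non-release
# builds only (ref != "-"), registers the image and CLI version in versionsapi.
#
# Triggered manually (workflow_dispatch) or from another workflow
# (workflow_call). Both trigger blocks declare the same inputs; workflow_dispatch
# can restrict `stream` with `options`, workflow_call cannot, so the value is
# re-validated in the build-settings job before it is used anywhere.
name: Build and Upload OS image

on: # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        type: string
        required: false
      isRelease:
        description: 'Is this a release? (sets "ref" to special value "-")'
        type: boolean
        required: false
        default: false
      stream:
        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
        type: choice
        required: true
        options:
          - "debug"
          - "console"
          - "nightly"
          - "stable"
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
  workflow_call:
    inputs:
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        required: false
        type: string
      isRelease:
        description: 'Is this a release? (sets "ref" to special value "-")'
        type: boolean
        required: false
        default: false
      stream:
        # workflow_call inputs cannot use `type: choice`; the allowed values are
        # enforced by the "Determine and validate stream" step below.
        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
        type: string
        required: true
      ref:
        type: string
        description: "Git ref to checkout"
        required: false

jobs:
  build-settings:
    name: "Determine build settings"
    runs-on: ubuntu-24.04
    # This job only checks out the repository and computes strings; keep the
    # token read-only. (Extend if ./.github/actions/pseudo_version turns out to
    # need more — TODO confirm.)
    permissions:
      contents: read
    outputs:
      ref: ${{ steps.ref.outputs.ref }}
      stream: ${{ steps.stream.outputs.stream }}
      imageType: ${{ steps.image-type.outputs.imageType }}
      imageVersion: ${{ steps.image-version.outputs.imageVersion }}
      imageName: ${{ steps.image-version.outputs.imageName }}
      imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
      imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
      cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # NOTE(review): via workflow_call this checks out whatever ref the
          # caller passes (or the PR head). The upload job below holds CSP and
          # signing credentials, so callers must not reach this workflow from a
          # pull_request_target trigger with an untrusted head.
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Determine version
        id: version
        uses: ./.github/actions/pseudo_version

      # Releases use the special ref "-"; everything else is keyed by branch.
      - name: Determine ref
        id: ref
        shell: bash
        env:
          # Expression values are passed through env rather than interpolated
          # into the script, so they are never re-parsed as shell.
          IS_RELEASE: ${{ inputs.isRelease }}
          BRANCH_NAME: ${{ steps.version.outputs.branchName }}
        run: |
          if [[ "${IS_RELEASE}" = "true" ]]; then
            echo "ref=-" | tee -a "$GITHUB_OUTPUT"
          else
            echo "ref=${BRANCH_NAME}" | tee -a "$GITHUB_OUTPUT"
          fi

      - name: Determine and validate stream
        id: stream
        shell: bash
        env:
          IS_RELEASE: ${{ inputs.isRelease }}
          STREAM: ${{ inputs.stream }}
        run: |
          # workflow_call passes stream as a free-form string, and the value
          # ends up in a Bazel target label and in upload paths: allowlist it.
          case "${STREAM}" in
            debug|console|nightly|stable) ;;
            *)
              echo "Unknown stream '${STREAM}' (expected one of: debug, console, nightly, stable)"
              exit 1
              ;;
          esac
          if [[ "${IS_RELEASE}" = "true" ]] && [[ "${STREAM}" = "nightly" ]]; then
            echo "Nightly builds are not allowed for releases"
            exit 1
          fi
          if [[ "${IS_RELEASE}" != "true" ]] && [[ "${STREAM}" = "stable" ]]; then
            echo "Stable builds are only allowed for releases"
            exit 1
          fi
          echo "stream=${STREAM}" | tee -a "$GITHUB_OUTPUT"

      - name: Determine type of image build
        shell: bash
        id: image-type
        env:
          STREAM: ${{ steps.stream.outputs.stream }}
        run: |
          # "nightly" and "stable" both map to the default image type.
          case "${STREAM}" in
            "debug")
              echo "imageType=debug" | tee -a "$GITHUB_OUTPUT"
              ;;
            "console")
              echo "imageType=console" | tee -a "$GITHUB_OUTPUT"
              ;;
            *)
              echo "imageType=default" | tee -a "$GITHUB_OUTPUT"
              ;;
          esac

      - name: Determine image version
        id: image-version
        shell: bash
        env:
          REF: ${{ steps.ref.outputs.ref }}
          STREAM: ${{ steps.stream.outputs.stream }}
          # Falls back to the pseudo version when no explicit version was given
          # (the imageVersion input is only meant for releases).
          IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
        run: |
          {
            echo "imageVersion=${IMAGE_VERSION}"
            echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
            echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
            echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
          } | tee -a "$GITHUB_OUTPUT"

          # The short name drops the parts that are implied for releases.
          if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
            echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          elif [[ "${REF}" = "-" ]]; then
            echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          else
            echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          fi

  upload-os-image:
    name: "Build OS using mkosi and upload it to CSPs"
    needs: [build-settings]
    runs-on: ubuntu-latest-8-cores
    permissions:
      id-token: write # OIDC federation for the CSP logins below
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "false"

      - name: Login to AWS
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1

      - name: Login to Azure
        uses: ./.github/actions/login_azure
        with:
          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Login to GCP
        uses: ./.github/actions/login_gcp
        with:
          service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"

      - name: Login to OpenStack
        uses: ./.github/actions/login_openstack
        with:
          clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}

      - name: Build and upload
        id: build
        shell: bash
        working-directory: ${{ github.workspace }}/image
        env:
          TARGET: //image/system:upload_${{ needs.build-settings.outputs.stream }}
          REF: ${{ needs.build-settings.outputs.ref }}
          STREAM: ${{ needs.build-settings.outputs.stream }}
          SHORT_NAME: ${{ needs.build-settings.outputs.imageNameShort }}
          # `a && b || c` is the expression-language ternary: release builds use
          # the release keys, everything else the dev keys. An empty or unset
          # release secret silently selects the dev key; the script below only
          # catches the case where the chosen public key is empty.
          COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
        run: |
          echo "::group::Build"
          if [[ -z "${COSIGN_PUBLIC_KEY}" ]]; then
            echo "COSIGN public key is empty; refusing to build with an empty cosign.pub"
            exit 1
          fi
          echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
          COSIGN_PUBLIC_KEY_PATH="$(realpath ./cosign.pub)"
          export COSIGN_PUBLIC_KEY_PATH
          opts=(
            --ref "${REF}"
            --upload-measurements
          )
          # Debug images are not signed with the real key.
          if [[ "${STREAM}" = "debug" ]]; then
            opts+=(--fake-sign)
          fi
          bazel build //image/base:rpmdb
          bazel run "${TARGET}" -- "${opts[@]}"
          {
            echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
          } | tee -a "$GITHUB_OUTPUT"
          echo -ne "Uploaded OS image:\n\n\`\`\`\n${SHORT_NAME}\n\`\`\`" | tee -a "$GITHUB_STEP_SUMMARY"
          echo "::endgroup::"

      - name: Upload SBOM to S3
        shell: bash
        env:
          # Assumes `bazel cquery --output=files` yields a single path — TODO confirm.
          RPMDB: ${{ steps.build.outputs.rpmdb }}
          IMAGE_API_BASE_PATH: ${{ needs.build-settings.outputs.imageApiBasePath }}
        run: |
          if [[ -z "${RPMDB}" ]] || [[ ! -f "${RPMDB}" ]]; then
            echo "rpmdb output of the build step is missing or not a file: '${RPMDB}'"
            exit 1
          fi
          # Object key is <imageApiBasePath>/<basename of the rpmdb file>.
          aws s3 cp \
            "${RPMDB}" \
            "s3://cdn-constellation-backend/${IMAGE_API_BASE_PATH}/$(basename "${RPMDB}")" \
            --no-progress

      - name: Create CLI compatibility information artifact
        shell: bash
        env:
          REF: ${{ needs.build-settings.outputs.ref }}
          STREAM: ${{ needs.build-settings.outputs.stream }}
          VERSION: ${{ needs.build-settings.outputs.imageVersion }}
        run: |
          bazel run //hack/cli-k8s-compatibility -- \
            --ref="${REF}" \
            --stream="${STREAM}" \
            --version="${VERSION}"

  # versionsapi is only updated for non-release builds (ref != "-").
  add-image-version-to-versionsapi:
    needs: [upload-os-image, build-settings]
    name: "Add image version to versionsapi"
    if: needs.build-settings.outputs.ref != '-'
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      ref: ${{ needs.build-settings.outputs.ref }}
      stream: ${{ needs.build-settings.outputs.stream }}
      version: ${{ needs.build-settings.outputs.imageVersion }}
      kind: "image"
      add_latest: true

  add-cli-version-to-versionsapi:
    needs: [upload-os-image, build-settings, add-image-version-to-versionsapi]
    name: "Add CLI version to versionsapi"
    if: needs.build-settings.outputs.ref != '-'
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      ref: ${{ needs.build-settings.outputs.ref }}
      stream: ${{ needs.build-settings.outputs.stream }}
      version: ${{ needs.build-settings.outputs.imageVersion }}
      kind: "cli"
      add_latest: true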