name: Build and Upload OS image on: workflow_dispatch: inputs: imageVersion: description: "Semantic version including patch e.g. v.. (only used for releases)" required: false isRelease: description: 'Is this a release? (sets "ref" to special value "-")' type: boolean required: false default: false stream: description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)" type: choice required: true options: - "debug" - "console" - "nightly" - "stable" ref: type: string description: "Git ref to checkout" required: false workflow_call: inputs: imageVersion: description: "Semantic version including patch e.g. v.. (only used for releases)" required: false type: string isRelease: description: 'Is this a release? (sets "ref" to special value "-")' type: boolean required: false default: false stream: description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)" type: string required: true ref: type: string description: "Git ref to checkout" required: false jobs: build-settings: name: "Determine build settings" runs-on: ubuntu-22.04 outputs: ref: ${{ steps.ref.outputs.ref }} stream: ${{ steps.stream.outputs.stream }} imageType: ${{ steps.image-type.outputs.imageType }} imageVersion: ${{ steps.image-version.outputs.imageVersion }} imageName: ${{ steps.image-version.outputs.imageName }} imageNameShort: ${{ steps.image-version.outputs.imageNameShort }} imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }} cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }} steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.ref || github.head_ref }} - name: Determine version id: version uses: ./.github/actions/pseudo_version - name: Determine ref id: ref run: | if [[ "${{ inputs.isRelease }}" = "true" ]]; then echo "ref=-" | tee -a "$GITHUB_OUTPUT" else echo "ref=${{ steps.version.outputs.branchName }}" | tee -a "$GITHUB_OUTPUT" fi - name: Determine and validate stream id: stream run: | if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then echo "Nightly builds are not allowed for releases" exit 1 fi if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then echo "Stable builds are only allowed for releases" exit 1 fi echo "stream=${{ inputs.stream }}" | tee -a "$GITHUB_OUTPUT" - name: Determine type of image build shell: bash id: image-type run: | case "${{ steps.stream.outputs.stream }}" in "debug") echo "imageType=debug" | tee -a "$GITHUB_OUTPUT" ;; "console") echo "imageType=console" | tee -a "$GITHUB_OUTPUT" ;; *) echo "imageType=default" | tee -a "$GITHUB_OUTPUT" ;; esac - name: Determine image version id: image-version shell: bash env: REF: ${{ steps.ref.outputs.ref }} STREAM: ${{ steps.stream.outputs.stream }} IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }} run: | { echo "imageVersion=${IMAGE_VERSION}" echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image" echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli" } | tee -a "$GITHUB_OUTPUT" if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" elif [[ "${REF}" = "-" ]]; then echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" else echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" fi upload-os-image: name: "Build OS using mkosi and upload it to CSPs" needs: [build-settings] runs-on: ubuntu-latest-8-cores permissions: id-token: write contents: read steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.ref || github.head_ref }} - uses: ./.github/actions/setup_bazel_nix with: useCache: "false" - name: Login to AWS uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Login to Azure uses: ./.github/actions/login_azure with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} - name: Login to GCP uses: ./.github/actions/login_gcp with: service_account: "image-uploader@constellation-images.iam.gserviceaccount.com" - name: Login to OpenStack uses: ./.github/actions/login_openstack with: clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }} - name: Build and upload id: build shell: bash working-directory: ${{ github.workspace }}/image env: TARGET: //image/system:upload_${{ needs.build-settings.outputs.stream }} REF: ${{ needs.build-settings.outputs.ref }} STREAM: ${{ needs.build-settings.outputs.stream }} SHORT_NAME: ${{ needs.build-settings.outputs.imageNameShort }} COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} run: | echo "::group::Build" echo "${COSIGN_PUBLIC_KEY}" > cosign.pub COSIGN_PUBLIC_KEY_PATH="$(realpath ./cosign.pub)" export COSIGN_PUBLIC_KEY_PATH opts=( --ref "${REF}" --upload-measurements ) if [[ "${STREAM}" = "debug" ]]; then opts+=(--fake-sign) fi bazel build //image/base:rpmdb bazel run "${TARGET}" -- "${opts[@]}" { echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)" } | tee -a "$GITHUB_OUTPUT" echo -ne "Uploaded OS image:\n\n\`\`\`\n${SHORT_NAME}\n\`\`\`" | tee -a "$GITHUB_STEP_SUMMARY" echo "::endgroup::" - name: Upload SBOM to S3 shell: bash env: RPMDB: ${{ steps.build.outputs.rpmdb }} run: | aws s3 cp \ "${RPMDB}" \ "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \ --no-progress - name: Create CLI compatibility information artifact shell: bash run: | bazel run //hack/cli-k8s-compatibility -- \ --ref=${{ needs.build-settings.outputs.ref }} \ --stream=${{ needs.build-settings.outputs.stream }} \ --version=${{ needs.build-settings.outputs.imageVersion }} add-image-version-to-versionsapi: needs: [upload-os-image, build-settings] name: "Add image version to versionsapi" if: needs.build-settings.outputs.ref != '-' permissions: contents: read id-token: write uses: ./.github/workflows/versionsapi.yml with: command: add ref: ${{ needs.build-settings.outputs.ref }} stream: ${{ needs.build-settings.outputs.stream }} version: ${{ needs.build-settings.outputs.imageVersion }} kind: "image" add_latest: true add-cli-version-to-versionsapi: needs: [upload-os-image, build-settings, add-image-version-to-versionsapi] name: "Add CLI version to versionsapi" if: needs.build-settings.outputs.ref != '-' permissions: contents: read id-token: write uses: ./.github/workflows/versionsapi.yml with: command: add ref: ${{ needs.build-settings.outputs.ref }} stream: ${{ needs.build-settings.outputs.stream }} version: ${{ needs.build-settings.outputs.imageVersion }} kind: "cli" add_latest: true