feat: kernel signing cache kernels #53
name: Cache Fsync | |
on: | |
merge_group: | |
schedule: | |
- cron: "5 0 * * *" # 0005 UTC everyday | |
workflow_dispatch: | |
pull_request: | |
branches: | |
- main | |
env: | |
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.fedora_version }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
name: kernel-cache | |
runs-on: ubuntu-24.04 | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
strategy: | |
fail-fast: false | |
matrix: | |
kernel_flavor: | |
- asus | |
- fsync | |
- surface | |
- main | |
- coreos-stable | |
- coreos-testing | |
fedora_version: | |
- 39 | |
- 40 | |
exclude: | |
- fedora_version: 39 | |
kernel_flavor: asus | |
- fedora_version: 39 | |
kernel_flavor: coreos-testing | |
- fedora_version: 39 | |
kernel_flavor: fsync | |
steps: | |
- name: Checkout Push to Registry action | |
uses: actions/checkout@v4 | |
- name: Pull Image | |
uses: Wandalen/[email protected] | |
with: | |
attempt_limit: 3 | |
attempt_delay: 15000 | |
command: | | |
build_image="quay.io/fedora/fedora:${{ matrix.fedora_version }}" | |
echo "build_image=$build_image" >> "$GITHUB_ENV" | |
podman pull "$build_image" | |
- name: Get Kernel Version | |
id: Version | |
uses: Wandalen/[email protected] | |
with: | |
attempt_limit: 3 | |
attempt_delay: 15000 | |
command: | | |
if [[ ${{ matrix.kernel_flavor }} =~ asus|fsync|surface ]]; then | |
container_name="fq-$(uuidgen)" | |
dnf="podman exec $container_name dnf" | |
podman run --entrypoint /bin/bash --name "$container_name" -dt "${{ env.build_image }}" | |
$dnf install -y dnf-plugins-core | |
fi | |
case ${{ matrix.kernel_flavor }} in | |
"asus") | |
$dnf copr enable -y lukenukem/asus-kernel | |
linux=$($dnf repoquery --repoid copr:copr.fedorainfracloud.org:lukenukem:asus-kernel --whatprovides kernel | tail -n1 | sed 's/.*://') | |
;; | |
"fsync") | |
$dnf copr enable -y sentry/kernel-fsync | |
linux=$($dnf repoquery --repoid copr:copr.fedorainfracloud.org:sentry:kernel-fsync --whatprovides kernel | tail -n1 | sed 's/.*://') | |
;; | |
"surface") | |
$dnf config-manager --add-repo=https://pkg.surfacelinux.com/fedora/linux-surface.repo | |
linux=$($dnf repoquery --repoid linux-surface --whatprovides kernel-surface | tail -n1 | sed 's/.*://') | |
;; | |
"main") | |
linux=$(skopeo inspect docker://quay.io/fedora-ostree-desktops/base:${{ matrix.fedora_version }} | jq -r '.Labels["ostree.linux"]' ) | |
;; | |
"coreos-stable") | |
linux=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:stable | jq -r '.Labels["ostree.linux"]' ) | |
coreos_fedora_version=$(echo $linux | grep -oP 'fc\K[0-9]+') | |
if [[ "${{ matrix.fedora_version }}" != "$coreos_fedora_version" ]]; then | |
major_minor_patch=$(echo $linux | cut -d - -f 1) | |
linux="${major_minor_patch}-200.fc${{ matrix.fedora_version }}.$(uname -m)" | |
fi | |
;; | |
"coreos-testing") | |
linux=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:testing | jq -r '.Labels["ostree.linux"]' ) | |
;; | |
*) | |
echo "unexpected kernel_flavor '${{ matrix.kernel_flavor }}' for query" | |
;; | |
esac | |
if [ -z "$linux" ] || [ "null" = "$linux" ]; then | |
echo "inspected image linux version must not be empty or null" | |
exit 1 | |
fi | |
major=$(echo "$linux" | cut -d '.' -f 1) | |
minor=$(echo "$linux" | cut -d '.' -f 2) | |
patch=$(echo "$linux" | cut -d '.' -f 3) | |
kernel_major_minor_patch="${major}.${minor}.${patch}" | |
echo "Kernel Version is ${linux}" | |
echo "kernel_release=${linux}" >> $GITHUB_ENV | |
echo "kernel_major_minor_patch=${kernel_major_minor_patch}" >> $GITHUB_ENV | |
- name: Generate Tags | |
id: generate_tags | |
shell: bash | |
run: | | |
tag="${{ env.kernel_release }}" | |
short_tag=$(echo ${{ env.kernel_major_minor_patch }} | cut -d "-" -f 1) | |
COMMIT_TAGS=() | |
COMMIT_TAGS+=("pr-${{ github.event.number }}-${{ matrix.fedora_version }}") | |
COMMIT_TAGS+=("pr-${{ github.event.number }}-${{ matrix.fedora_version }}-${short_tag}") | |
COMMIT_TAGS+=("pr-${{ github.event.number }}-${tag}") | |
COMMIT_TAGS+=("${GITHUB_SHA::7}-${{ matrix.fedora_version }}") | |
COMMIT_TAGS+=("${GITHUB_SHA::7}-${{ matrix.fedora_version }}-${short_tag}") | |
COMMIT_TAGS+=("${GITHUB_SHA::7}-${tag}") | |
BUILD_TAGS=() | |
BUILD_TAGS+=("${{ matrix.fedora_version }}") | |
BUILD_TAGS+=(${{ matrix.fedora_version }}-${short_tag}) | |
BUILD_TAGS+=(${tag}) | |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
# echo "Generated the following commit tags: " | |
# for TAG in "${COMMIT_TAGS[@]}"; do | |
# echo "${TAG}" | |
# done | |
alias_tags=("${COMMIT_TAGS[@]}") | |
else | |
alias_tags=("${BUILD_TAGS[@]}") | |
fi | |
echo "Generated the following tags: " | |
for TAG in "${alias_tags[@]}"; do | |
echo "${TAG}" | |
done | |
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT | |
echo "date=$(date '+%Y%m%d.0')" >> $GITHUB_ENV | |
- name: Build Metadata | |
uses: docker/metadata-action@v5 | |
id: meta | |
with: | |
images: | | |
${{ matrix.kernel_flavor }}-kernel | |
labels: | | |
org.opencontainers.image.title=${{ matrix.kernel_flavor }} cached kernel | |
org.opencontainers.image.description=A caching layer for kernels. Contains ${{ matrix.kernel_flavor }} kernel. | |
org.opencontainers.image.version=${{ env.linux }}.${{ env.date }} | |
ostree.linux="${{ env.kernel_release }}" | |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md | |
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4 | |
- name: Retrieve Signing Key | |
if: (github.event_name == 'scheduled' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group') && github.event_name != 'pull_request' | |
run: | | |
mkdir -p certs | |
if [[ ${{ env.alias_tags }} =~ pr ]]; then | |
echo "This should not have run... exiting..." | |
exit 1 | |
else | |
echo "${{ secrets.KERNEL_PRIVKEY }}" > certs/private_key.priv | |
echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key_2.priv | |
# DEBUG: get character count of key | |
wc -c certs/private_key.priv | |
wc -c certs/private_key_2.priv | |
fi | |
- name: Build Image | |
id: build_image | |
uses: redhat-actions/buildah-build@v2 | |
with: | |
containerfiles: | | |
./Containerfile | |
image: ${{ matrix.kernel_flavor }}-kernel | |
tags: ${{ steps.generate_tags.outputs.alias_tags }} | |
build-args: | | |
FEDORA_VERSION=${{ matrix.fedora_version }} | |
KERNEL_VERSION=${{ env.kernel_release }} | |
KERNEL_FLAVOR=${{ matrix.kernel_flavor }} | |
DUAL_SIGN=true | |
labels: ${{ steps.meta.outputs.labels }} | |
oci: false | |
- name: Lowercase Registry | |
id: registry_case | |
uses: ASzc/change-string-case-action@v6 | |
with: | |
string: ${{ env.IMAGE_REGISTRY }} | |
- name: Push to GHCR | |
uses: Wandalen/[email protected] | |
id: push | |
if: github.event_name != 'pull_request' | |
env: | |
REGISTRY_USER: ${{ github.actor }} | |
REGISTRY_PASSWORD: ${{ github.token }} | |
with: | |
action: redhat-actions/push-to-registry@v2 | |
attempt_limit: 3 | |
attempt_delay: 15000 | |
with: | | |
image: ${{ steps.build_image.outputs.image }} | |
tags: ${{ steps.build_image.outputs.tags }} | |
registry: ${{ steps.registry_case.outputs.lowercase }} | |
username: ${{ env.REGISTRY_USER }} | |
password: ${{ env.REGISTRY_PASSWORD }} | |
extra-args: | | |
--disable-content-trust | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
if: github.event_name != 'pull_request' | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Sign container | |
- uses: sigstore/[email protected] | |
if: github.event_name != 'pull_request' | |
- name: Sign container image | |
if: github.event_name != 'pull_request' | |
run: | | |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} | |
env: | |
TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} | |
COSIGN_EXPERIMENTAL: false | |
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | |
- name: Echo outputs | |
if: github.event_name != 'pull_request' | |
run: | | |
echo "${{ toJSON(steps.push.outputs) }}" | |
check: | |
name: Check all builds successful | |
runs-on: ubuntu-latest | |
needs: [build] | |
steps: | |
- name: Exit on failure | |
if: ${{ needs.build.result == 'failure' }} | |
shell: bash | |
run: exit 1 | |
- name: Exit | |
shell: bash | |
run: exit 0 |
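Review bot: The `if:` on the Retrieve Signing Key step tests for `'scheduled'`, but the event produced by the `schedule:` trigger declared at the top of the file is named `schedule`, so cron runs never write the key files even though Build Image passes `DUAL_SIGN=true`; change it to `if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group'` (the trailing `!= 'pull_request'` clause is already implied by that list). The pr-tag guard inside the same step reads `${{ env.alias_tags }}`, but Generate Tags writes `alias_tags` to `$GITHUB_OUTPUT`, not `$GITHUB_ENV`, so the value is always empty and the check can never fire; use `if [[ "${{ steps.generate_tags.outputs.alias_tags }}" =~ pr ]]; then` so the guard actually protects the key-writing branch. That step also expands `${{ secrets.KERNEL_PRIVKEY }}` and `${{ secrets.AKMOD_PRIVKEY_20230518 }}` directly into the script body; passing them through the step's `env:` block and writing `"$KERNEL_PRIVKEY"` keeps the key material out of the generated script text and matches how `COSIGN_PRIVATE_KEY` is already supplied to the cosign step. Separately, the metadata label `org.opencontainers.image.version=${{ env.linux }}.${{ env.date }}` references `env.linux`, which no step exports (Get Kernel Version exports `kernel_release` and `kernel_major_minor_patch`), so the label likely renders as `.<date>`; `${{ env.kernel_release }}` appears to be what was intended.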