Build and Upload OS image #953
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Upload OS image | |
on: | |
workflow_dispatch: | |
inputs: | |
imageVersion: | |
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)" | |
required: false | |
isRelease: | |
description: 'Is this a release? (sets "ref" to special value "-")' | |
type: boolean | |
required: false | |
default: false | |
stream: | |
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)" | |
type: choice | |
required: true | |
options: | |
- "debug" | |
- "console" | |
- "nightly" | |
- "stable" | |
ref: | |
type: string | |
description: "Git ref to checkout" | |
required: false | |
workflow_call: | |
inputs: | |
imageVersion: | |
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)" | |
required: false | |
type: string | |
isRelease: | |
description: 'Is this a release? (sets "ref" to special value "-")' | |
type: boolean | |
required: false | |
default: false | |
stream: | |
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)" | |
type: string | |
required: true | |
ref: | |
type: string | |
description: "Git ref to checkout" | |
required: false | |
jobs: | |
build-settings: | |
name: "Determine build settings" | |
runs-on: ubuntu-24.04 | |
outputs: | |
ref: ${{ steps.ref.outputs.ref }} | |
stream: ${{ steps.stream.outputs.stream }} | |
imageType: ${{ steps.image-type.outputs.imageType }} | |
imageVersion: ${{ steps.image-version.outputs.imageVersion }} | |
imageName: ${{ steps.image-version.outputs.imageName }} | |
imageNameShort: ${{ steps.image-version.outputs.imageNameShort }} | |
imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }} | |
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ inputs.ref || github.head_ref }} | |
- name: Determine version | |
id: version | |
uses: ./.github/actions/pseudo_version | |
- name: Determine ref | |
id: ref | |
run: | | |
if [[ "${{ inputs.isRelease }}" = "true" ]]; then | |
echo "ref=-" | tee -a "$GITHUB_OUTPUT" | |
else | |
echo "ref=${{ steps.version.outputs.branchName }}" | tee -a "$GITHUB_OUTPUT" | |
fi | |
- name: Determine and validate stream | |
id: stream | |
run: | | |
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then | |
echo "Nightly builds are not allowed for releases" | |
exit 1 | |
fi | |
if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then | |
echo "Stable builds are only allowed for releases" | |
exit 1 | |
fi | |
echo "stream=${{ inputs.stream }}" | tee -a "$GITHUB_OUTPUT" | |
- name: Determine type of image build | |
shell: bash | |
id: image-type | |
run: | | |
case "${{ steps.stream.outputs.stream }}" in | |
"debug") | |
echo "imageType=debug" | tee -a "$GITHUB_OUTPUT" | |
;; | |
"console") | |
echo "imageType=console" | tee -a "$GITHUB_OUTPUT" | |
;; | |
*) | |
echo "imageType=default" | tee -a "$GITHUB_OUTPUT" | |
;; | |
esac | |
- name: Determine image version | |
id: image-version | |
shell: bash | |
env: | |
REF: ${{ steps.ref.outputs.ref }} | |
STREAM: ${{ steps.stream.outputs.stream }} | |
IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }} | |
run: | | |
{ | |
echo "imageVersion=${IMAGE_VERSION}" | |
echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | |
echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image" | |
echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli" | |
} | tee -a "$GITHUB_OUTPUT" | |
if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then | |
echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" | |
elif [[ "${REF}" = "-" ]]; then | |
echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" | |
else | |
echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" | |
fi | |
upload-os-image: | |
name: "Build OS using mkosi and upload it to CSPs" | |
needs: [build-settings] | |
runs-on: ubuntu-latest-8-cores | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ inputs.ref || github.head_ref }} | |
- uses: ./.github/actions/setup_bazel_nix | |
with: | |
useCache: "false" | |
- name: Login to AWS | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline | |
aws-region: eu-central-1 | |
- name: Login to Azure | |
uses: ./.github/actions/login_azure | |
with: | |
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
- name: Login to GCP | |
uses: ./.github/actions/login_gcp | |
with: | |
service_account: "[email protected]" | |
- name: Login to OpenStack | |
uses: ./.github/actions/login_openstack | |
with: | |
clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }} | |
- name: Build and upload | |
id: build | |
shell: bash | |
working-directory: ${{ github.workspace }}/image | |
env: | |
TARGET: //image/system:upload_${{ needs.build-settings.outputs.stream }} | |
REF: ${{ needs.build-settings.outputs.ref }} | |
STREAM: ${{ needs.build-settings.outputs.stream }} | |
SHORT_NAME: ${{ needs.build-settings.outputs.imageNameShort }} | |
COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} | |
COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} | |
COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} | |
run: | | |
echo "::group::Build" | |
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub | |
COSIGN_PUBLIC_KEY_PATH="$(realpath ./cosign.pub)" | |
export COSIGN_PUBLIC_KEY_PATH | |
opts=( | |
--ref "${REF}" | |
--upload-measurements | |
) | |
if [[ "${STREAM}" = "debug" ]]; then | |
opts+=(--fake-sign) | |
fi | |
bazel build //image/base:rpmdb | |
bazel run "${TARGET}" -- "${opts[@]}" | |
{ | |
echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)" | |
} | tee -a "$GITHUB_OUTPUT" | |
echo -ne "Uploaded OS image:\n\n\`\`\`\n${SHORT_NAME}\n\`\`\`" | tee -a "$GITHUB_STEP_SUMMARY" | |
echo "::endgroup::" | |
- name: Upload SBOM to S3 | |
shell: bash | |
env: | |
RPMDB: ${{ steps.build.outputs.rpmdb }} | |
run: | | |
aws s3 cp \ | |
"${RPMDB}" \ | |
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \ | |
--no-progress | |
- name: Create CLI compatibility information artifact | |
shell: bash | |
run: | | |
bazel run //hack/cli-k8s-compatibility -- \ | |
--ref=${{ needs.build-settings.outputs.ref }} \ | |
--stream=${{ needs.build-settings.outputs.stream }} \ | |
--version=${{ needs.build-settings.outputs.imageVersion }} | |
add-image-version-to-versionsapi: | |
needs: [upload-os-image, build-settings] | |
name: "Add image version to versionsapi" | |
if: needs.build-settings.outputs.ref != '-' | |
permissions: | |
contents: read | |
id-token: write | |
uses: ./.github/workflows/versionsapi.yml | |
with: | |
command: add | |
ref: ${{ needs.build-settings.outputs.ref }} | |
stream: ${{ needs.build-settings.outputs.stream }} | |
version: ${{ needs.build-settings.outputs.imageVersion }} | |
kind: "image" | |
add_latest: true | |
add-cli-version-to-versionsapi: | |
needs: [upload-os-image, build-settings, add-image-version-to-versionsapi] | |
name: "Add CLI version to versionsapi" | |
if: needs.build-settings.outputs.ref != '-' | |
permissions: | |
contents: read | |
id-token: write | |
uses: ./.github/workflows/versionsapi.yml | |
with: | |
command: add | |
ref: ${{ needs.build-settings.outputs.ref }} | |
stream: ${{ needs.build-settings.outputs.stream }} | |
version: ${{ needs.build-settings.outputs.imageVersion }} | |
kind: "cli" | |
add_latest: true |