Remove uneedeed stuff

.github/workflows/image.yml

@@ -1,69 +1,83 @@
 ---
-name: 'build container images'
+name: 'Release images'
 
 on:
   push:
-    branches:
-      - main
     tags:
       - '*'
+
 concurrency:
   group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
-  cancel-in-progress: true
+  cancel-in-progress: false # we never want to cancel a running job on release
 jobs:
-  docker:
-    runs-on: ubuntu-latest
+  build-linux-amd64:
+    runs-on: 'ubuntu-24.04'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
-      - name: Prepare
-        id: prep
-        run: |
-          DOCKER_IMAGE=quay.io/kairos/auroraboot
-          VERSION=latest
-          BINARY_VERSION=$(git describe --always --tags --dirty)
-          SHORTREF=${GITHUB_SHA::8}
-          # If this is git tag, use the tag name as a docker tag
-          if [[ $GITHUB_REF == refs/tags/* ]]; then
-            VERSION=${GITHUB_REF#refs/tags/}
-          fi
-          TAGS="${DOCKER_IMAGE}:${VERSION},${DOCKER_IMAGE}:${SHORTREF}"
-          # If the VERSION looks like a version number, assume that
-          # this is the most recent version of the image and also
-          # tag it 'latest'.
-          if [[ $VERSION =~ ^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
-            TAGS="$TAGS,${DOCKER_IMAGE}:latest"
-          fi
-          # Set output parameters.
-          echo ::set-output name=binary_version::${BINARY_VERSION}
-          echo ::set-output name=tags::${TAGS}
-          echo ::set-output name=docker_image::${DOCKER_IMAGE}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@master
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@master
+      - uses: docker/login-action@v3
         with:
-          platforms: all
-
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+      - name: Build
+        uses: docker/build-push-action@v6
+        with:
+          # https://docs.redhat.com/en/documentation/red_hat_quay/3.4/html/use_red_hat_quay/working_with_tags#tag-expiration
+          labels: |
+            quay.expires-after=6h
+          build-args: |
+            VERSION=${{ github.ref_name }}
+          provenance: false
+          platforms: linux/amd64
+          push: true
+          tags: quay.io/kairos/ci-temp-images:auroraboot-${{ github.sha }}-amd64
+  build-linux-arm64:
+    runs-on: 'ubuntu-24.04-arm'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
       - name: Set up Docker Buildx
-        id: buildx
         uses: docker/setup-buildx-action@master
-
-      - name: Login to DockerHub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+      - uses: docker/login-action@v3
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
-
       - name: Build
         uses: docker/build-push-action@v6
         with:
-          builder: ${{ steps.buildx.outputs.name }}
+          # https://docs.redhat.com/en/documentation/red_hat_quay/3.4/html/use_red_hat_quay/working_with_tags#tag-expiration
+          labels: |
+            quay.expires-after=6h
           build-args: |
-            VERSION=${{ steps.prep.outputs.binary_version }}
-          context: ./
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
+            VERSION=${{ github.ref_name }}
+          provenance: false
+          platforms: linux/arm64
           push: true
-          tags: ${{ steps.prep.outputs.tags }}
+          tags: quay.io/kairos/ci-temp-images:auroraboot-${{ github.sha }}-arm64
+  build:
+    needs:
+      - build-linux-amd64
+      - build-linux-arm64
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+      - uses: docker/metadata-action@v5
+        id: metadata
+        with:
+          images: quay.io/kairos/auroraboot
+      - uses: int128/docker-manifest-create-action@v2
+        id: build
+        with:
+          index-annotations: ${{ steps.metadata.outputs.labels }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          sources: |
+            quay.io/kairos/ci-temp-images:auroraboot-${{ github.sha }}-amd64
+            quay.io/kairos/ci-temp-images:auroraboot-${{ github.sha }}-arm64

.github/workflows/tests.yml

@@ -32,7 +32,34 @@ jobs:
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:
-          file: ./coverage.out
+          files: ./coverage.out
+  build-image:
+    runs-on: kvm
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@master
+      - name: Login to Quay Registry
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          tags: quay.io/kairos/ci-temp-images:auroraboot-${{ github.sha }}
+          # https://docs.redhat.com/en/documentation/red_hat_quay/3.4/html/use_red_hat_quay/working_with_tags#tag-expiration
+          labels: |
+            quay.expires-after=6h
   e2e-tests:
     runs-on: kvm
     steps:
@@ -54,7 +81,6 @@ jobs:
         with:
           push: false
           load: true
-          builder: ${{ steps.buildx.outputs.name }}
           context: .
           file: ./Dockerfile
           platforms: linux/amd64
@@ -67,21 +93,50 @@ jobs:
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:
-          file: ./coverage.out
-  test-bootable:
-    runs-on: ubuntu-latest
+          files: ./coverage.out
+  test-bootable-iso-uki:
+    runs-on: kvm
+    needs: build-image
     steps:
-      - uses: earthly/[email protected]
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Build
-        run: earthly +test-bootable
+      - name: Install deps
+        run: |
+          sudo apt-get update && sudo apt-get install -y ovmf libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev swtpm
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@master
+      - name: Generate raw image
+        run: |
+          docker run --rm --privileged \
+          -v $PWD/build/:/output \
+          -v $PWD/e2e/assets/keys/:/keys \
+          quay.io/kairos/ci-temp-images:auroraboot-${{ github.sha }} \
+          --debug \
+          build-uki \
+          --output-dir /build \
+          -k /keys \
+          --output-type iso \
+          -x "console=ttyS0" \
+          quay.io/kairos/ubuntu:24.04-core-amd64-generic-v3.2.3
+      - name: Test UKI iso is bootable
+        env:
+          FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
+          KVM: true
+          EFIVARS_EMPTY: true
+        run: |
+          export ISO=$(find $PWD/build -name *.iso)
+          go run github.com/onsi/ginkgo/v2/ginkgo run --label-filter "bootable" -v --fail-fast -r ./e2e
   test-bootable-raw-efi:
     runs-on: kvm
+    needs: build-image
     steps:
-      - uses: earthly/[email protected]
       - name: Checkout code
         uses: actions/checkout@v4
         with:
@@ -96,35 +151,27 @@ jobs:
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@master
-      - name: Build local image
-        uses: docker/build-push-action@v6
-        with:
-          push: false
-          load: true
-          builder: ${{ steps.buildx.outputs.name }}
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64
-          tags: auroraboot:latest
       - name: Generate raw image
         run: |
-          docker run --rm --privileged -v $PWD/build/:/output auroraboot:latest --debug --set "disable_http_server=true" --set "disable_netboot=true" --set "disk.efi=true" --set "disk.size=16000" --set "container_image=quay.io/kairos/ubuntu:24.04-core-amd64-generic-v3.2.3" --set "state_dir=/output"
+          docker run --rm --privileged \
+          -v $PWD/build/:/output \
+          quay.io/kairos/ci-temp-images:auroraboot-${{ github.sha }} \
+          --debug \
+          --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/output"\
+          --set "disk.efi=true" \
+          --set "disk.size=16000" \
+          --set "container_image=quay.io/kairos/ubuntu:24.04-core-amd64-generic-v3.2.3"
       - name: Test raw image is bootable
         env:
-          FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
-          USE_QEMU: true
-          MEMORY: 4000
-          CPUS: 2
-          CREATE_VM: true
           KVM: true
-          SECUREBOOT: true
+          FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
         run: |
           export RAW_IMAGE=$(find $PWD/build -name *.raw)
           go run github.com/onsi/ginkgo/v2/ginkgo run --label-filter "raw-bootable" -v --fail-fast -r ./e2e
   test-bootable-raw-bios:
     runs-on: kvm
+    needs: build-image
     steps:
-      - uses: earthly/[email protected]
       - name: Checkout code
         uses: actions/checkout@v4
         with:
@@ -139,27 +186,19 @@ jobs:
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@master
-      - name: Build local image
-        uses: docker/build-push-action@v6
-        with:
-          push: false
-          load: true
-          builder: ${{ steps.buildx.outputs.name }}
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64
-          tags: auroraboot:latest
       - name: Generate raw image
         run: |
-          docker run --rm --privileged -v $PWD/build/:/output auroraboot:latest --debug --set "disable_http_server=true" --set "disable_netboot=true" --set "disk.bios=true" --set "disk.size=16000" --set "container_image=quay.io/kairos/ubuntu:24.04-core-amd64-generic-v3.2.3" --set "state_dir=/output"
+          docker run --rm --privileged \
+          -v $PWD/build/:/output \
+          quay.io/kairos/ci-temp-images:auroraboot-${{ github.sha }} \
+          --debug \
+          --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/output"\
+          --set "disk.bios=true" \
+          --set "disk.size=16000" \
+          --set "container_image=quay.io/kairos/ubuntu:24.04-core-amd64-generic-v3.2.3"
       - name: Test raw image is bootable
         env:
-          USE_QEMU: true
-          MEMORY: 4000
-          CPUS: 2
-          CREATE_VM: true
           KVM: true
-          SECUREBOOT: false
         run: |
           export RAW_IMAGE=$(find $PWD/build -name *.raw)
           go run github.com/onsi/ginkgo/v2/ginkgo run --label-filter "raw-bootable" -v --fail-fast -r ./e2e

Dockerfile

@@ -17,15 +17,8 @@ RUN go build -ldflags "-X main.version=${VERSION}" -o auroraboot
 FROM fedora:$FEDORA_VERSION AS default
 RUN dnf -y update
 ## ISO+ Arm image + Netboot + cloud images Build depedencies
-RUN dnf in -y bc qemu-tools qemu-img qemu-system-x86 jq genisoimage docker git curl gdisk kpartx \
-    sudo xfsprogs parted e2fsprogs erofs-utils binutils curl util-linux udev rsync \
-    grub2 dosfstools mtools xorriso lvm2 zstd sbsigntools squashfs-tools openssl \
-    python3-cryptography python3-pefile # ukify deps
-# systemd-ukify systemd-boot
-# Install grub2-efi-x64 only on x86 arches
-RUN if [ "$(uname -m)" == "x86_64" ]; then dnf install -y grub2-efi-x64; fi
-# Install grub2-efi-arm64 only on arm64 arches
-RUN if [ "$(uname -m)" == "aarch64" ]; then dnf install -y grub2-efi-aa64; fi
+RUN dnf in -y bc jq genisoimage docker sudo parted e2fsprogs erofs-utils binutils curl util-linux udev rsync \
+    dosfstools mtools xorriso lvm2 zstd sbsigntools squashfs-tools kpartx grub2
 
 COPY --from=luet /usr/bin/luet /usr/bin/luet
 ENV LUET_NOLOCK=true
@@ -44,13 +37,9 @@ ENV CONTAINERD_DISABLE_PIGZ=1
 RUN luet repo update
 RUN luet install -y system/systemd-boot
 
-## Live CD artifacts
-# TODO: This seems like we can skip if we use the artifacts from the rootfs?
-RUN luet install -y livecd/grub2 --system-target /grub2
-# This we can definitely skip if we use the artifacts from the rootfs
-# The only thing we need is the grub.cfg to be on our constants the rest is provided by the rootfs
-# We only need this packages for the systems that do not provide signed artifacts (archlinux) so should we skip the shim in that case
-# and just use the grub.efi directly unsigned? Arch wont support secureboto in any case so....
+# Install the grub2-efi-image package to get the unsigned shim and the unsigned grub.efi
+# TODO: Remove this. Only used by alpine+arch. It should fallback to not install the shim if on alpine and install the usigned grub.efi
+# Alpine doesnt ship a shim so we can skip it directly and install the grub in the shim place.
 RUN luet install -y livecd/grub2-efi-image --system-target /efi
 
 ## RPI64
@@ -67,12 +56,13 @@ RUN luet install -y firmware/odroid-c2 --system-target /firmware/odroid-c2
 # get them from the x86 repo and we want it to do it from the arm64 repo, even on x86
 # so we use the arm64 luet config and use that to install those on x86
 # This is being used by the prepare_arm_images.sh and build-arch-image.sh scripts
-# TODO: Remove this when raw image is implemented in go as we should get the artifacts from the rootfs
+# TODO: Remove this. Only used for orin image. It should be built in the RAW image generation directly so we cna drop this
 RUN luet install --config /tmp/luet-arm64.yaml -y static/grub-efi --system-target /arm/raw/grubefi
 RUN luet install --config /tmp/luet-arm64.yaml -y static/grub-config --system-target /arm/raw/grubconfig
 RUN luet install --config /tmp/luet-arm64.yaml -y static/grub-artifacts --system-target /arm/raw/grubartifacts
 
 # kairos-agent so we can use the pull-image
+# TODO: What? I cant see where this is used anywhere? Check why its here? Its like 35Mb on nothingness if not used?
 RUN luet install -y system/kairos-agent
 
 # remove luet tmp files. Side effect of setting the system-target is that it treats it as a root fs
@@ -104,13 +94,8 @@ RUN rm -d /arm/raw/grubconfig/var || true
 RUN rm -d /arm/raw/grubartifacts/var || true
 
 # ARM helpers
-COPY ./image-assets/build-arm-image.sh /build-arm-image.sh
-COPY ./image-assets/arm /arm
-COPY ./image-assets/prepare_arm_images.sh /prepare_arm_images.sh
 COPY ./image-assets/prepare_nvidia_orin_images.sh /prepare_nvidia_orin_images.sh
 
-COPY ./image-assets/defaults.yaml /defaults.yaml
-
 COPY --from=builder /work/auroraboot /usr/bin/auroraboot
 
 ENTRYPOINT ["/usr/bin/auroraboot"]