Push generic images on release and on master (#3104)

* Push generic images on release also renames the jobs so they are easily identificable from the CI web Signed-off-by: Itxaka <itxaka@kairos.io> * Push arm64 master images as well Signed-off-by: Itxaka <itxaka@kairos.io> --------- Signed-off-by: Itxaka <itxaka@kairos.io>
2025-02-09 05:18:51 +00:00 · 2025-01-08 15:24:18 +01:00 · 2025-01-08 15:24:18 +01:00 · 885c0eb565
commit 885c0eb565
parent e70691069f
6 changed files with 167 additions and 65 deletions
--- a/.github/flavors.json
+++ b/.github/flavors.json
@ -69,6 +69,16 @@
        "arch": "arm64",
        "worker": "ARM64"
    },
+    {
+        "family": "opensuse",
+        "flavor": "opensuse",
+        "flavorRelease": "leap-15.6",
+        "variant": "standard",
+        "model": "generic",
+        "baseImage": "opensuse/leap:15.6",
+        "arch": "arm64",
+        "worker": "ARM64"
+    },
    {
        "family": "opensuse",
        "flavor": "opensuse",
@ -209,16 +219,6 @@
        "arch": "arm64",
        "worker": "ARM64"
    },
-    {
-        "family": "ubuntu",
-        "flavor": "ubuntu",
-        "flavorRelease": "24.04",
-        "variant": "core",
-        "model": "generic",
-        "baseImage": "ubuntu:24.04",
-        "arch": "arm64",
-        "worker": "ARM64"
-    },
    {
        "family": "ubuntu",
        "flavor": "ubuntu",
@ -239,16 +239,6 @@
        "arch": "amd64",
        "worker": "self-hosted"
    },
-    {
-        "family": "ubuntu",
-        "flavor": "ubuntu",
-        "flavorRelease": "24.04",
-        "variant": "core",
-        "model": "generic",
-        "baseImage": "ubuntu:24.04",
-        "arch": "arm64",
-        "worker": "ARM64"
-    },
    {
        "family": "ubuntu",
        "flavor": "ubuntu",
@ -283,7 +273,7 @@
        "family": "ubuntu",
        "flavor": "ubuntu",
        "flavorRelease": "24.10",
-        "variant": "core",
+        "variant": "standard",
        "model": "generic",
        "baseImage": "ubuntu:24.10",
        "arch": "arm64",
@ -369,6 +359,26 @@
        "arch": "amd64",
        "worker": "self-hosted"
    },
+    {
+        "family": "rhel",
+        "flavor": "fedora",
+        "flavorRelease": "40",
+        "variant": "core",
+        "model": "generic",
+        "baseImage": "fedora:40",
+        "arch": "arm64",
+        "worker": "ARM64"
+    },
+    {
+        "family": "rhel",
+        "flavor": "fedora",
+        "flavorRelease": "40",
+        "variant": "standard",
+        "model": "generic",
+        "baseImage": "fedora:40",
+        "arch": "arm64",
+        "worker": "ARM64"
+    },
    {
        "family": "debian",
        "flavor": "debian",
--- a/.github/workflows/image-arm-pr.yaml
+++ b/.github/workflows/image-arm-pr.yaml
@ -1,4 +1,4 @@
-name: 'Push latest ARM images'
+name: 'Push latest ARM images (PR)'

 on:
  pull_request:
--- a/.github/workflows/image-arm.yaml
+++ b/.github/workflows/image-arm.yaml
@ -1,4 +1,4 @@
-name: 'Push latest ARM images'
+name: 'Push latest ARM images (Master)'

 on:
  push:
@ -30,6 +30,24 @@ jobs:
          # end of optional handling for multi line json
          echo "::set-output name=matrix::{\"include\": $content }"

+  get-core-matrix-generic:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          fetch-depth: 0
+      - id: set-matrix
+        run: |
+          content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "arm64" and .variant == "core" and .model == "generic"))'`
+          # the following lines are only required for multi line json
+          content="${content//'%'/'%25'}"
+          content="${content//$'\n'/'%0A'}"
+          content="${content//$'\r'/'%0D'}"
+          # end of optional handling for multi line json
+          echo "::set-output name=matrix::{\"include\": $content }"
+
  # The matrix for standard (provider) images
  get-standard-matrix:
    runs-on: ubuntu-latest
@ -193,7 +211,6 @@ jobs:
      base_image: quay.io/kairos/cache:nvidia-base
      model: nvidia-jetson-agx-orin
      worker: ARM64
-
  build-arm-core:
    uses: ./.github/workflows/reusable-docker-arm-build.yaml
    permissions:
@ -224,16 +241,83 @@ jobs:
    strategy:
      fail-fast: false
      matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
-
-  image_and_iso_arm64_generic:
-    uses: ./.github/workflows/reusable-image-and-iso-arm-generic.yaml
-    secrets: inherit
-    with:
-      flavor: "opensuse"
-      flavor_release: "leap-15.6"
-      family: opensuse
-      base_image: opensuse/leap:15.6
-      variant: core
+  build-arm-generic:
+    needs:
+      - get-core-matrix-generic
+    runs-on: ARM64
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+    strategy:
+      fail-fast: false
+      matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          fetch-depth: 0
+      - name: Install earthly
+        uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
+        with:
+          repository: quay.io/kairos/packages-arm64
+          packages: utils/earthly
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
+      - name: Login to Quay Registry
+        run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
+      - name: Set local mirror
+        if: ${{ inputs.worker == 'ARM64' }}
+        run: |
+          # Configure earthly to use the docker mirror in CI
+          # https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
+          mkdir -p ~/.earthly/
+          cat << EOF > ~/.earthly/config.yml
+          global:
+            buildkit_additional_config: |
+              [registry."docker.io"]
+                mirrors = ["registry.docker-mirror.svc.cluster.local:5000"]
+              [registry."registry.docker-mirror.svc.cluster.local:5000"]
+                insecure = true
+                http = true
+          EOF
+      - name: Set Image name (master)
+        if: ${{ github.ref == 'refs/heads/master' }}
+        run: |
+          IMAGE_REF=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=arm64 VARIANT=core REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name)
+          echo "IMAGE_REF=${IMAGE_REF}" >> $GITHUB_ENV
+      - name: Build container 🔧
+        run: |
+          earthly -P +arm-container-image \
+            --FLAVOR=${{ matrix.flavor }} \
+            --FLAVOR_RELEASE=${{ matrix.flavor_release }} \
+            --FAMILY=${{ matrix.family }} \
+            --BASE_IMAGE=${{ matrix.base_image}} \
+            --MODEL=${{ matrix.model }} \
+            --VARIANT=${{ matrix.variant }}
+      - name: Push  🔧
+        if:  ${{ github.ref == 'refs/heads/master' }}
+        run: |
+          docker tag $(cat build/IMAGE) ${{ env.IMAGE_REF }}
+          docker push ${{ env.IMAGE_REF }}
+      - name: Sign image
+        if: ${{ github.ref == 'refs/heads/master' }}
+        env:
+          COSIGN_YES: true
+        run: |
+          docker push "${{ env.IMAGE_REF }}" # Otherwise .RepoDigests will be empty for some reason
+          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "${{ env.IMAGE_REF }}")

  notify:
    runs-on: ubuntu-latest
--- a/.github/workflows/release-arm.yaml
+++ b/.github/workflows/release-arm.yaml
@ -1,4 +1,4 @@
-name: Build arm images
+name: Release ARM artifacts
 on:
  push:
    tags:
@ -8,7 +8,7 @@ env:
  EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }}
 permissions: read-all
 jobs:
-  get-core-matrix:
+  get-core-matrix-model:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
@ -25,9 +25,26 @@ jobs:
          content="${content//$'\r'/'%0D'}"
          # end of optional handling for multi line json
          echo "::set-output name=matrix::{\"include\": $content }"
+  get-core-matrix-generic:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          fetch-depth: 0
+      - id: set-matrix
+        run: |
+          content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "arm64" and .variant == "core" and .model == "generic"))'`
+          # the following lines are only required for multi line json
+          content="${content//'%'/'%25'}"
+          content="${content//$'\n'/'%0A'}"
+          content="${content//$'\r'/'%0D'}"
+          # end of optional handling for multi line json
+          echo "::set-output name=matrix::{\"include\": $content }"

  # The matrix for standard (provider) images
-  get-standard-matrix:
+  get-standard-matrix-model:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
@ -131,7 +148,7 @@ jobs:
  build-arm-core:
    runs-on: ${{ matrix.worker }}
    needs:
-      - get-core-matrix
+      - get-core-matrix-model
    permissions:
      id-token: write  # OIDC support
      contents: write
@ -232,7 +249,7 @@ jobs:
  build-arm-standard:
    runs-on: ARM64
    needs:
-      - get-standard-matrix
+      - get-standard-matrix-model
    permissions:
      id-token: write  # OIDC support
      contents: write
@ -339,6 +356,8 @@ jobs:
          docker images --format "{{.Size}} - {{.Repository}}:{{.Tag}}"

  build-arm-generic:
+    needs:
+      - get-core-matrix-generic
    runs-on: ARM64
    permissions:
      id-token: write  # OIDC support
@ -357,14 +376,7 @@ jobs:
      statuses: read
    strategy:
      fail-fast: false
-      matrix:
-        include:
-          - flavor: opensuse
-            flavor_release: leap-15.6
-            family: opensuse
-            base_image: opensuse/leap:15.6
-            model: generic
-            variant: standard
+      matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
@ -379,28 +391,18 @@ jobs:
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
      - name: Login to Quay Registry
        run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
-      - name: Build iso  🔧
+      - name: Build container 🔧
        run: |
-          INIT=$([[ "${{ matrix.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd")
-          earthly --platform=linux/arm64 +extract-framework-profile
-          K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s  | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"')
-          earthly -P +all-arm-generic \
+          earthly -P +arm-container-image \
            --FLAVOR=${{ matrix.flavor }} \
            --FLAVOR_RELEASE=${{ matrix.flavor_release }} \
            --FAMILY=${{ matrix.family }} \
            --BASE_IMAGE=${{ matrix.base_image}} \
            --MODEL=${{ matrix.model }} \
-            --VARIANT=${{ matrix.variant }} \
-            --K3S_VERSION=${K3S_VERSION}
-
-          sudo mv build release
-      - name: Push to quay
+            --VARIANT=${{ matrix.variant }}
+      - name: Push and sign 🔧
        if: startsWith(github.ref, 'refs/tags/')
        run: |
-          docker push $(cat release/IMAGE)
-      - name: Release
-        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
-        if: startsWith(github.ref, 'refs/tags/')
-        with:
-          files: |
-            release/*iso*
+          export IMAGE=$(cat build/IMAGE)
+          docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason
+          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,4 +1,4 @@
-name: Release
+name: Release artifacts

 on:
  # Bump the CI
--- a/6
+++ b/6
@ -94,6 +94,12 @@ all-arm:
  END

 arm-container-image:
+  ARG --required FLAVOR
+  ARG --required FLAVOR_RELEASE
+  ARG --required BASE_IMAGE
+  ARG --required VARIANT
+  ARG --required FAMILY
+  ARG --required MODEL
  BUILD --platform=linux/arm64 +base-image

 all-arm-generic: