kairos/.github/workflows/reusable-build-provider.yaml

name: Reusable workflow that builds a Provider image

on:
  workflow_call:
    inputs:
      flavor:
        required: true
        type: string
      flavor_release:
        required: true
        type: string
      base_image:
        required: true
        type: string
      model:
        required: true
        type: string
      family:
        required: true
        type: string
      variant:
        required: true
        type: string
      arch:
        required: true
        type: string

permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # OIDC support
      contents: write
      actions: read
      security-events: write
    steps:
      - name: Release space from worker
        run: |
          echo "Listing top largest packages"
          pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
          head -n 30 <<< "${pkgs}"
          echo
          df -h
          echo
          sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
          sudo apt-get remove --auto-remove android-sdk-platform-tools || true
          sudo apt-get purge --auto-remove android-sdk-platform-tools || true
          sudo rm -rf /usr/local/lib/android
          sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
          sudo rm -rf /usr/share/dotnet
          sudo apt-get remove -y '^mono-.*' || true
          sudo apt-get remove -y '^ghc-.*' || true
          sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
          sudo apt-get remove -y 'php.*' || true
          sudo apt-get remove -y hhvm || true
          sudo apt-get remove -y powershell || true
          sudo apt-get remove -y firefox || true
          sudo apt-get remove -y monodoc-manual || true
          sudo apt-get remove -y msbuild || true
          sudo apt-get remove -y microsoft-edge-stable || true
          sudo apt-get remove -y '^google-.*' || true
          sudo apt-get remove -y azure-cli || true
          sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
          sudo apt-get remove -y '^gfortran-.*' || true
          sudo apt-get remove -y '^gcc-*' || true
          sudo apt-get remove -y '^g++-*' || true
          sudo apt-get remove -y '^cpp-*' || true
          sudo apt-get autoremove -y
          sudo apt-get clean
          echo
          echo "Listing top largest packages"
          pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
          head -n 30 <<< "${pkgs}"
          echo
          sudo rm -rfv build || true
          df -h          
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - run: |
          git fetch --prune --unshallow          
      - name: Install earthly
        uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
        with:
          repository: quay.io/kairos/packages
          packages: utils/earthly
      - name: Block all traffic to metadata ip  # For cloud runners, the metadata ip can interact with our test machines
        run: |
          sudo iptables -I INPUT -s 169.254.169.254 -j DROP
          sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP          
      - name: Login to earthly
        run: |
          earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos          
      - name: Build PR 🔧
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile
          INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd")
          K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s  | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"')
          earthly --platform=linux/${{ inputs.arch }} +ci \
            --SECURITY_SCANS=false \
            --VARIANT=${{ inputs.variant }} \
            --FLAVOR=${{ inputs.flavor }} \
            --FLAVOR_RELEASE=${{ inputs.flavor_release }} \
            --BASE_IMAGE=${{ inputs.base_image }} \
            --MODEL=${{ inputs.model }} \
            --FAMILY=${{ inputs.family }} \
            --K3S_VERSION=${K3S_VERSION}

          sudo mv build/* .
          sudo rm -rf build          
      - name: Install kairos-agent (for versioneer)
        uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
        with:
          repository: quay.io/kairos/packages
          packages: system/kairos-agent
      - name: Build master 🔧
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
        run: |
          earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile
          INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd")
          K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s  | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"')
          earthly --platform=linux/${{ inputs.arch }} +ci \
            --SECURITY_SCANS=true \
            --VARIANT=${{ inputs.variant }} \
            --FLAVOR=${{ inputs.flavor }} \
            --FLAVOR_RELEASE=${{ inputs.flavor_release }} \
            --BASE_IMAGE=${{ inputs.base_image }} \
            --MODEL=${{ inputs.model }} \
            --FAMILY=${{ inputs.family }} \
            --K3S_VERSION=${K3S_VERSION}

          sudo mv build/* .
          sudo rm -rf build          
      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-provider.iso.zip
          path: |
            *.iso
            *.sha256
            versions.yaml            
          if-no-files-found: error
      - name: Login to Quay Registry
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
        run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
      - name: Install Cosign
        uses: sigstore/cosign-installer@main
      - name: Push to quay
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
        env:
          COSIGN_YES: true
        run: |
          INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd")
          K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s  | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"')
          IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master-k3sv${K3S_VERSION%%+*}-k3s1 kairos-agent versioneer container-artifact-name)
          docker tag $(cat IMAGE) $IMAGE
          docker push $IMAGE
          image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
          # TODO: on master we don't want to push all the sbom files since the tag is always the same and we don't go back to clean the old sbom files
          # but we should also use this reusable job for releases and then it's important to do it
          # For master:
          cosign sign $image_ref
          # For releases:
          # spdx=$(ls *.spdx.json)
          # cosign attach sbom --sbom $spdx $image_ref
          # cosign sign $image_ref --attachment sbom
          # in-toto attestation
          # cosign attest --type spdx --predicate $spdx $image_ref          
      - name: Push to testing
        run: |
          _IMG=$(cat IMAGE)
          TEST_IMAGE="ttl.sh/kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-${{ github.sha }}-provider:24h"
          docker tag $_IMG $TEST_IMAGE
          docker push $TEST_IMAGE