From 496e255ea2649fc3007cdabde992e52585999803 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <ffidencio@nvidia.com>
Date: Fri, 10 Oct 2025 09:57:10 +0200
Subject: [PATCH] build: Fix KBUILD_SIGN_PIN usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

What was done in the past, trying to set the env var on the same step
it'd be used, simply does not work.

Instead, we need to properly set it through the `env` set up, as done
now.

We're also bumping the kata_config_version to ensure we retrigger the
kernel builds.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
---
 .github/workflows/build-kata-static-tarball-amd64.yaml | 6 ++----
 tools/packaging/kernel/kata_config_version             | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 67457af199..912638ed57 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -97,7 +97,6 @@ jobs:
       - name: Build ${{ matrix.asset }}
         id: build
         run: |
-          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "GH_KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN}" >> "${GITHUB_ENV}"
           make "${KATA_ASSET}-tarball"
           build_dir=$(readlink -f build)
           # store-artifact does not work with symlink
@@ -111,7 +110,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-          GH_KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: Parse OCI image name and digest
         id: parse-oci-segments
@@ -208,7 +207,6 @@ jobs:
       - name: Build ${{ matrix.asset }}
         id: build
         run: |
-          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${GH_KBUILD_SIGN_PIN}" >> "${GITHUB_ENV}"
           ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
           make "${KATA_ASSET}-tarball"
           build_dir=$(readlink -f build)
@@ -223,7 +221,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-          GH_KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: store-artifact ${{ matrix.asset }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index de8febe1c7..fb402ef6a4 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-168
+169