diff --git a/.github/workflows/cc-payload-amd64.yaml b/.github/workflows/cc-payload-amd64.yaml new file mode 100644 index 0000000000..c4c1eb0354 --- /dev/null +++ b/.github/workflows/cc-payload-amd64.yaml @@ -0,0 +1,142 @@ +name: Publish Kata Containers payload for Confidential Containers (amd64) +on: + workflow_call: + inputs: + target-arch: + required: true + type: string + +jobs: + build-asset: + runs-on: ubuntu-latest + strategy: + matrix: + asset: + - cc-cloud-hypervisor + - cc-kernel + - cc-qemu + - cc-rootfs-image + - cc-virtiofsd + - cc-sev-kernel + - cc-sev-ovmf + - cc-sev-rootfs-initrd + - cc-tdx-kernel + - cc-tdx-rootfs-image + - cc-tdx-qemu + - cc-tdx-td-shim + - cc-tdx-tdvf + steps: + - uses: actions/checkout@v3 + - name: Build ${{ matrix.asset }} + run: | + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 1 + if-no-files-found: error + + - name: store-artifact root_hash_tdx.txt + uses: actions/upload-artifact@v3 + with: + name: root_hash_tdx.txt + path: tools/osbuilder/root_hash_tdx.txt + retention-days: 1 + if-no-files-found: ignore + + - name: store-artifact root_hash_vanilla.txt + uses: actions/upload-artifact@v3 + with: + name: root_hash_vanilla.txt + path: tools/osbuilder/root_hash_vanilla.txt + retention-days: 1 + if-no-files-found: ignore + + build-asset-cc-shim-v2: + runs-on: ubuntu-latest + needs: build-asset + steps: + - uses: actions/checkout@v3 + + - name: Get root_hash_tdx.txt + uses: actions/download-artifact@v3 + with: + name: root_hash_tdx.txt + path: tools/osbuilder/ + + - name: Get root_hash_vanilla.txt + uses: actions/download-artifact@v3 + with: + name: root_hash_vanilla.txt + path: tools/osbuilder/ + + - name: Build cc-shim-v2 + run: | + make cc-shim-v2-tarball + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + + - name: store-artifact cc-shim-v2 + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts + path: kata-build/kata-static-cc-shim-v2.tar.xz + retention-days: 1 + if-no-files-found: error + + create-kata-tarball: + runs-on: ubuntu-latest + needs: [build-asset, build-asset-cc-shim-v2] + steps: + - uses: actions/checkout@v3 + - name: get-artifacts + uses: actions/download-artifact@v3 + with: + name: kata-artifacts + path: kata-artifacts + - name: merge-artifacts + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts + - name: store-artifacts + uses: actions/upload-artifact@v3 + with: + name: kata-static-tarball + path: kata-static.tar.xz + retention-days: 1 + if-no-files-found: error + + kata-payload: + needs: create-kata-tarball + runs-on: ubuntu-latest + steps: + - name: Login to quay.io + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v3 + - name: get-kata-tarball + uses: actions/download-artifact@v3 + with: + name: kata-static-tarball + + - name: build-and-push-kata-payload + id: build-and-push-kata-payload + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ + $(pwd)/kata-static.tar.xz \ + "quay.io/confidential-containers/runtime-payload" \ + "kata-containers-${{ inputs.target-arch }}" + diff --git a/.github/workflows/cc-payload-s390x.yaml b/.github/workflows/cc-payload-s390x.yaml new file mode 100644 index 0000000000..c062ac3ab2 --- /dev/null +++ b/.github/workflows/cc-payload-s390x.yaml @@ -0,0 +1,134 @@ +name: Publish Kata Containers payload for Confidential Containers (s390x) +on: + workflow_call: + inputs: + target-arch: + required: true + type: string + +jobs: + build-asset: + runs-on: s390x + strategy: + matrix: + asset: + - cc-kernel + - cc-qemu + - cc-rootfs-image + - cc-virtiofsd + steps: + - name: Adjust a permission for repo + run: | + sudo chown -R $USER:$USER $GITHUB_WORKSPACE + + - uses: actions/checkout@v3 + - name: Build ${{ matrix.asset }} + run: | + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts-s390x + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 1 + if-no-files-found: error + + - name: store-artifact root_hash_vanilla.txt + uses: actions/upload-artifact@v3 + with: + name: root_hash_vanilla.txt-s390x + path: tools/osbuilder/root_hash_vanilla.txt + retention-days: 1 + if-no-files-found: ignore + + build-asset-cc-shim-v2: + runs-on: s390x + needs: build-asset + steps: + - name: Adjust a permission for repo + run: | + sudo chown -R $USER:$USER $GITHUB_WORKSPACE + + - uses: actions/checkout@v3 + + - name: Get root_hash_vanilla.txt + uses: actions/download-artifact@v3 + with: + name: root_hash_vanilla.txt-s390x + path: tools/osbuilder/ + + - name: Build cc-shim-v2 + run: | + make cc-shim-v2-tarball + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + + - name: store-artifact cc-shim-v2 + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts-s390x + path: kata-build/kata-static-cc-shim-v2.tar.xz + retention-days: 1 + if-no-files-found: error + + create-kata-tarball: + runs-on: s390x + needs: [build-asset, build-asset-cc-shim-v2] + steps: + - name: Adjust a permission for repo + run: | + sudo chown -R $USER:$USER $GITHUB_WORKSPACE + + - uses: actions/checkout@v3 + - name: get-artifacts + uses: actions/download-artifact@v3 + with: + name: kata-artifacts-s390x + path: kata-artifacts + - name: merge-artifacts + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts + - name: store-artifacts + uses: actions/upload-artifact@v3 + with: + name: kata-static-tarball-s390x + path: kata-static.tar.xz + retention-days: 1 + if-no-files-found: error + + kata-payload: + needs: create-kata-tarball + runs-on: s390x + steps: + - name: Login to quay.io + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }} + + - name: Adjust a permission for repo + run: | + sudo chown -R $USER:$USER $GITHUB_WORKSPACE + + - uses: actions/checkout@v3 + - name: get-kata-tarball + uses: actions/download-artifact@v3 + with: + name: kata-static-tarball-s390x + + - name: build-and-push-kata-payload + id: build-and-push-kata-payload + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ + $(pwd)/kata-static.tar.xz \ + "quay.io/confidential-containers/runtime-payload" \ + "kata-containers-${{ inputs.target-arch }}" diff --git a/.github/workflows/cc-payload.yaml b/.github/workflows/cc-payload.yaml index a0b32f8b6d..f079369070 100644 --- a/.github/workflows/cc-payload.yaml +++ b/.github/workflows/cc-payload.yaml @@ -5,132 +5,35 @@ on: - 'CC\-[0-9]+.[0-9]+.[0-9]+' jobs: - build-asset: + build-assets-amd64: + uses: ./.github/workflows/cc-payload-amd64.yaml + with: + target-arch: amd64 + secrets: inherit + + build-assets-s390x: + uses: ./.github/workflows/cc-payload-s390x.yaml + with: + target-arch: s390x + secrets: inherit + + publish: runs-on: ubuntu-latest - strategy: - matrix: - asset: - - cc-cloud-hypervisor - - cc-kernel - - cc-qemu - - cc-rootfs-image - - cc-virtiofsd - - cc-sev-kernel - - cc-sev-ovmf - - cc-sev-rootfs-initrd - - cc-tdx-kernel - - cc-tdx-rootfs-image - - cc-tdx-qemu - - cc-tdx-td-shim - - cc-tdx-tdvf + needs: [build-assets-amd64, build-assets-s390x] steps: - - uses: actions/checkout@v3 - - name: Build ${{ matrix.asset }} - run: | - make "${KATA_ASSET}-tarball" - build_dir=$(readlink -f build) - # store-artifact does not work with symlink - sudo cp -r "${build_dir}" "kata-build" - env: - KATA_ASSET: ${{ matrix.asset }} - TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + - name: Checkout repository + uses: actions/checkout@v3 - - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v3 - with: - name: kata-artifacts - path: kata-build/kata-static-${{ matrix.asset }}.tar.xz - retention-days: 1 - if-no-files-found: error - - - name: store-artifact root_hash_tdx.txt - uses: actions/upload-artifact@v3 - with: - name: root_hash_tdx.txt - path: tools/osbuilder/root_hash_tdx.txt - retention-days: 1 - if-no-files-found: ignore - - - name: store-artifact root_hash_vanilla.txt - uses: actions/upload-artifact@v3 - with: - name: root_hash_vanilla.txt - path: tools/osbuilder/root_hash_vanilla.txt - retention-days: 1 - if-no-files-found: ignore - - build-asset-cc-shim-v2: - runs-on: ubuntu-latest - needs: build-asset - steps: - - uses: actions/checkout@v3 - - - name: Get root_hash_tdx.txt - uses: actions/download-artifact@v3 - with: - name: root_hash_tdx.txt - path: tools/osbuilder/ - - - name: Get root_hash_vanilla.txt - uses: actions/download-artifact@v3 - with: - name: root_hash_vanilla.txt - path: tools/osbuilder/ - - - name: Build cc-shim-v2 - run: | - make cc-shim-v2-tarball - build_dir=$(readlink -f build) - # store-artifact does not work with symlink - sudo cp -r "${build_dir}" "kata-build" - - - name: store-artifact cc-shim-v2 - uses: actions/upload-artifact@v3 - with: - name: kata-artifacts - path: kata-build/kata-static-cc-shim-v2.tar.xz - retention-days: 1 - if-no-files-found: error - - create-kata-tarball: - runs-on: ubuntu-latest - needs: [build-asset, build-asset-cc-shim-v2] - steps: - - uses: actions/checkout@v3 - - name: get-artifacts - uses: actions/download-artifact@v3 - with: - name: kata-artifacts - path: kata-artifacts - - name: merge-artifacts - run: | - ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts - - name: store-artifacts - uses: actions/upload-artifact@v3 - with: - name: kata-static-tarball - path: kata-static.tar.xz - retention-days: 1 - if-no-files-found: error - - kata-payload: - needs: create-kata-tarball - runs-on: ubuntu-latest - steps: - - name: Login to quay.io + - name: Login to Confidential Containers quay.io uses: docker/login-action@v2 with: registry: quay.io username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v3 - - name: get-kata-tarball - uses: actions/download-artifact@v3 - with: - name: kata-static-tarball - - - name: build-and-push-kata-payload - id: build-and-push-kata-payload + - name: Push multi-arch manifest run: | - ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz + docker manifest create quay.io/confidential-containers/runtime-payload:kata-containers-latest \ + --amend quay.io/confidential-containers/runtime-payload:kata-containers-amd64 \ + --amend quay.io/confidential-containers/runtime-payload:kata-containers-s390x + docker manifest push quay.io/confidential-containers/runtime-payload:kata-containers-latest