diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 519d6c1a78..dc3520f146 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -34,6 +34,7 @@ jobs:
 asset: - agent - agent-ctl + - busybox - cloud-hypervisor - cloud-hypervisor-glibc - coco-guest-components
@@ -136,6 +137,15 @@ jobs:
 retention-days: 15 if-no-files-found: error + - name: store-extratarballs-artifact ${{ matrix.asset }} + if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz + retention-days: 15 + if-no-files-found: error + build-asset-rootfs: runs-on: ubuntu-22.04 needs: build-asset
@@ -147,6 +157,7 @@ jobs:
 - rootfs-image-mariner - rootfs-initrd - rootfs-initrd-confidential + - rootfs-nvidia-gpu-initrd steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }}
diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index 3cca495751..180c806caf 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -24,18 +24,27 @@ on:
 jobs: build-asset: runs-on: ubuntu-22.04-arm + permissions: + contents: read + packages: write + id-token: write + attestations: write strategy: matrix: asset: - agent + - busybox - cloud-hypervisor - firecracker - kernel - kernel-dragonball-experimental + - kernel-nvidia-gpu - nydus - qemu - stratovirt - virtiofsd + env: + PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }}
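Review bot: The new store-extratarballs-artifact step in the `@@ -136,6 +137,15 @@` hunk uploads only `kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz`, but neither the step name nor a comment says what this second tarball is or why the gate is a prefix match, `startsWith(matrix.asset, 'kernel-nvidia-gpu')`, rather than an equality test. A one-line comment above the step, `# kernel-nvidia-gpu* assets also produce a kernel headers tarball; upload it as a separate artifact`, would make the intent explicit; the prefix match will also capture any future asset sharing that prefix, which looks deliberate but should be stated. None of the amd64 matrix entries visible in this diff start with `kernel-nvidia-gpu`, so it is worth confirming that such an asset exists in the part of the matrix outside the hunk, otherwise the step never runs on amd64. The identical step is added to the arm64 workflow in the hunk at `@@ -80,6 +117,15 @@` and the same comment applies there.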
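Review bot: The `permissions` block in the arm64 `@@ -24,18 +24,27 @@` hunk grants `packages: write`, `id-token: write` and `attestations: write` to every leg of the build-asset matrix, although `PERFORM_ATTESTATION` only enables attestation for `agent` when `inputs.push-to-registry == 'yes'`; every other asset build (busybox, kernel, qemu, …) runs with an OIDC token and package-write scope it never uses. Job-level permissions cannot be narrowed per step, so the least-privilege shape is to move the attestation steps into a separate job that `needs: build-asset`, takes the image name/digest as job outputs, and holds the write scopes alone, leaving this job at `contents: read`. Note also that adding an explicit `permissions` block resets every unlisted scope to none for this job, so any existing step further down that relied on the default token scopes should be rechecked; the rest of the job is outside the hunk.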
@@ -72,6 +81,34 @@ jobs:
 TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + - name: Parse OCI image name and digest + id: parse-oci-segments + if: ${{ env.PERFORM_ATTESTATION == 'yes' }} + run: | + oci_image="$(<"build/${{ matrix.asset }}-oci-image")" + echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT" + echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT" + - uses: oras-project/setup-oras@v1 + if: ${{ env.PERFORM_ATTESTATION == 'yes' }} + with: + version: "1.2.0" + # for pushing attestations to the registry + - uses: docker/login-action@v3 + if: ${{ env.PERFORM_ATTESTATION == 'yes' }} + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/attest-build-provenance@v1 + if: ${{ env.PERFORM_ATTESTATION == 'yes' }} + with: + subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} + subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }} + push-to-registry: true + - name: store-artifact ${{ matrix.asset }} uses: actions/upload-artifact@v4 with:
@@ -80,6 +117,15 @@ jobs:
 retention-days: 15 if-no-files-found: error + - name: store-extratarballs-artifact ${{ matrix.asset }} + if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz + retention-days: 15 + if-no-files-found: error + build-asset-rootfs: runs-on: ubuntu-22.04-arm needs: build-asset
@@ -88,6 +134,7 @@ jobs:
 asset: - rootfs-image - rootfs-initrd + - rootfs-nvidia-gpu-initrd steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }}
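Review bot: The Parse OCI image name and digest step splits the file content on `@` without checking that a digest is present; if `build/<asset>-oci-image` holds a bare tag or is empty, `${oci_image%@*}` and `${oci_image#*@}` both expand to the whole string and attest-build-provenance is handed a malformed `subject-digest`. A guard before the two echo lines, `[[ "$oci_image" == *@sha256:* ]] || { echo "no digest in '$oci_image'" >&2; exit 1; }`, fails the step with a clear message instead of a confusing error from the attestation action. The setup-oras step installs oras, but no step in this hunk invokes it and the attestation push is done by actions/attest-build-provenance itself, so it looks like dead weight unless a step outside the hunk uses it. The login here targets `ghcr.io` while the job also logs into quay.io; confirm that `oci-name` resolves to a ghcr.io image, since the attestation is pushed to whichever registry the subject name points at. `${{ matrix.asset }}` is also interpolated straight into the shell line; the matrix values are fixed strings here so this is not an injection risk, but passing it through `env:` matches the hardened idiom for `run:` steps.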