From b04bdf54a527ba6b3ae63ba97b560d33d418d37e Mon Sep 17 00:00:00 2001 From: Zvonko Kaiser Date: Thu, 23 Jan 2025 15:55:49 +0000 Subject: [PATCH 1/4] gpu: Add rootfs target amd64/arm64 Adding the initrd build first to get the rootfs on amd64. With that we can start to add tests. Signed-off-by: Zvonko Kaiser --- .github/workflows/build-kata-static-tarball-amd64.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 519d6c1a78..440539382c 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -147,6 +147,7 @@ jobs: - rootfs-image-mariner - rootfs-initrd - rootfs-initrd-confidential + - rootfs-nvidia-gpu-initrd steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} From 968318180d129807b2643565a9013338d4d50d17 Mon Sep 17 00:00:00 2001 From: Zvonko Kaiser Date: Thu, 23 Jan 2025 16:50:05 +0000 Subject: [PATCH 2/4] ci: Add extratarballs steps We introduced extratarballs with a make target. The CI currently only uploads tarballs that are listed in the matrix. The NV kernel builds a headers package which needs to be uploaded as well. The get-artifacts has a glob to download all artifacts hence we should be good. Signed-off-by: Zvonko Kaiser --- .github/workflows/build-kata-static-tarball-amd64.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 440539382c..dc3520f146 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -34,6 +34,7 @@ jobs: asset: - agent - agent-ctl + - busybox - cloud-hypervisor - cloud-hypervisor-glibc - coco-guest-components 
@@ -136,6 +137,15 @@ jobs: retention-days: 15 if-no-files-found: error + - name: store-extratarballs-artifact ${{ matrix.asset }} + if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz + retention-days: 15 + if-no-files-found: error + build-asset-rootfs: runs-on: ubuntu-22.04 needs: build-asset From 9a7dff9c403c31f9590509872bb0816fa99c0b5a Mon Sep 17 00:00:00 2001 From: Zvonko Kaiser Date: Wed, 29 Jan 2025 18:45:39 +0000 Subject: [PATCH 3/4] gpu: Add arm64 targets We want to make sure we deliver arm64 GPU targets as well Signed-off-by: Zvonko Kaiser --- .../workflows/build-kata-static-tarball-arm64.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index 3cca495751..2c935d4691 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -28,10 +28,12 @@ jobs: matrix: asset: - agent + - busybox - cloud-hypervisor - firecracker - kernel - kernel-dragonball-experimental + - kernel-nvidia-gpu - nydus - qemu - stratovirt @@ -80,6 +82,15 @@ jobs: retention-days: 15 if-no-files-found: error + - name: store-extratarballs-artifact ${{ matrix.asset }} + if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz + retention-days: 15 + if-no-files-found: error + build-asset-rootfs: runs-on: ubuntu-22.04-arm needs: build-asset 
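Review bot: The new store-extratarballs-artifact step fires for every asset whose name starts with `kernel-nvidia-gpu` and then insists, via `if-no-files-found: error`, that a `kata-static-<asset>-headers.tar.xz` exists, so any future prefixed variant that does not build a headers package will fail the job instead of being skipped; the intent that every such variant must produce headers is not stated anywhere. A comment above the `if:` would make the contract explicit, e.g. `# every kernel-nvidia-gpu* asset is expected to emit a -headers tarball; a missing file is a build error on purpose`. In the arm64 matrix added in the same patch only `kernel-nvidia-gpu` itself matches, so the prefix match presumably exists to mirror amd64, which this diff only shows in part. The same step and condition appear verbatim in the arm64 hunk that follows on this line, so the comment belongs in both places.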
@@ -88,6 +99,7 @@ jobs: asset: - rootfs-image - rootfs-initrd + - rootfs-nvidia-gpu-initrd steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} From 45bd451fa0612658f0d8650bc7d42f8b5d7ed0e2 Mon Sep 17 00:00:00 2001 From: Zvonko Kaiser Date: Wed, 29 Jan 2025 18:50:02 +0000 Subject: [PATCH 4/4] ci: add arm64 attestation Do the very same thing that we do on amd64 and add attestation Signed-off-by: Zvonko Kaiser --- .../build-kata-static-tarball-arm64.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index 2c935d4691..180c806caf 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -24,6 +24,11 @@ on: jobs: build-asset: runs-on: ubuntu-22.04-arm + permissions: + contents: read + packages: write + id-token: write + attestations: write strategy: matrix: asset: @@ -38,6 +43,8 @@ jobs: - qemu - stratovirt - virtiofsd + env: + PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} 
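Review bot: The permissions block grants `packages: write`, `id-token: write` and `attestations: write` to the whole build-asset job, i.e. to every matrix asset on every run, while the PERFORM_ATTESTATION env added in the next hunk only exercises those rights for the `agent` asset when push-to-registry is `yes`. GitHub Actions scopes permissions per job, not per step or matrix entry, so this is the narrowest grant available without splitting attestation into its own job; that reasoning is worth recording above the block, e.g. `# job-level scope is the narrowest GitHub offers; only the agent asset on push-to-registry runs uses id-token/packages/attestations (see PERFORM_ATTESTATION)`. If the amd64 workflow this mirrors carries the same grant, a matching comment there keeps the two files in step. The jobs: mapping continues outside the hunk.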
@@ -74,6 +81,34 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + - name: Parse OCI image name and digest + id: parse-oci-segments + if: ${{ env.PERFORM_ATTESTATION == 'yes' }} + run: | + oci_image="$(<"build/${{ matrix.asset }}-oci-image")" + echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT" + echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT" + + - uses: oras-project/setup-oras@v1 + if: ${{ env.PERFORM_ATTESTATION == 'yes' }} + with: + version: "1.2.0" + + # for pushing attestations to the registry + - uses: docker/login-action@v3 + if: ${{ env.PERFORM_ATTESTATION == 'yes' }} + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - uses: actions/attest-build-provenance@v1 + if: ${{ env.PERFORM_ATTESTATION == 'yes' }} + with: + subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} + subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }} + push-to-registry: true + - name: store-artifact ${{ matrix.asset }} uses: actions/upload-artifact@v4 with:
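Review bot: The parse-oci-segments step writes whatever `build/<asset>-oci-image` holds into oci-name and oci-digest without checking that it is a digest reference; if the file contains no `@`, both `${oci_image%@*}` and `${oci_image#*@}` expand to the full string and attest-build-provenance is handed an image name as its subject-digest. A `case` guard that fails the step unless the value matches `*@sha256:*` turns that into an explicit error. The same step interpolates `${{ matrix.asset }}` directly into the script; matrix.asset comes from a fixed list so it is not injectable, but the neighbouring steps pass values through `env:` (TARGET_BRANCH, RELEASE), and routing it the same way keeps the shell free of expression interpolation. setup-oras is installed here yet nothing in this hunk invokes oras, so a comment saying which later step needs it (or dropping it if it is only copied from amd64) would help. The steps list continues past the hunk with the store-artifact step.
```yaml
      - name: Parse OCI image name and digest
        # … unchanged: id, if …
        env:
          ASSET: ${{ matrix.asset }}
        run: |
          oci_image="$(<"build/${ASSET}-oci-image")"
          case "$oci_image" in
            *@sha256:*) ;;
            *)
              echo "unexpected OCI image reference (no digest): ${oci_image}" >&2
              exit 1
              ;;
          esac
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
      # … unchanged: setup-oras, docker/login-action, attest-build-provenance steps …
```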