name: CI | Build kata-static tarball for s390x on: workflow_call: inputs: stage: required: false type: string default: test tarball-suffix: required: false type: string push-to-registry: required: false type: string default: no commit-hash: required: false type: string target-branch: required: false type: string default: "" jobs: build-asset: runs-on: s390x permissions: contents: read packages: write id-token: write attestations: write strategy: matrix: asset: - agent - coco-guest-components - kernel - kernel-confidential - pause-image - qemu - virtiofsd env: PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: quay.io username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: Build ${{ matrix.asset }} id: build run: | make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/. env: KATA_ASSET: ${{ matrix.asset }} TAR_OUTPUT: ${{ matrix.asset }}.tar.gz PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} ARTEFACT_REGISTRY: ghcr.io ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: Parse OCI image name and digest id: parse-oci-segments if: ${{ env.PERFORM_ATTESTATION == 'yes' }} run: | oci_image="$(<"build/${{ matrix.asset }}-oci-image")" echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT" echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT" # for pushing attestations to the registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 if: ${{ env.PERFORM_ATTESTATION == 'yes' }} with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - uses: actions/attest-build-provenance@v1 if: ${{ env.PERFORM_ATTESTATION == 'yes' }} with: subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }} push-to-registry: true - name: store-artifact ${{ matrix.asset }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz retention-days: 15 if-no-files-found: error build-asset-rootfs: runs-on: s390x needs: build-asset strategy: matrix: asset: - rootfs-image - rootfs-image-confidential - rootfs-initrd - rootfs-initrd-confidential steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: quay.io username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts uses: actions/download-artifact@v4 with: pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} path: kata-artifacts merge-multiple: true - name: Build ${{ matrix.asset }} id: build run: | ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/. env: KATA_ASSET: ${{ matrix.asset }} TAR_OUTPUT: ${{ matrix.asset }}.tar.gz PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} ARTEFACT_REGISTRY: ghcr.io ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz retention-days: 15 if-no-files-found: error build-asset-boot-image-se: runs-on: s390x needs: [build-asset, build-asset-rootfs] steps: - uses: actions/checkout@v4 - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts uses: actions/download-artifact@v4 with: pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} path: kata-artifacts merge-multiple: true - name: Place a host key document run: | mkdir -p "host-key-document" cp "${CI_HKD_PATH}" "host-key-document" env: CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} - name: Build boot-image-se run: | ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "boot-image-se" make boot-image-se-tarball build_dir=$(readlink -f build) sudo cp -r "${build_dir}" "kata-build" sudo chown -R "$(id -u)":"$(id -g)" "kata-build" env: HKD_PATH: "host-key-document" - name: store-artifact boot-image-se uses: actions/upload-artifact@v4 with: name: kata-artifacts-s390x${{ inputs.tarball-suffix }} path: kata-build/kata-static-boot-image-se.tar.xz retention-days: 1 if-no-files-found: error # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs remove-rootfs-binary-artifacts: runs-on: ubuntu-22.04 needs: [build-asset-rootfs, build-asset-boot-image-se] strategy: matrix: asset: - agent - coco-guest-components - pause-image steps: - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 if: ${{ inputs.stage == 'release' }} with: name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }} build-asset-shim-v2: runs-on: s390x needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: quay.io username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts uses: actions/download-artifact@v4 with: pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} path: kata-artifacts merge-multiple: true - name: Build shim-v2 id: build run: | ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/. env: KATA_ASSET: shim-v2 TAR_OUTPUT: shim-v2.tar.gz PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} ARTEFACT_REGISTRY: ghcr.io ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} MEASURED_ROOTFS: no - name: store-artifact shim-v2 uses: actions/upload-artifact@v4 with: name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }} path: kata-build/kata-static-shim-v2.tar.xz retention-days: 15 if-no-files-found: error create-kata-tarball: runs-on: s390x needs: - build-asset - build-asset-rootfs - build-asset-boot-image-se - build-asset-shim-v2 steps: - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts uses: actions/download-artifact@v4 with: pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} path: kata-artifacts merge-multiple: true - name: merge-artifacts run: | ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml - name: store-artifacts uses: actions/upload-artifact@v4 with: name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} path: kata-static.tar.xz retention-days: 15 if-no-files-found: error