name: Publish Kata release artifacts for arm64 on: workflow_call: inputs: target-arch: required: true type: string secrets: QUAY_DEPLOYER_PASSWORD: required: true KBUILD_SIGN_PIN: required: true concurrency: group: ${{ github.workflow }}-${{ github.ref }}-release-arm64 cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results permissions: {} jobs: build-kata-static-tarball-arm64: uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml with: push-to-registry: yes stage: release secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }} permissions: contents: read packages: write id-token: write attestations: write kata-deploy: name: kata-deploy needs: build-kata-static-tarball-arm64 permissions: contents: read packages: write runs-on: ubuntu-24.04-arm steps: - name: Login to Kata Containers ghcr.io uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Kata Containers quay.io uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: quay.io username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: get-kata-artifacts uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: kata-artifacts-arm64-* path: tools/packaging/kata-deploy/local-build/build merge-multiple: true - name: build-and-push-kata-deploy-ci-arm64 id: build-and-push-kata-deploy-ci-arm64 env: TARGET_ARCH: ${{ inputs.target-arch }} run: | # The multi-arch manifest is always published using the release # version (see the publish-multiarch-manifest step), so the per-arch # images must be tagged with the release version too -- regardless of # the branch the release workflow was dispatched from. Otherwise a run # from a testing branch would tag the images with the branch name and # the manifest step would not be able to find them. tag=$(./tools/packaging/release/release.sh release-version) tags=("${tag}") for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "ghcr.io/kata-containers/kata-deploy" \ "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "quay.io/kata-containers/kata-deploy" \ "${tag}-${TARGET_ARCH}" done