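# Reusable workflow (workflow_call): builds one kata-static tarball per
# asset for amd64 and merges them into a single kata-static.tar.xz.
name: CI | Build kata-static tarball for amd64
on:
  workflow_call:
    inputs:
      # Build stage.  'release' turns on RELEASE=yes in the build steps and
      # is the only value the matrix excludes / the release-only cleanup
      # job checks for.
      stage:
        required: false
        type: string
        default: test
      # Optional suffix appended to every uploaded artifact name, so that
      # several invocations can coexist in one workflow run.
      tarball-suffix:
        required: false
        type: string
      # 'yes' enables the quay.io login and the registry pushes.  The value
      # is compared as a string ('yes'), so the default is quoted: an
      # unquoted `no` is a boolean in YAML 1.1 parsers and would surface as
      # "false" in PUSH_TO_REGISTRY instead of "no".
      push-to-registry:
        required: false
        type: string
        default: "no"
      # Commit to check out and build.  It is rebased onto target-branch and
      # built with registry credentials in the environment, so the caller
      # must only pass refs it has already vetted.
      commit-hash:
        required: false
        type: string
      # Branch the checked-out commit is rebased onto (see tests/git-helper.sh).
      target-branch:
        required: false
        type: string
        default: ""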

jobs:
  # Builds every non-rootfs asset in parallel and uploads each tarball as a
  # separate artifact named kata-artifacts-amd64-<asset><suffix>.
  build-asset:
    runs-on: ubuntu-22.04
    # Least-privilege token: packages for the ghcr.io push, id-token and
    # attestations for actions/attest-build-provenance.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    strategy:
      matrix:
        asset:
          - agent
          - agent-ctl
          - busybox
          - cloud-hypervisor
          - cloud-hypervisor-glibc
          - coco-guest-components
          - csi-kata-directvolume
          - firecracker
          - genpolicy
          - kata-ctl
          - kata-manager
          - kernel
          - kernel-confidential
          - kernel-dragonball-experimental
          - kernel-nvidia-gpu
          - kernel-nvidia-gpu-confidential
          - nydus
          - ovmf
          - ovmf-sev
          - pause-image
          - qemu
          - qemu-snp-experimental
          - qemu-tdx-experimental
          - stratovirt
          - trace-forwarder
          - virtiofsd
        stage:
          - ${{ inputs.stage }}
        # cloud-hypervisor-glibc is not built for the release stage.
        exclude:
          - asset: cloud-hypervisor-glibc
            stage: release
    env:
      # Provenance is attested only for the agent image, and only when it
      # is actually pushed to a registry.
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
    steps:
      # NOTE(review): third-party actions in this job are pinned to mutable
      # major tags (@v3, @v1); pinning to a full commit SHA would make the
      # action code immutable across runs.
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      # inputs.commit-hash is built with registry credentials present in the
      # environment below; the caller is responsible for only passing vetted refs.
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: Build ${{ matrix.asset }}
        id: build
        run: |
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
        env:
          KATA_ASSET: ${{ matrix.asset }}
          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
          # The build pushes to ghcr.io with the job token (packages: write above).
          ARTEFACT_REGISTRY: ghcr.io
          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      # build/<asset>-oci-image holds "<name>@<digest>"; split it on the '@'
      # so the attestation subject is the pushed digest, not a mutable tag.
      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        run: |
          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

      - uses: oras-project/setup-oras@v1
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          version: "1.2.0"

      # for pushing attestations to the registry
      - uses: docker/login-action@v3
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/attest-build-provenance@v1
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
          subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }}
          push-to-registry: true

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@v4
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
          retention-days: 15
          if-no-files-found: error

      # The nvidia-gpu kernels additionally produce a headers tarball that
      # later jobs consume (and remove-rootfs-binary-artifacts deletes).
      - name: store-extratarballs-artifact ${{ matrix.asset }}
        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
        uses: actions/upload-artifact@v4
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
          retention-days: 15
          if-no-files-found: error

  # Builds the rootfs images/initrds on top of the artifacts produced by
  # build-asset, and uploads them under the same artifact naming scheme.
  build-asset-rootfs:
    runs-on: ubuntu-22.04
    needs: build-asset
    # NOTE(review): unlike build-asset this job declares no `permissions`, so
    # it runs with whatever scope the caller's token carries, although it
    # only needs contents: read plus packages: write for the ghcr.io push
    # below — confirm and narrow.
    strategy:
      matrix:
        asset:
          - rootfs-image
          - rootfs-image-confidential
          - rootfs-image-mariner
          - rootfs-initrd
          - rootfs-initrd-confidential
          - rootfs-nvidia-gpu-initrd
          - rootfs-nvidia-gpu-confidential-initrd
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      # Pulls every build-asset artifact of this run into kata-artifacts/
      # (merge-multiple flattens them into one directory).
      - name: get-artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
          merge-multiple: true

      - name: Build ${{ matrix.asset }}
        id: build
        run: |
          # Wire the downloaded prebuilt components into the build before
          # invoking make (see tests/gha-adjust-to-use-prebuilt-components.sh).
          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
        env:
          KATA_ASSET: ${{ matrix.asset }}
          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
          ARTEFACT_REGISTRY: ghcr.io
          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@v4
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
          retention-days: 15
          if-no-files-found: error

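  # We don't need the binaries installed in the rootfs as part of the release
  # tarball, so can delete them now we've built the rootfs.  Each entry must
  # match the artifact name used by build-asset's store-artifact /
  # store-extratarballs-artifact steps.
  remove-rootfs-binary-artifacts:
    runs-on: ubuntu-22.04
    needs: build-asset-rootfs
    strategy:
      matrix:
        asset:
          - busybox
          - coco-guest-components
          - kernel-nvidia-gpu-headers
          - kernel-nvidia-gpu-confidential-headers
          - pause-image
    steps:
      # NOTE(review): third-party action pinned to a mutable major tag;
      # a full commit SHA would make it immutable.
      - uses: geekyeggo/delete-artifact@v5
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}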

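  # The agent tarball is only needed to build the rootfs; for release builds
  # it is removed so it does not end up in the final tarball.  The condition
  # is on the step rather than the job on purpose: a skipped job would also
  # skip build-asset-shim-v2, which lists this job in its `needs`.
  remove-rootfs-binary-artifacts-for-release:
    runs-on: ubuntu-22.04
    needs: build-asset-rootfs
    strategy:
      matrix:
        asset:
          - agent
    steps:
      # NOTE(review): third-party action pinned to a mutable major tag;
      # a full commit SHA would make it immutable.
      - uses: geekyeggo/delete-artifact@v5
        if: ${{ inputs.stage == 'release' }}
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}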

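  # Builds shim-v2 last, after the rootfs artifacts exist and the artifacts
  # that must not reach the final tarball have been deleted.
  build-asset-shim-v2:
    runs-on: ubuntu-22.04
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
    # NOTE(review): no job-level `permissions` block, so this job inherits the
    # caller's token scope; like build-asset it only needs contents: read plus
    # packages: write for the ghcr.io push — confirm and narrow.
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      # Pulls every remaining artifact of this run into kata-artifacts/.
      - name: get-artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
          merge-multiple: true

      - name: Build shim-v2
        id: build
        run: |
          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
        env:
          KATA_ASSET: shim-v2
          TAR_OUTPUT: shim-v2.tar.gz
          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
          ARTEFACT_REGISTRY: ghcr.io
          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
          # Quoted so YAML 1.1 parsers do not turn `yes` into the boolean
          # true ("true" in the environment) — the build expects the literal
          # string "yes", matching RELEASE above.
          MEASURED_ROOTFS: "yes"

      - name: store-artifact shim-v2
        uses: actions/upload-artifact@v4
        with:
          name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-shim-v2.tar.xz
          retention-days: 15
          if-no-files-found: error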

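  # Merges every remaining per-asset tarball into the single
  # kata-static.tar.xz that downstream jobs consume.
  create-kata-tarball:
    runs-on: ubuntu-22.04
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    # This job only checks out the tree and moves artifacts around; it never
    # pushes anywhere, so the token is restricted to read access.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
          merge-multiple: true

      # Combines the downloaded tarballs according to versions.yaml; the
      # result is expected at ./kata-static.tar.xz by the upload step below.
      - name: merge-artifacts
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml

      - name: store-artifacts
        uses: actions/upload-artifact@v4
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
          retention-days: 15
          if-no-files-found: error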