name: CI | Build kata-static tarball for amd64 on: workflow_call: inputs: stage: required: false type: string default: test tarball-suffix: required: false type: string push-to-registry: required: false type: string default: no commit-hash: required: false type: string target-branch: required: false type: string default: "" jobs: build-asset: runs-on: ubuntu-22.04 permissions: contents: read packages: write id-token: write attestations: write strategy: matrix: asset: - agent - agent-ctl - busybox - cloud-hypervisor - cloud-hypervisor-glibc - coco-guest-components - csi-kata-directvolume - firecracker - genpolicy - kata-ctl - kata-manager - kernel - kernel-confidential - kernel-dragonball-experimental - kernel-nvidia-gpu - kernel-nvidia-gpu-confidential - nydus - ovmf - ovmf-sev - pause-image - qemu - qemu-snp-experimental - qemu-tdx-experimental - stratovirt - trace-forwarder - virtiofsd stage: - ${{ inputs.stage }} exclude: - asset: cloud-hypervisor-glibc stage: release env: PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} uses: docker/login-action@v3 with: registry: quay.io username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: Build ${{ matrix.asset }} id: build run: | make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/. env: KATA_ASSET: ${{ matrix.asset }} TAR_OUTPUT: ${{ matrix.asset }}.tar.gz PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} ARTEFACT_REGISTRY: ghcr.io ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: Parse OCI image name and digest id: parse-oci-segments if: ${{ env.PERFORM_ATTESTATION == 'yes' }} run: | oci_image="$(<"build/${{ matrix.asset }}-oci-image")" echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT" echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT" - uses: oras-project/setup-oras@v1 if: ${{ env.PERFORM_ATTESTATION == 'yes' }} with: version: "1.2.0" # for pushing attestations to the registry - uses: docker/login-action@v3 if: ${{ env.PERFORM_ATTESTATION == 'yes' }} with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - uses: actions/attest-build-provenance@v1 if: ${{ env.PERFORM_ATTESTATION == 'yes' }} with: subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }} push-to-registry: true - name: store-artifact ${{ matrix.asset }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz retention-days: 15 if-no-files-found: error - name: store-extratarballs-artifact ${{ matrix.asset }} if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz retention-days: 15 if-no-files-found: error build-asset-rootfs: runs-on: ubuntu-22.04 needs: build-asset strategy: matrix: asset: - rootfs-image - rootfs-image-confidential - rootfs-image-mariner - rootfs-initrd - rootfs-initrd-confidential - rootfs-nvidia-gpu-initrd - rootfs-nvidia-gpu-confidential-initrd steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} uses: docker/login-action@v3 with: registry: quay.io username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts uses: actions/download-artifact@v4 with: pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} path: kata-artifacts merge-multiple: true - name: Build ${{ matrix.asset }} id: build run: | ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/. env: KATA_ASSET: ${{ matrix.asset }} TAR_OUTPUT: ${{ matrix.asset }}.tar.gz PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} ARTEFACT_REGISTRY: ghcr.io ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz retention-days: 15 if-no-files-found: error # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs remove-rootfs-binary-artifacts: runs-on: ubuntu-22.04 needs: build-asset-rootfs strategy: matrix: asset: - busybox - coco-guest-components - kernel-nvidia-gpu-headers - kernel-nvidia-gpu-confidential-headers - pause-image steps: - uses: geekyeggo/delete-artifact@v5 with: name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }} # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs remove-rootfs-binary-artifacts-for-release: runs-on: ubuntu-22.04 needs: build-asset-rootfs strategy: matrix: asset: - agent steps: - uses: geekyeggo/delete-artifact@v5 if: ${{ inputs.stage == 'release' }} with: name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }} build-asset-shim-v2: runs-on: ubuntu-22.04 needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} uses: docker/login-action@v3 with: registry: quay.io username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts uses: actions/download-artifact@v4 with: pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} path: kata-artifacts merge-multiple: true - name: Build shim-v2 id: build run: | ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/. env: KATA_ASSET: shim-v2 TAR_OUTPUT: shim-v2.tar.gz PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} ARTEFACT_REGISTRY: ghcr.io ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} MEASURED_ROOTFS: yes - name: store-artifact shim-v2 uses: actions/upload-artifact@v4 with: name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }} path: kata-build/kata-static-shim-v2.tar.xz retention-days: 15 if-no-files-found: error create-kata-tarball: runs-on: ubuntu-22.04 needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] steps: - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts uses: actions/download-artifact@v4 with: pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} path: kata-artifacts merge-multiple: true - name: merge-artifacts run: | ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml - name: store-artifacts uses: actions/upload-artifact@v4 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-static.tar.xz retention-days: 15 if-no-files-found: error