kata-containers/.github/workflows/build-kata-static-tarball-arm64.yaml

name: CI | Build kata-static tarball for arm64
on:
  workflow_call:
    inputs:
      stage:
        required: false
        type: string
        default: test
      tarball-suffix:
        required: false
        type: string
      push-to-registry:
        required: false
        type: string
        default: no
      commit-hash:
        required: false
        type: string
      target-branch:
        required: false
        type: string
        default: ""

jobs:
  build-asset:
    runs-on: ubuntu-22.04-arm
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    strategy:
      matrix:
        asset:
          - agent
          - busybox
          - cloud-hypervisor
          - firecracker
          - kernel
          - kernel-dragonball-experimental
          - kernel-nvidia-gpu
          - nydus
          - qemu
          - stratovirt
          - virtiofsd
    env:
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"          
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: Build ${{ matrix.asset }}
        run: |
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.          
        env:
          KATA_ASSET: ${{ matrix.asset }}
          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
          ARTEFACT_REGISTRY: ghcr.io
          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        run: |
          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"          

      - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          version: "1.2.0"

      # for pushing attestations to the registry
      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/attest-build-provenance@v1
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
          subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }}
          push-to-registry: true

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@v4
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
          retention-days: 15
          if-no-files-found: error

      - name: store-extratarballs-artifact ${{ matrix.asset }}
        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
        uses: actions/upload-artifact@v4
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
          retention-days: 15
          if-no-files-found: error

  build-asset-rootfs:
    runs-on: ubuntu-22.04-arm
    needs: build-asset
    strategy:
      matrix:
        asset:
          - rootfs-image
          - rootfs-initrd
          - rootfs-nvidia-gpu-initrd
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"          
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
          merge-multiple: true

      - name: Build ${{ matrix.asset }}
        run: |
          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.          
        env:
          KATA_ASSET: ${{ matrix.asset }}
          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
          ARTEFACT_REGISTRY: ghcr.io
          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@v4
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
          retention-days: 15
          if-no-files-found: error

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
    runs-on: ubuntu-22.04-arm
    needs: build-asset-rootfs
    strategy:
      matrix:
        asset:
          - busybox
          - kernel-nvidia-gpu-headers
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        with:
          name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts-for-release:
    runs-on: ubuntu-22.04-arm
    needs: build-asset-rootfs
    strategy:
      matrix:
        asset:
          - agent
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
        with:
          name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
    runs-on: ubuntu-22.04-arm
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"          
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
          merge-multiple: true

      - name: Build shim-v2
        run: |
          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.          
        env:
          KATA_ASSET: shim-v2
          TAR_OUTPUT: shim-v2.tar.gz
          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
          ARTEFACT_REGISTRY: ghcr.io
          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact shim-v2
        uses: actions/upload-artifact@v4
        with:
          name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-shim-v2.tar.xz
          retention-days: 15
          if-no-files-found: error

  create-kata-tarball:
    runs-on: ubuntu-22.04-arm
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"          
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}
      - name: get-artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
          merge-multiple: true
      - name: merge-artifacts
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml          
      - name: store-artifacts
        uses: actions/upload-artifact@v4
        with:
          name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
          retention-days: 15
          if-no-files-found: error