mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-05-04 12:31:27 +00:00
It is good practice to add concurrency limits to automatically cancel jobs that have been superseded and potentially stop race conditions if we try and get artifacts by workflows and job id rather than run id. See https://docs.zizmor.sh/audits/#concurrency-limits Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
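# Reusable workflow: builds the amd64 release tarball through the
# build-kata-static-tarball-amd64 workflow, then builds the kata-deploy payload
# from that tarball and uploads it to ghcr.io and quay.io.
name: Publish Kata release artifacts for amd64
on:
  workflow_call:
    inputs:
      # Appended to every image tag as "<tag>-<target-arch>".
      target-arch:
        required: true
        type: string
    secrets:
      # Forwarded to the build job and used for the quay.io login below.
      QUAY_DEPLOYER_PASSWORD:
        required: true
      # Forwarded to the build job only; no step in this file reads it.
      KBUILD_SIGN_PIN:
        required: true

# NOTE(review): in a workflow invoked through workflow_call the github context
# belongs to the caller, so github.workflow is the calling workflow's name.
# This group is therefore shared with the caller and with every other called
# workflow that uses the same expression, and a group holds only one running
# and one pending entry. Confirm the callers cannot collide, or add a suffix
# unique to this file to the group name.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results

# Start from an empty GITHUB_TOKEN scope set; each job below grants only the
# scopes it lists.
permissions: {}

jobs:
  build-kata-static-tarball-amd64:
    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
    with:
      # Quoted so that every YAML parser and linter reads the string "yes"
      # rather than a YAML 1.1 boolean.
      push-to-registry: "yes"
      stage: release
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
    # Upper bound on what the called workflow's jobs may request.
    # NOTE(review): id-token and attestations write are presumably there for
    # artifact attestation in the called workflow - confirm they are still
    # needed, as id-token: write allows minting OIDC tokens.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write

  kata-deploy:
    name: kata-deploy
    needs: build-kata-static-tarball-amd64
    # packages: write lets GITHUB_TOKEN be used for the ghcr.io login below.
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-22.04
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release that SHA is expected to match.
      - name: Login to Kata Containers ghcr.io
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Kata Containers quay.io
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      # persist-credentials: false keeps the checkout token out of the local
      # git configuration. Both registry logins above are still active when
      # the repository scripts in the last step run.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: get-kata-tarball
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: kata-static-tarball-amd64

      - name: build-and-push-kata-deploy-ci-amd64
        id: build-and-push-kata-deploy-ci-amd64
        env:
          # The input reaches the script as an environment variable instead of
          # being expanded into the script text, so its value is never parsed
          # as shell code.
          TARGET_ARCH: ${{ inputs.target-arch }}
        run: |
          # $GITHUB_REF has the form "refs/tags/<tag>" or "refs/heads/<branch>";
          # keep everything after the second "/" as the tag or branch name.
          tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
          if [ "${tag}" = "main" ]; then
            # On main, publish under the release version and also as "latest".
            tag=$(./tools/packaging/release/release.sh release-version)
            tags=("${tag}" "latest")
          else
            tags=("${tag}")
          fi
          # Upload the same payload to both registries under each tag.
          for image_tag in "${tags[@]}"; do
            ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
              "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
              "${image_tag}-${TARGET_ARCH}"
            ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
              "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
              "${image_tag}-${TARGET_ARCH}"
          done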