Create a Pod VM image with mkosi #6
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create a Pod VM image with mkosi | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| registry: | |
| default: 'quay.io/confidential-containers' | |
| required: false | |
| type: string | |
| image_tag: | |
| default: '' | |
| required: false | |
| type: string | |
| git_ref: | |
| description: Git ref to checkout the cloud-api-adaptor repository. | |
| required: true | |
| type: string | |
| arch: | |
| description: Which arch we are building the mkosi image for | |
| default: 'amd64' | |
| required: false | |
| type: string | |
| debug: | |
| description: Whether to build the image in debug mode | |
| default: false | |
| required: false | |
| type: boolean | |
| workflow_call: | |
| inputs: | |
| registry: | |
| default: 'quay.io/confidential-containers' | |
| required: false | |
| type: string | |
| image_tag: | |
| default: '' | |
| required: false | |
| type: string | |
| git_ref: | |
| description: Git ref to checkout the cloud-api-adaptor repository. | |
| required: true | |
| type: string | |
| arch: | |
| description: Which arch we are building the mkosi image for | |
| default: 'amd64' | |
| required: false | |
| type: string | |
| debug: | |
| description: Whether to build the image in debug mode | |
| default: false | |
| required: false | |
| type: boolean | |
| outputs: | |
| qcow2_oras_image: | |
| description: The location of the qcow2 oras container this workflow pushed | |
| value: ${{ jobs.build-image.outputs.qcow2_oras_image }} | |
| docker_oci_image: | |
| description: The location of the docker oci container image this workflow pushed | |
| value: ${{ jobs.build-image.outputs.docker_oci_image }} | |
| defaults: | |
| run: | |
| working-directory: src/cloud-api-adaptor | |
| jobs: | |
| build-image: | |
| name: Build mkosi image | |
| runs-on: ${{ inputs.arch == 's390x' && 's390x' || 'ubuntu-24.04' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| attestations: write | |
| outputs: | |
| qcow2_oras_image: ${{ steps.publish_oras_qcow2.outputs.image }}:${{ steps.publish_oras_qcow2.outputs.tag }} | |
| docker_oci_image: ${{ steps.build_docker_oci.outputs.image }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: "${{ inputs.git_ref }}" | |
| # Required by rootless mkosi | |
| - name: Un-restrict user namespaces | |
| if: inputs.arch == 'amd64' | |
| run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 | |
| - name: Rebase the code | |
| if: github.event_name == 'pull_request_target' | |
| working-directory: ./ | |
| run: | | |
| ./hack/ci-helper.sh rebase-atop-of-the-latest-target-branch | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to quay Container Registry | |
| if: ${{ startsWith(inputs.registry, 'quay.io') }} | |
| uses: docker/#-action@v3 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Login to the ghcr Container registry | |
| if: ${{ startsWith(inputs.registry, 'ghcr.io') }} | |
| uses: docker/#-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install build dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y bubblewrap alien dnf qemu-utils uidmap | |
| sudo snap install yq | |
| - name: Read properties from versions.yaml | |
| run: | | |
| echo "ORAS_VERSION=$(yq -e '.tools.oras' versions.yaml)" >> "$GITHUB_ENV" | |
| - uses: oras-project/setup-oras@v1 | |
| with: | |
| version: ${{ env.ORAS_VERSION }} | |
| - name: Build binaries | |
| id: build_binaries | |
| working-directory: src/cloud-api-adaptor/podvm-mkosi | |
| run: make binaries | |
| env: | |
| ARCH: ${{ inputs.arch }} | |
| - name: Install mkosi | |
| if: ${{ inputs.arch == 's390x' }} | |
| run: | | |
| git clone -b v22 https://github.com/systemd/mkosi | |
| sudo rm -f /usr/local/bin/mkosi | |
| sudo ln -s "$PWD/mkosi/bin/mkosi" /usr/local/bin/mkosi | |
| mkosi --version | |
| - name: Install Nix | |
| if: ${{ inputs.arch == 'amd64' }} | |
| uses: cachix/install-nix-action@v30 | |
| - name: Build nix shell to cache dependencies | |
| if: ${{ inputs.arch == 'amd64' }} | |
| run: nix build .#devShells.x86_64-linux.podvm-mkosi | |
| - name: Build mkosi debug image | |
| if: ${{ inputs.debug == 'true' }} | |
| working-directory: src/cloud-api-adaptor/podvm-mkosi | |
| run: make image-debug | |
| - name: Build mkosi image | |
| if: ${{ inputs.debug != 'true' }} | |
| working-directory: src/cloud-api-adaptor/podvm-mkosi | |
| run: make image | |
| - name: Upload the qcow2 with oras | |
| id: publish_oras_qcow2 | |
| working-directory: src/cloud-api-adaptor/podvm-mkosi | |
| run: | | |
| mkdir oras | |
| cd oras | |
| cp ../build/podvm-*.qcow2 . | |
| tar cJf podvm.tar.xz podvm-*.qcow2 | |
| image=${{ inputs.registry }}/podvm-generic-fedora | |
| if [ "${{inputs.debug}}" = "true" ]; then | |
| image=${image}-debug | |
| fi | |
| image=${image}-${{ inputs.arch }} | |
| tag=$(git rev-parse --short HEAD) | |
| oras push "${image}:${tag}" podvm.tar.xz | |
| # If the input has a different image-tag then also push it with that tag | |
| if [ -n "${{ inputs.image_tag }}" ] && [ "${{ inputs.image_tag }}" != "${tag}" ];then | |
| oras push "${image}:${{ inputs.image_tag }}" podvm.tar.xz | |
| fi | |
| # add image and digest to output for attestation | |
| echo "image=${image}" >> "$GITHUB_OUTPUT" | |
| digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)" | |
| echo "digest=${digest}" >> "$GITHUB_OUTPUT" | |
| echo "tag=${tag}" >> "$GITHUB_OUTPUT" | |
| - uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-name: ${{ steps.publish_oras_qcow2.outputs.image }} | |
| subject-digest: ${{ steps.publish_oras_qcow2.outputs.digest }} | |
| push-to-registry: true | |
| - name: Clean up some space for the docker provider build | |
| working-directory: src/cloud-api-adaptor/podvm-mkosi | |
| run: | | |
| sudo du --max-depth=2 /home/runner || true | |
| sudo du --max-depth=2 /var/lib || true | |
| sudo rm -rf /nix | |
| sudo rm -rf ./build | |
| sudo rm -rf ./mkosi.cache | |
| - name: Build and push image for docker provider | |
| id: build_docker_oci | |
| working-directory: src/cloud-api-adaptor/podvm-mkosi | |
| run: | | |
| tag=$(git rev-parse --short HEAD) | |
| PODVM_TAG=${tag} make image-container | |
| PODVM_TAG=${tag} make push-image-container | |
| arch=$(uname -m) | |
| arch=${arch/x86_64/amd64} | |
| echo "image=ghcr.io/${{ github.repository }}/podvm-docker-image-${arch}:${tag}" >> "$GITHUB_OUTPUT" | |
| env: | |
| REGISTRY: ghcr.io/${{ github.repository }} |