forked from edera-dev/linux-kernel-oci
-
Notifications
You must be signed in to change notification settings - Fork 1
190 lines (188 loc) · 8.41 KB
/
Copy pathmatrix.yml
File metadata and controls
190 lines (188 loc) · 8.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
name: Build Kernel Matrix
on:
workflow_call:
inputs:
spec:
description: 'Build Specification'
type: string
default: "new"
required: true
publish:
description: 'Publish Builds'
type: boolean
default: true
required: true
concurrency:
group: "kernel-builder"
jobs:
matrix:
name: matrix
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
submodules: recursive
- name: install dependencies
run: ./hack/build/install-matrix-deps.sh
- name: generate matrix
run: 'PATH="${HOME}/go/bin:${PATH}" ./hack/build/generate-matrix.sh "${{ inputs.spec }}"'
- name: upload matrix
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: matrix
path: "matrix.json"
compression-level: 0
- name: capture matrix
id: capture-matrix
run: |
# Split matrix.json into two strategy-matrix-shaped outputs: one keyed
# on `builds` (per-arch build jobs) and one on `merges` (per
# (version, flavor) manifest-list assembly jobs). Each iteration of the
# build job sees matrix.builds.* and each merge sees matrix.merges.*.
BUILDS=$(jq -c '{builds: .builds}' matrix.json)
MERGES=$(jq -c '{merges: .merges}' matrix.json)
echo "builds=${BUILDS}" >> "${GITHUB_OUTPUT}"
echo "merges=${MERGES}" >> "${GITHUB_OUTPUT}"
outputs:
builds: "${{ steps.capture-matrix.outputs.builds }}"
merges: "${{ steps.capture-matrix.outputs.merges }}"
build:
name: "build ${{ matrix.builds.version }} ${{ matrix.builds.flavor }} ${{ matrix.builds.arch }}"
needs: matrix
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.matrix.outputs.builds) }}
runs-on: "${{ matrix.builds.runner }}"
env:
KERNEL_PUBLISH: "${{ inputs.publish }}"
KERNEL_VERSION: "${{ matrix.builds.version }}"
KERNEL_SRC_URL: "${{ matrix.builds.source }}"
FIRMWARE_URL: "${{ matrix.builds.firmware_url }}"
FIRMWARE_SIG_URL: "${{ matrix.builds.firmware_sig_url }}"
KERNEL_FLAVOR: "${{ matrix.builds.flavor }}"
KERNEL_TAGS: "${{ join(matrix.builds.tags, ',') }}"
KERNEL_ARCH: "${{ matrix.builds.arch }}"
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
submodules: recursive
- name: install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- name: docker setup linux-kernel-oci
run: sudo python3 ./hack/build/docker-setup.py
- name: docker setup buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- name: docker login ghcr.io
uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
with:
action: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: |
registry: ghcr.io
username: "${{github.actor}}"
password: "${{secrets.GITHUB_TOKEN}}"
- name: restore ccache
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.2
with:
path: ~/.cache/kernel-ccache
# restore-keys is important here - it lets us restore the most recent cache key,
# *ignoring* the specific run ID, as a fuzzy match. So we can use previous build's
# caches for this flavor/arch even if the runid is not the same
key: "ccache-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}-${{ github.run_id }}"
restore-keys: |
ccache-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}-
- name: generate docker script
run: "./hack/build/generate-docker-script.sh"
- name: upload docker script
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "build-${{ matrix.builds.version }}-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}.sh"
path: "docker.sh"
compression-level: 0
- name: run docker script
run: sh -x docker.sh
- name: upload digests
# Only produced when publishing — push-by-digest path writes digests.json.
if: ${{ inputs.publish }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "digests-${{ matrix.builds.version }}-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}"
path: "digests.json"
if-no-files-found: error
compression-level: 0
retention-days: 1
- name: save ccache
# Only save from main. GH's per-repo 10GB cache pool is shared across all refs,
# so PR-scoped saves evict main-scoped entries via LRU - and main is the only ref
# whose entries the next build can actually restore. PRs still benefit because
# they will fallthrough to/inherit parent branch caches
if: github.ref == 'refs/heads/main'
uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.2
with:
path: ~/.cache/kernel-ccache
# The run_id here is just for write-key uniqueness, as GH doesn't allow overwriting
# existing cache keys - the `restore` action will fuzzy-match and ignore the run_id
# for subsequent runs.
key: "ccache-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}-${{ github.run_id }}"
merge:
# Stitch the per-arch single-platform pushes from `build` into multi-arch
# manifest lists. Only runs when publishing; no-op when nothing was pushed.
name: "merge ${{ matrix.merges.version }} ${{ matrix.merges.flavor }}"
needs: [matrix, build]
if: ${{ inputs.publish && needs.matrix.outputs.merges != '' }}
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.matrix.outputs.merges) }}
runs-on: ubuntu-latest
env:
KERNEL_PUBLISH: "${{ inputs.publish }}"
KERNEL_VERSION: "${{ matrix.merges.version }}"
KERNEL_FLAVOR: "${{ matrix.merges.flavor }}"
KERNEL_PRODUCES: "${{ join(matrix.merges.produces, ',') }}"
DIGESTS_DIR: digests
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- name: install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- name: docker setup buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- name: docker login ghcr.io
uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
with:
action: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: |
registry: ghcr.io
username: "${{github.actor}}"
password: "${{secrets.GITHUB_TOKEN}}"
- name: download digest artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
# Each per-arch build uploads its digests under a uniquely-named
# artifact; pattern + default merge-multiple=false drops each artifact
# into its own subdirectory under digests/.
pattern: "digests-${{ matrix.merges.version }}-${{ matrix.merges.flavor }}-*"
path: digests
- name: generate merge script
run: python3 ./hack/build/generate-merge-script.py
- name: upload merge script
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "merge-${{ matrix.merges.version }}-${{ matrix.merges.flavor }}.sh"
path: "merge.sh"
compression-level: 0
- name: run merge script
run: sh -x merge.sh