From 06eca8408566f864c63738d9d5c5fcd9a5a1bd49 Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Sat, 29 Jun 2024 22:04:36 -0400
Subject: [PATCH] feat: initial implementation

---
 .github/dependabot.yml | 11 ++
 .github/pull_request_template.md | 3 +
 .github/workflows/release-please.yml | 13 ++
 .github/workflows/reusable-build.yml | 189 +++++++++++++++++++++++++++
 Containerfile | 15 +++
 cosign.pub | 4 +
 fetch.sh | 24 ++++
 7 files changed, 259 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/pull_request_template.md
 create mode 100644 .github/workflows/release-please.yml
 create mode 100644 .github/workflows/reusable-build.yml
 create mode 100644 Containerfile
 create mode 100644 cosign.pub
 create mode 100755 fetch.sh

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..92c44a8
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..fc8f96d
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,3 @@
+## Thank you for contributing to the Universal Blue project!
+
+Please [read the Contributor's Guide](https://universal-blue.org/contributing.html) before submitting a pull request.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..f2aa6b0
--- /dev/null
+++ b/.github/workflows/release-please.yml
@@ -0,0 +1,13 @@
+on:
+ push:
+ branches:
+ - main
+name: release-please
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: google-github-actions/release-please-action@v4
+ with:
+ release-type: simple
+ package-name: release-please-action
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
new file mode 100644
index 0000000..ab566c1
--- /dev/null
+++ b/.github/workflows/reusable-build.yml
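Review bot: The `release-please` job declares no `permissions:` block, so it runs with whatever `GITHUB_TOKEN` scopes the repository defaults to, which is either broader than the job needs or, on repositories that default to read-only, too narrow to open release PRs and publish releases; declaring `permissions:` with `contents: write` and `pull-requests: write` on the job pins the intent to least privilege. `package-name: release-please-action` reads like a copy from the action's own README rather than the name of this repository's package; with `release-type: simple` it is probably harmless, but worth confirming or dropping.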
@@ -0,0 +1,189 @@
+name: Cache Fsync
+on:
+ merge_group:
+ schedule:
+ - cron: "45 2 * * * *" # 0245 UTC everyday
+ workflow_dispatch:
+
+env:
+ IMAGE_NAME: fsync
+ IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.fedora_version }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ name: fsync
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ fedora_version:
+ - 39
+ - 40
+ steps:
+ - name: Checkout Push to Registry action
+ uses: actions/checkout@v4
+
+ - name: Verify Akmods Image
+ uses: EyeCantCU/cosign-action/verify@v0.2.2
+ with:
+ containers: akmods:fsync-40
+ pubkey: https://raw.githubusercontent.com/ublue-os/akmods/main/cosign.pub
+ registry: ghcr.io/ublue-os
+
+ - name: Get Fsync Kernel Version
+ id: Version
+ uses: Wandalen/wretry.action@v3.5.0
+ with:
+ attempt_limit: 3
+ attempt_delay: 15000
+ command: |
+ kernel_release=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:fsync-40 | jq -r '.Labels["ostree.linux"] | split(".fc")[0]')
+ kernel_major_minor_patch=$(echo "$kernel_release" | cut -d '.' -f 1)
+ ver=$(skopeo inspect docker://registry.fedoraproject.com/fedora:${{ matrix.fedora_version }} | jq -r '.Labels["org.opencontainers.image.version"]')
+ if [ -z "$ver" ] || [ "null" = "$ver" ]; then
+ echo "inspected image version must not be empty or null"
+ exit 1
+ fi
+ echo "version=$ver" >> $GITHUB_ENV
+ echo "kernel_release=${kernel_release}" >> $GITHUB_ENV
+ echo "kernel_major_minor_patch=${kernel_major_minor_patch}" >> $GITHUB_ENV
+
+ - name: Checkout Push to Registry Action
+ uses: actions/checkout@v4
+
+ - name: Generate Tags
+ id: generate_tags
+ shell: bash
+ run: |
+ tag=${{ env.kernel_major_minor_patch }}-fc${{ matrix.fedora_version }}
+ COMMIT_TAGS=()
+ COMMIT_TAGS+=("pr-${{ github.event_number }}-${tag}")
+ COMMIT_TAGS+=("${GITHUB_SHA::7}-${tag}")
+
+ BUILD_TAG=(${tag})
+ if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+ echo "Generated the following commit tags: "
+ for TAG in "${COMMIT_TAGS[@]}"; do
+ echo "${TAG}"
+ done
+
+ alias_tags=("${COMMIT_TAGS[@]}")
+ else
+ alias_tags=("${BUILD_TAGS[@]}")
+ fi
+
+ echo "Generated the following build tags: "
+ for TAG in "${BUILD_TAGS[@]}"; do
+ echo "${TAG}"
+ done
+
+ echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
+
+ - name: Pull Image
+ uses: Wandalen/wrety.action@v3.5.0
+ with:
+ attempt_limit: 3
+ attempt_delay: 15000
+ command: |
+ podman pull registry.fedoraproject.com/fedora:${{ matrix.fedora_version }}
+ pomdan pull scratch
+
+ - name: Build Metadata
+ uses: docker/metadata-action@v5
+ id: meta
+ with:
+ images: |
+ ${{ env.IMAGE_NAME }}
+ labels: |
+ org.opencontainers.image.title=${{ env.IMAGE_NAME }}
+ org.opencontainers.image.description=A caching layer for sentry/kernel-fsync fsync kernel's
+ org.opencontainers.image.version=${{ env.version }}
+ ostree.linux=${{ env.kernel_major_minor_patch }}.fc${{ matrix.fedora_version }}.x86_64
+ io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
+ io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4
+
+ - name: Build Image
+ id: build_image
+ uses: redhat-actions/buildah-build@v2
+ with:
+ containerfiles: |
+ ./Containerfile
+ image: ${{ env.IMAGE_NAME }}
+ tags: ${{ steps.generate_tags.outputs.build_tags }}
+ build-args: |
+ FEDORA_VERSION=${{ matrix.fedora_version }}
+ KERNEL_VERSION=${{ env.kernel_major_minor_patch }}
+ labels: ${{ steps.meta.outputs.labels }}
+ oci: false
+
+ - name: Lowercase Registry
+ id: registry_case
+ uses: ASzc/change-string-case-action@v6
+ with:
+ string: ${{ env.IMAGE_REGISTRY }}
+
+ - name: Push to GHCR
+ uses: Wandalen/wretry.action@v3.5.0
+ id: push
+ if: github.event_name != 'pull_request'
+ env:
+ REGISTRY_USER: ${{ github.actor }}
+ REGISTRY_PASSWORD: ${{ github.token }}
+ with:
+ action: redhat-actions/push-to-registry@v2
+ attempt_limit: 3
+ attempt_delay: 15000
+ with: |
+ image: ${{ steps.build_image.outputs.image }}
+ tags: ${{ steps.build_image.outputs.tags }}
+ registry: ${{ steps.registry_case.outputs.lowercase }}
+ username: ${{ env.REGISTRY_USER }}
+ password: ${{ env.REGISTRY_PASSWORD }}
+ extra-args: |
+ --disable-content-trust
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ if: github.event_name != 'pull_request'
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Sign container
+ - uses: sigstore/cosign-installer@v3.5.0
+ if: github.event_name != 'pull_request'
+
+ - name: Sign container image
+ if: github.event_name != 'pull_request'
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
+ env:
+ TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+ - name: Echo outputs
+ if: github.event_name != 'pull_request'
+ run: |
+ echo "${{ toJSON(steps.push.outputs) }}"
+
+ check:
+ name: Check all builds successful
+ runs-on: ubuntu-latest
+ needs: [build]
+ steps:
+ - name: Exit on failure
+ if: ${{ needs.build.result == 'failure' }}
+ shell: bash
+ run: exit 1
+ - name: Exit
+ shell: bash
+ run: exit 0
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..c9c299c
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,15 @@
+ARG SOURCE_IMAGE=${BASE_IMAGE:-fedora}
+ARG SOURCE_REPO=${registry.fedoraproject.org}
+ARG BASE_IMAGE=${${SOURCE_REPO}/${SOURCE_IMAGE}}
+ARG FEDORA_VERSION=${FEDORA_VERSION:-40}
+
+# Build from base-main since its our smallest image and we control the tags
+FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder
+ARG KERNEL_VERSION=${:-}
+
+COPY fetch.sh /
+
+RUN /fetch.sh
+
+FROM scratch as rpms
+COPY --from=builder /tmp/rpms /tmp/rpms
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..f9482c4
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
+cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+-----END PUBLIC KEY-----
diff --git a/fetch.sh b/fetch.sh
new file mode 100755
index 0000000..348b4fb
--- /dev/null
+++ b/fetch.sh
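Review bot: `Build Image` reads `steps.generate_tags.outputs.build_tags`, but the `Generate Tags` step only writes `alias_tags` to `$GITHUB_OUTPUT`, and the array it fills as `BUILD_TAG=(${tag})` is later read as `${BUILD_TAGS[@]}`, so the image is built and pushed with an empty tag list; rename the array to `BUILD_TAGS` and add `echo "build_tags=${BUILD_TAGS[*]}" >> $GITHUB_OUTPUT` next to the `alias_tags` line. The schedule entry `"45 2 * * * *"` has six fields where GitHub's cron takes five, so the scheduled trigger will never fire; `"45 2 * * *"` matches the `# 0245 UTC everyday` comment. The `Pull Image` step references `Wandalen/wrety.action@v3.5.0` (misspelt `wretry`) and runs `pomdan pull scratch`, and both it and the version lookup use `registry.fedoraproject.com` while `Containerfile` in the same commit spells the registry `registry.fedoraproject.org`. The akmods verify and version-lookup steps hardcode `akmods:fsync-40` regardless of `matrix.fedora_version`, `COMMIT_TAGS` reads `github.event_number` where the context property is `github.event.number`, and the `concurrency` group expands `inputs.fedora_version` although this workflow declares no `workflow_call` inputs, so the matrix entries share one group and cancel each other. Since `.github/dependabot.yml` already tracks `github-actions`, the third-party actions used here (`EyeCantCU/cosign-action`, `Wandalen/wretry.action`, `ASzc/change-string-case-action`) could be pinned to full commit SHAs rather than mutable tags, which matters in a job that holds `packages: write`, `id-token: write` and the image-signing key.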
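Review bot: `FEDORA_VERSION` is declared as an `ARG` only before the first `FROM`, so inside the `builder` stage it is unset; `fetch.sh` runs under `set -u` and expands `${FEDORA_VERSION}`, which will abort the build with an unbound-variable error unless `ARG FEDORA_VERSION` is repeated after the `FROM` line, next to `ARG KERNEL_VERSION` (the workflow already passes both via `build-args`). The defaults `${registry.fedoraproject.org}`, `${${SOURCE_REPO}/${SOURCE_IMAGE}}` and `${:-}` do not look like valid Dockerfile substitution (a variable name cannot contain dots, `${…}` does not nest, and the name cannot be empty), and `SOURCE_IMAGE` references `BASE_IMAGE` before `BASE_IMAGE` is declared, so it always resolves to `fedora`; plain literal defaults express the intent and remain overridable with `--build-arg`. The `# Build from base-main` comment no longer matches the `FROM` line, which builds from the Fedora base image. The rewritten `ARG` section would read:
```dockerfile
ARG SOURCE_IMAGE=fedora
ARG SOURCE_REPO=registry.fedoraproject.org
ARG BASE_IMAGE=${SOURCE_REPO}/${SOURCE_IMAGE}
ARG FEDORA_VERSION=40

# Build from the Fedora base image; FEDORA_VERSION selects the tag and must match the kernel build
FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder
# ARGs declared before FROM are not visible inside a stage; re-declare the ones fetch.sh reads
ARG FEDORA_VERSION
ARG KERNEL_VERSION

# … unchanged: COPY fetch.sh, RUN /fetch.sh, rpms stage …
```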
@@ -0,0 +1,24 @@
+#!/usr/bin/bash
+
+set -eoux pipefail
+
+kernel_version="${KERNEL_VERSION}".fc"${FEDORA_VERSION}".x86_64
+
+curl -LsSf -o /etc/yum.repos.d/_copr_sentry-kernel-ba.repo \
+ https://copr.fedorainfracloud.org/coprs/sentry/kernel-fsync/repo/fedora-"$(rpm -E %fedora)"/sentry-kernel-fsync-fedora-"$(rpm -E %fedora)".repo
+
+dnf install -y 'dnf-command(download)'
+
+dnf download -y \
+ kernel-"${kernel_version}" \
+ kernel-core-"${kernel_version}" \
+ kernel-devel-matched-"${kernel_version}" \
+ kernel-modules-"${kernel_version}" \
+ kernel-modules-core-"${kernel_version}" \
+ kernel-modules-extra-"${kernel_version}" \
+ kernel-headers-"${kernel_version}" \
+ kernel-devel-"${kernel_version}"
+
+mkdir -p /tmp/rpms
+
+mv /kernel-*.rpm /tmp/rpms
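Review bot: `dnf download` saves into the current working directory, and `mv /kernel-*.rpm /tmp/rpms` assumes that is `/`, which holds only because `Containerfile` sets no `WORKDIR`; moving `mkdir -p /tmp/rpms` above the download and passing `--downloaddir=/tmp/rpms` to `dnf download` removes that assumption and the `mv`. As far as I know `dnf download` does not apply `gpgcheck` the way `dnf install` does, so the RPMs handed to the `rpms` stage are unverified at this point; checking them with `rpm -K` after importing the COPR repository's GPG key, or documenting that verification is deferred to the eventual install, is worth deciding explicitly. The repository URL takes the release from `rpm -E %fedora` while `kernel_version` is built from `${FEDORA_VERSION}`; these agree only because the builder image is selected by the same variable, so a one-line comment such as `# %fedora of the builder image equals FEDORA_VERSION (same value picks the FROM tag)` would save a future reader the cross-check.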