-
Notifications
You must be signed in to change notification settings - Fork 9
185 lines (183 loc) · 8.05 KB
/
matrix.yml
File metadata and controls
185 lines (183 loc) · 8.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
name: Build Kernel Matrix
on:
workflow_call:
inputs:
spec:
description: 'Build Specification'
type: string
default: "new"
required: true
publish:
description: 'Publish Builds'
type: boolean
default: true
required: true
concurrency:
group: "kernel-builder"
jobs:
matrix:
name: matrix
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit
- name: checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
submodules: recursive
- name: install dependencies
run: ./hack/build/install-matrix-deps.sh
- name: generate matrix
run: 'PATH="${HOME}/go/bin:${PATH}" ./hack/build/generate-matrix.sh "${{ inputs.spec }}"'
- name: upload matrix
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: matrix
path: "matrix.json"
compression-level: 0
- name: capture matrix
id: capture-matrix
run: |
# Split matrix.json into two strategy-matrix-shaped outputs: one keyed
# on `builds` (per-arch build jobs) and one on `merges` (per
# (version, flavor) manifest-list assembly jobs). Each iteration of the
# build job sees matrix.builds.* and each merge sees matrix.merges.*.
BUILDS=$(jq -c '{builds: .builds}' matrix.json)
MERGES=$(jq -c '{merges: .merges}' matrix.json)
echo "builds=${BUILDS}" >> "${GITHUB_OUTPUT}"
echo "merges=${MERGES}" >> "${GITHUB_OUTPUT}"
outputs:
builds: "${{ steps.capture-matrix.outputs.builds }}"
merges: "${{ steps.capture-matrix.outputs.merges }}"
build:
name: "build ${{ matrix.builds.version }} ${{ matrix.builds.flavor }} ${{ matrix.builds.arch }}"
needs: matrix
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.matrix.outputs.builds) }}
runs-on: "${{ matrix.builds.runner }}"
env:
KERNEL_PUBLISH: "${{ inputs.publish }}"
KERNEL_VERSION: "${{ matrix.builds.version }}"
KERNEL_SRC_URL: "${{ matrix.builds.source }}"
FIRMWARE_URL: "${{ matrix.builds.firmware_url }}"
FIRMWARE_SIG_URL: "${{ matrix.builds.firmware_sig_url }}"
KERNEL_FLAVOR: "${{ matrix.builds.flavor }}"
KERNEL_TAGS: "${{ join(matrix.builds.tags, ',') }}"
KERNEL_ARCH: "${{ matrix.builds.arch }}"
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit
- name: checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
submodules: recursive
- name: install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- name: docker setup linux-kernel-oci
run: sudo python3 ./hack/build/docker-setup.py
- name: docker setup buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: docker login ghcr.io
uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
with:
action: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: |
registry: ghcr.io
username: "${{github.actor}}"
password: "${{secrets.GITHUB_TOKEN}}"
- name: restore ccache
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.2
with:
path: ~/.cache/kernel-ccache
# restore-keys is important here - it lets us restore the most recent cache key,
# *ignoring* the specific run ID, as a fuzzy match. So we can use previous build's
# caches for this flavor/arch even if the runid is not the same
key: "ccache-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}-${{ github.run_id }}"
restore-keys: |
ccache-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}-
- name: generate docker script
run: "./hack/build/generate-docker-script.sh"
- name: upload docker script
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "build-${{ matrix.builds.version }}-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}.sh"
path: "docker.sh"
compression-level: 0
- name: run docker script
run: sh -x docker.sh
- name: upload digests
# Only produced when publishing — push-by-digest path writes digests.json.
if: ${{ inputs.publish }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "digests-${{ matrix.builds.version }}-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}"
path: "digests.json"
if-no-files-found: error
compression-level: 0
retention-days: 1
- name: save ccache
uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.2
with:
path: ~/.cache/kernel-ccache
# The run_id here is just for write-key uniqueness, as GH doesn't allow overwriting
# existing cache keys - the `restore` action will fuzzy-match and ignore the run_id
# for subsequent runs.
key: "ccache-${{ matrix.builds.flavor }}-${{ matrix.builds.arch }}-${{ github.run_id }}"
merge:
# Stitch the per-arch single-platform pushes from `build` into multi-arch
# manifest lists. Only runs when publishing; no-op when nothing was pushed.
name: "merge ${{ matrix.merges.version }} ${{ matrix.merges.flavor }}"
needs: [matrix, build]
if: ${{ inputs.publish && needs.matrix.outputs.merges != '' }}
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.matrix.outputs.merges) }}
runs-on: ubuntu-latest
env:
KERNEL_PUBLISH: "${{ inputs.publish }}"
KERNEL_VERSION: "${{ matrix.merges.version }}"
KERNEL_FLAVOR: "${{ matrix.merges.flavor }}"
KERNEL_PRODUCES: "${{ join(matrix.merges.produces, ',') }}"
DIGESTS_DIR: digests
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit
- name: checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- name: install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- name: docker setup buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: docker login ghcr.io
uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
with:
action: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: |
registry: ghcr.io
username: "${{github.actor}}"
password: "${{secrets.GITHUB_TOKEN}}"
- name: download digest artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
# Each per-arch build uploads its digests under a uniquely-named
# artifact; pattern + default merge-multiple=false drops each artifact
# into its own subdirectory under digests/.
pattern: "digests-${{ matrix.merges.version }}-${{ matrix.merges.flavor }}-*"
path: digests
- name: generate merge script
run: python3 ./hack/build/generate-merge-script.py
- name: upload merge script
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "merge-${{ matrix.merges.version }}-${{ matrix.merges.flavor }}.sh"
path: "merge.sh"
compression-level: 0
- name: run merge script
run: sh -x merge.sh