test Hadron? #3657
| name: Build UKI images | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - master | |
| permissions: | |
| contents: write | |
| security-events: write | |
| id-token: write | |
| actions: read | |
| concurrency: | |
| group: ci-uki-${{ github.head_ref || github.ref }}-${{ github.repository }} | |
| cancel-in-progress: true | |
| jobs: | |
| factory: | |
| uses: kairos-io/kairos-factory-action/.github/workflows/reusable-factory.yaml@handle-full-repository-urls | |
| secrets: | |
| registry_username: ${{ secrets.QUAY_USERNAME }} | |
| registry_password: ${{ secrets.QUAY_PASSWORD }} | |
| with: | |
| auroraboot_version: "v0.15.0" | |
| dockerfile_path: "images/Dockerfile" | |
| base_image: ${{ matrix.base_image }} | |
| kubernetes_distro: ${{ matrix.kubernetes_distro }} | |
| model: "generic" | |
| arch: "amd64" | |
| trusted_boot: true | |
| keys_dir: "$PWD/tests/assets/keys" | |
| sysext_dir: "$PWD/tests/assets/sysext" | |
| single_efi_cmdline: "testentry: nothing" | |
| version: "auto" | |
| iso: true | |
| grype: true | |
| registry_domain: "quay.io" | |
| registry_namespace: "kairos" | |
| registry_repository: "ci-temp-images" | |
| custom_tag_format: "$FLAVOR-$FLAVOR_RELEASE-$VARIANT-$ARCH-$MODEL-$COMMIT_SHA-uki" | |
| custom_artifact_format: "kairos-$FLAVOR-$FLAVOR_RELEASE-$VARIANT-$ARCH-$MODEL-uki" | |
| image_labels: "quay.expires-after=6h" | |
| summary_artifacts: true | |
| strategy: | |
| matrix: | |
| base_image: ["ghcr.io/kairos-io/hadron-trusted:main"] | |
| kubernetes_distro: ["", "k3s"] | |
| test_generic: | |
| needs: factory | |
| runs-on: kvm | |
| strategy: | |
| matrix: | |
| base_image: ["ghcr.io/kairos-io/hadron-trusted:main"] | |
| arch: ["amd64"] | |
| model: ["generic"] | |
| variant: ["core", "standard"] | |
| steps: | |
| - name: Split base image | |
| id: split | |
| run: | | |
| # All of this becuase opensuse/leap:15.6 has to be pushed to the opensuse repo instead of having opensuse-leap and opensuse-tumbleweed... | |
| base_image=$(echo "${{ matrix.base_image }}" | cut -d ':' -f 1) | |
| tag=$(echo "${{ matrix.base_image }}" | cut -d ':' -f 2 || echo 'latest') | |
| # Check if the base image contains a slash | |
| if [[ "$base_image" == *"/"* ]]; then | |
| # Split the base image into distro and sub-distro | |
| distro=$(echo "$base_image" | cut -d '/' -f 1) | |
| sub_distro=$(echo "$base_image" | cut -d '/' -f 2) | |
| # Combine sub-distro and tag | |
| tag="$sub_distro-$tag" | |
| else | |
| # Use the base image as the distro | |
| distro="$base_image" | |
| fi | |
| echo "flavor=$distro" >> $GITHUB_OUTPUT | |
| echo "flavor_release=$tag" >> $GITHUB_OUTPUT | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| fetch-depth: '0' | |
| - name: Set Version | |
| run: echo "VERSION=$(git describe --tags --dirty )" >> $GITHUB_ENV | |
| - name: Install Go | |
| uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 | |
| timeout-minutes: 5 | |
| with: | |
| go-version-file: tests/go.mod | |
| cache-dependency-path: tests/go.sum | |
| cache: ${{ runner.environment == 'self-hosted' && 'false' || 'true' }} | |
| - name: Enable KVM group perms and install deps | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev mkisofs swtpm | |
| # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/ | |
| # echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules | |
| # sudo udevadm control --reload-rules | |
| # sudo udevadm trigger --name-match=kvm | |
| # sudo usermod -a -G kvm,libvirt $USER | |
| # | |
| # TODO: Switch back to the above solution when we switch to the github runners | |
| # https://askubuntu.com/a/1081326 | |
| sudo setfacl -m u:runner:rwx /dev/kvm | |
| - name: Login to Quay Registry | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Download artifacts | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 | |
| with: | |
| name: kairos-${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-uki.iso.zip | |
| - name: Build uki upgrade image 🔧 | |
| run: | | |
| echo "Building upgrade image for generic test" | |
| docker build -t upgrade-image - <<EOF | |
| FROM quay.io/kairos/ci-temp-images:${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.sha }}-uki | |
| RUN echo "Current release info: \$(cat /etc/kairos-release)" | |
| RUN sed -i 's/^KAIROS_VERSION=.*/KAIROS_VERSION="mynewversion"/' /etc/kairos-release | |
| RUN echo "New release info: \$(cat /etc/kairos-release)" | |
| EOF | |
| mkdir -p $PWD/build | |
| docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v $PWD/build:/result \ | |
| -v $PWD/tests/assets/keys:/keys \ | |
| quay.io/kairos/auroraboot:v0.10.0 --debug build-uki \ | |
| --output-dir /result --output-type container \ | |
| --public-keys /keys \ | |
| --tpm-pcr-private-key /keys/tpm2-pcr-private.pem \ | |
| --sb-key /keys/db.key --sb-cert /keys/db.pem \ | |
| docker:upgrade-image | |
| image=$(docker load -i build/*.tar | grep "Loaded image" | awk -F: '{ st = index($0,":");print substr($0,st+1)}' | sed 's/+/-/g' | xargs) | |
| echo "Image: $image" | |
| rand=$(head /dev/urandom | tr -dc a-z0-9 | head -c 7) | |
| temp_image=quay.io/kairos/ci-temp-images:$(echo $image | sed "s/:latest/-${rand}/") | |
| docker build --label quay.expires-after="6h" --tag $temp_image - <<EOF | |
| FROM $image | |
| EOF | |
| docker push $temp_image | |
| echo $temp_image > build/upgrade_image_name | |
| - name: Run tests 🔧 | |
| env: | |
| USE_QEMU: true | |
| KVM: true | |
| MEMORY: 6000 | |
| CPUS: 4 | |
| FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd | |
| EMULATE_TPM: true | |
| UKI_TEST: true | |
| run: | | |
| mv $PWD/kairos-*-uki.iso $PWD/build/ | |
| export ISO=$(ls $PWD/build/kairos-*-uki.iso) | |
| export UPGRADE_IMAGE=$(cat "${PWD}/build/upgrade_image_name") | |
| export EXPECTED_NEW_VERSION="mynewversion" | |
| export EXPECTED_SINGLE_ENTRY="testentry" | |
| cp tests/go.* . | |
| go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "generic" --fail-fast -r ./tests/ | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| if: failure() | |
| with: | |
| name: ${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-generic-uki.logs.zip | |
| path: tests/**/logs/* | |
| if-no-files-found: warn | |
| test_boot_assessment: | |
| needs: factory | |
| runs-on: kvm | |
| strategy: | |
| matrix: | |
| base_image: ["ghcr.io/kairos-io/hadron:main"] | |
| arch: ["amd64"] | |
| model: ["generic"] | |
| variant: ["core"] | |
| steps: | |
| - name: Split base image | |
| id: split | |
| run: | | |
| # All of this becuase opensuse/leap:15.6 has to be pushed to the opensuse repo instead of having opensuse-leap and opensuse-tumbleweed... | |
| base_image=$(echo "${{ matrix.base_image }}" | cut -d ':' -f 1) | |
| tag=$(echo "${{ matrix.base_image }}" | cut -d ':' -f 2 || echo 'latest') | |
| # Check if the base image contains a slash | |
| if [[ "$base_image" == *"/"* ]]; then | |
| # Split the base image into distro and sub-distro | |
| distro=$(echo "$base_image" | cut -d '/' -f 1) | |
| sub_distro=$(echo "$base_image" | cut -d '/' -f 2) | |
| # Combine sub-distro and tag | |
| tag="$sub_distro-$tag" | |
| else | |
| # Use the base image as the distro | |
| distro="$base_image" | |
| fi | |
| echo "flavor=$distro" >> $GITHUB_OUTPUT | |
| echo "flavor_release=$tag" >> $GITHUB_OUTPUT | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| fetch-depth: '0' | |
| - name: Set Version | |
| run: echo "VERSION=$(git describe --tags --dirty )" >> $GITHUB_ENV | |
| - name: Install Go | |
| uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 | |
| timeout-minutes: 5 | |
| with: | |
| go-version-file: tests/go.mod | |
| cache-dependency-path: tests/go.sum | |
| cache: ${{ runner.environment == 'self-hosted' && 'false' || 'true' }} | |
| - name: Enable KVM group perms and install deps | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev mkisofs swtpm | |
| # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/ | |
| # echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules | |
| # sudo udevadm control --reload-rules | |
| # sudo udevadm trigger --name-match=kvm | |
| # sudo usermod -a -G kvm,libvirt $USER | |
| # | |
| # TODO: Switch back to the above solution when we switch to the github runners | |
| # https://askubuntu.com/a/1081326 | |
| sudo setfacl -m u:runner:rwx /dev/kvm | |
| - name: Login to Quay Registry | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Download artifacts | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 | |
| with: | |
| name: kairos-${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-uki.iso.zip | |
| - name: Run tests 🔧 | |
| env: | |
| USE_QEMU: true | |
| KVM: true | |
| MEMORY: 6000 | |
| CPUS: 4 | |
| FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd | |
| EMULATE_TPM: true | |
| UKI_TEST: true | |
| run: | | |
| mkdir -p $PWD/build | |
| mv $PWD/kairos-*-uki.iso $PWD/build/ | |
| export ISO=$(ls $PWD/build/kairos-*-uki.iso) | |
| cp tests/go.* . | |
| go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "boot-assessment" --fail-fast -r ./tests/ | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| if: failure() | |
| with: | |
| name: ${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ inputs.variant }}-generic-uki.logs.zip | |
| path: tests/**/logs/* | |
| if-no-files-found: warn |
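Review bot: The failure-only log upload at the end of `test_boot_assessment` names its artifact with `${{ inputs.variant }}`, but this workflow is triggered by `pull_request`/`push`, where the `inputs` context is empty, so that field of the artifact name is blank; `test_generic` uses `${{ matrix.variant }}` for the same field and this job should too: `name: ${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-generic-uki.logs.zip`. The upgrade-image step in `test_generic` runs `quay.io/kairos/auroraboot:v0.10.0` while the `factory` job is pinned to `auroraboot_version: "v0.15.0"`, so the ISO and the upgrade UKI are produced by different tool versions; unless that skew is deliberate, use the same version in both places (and consider pinning the image by digest, the way the `uses:` lines already pin actions by commit SHA). The workflow-level `permissions` block grants `contents: write`, `security-events: write` and `id-token: write` to every job, yet the two test jobs only check out code, download artifacts and push to Quay with registry secrets; moving the write scopes into the `factory` job's own `permissions` and leaving the test jobs at `contents: read` keeps their tokens least-privileged. Note also that the `Split base image` step keeps only the first two `/`-separated fields, so both `ghcr.io/kairos-io/hadron:main` and `ghcr.io/kairos-io/hadron-trusted:main` yield the same flavor/flavor_release and hence the same download-artifact name; whether that matches the tag the reusable factory workflow actually produces cannot be confirmed from this file.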