
test Hadron?

test Hadron? #3659

Workflow file for this run

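# Builds the Kairos UKI images and boots them in QEMU-based test jobs.
# Runs for every pull request and for pushes to master.
name: Build UKI images
on:
  pull_request:
  push:
    branches:
      - master
# NOTE(review): workflow-level grants are inherited by every job that does not
# declare its own `permissions`. `contents: write`, `security-events: write`
# and `id-token: write` are broad for a workflow triggered by `pull_request`;
# confirm which job actually needs each one and keep the write scopes there.
permissions:
  contents: write
  security-events: write
  id-token: write
  actions: read
# One concurrency group per ref and repository: a newer run for the same
# pull request or branch cancels the run that is still in progress.
concurrency:
  group: ci-uki-${{ github.head_ref || github.ref }}-${{ github.repository }}
  cancel-in-progress: true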
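jobs:
  # Builds the UKI artifacts through the kairos-factory-action reusable
  # workflow, once per (base_image, kubernetes_distro) matrix entry.
  factory:
    # NOTE(review): the reusable workflow is referenced by branch name while
    # every other action in this file is pinned to a commit SHA. It receives
    # the registry credentials below, so whoever can push to that branch
    # controls code that sees them. Pin to a full commit SHA once the branch
    # is merged.
    uses: kairos-io/kairos-factory-action/.github/workflows/reusable-factory.yaml@handle-full-repository-urls
    secrets:
      registry_username: ${{ secrets.QUAY_USERNAME }}
      registry_password: ${{ secrets.QUAY_PASSWORD }}
    with:
      auroraboot_version: "v0.15.0"
      dockerfile_path: "images/Dockerfile"
      base_image: ${{ matrix.base_image }}
      kubernetes_distro: ${{ matrix.kubernetes_distro }}
      model: "generic"
      arch: "amd64"
      trusted_boot: true
      # Signing material comes from the repository's tests/assets tree.
      # NOTE(review): presumably test-only keys; images signed with them
      # must never be trusted outside CI. Confirm.
      keys_dir: "$PWD/tests/assets/keys"
      sysext_dir: "$PWD/tests/assets/sysext"
      single_efi_cmdline: "testentry: nothing"
      version: "auto"
      iso: true
      grype: true
      registry_domain: "quay.io"
      registry_namespace: "kairos"
      registry_repository: "ci-temp-images"
      custom_tag_format: "$FLAVOR-$FLAVOR_RELEASE-$VARIANT-$ARCH-$MODEL-$COMMIT_SHA-uki"
      custom_artifact_format: "kairos-$FLAVOR-$FLAVOR_RELEASE-$VARIANT-$ARCH-$MODEL-uki"
      # Pushed CI images expire on quay.io after six hours.
      image_labels: "quay.expires-after=6h"
      summary_artifacts: true
    strategy:
      matrix:
        base_image: ["ghcr.io/kairos-io/hadron-trusted:main"]
        kubernetes_distro: ["", "k3s"]

  # Boots the ISO produced by `factory` in QEMU, builds and pushes an upgrade
  # image, then runs the ginkgo specs labelled "generic".
  test_generic:
    needs: factory
    # NOTE(review): `kvm` looks like a self-hosted runner label (see the TODO
    # in the KVM step). This job runs repository test code with sudo and the
    # Docker socket on `pull_request`; confirm that runs from forks require
    # approval before they reach this runner.
    runs-on: kvm
    # No step in this job uses the GitHub token beyond the checkout, so the
    # workflow-level write scopes are dropped here.
    permissions:
      contents: read
    strategy:
      matrix:
        base_image: ["ghcr.io/kairos-io/hadron-trusted:main"]
        arch: ["amd64"]
        model: ["generic"]
        variant: ["core", "standard"]
    steps:
      - name: Split base image
        id: split
        env:
          # Passed through the environment so the value is never pasted into
          # the script text.
          BASE_IMAGE_REF: ${{ matrix.base_image }}
        run: |
          # Split base image for tag generation
          BASE_IMAGE=$(echo "$BASE_IMAGE_REF" | cut -d ':' -f 1)
          # `cut -s` prints nothing when the reference has no ':'; without it
          # cut echoes the whole reference and the 'latest' fallback never runs.
          BASE_TAG=$(echo "$BASE_IMAGE_REF" | cut -s -d ':' -f 2)
          BASE_TAG="${BASE_TAG:-latest}"
          # Handle base images with slashes (registry paths)
          # Examples:
          # - ubuntu:24.04 -> FLAVOR=ubuntu, FLAVOR_RELEASE=24.04
          # - opensuse/leap:15.6 -> FLAVOR=opensuse, FLAVOR_RELEASE=leap-15.6
          # - ghcr.io/kairos-io/hadron:main -> FLAVOR=hadron, FLAVOR_RELEASE=main
          if [[ "$BASE_IMAGE" == *"/"* ]]; then
            # Count number of slashes to determine if it's a registry path
            SLASH_COUNT=$(echo "$BASE_IMAGE" | tr -cd '/' | wc -c)
            if [[ $SLASH_COUNT -eq 1 ]]; then
              # Simple case: distro/subdistro (preserve existing behavior)
              DISTRO=$(echo "$BASE_IMAGE" | cut -d '/' -f 1)
              SUB_DISTRO=$(echo "$BASE_IMAGE" | cut -d '/' -f 2)
              FLAVOR="$DISTRO"
              FLAVOR_RELEASE="$SUB_DISTRO-$BASE_TAG"
            else
              # Registry path with multiple slashes: extract last component as FLAVOR
              # e.g., ghcr.io/kairos-io/hadron -> FLAVOR=hadron
              FLAVOR=$(echo "$BASE_IMAGE" | awk -F'/' '{print $NF}')
              FLAVOR_RELEASE="$BASE_TAG"
            fi
          else
            # No slashes: simple image name
            FLAVOR="$BASE_IMAGE"
            FLAVOR_RELEASE="$BASE_TAG"
          fi
          echo "Base Image: $BASE_IMAGE"
          echo "Determined Flavor: $FLAVOR"
          echo "Determined Flavor Release: $FLAVOR_RELEASE"
          echo "flavor=$FLAVOR" >> "$GITHUB_OUTPUT"
          echo "flavor_release=$FLAVOR_RELEASE" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          # Full history so `git describe --tags` can find a tag.
          fetch-depth: '0'
          # Later steps only read the working tree; do not leave the token in
          # .git/config where the test code could read it.
          persist-credentials: false
      - name: Set Version
        run: echo "VERSION=$(git describe --tags --dirty )" >> "$GITHUB_ENV"
      - name: Install Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
        timeout-minutes: 5
        with:
          go-version-file: tests/go.mod
          cache-dependency-path: tests/go.sum
          # Dependency caching is switched off on self-hosted runners.
          cache: ${{ runner.environment == 'self-hosted' && 'false' || 'true' }}
      - name: Enable KVM group perms and install deps
        run: |
          sudo apt-get update
          sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-utils qemu-kvm acl udev mkisofs swtpm
          # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/
          # echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          # sudo udevadm control --reload-rules
          # sudo udevadm trigger --name-match=kvm
          # sudo usermod -a -G kvm,libvirt $USER
          #
          # TODO: Switch back to the above solution when we switch to the github runners
          # https://askubuntu.com/a/1081326
          sudo setfacl -m u:runner:rwx /dev/kvm
      - name: Login to Quay Registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      - name: Download artifacts
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: kairos-${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-uki.iso.zip
      - name: Build uki upgrade image 🔧
        env:
          # Image pushed by the factory job for this commit; read from the
          # environment instead of being expanded into the script text.
          SOURCE_IMAGE: "quay.io/kairos/ci-temp-images:${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.sha }}-uki"
        run: |
          echo "Building upgrade image for generic test"
          docker build -t upgrade-image - <<EOF
          FROM ${SOURCE_IMAGE}
          RUN echo "Current release info: \$(cat /etc/kairos-release)"
          RUN sed -i 's/^KAIROS_VERSION=.*/KAIROS_VERSION="mynewversion"/' /etc/kairos-release
          RUN echo "New release info: \$(cat /etc/kairos-release)"
          EOF
          mkdir -p "$PWD/build"
          # NOTE(review): auroraboot is v0.10.0 here but the factory job asks
          # for v0.15.0; confirm the older tag is intended. The image is also
          # referenced by tag rather than digest and is handed the host Docker
          # socket and the signing keys, so pinning it by digest is worth
          # considering.
          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
            -v "$PWD/build":/result \
            -v "$PWD/tests/assets/keys":/keys \
            quay.io/kairos/auroraboot:v0.10.0 --debug build-uki \
            --output-dir /result --output-type container \
            --public-keys /keys \
            --tpm-pcr-private-key /keys/tpm2-pcr-private.pem \
            --sb-key /keys/db.key --sb-cert /keys/db.pem \
            docker:upgrade-image
          # Take the image name from the "Loaded image: ..." line and replace
          # every '+' with '-'.
          image=$(docker load -i build/*.tar | grep "Loaded image" | awk -F: '{ st = index($0,":");print substr($0,st+1)}' | sed 's/+/-/g' | xargs)
          echo "Image: $image"
          # Random suffix so concurrent jobs do not push the same temporary tag.
          rand=$(head /dev/urandom | tr -dc a-z0-9 | head -c 7)
          temp_image=quay.io/kairos/ci-temp-images:$(echo "$image" | sed "s/:latest/-${rand}/")
          docker build --label quay.expires-after="6h" --tag "$temp_image" - <<EOF
          FROM $image
          EOF
          docker push "$temp_image"
          echo "$temp_image" > build/upgrade_image_name
      - name: Run tests 🔧
        env:
          # Quoted: environment variables are always strings.
          USE_QEMU: "true"
          KVM: "true"
          MEMORY: "6000"
          CPUS: "4"
          FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
          EMULATE_TPM: "true"
          UKI_TEST: "true"
        run: |
          mv "$PWD"/kairos-*-uki.iso "$PWD/build/"
          export ISO=$(ls "$PWD"/build/kairos-*-uki.iso)
          export UPGRADE_IMAGE=$(cat "${PWD}/build/upgrade_image_name")
          export EXPECTED_NEW_VERSION="mynewversion"
          export EXPECTED_SINGLE_ENTRY="testentry"
          cp tests/go.* .
          go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "generic" --fail-fast -r ./tests/
      # Keep the test logs only when the job failed.
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        if: failure()
        with:
          name: ${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-generic-uki.logs.zip
          path: tests/**/logs/*
          if-no-files-found: warn

  # Boots the ISO produced by `factory` in QEMU and runs the ginkgo specs
  # labelled "boot-assessment".
  test_boot_assessment:
    needs: factory
    # NOTE(review): same runner as test_generic; `kvm` looks self-hosted, so
    # confirm that pull requests from forks require approval before running.
    runs-on: kvm
    # No step in this job uses the GitHub token beyond the checkout.
    permissions:
      contents: read
    strategy:
      matrix:
        # NOTE(review): the factory matrix in this file only lists
        # hadron-trusted:main, so no artifact for hadron:main appears to be
        # built here; confirm which image this job is meant to test.
        base_image: ["ghcr.io/kairos-io/hadron:main"]
        arch: ["amd64"]
        model: ["generic"]
        variant: ["core"]
    steps:
      - name: Split base image
        id: split
        env:
          # Passed through the environment so the value is never pasted into
          # the script text.
          BASE_IMAGE_REF: ${{ matrix.base_image }}
        run: |
          # Same derivation as the test_generic job. The previous two-field
          # split turned ghcr.io/kairos-io/hadron:main into
          # flavor=ghcr.io, flavor_release=kairos-io-main.
          BASE_IMAGE=$(echo "$BASE_IMAGE_REF" | cut -d ':' -f 1)
          # `cut -s` prints nothing when the reference has no ':'; without it
          # cut echoes the whole reference and the 'latest' fallback never runs.
          BASE_TAG=$(echo "$BASE_IMAGE_REF" | cut -s -d ':' -f 2)
          BASE_TAG="${BASE_TAG:-latest}"
          # Examples:
          # - ubuntu:24.04 -> FLAVOR=ubuntu, FLAVOR_RELEASE=24.04
          # - opensuse/leap:15.6 -> FLAVOR=opensuse, FLAVOR_RELEASE=leap-15.6
          # - ghcr.io/kairos-io/hadron:main -> FLAVOR=hadron, FLAVOR_RELEASE=main
          if [[ "$BASE_IMAGE" == *"/"* ]]; then
            # Count number of slashes to determine if it's a registry path
            SLASH_COUNT=$(echo "$BASE_IMAGE" | tr -cd '/' | wc -c)
            if [[ $SLASH_COUNT -eq 1 ]]; then
              # distro/subdistro: opensuse/leap:15.6 is published under the
              # opensuse flavor with the sub-distro folded into the release.
              DISTRO=$(echo "$BASE_IMAGE" | cut -d '/' -f 1)
              SUB_DISTRO=$(echo "$BASE_IMAGE" | cut -d '/' -f 2)
              FLAVOR="$DISTRO"
              FLAVOR_RELEASE="$SUB_DISTRO-$BASE_TAG"
            else
              # Registry path with multiple slashes: last component is the flavor
              FLAVOR=$(echo "$BASE_IMAGE" | awk -F'/' '{print $NF}')
              FLAVOR_RELEASE="$BASE_TAG"
            fi
          else
            # No slashes: simple image name
            FLAVOR="$BASE_IMAGE"
            FLAVOR_RELEASE="$BASE_TAG"
          fi
          echo "flavor=$FLAVOR" >> "$GITHUB_OUTPUT"
          echo "flavor_release=$FLAVOR_RELEASE" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          # Full history so `git describe --tags` can find a tag.
          fetch-depth: '0'
          # Later steps only read the working tree; do not leave the token in
          # .git/config where the test code could read it.
          persist-credentials: false
      - name: Set Version
        run: echo "VERSION=$(git describe --tags --dirty )" >> "$GITHUB_ENV"
      - name: Install Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
        timeout-minutes: 5
        with:
          go-version-file: tests/go.mod
          cache-dependency-path: tests/go.sum
          # Dependency caching is switched off on self-hosted runners.
          cache: ${{ runner.environment == 'self-hosted' && 'false' || 'true' }}
      - name: Enable KVM group perms and install deps
        run: |
          sudo apt-get update
          sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-utils qemu-kvm acl udev mkisofs swtpm
          # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/
          # echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          # sudo udevadm control --reload-rules
          # sudo udevadm trigger --name-match=kvm
          # sudo usermod -a -G kvm,libvirt $USER
          #
          # TODO: Switch back to the above solution when we switch to the github runners
          # https://askubuntu.com/a/1081326
          sudo setfacl -m u:runner:rwx /dev/kvm
      - name: Login to Quay Registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      - name: Download artifacts
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: kairos-${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-uki.iso.zip
      - name: Run tests 🔧
        env:
          # Quoted: environment variables are always strings.
          USE_QEMU: "true"
          KVM: "true"
          MEMORY: "6000"
          CPUS: "4"
          FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
          EMULATE_TPM: "true"
          UKI_TEST: "true"
        run: |
          mkdir -p "$PWD/build"
          mv "$PWD"/kairos-*-uki.iso "$PWD/build/"
          export ISO=$(ls "$PWD"/build/kairos-*-uki.iso)
          cp tests/go.* .
          go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "boot-assessment" --fail-fast -r ./tests/
      # Keep the test logs only when the job failed.
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        if: failure()
        with:
          # `matrix.variant`, not `inputs.variant`: this workflow declares no
          # inputs, so the old expression expanded to an empty string.
          name: ${{ steps.split.outputs.flavor }}-${{ steps.split.outputs.flavor_release }}-${{ matrix.variant }}-generic-uki.logs.zip
          path: tests/**/logs/*
          if-no-files-found: warn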