Merge branch 'main' into bleggett/retry-docker-login #2
Workflow file for this run
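name: Build Kernel Matrix

# Reusable workflow (`workflow_call`): the `matrix` job generates a JSON build
# matrix from the caller-supplied spec; the `build` job then fans out over that
# matrix, building one kernel flavor/architecture set per runner and
# optionally publishing the result to ghcr.io.
on:
  workflow_call:
    inputs:
      spec:
        description: 'Build Specification'
        type: string
        default: "new"
        required: true
      publish:
        description: 'Publish Builds'
        type: boolean
        default: true
        required: true

# Serialise runs of this workflow; no cancel-in-progress, so queued runs wait.
concurrency:
  group: "kernel-builder"

# NOTE(review): no `permissions:` block is declared, so the GITHUB_TOKEN that
# the ghcr.io login uses inherits whatever the calling workflow grants. A
# least-privilege grant (`contents: read`, plus `packages: write` only where
# publishing actually happens) belongs in the caller or on the `build` job.

jobs:
  matrix:
    name: matrix
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - name: checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          submodules: recursive
      - name: install dependencies
        run: ./hack/build/install-matrix-deps.sh
      - name: generate matrix
        # `inputs.spec` is caller-controlled text. Handing it to the shell via
        # `env:` and expanding a quoted variable keeps it out of the command
        # parse; interpolating `${{ inputs.spec }}` directly into `run:` would
        # let a crafted spec value break out of the argument.
        env:
          BUILD_SPEC: "${{ inputs.spec }}"
        run: 'PATH="${HOME}/go/bin:${PATH}" ./hack/build/generate-matrix.sh "${BUILD_SPEC}"'
      - name: upload matrix
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: matrix
          path: "matrix.json"
          compression-level: 0
      - name: capture matrix
        id: capture-matrix
        # Single-line `key=value` output; assumes generate-matrix.sh writes
        # matrix.json without embedded newlines — TODO confirm, otherwise this
        # needs the multi-line `<<EOF` output syntax.
        run: >
          echo "matrix=$(cat matrix.json)" >> "${GITHUB_OUTPUT}"
    outputs:
      matrix: "${{ steps.capture-matrix.outputs.matrix }}"

  build:
    name: "build ${{ matrix.builds.version }} ${{ matrix.builds.flavor }}"
    needs: matrix
    strategy:
      fail-fast: false
      # Matrix shape (`builds.*` fields) is whatever generate-matrix.sh emits.
      matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
    # Runner label is taken from the generated matrix, so the matrix generator
    # decides where each build lands.
    runs-on: "${{ matrix.builds.runner }}"
    # All matrix-derived values reach the build script through the environment
    # rather than being interpolated into `run:` lines.
    env:
      KERNEL_PUBLISH: "${{ inputs.publish }}"
      KERNEL_VERSION: "${{ matrix.builds.version }}"
      KERNEL_SRC_URL: "${{ matrix.builds.source }}"
      FIRMWARE_URL: "${{ matrix.builds.firmware_url }}"
      FIRMWARE_SIG_URL: "${{ matrix.builds.firmware_sig_url }}"
      KERNEL_FLAVOR: "${{ matrix.builds.flavor }}"
      KERNEL_TAGS: "${{ join(matrix.builds.tags, ',') }}"
      KERNEL_ARCHITECTURES: "${{ join(matrix.builds.architectures, ',') }}"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - name: checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          submodules: recursive
      - name: install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: docker setup linux-kernel-oci
        run: sudo python3 ./hack/build/docker-setup.py
      - name: docker setup buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: docker login ghcr.io
        # Retry wrapper around docker/login-action; the inner action is pinned
        # by SHA like every other step.
        # NOTE(review): wretry.action documents its `with` input as a string
        # (`with: |` block scalar); the nested mapping below may not be what
        # the action receives — confirm against this run's step output.
        uses: Wandalen/wretry.action@e163fd2433953d9cc77f0bc47cb60fef01aaa450 # v3.8.0
        with:
          action: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
          with:
            registry: ghcr.io
            username: "${{github.actor}}"
            password: "${{secrets.GITHUB_TOKEN}}"
      - name: restore ccache
        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.2
        with:
          path: ~/.cache/kernel-ccache
          # restore-keys is important here - it lets us restore the most recent cache key,
          # *ignoring* the specific run ID, as a fuzzy match. So we can use previous build's
          # caches for this flavor/arch even if the runid is not the same
          key: "ccache-${{ matrix.builds.flavor }}-${{ join(matrix.builds.architectures, '-') }}-${{ github.run_id }}"
          restore-keys: |
            ccache-${{ matrix.builds.flavor }}-${{ join(matrix.builds.architectures, '-') }}-
      - name: generate docker script
        run: "./hack/build/generate-docker-script.sh"
      - name: upload docker script
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: "build-${{ matrix.builds.version }}-${{ matrix.builds.flavor }}.sh"
          path: "docker.sh"
          compression-level: 0
      - name: run docker script
        # `-x` traces every expanded command into the job log; fine for the
        # non-secret env above, but anything sensitive the generated script
        # touches would be echoed too — keep that in mind if docker.sh changes.
        run: sh -x docker.sh
      - name: save ccache
        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.2
        with:
          path: ~/.cache/kernel-ccache
          # The run_id here is just for write-key uniqueness, as GH doesn't allow overwriting
          # existing cache keys - the `restore` action will fuzzy-match and ignore the run_id
          # for subsequent runs.
          key: "ccache-${{ matrix.builds.flavor }}-${{ join(matrix.builds.architectures, '-') }}-${{ github.run_id }}"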