diff --git a/.github/workflows/arch.yaml b/.github/workflows/arch.yaml index fb48cf2..df85d3e 100644 --- a/.github/workflows/arch.yaml +++ b/.github/workflows/arch.yaml @@ -2,9 +2,26 @@ name: Build (arch) on: workflow_dispatch: + inputs: + version: + description: 'Enter a tagged OGC kernel version in the format -ogc' + required: true push: + tags: + - 'v*' -permissions: read-all +env: + OCI_REPO: ghcr.io/${{ github.repository }}/arch + +permissions: + contents: read + packages: write + id-token: write + attestations: write + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build-arch: @@ -29,6 +46,7 @@ jobs: rm -rf /opt-host/hostedtoolcache rm -rf /opt-host/az df -h + - name: Checkout sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: @@ -49,7 +67,7 @@ jobs: - name: Install dependencies run: | - pacman -Syu --noconfirm bc cpio gettext libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra + pacman -Syu --noconfirm bc cpio gettext jq libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra - name: Build linux package id: build-kernel-package 
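Review bot: The `version` input added under `workflow_dispatch` is `required: true` but nothing in the diff reads `inputs.version`; the `Get OGC version` step derives the version from `github.ref_name` and every publish step is gated on `startsWith(github.ref, 'refs/tags/')`, so a manual run on a branch builds, publishes nothing, and discards the typed value. Either drop the input or consume it, e.g. `env: TAG: ${{ inputs.version || github.ref_name }}` on the version step with the `if:` guards adjusted to match, and state in the `description` which refs a dispatch will publish from. `OCI_REPO: ghcr.io/${{ github.repository }}/arch` keeps the case of the repository name while OCI repository paths must be lowercase, so an owner or repo containing capitals will fail at `oras push` — lowercasing once (`tr '[:upper:]' '[:lower:]'`) avoids that. Narrowing `push` to `v*` tags also means branch pushes no longer run this workflow, and any account able to create a `v*` tag can now trigger a signed publish backed by `packages: write` and `id-token: write` — a tag ruleset limiting who may create `v*` tags is the matching control. The same points apply to the first hunks of nobara.yaml and ubuntu.yaml.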
@@ -59,3 +77,64 @@ jobs: . /home/build/linux/arch/PKGBUILD full_version=${pkgver}-${pkgrel} echo "full_version=$full_version" >> "$GITHUB_OUTPUT" + + - name: Get OGC version + if: startsWith(github.ref, 'refs/tags/') + id: version + run: | + TAG="${{ github.ref_name }}" + echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" + + - name: Setup ORAS + if: startsWith(github.ref, 'refs/tags/') + uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1 + + - name: Setup Cosign + if: startsWith(github.ref, 'refs/tags/') + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + + - name: Login to ghcr.io + if: startsWith(github.ref, 'refs/tags/') + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin + + - name: Push OCI artifact + if: startsWith(github.ref, 'refs/tags/') + id: push + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + cd /home/build/linux/arch + DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.pkg.tar.zst | jq -r '.digest') + if [ -z "$DIGEST" ]; then + echo "::error::Failed to capture digest from oras push" + exit 1 + fi + oras tag "${REPO}:${VERSION}" latest + echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + + - name: Attest build provenance + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 + with: + subject-name: ${{ env.OCI_REPO }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + - name: Sign artifacts + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + cosign sign --yes "${REPO}:${VERSION}" + cosign sign --yes "${REPO}:latest" + + - name: Verify signature + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + cosign verify \ + --certificate-identity-regexp=".*" 
\ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + "${REPO}:${VERSION}" diff --git a/.github/workflows/nobara.yaml b/.github/workflows/nobara.yaml index 3224221..3ea1ebc 100644 --- a/.github/workflows/nobara.yaml +++ b/.github/workflows/nobara.yaml @@ -2,9 +2,26 @@ name: Build (Nobara) on: workflow_dispatch: + inputs: + version: + description: 'Enter a tagged OGC kernel version in the format -ogc' + required: true push: + tags: + - 'v*' -permissions: read-all +env: + OCI_REPO: ghcr.io/${{ github.repository }}/nobara + +permissions: + contents: read + packages: write + id-token: write + attestations: write + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build-rpm: @@ -29,6 +46,7 @@ jobs: rm -rf /opt-host/hostedtoolcache rm -rf /opt-host/az df -h + - name: Checkout sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: @@ -37,6 +55,8 @@ jobs: - name: Dependencies run: | dnf -y builddep nobara/kernel.spec + dnf -y install jq + - name: build run: | TOPDIR="$(pwd)/rpmbuild" 
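Review bot: `--certificate-identity-regexp=".*"` in `Verify signature` accepts a certificate issued to any workflow in any GitHub repository, so the check passes for a signature produced by a third party's Actions run and only proves the OIDC issuer; pin it to this workflow, e.g. `--certificate-identity="https://github.com/${{ github.workflow_ref }}"`. `Sign artifacts` signs by tag (`"${REPO}:${VERSION}"`, `"${REPO}:latest"`) although `steps.push.outputs.digest` is already captured; signing `"${REPO}@${DIGEST}"` once binds the signature to the manifest that was actually pushed (both tags resolve to it), removes the window in which a tag could be re-pointed between push and sign, and the verify step should consume the same digest. `TAG="${{ github.ref_name }}"` in `Get OGC version` interpolates the tag name into the script text, and `$`, `(` and `"` are legal in ref names, so pass it through `env:` and read `"$TAG"` instead. `jq -r '.digest'` prints `null` rather than an empty string when the key is absent, so the `-z` guard misses that case; `jq -er '.digest // empty'` fails the pipeline instead. The same applies to the matching hunks in nobara.yaml and ubuntu.yaml.
```yaml
      - name: Get OGC version
        if: startsWith(github.ref, 'refs/tags/')
        id: version
        env:
          TAG: ${{ github.ref_name }}
        run: |
          echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"

      # … unchanged: Setup ORAS, Setup Cosign, Login to ghcr.io …

      - name: Push OCI artifact
        if: startsWith(github.ref, 'refs/tags/')
        id: push
        run: |
          # … unchanged: VERSION/REPO assignment, cd …
          DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.pkg.tar.zst | jq -er '.digest // empty')
          # … unchanged: empty-digest check, oras tag, digest output …

      # … unchanged: Attest build provenance …

      - name: Sign artifacts
        if: startsWith(github.ref, 'refs/tags/')
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          REPO="${{ env.OCI_REPO }}"
          cosign sign --yes "${REPO}@${DIGEST}"

      - name: Verify signature
        if: startsWith(github.ref, 'refs/tags/')
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          REPO="${{ env.OCI_REPO }}"
          cosign verify \
            --certificate-identity="https://github.com/${{ github.workflow_ref }}" \
            --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
            "${REPO}@${DIGEST}"
```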
@@ -45,3 +65,68 @@ jobs: cp nobara/* $TOPDIR/SOURCES rpmbuild --define "_topdir $TOPDIR" -ba ./nobara/kernel.spec + + - name: Get OGC version + if: startsWith(github.ref, 'refs/tags/') + id: version + run: | + TAG="${{ github.ref_name }}" + echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" + + - name: Setup ORAS + if: startsWith(github.ref, 'refs/tags/') + uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1 + + - name: Setup Cosign + if: startsWith(github.ref, 'refs/tags/') + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + + - name: Login to ghcr.io + if: startsWith(github.ref, 'refs/tags/') + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin + + - name: Push OCI artifact + if: startsWith(github.ref, 'refs/tags/') + id: push + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + TOPDIR="$(pwd)/rpmbuild" + mkdir -p /tmp/rpms + cp "$TOPDIR"/RPMS/x86_64/*.rpm /tmp/rpms/ 2>/dev/null || true + cp "$TOPDIR"/RPMS/noarch/*.rpm /tmp/rpms/ 2>/dev/null || true + cd /tmp/rpms + DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.rpm | jq -r '.digest') + if [ -z "$DIGEST" ]; then + echo "::error::Failed to capture digest from oras push" + exit 1 + fi + oras tag "${REPO}:${VERSION}" latest + echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + + - name: Attest build provenance + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 + with: + subject-name: ${{ env.OCI_REPO }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + - name: Sign artifacts + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + cosign sign --yes "${REPO}:${VERSION}" + cosign sign --yes "${REPO}:latest" + + - name: Verify signature + if: startsWith(github.ref, 'refs/tags/') + run: | + 
VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + cosign verify \ + --certificate-identity-regexp=".*" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + "${REPO}:${VERSION}" diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml index 8399068..371b088 100644 --- a/.github/workflows/ubuntu.yaml +++ b/.github/workflows/ubuntu.yaml @@ -2,9 +2,26 @@ name: Build (ubuntu) on: workflow_dispatch: + inputs: + version: + description: 'Enter a tagged OGC kernel version in the format -ogc' + required: true push: + tags: + - 'v*' -permissions: read-all +env: + OCI_REPO: ghcr.io/${{ github.repository }}/ubuntu + +permissions: + contents: read + packages: write + id-token: write + attestations: write + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build-deb: @@ -29,6 +46,7 @@ jobs: rm -rf /opt-host/hostedtoolcache rm -rf /opt-host/az df -h + - name: Checkout sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: @@ -38,8 +56,9 @@ jobs: run: | export DEBIAN_FRONTEND=noninteractive apt-get update -y - apt-get install -y build-essential devscripts debhelper dh-python asciidoc-base bc bison cpio dwarves flex kmod libdw-dev libiberty-dev libnuma-dev libslang2-dev lz4 rsync wget xmlto git + apt-get install -y build-essential devscripts debhelper dh-python asciidoc-base bc bison cpio dwarves flex jq kmod libdw-dev libiberty-dev libnuma-dev libslang2-dev lz4 rsync wget xmlto git apt-get install -y libunwind-dev libpfm4-dev coccinelle openjdk-17-jdk libcapstone-dev libbabeltrace-dev systemtap-sdt-dev libzstd-dev dwarves zstd libbfd-dev libperl-dev libssl-dev + - name: Get sources run: | wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.19.6.tar.xz 
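Review bot: Both `cp "$TOPDIR"/RPMS/.../*.rpm /tmp/rpms/ 2>/dev/null || true` lines in `Push OCI artifact` hide a failed copy, so if rpmbuild produced nothing in either directory the step carries on and `oras push` receives the literal `./*.rpm`; the resulting failure is then attributed to oras rather than to the missing build output. Replace the `|| true` pair with one guard after the copies, `[ -n "$(ls /tmp/rpms/*.rpm 2>/dev/null)" ] || { echo "::error::no RPMs found under $TOPDIR/RPMS"; exit 1; }`, or enable `shopt -s nullglob` and test the expansion. The glob also appears to sweep up every RPM rpmbuild wrote — debuginfo and debugsource packages included, if the spec generates them — which may not be what you intend to publish under `latest`; worth confirming against the spec. The signing and verification points raised on the arch.yaml hunk apply here unchanged.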
@@ -48,8 +67,70 @@ jobs: cd linux-6.19.6 cp ../config .config patch -Np1 < "../monolithic.patch" + - name: Build run: | cd linux-6.19.6 make olddefconfig fakeroot make -j$(nproc) bindeb-pkg + + - name: Get OGC version + if: startsWith(github.ref, 'refs/tags/') + id: version + run: | + TAG="${{ github.ref_name }}" + echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" + + - name: Setup ORAS + if: startsWith(github.ref, 'refs/tags/') + uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1 + + - name: Setup Cosign + if: startsWith(github.ref, 'refs/tags/') + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + + - name: Login to ghcr.io + if: startsWith(github.ref, 'refs/tags/') + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin + + - name: Push OCI artifact + if: startsWith(github.ref, 'refs/tags/') + id: push + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + cd $GITHUB_WORKSPACE + DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.deb | jq -r '.digest') + if [ -z "$DIGEST" ]; then + echo "::error::Failed to capture digest from oras push" + exit 1 + fi + oras tag "${REPO}:${VERSION}" latest + echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + + - name: Attest build provenance + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 + with: + subject-name: ${{ env.OCI_REPO }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + - name: Sign artifacts + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + cosign sign --yes "${REPO}:${VERSION}" + cosign sign --yes "${REPO}:latest" + + - name: Verify signature + if: startsWith(github.ref, 'refs/tags/') + run: | + VERSION="${{ steps.version.outputs.version }}" + REPO="${{ env.OCI_REPO }}" + cosign verify \ + 
--certificate-identity-regexp=".*" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + "${REPO}:${VERSION}"
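Review bot: `cd $GITHUB_WORKSPACE` in `Push OCI artifact` is the one unquoted expansion in these scripts; write `cd "$GITHUB_WORKSPACE"` to match the quoting used for `"$TOPDIR"` and the other variables. Because `bindeb-pkg` writes its packages to the parent of the source tree, `./*.deb` publishes whatever the build emitted there — presumably `linux-image`, `linux-headers` and `linux-libc-dev` at minimum — so the artifact's contents follow the kernel's packaging rather than an explicit list; consider naming the packages you intend to ship. The signing and verification points raised on the arch.yaml hunk apply here unchanged.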