80 changes: 78 additions & 2 deletions .github/workflows/arch.yaml
Expand Up @@ -2,9 +2,23 @@ name: Build (arch)

on:
workflow_dispatch:
inputs:
version:
description: 'Enter a tagged OGC kernel version in the format <kernel-version>-ogc<rev>'
required: true
push:
tags:
- 'v*'

permissions: read-all
permissions:
contents: read
packages: write
id-token: write
attestations: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
build-arch:
Expand All @@ -29,6 +43,7 @@ jobs:
rm -rf /opt-host/hostedtoolcache
rm -rf /opt-host/az
df -h
- name: Checkout sources
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
Expand All @@ -49,7 +64,7 @@ jobs:
- name: Install dependencies
run: |
pacman -Syu --noconfirm bc cpio gettext libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra
pacman -Syu --noconfirm bc cpio gettext jq libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra
- name: Build linux package
id: build-kernel-package
Expand All @@ -59,3 +74,64 @@ jobs:
. /home/build/linux/arch/PKGBUILD
full_version=${pkgver}-${pkgrel}
echo "full_version=$full_version" >> "$GITHUB_OUTPUT"
- name: Get OGC version
if: startsWith(github.ref, 'refs/tags/')
id: version
run: |
TAG="${{ github.ref_name }}"
echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
- name: Setup ORAS
if: startsWith(github.ref, 'refs/tags/')
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1

- name: Setup Cosign
if: startsWith(github.ref, 'refs/tags/')
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0

- name: Login to ghcr.io
if: startsWith(github.ref, 'refs/tags/')
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push OCI artifact
if: startsWith(github.ref, 'refs/tags/')
id: push
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/arch"
cd /home/build/linux/arch
DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.pkg.tar.zst | jq -r '.digest')
if [ -z "$DIGEST" ]; then
echo "::error::Failed to capture digest from oras push"
exit 1
fi
oras tag "${REPO}:${VERSION}" latest
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Attest build provenance
if: startsWith(github.ref, 'refs/tags/')
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
with:
subject-name: ghcr.io/opengamingcollective/kernel-packages/arch
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true

- name: Sign artifacts
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/arch"
cosign sign --yes "${REPO}:${VERSION}"
cosign sign --yes "${REPO}:latest"
- name: Verify signature
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/arch"
cosign verify \
--certificate-identity-regexp=".*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
"${REPO}:${VERSION}"
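Review bot: The `Verify signature` step passes `--certificate-identity-regexp=".*"`, so it accepts a signature from any workflow in any repository that can obtain a GitHub Actions OIDC certificate; it does not show that this workflow signed the artifact. The same step appears in nobara.yaml and ubuntu.yaml. `Sign artifacts` and the verify also address the image by tag, which is mutable, although the `push` step already exports the digest. I would sign and verify by digest and pin the identity to this workflow, as sketched below. `github.workflow_ref` matches the certificate identity only while the workflow is not invoked as a reusable workflow.

```yaml
      # … unchanged: Push OCI artifact, Attest build provenance …
      - name: Sign artifacts
        if: startsWith(github.ref, 'refs/tags/')
        env:
          IMAGE: ghcr.io/opengamingcollective/kernel-packages/arch@${{ steps.push.outputs.digest }}
        run: |
          # A signature is attached to the digest, so it covers every tag
          # (including latest) that resolves to this manifest.
          cosign sign --yes "$IMAGE"

      - name: Verify signature
        if: startsWith(github.ref, 'refs/tags/')
        env:
          IMAGE: ghcr.io/opengamingcollective/kernel-packages/arch@${{ steps.push.outputs.digest }}
          IDENTITY: https://github.com/${{ github.workflow_ref }}
        run: |
          cosign verify \
            --certificate-identity="$IDENTITY" \
            --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
            "$IMAGE"
```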
84 changes: 83 additions & 1 deletion .github/workflows/nobara.yaml
Expand Up @@ -2,9 +2,23 @@ name: Build (Nobara)

on:
workflow_dispatch:
inputs:
version:
description: 'Enter a tagged OGC kernel version in the format <kernel-version>-ogc<rev>'
required: true
push:
tags:
- 'v*'

permissions: read-all
permissions:
contents: read
packages: write
id-token: write
attestations: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
build-rpm:
Expand All @@ -29,6 +43,7 @@ jobs:
rm -rf /opt-host/hostedtoolcache
rm -rf /opt-host/az
df -h
- name: Checkout sources
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
Expand All @@ -37,6 +52,8 @@ jobs:
- name: Dependencies
run: |
dnf -y builddep nobara/kernel.spec
dnf -y install jq
- name: build
run: |
TOPDIR="$(pwd)/rpmbuild"
Expand All @@ -45,3 +62,68 @@ jobs:
cp nobara/* $TOPDIR/SOURCES
rpmbuild --define "_topdir $TOPDIR" -ba ./nobara/kernel.spec
- name: Get OGC version
if: startsWith(github.ref, 'refs/tags/')
id: version
run: |
TAG="${{ github.ref_name }}"
echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
- name: Setup ORAS
if: startsWith(github.ref, 'refs/tags/')
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1

- name: Setup Cosign
if: startsWith(github.ref, 'refs/tags/')
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0

- name: Login to ghcr.io
if: startsWith(github.ref, 'refs/tags/')
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push OCI artifact
if: startsWith(github.ref, 'refs/tags/')
id: push
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/nobara"
TOPDIR="$(pwd)/rpmbuild"
mkdir -p /tmp/rpms
cp "$TOPDIR"/RPMS/x86_64/*.rpm /tmp/rpms/ 2>/dev/null || true
cp "$TOPDIR"/RPMS/noarch/*.rpm /tmp/rpms/ 2>/dev/null || true
cd /tmp/rpms
DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.rpm | jq -r '.digest')
if [ -z "$DIGEST" ]; then
echo "::error::Failed to capture digest from oras push"
exit 1
fi
oras tag "${REPO}:${VERSION}" latest
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Attest build provenance
if: startsWith(github.ref, 'refs/tags/')
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
with:
subject-name: ghcr.io/opengamingcollective/kernel-packages/nobara
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true

- name: Sign artifacts
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/nobara"
cosign sign --yes "${REPO}:${VERSION}"
cosign sign --yes "${REPO}:latest"
- name: Verify signature
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/nobara"
cosign verify \
--certificate-identity-regexp=".*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
"${REPO}:${VERSION}"
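Review bot: `Get OGC version` expands `${{ github.ref_name }}` directly into the script text, so the tag name is spliced into shell source before the shell parses it, and git ref names may contain shell metacharacters. This happens in a job that holds `packages: write` and `id-token: write`. Pass the value through the environment instead: add `env:` with `TAG: ${{ github.ref_name }}` to the step and drop the `TAG="${{ github.ref_name }}"` line, leaving `echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"` as it is. The same applies to the unquoted `-u ${{ github.actor }}` in `Login to ghcr.io`, and to the identical steps in arch.yaml and ubuntu.yaml. Because the derived version becomes a registry tag, a format check on `$TAG` against the project's tag convention before writing the output would also be worth adding.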
82 changes: 80 additions & 2 deletions .github/workflows/ubuntu.yaml
Expand Up @@ -2,9 +2,23 @@ name: Build (ubuntu)

on:
workflow_dispatch:
inputs:
version:
description: 'Enter a tagged OGC kernel version in the format <kernel-version>-ogc<rev>'
required: true
push:
tags:
- 'v*'

permissions: read-all
permissions:
contents: read
packages: write
id-token: write
attestations: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
build-deb:
Expand All @@ -29,6 +43,7 @@ jobs:
rm -rf /opt-host/hostedtoolcache
rm -rf /opt-host/az
df -h
- name: Checkout sources
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
Expand All @@ -38,8 +53,9 @@ jobs:
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get install -y build-essential devscripts debhelper dh-python asciidoc-base bc bison cpio dwarves flex kmod libdw-dev libiberty-dev libnuma-dev libslang2-dev lz4 rsync wget xmlto git
apt-get install -y build-essential devscripts debhelper dh-python asciidoc-base bc bison cpio dwarves flex jq kmod libdw-dev libiberty-dev libnuma-dev libslang2-dev lz4 rsync wget xmlto git
apt-get install -y libunwind-dev libpfm4-dev coccinelle openjdk-17-jdk libcapstone-dev libbabeltrace-dev systemtap-sdt-dev libzstd-dev dwarves zstd libbfd-dev libperl-dev libssl-dev
- name: Get sources
run: |
wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.19.6.tar.xz
Expand All @@ -48,8 +64,70 @@ jobs:
cd linux-6.19.6
cp ../config .config
patch -Np1 < "../monolithic.patch"
- name: Build
run: |
cd linux-6.19.6
make olddefconfig
fakeroot make -j$(nproc) bindeb-pkg
- name: Get OGC version
if: startsWith(github.ref, 'refs/tags/')
id: version
run: |
TAG="${{ github.ref_name }}"
echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
- name: Setup ORAS
if: startsWith(github.ref, 'refs/tags/')
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1

- name: Setup Cosign
if: startsWith(github.ref, 'refs/tags/')
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0

- name: Login to ghcr.io
if: startsWith(github.ref, 'refs/tags/')
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push OCI artifact
if: startsWith(github.ref, 'refs/tags/')
id: push
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu"
cd $GITHUB_WORKSPACE
DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.deb | jq -r '.digest')
if [ -z "$DIGEST" ]; then
echo "::error::Failed to capture digest from oras push"
exit 1
fi
oras tag "${REPO}:${VERSION}" latest
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Attest build provenance
if: startsWith(github.ref, 'refs/tags/')
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
with:
subject-name: ghcr.io/opengamingcollective/kernel-packages/ubuntu
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true

- name: Sign artifacts
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu"
cosign sign --yes "${REPO}:${VERSION}"
cosign sign --yes "${REPO}:latest"
- name: Verify signature
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
REPO="ghcr.io/opengamingcollective/kernel-packages/ubuntu"
cosign verify \
--certificate-identity-regexp=".*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
"${REPO}:${VERSION}"
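Review bot: The new top-level `permissions:` block grants `packages: write`, `id-token: write` and `attestations: write` to every job and trigger of the workflow (only `build-deb` is visible here), so the downloaded kernel sources, the applied patch and the whole package build run with that token before anything is published. Keep the workflow default read-only (`permissions: read-all`, as before) and declare the write scopes on a separate publish job that `needs:` the build job and receives the `.deb` files as an uploaded artifact. Then only the push, attest and sign steps can request OIDC tokens or write packages. arch.yaml and nobara.yaml have the same layout. The steps between the hunks are not visible, so this page does not show whether the kernel tarball fetched by `wget` is checked against a pinned checksum; if it is not, the provenance attestation vouches for an unverified input.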