Skip to content
Build Bootc Agent Bootstrap Images

Build Bootc Agent Bootstrap Images #859

Sign in to view logs

Build Bootc Agent Bootstrap Images

Build Bootc Agent Bootstrap Images #859

Workflow file for this run

.github/workflows/build-bootc.yaml at 69952ba
name: "Build Bootc Agent Bootstrap Images"
on:
pull_request:
schedule:
- cron: '0 */12 * * *'
workflow_dispatch:
env:
REGISTRY: quay.io
REPOSITORY: flightctl
jobs:
build-and-push-bootstrap-images:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
flavor: [centos, fedora, rhel]
steps:
- name: Clone repository
uses: actions/checkout@v4
- name: Modify Containerfile
run: |
pushd images/bootc/${{ matrix.flavor }}-bootc
echo "${{ secrets.FLIGHTCTL_RSA_PUB }}" > flightctl_rsa.pub
sed -i -e 's/^# COPY flightctl_rsa.pub \/usr\/etc-system\/root.keys/COPY flightctl_rsa.pub \/usr\/etc-system\/root.keys/' \
-e 's/^# RUN touch \/etc\/ssh\/sshd_config.d\/30-auth-system.conf;/RUN touch \/etc\/ssh\/sshd_config.d\/30-auth-system.conf;/' \
-e 's/^# mkdir -p \/usr\/etc-system\/;/ mkdir -p \/usr\/etc-system\/;/' \
-e 's/^# echo '\''AuthorizedKeysFile \/usr\/etc-system\/%u.keys'\'' >> \/etc\/ssh\/sshd_config.d\/30-auth-system.conf;/ echo '\''AuthorizedKeysFile \/usr\/etc-system\/%u.keys'\'' >> \/etc\/ssh\/sshd_config.d\/30-auth-system.conf;/' \
-e 's/^# chmod 0600 \/usr\/etc-system\/root.keys/ chmod 0600 \/usr\/etc-system\/root.keys/' \
-e 's/^# VOLUME \/var\/roothome/VOLUME \/var\/roothome/' Containerfile
echo "${{ secrets.CA_CRT }}" > ca.crt
echo "${{ secrets.CLIENT_ENROLLMENT_CRT }}" > client-enrollment.crt
echo "${{ secrets.CLIENT_ENROLLMENT_KEY }}" > client-enrollment.key
popd
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to registry.redhat.io (for RHEL image)
if: ${{ matrix.flavor }} == 'rhel'
uses: docker/login-action@v3
with:
registry: registry.redhat.io
username: ${{ secrets.RH_REGISTRY_USERNAME }}
password: ${{ secrets.RH_REGISTRY_PASSWORD }}
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.QUAY_FLIGHTCTL_INFRA_ROBOT_USERNAME }}
password: ${{ secrets.QUAY_FLIGHTCTL_INFRA_ROBOT_PASSWORD }}
- name: Build image
id: build
uses: docker/build-push-action@v5
with:
context: images/bootc/${{ matrix.flavor }}-bootc
file: images/bootc/${{ matrix.flavor }}-bootc/Containerfile
load: true
tags: user/flightctl-agent:test
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Test image
run: |
ID=$(docker create ${{ steps.build.outputs.imageid }} /verify-flightctl-agent.sh)
docker cp .github/workflow-scripts/verify-flightctl-agent.sh $ID:/
docker start $ID
exit $(docker inspect $ID --format='{{.State.ExitCode}}')
- name: Push image
id: push
uses: docker/build-push-action@v5
with:
context: images/bootc/${{ matrix.flavor }}-bootc
file: images/bootc/${{ matrix.flavor }}-bootc/Containerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/flightctl-agent-${{ matrix.flavor }}:bootstrap
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Install cosign
uses: sigstore/[email protected]
- name: Sign images
run: |
cosign login \
-u "${{ secrets.QUAY_FLIGHTCTL_INFRA_ROBOT_USERNAME }}" \
-p "${{ secrets.QUAY_FLIGHTCTL_INFRA_ROBOT_PASSWORD }}" \
quay.io
cosign sign \
--yes \
${{ env.REGISTRY }}/${{ env.REPOSITORY }}/flightctl-agent-${{ matrix.flavor }}@${{ steps.push.outputs.digest }}
build-bootc-images:
needs: build-and-push-bootstrap-images
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
flavor: [rhel, centos, fedora]
arch: [amd64, arm64]
format: [qcow2, raw]
steps:
- name: Build bootc image
run: |
mkdir output
if [ "${{ matrix.arch }}" == "arm64" ]; then
sudo apt install -y qemu-user-static
fi
sudo podman run \
--rm \
-it \
--privileged \
--pull=newer \
--security-opt label=type:unconfined_t \
-v $(pwd)/output:/output \
quay.io/centos-bootc/bootc-image-builder:latest \
--target-arch ${{ matrix.arch }} \
--type ${{ matrix.format }} \
${{ env.REGISTRY }}/${{ env.REPOSITORY }}/flightctl-agent-${{ matrix.flavor }}:bootstrap
if [ "${{ matrix.format }}" == "raw" ]; then
OUTPUT=output/image/disk.raw
else
OUTPUT=output/qcow2/disk.qcow2
fi
sudo mv $OUTPUT "${{ matrix.arch }}-${{ matrix.format }}"
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.flavor }}-${{ matrix.arch}}-${{ matrix.format }}
path: ${{ matrix.arch }}-${{ matrix.format }}
compression-level: 0
push-bootc-images:
needs: build-bootc-images
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
flavor: [rhel, centos, fedora]
steps:
- name: Clone repository
uses: actions/checkout@v4
- name: Free disk space
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf "/usr/local/share/boost"
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
sudo rm -rf /usr/local/lib/android
- name: Download artifacts
uses: actions/download-artifact@v4
with:
path: bootc-images
pattern: ${{ matrix.flavor }}-*
merge-multiple: true
- name: Build and push disk images
id: build-and-push
run: |
cp .github/workflow-scripts/buildah-build-and-push-manifest.sh bootc-images
URL=${{ env.REGISTRY }}/${{ env.REPOSITORY }}/flightctl-agent-${{ matrix.flavor }}
podman run \
--rm \
-v $(pwd)/bootc-images:/bootc-images \
-e "BUILDAH_USERNAME=${{ secrets.QUAY_FLIGHTCTL_INFRA_ROBOT_USERNAME }}" \
-e "BUILDAH_PASSWORD=${{ secrets.QUAY_FLIGHTCTL_INFRA_ROBOT_PASSWORD }}" \
-e "BUILDAH_URL=$URL:bootc" \
quay.io/buildah/stable:v1.36.0 \
/bootc-images/buildah-build-and-push-manifest.sh
DIGEST=$(cat bootc-images/digest)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Install cosign
uses: sigstore/[email protected]
- name: Sign images
run: |
cosign login \
-u "${{ secrets.QUAY_FLIGHTCTL_INFRA_ROBOT_USERNAME }}" \
-p "${{ secrets.QUAY_FLIGHTCTL_INFRA_ROBOT_PASSWORD }}" \
quay.io
cosign sign \
--yes \
${{ env.REGISTRY }}/${{ env.REPOSITORY }}/flightctl-agent-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}