diff --git a/.github/workflows/bump_repos.yml b/.github/workflows/bump_repos.yml
deleted file mode 100644
index 8c0601f629..0000000000
--- a/.github/workflows/bump_repos.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: Bump repositories
-on:
- schedule:
- - cron: 0 20 * * *
- workflow_dispatch:
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Old packages
- run: |
- earthly +base-image --VARIANT=standard --FLAVOR=opensuse-leap --K3S_VERSION=latest
- mv build/versions.yaml build/versions.old.yaml
- - name: Bump cos 🔧
- run: earthly +bump-repositories
- - name: New packages
- run: |
- earthly +base-image --VARIANT=standard --FLAVOR=opensuse-leap --K3S_VERSION=latest
- mv build/versions.yaml build/versions.new.yaml
- - name: Diff versions and generate pr message
- run: .github/repo-diff-msg.sh
- - name: Create Pull Request
- uses: peter-evans/create-pull-request@v5
- with:
- token: ${{ secrets.PAT_TOKEN }}
- push-to-fork: ci-robbot/c3os
- commit-message: ':arrow_up: Update repositories'
- title: ':arrow_up: Update repositories'
- body-path: pr-message
- signoff: true
diff --git a/.github/workflows/image-arm-pr.yaml b/.github/workflows/image-arm-pr.yaml
deleted file mode 100644
index 2121fa0afa..0000000000
--- a/.github/workflows/image-arm-pr.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: 'Push latest ARM images'
-
-on:
- pull_request:
- paths:
- - '**'
-
-concurrency:
- group: ci-arm-${{ github.head_ref || github.ref }}-${{ github.repository }}
- cancel-in-progress: true
-env:
- FORCE_COLOR: 1
-
-jobs:
- docker:
- uses: ./.github/workflows/reusable-docker-arm-build.yaml
- with:
- flavor: opensuse-leap-arm-rpi
- model: rpi4
- worker: fast
diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml
deleted file mode 100644
index 489df53535..0000000000
--- a/.github/workflows/image-arm.yaml
+++ /dev/null
@@ -1,143 +0,0 @@
-name: 'Push latest ARM images'
-
-on:
- push:
- branches:
- - master
-
-concurrency:
- group: ci-arm-${{ github.head_ref || github.ref }}-${{ github.repository }}
- cancel-in-progress: true
-env:
- FORCE_COLOR: 1
-
-jobs:
- get-core-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- - id: set-matrix
- run: |
- content=`cat ./.github/flavors-arm.json`
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- # The matrix for standard (provider) images
- get-standard-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - run: |
- sudo apt update && sudo apt install -y jq
- - id: set-matrix
- run: |
- docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./
- chmod +x luet
- sudo mv luet /usr/bin/luet
- # Construct an array like this from the found versions:
- sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json
- # Create a combination of flavors and k3s versions.
- content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.frameworkonly != "true")) | map(select(.standard == "true"))' .github/flavors-arm.json k3s_versions.json)
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- build-arm-core:
- uses: ./.github/workflows/reusable-docker-arm-build.yaml
- secrets: inherit
- with:
- flavor: ${{ matrix.flavor }}
- model: ${{ matrix.model }}
- worker: ${{ matrix.worker }}
- needs:
- - get-core-matrix
- strategy:
- fail-fast: false
- matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
-
- image_and_iso_arm64_generic:
- uses: ./.github/workflows/reusable-image-and-iso-arm-generic.yaml
- secrets: inherit
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - get-core-matrix
- strategy:
- fail-fast: false
- matrix:
- flavor:
- - "opensuse-leap"
-
- notify:
- runs-on: ubuntu-latest
- if: failure()
- needs:
- - build-arm-core
- - image_and_iso_arm64_generic
- steps:
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- - name: save commit-message
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure()
- run: echo "COMMIT_MSG=$(git log -1 --pretty=format:%s)" >> $GITHUB_ENV
- - name: notify if failure
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure()
- uses: slackapi/slack-github-action@v1.24.0
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- with:
- payload: |
- {
- "blocks": [
- {
- "type": "section",
- "text": {
- "type": "mrkdwn",
- "text": "Job failure on master branch for job ${{ github.job }} in workflow \"${{ github.workflow }}\"\n\nCommit message is \"${{ env.COMMIT_MSG }}\"\n\n Commit sha is "
- }
- },
- {
- "type": "divider"
- },
- {
- "type": "actions",
- "elements": [
- {
- "type": "button",
- "text": {
- "type": "plain_text",
- "text": ":thisisfine: Failed Run",
- "emoji": true
- },
- "url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
- },
- {
- "type": "button",
- "text": {
- "type": "plain_text",
- "text": ":kairos: Repository link",
- "emoji": true
- },
- "url": "https://github.com/${{ github.repository }}"
- }
- ]
- }
- ]
- }
diff --git a/.github/workflows/image-pr.yaml b/.github/workflows/image-pr.yaml
deleted file mode 100644
index 150d879127..0000000000
--- a/.github/workflows/image-pr.yaml
+++ /dev/null
@@ -1,89 +0,0 @@
-name: Build and test PRs
-on:
- pull_request:
- paths:
- - '**'
-
-concurrency:
- group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
- cancel-in-progress: true
-env:
- FORCE_COLOR: 1
-jobs:
- core:
- uses: ./.github/workflows/reusable-build-flavor.yaml
- with:
- flavor: ubuntu
-
- install:
- uses: ./.github/workflows/reusable-install-test.yaml
- with:
- flavor: ubuntu
- needs:
- - core
-
- zfs:
- uses: ./.github/workflows/reusable-zfs-test.yaml
- with:
- flavor: ubuntu
- needs:
- - core
-
- acceptance:
- uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml
- with:
- flavor: ubuntu
- needs:
- - core
-
- bundles:
- uses: ./.github/workflows/reusable-qemu-bundles-test.yaml
- with:
- flavor: ubuntu
- needs:
- - core
-
- reset:
- uses: ./.github/workflows/reusable-qemu-reset-test.yaml
- with:
- flavor: ubuntu
- needs:
- - core
-
- netboot:
- uses: ./.github/workflows/reusable-qemu-netboot-test.yaml
- with:
- flavor: ubuntu
- needs:
- - core
-
- upgrade:
- uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml
- with:
- flavor: ubuntu
- needs:
- - core
-
- upgrade-latest:
- uses: ./.github/workflows/reusable-upgrade-latest-test.yaml
- with:
- flavor: ubuntu
- needs:
- - core
-
- encryption:
- uses: ./.github/workflows/reusable-encryption-test.yaml
- with:
- flavor: ubuntu
- label: ${{ matrix.label }}
- needs:
- - core
- strategy:
- fail-fast: true
- matrix:
- label:
- - "local-encryption"
- - "remote-auto"
- - "remote-static"
- - "remote-https-pinned"
- - "remote-https-bad-cert"
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
deleted file mode 100644
index c1c6d7aaea..0000000000
--- a/.github/workflows/image.yaml
+++ /dev/null
@@ -1,356 +0,0 @@
-name: Build and test images
-on:
- push:
- branches:
- - master
- paths:
- - '**'
-
-concurrency:
- group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
- cancel-in-progress: true
-env:
- FORCE_COLOR: 1
-jobs:
- get-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- sudo apt update && sudo apt install -y jq
- - id: set-matrix
- run: |
- content=`cat .github/flavors.json | jq 'map(select(.frameworkonly != "true"))'`
- # the following lines are only required for multi line json
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- # end of optional handling for multi line json
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- get-framework-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- - id: set-matrix
- run: |
- content=`cat .github/flavors.json`
- # the following lines are only required for multi line json
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- # end of optional handling for multi line json
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- core:
- uses: ./.github/workflows/reusable-build-flavor.yaml
- secrets: inherit
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - get-matrix
- strategy:
- fail-fast: false
- matrix: ${{fromJson(needs.get-matrix.outputs.matrix)}}
- framework:
- uses: ./.github/workflows/reusable-build-framework-flavor.yaml
- secrets: inherit
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - get-framework-matrix
- strategy:
- fail-fast: false
- matrix: ${{fromJson(needs.get-framework-matrix.outputs.matrix)}}
- install:
- uses: ./.github/workflows/reusable-install-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - core
- strategy:
- fail-fast: true
- matrix:
- include:
- - flavor: opensuse-leap
- zfs:
- uses: ./.github/workflows/reusable-zfs-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - core
- strategy:
- fail-fast: false
- matrix:
- include:
- - flavor: "ubuntu"
- acceptance:
- uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - core
- strategy:
- fail-fast: false
- matrix:
- include:
- - flavor: "alpine-opensuse-leap"
- - flavor: "opensuse-leap"
- - flavor: "opensuse-tumbleweed"
- - flavor: "ubuntu"
- - flavor: "debian"
- - flavor: "ubuntu-20-lts"
- - flavor: "ubuntu-22-lts"
- bundles:
- uses: ./.github/workflows/reusable-qemu-bundles-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - core
- strategy:
- fail-fast: false
- matrix:
- include:
- - flavor: opensuse-tumbleweed # Kubo test needs systemd version 252+ which atm is not available in Leap
- reset:
- uses: ./.github/workflows/reusable-qemu-reset-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - core
- strategy:
- fail-fast: false
- matrix:
- include:
- - flavor: alpine-opensuse-leap
- - flavor: opensuse-leap
- netboot:
- uses: ./.github/workflows/reusable-qemu-netboot-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - core
- strategy:
- fail-fast: false
- matrix:
- include:
- - flavor: alpine-opensuse-leap
- - flavor: opensuse-leap
- - flavor: ubuntu
- upgrade:
- uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - core
- strategy:
- fail-fast: false
- matrix:
- include:
- - flavor: alpine-opensuse-leap
- - flavor: opensuse-leap
- upgrade-latest:
- uses: ./.github/workflows/reusable-upgrade-latest-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - core
- strategy:
- fail-fast: false
- matrix:
- include:
- - flavor: alpine-opensuse-leap
- - flavor: opensuse-leap
- # - flavor: "ubuntu"
- # - flavor: "ubuntu"
- # - flavor: "ubuntu"
- encryption:
- uses: ./.github/workflows/reusable-encryption-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- label: ${{ matrix.label }}
- needs:
- - core
- strategy:
- fail-fast: true
- matrix:
- label:
- - "local-encryption"
- - "remote-auto"
- - "remote-static"
- - "remote-https-pinned"
- - "remote-https-bad-cert"
- flavor:
- - "opensuse-leap"
- standard:
- uses: ./.github/workflows/reusable-build-provider.yaml
- with:
- flavor: ${{ matrix.flavor }}
- strategy:
- fail-fast: false
- matrix:
- flavor:
- - "opensuse-leap"
- - "alpine-opensuse-leap"
- various:
- uses: ./.github/workflows/reusable-provider-tests.yaml
- with:
- flavor: ${{ matrix.flavor }}
- label: ${{ matrix.label }}
- needs:
- - standard
- strategy:
- fail-fast: false
- max-parallel: 2
- matrix:
- label:
- - "provider-qrcode-install"
- - "provider-upgrade"
- - "provider-decentralized-k8s"
- - "provider-upgrade-k8s"
- flavor:
- - "opensuse-leap"
- - "alpine-opensuse-leap"
- exclude: # looks like only the k8s stuff is tested on both flavors
- - label: "provider-qrcode-install"
- flavor: "alpine-opensuse-leap"
- - label: "provider-upgrade"
- flavor: "alpine-opensuse-leap"
- standard-upgrade-latest:
- uses: ./.github/workflows/reusable-provider-upgrade-latest-test.yaml
- with:
- flavor: ${{ matrix.flavor }}
- needs:
- - standard
- strategy:
- fail-fast: false
- max-parallel: 2
- matrix:
- flavor:
- - "opensuse-leap"
- - "alpine-opensuse-leap"
- test-uki:
- runs-on: kvm
- steps:
- - uses: actions/checkout@v4
- - name: Install Go
- uses: actions/setup-go@v4
- with:
- go-version-file: tests/go.mod
- cache-dependency-path: tests/go.sum
- - name: Enable KVM group perms
- run: |
- sudo apt-get update
- sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev
-
- # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/
- # echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
- # sudo udevadm control --reload-rules
- # sudo udevadm trigger --name-match=kvm
- # sudo usermod -a -G kvm,libvirt $USER
- #
- # TODO: Switch back to the above solution when we switch to the github runners
- # https://askubuntu.com/a/1081326
- sudo setfacl -m u:runner:rwx /dev/kvm
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Build uki disk 🔧
- run: |
- # Do fedora as its the smaller uki possible
- earthly +prepare-uki-disk-image --FLAVOR=fedora
- - name: Run tests
- env:
- USE_QEMU: true
- KVM: true
- MEMORY: 4000
- CPUS: 2
- FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
- run: |
- export UKI_DRIVE=${PWD}/build/disk.img
- cp tests/go.* .
- go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/
- notify:
- runs-on: ubuntu-latest
- if: failure()
- needs:
- - core
- - standard
- - framework
- - install
- - zfs
- - acceptance
- - bundles
- - reset
- - netboot
- - upgrade
- - upgrade-latest
- - encryption
- - various
- - standard-upgrade-latest
- - test-uki
- steps:
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- - name: save commit-message
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure()
- run: echo "COMMIT_MSG=$(git log -1 --pretty=format:%s)" >> $GITHUB_ENV
- - name: notify if failure
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure()
- uses: slackapi/slack-github-action@v1.24.0
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- with:
- payload: |
- {
- "blocks": [
- {
- "type": "section",
- "text": {
- "type": "mrkdwn",
- "text": "Job failure on master branch for job ${{ github.job }} in workflow \"${{ github.workflow }}\"\n\nCommit message is \"${{ env.COMMIT_MSG }}\"\n\n Commit sha is "
- }
- },
- {
- "type": "divider"
- },
- {
- "type": "actions",
- "elements": [
- {
- "type": "button",
- "text": {
- "type": "plain_text",
- "text": ":thisisfine: Failed Run",
- "emoji": true
- },
- "url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
- },
- {
- "type": "button",
- "text": {
- "type": "plain_text",
- "text": ":kairos: Repository link",
- "emoji": true
- },
- "url": "https://github.com/${{ github.repository }}"
- }
- ]
- }
- ]
- }
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index da54105110..0000000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: Lint
-on:
- push:
- branches:
- - master
- pull_request:
- paths:
- - '**'
-env:
- FORCE_COLOR: 1
-jobs:
- call-workflow:
- uses: kairos-io/linting-composite-action/.github/workflows/reusable-linting.yaml@v0.0.8
- with:
- yamldirs: ".github/workflows/"
- is-go: false
diff --git a/.github/workflows/pages-releases.yml.disable b/.github/workflows/pages-releases.yml.disable
deleted file mode 100644
index d9738570d4..0000000000
--- a/.github/workflows/pages-releases.yml.disable
+++ /dev/null
@@ -1,23 +0,0 @@
-name: GitHub Pages Updates
-on:
- push:
-# tags:
-# - '*'
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- with:
- submodules: 'recursive'
- - name: Build 🔧
- run: |
- cd docs && make build
- mv public ../
- - name: Deploy 🚀
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- uses: JamesIves/github-pages-deploy-action@releases/v3
- with:
- ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }}
- BRANCH: gh-pages
- FOLDER: public
diff --git a/.github/workflows/pages.yml.disable b/.github/workflows/pages.yml.disable
deleted file mode 100644
index 7f795c3c79..0000000000
--- a/.github/workflows/pages.yml.disable
+++ /dev/null
@@ -1,15 +0,0 @@
-name: GitHub Pages
-on:
- push:
- pull_request:
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- with:
- submodules: 'recursive'
- - name: Build 🔧
- run: |
- cd docs && make build
diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
deleted file mode 100644
index 86aa174a08..0000000000
--- a/.github/workflows/release-arm.yaml
+++ /dev/null
@@ -1,362 +0,0 @@
-name: Build arm images
-on:
- push:
- tags:
- - 'v*'
-jobs:
- get-core-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - id: set-matrix
- run: |
- content=`cat ./.github/flavors-arm.json`
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- # The matrix for standard (provider) images
- get-standard-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - run: |
- sudo apt update && sudo apt install -y jq
- - id: set-matrix
- run: |
- docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./
- chmod +x luet
- sudo mv luet /usr/bin/luet
- # Construct an array like this from the found versions:
- sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json
- # Create a combination of flavors and k3s versions.
- content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.frameworkonly != "true")) | map(select(.standard == "true"))' .github/flavors-arm.json k3s_versions.json)
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- build-arm-core:
- runs-on: ${{ matrix.worker }}
- needs:
- - get-core-matrix
- permissions:
- id-token: write # OIDC support
- contents: write
- actions: read
- security-events: write
- strategy:
- fail-fast: false
- matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
- steps:
- - name: Release space from worker
- if: ${{ matrix.worker != 'kvm' }}
- run: |
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- df -h
- echo
- sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
- sudo apt-get remove --auto-remove android-sdk-platform-tools || true
- sudo apt-get purge --auto-remove android-sdk-platform-tools || true
- sudo rm -rf /usr/local/lib/android
- sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
- sudo rm -rf /usr/share/dotnet
- sudo apt-get remove -y '^mono-.*' || true
- sudo apt-get remove -y '^ghc-.*' || true
- sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
- sudo apt-get remove -y 'php.*' || true
- sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
- sudo apt-get remove -y '^google-.*' || true
- sudo apt-get remove -y azure-cli || true
- sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
- sudo apt-get remove -y '^gfortran-.*' || true
- sudo apt-get autoremove -y
- sudo apt-get clean
- echo
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- sudo rm -rfv build || true
- df -h
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Set up QEMU
- uses: docker/setup-qemu-action@master
- with:
- platforms: all
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Set up Docker Buildx
- id: buildx
- uses: docker/setup-buildx-action@master
- - name: Login to DockerHub
- uses: docker/login-action@v3
- with:
- registry: quay.io
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
- - name: Build 🔧
- run: |
- earthly -P +all-arm -VARIANT=core -MODEL=${{ matrix.model }} -FLAVOR=${{ matrix.flavor }}
- - name: Convert all json files into a reports.tar.gz file
- run: |
- export VERSION=$(cat build/VERSION)
- cd build
- sudo tar cvf "kairos-core-${{matrix.flavor}}-arm64-${{matrix.model}}-${VERSION}-scan-reports.tar.gz" *.json
- - name: Push 🔧
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- docker push $(cat build/IMAGE)
- - name: Sign image
- env:
- COSIGN_YES: true
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- export IMAGE=$(cat build/IMAGE)
- docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason
- cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- - name: Upload Image
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- curl https://luet.io/install.sh | sudo sh
- IMAGE=$(cat build/IMAGE | sed 's/:/-img:/')
- sudo tar cvf build.tar build
- sudo luet util pack $IMAGE build.tar image.tar
- sudo -E docker load -i image.tar
- sudo -E docker push "$IMAGE"
- sudo rm -rf build/IMAGE build/VERSION
- - name: Release
- uses: softprops/action-gh-release@v1
- if: startsWith(github.ref, 'refs/tags/')
- with:
- files: |
- build/*scan-reports.tar.gz
- - name: Prepare sarif files 🔧
- run: |
- mkdir sarif
- sudo mv build/*.sarif sarif/
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- if: startsWith(github.ref, 'refs/tags/')
- with:
- sarif_file: 'sarif'
- category: ${{ matrix.flavor }}
-
- build-arm-standard:
- runs-on: ${{ matrix.worker }}
- needs:
- - get-standard-matrix
- permissions:
- id-token: write # OIDC support
- contents: write
- actions: read
- security-events: write
- strategy:
- fail-fast: false
- matrix: ${{fromJson(needs.get-standard-matrix.outputs.matrix)}}
- steps:
- - name: Release space from worker
- if: ${{ matrix.worker != 'kvm' }}
- run: |
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- df -h
- echo
- sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
- sudo apt-get remove --auto-remove android-sdk-platform-tools || true
- sudo apt-get purge --auto-remove android-sdk-platform-tools || true
- sudo rm -rf /usr/local/lib/android
- sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
- sudo rm -rf /usr/share/dotnet
- sudo apt-get remove -y '^mono-.*' || true
- sudo apt-get remove -y '^ghc-.*' || true
- sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
- sudo apt-get remove -y 'php.*' || true
- sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
- sudo apt-get remove -y '^google-.*' || true
- sudo apt-get remove -y azure-cli || true
- sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
- sudo apt-get remove -y '^gfortran-.*' || true
- sudo apt-get autoremove -y
- sudo apt-get clean
- echo
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- sudo rm -rfv build || true
- df -h
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Set up QEMU
- uses: docker/setup-qemu-action@master
- with:
- platforms: all
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Set up Docker Buildx
- id: buildx
- uses: docker/setup-buildx-action@master
- - name: Login to DockerHub
- uses: docker/login-action@v3
- with:
- registry: quay.io
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
- - name: Build 🔧
- run: |
- earthly -P +all-arm -VARIANT=standard -MODEL=${{ matrix.model }} -K3S_VERSION=${{ matrix.k3s_version }} -FLAVOR=${{ matrix.flavor }}
- - name: Convert all json files into a reports.tar.gz file
- run: |
- export VERSION=$(cat build/VERSION)
- cd build
- sudo tar cvf "kairos-standard-${{matrix.flavor}}-arm64-${{matrix.model}}-${VERSION}-scan-reports.tar.gz" *.json
- - name: Push 🔧
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- docker push $(cat build/IMAGE)
- - name: Sign image
- env:
- COSIGN_YES: true
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- export IMAGE=$(cat build/IMAGE)
- docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason
- cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- - name: Upload Image
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- curl https://luet.io/install.sh | sudo sh
- IMAGE=$(cat build/IMAGE | sed 's/:/-img:/')
- sudo tar cvf build.tar build
- sudo luet util pack $IMAGE build.tar image.tar
- sudo -E docker load -i image.tar
- sudo -E docker push "$IMAGE"
- sudo rm -rf build/IMAGE build/VERSION
- - name: Release
- uses: softprops/action-gh-release@v1
- if: startsWith(github.ref, 'refs/tags/')
- with:
- files: |
- build/*scan-reports.tar.gz
- - name: Prepare sarif files 🔧
- run: |
- mkdir sarif
- sudo mv build/*.sarif sarif/
- - name: Upload Trivy scan results to GitHub Security tab
- if: startsWith(github.ref, 'refs/tags/')
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'sarif'
- category: ${{ matrix.flavor }}
-
- build-arm-generic-core:
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- flavor:
- - "opensuse-leap"
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Set up QEMU
- uses: docker/setup-qemu-action@master
- with:
- platforms: all
- - name: Set up Docker Buildx
- id: buildx
- uses: docker/setup-buildx-action@v3
- - name: Login to Quay Registry
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Build iso 🔧
- run: |
- earthly -P +all-arm-generic --VARIANT=core --FLAVOR=${{ matrix.flavor }}
- sudo mv build release
- - name: Push to quay
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- docker push $(cat release/IMAGE)
- - name: Release
- uses: softprops/action-gh-release@v1
- if: startsWith(github.ref, 'refs/tags/')
- with:
- files: |
- release/*iso*
-
- build-arm-generic-standard:
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- flavor:
- - "opensuse-leap"
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Set up QEMU
- uses: docker/setup-qemu-action@master
- with:
- platforms: all
- - name: Set up Docker Buildx
- id: buildx
- uses: docker/setup-buildx-action@v3
- - name: Login to Quay Registry
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Build iso 🔧
- run: |
- earthly -P +all-arm-generic --VARIANT=standard --FLAVOR=${{ matrix.flavor }} --K3S_VERSION=latest
- sudo mv build release
- - name: Push to quay
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- docker push $(cat release/IMAGE)
- - name: Release
- uses: softprops/action-gh-release@v1
- if: startsWith(github.ref, 'refs/tags/')
- with:
- files: |
- release/*iso*
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
deleted file mode 100644
index 3a5fab1510..0000000000
--- a/.github/workflows/release.yaml
+++ /dev/null
@@ -1,314 +0,0 @@
-name: Release
-
-on:
- # Bump the CI
- push:
- tags:
- - v*
-
-jobs:
- get-core-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - run: |
- sudo apt update && sudo apt install -y jq
- - id: set-matrix
- run: |
- content=`cat .github/flavors.json | jq 'map(select(.frameworkonly != "true"))'`
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- # The matrix for standard (provider) images
- get-standard-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - run: |
- sudo apt update && sudo apt install -y jq wget
- - id: set-matrix
- run: |
- docker run --name luet quay.io/luet/base && docker cp luet:/usr/bin/luet ./
- chmod +x luet
- sudo mv luet /usr/bin/luet
- # Construct an array like this from the found versions:
- sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json
- content=$(jq -s '.
| [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.frameworkonly != "true")) | map(select(.standard == "true"))' .github/flavors.json k3s_versions.json)
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
-
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- get-framework-matrix:
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - id: set-matrix
- run: |
- content=`cat .github/flavors.json`
- # the following lines are only required for multi line json
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- # end of optional handling for multi line json
- echo "::set-output name=matrix::{\"include\": $content }"
-
- build-framework:
- runs-on: kvm
- needs:
- - get-framework-matrix
- permissions:
- id-token: write # OIDC support
- contents: write
- strategy:
- fail-fast: false
- matrix: ${{fromJson(needs.get-framework-matrix.outputs.matrix)}}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Login to Quay Registry
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Build 🔧
- env:
- FLAVOR: ${{ matrix.flavor }}
- run: |
- # Configure earthly to use the docker mirror in CI
- # https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
- mkdir -p ~/.earthly/
- cat << EOF > ~/.earthly/config.yml
- global:
- buildkit_additional_config: |
- [registry."docker.io"]
- mirrors =
["registry.docker-mirror.svc.cluster.local:5000"]
- [registry."registry.docker-mirror.svc.cluster.local:5000"]
- insecure = true
- http = true
- EOF
- earthly +build-framework-image --FLAVOR=${FLAVOR}
- - name: Push to quay
- env:
- COSIGN_YES: true
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- export _IMG="$(cat build/FRAMEWORK_IMAGE)"
- docker push "$_IMG" # Otherwise .RepoDigests will be empty for some reason
- cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$_IMG")
-
- build-core:
- runs-on: ubuntu-latest
- needs:
- - get-core-matrix
- permissions:
- id-token: write # OIDC support
- contents: write
- actions: read
- security-events: write
- strategy:
- fail-fast: false
- matrix: ${{ fromJson(needs.get-core-matrix.outputs.matrix) }}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- - name: Release space from worker
- run: |
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- df -h
- echo
- sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
- sudo apt-get remove --auto-remove android-sdk-platform-tools || true
- sudo apt-get purge --auto-remove android-sdk-platform-tools || true
- sudo rm -rf /usr/local/lib/android
- sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
- sudo rm -rf /usr/share/dotnet
- sudo apt-get remove -y '^mono-.*' || true
- sudo apt-get remove -y '^ghc-.*' || true
- sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
- sudo apt-get remove -y 'php.*' || true
- sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
- sudo apt-get remove -y '^google-.*' || true
- sudo apt-get remove -y azure-cli || true
- sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
- sudo apt-get remove -y '^gfortran-.*' || true
- sudo apt-get autoremove -y
-
sudo apt-get clean
- echo
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- sudo rm -rfv build || true
- sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
- sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- df -h
- - name: Login to Quay Registry
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Build 🔧
- env:
- FLAVOR: ${{ matrix.flavor }}
- run: |
- earthly +all --VARIANT=core --FLAVOR=$FLAVOR
- sudo mv build release
- - name: Push to quay
- env:
- COSIGN_YES: true
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- export IMAGE=$(cat release/IMAGE)
- docker push "$IMAGE"
- image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- spdx=$(ls release/*.spdx.json)
- cosign attach sbom --sbom $spdx $image_ref
- cosign sign $image_ref --attachment sbom
- # in-toto attestation
- cosign attest --type spdx --predicate $spdx $image_ref
- - name: Sign ISO sha files
- env:
- COSIGN_YES: true
- run: |
- sudo chmod -R 777 release
- filename=$(ls release/*.iso.sha256)
- cosign sign-blob --yes --output-certificate="${filename}.pem" \
- --output-signature="${filename}.sig" "${filename}"
- - name: Prepare files for release
- run: |
- export VERSION=$(cat release/VERSION)
- mkdir sarif
- mv release/*.sarif sarif/
- mkdir reports
- mv release/*.json reports/
- cd reports
- sudo tar cvf "kairos-core-${{matrix.flavor}}-amd64-generic-${VERSION}-scan-reports.tar.gz" *.json
- mv *.tar.gz ../release/
- cd ..
- rm release/VERSION release/IMAGE release/versions.yaml
- - name: Release
- uses: softprops/action-gh-release@v1
- if: startsWith(github.ref, 'refs/tags/')
- with:
- files: |
- release/*
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- if: startsWith(github.ref, 'refs/tags/')
- with:
- sarif_file: 'sarif'
- category: ${{ matrix.flavor }}
- build-core-uki:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Build uki image 🔧
- run: |
- # Do fedora as its the smaller uki possible
- earthly +uki --VARIANT=core --FLAVOR=fedora
- - name: Release
- uses: softprops/action-gh-release@v1
- if: startsWith(github.ref, 'refs/tags/')
- with:
- files: |
- build/*.efi
-
- build-standard:
- runs-on: ubuntu-latest
- needs:
- - get-standard-matrix
- permissions:
- id-token: write # OIDC support
- contents: write
- actions: read
- security-events: write
- strategy:
- fail-fast: false
- matrix: ${{ fromJson(needs.get-standard-matrix.outputs.matrix) }}
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- - name: Release space from worker
- run: |
- sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
- sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Login to Quay Registry
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Build 🔧
- run: |
- earthly +all -VARIANT=standard -K3S_VERSION=${{ matrix.k3s_version }} -FLAVOR=${{ matrix.flavor }}
- sudo mv build release
- - name: Push to quay
-
if: startsWith(github.ref, 'refs/tags/')
- env:
- COSIGN_YES: true
- run: |
- IMAGE=$(cat release/IMAGE)
- docker push "$IMAGE"
- cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- - name: Prepare files for release
- run: |
- export VERSION=$(cat release/VERSION)
- mkdir sarif
- mv release/*.sarif sarif/
- mkdir reports
- mv release/*.json reports/
- cd reports
- sudo tar cvf "kairos-core-${{matrix.flavor}}-amd64-generic-${VERSION}-scan-reports.tar.gz" *.json
- mv *.tar.gz ../release/
- cd ..
- sudo rm -rf release/IMAGE release/VERSION release/versions.yaml
- - name: Release
- uses: softprops/action-gh-release@v1
- if: startsWith(github.ref, 'refs/tags/')
- with:
- files: |
- release/*
diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml
deleted file mode 100644
index 4d48c98108..0000000000
--- a/.github/workflows/reusable-build-flavor.yaml
+++ /dev/null
@@ -1,131 +0,0 @@
-name: Reusable workflow that builds a specific Kairos flavor
-
-on:
- workflow_call:
- inputs:
- flavor:
- required: true
- type: string
-
-jobs:
- build:
- runs-on: ubuntu-latest
- permissions:
- id-token: write # OIDC support
- contents: write
- actions: read
- security-events: write
- steps:
- - name: Release space from worker
- run: |
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- df -h
- echo
- sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
- sudo apt-get remove --auto-remove android-sdk-platform-tools || true
- sudo apt-get purge --auto-remove android-sdk-platform-tools || true
- sudo rm -rf /usr/local/lib/android
- sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
- sudo rm -rf /usr/share/dotnet
- sudo apt-get remove -y '^mono-.*' || true
- sudo apt-get remove -y '^ghc-.*' || true
- sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
- sudo apt-get remove -y 'php.*' || true
- sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
- sudo apt-get remove -y '^google-.*' || true
- sudo apt-get remove -y azure-cli || true
- sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
- sudo apt-get remove -y '^gfortran-.*' || true
- sudo apt-get autoremove -y
- sudo apt-get clean
- echo
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- sudo rm -rfv build || true
- df -h
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- - name: Release space from worker
- run: |
- sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
- sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- - name: Install Cosign
- uses:
sigstore/cosign-installer@main
- - name: Login to Quay Registry
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
- run: |
- sudo iptables -I INPUT -s 169.254.169.254 -j DROP
- sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- - name: Build PR 🔧
- if: ${{ github.event_name == 'pull_request' }}
- env:
- FLAVOR: ${{ inputs.flavor }}
- IMAGE: quay.io/kairos/core-${{ inputs.flavor }}:latest
- run: |
- earthly +ci --SECURITY_SCANS=false --VARIANT=core --IMAGE=$IMAGE --FLAVOR=$FLAVOR
- sudo mv build/* .
- sudo rm -rf build
- - name: Build master 🔧
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- env:
- FLAVOR: ${{ inputs.flavor }}
- IMAGE: quay.io/kairos/core-${{ inputs.flavor }}:latest
- run: |
- earthly +ci --VARIANT=core --IMAGE=$IMAGE --FLAVOR=$FLAVOR
- sudo mv build/* .
- sudo rm -rf build
- mkdir sarif
- mv *.sarif sarif/
- - name: Upload Trivy scan results to GitHub Security tab
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'sarif'
- category: ${{ inputs.flavor }}
- - uses: actions/upload-artifact@v3
- with:
- name: kairos-${{ inputs.flavor }}.iso.zip
- path: |
- *.iso
- *.sha256
- versions.yaml
- if-no-files-found: error
- - uses: actions/upload-artifact@v3
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- with:
- name: kairos-${{ inputs.flavor }}.sbom.zip
- path: |
- *.syft.json
- *.spdx.json
- if-no-files-found: error
- - name: Push to quay
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- env:
- IMAGE: "quay.io/kairos/core-${{ inputs.flavor }}"
- TAG: "latest"
- COSIGN_YES: true
- run: |
- docker push "$IMAGE:$TAG"
- image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
- spdx=$(ls *.spdx.json)
- cosign attach sbom --sbom $spdx $image_ref
- cosign sign $image_ref --attachment sbom
- # in-toto attestation
- cosign attest --type spdx --predicate $spdx $image_ref
- - name: Push to testing
- run: |
- docker tag quay.io/kairos/core-${{ inputs.flavor }}:latest ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha }}:24h
- docker push ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha }}:24h
diff --git a/.github/workflows/reusable-build-framework-flavor.yaml b/.github/workflows/reusable-build-framework-flavor.yaml
deleted file mode 100644
index 266fcb46e5..0000000000
--- a/.github/workflows/reusable-build-framework-flavor.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-name: Reusable workflow that builds a specific Kairos framework image flavor
-
-on:
- workflow_call:
- inputs:
- flavor:
- required: true
- type: string
-
-jobs:
- build:
- runs-on: kvm
- permissions:
- id-token: write
- steps:
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- - name: Login to Quay Registry
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
- run: |
- sudo iptables -I INPUT -s 169.254.169.254 -j DROP
- sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- - name: Build framework image 🔧
- env:
- FLAVOR: ${{ inputs.flavor }}
- IMAGE: "quay.io/kairos/framework"
- TAG: "master_${{ inputs.flavor }}"
- COSIGN_YES: true
- run: |
- # Configure earthly to use the docker mirror in CI
- # https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
- mkdir -p ~/.earthly/
- cat << EOF > ~/.earthly/config.yml
- global:
- buildkit_additional_config: |
- [registry."docker.io"]
- mirrors = ["registry.docker-mirror.svc.cluster.local:5000"]
- [registry."registry.docker-mirror.svc.cluster.local:5000"]
- insecure = true
- http = true
- EOF
- earthly +build-framework-image --FLAVOR=${FLAVOR} --VERSION=master
- docker push "$IMAGE:$TAG" # Otherwise .RepoDigests will be empty for some reason
- cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml
deleted file mode 100644
index b2515a3960..0000000000
--- a/.github/workflows/reusable-build-provider.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
-name: Reusable workflow that builds a Provider image
-
-on:
- workflow_call:
- inputs:
- flavor:
- required: true
- type: string
-
-jobs:
- build:
- runs-on: ubuntu-latest
- permissions:
- id-token: write # OIDC support
- contents: write
- actions: read
- security-events: write
- steps:
- - name: Release space from worker
- run: |
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- df -h
- echo
- sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
- sudo apt-get remove --auto-remove android-sdk-platform-tools || true
- sudo apt-get purge --auto-remove android-sdk-platform-tools || true
- sudo rm -rf /usr/local/lib/android
- sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
- sudo rm -rf /usr/share/dotnet
- sudo apt-get remove -y '^mono-.*' || true
- sudo apt-get remove -y '^ghc-.*' || true
- sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
- sudo apt-get remove -y 'php.*' || true
- sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
- sudo apt-get remove -y '^google-.*' || true
- sudo apt-get remove -y azure-cli || true
- sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
- sudo apt-get remove -y '^gfortran-.*' || true
- sudo apt-get autoremove -y
- sudo apt-get clean
- echo
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- sudo rm -rfv build || true
- df -h
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
- run: |
-
sudo iptables -I INPUT -s 169.254.169.254 -j DROP
- sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- - name: Build PR 🔧
- run: |
- K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique | last')
- earthly +ci \
- --SECURITY_SCANS=false \
- --IMAGE=ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha }}-provider:24h \
- --FLAVOR=${{ inputs.flavor }} \
- --VARIANT=standard -K3S_VERSION=${K3S_VERSION}
- sudo mv build/* .
- sudo rm -rf build
- - uses: actions/upload-artifact@v3
- with:
- name: kairos-${{ inputs.flavor }}-provider.iso.zip
- path: |
- *.iso
- *.sha256
- versions.yaml
- if-no-files-found: error
- - name: Push to testing
- run: |
- docker push ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha }}-provider:24h
diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml
deleted file mode 100644
index 98b6948c39..0000000000
--- a/.github/workflows/reusable-docker-arm-build.yaml
+++ /dev/null
@@ -1,151 +0,0 @@
-name: Reusable workflow - docker arm build
-
-on:
- workflow_call:
- inputs:
- worker:
- required: true
- type: string
- flavor:
- required: true
- type: string
- model:
- required: true
- type: string
-
-jobs:
- build:
- runs-on: ${{ inputs.worker }}
- permissions:
- id-token: write # OIDC support
- contents: write
- actions: read
- security-events: write
- steps:
- - name: Release space from worker
- if: ${{ inputs.worker != 'fast' }}
- run: |
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- df -h
- echo
- sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
- sudo apt-get remove --auto-remove android-sdk-platform-tools || true
- sudo apt-get purge --auto-remove android-sdk-platform-tools || true
- sudo rm -rf /usr/local/lib/android
- sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
- sudo rm -rf /usr/share/dotnet
- sudo apt-get remove -y '^mono-.*' || true
- sudo apt-get remove -y '^ghc-.*' || true
- sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
- sudo apt-get remove -y 'php.*' || true
- sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
- sudo apt-get remove -y '^google-.*' || true
- sudo apt-get remove -y azure-cli || true
- sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
- sudo apt-get remove -y '^gfortran-.*' || true
- sudo apt-get autoremove -y
- sudo apt-get clean
- echo
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- sudo rm -rfv build || true
- df -h
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Set up QEMU
- uses: docker/setup-qemu-action@master
- with:
- platforms: all
- - name: Login to Quay Registry
- if: ${{ github.event_name == 'push' &&
github.ref == 'refs/heads/master' }}
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- - name: Set up Docker Buildx
- id: buildx
- uses: docker/setup-buildx-action@master
- - name: Install earthly
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Set compression for PR
- if: ${{ github.event_name == 'pull_request' }}
- run: |
- echo "IMG_COMPRESSION=zstd" >> $GITHUB_ENV
- - name: Set compression for master
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- run: |
- echo "IMG_COMPRESSION=xz" >> $GITHUB_ENV
- - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
- run: |
- sudo iptables -I INPUT -s 169.254.169.254 -j DROP
- sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- - name: Shared runner build 🔧
- if: ${{ inputs.worker != 'fast' }}
- run: |
- ./earthly.sh +all-arm --VARIANT=core --MODEL=${{ inputs.model }} \
- --FLAVOR=${{ inputs.flavor }} \
- --IMG_COMPRESSION=${{env.IMG_COMPRESSION}}
- - name: fast runner Build 🔧
- if: ${{ inputs.worker == 'fast' }}
- run: |
- earthly --allow-privileged +all-arm \
- --VARIANT=core --MODEL=${{ inputs.model }} \
- --FLAVOR=${{ inputs.flavor }} --IMG_COMPRESSION=${{env.IMG_COMPRESSION}}
- - name: Show img sizes
- run: |
- ls -ltra build
- ls -ltrh build
- - name: Push 🔧
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- env:
- FLAVOR: ${{ inputs.flavor }}
- IMAGE: quay.io/kairos/core-$FLAVOR:latest
- MODEL: ${{ inputs.model }}
- run: |
- export _IMG=$(cat build/IMAGE)
- export _NEW_IMG=$(echo $_IMG | cut -f1 -d:):latest
- docker tag $_IMG $_NEW_IMG
- docker push $_NEW_IMG
- - name: Prepare sarif files 🔧
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- run: |
- mkdir sarif
- sudo
mv build/*.sarif sarif/
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- with:
- sarif_file: 'sarif'
- category: ${{ inputs.flavor }}
- - name: Sign image
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- env:
- IMAGE: "quay.io/kairos/core-${{ inputs.flavor }}"
- TAG: "latest"
- COSIGN_YES: true
- run: |
- # Avoid pushing a new image for every commit (re-use latest)
- export _IMG=$(cat build/IMAGE)
- export _LATEST=$(echo $_IMG | cut -f1 -d:):latest
- docker push $_LATEST
- image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$_LATEST")
- spdx=$(ls build/*.spdx.json)
- cosign attach sbom --sbom $spdx $image_ref
- cosign sign $image_ref --attachment sbom
- # in-toto attestation
- cosign attest --type spdx --predicate $spdx $image_ref
- - name: Upload results
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- uses: actions/upload-artifact@v3
- with:
- name: ${{ inputs.flavor }}-image
- path: build
- if-no-files-found: error
diff --git a/.github/workflows/reusable-encryption-test.yaml b/.github/workflows/reusable-encryption-test.yaml
deleted file mode 100644
index b955a568ec..0000000000
--- a/.github/workflows/reusable-encryption-test.yaml
+++ /dev/null
@@ -1,91 +0,0 @@
-name: Reusable workflow - upgrade latest with cli test
-
-on:
- workflow_call:
- inputs:
- flavor:
- required: true
- type: string
- label:
- required: true
- type: string
-
-jobs:
- test:
- runs-on: ubuntu-latest
- defaults:
- run:
- shell: bash -eo pipefail {0}
- steps:
- - name: Release space from worker
- run: |
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- df -h
- echo
- sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
- sudo apt-get remove --auto-remove android-sdk-platform-tools || true
- sudo apt-get purge --auto-remove android-sdk-platform-tools || true
- sudo rm -rf /usr/local/lib/android
- sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
- sudo rm -rf /usr/share/dotnet
- sudo apt-get remove -y '^mono-.*' || true
- sudo apt-get remove -y '^ghc-.*' || true
- sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
- sudo apt-get remove -y 'php.*' || true
- sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
- sudo apt-get remove -y '^google-.*' || true
- sudo apt-get remove -y azure-cli || true
- sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
- sudo apt-get remove -y '^gfortran-.*' || true
- sudo apt-get autoremove -y
- sudo apt-get clean
- echo
- echo "Listing top largest packages"
- pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
- head -n 30 <<< "${pkgs}"
- echo
- sudo rm -rfv build || true
- df -h
- - name: Checkout code
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Install Go
- uses: actions/setup-go@v4
- with:
- go-version-file: tests/go.mod
- cache-dependency-path: tests/go.sum
- - name: Deps
- run: |
- sudo apt update && \
- sudo apt install -y git qemu-system-x86 qemu-utils swtpm jq make glibc-tools \
- openssl curl gettext
ca-certificates curl gnupg lsb-release
-
- curl -L https://github.com/mudler/luet/releases/download/0.33.0/luet-0.33.0-linux-amd64 -o luet
- chmod +x luet
- sudo mv luet /usr/bin/luet
- sudo mkdir -p /etc/luet/repos.conf.d/
- sudo luet repo add -y kairos --url quay.io/kairos/packages --type docker
- LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d utils/earthly
- - name: Download ISO
- id: iso
- uses: actions/download-artifact@v3
- with:
- name: kairos-${{ inputs.flavor }}.iso.zip
- - name: Display structure of downloaded files
- run: ls -las .
- - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
- run: |
- sudo iptables -I INPUT -s 169.254.169.254 -j DROP
- sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- - name: Run tests
- env:
- LABEL: ${{ inputs.label }}
- EMULATE_TPM: true
- USE_QEMU: true
- run: |
- export ISO=$(ls $PWD/kairos-core-*${{ inputs.flavor }}*.iso)
- .github/encryption-tests.sh
diff --git a/.github/workflows/reusable-image-and-iso-arm-generic.yaml b/.github/workflows/reusable-image-and-iso-arm-generic.yaml
deleted file mode 100644
index b3b6c86d14..0000000000
--- a/.github/workflows/reusable-image-and-iso-arm-generic.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-name: Reusable workflow - image and iso arm generic build
-
-on:
- workflow_call:
- inputs:
- flavor:
- required: true
- type: string
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- - name: Install earthly
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- uses: Luet-lab/luet-install-action@v1.1
- with:
- repository: quay.io/kairos/packages
- packages: utils/earthly
- - name: Set up QEMU
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- uses: docker/setup-qemu-action@master
- with:
- platforms: all
- - name: Set up Docker Buildx
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- id: buildx
- uses: docker/setup-buildx-action@v3
- - name: Login to Quay Registry
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
- run: |
- sudo iptables -I INPUT -s 169.254.169.254 -j DROP
- sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- - name: Build iso 🔧
- env:
- IMAGE: "quay.io/kairos/core-${{ inputs.flavor }}-arm-generic"
- TAG: "master"
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- run: |
- earthly -P +all-arm-generic --FLAVOR=${{ inputs.flavor }} --IMAGE=$IMAGE:$TAG --ISO_NAME=kairos-${{ inputs.flavor }}-arm-generic-$TAG
- - name: Push to quay
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- env:
- IMAGE: "quay.io/kairos/core-${{ inputs.flavor }}-arm-generic"
- TAG: "master"
- run: |
- docker push "$IMAGE:$TAG"
- - uses: actions/upload-artifact@v3
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- with:
- name:
kairos-${{ inputs.flavor }}-arm64.iso.zip
- path: |
- build/*.iso
- build/*.sha256
diff --git a/.github/workflows/reusable-install-test.yaml b/.github/workflows/reusable-install-test.yaml
deleted file mode 100644
index 657df0f32a..0000000000
--- a/.github/workflows/reusable-install-test.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-name: Reusable workflow - install test
-
-on:
- workflow_call:
- inputs:
- flavor:
- required: true
- type: string
-
-jobs:
- test:
- runs-on: macos-12
- steps:
- - uses: actions/checkout@v4
- - run: |
- git fetch --prune --unshallow
- - name: Download ISO
- id: iso
- uses: actions/download-artifact@v3
- with:
- name: kairos-${{ inputs.flavor }}.iso.zip
- - name: Display structure of downloaded files
- run: ls -las .
- - name: Install deps
- run: |
- brew install cdrtools jq gsed
- - name: Install Go
- uses: actions/setup-go@v4
- with:
- go-version-file: tests/go.mod
- cache-dependency-path: tests/go.sum
- - name: Ginkgo
- run: |
- export ISO=$(ls $PWD/kairos-core-*${{ inputs.flavor }}*.iso)
- export GOPATH="/Users/runner/go"
- export PATH=$PATH:$GOPATH/bin
- export CREATE_VM=true
- export FLAVOR=${{ inputs.flavor }}
- cd tests
- go run github.com/onsi/ginkgo/v2/ginkgo --label-filter "install-test" --fail-fast -r ./...
- - uses: actions/upload-artifact@v3
- if: failure()
- with:
- name: ${{ inputs.flavor }}-vbox.logs.zip
- path: tests/**/logs/*
- if-no-files-found: warn
diff --git a/.github/workflows/reusable-provider-tests.yaml b/.github/workflows/reusable-provider-tests.yaml
deleted file mode 100644
index 9459eb60bc..0000000000
--- a/.github/workflows/reusable-provider-tests.yaml
+++ /dev/null
@@ -1,77 +0,0 @@ -name: Reusable workflow that runs provider tess - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - label: - required: true - type: string - -jobs: - test: - runs-on: fast - permissions: - id-token: write # OIDC support - contents: write - actions: read - security-events: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version-file: tests/go.mod - cache-dependency-path: tests/go.sum - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - name: Enable KVM group perms - run: | - sudo apt-get update - sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev - - # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/ - # echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules - # sudo udevadm control --reload-rules - # sudo udevadm trigger --name-match=kvm - # sudo usermod -a -G kvm,libvirt $USER - # - # TODO: Switch back to the above solution when we switch to the github runners - # https://askubuntu.com/a/1081326 - sudo setfacl -m u:runner:rwx /dev/kvm - - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: kairos-${{ inputs.flavor }}-provider.iso.zip - - name: Run tests - env: - USE_QEMU: true - KVM: true - MEMORY: 4000 - CPUS: 2 - DRIVE_SIZE: 30000 - CONTAINER_IMAGE: ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha 
}}-provider:24h - run: | - ls *.iso - export ISO=$PWD/$(ls *.iso) - echo "ISO is: $ISO" - cp tests/go.* . - go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "${{ inputs.label }}" --fail-fast -r ./tests/ - - uses: actions/upload-artifact@v3 - if: failure() - with: - name: ${{ inputs.flavor }}-${{ inputs.label }}-provider-test.logs.zip - path: tests/**/logs/* - if-no-files-found: warn diff --git a/.github/workflows/reusable-provider-upgrade-latest-test.yaml b/.github/workflows/reusable-provider-upgrade-latest-test.yaml deleted file mode 100644 index 7baf23ba27..0000000000 --- a/.github/workflows/reusable-provider-upgrade-latest-test.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -name: Reusable workflow that runs provider tess - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - -jobs: - test: - runs-on: kvm - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version-file: tests/go.mod - cache-dependency-path: tests/go.sum - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - name: Enable KVM group perms - run: | - sudo apt-get update - sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev - - # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/ - # echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules - # sudo udevadm control --reload-rules - # sudo udevadm trigger --name-match=kvm - # sudo usermod -a -G kvm,libvirt $USER - # - # TODO: Switch back to the above solution when we switch to the github runners - # https://askubuntu.com/a/1081326 - sudo setfacl -m u:runner:rwx /dev/kvm - - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - uses: actions/checkout@v4 - - name: Download artifacts - uses: robinraju/release-downloader@v1.8 - with: - latest: true - repository: "kairos-io/kairos" - fileName: 'kairos-standard-*${{ inputs.flavor }}-*k3s1.iso' - out-file-path: "" - - name: Run tests - run: | - export USE_QEMU=true - export KVM=true - export MEMORY=4000 - export CPUS=2 - export DRIVE_SIZE=30000 - export CONTAINER_IMAGE=ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha 
}}-provider:24h - - K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq -r '.packages | map(.version) | unique | last' | cut -d+ -f1) - - export ISO=$PWD/$(ls *${K3S_VERSION}*.iso | head -n 1) - cp tests/go.* . - go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "provider-upgrade-latest-k8s-with-kubernetes" --fail-fast -r ./tests diff --git a/.github/workflows/reusable-qemu-acceptance-test.yaml b/.github/workflows/reusable-qemu-acceptance-test.yaml deleted file mode 100644 index 7fc8fbcf3d..0000000000 --- a/.github/workflows/reusable-qemu-acceptance-test.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -name: Reusable workflow - qemu acceptance test - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - port: - required: false - type: string - -jobs: - test: - runs-on: ubuntu-latest - steps: - - name: Release space from worker - run: | - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - df -h - echo - sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true - sudo apt-get remove --auto-remove android-sdk-platform-tools || true - sudo apt-get purge --auto-remove android-sdk-platform-tools || true - sudo rm -rf /usr/local/lib/android - sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true - sudo rm -rf /usr/share/dotnet - sudo apt-get remove -y '^mono-.*' || true - sudo apt-get remove -y '^ghc-.*' || true - sudo apt-get remove -y '.*jdk.*|.*jre.*' || true - sudo apt-get remove -y 'php.*' || true - sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true - sudo apt-get remove -y '^google-.*' || true - sudo apt-get remove -y azure-cli || true - sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true - sudo apt-get remove -y '^gfortran-.*' || true - sudo apt-get autoremove -y - sudo apt-get clean - echo - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - sudo rm -rfv build || true - df -h - - uses: actions/checkout@v4 - - run: | - git fetch --prune --unshallow - - name: Download ISO - id: iso - uses: actions/download-artifact@v3 - with: - name: kairos-${{ inputs.flavor }}.iso.zip - - name: Display structure of downloaded files - run: ls -las . 
- - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - run: | - earthly +run-qemu-datasource-tests --PREBUILT_ISO=$(ls kairos-core-*${{ inputs.flavor }}*.iso) --FLAVOR=${{ inputs.flavor }} --SSH_PORT=${{ inputs.port }} diff --git a/.github/workflows/reusable-qemu-bundles-test.yaml b/.github/workflows/reusable-qemu-bundles-test.yaml deleted file mode 100644 index e6bd323526..0000000000 --- a/.github/workflows/reusable-qemu-bundles-test.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: Reusable workflow - qemu bundles test - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - -jobs: - test: - runs-on: kvm - steps: - - uses: actions/checkout@v4 - - run: | - git fetch --prune --unshallow - - name: Download ISO - id: iso - uses: actions/download-artifact@v3 - with: - name: kairos-${{ inputs.flavor }}.iso.zip - - name: Display structure of downloaded files - run: ls -las . - - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - env: - KVM: true - run: | - # Configure earthly to use the docker mirror in CI - # https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache - mkdir -p ~/.earthly/ - cat << EOF > ~/.earthly/config.yml - global: - buildkit_additional_config: | - [registry."docker.io"] - mirrors = ["registry.docker-mirror.svc.cluster.local:5000"] - [registry."registry.docker-mirror.svc.cluster.local:5000"] - insecure = true - http = true - EOF - - earthly -P +prepare-bundles-tests - earthly -P +run-qemu-bundles-tests --PREBUILT_ISO=$(ls kairos-core-*${{ inputs.flavor }}*.iso) --FLAVOR=${{ inputs.flavor }} diff --git a/.github/workflows/reusable-qemu-netboot-test.yaml b/.github/workflows/reusable-qemu-netboot-test.yaml deleted file mode 100644 index d4c42755b5..0000000000 --- a/.github/workflows/reusable-qemu-netboot-test.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -name: Reusable workflow - qemu netboot test - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - -jobs: - test: - runs-on: ubuntu-latest - steps: - - name: Release space from worker - run: | - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - df -h - echo - sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true - sudo apt-get remove --auto-remove android-sdk-platform-tools || true - sudo apt-get purge --auto-remove android-sdk-platform-tools || true - sudo rm -rf /usr/local/lib/android - sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true - sudo rm -rf /usr/share/dotnet - sudo apt-get remove -y '^mono-.*' || true - sudo apt-get remove -y '^ghc-.*' || true - sudo apt-get remove -y '.*jdk.*|.*jre.*' || true - sudo apt-get remove -y 'php.*' || true - sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true - sudo apt-get remove -y '^google-.*' || true - sudo apt-get remove -y azure-cli || true - sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true - sudo apt-get remove -y '^gfortran-.*' || true - sudo apt-get autoremove -y - sudo apt-get clean - echo - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - sudo rm -rfv build || true - df -h - - uses: actions/checkout@v4 - - run: | - git fetch --prune --unshallow - - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - run: | - 
earthly -P +run-qemu-netboot-test --TEST_SUITE=netboot-test --FLAVOR=${{ inputs.flavor }} diff --git a/.github/workflows/reusable-qemu-reset-test.yaml b/.github/workflows/reusable-qemu-reset-test.yaml deleted file mode 100644 index fd9f4d5b1a..0000000000 --- a/.github/workflows/reusable-qemu-reset-test.yaml +++ /dev/null @@ -1,48 +0,0 @@ -name: Reusable workflow - qemu reset test - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - -jobs: - test: - runs-on: kvm - steps: - - uses: actions/checkout@v4 - - run: | - git fetch --prune --unshallow - - name: Download ISO - id: iso - uses: actions/download-artifact@v3 - with: - name: kairos-${{ inputs.flavor }}.iso.zip - - name: Display structure of downloaded files - run: ls -las . - - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - env: - KVM: true - run: | - # Configure earthly to use the docker mirror in CI - # https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache - mkdir -p ~/.earthly/ - cat << EOF > ~/.earthly/config.yml - global: - buildkit_additional_config: | - [registry."docker.io"] - mirrors = ["registry.docker-mirror.svc.cluster.local:5000"] - [registry."registry.docker-mirror.svc.cluster.local:5000"] - insecure = true - http = true - EOF - earthly -P +run-qemu-datasource-tests --PREBUILT_ISO=$(ls kairos-core-*${{ inputs.flavor }}*.iso) --TEST_SUITE=reset-test --FLAVOR=${{ inputs.flavor }} diff --git a/.github/workflows/reusable-upgrade-latest-test.yaml b/.github/workflows/reusable-upgrade-latest-test.yaml deleted file mode 100644 index 667c05fd85..0000000000 --- a/.github/workflows/reusable-upgrade-latest-test.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -name: Reusable workflow - upgrade latest with cli test - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - -jobs: - test: - runs-on: ubuntu-latest - steps: - - name: Release space from worker - run: | - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - df -h - echo - sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true - sudo apt-get remove --auto-remove android-sdk-platform-tools || true - sudo apt-get purge --auto-remove android-sdk-platform-tools || true - sudo rm -rf /usr/local/lib/android - sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true - sudo rm -rf /usr/share/dotnet - sudo apt-get remove -y '^mono-.*' || true - sudo apt-get remove -y '^ghc-.*' || true - sudo apt-get remove -y '.*jdk.*|.*jre.*' || true - sudo apt-get remove -y 'php.*' || true - sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true - sudo apt-get remove -y '^google-.*' || true - sudo apt-get remove -y azure-cli || true - sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true - sudo apt-get remove -y '^gfortran-.*' || true - sudo apt-get autoremove -y - sudo apt-get clean - echo - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - sudo rm -rfv build || true - df -h - - uses: actions/checkout@v4 - - run: | - git fetch --prune --unshallow - - uses: robinraju/release-downloader@v1.8 - with: - # A flag to set the download target as latest release - # The default value is 'false' - latest: true - fileName: 'kairos-core-${{ inputs.flavor }}-amd64-generic-v*.iso' - out-file-path: "" - - name: Display structure of downloaded files - run: ls -las . 
- - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - run: | - # release-downloader globing matches more than one iso. Make sure - # we use the right one. - ISO=$(ls kairos-core-${{ inputs.flavor }}-amd64-generic-v*.iso | grep -v ipxe) - earthly +run-qemu-test --PREBUILT_ISO=$ISO \ - --FLAVOR=${{ inputs.flavor }} \ - --CONTAINER_IMAGE=ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha }}:24h \ - --TEST_SUITE=upgrade-latest-with-cli - - uses: actions/upload-artifact@v3 - if: failure() - with: - name: ${{ inputs.flavor }}-upgrade-test.logs.zip - path: tests/**/logs/* - if-no-files-found: warn diff --git a/.github/workflows/reusable-upgrade-with-cli-test.yaml b/.github/workflows/reusable-upgrade-with-cli-test.yaml deleted file mode 100644 index 8c27f1208f..0000000000 --- a/.github/workflows/reusable-upgrade-with-cli-test.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -name: Reusable workflow - upgrade with cli test - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - -jobs: - test: - runs-on: kvm - steps: - - name: Release space from worker - run: | - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - df -h - echo - sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true - sudo apt-get remove --auto-remove android-sdk-platform-tools || true - sudo apt-get purge --auto-remove android-sdk-platform-tools || true - sudo rm -rf /usr/local/lib/android - sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true - sudo rm -rf /usr/share/dotnet - sudo apt-get remove -y '^mono-.*' || true - sudo apt-get remove -y '^ghc-.*' || true - sudo apt-get remove -y '.*jdk.*|.*jre.*' || true - sudo apt-get remove -y 'php.*' || true - sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true - sudo apt-get remove -y '^google-.*' || true - sudo apt-get remove -y azure-cli || true - sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true - sudo apt-get remove -y '^gfortran-.*' || true - sudo apt-get autoremove -y - sudo apt-get clean - echo - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - sudo rm -rfv build || true - df -h - - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - uses: actions/checkout@v4 - - run: | - git fetch --prune --unshallow - - name: Download ISO - id: iso - uses: actions/download-artifact@v3 - with: - name: kairos-${{ inputs.flavor }}.iso.zip - - name: Display structure of downloaded files - run: ls -las . 
- - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - run: | - earthly +run-qemu-test --PREBUILT_ISO=$(ls kairos-core-*${{ inputs.flavor }}*.iso) \ - --FLAVOR=${{ inputs.flavor }} \ - --CONTAINER_IMAGE=ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha }}:24h \ - --TEST_SUITE=upgrade-with-cli - - uses: actions/upload-artifact@v3 - if: failure() - with: - name: ${{ inputs.flavor }}-upgrade-test.logs.zip - path: tests/**/logs/* - if-no-files-found: warn diff --git a/.github/workflows/reusable-zfs-test.yaml b/.github/workflows/reusable-zfs-test.yaml deleted file mode 100644 index 7c114b6e89..0000000000 --- a/.github/workflows/reusable-zfs-test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -name: Reusable workflow - zfs test - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - -jobs: - test: - runs-on: kvm - steps: - - uses: actions/checkout@v4 - - name: Download ISO - id: iso - uses: actions/download-artifact@v3 - with: - name: kairos-${{ inputs.flavor }}.iso.zip - - name: Display structure of downloaded files - run: ls -R - - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - run: | - earthly +run-qemu-test --PREBUILT_ISO=$(ls kairos-core-*${{ inputs.flavor }}*.iso) --TEST_SUITE=zfs --FLAVOR=${{ inputs.flavor }} diff --git a/.github/workflows/spelling.yml.disable b/.github/workflows/spelling.yml.disable deleted file mode 100644 index 043aad37b7..0000000000 --- a/.github/workflows/spelling.yml.disable +++ /dev/null 
@@ -1,141 +0,0 @@ -name: Check Spelling - -# Comment management is handled through a secondary job, for details see: -# https://github.com/check-spelling/check-spelling/wiki/Feature%3A-Restricted-Permissions -# -# `jobs.comment-push` runs when a push is made to a repository and the `jobs.spelling` job needs to make a comment -# (in odd cases, it might actually run just to collapse a comment, but that's fairly rare) -# it needs `contents: write` in order to add a comment. -# -# `jobs.comment-pr` runs when a pull_request is made to a repository and the `jobs.spelling` job needs to make a comment -# or collapse a comment (in the case where it had previously made a comment and now no longer needs to show a comment) -# it needs `pull-requests: write` in order to manipulate those comments. - -# Updating pull request branches is managed via comment handling. -# For details, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-expect-list -# -# These elements work together to make it happen: -# -# `on.issue_comment` -# This event listens to comments by users asking to update the metadata. -# -# `jobs.update` -# This job runs in response to an issue_comment and will push a new commit -# to update the spelling metadata. -# -# `with.experimental_apply_changes_via_bot` -# Tells the action to support and generate messages that enable it -# to make a commit to update the spelling metadata. -# -# `with.ssh_key` -# In order to trigger workflows when the commit is made, you can provide a -# secret (typically, a write-enabled github deploy key). 
-# -# For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key - -on: - push: - branches: - - "**" - tags-ignore: - - "**" - pull_request_target: - branches: - - "**" - tags-ignore: - - "**" - types: - - 'opened' - - 'reopened' - - 'synchronize' - issue_comment: - types: - - 'created' - -jobs: - spelling: - name: Check Spelling - permissions: - contents: read - pull-requests: read - actions: read - security-events: write - outputs: - followup: ${{ steps.spelling.outputs.followup }} - runs-on: ubuntu-latest - if: "contains(github.event_name, 'pull_request') || github.event_name == 'push'" - concurrency: - group: spelling-${{ github.event.pull_request.number || github.ref }} - # note: If you use only_check_changed_files, you do not want cancel-in-progress - cancel-in-progress: true - steps: - - name: check-spelling - id: spelling - uses: check-spelling/check-spelling@main - with: - suppress_push_for_open_pull_request: 1 - checkout: true - check_file_names: 1 - spell_check_this: check-spelling/spell-check-this@prerelease - post_comment: 0 - use_magic_file: 1 - experimental_apply_changes_via_bot: 1 - use_sarif: 1 - extra_dictionary_limit: 10 - check_commit_messages: commits title description - - comment-push: - name: Report (Push) - # If your workflow isn't running on push, you can remove this job - runs-on: ubuntu-latest - needs: spelling - permissions: - contents: write - if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push' - steps: - - name: comment - uses: check-spelling/check-spelling@prerelease - with: - checkout: true - spell_check_this: check-spelling/spell-check-this@prerelease - task: ${{ needs.spelling.outputs.followup }} - - comment-pr: - name: Report (PR) - # If you workflow isn't running on pull_request*, you can remove this job - runs-on: ubuntu-latest - needs: spelling - permissions: - pull-requests: write - if: (success() || failure()) && 
needs.spelling.outputs.followup && contains(github.event_name, 'pull_request') - steps: - - name: comment - uses: check-spelling/check-spelling@main - with: - checkout: true - spell_check_this: check-spelling/spell-check-this@prerelease - task: ${{ needs.spelling.outputs.followup }} - experimental_apply_changes_via_bot: 1 - - update: - name: Update PR - permissions: - contents: write - pull-requests: write - actions: read - runs-on: ubuntu-latest - if: ${{ - github.event_name == 'issue_comment' && - github.event.issue.pull_request && - contains(github.event.comment.body, '@check-spelling-bot apply') - }} - concurrency: - group: spelling-update-${{ github.event.issue.number }} - cancel-in-progress: false - steps: - - name: apply spelling updates - uses: check-spelling/check-spelling@main - with: - experimental_apply_changes_via_bot: 1 - checkout: true - ssh_key: "${{ secrets.CHECK_SPELLING }}"