Skip to content

🔧 Prevent secureboot keys from being added to git (#2942) #5523

🔧 Prevent secureboot keys from being added to git (#2942)

🔧 Prevent secureboot keys from being added to git (#2942) #5523

Workflow file for this run

name: Build and test images
on:
push:
branches:
- master
paths:
- '**'
permissions: read-all
concurrency:
group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
cancel-in-progress: true
env:
FORCE_COLOR: 1
jobs:
get-core-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- run: |
git fetch --prune --unshallow
sudo apt update && sudo apt install -y jq
- id: set-matrix
run: |
content=`cat .github/flavors.json | jq 'map(select(.variant == "core" and .arch == "amd64"))'`
# the following lines are only required for multi line json
# the following lines are only required for multi line json
content="${content//'%'/'%25'}"
content="${content//$'\n'/'%0A'}"
content="${content//$'\r'/'%0D'}"
# end of optional handling for multi line json
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
# Populate the trivy cache once for all later jobs to use
trivy-cache:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
fetch-depth: 0
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
core:
uses: ./.github/workflows/reusable-build-flavor.yaml
needs:
- trivy-cache
- get-core-matrix
permissions:
id-token: write # OIDC support
contents: write
security-events: write
actions: read
attestations: read
checks: read
deployments: read
discussions: read
issues: read
packages: read
pages: read
pull-requests: read
repository-projects: read
statuses: read
secrets: inherit
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
family: ${{ matrix.family }}
base_image: ${{ matrix.baseImage }}
model: ${{ matrix.model }}
variant: ${{ matrix.variant }}
arch: ${{ matrix.arch }}
strategy:
fail-fast: false
matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
install:
secrets: inherit
uses: ./.github/workflows/reusable-install-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
needs:
- core
- trivy-cache
strategy:
fail-fast: true
matrix:
include:
- flavor: opensuse
flavorRelease: leap-15.6
secureboot: false
install-target:
secrets: inherit
uses: ./.github/workflows/reusable-install-test-target.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
needs:
- core
- trivy-cache
strategy:
fail-fast: true
matrix:
include:
- flavor: "ubuntu"
flavorRelease: "24.04"
install-secureboot:
secrets: inherit
uses: ./.github/workflows/reusable-install-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
secureboot: true
needs:
- core
- trivy-cache
strategy:
fail-fast: true
matrix:
include:
- flavor: "opensuse"
flavorRelease: "leap-15.6"
- flavor: "opensuse"
flavorRelease: "tumbleweed"
- flavor: "debian"
flavorRelease: "bookworm"
- flavor: "ubuntu"
flavorRelease: "22.04"
- flavor: "ubuntu"
flavorRelease: "24.04"
- flavor: "fedora"
flavorRelease: "40"
zfs:
secrets: inherit
uses: ./.github/workflows/reusable-zfs-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
needs:
- core
- trivy-cache
strategy:
fail-fast: false
matrix:
include:
- flavor: "ubuntu"
flavorRelease: "22.04"
acceptance:
secrets: inherit
uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
needs:
- core
- trivy-cache
strategy:
fail-fast: false
matrix:
include:
- flavor: "alpine"
flavorRelease: "3.19"
- flavor: "opensuse"
flavorRelease: "leap-15.6"
- flavor: "opensuse"
flavorRelease: "tumbleweed"
- flavor: "debian"
flavorRelease: "testing"
- flavor: "ubuntu"
flavorRelease: "20.04"
- flavor: "ubuntu"
flavorRelease: "22.04"
- flavor: "ubuntu"
flavorRelease: "24.04"
bundles:
secrets: inherit
uses: ./.github/workflows/reusable-qemu-bundles-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
needs:
- core
- trivy-cache
strategy:
fail-fast: false
matrix:
include:
- flavor: opensuse # Kubo test needs systemd version 252+ which atm is not available in Leap
flavorRelease: tumbleweed
reset:
secrets: inherit
uses: ./.github/workflows/reusable-qemu-reset-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
needs:
- core
- trivy-cache
strategy:
fail-fast: false
matrix:
include:
- flavor: alpine
flavorRelease: "3.19"
family: alpine
base_image: alpine:3.19
model: generic
variant: core
- flavor: opensuse
flavorRelease: leap-15.6
family: opensuse
base_image: opensuse/leap:15.6
model: generic
variant: core
netboot:
secrets: inherit
uses: ./.github/workflows/reusable-qemu-netboot-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
family: ${{ matrix.family }}
model: ${{ matrix.model }}
variant: ${{ matrix.variant }}
base_image: ${{ matrix.baseImage }}
needs:
- core
- trivy-cache
strategy:
fail-fast: false
matrix:
include:
- flavor: alpine
flavorRelease: "3.19"
family: alpine
variant: core
model: generic
baseImage: alpine:3.19
- flavor: opensuse
flavorRelease: leap-15.6
family: opensuse
variant: core
model: generic
baseImage: opensuse/leap:15.6
- flavor: ubuntu
flavorRelease: "24.04"
family: ubuntu
variant: core
model: generic
baseImage: ubuntu:24.04
upgrade:
secrets: inherit
uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
needs:
- core
- trivy-cache
strategy:
fail-fast: false
matrix:
include:
- flavor: alpine
flavorRelease: "3.19"
- flavor: opensuse
flavorRelease: leap-15.6
# releaseMatcher: leap-15.5
upgrade-latest:
secrets: inherit
uses: ./.github/workflows/reusable-upgrade-latest-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
family: ${{ matrix.family }}
release_matcher: ${{ matrix.releaseMatcher }} # introduced so tests can be green while we wait for the kairos release with the latest flavor release
needs:
- core
- trivy-cache
strategy:
fail-fast: false
matrix:
include:
# cant do alpine yet as it hasnt been released with the proper name
# - flavor: alpine
# flavorRelease: "3.19"
- flavor: opensuse
flavorRelease: leap-15.6
family: opensuse
# releaseMatcher: leap-15.5
custom-partitioning:
secrets: inherit
uses: ./.github/workflows/reusable-custom-partitioning-test.yaml
permissions:
id-token: write # OIDC support
contents: write
security-events: write
actions: read
attestations: read
checks: read
deployments: read
discussions: read
issues: read
packages: read
pages: read
pull-requests: read
repository-projects: read
statuses: read
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
needs:
- core
- trivy-cache
strategy:
fail-fast: true
matrix:
flavor:
- "opensuse"
flavorRelease:
- "leap-15.6"
encryption:
uses: ./.github/workflows/reusable-encryption-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
label: ${{ matrix.label }}
needs:
- core
- trivy-cache
strategy:
fail-fast: true
matrix:
label:
- "local-encryption"
- "remote-auto"
- "remote-static"
- "remote-https-pinned"
- "remote-https-bad-cert"
flavor:
- "opensuse"
flavorRelease:
- "leap-15.6"
standard:
uses: ./.github/workflows/reusable-build-provider.yaml
needs:
- core
- trivy-cache
permissions:
id-token: write # OIDC support
contents: write
security-events: write
actions: read
attestations: read
checks: read
deployments: read
discussions: read
issues: read
packages: read
pages: read
pull-requests: read
repository-projects: read
statuses: read
secrets: inherit
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
family: ${{ matrix.family }}
base_image: ${{ matrix.baseImage }}
variant: standard
model: generic
arch: amd64
strategy:
fail-fast: false
matrix:
include:
- flavor: opensuse
flavorRelease: leap-15.6
family: opensuse
baseImage: opensuse/leap:15.6
- flavor: alpine
flavorRelease: "3.19"
family: alpine
baseImage: alpine:3.19
- flavor: ubuntu
flavorRelease: "24.04"
family: ubuntu
baseImage: ubuntu:24.04
various:
secrets: inherit
uses: ./.github/workflows/reusable-provider-tests.yaml
permissions:
contents: write
security-events: write
id-token: write
actions: read
attestations: read
checks: read
deployments: read
discussions: read
issues: read
packages: read
pages: read
pull-requests: read
repository-projects: read
statuses: read
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
label: ${{ matrix.label }}
needs:
- standard
- trivy-cache
strategy:
fail-fast: false
max-parallel: 2
matrix:
include:
- flavor: "opensuse"
flavorRelease: "leap-15.6"
label: "provider-qrcode-install"
- flavor: "opensuse"
flavorRelease: "leap-15.6"
label: "provider-upgrade"
# no point of running this on CI if it always fails
# - flavor: "opensuse"
# flavorRelease: "leap-15.6"
# label: "provider-decentralized-k8s"
- flavor: "opensuse"
flavorRelease: "leap-15.6"
label: "provider-upgrade-k8s"
# no point of running this on CI if it always fails
# - flavor: "alpine"
# flavorRelease: "3.19"
# label: "provider-decentralized-k8s"
- flavor: "alpine"
flavorRelease: "3.19"
label: "provider-upgrade-k8s"
standard-upgrade-latest:
secrets: inherit
uses: ./.github/workflows/reusable-provider-upgrade-latest-test.yaml
with:
flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }}
family: ${{ matrix.family }}
release_matcher: ${{ matrix.releaseMatcher }} # introduced so tests can be green while we wait for the kairos release with the latest flavor release
needs:
- standard
- trivy-cache
strategy:
fail-fast: false
max-parallel: 2
matrix:
include:
# cant do alpine yet as it hasnt been released with the proper name
# - flavor: "alpine"
# flavorRelease: "3.19"
- flavor: "opensuse"
flavorRelease: "leap-15.6"
family: "opensuse"
# releaseMatcher: "leap-15.5"
notify:
runs-on: ubuntu-latest
if: failure()
needs:
- trivy-cache
- core
- standard
- install
- install-target
- install-secureboot
- zfs
- acceptance
- bundles
- reset
- netboot
- upgrade
- upgrade-latest
- encryption
- various
- standard-upgrade-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- run: |
git fetch --prune --unshallow
- name: save commit-message
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure()
run: echo "COMMIT_MSG=$(git log -1 --pretty=format:%s)" >> $GITHUB_ENV
- name: notify if failure
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure()
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
with:
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "Job failure on master branch for job ${{ github.job }} in workflow \"${{ github.workflow }}\"\n\nCommit message is \"${{ env.COMMIT_MSG }}\"\n\n Commit sha is <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>"
}
},
{
"type": "divider"
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"text": ":thisisfine: Failed Run",
"emoji": true
},
"url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
},
{
"type": "button",
"text": {
"type": "plain_text",
"text": ":kairos: Repository link",
"emoji": true
},
"url": "https://github.com/${{ github.repository }}"
}
]
}
]
}