chore: use kres to manage project

Move to using kres to manage project. Signed-off-by: Noel Georgi <git@frezbo.dev>
siderolabs · Nov 3, 2023 · 7c68b1b · 7c68b1b
1 parent d7fdcc9
commit 7c68b1b
Show file tree

Hide file tree

Showing 14 changed files with 480 additions and 132 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,8 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2023-11-02T15:47:10Z by kres 32170a7-dirty.
+
+*
+!CHANGELOG.md
+!README.md
+!pkg.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1,8 +1,12 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2023-11-03T11:00:40Z by kres latest.
+
 name: default
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
-on:
+"on":
   push:
     branches:
       - main
@@ -15,55 +19,66 @@ on:
       - release-*
 jobs:
   default:
-    if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/'))
     permissions:
+      actions: read
+      contents: write
       packages: write
+      pull-requests: read
     runs-on:
       - self-hosted
       - pkgs
+    if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/'))
     outputs:
       labels: ${{ steps.workflow-run-info.outputs.pullRequestLabels }}
     services:
       buildkitd:
-        image: moby/buildkit:buildx-stable-1
+        image: moby/buildkit:v0.12.2
+        options: --privileged
         ports:
           - 1234:1234
-        options: --privileged
         volumes:
           - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit
           - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Unshallow
         run: |
           git fetch --prune --unshallow
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
-          driver: remote
-          endpoint: tcp://localhost:1234
           append: |
             - endpoint: tcp://buildkit-arm64.ci.svc.cluster.local:1234
               platforms: linux/arm64
-      - name: build
+          driver: remote
+          endpoint: tcp://localhost:1234
+      - name: Build
         run: |
           make
-      - name: build nonfree
+      - name: Build nonfree
         run: |
           make nonfree
       - name: Login to registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
           username: ${{ github.repository_owner }}
       - name: Push to registry
         if: github.event_name != 'pull_request'
         run: |
-          make PUSH=true
+          make  PUSH=true
+      - name: Push nonfree
+        if: github.event_name != 'pull_request'
+        run: |
           make nonfree PUSH=true
+      - name: Retrieve workflow info
+        id: workflow-run-info
+        uses: potiuk/get-workflow-origin@v1_5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
       - name: release-notes
         if: startsWith(github.ref, 'refs/tags/')
         run: |
@@ -74,8 +89,36 @@ jobs:
         with:
           body_path: _out/RELEASE_NOTES.md
           draft: "true"
-      - name: Retrieve workflow info
-        id: workflow-run-info
-        uses: potiuk/get-workflow-origin@v1_5
+  reproducibility:
+    runs-on:
+      - self-hosted
+      - pkgs
+    if: contains(needs.default.outputs.labels, 'integration/reproducibility')
+    needs:
+      - default
+    services:
+      buildkitd:
+        image: moby/buildkit:v0.12.2
+        options: --privileged
+        ports:
+          - 1234:1234
+        volumes:
+          - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit
+          - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          append: |
+            - endpoint: tcp://buildkit-arm64.ci.svc.cluster.local:1234
+              platforms: linux/arm64
+          driver: remote
+          endpoint: tcp://localhost:1234
+      - name: reproducibility-test
+        run: |
+          make reproducibility-test
diff --git a/.github/workflows/slack-notify.yaml b/.github/workflows/slack-notify.yaml
@@ -1,12 +1,13 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2023-11-01T12:40:50Z by kres f0cdabb-dirty.
+# Generated on 2023-11-03T11:00:40Z by kres latest.
 
 name: slack-notify
 "on":
   workflow_run:
     workflows:
       - default
+      - weekly
     types:
       - completed
 jobs:

diff --git a/.github/workflows/weekly.yaml b/.github/workflows/weekly.yaml
@@ -0,0 +1,42 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2023-11-03T11:00:40Z by kres latest.
+
+name: weekly
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 1 * * 1
+jobs:
+  reproducibility:
+    runs-on:
+      - self-hosted
+      - pkgs
+    services:
+      buildkitd:
+        image: moby/buildkit:v0.12.2
+        options: --privileged
+        ports:
+          - 1234:1234
+        volumes:
+          - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit
+          - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          append: |
+            - endpoint: tcp://buildkit-arm64.ci.svc.cluster.local:1234
+              platforms: linux/arm64
+          driver: remote
+          endpoint: tcp://localhost:1234
+      - name: reproducibility-test
+        run: |
+          make reproducibility-test
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,6 @@
-_out/
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2023-11-02T15:50:53Z by kres latest.
+
+_out
 internal/extensions/image-digests
diff --git a/.kres.yaml b/.kres.yaml
@@ -0,0 +1,114 @@
+---
+kind: pkgfile.Build
+spec:
+  targets:
+    - amdgpu-firmware
+    - amd-ucode
+    - binfmt-misc
+    - bnx2-bnx2x
+    - btrfs
+    - chelsio-drivers
+    - chelsio-firmware
+    - drbd
+    - fuse3
+    - gasket-driver
+    - gvisor
+    - hello-world-service
+    - i915-ucode
+    - intel-ice-firmware
+    - intel-ucode
+    - iscsi-tools
+    - nut-client
+    - nvidia-container-toolkit
+    - nvidia-fabricmanager
+    - nvidia-open-gpu-kernel-modules
+    - qemu-guest-agent
+    - stargz-snapshotter
+    - tailscale
+    - thunderbolt
+    - usb-modem-drivers
+    - util-linux-tools
+    - xe-guest-utilities
+    - zfs
+  additionalTargets:
+    nonfree:
+      - nonfree-kmod-nvidia
+  reproducibleTargetName: reproducibility
+  extraBuildArgs:
+    - TAG
+    - PKGS
+  useBldrPkgTagResolver: true
+---
+kind: common.Build
+spec:
+    ignoredPaths:
+        - "internal/extensions/image-digests"
+---
+kind: auto.CustomSteps
+spec:
+  steps:
+    - name: extensions
+      toplevel: true
+    - name: extensions-metadata
+      toplevel: true
+    - name: internal/extensions/image-digests
+      toplevel: true
+    - name: sign-images
+      toplevel: true
+---
+kind: custom.Step
+name: extensions
+spec:
+  makefile:
+    enabled: true
+    phony: true
+    variables:
+      - name: EXTENSIONS_IMAGE_REF
+        defaultValue: $(REGISTRY_AND_USERNAME)/extensions:$(TAG)
+      - name: PKGS
+        defaultValue: v1.6.0-alpha.0-26-g5f84302
+    depends:
+      - internal/extensions/image-digests
+    script:
+      - |
+        @$(MAKE) docker-$@ TARGET_ARGS="--tag=$(EXTENSIONS_IMAGE_REF) --push=$(PUSH)"
+---
+kind: custom.Step
+name: extensions-metadata
+spec:
+  makefile:
+    enabled: true
+    phony: true
+    depends:
+      - $(ARTIFACTS)/bldr
+    script:
+      - |
+        @rm -f _out/extensions-metadata
+        @$(foreach target,$(TARGETS),echo $(REGISTRY)/$(USERNAME)/$(target):$(shell $(ARTIFACTS)/bldr eval --target $(target) --build-arg TAG=$(TAG) '{{.VERSION}}' 2>/dev/null) >> _out/extensions-metadata;)
+        @$(foreach target,$(NONFREE_TARGETS),echo $(REGISTRY)/$(USERNAME)/$(target):$(shell $(ARTIFACTS)/bldr eval --target $(target) --build-arg TAG=$(TAG) '{{.VERSION}}' 2>/dev/null) >> _out/extensions-metadata;)
+---
+kind: custom.Step
+name: internal/extensions/image-digests
+spec:
+  makefile:
+    enabled: true
+    phony: true
+    depends:
+      - extensions-metadata
+    script:
+      - |
+        @cat _out/extensions-metadata | xargs -I{} sh -c 'echo {}@$$(crane digest {})' > internal/extensions/image-digests
+---
+kind: custom.Step
+name: sign-images
+spec:
+  makefile:
+    enabled: true
+    phony: true
+    script:
+      - |
+        @for image in $(shell crane export $(EXTENSIONS_IMAGE_REF) | tar x --to-stdout image-digests) $(EXTENSIONS_IMAGE_REF)@$$(crane digest $(EXTENSIONS_IMAGE_REF)); do \
+          echo '==>' $$image; \
+          cosign verify $$image --certificate-identity-regexp '@siderolabs\.com$$' --certificate-oidc-issuer https://accounts.google.com || \
+            cosign sign --yes $$image; \
+        done