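# Reusable workflow: generates a build matrix from a spec, then builds (and
# optionally publishes) one kernel per matrix entry.
name: Build Kernel Matrix
on:
  workflow_call:
    inputs:
      spec:
        description: 'Build Specification'
        type: string
        default: "new"
        required: true
      publish:
        description: 'Publish Builds'
        type: boolean
        default: true
        required: true
concurrency:
  group: "kernel-builder"
# NOTE(review): no `permissions:` block is declared, so every job runs with
# whatever GITHUB_TOKEN scopes the calling workflow grants. The visible steps
# of the `matrix` job only read the repository; scope each job explicitly once
# the needs of the `build` job (ghcr.io login, cosign) are confirmed.
jobs:
  matrix:
    name: matrix
    runs-on: ubuntu-latest
    steps:
      # `audit` only records outbound connections, it does not block them.
      # Once the observed endpoints are known, `egress-policy: block` with an
      # `allowed-endpoints` list turns the record into an enforced policy.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          submodules: recursive
      - name: install dependencies
        run: ./hack/build/install-matrix-deps.sh
      # The caller-supplied spec is handed to the shell through an environment
      # variable. Expanding `${{ inputs.spec }}` directly inside `run:` pastes
      # the value into the script text before the shell parses it, so a spec
      # containing `"`, `$(...)` or backticks would be executed as shell code.
      - name: generate matrix
        env:
          MATRIX_SPEC_INPUT: "${{ inputs.spec }}"
        run: 'PATH="${HOME}/go/bin:${PATH}" ./hack/build/generate-matrix.sh "${MATRIX_SPEC_INPUT}"'
      - name: upload matrix
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: matrix
          path: "matrix.json"
          compression-level: 0
      # NOTE(review): the `name=value` form of GITHUB_OUTPUT holds one line.
      # This assumes generate-matrix.sh writes matrix.json as a single line;
      # confirm, or switch to the delimiter form for multi-line values.
      - name: capture matrix
        id: capture-matrix
        run: >
          echo "matrix=$(cat matrix.json)" >> "${GITHUB_OUTPUT}"
    outputs:
      matrix: "${{ steps.capture-matrix.outputs.matrix }}"
  build:
    name: "build ${{ matrix.builds.version }} ${{ matrix.builds.flavor }}"
    needs: matrix
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
    # The runner label, source URLs and tags below all come from matrix.json,
    # so the output of generate-matrix.sh decides where each build runs and
    # what it downloads.
    runs-on: "${{ matrix.builds.runner }}"
    # Matrix values reach the build scripts as environment variables rather
    # than being interpolated into `run:` script text.
    env:
      KERNEL_PUBLISH: "${{ inputs.publish }}"
      KERNEL_VERSION: "${{ matrix.builds.version }}"
      KERNEL_SRC_URL: "${{ matrix.builds.source }}"
      FIRMWARE_URL: "${{ matrix.builds.firmware_url }}"
      FIRMWARE_SIG_URL: "${{ matrix.builds.firmware_sig_url }}"
      KERNEL_FLAVOR: "${{ matrix.builds.flavor }}"
      KERNEL_TAGS: "${{ join(matrix.builds.tags, ',') }}"
      KERNEL_ARCHITECTURES: "${{ join(matrix.builds.architectures, ',') }}"
    steps:
      # Audit mode logs outbound connections without blocking any of them.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      # NOTE(review): checkout keeps the token in the local git config by
      # default (`persist-credentials`), and later steps run repository
      # scripts, one of them under sudo. Confirm whether those scripts need
      # git credentials; if not, set `persist-credentials: false`.
      - name: checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          submodules: recursive
      - name: install cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
      - name: docker setup linux-kernel-oci
        run: sudo python3 ./hack/build/docker-setup.py
      - name: docker setup buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      # The retry wrapper receives GITHUB_TOKEN and forwards it to the login
      # action; both the wrapper and the wrapped action are pinned to a commit.
      - name: docker login ghcr.io
        uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
        with:
          action: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
          with: |
            registry: ghcr.io
            username: "${{github.actor}}"
            password: "${{secrets.GITHUB_TOKEN}}"
      - name: restore ccache
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.2
        with:
          path: ~/.cache/kernel-ccache
          # restore-keys is important here - it lets us restore the most recent cache key,
          # *ignoring* the specific run ID, as a fuzzy match. So we can use previous build's
          # caches for this flavor/arch even if the runid is not the same
          # NOTE(review): the restored objects presumably feed the published
          # build, so any run able to save under this prefix is trusted input.
          key: "ccache-${{ matrix.builds.flavor }}-${{ join(matrix.builds.architectures, '-') }}-${{ github.run_id }}"
          restore-keys: |
            ccache-${{ matrix.builds.flavor }}-${{ join(matrix.builds.architectures, '-') }}-
      - name: generate docker script
        run: "./hack/build/generate-docker-script.sh"
      # NOTE(review): docker.sh is uploaded as an artifact here and traced with
      # `sh -x` in the next step; confirm generate-docker-script.sh never
      # writes credentials or tokens into it.
      - name: upload docker script
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: "build-${{ matrix.builds.version }}-${{ matrix.builds.flavor }}.sh"
          path: "docker.sh"
          compression-level: 0
      - name: run docker script
        run: sh -x docker.sh
      - name: save ccache
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.2
        with:
          path: ~/.cache/kernel-ccache
          # The run_id here is just for write-key uniqueness, as GH doesn't allow overwriting
          # existing cache keys - the `restore` action will fuzzy-match and ignore the run_id
          # for subsequent runs.
          key: "ccache-${{ matrix.builds.flavor }}-${{ join(matrix.builds.architectures, '-') }}-${{ github.run_id }}"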