From: romeroalx
Date: Tue, 21 May 2024 14:33:15 +0000 (+0200)
Subject: gh actions: build-packages.yml - add arm64 builds running on ubicloud
X-Git-Tag: rec-5.1.0-beta1~4^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8f6616cbeaf9a02e654168a6335d4a3843b5f66;p=thirdparty%2Fpdns.git

gh actions: build-packages.yml - add arm64 builds running on ubicloud
---
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
index 24f8183842..0d755826d0 100644
--- a/.github/workflows/build-packages.yml
+++ b/.github/workflows/build-packages.yml
@@ -61,23 +61,37 @@ jobs:
 build:
 needs: prepare
 name: build ${{ inputs.product }} (${{ inputs.ref }}) for ${{ matrix.os }}
- runs-on: ubuntu-22.04
+ runs-on: ${{ matrix.runner-os }}
 strategy:
 matrix:
 os: ${{fromJson(needs.prepare.outputs.oslist)}}
+ runner-os:
+ - ubuntu-22.04
+ - ubicloud-standard-2-arm
+ exclude:
+ - os: el-7
+ runner-os: ubicloud-standard-2-arm
 fail-fast: false
 outputs:
 product-name: ${{ steps.normalize-name.outputs.normalized-package-name }}
 version: ${{ steps.getversion.outputs.version }}
- pkghashes-el-7: ${{ steps.pkghashes.outputs.pkghashes-el-7 }}
- pkghashes-el-8: ${{ steps.pkghashes.outputs.pkghashes-el-8 }}
- pkghashes-el-9: ${{ steps.pkghashes.outputs.pkghashes-el-9 }}
- pkghashes-debian-buster: ${{ steps.pkghashes.outputs.pkghashes-debian-buster }}
- pkghashes-debian-bullseye: ${{ steps.pkghashes.outputs.pkghashes-debian-bullseye }}
- pkghashes-debian-bookworm: ${{ steps.pkghashes.outputs.pkghashes-debian-bookworm }}
- pkghashes-ubuntu-focal: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-focal }}
- pkghashes-ubuntu-jammy: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-jammy }}
- pkghashes-ubuntu-noble: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-noble }}
+ pkghashes-el-7-x86_64: ${{ steps.pkghashes.outputs.pkghashes-el-7-x86_64 }}
+ pkghashes-el-8-x86_64: ${{ steps.pkghashes.outputs.pkghashes-el-8-x86_64 }}
+ pkghashes-el-8-aarch64: ${{ steps.pkghashes.outputs.pkghashes-el-8-aarch64 }}
+ pkghashes-el-9-x86_64: ${{ steps.pkghashes.outputs.pkghashes-el-9-x86_64 }}
+ pkghashes-el-9-aarch64: ${{ steps.pkghashes.outputs.pkghashes-el-9-aarch64 }}
+ pkghashes-debian-buster-x86_64: ${{ steps.pkghashes.outputs.pkghashes-debian-buster-x86_64 }}
+ pkghashes-debian-buster-aarch64: ${{ steps.pkghashes.outputs.pkghashes-debian-buster-aarch64 }}
+ pkghashes-debian-bullseye-x86_64: ${{ steps.pkghashes.outputs.pkghashes-debian-bullseye-x86_64 }}
+ pkghashes-debian-bullseye-aarch64: ${{ steps.pkghashes.outputs.pkghashes-debian-bullseye-aarch64 }}
+ pkghashes-debian-bookworm-x86_64: ${{ steps.pkghashes.outputs.pkghashes-debian-bookworm-x86_64 }}
+ pkghashes-debian-bookworm-aarch64: ${{ steps.pkghashes.outputs.pkghashes-debian-bookworm-aarch64 }}
+ pkghashes-ubuntu-focal-x86_64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-focal-x86_64 }}
+ pkghashes-ubuntu-focal-aarch64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-focal-aarch64 }}
+ pkghashes-ubuntu-jammy-x86_64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-jammy-x86_64 }}
+ pkghashes-ubuntu-jammy-aarch64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-jammy-aarch64 }}
+ pkghashes-ubuntu-noble-x86_64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-noble-x86_64 }}
+ pkghashes-ubuntu-noble-aarch64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-noble-aarch64 }}
 srchashes: ${{ steps.srchashes.outputs.srchashes }}
 steps:
 - uses: actions/checkout@v4
@@ -91,12 +105,10 @@ jobs:
 run: |
 echo "version=$(readlink builder/tmp/latest)" >> $GITHUB_OUTPUT
 id: getversion
- - name: Upload packages as GH artifacts
- uses: actions/upload-artifact@v4
- with:
- name: ${{ inputs.product }}-${{ matrix.os }}-${{ steps.getversion.outputs.version }}
- path: built_pkgs/
- retention-days: 7
+ - name: Get target architecture
+ run: |
+ echo "target-arch=$(uname -m)" >> $GITHUB_OUTPUT
+ id: getarch
 - name: Normalize package name
 id: normalize-name
 run: |
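Review bot: The new `ubicloud-standard-2-arm` value for `runs-on` moves the aarch64 package builds onto a third-party runner, and the hashes computed there are what the provenance job later signs as `base64-subjects`; as far as this diff shows, nothing in the workflow records or restricts which runner produced a given subject. I would document that trust boundary next to the matrix, e.g. `# aarch64 legs run on Ubicloud-hosted runners; their pkghashes feed the SLSA provenance`. Adding the runner to the job name would also let the two legs per OS be told apart in logs: `name: build ${{ inputs.product }} (${{ inputs.ref }}) for ${{ matrix.os }} on ${{ matrix.runner-os }}`. The `build` job continues past the end of this hunk.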
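Review bot: `target-arch` is taken from `uname -m` without any check, yet every later use assumes it is exactly `x86_64` or `aarch64`: the declared job outputs, the tarball and artifact names, and the provenance matrices. An unexpected value (for instance a runner image that reports `arm64`) would write an output key the job does not declare, and would likely only surface later at the hash-missing gate. Failing in this step is clearer: `arch=$(uname -m); case "$arch" in x86_64|aarch64) echo "target-arch=$arch" >> "$GITHUB_OUTPUT" ;; *) echo "unexpected arch: $arch" >&2; exit 1 ;; esac`.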
@@ -107,18 +119,25 @@ jobs:
 else
 echo "normalized-package-name=${{ inputs.product }}" >> $GITHUB_OUTPUT
 fi
-
+ - name: Include architecture in the packages compressed file name
+ run: for f in $(ls ./built_pkgs/*/*/*-${{ matrix.os }}.tar.bz2 | sed 's/\.tar.bz2$//'); do mv $f.tar.bz2 $f-${{ steps.getarch.outputs.target-arch }}.tar.bz2; done
+ - name: Upload packages as GH artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ inputs.product }}-${{ matrix.os }}-${{ steps.getversion.outputs.version }}-${{ steps.getarch.outputs.target-arch }}
+ path: built_pkgs/
+ retention-days: 7
 - name: Extract packages from the tarball
 # so we get provenance for individual packages (and the JSON package manifests from the builder)
 id: extract
 run: |
 mkdir -m 700 -p ./packages/
- tar xvf ./built_pkgs/*/*/${{ steps.normalize-name.outputs.normalized-package-name }}-${{ steps.getversion.outputs.version }}-${{ matrix.os }}.tar.bz2 -C ./packages/ --transform='s/.*\///'
+ tar xvf ./built_pkgs/*/*/${{ steps.normalize-name.outputs.normalized-package-name }}-${{ steps.getversion.outputs.version }}-${{ matrix.os }}-${{ steps.getarch.outputs.target-arch }}.tar.bz2 -C ./packages/ --transform='s/.*\///'
 - name: Generate package hashes for provenance
 shell: bash
 id: pkghashes
 run: |
- echo "pkghashes-${{ matrix.os }}=$(sha256sum ./packages/*.rpm ./packages/*.deb ./packages/*.json | base64 -w0)" >> $GITHUB_OUTPUT
+ echo "pkghashes-${{ matrix.os }}-${{ steps.getarch.outputs.target-arch }}=$(sha256sum ./packages/*.rpm ./packages/*.deb ./packages/*.json | base64 -w0)" >> $GITHUB_OUTPUT
 - name: Generate source hash for provenance
 shell: bash
 id: srchashes
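Review bot: The rename step builds its shell text from `${{ matrix.os }}` and `${{ steps.getarch.outputs.target-arch }}` by direct expression interpolation and then word-splits `ls` output into an unquoted `$f`, so any whitespace or shell metacharacter in those values or in a path is interpreted by bash. The same inline pattern is in the `tar xvf` and `pkghashes` lines of this hunk and in `for os in ${{ inputs.os }}` in the later "Get list of OS inputs" hunk. Passing the values through `env:` and globbing directly avoids that, and an unmatched glob then makes `mv` fail instead of the loop silently doing nothing. The sed pattern `\.tar.bz2$` also leaves its second dot unescaped, which the parameter expansion below sidesteps.

```yaml
- name: Include architecture in the packages compressed file name
  env:
    OS: ${{ matrix.os }}
    ARCH: ${{ steps.getarch.outputs.target-arch }}
  run: |
    for f in ./built_pkgs/*/*/*-"$OS".tar.bz2; do
      mv -- "$f" "${f%.tar.bz2}-$ARCH.tar.bz2"
    done
# … unchanged: upload, extract and hash steps …
```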
@@ -146,7 +165,14 @@ jobs:
 - name: Get list of outputs from build jobs
 run: echo '${{ toJSON(needs.build.outputs) }}' | jq 'keys[]' | grep -vE 'version|product-name' | tee /tmp/build-outputs.txt
 - name: Get list of OS inputs
- run: for i in ${{ inputs.os }}; do echo "\"pkghashes-$i\""; done | sort | tee /tmp/os-inputs.txt; echo "\"srchashes\"" | tee -a /tmp/os-inputs.txt
+ run: |
+ for os in ${{ inputs.os }}; do
+ for architecture in x86_64 aarch64; do
+ [[ "$os" != "el-7" || "$architecture" != "aarch64" ]] && echo "\"pkghashes-$os-$architecture\"" | tee -a /tmp/os-inputs.txt
+ done
+ done
+ sort -o /tmp/os-inputs.txt /tmp/os-inputs.txt
+ echo "\"srchashes\"" | tee -a /tmp/os-inputs.txt
 - name: Fail if there is a hash missing
 run: if ! diff -q /tmp/build-outputs.txt /tmp/os-inputs.txt; then exit 1; fi
 
@@ -156,15 +182,19 @@ jobs:
 strategy:
 matrix:
 os: ${{fromJson(needs.prepare.outputs.oslist)}}
+ architecture: ['x86_64', 'aarch64']
+ exclude:
+ - os: el-7
+ architecture: aarch64
 permissions:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To be able to upload assets as release artifacts
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
 with:
- base64-subjects: "${{ needs.build.outputs[format('pkghashes-{0}', matrix.os)] }}"
+ base64-subjects: "${{ needs.build.outputs[format('pkghashes-{0}-{1}', matrix.os, matrix.architecture)] }}"
 upload-assets: false
- provenance-name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-${{ matrix.os}}.intoto.jsonl"
+ provenance-name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-${{ matrix.os }}-${{ matrix.architecture }}.intoto.jsonl"
 
 provenance-src:
 needs: build
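Review bot: The expected-key list for the hash-completeness gate is rebuilt in the "Get list of OS inputs" step from a hard-coded `x86_64 aarch64` list and a hard-coded el-7 exception. That now has to be kept in step by hand with the `exclude` entries in the build matrix, the two provenance matrices in the following hunks, and the static `pkghashes-*` job outputs. Since this gate is what notices a package set that would otherwise go out without provenance, I would add a comment above the loop such as `# keep in sync with the matrix 'exclude' entries and the build job's pkghashes-* outputs`. The file is also appended to with `tee -a` and sorted under the runner's locale while the other side comes from jq's key order; `: > /tmp/os-inputs.txt` before the loop and `LC_ALL=C sort -o /tmp/os-inputs.txt /tmp/os-inputs.txt` would make the comparison independent of leftovers and locale.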
@@ -186,6 +216,10 @@ jobs:
 strategy:
 matrix:
 os: ${{fromJson(needs.prepare.outputs.oslist)}}
+ architecture: ['x86_64', 'aarch64']
+ exclude:
+ - os: el-7
+ architecture: aarch64
 steps:
 - name: Download source tarball provenance for ${{ inputs.product }} (${{ inputs.ref }})
 id: download-src-provenance
@@ -196,7 +230,7 @@ jobs:
 id: download-provenance
 uses: actions/download-artifact@v4 # be careful, this needs to match what https://github.com/slsa-framework/slsa-github-generator is using
 with:
- name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-${{ matrix.os}}.intoto.jsonl"
+ name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-${{ matrix.os }}-${{ matrix.architecture }}.intoto.jsonl"
 - name: Upload provenance artifacts to downloads.powerdns.com
 id: upload-provenance
 env: