feat: build secure boot images

This commit is contained in:
Steven Kreitzer 2023-12-01 12:52:17 -06:00
parent da79ae072c
commit 23ae905287
No known key found for this signature in database
GPG key ID: 76F902141A05C232


@ -122,13 +122,6 @@ jobs:
sha: ${{ steps.hash.outputs.sha_short }} sha: ${{ steps.hash.outputs.sha_short }}
steps: steps:
- name: Maximize build space
uses: jlumbroso/free-disk-space@main
with:
large-packages: true
docker-images: true
swap-storage: true
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
@ -141,13 +134,32 @@ jobs:
sha_short=$(git rev-parse --short HEAD) sha_short=$(git rev-parse --short HEAD)
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
- name: Check if kernel image is already built
id: check
run: |
token=$(echo "${{ secrets.GITHUB_TOKEN }}" | base64)
tags=$(curl -H "Authorization: Bearer $token" https://ghcr.io/v2/${{ github.actor }}/kernel/tags/list)
built=$(echo "$tags" | jq -r '.tags | contains(["${{ steps.hash.outputs.sha_short }}"])')
echo "built=$built" >> $GITHUB_OUTPUT
- name: Maximize build space
if: steps.check.outputs.built == 'false'
uses: jlumbroso/free-disk-space@main
with:
large-packages: true
docker-images: true
swap-storage: true
- name: Set up QEMU - name: Set up QEMU
if: steps.check.outputs.built == 'false'
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx - name: Set up Docker Buildx
if: steps.check.outputs.built == 'false'
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
if: steps.check.outputs.built == 'false'
uses: docker/login-action@v3.0.0 uses: docker/login-action@v3.0.0
with: with:
registry: ghcr.io registry: ghcr.io
@ -155,6 +167,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build kernel image - name: Build kernel image
if: steps.check.outputs.built == 'false'
env: env:
PLATFORM: linux/amd64 PLATFORM: linux/amd64
USERNAME: ${{ github.actor }} USERNAME: ${{ github.actor }}
@ -226,22 +239,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
retention-days: 1 retention-days: 1
create-release:
needs: [ check-releases, build-boot-assets ]
if: needs.check-releases.outputs.newTalosReleaseFound
name: Create a new release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Create a new release
uses: softprops/action-gh-release@v1
with:
tag_name: ${{ needs.check-releases.outputs.talosReleaseTag }}
body: ${{ needs.check-releases.outputs.talosReleaseBody }}
push-installer-image: push-installer-image:
needs: [ check-releases, build-boot-assets ] needs: [ check-releases, build-boot-assets ]
name: Push installer image name: Push installer image
@ -252,7 +249,7 @@ jobs:
packages: write packages: write
steps: steps:
- name: Download build asset images - name: Download talos installer image
uses: actions/download-artifact@v3 uses: actions/download-artifact@v3
with: with:
name: talos-installer name: talos-installer
@ -278,3 +275,120 @@ jobs:
--platform linux/amd64 \ --platform linux/amd64 \
/tmp/talos-build-assets/metal-amd64-installer.tar \ /tmp/talos-build-assets/metal-amd64-installer.tar \
ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }} ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }}
build-secure-boot-assets:
needs: [ check-releases, build-installer ]
if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
name: Build secure boot assets
runs-on: ubuntu-latest
permissions:
contents: write
container:
image: ghcr.io/buroa/installer:${{ needs.check-releases.outputs.talosReleaseTag }}
options: --privileged
volumes:
- /dev:/dev
steps:
- name: Write uki-signing-cert.pem
id: uki-signing-cert-pem
uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4
with:
encodedString: "${{ secrets.UKI_SIGNING_CERT }}"
fileDir: /secureboot
fileName: uki-signing-cert.pem
- name: Write uki-signing-key.pem
id: uki-signing-key-pem
uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4
with:
encodedString: "${{ secrets.UKI_SIGNING_KEY }}"
fileDir: /secureboot
fileName: uki-signing-key.pem
- name: Write pcr-signing-key.pem
id: pcr-signing-key-pem
uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4
with:
encodedString: "${{ secrets.PCR_SIGNING_KEY }}"
fileDir: /secureboot
fileName: pcr-signing-key.pem
- name: Write pcr-signing-public-key.pem
id: pcr-signing-public-key-pem
uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4
with:
encodedString: "${{ secrets.PCR_SIGNING_PUBLIC_KEY }}"
fileDir: /secureboot
fileName: pcr-signing-public-key.pem
- name: Build amd64 secureboot-installer w/ Intel & I915 Ucode
run: |
/bin/imager secureboot-installer \
--arch amd64 \
--base-installer-image ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }} \
--system-extension-image ghcr.io/siderolabs/intel-ucode:${{ env.INTEL_UCODE_VERSION }} \
--system-extension-image ghcr.io/siderolabs/i915-ucode:${{ env.I915_UCODE_VERSION }}
- name: Upload secureboot-installer artifact
uses: actions/upload-artifact@v3
with:
name: talos-secureboot-installer
path: /out/metal-amd64-secureboot-installer.tar
if-no-files-found: error
retention-days: 1
push-secureboot-installer-image:
needs: [ check-releases, build-secure-boot-assets ]
name: Push secureboot-installer image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Download talos secureboot-installer image
uses: actions/download-artifact@v3
with:
name: talos-secureboot-installer
path: /tmp/talos-build-assets
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: imjasonh/setup-crane@v0.3
- name: Push secureboot-installer image
run: |
crane push \
--platform linux/amd64 \
/tmp/talos-build-assets/metal-amd64-secureboot-installer.tar \
ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }}-secureboot
create-release:
needs: [ check-releases, push-installer-image, push-secureboot-installer-image ]
if: needs.check-releases.outputs.newTalosReleaseFound
name: Create a new release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Create a new release
uses: softprops/action-gh-release@v1
with:
tag_name: ${{ needs.check-releases.outputs.talosReleaseTag }}
body: ${{ needs.check-releases.outputs.talosReleaseBody }}
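Review bot: In the last hunk, `build-secure-boot-assets` pulls `ghcr.io/…/installer:<talosReleaseTag>` both as its job `container.image` and as `--base-installer-image`, but its `needs` lists `build-installer` and not `push-installer-image`, the job in this same file that publishes that tag with `crane push`; unless `build-installer` (not visible here) pushes the image itself, the job can start before the tag exists and fail or pick up a stale image, which `needs: [ check-releases, build-installer, push-installer-image ]` would rule out. The container image is also hard-coded to `ghcr.io/buroa/installer` while the base image and the push target use `${{ github.actor }}`, so a run triggered by a different actor would execute inside one image and build on top of another. The job only uploads an artifact yet declares `contents: write` while running `--privileged` with `/dev` mounted and the UKI and PCR private keys written into the container; `contents: read` is sufficient here, as `push-secureboot-installer-image` already shows. Separately, in the second hunk the guard `steps.check.outputs.built == 'false'` skips every build step whenever the curl or jq call fails and `built` ends up empty or `null`; comparing with `!= 'true'`, or starting the script with `set -euo pipefail`, turns that into a visible failure instead of a silently skipped kernel build.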