feat(talos): build custom talos assets

.gitattributes

@@ -0,0 +1,4 @@
+# Prevent things from going into automatic Source Code release assets
+/.github export-ignore
+.gitattributes export-ignore
+README.md export-ignore

.github/renovate.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "major": {
+    "dependencyDashboardApproval": true
+  },
+  "packageRules": [
+    {
+      "description": "Group updates into single PR",
+      "matchFileNames": [".github/workflows/talos-boot-assets.yaml"],
+      "groupName": "Talos boot assets"
+    },
+    {
+      "matchDatasources": ["docker"],
+      "matchPackageNames": [
+        "ghcr.io/siderolabs/intel-ucode",
+        "ghcr.io/siderolabs/i915-ucode"
+      ],
+      "versioning": "regex:^(?<major>\\d{4})(?<minor>\\d{2})(?<patch>\\d{2})\\.?(?<build>\\d+)?$"
+    }
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": ["^.github/workflows/.+\\.ya?ml$"],
+      "matchStrings": [
+        "#\\s?renovate: ?\\s+depName=(?<depName>.+?)?\\s(?:.*_(?:version|VERSION):\\s+(?<currentValue>.*))"
+      ],
+      "datasourceTemplate": "docker"
+    }
+  ]
+}

.github/workflows/talos-boot-assets.yaml

@@ -0,0 +1,247 @@
+---
+name: Talos Boot Assets Generation
+
+on:
+  schedule:
+    - cron: "0 * * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.actor }}-build
+
+env:
+  # renovate: depName=ghcr.io/siderolabs/intel-ucode
+  INTEL_UCODE_VERSION: 20230808
+  # renovate: depName=ghcr.io/siderolabs/i915-ucode
+  I915_UCODE_VERSION: 20230919
+
+jobs:
+  sync-pkgs-fork:
+    name: Sync pkgs fork with upstream
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ github.repository }}
+        ref: pkgs
+
+    - name: Pull upstream changes
+      id: sync
+      uses: aormsby/Fork-Sync-With-Upstream-action@v3.4
+      with:
+        target_sync_branch: pkgs
+        target_repo_token: ${{ secrets.GITHUB_TOKEN }}
+        target_branch_push_args: --force
+        upstream_sync_branch: main
+        upstream_sync_repo: siderolabs/pkgs
+        git_config_pull_rebase: true
+
+    outputs:
+      has_new_commits: ${{ steps.sync.outputs.has_new_commits }}
+
+  check-releases:
+    name: Check for new releases
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Fetch latest Talos release version
+        id: talos-release
+        run: |
+          talos_release_tag=$(curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".tag_name")
+          echo "talos_release_tag=$talos_release_tag" >> $GITHUB_OUTPUT
+
+      - name: Fetch latest Boot Asset release version
+        id: boot-asset-release
+        run: |
+          boot_assets_release_tag=$(curl -sL https://api.github.com/repos/buroa/talos-boot-assets/releases/latest | jq -r ".tag_name")
+          echo "boot_assets_release_tag=$boot_assets_release_tag" >> $GITHUB_OUTPUT
+
+      - name: Fetch latest Talos release body
+        id: talos-release-body
+        run: |
+          echo 'talos_release_body<<EOF' >> $GITHUB_OUTPUT
+          curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".body" >> $GITHUB_OUTPUT
+          echo EOF >> $GITHUB_OUTPUT
+
+      - name: Compare release versions
+        if: steps.talos-release.outputs.talos_release_tag != steps.boot-asset-release.outputs.boot_assets_release_tag
+        id: compare-releases
+        run: |
+          curl https://raw.githubusercontent.com/Ariel-Rodriguez/sh-semversion-2/main/semver2.sh -o /tmp/semver2.sh
+          chmod +x /tmp/semver2.sh
+          compare_result=$(/tmp/semver2.sh \
+            ${{ steps.talos-release.outputs.talos_release_tag }} \
+            ${{ steps.boot-asset-release.outputs.boot_assets_release_tag }})
+          echo "compare_result=$compare_result" >> $GITHUB_OUTPUT
+
+    outputs:
+      newTalosReleaseFound: ${{ steps.compare-releases.outputs.compare_result }}
+      talosReleaseTag: ${{ steps.talos-release.outputs.talos_release_tag }}
+      talosReleaseBody: ${{ steps.talos-release-body.outputs.talos_release_body }}
+
+  build-kernel:
+    needs: [ sync-pkgs-fork, check-releases ]
+    if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
+    name: Build kernel image
+    runs-on: ubuntu-latest
+
+    outputs:
+      sha: ${{ steps.hash.outputs.sha_short }}
+
+    steps:
+      - name: Maximize build space
+        uses: jlumbroso/free-disk-space@main
+        with:
+          large-packages: true
+          docker-images: true
+          swap-storage: true
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.repository }}
+          ref: pkgs
+
+      - name: Get short commit hash
+        id: hash
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build kernel image
+        env:
+          PLATFORM: linux/amd64
+          USERNAME: ${{ github.actor }}
+        run: make kernel PUSH=true
+
+  build-installer:
+    needs: [ check-releases, build-kernel ]
+    if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
+    name: Build installer image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          repository: siderolabs/talos
+          ref: main # refs/tags/${{ needs.check-releases.outputs.talosReleaseTag }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build installer image
+        env:
+          PLATFORM: linux/amd64
+          USERNAME: ${{ github.actor }}
+          TAG: ${{ needs.check-releases.outputs.talosReleaseTag }}
+          PKG_KERNEL: ghcr.io/${{ github.actor }}/kernel:${{ needs.build-kernel.outputs.sha }}
+        run: make installer PUSH=true
+
+  build-boot-assets:
+    needs: [ check-releases, build-installer ]
+    if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
+    name: Build boot assets
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    container:
+      image: ghcr.io/buroa/installer:${{ needs.check-releases.outputs.talosReleaseTag }}
+      options: --privileged
+      volumes:
+        - /dev:/dev
+
+    steps:
+      - name: Build amd64 installer w/ Intel & I915 Ucode
+        run: |
+          /bin/imager installer \
+            --arch amd64 \
+            --base-installer-image ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }} \
+            --system-extension-image ghcr.io/siderolabs/intel-ucode:${{ env.INTEL_UCODE_VERSION }} \
+            --system-extension-image ghcr.io/siderolabs/i915-ucode:${{ env.I915_UCODE_VERSION }}
+
+      - name: Upload installer artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: talos-installer
+          path: /out/installer-amd64.tar
+          if-no-files-found: error
+          retention-days: 1
+
+  create-release:
+    needs: [ check-releases, build-boot-assets ]
+    if: needs.check-releases.outputs.newTalosReleaseFound
+    name: Create a new release
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Create a new release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ needs.check-releases.outputs.talosReleaseTag }}
+          body: ${{ needs.check-releases.outputs.talosReleaseBody }}
+
+  push-installer-image:
+    needs: [ check-releases, build-boot-assets ]
+    name: Push installer image
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Download build asset images
+        uses: actions/download-artifact@v3
+        with:
+          name: talos-installer
+          path: /tmp/talos-build-assets
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: imjasonh/setup-crane@v0.3
+      - name: Push installer image
+        run: |
+          crane push \
+            --platform linux/amd64 \
+            /tmp/talos-build-assets/installer-amd64.tar \
+            ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }}

README.md

@@ -0,0 +1,7 @@
+# talos-boot-assets
+
+## Overview
+
+This repository contains a [GitHub Actions](https://docs.github.com/en/actions) workflow that runs on a cronjob every hour to check and see if a new official [Talos Linux](https://github.com/siderolabs/talos) release has been pushed.
+
+If it detects a newer version is available _(compared to the tag(s) in this repo)_ it will use [Talos Imager](https://github.com/siderolabs/talos/tree/main/pkg/imager) to build new [Boot Assets](https://www.talos.dev/v1.5/talos-guides/install/boot-assets/) used in my [k8s-gitops](https://github.com/buroa/k8s-gitops) environment.