|
| 1 | +name: Publish GardenLinux New OCI Image |
| 2 | + |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + workflow_dispatch: |
| 6 | + inputs: |
| 7 | + version: |
| 8 | + description: "Specify the GardenLinux version to process (e.g., 1877.0)" |
| 9 | + required: true |
| 10 | + |
| 11 | +jobs: |
| 12 | + publish: |
| 13 | + runs-on: ubuntu-latest |
| 14 | + |
| 15 | + steps: |
| 16 | + - name: Set Version |
| 17 | + run: echo "VERSION=1877.0" >> $GITHUB_ENV |
| 18 | + |
| 19 | + - name: Checkout Repository |
| 20 | + uses: actions/checkout@v2 |
| 21 | + |
| 22 | + - name: Install Dependencies |
| 23 | + run: | |
| 24 | + sudo apt-get update -qq |
| 25 | + sudo apt-get install -y jq curl git make |
| 26 | +
|
| 27 | + - name: Setup ORAS |
| 28 | + uses: oras-project/setup-oras@v1 |
| 29 | + |
| 30 | + - name: Fetch and Process Metal PXE Layers |
| 31 | + id: fetch-and-process |
| 32 | + env: |
| 33 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 34 | + run: | |
| 35 | + set -euo pipefail |
| 36 | + |
| 37 | + echo "Authenticating ORAS with GitHub Container Registry..." |
| 38 | + echo "$GITHUB_TOKEN" | oras login ghcr.io -u github --password-stdin |
| 39 | + |
| 40 | + IMAGE_REF="ghcr.io/gardenlinux/gardenlinux:1877.0" |
| 41 | + INDEX_FILE="index-manifest.json" |
| 42 | + PXE_LAYERS_FILE="metal-pxe-layers.json" |
| 43 | + |
| 44 | + echo "Fetching index manifest from: $IMAGE_REF" |
| 45 | + INDEX_RAW=$(oras manifest fetch "$IMAGE_REF") || { echo "Failed to fetch index manifest"; exit 1; } |
| 46 | + |
| 47 | + echo "$INDEX_RAW" | jq . > "$INDEX_FILE" || { echo "Invalid JSON from index"; exit 1; } |
| 48 | + |
| 49 | + echo "Filtering PXE variant layers..." |
| 50 | + jq -c '.manifests[] | select(.annotations.cname? and (.annotations.cname | startswith("metal_pxe")))' "$INDEX_FILE" > "$PXE_LAYERS_FILE" |
| 51 | + |
| 52 | + mkdir -p binaries/amd64 binaries/arm64 |
| 53 | + |
| 54 | + jq -c '.' "$PXE_LAYERS_FILE" | while read -r layer; do |
| 55 | + ARCH=$(echo "$layer" | jq -r '.platform.architecture // empty') |
| 56 | + DIGEST=$(echo "$layer" | jq -r '.digest // empty') |
| 57 | + |
| 58 | + if [[ -z "$ARCH" || -z "$DIGEST" ]]; then |
| 59 | + echo "Skipping layer due to missing architecture or digest" |
| 60 | + continue |
| 61 | + fi |
| 62 | + |
| 63 | + echo "Processing architecture: $ARCH | digest: $DIGEST" |
| 64 | + |
| 65 | + MANIFEST_RAW=$(oras manifest fetch "ghcr.io/gardenlinux/gardenlinux@$DIGEST") || { |
| 66 | + echo "Failed to fetch manifest for $DIGEST"; continue; |
| 67 | + } |
| 68 | + |
| 69 | + echo "$MANIFEST_RAW" | jq . > "manifest-$ARCH.json" || { |
| 70 | + echo "Invalid manifest JSON for $ARCH"; continue; |
| 71 | + } |
| 72 | + |
| 73 | + for BINARY in initrd vmlinuz root.squashfs; do |
| 74 | + echo "Fetching $BINARY for $ARCH..." |
| 75 | + |
| 76 | + BINARY_DIGEST=$(echo "$MANIFEST_RAW" | jq -r --arg bin "$BINARY" '.layers[] | select(.annotations."org.opencontainers.image.title" == $bin).digest // empty') |
| 77 | + |
| 78 | + if [[ -z "$BINARY_DIGEST" ]]; then |
| 79 | + echo "No digest found for $BINARY in $ARCH" |
| 80 | + continue |
| 81 | + fi |
| 82 | + |
| 83 | + oras blob fetch ghcr.io/gardenlinux/gardenlinux@$BINARY_DIGEST -o "binaries/$ARCH/$BINARY" || { |
| 84 | + echo "Failed to fetch $BINARY with oras for $ARCH" |
| 85 | + continue |
| 86 | + } |
| 87 | + |
| 88 | + echo "Downloaded $BINARY for $ARCH" |
| 89 | + done |
| 90 | + done |
| 91 | +
|
| 92 | +
|
| 93 | + - name: Login to GitHub Container Registry |
| 94 | + uses: docker/login-action@v1 |
| 95 | + with: |
| 96 | + registry: ghcr.io |
| 97 | + username: ${{ github.actor }} |
| 98 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 99 | + |
| 100 | + - name: Authenticate with GitHub |
| 101 | + env: |
| 102 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 103 | + run: | |
| 104 | + echo "Authenticating with GitHub..." |
| 105 | + git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" |
| 106 | +
|
| 107 | + - name: Clone Ironcore Image Repository |
| 108 | + run: | |
| 109 | + git clone https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/ironcore-dev/ironcore-image.git |
| 110 | + cd ironcore-image |
| 111 | + make build |
| 112 | +
|
| 113 | + - name: Build New OCI Image |
| 114 | + run: | |
| 115 | + cd ironcore-image |
| 116 | + ./bin/ironcore-image build \ |
| 117 | + --tag ghcr.io/ironcore-dev/os-images/test-image:${{ github.event.inputs.version }} \ |
| 118 | + --config arch=amd64,squashfs=../binaries/amd64/root.squashfs,initramfs=../binaries/amd64/initrd,kernel=../binaries/amd64/vmlinuz \ |
| 119 | + --config arch=arm64,squashfs=../binaries/arm64/root.squashfs,initramfs=../binaries/arm64/initrd,kernel=../binaries/arm64/vmlinuz |
| 120 | +
|
| 121 | + - name: Push New OCI Image |
| 122 | + run: | |
| 123 | + cd ironcore-image |
| 124 | + ./ironcore-image push ghcr.io/ironcore-dev/os-images/test-image:${{ github.event.inputs.version }} --push-sub-manifests |
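Review bot: The `GITHUB_TOKEN` is embedded in the clone URL in "Clone Ironcore Image Repository" and written into the global git config by the step before it. It therefore stays in `ironcore-image/.git/config` and `~/.gitconfig` while `make build` and the built binary run code from that repository, and the workflow also has no `permissions:` block and triggers on `pull_request`. Clone without the token in the URL (the `insteadOf` rewrite already supplies credentials, if any are needed) and limit the token to the scopes the job appears to use. Separately, `${{ github.event.inputs.version }}` is expanded directly inside the `run:` scripts of the build and push steps, so the input reaches the shell unquoted and is empty on `pull_request` runs; pass it through `env:` and use `--tag "ghcr.io/ironcore-dev/os-images/test-image:${IMAGE_TAG}"` in both steps. The three actions are referenced by mutable tags (`@v2`, `@v1`) and would be better pinned to commit SHAs.

```yaml
# … unchanged: name, on …
permissions:
  contents: read
  packages: write   # needed only for the ghcr.io push

# … unchanged: steps up to "Authenticate with GitHub" …
      - name: Clone Ironcore Image Repository
        run: |
          # No credentials in the URL: they would be stored in .git/config
          git clone https://github.com/ironcore-dev/ironcore-image.git
          cd ironcore-image
          make build

      - name: Build New OCI Image
        env:
          IMAGE_TAG: ${{ github.event.inputs.version }}
        # … unchanged: run block, with --tag reading "${IMAGE_TAG}" …
```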