[WIP] Securing EVE Logs #9174
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: PR build | |
on: # yamllint disable-line rule:truthy | |
pull_request_target: | |
branches: | |
- "master" | |
- "[0-9]+.[0-9]+" | |
- "[0-9]+.[0-9]+-stable" | |
paths-ignore: | |
- '.github/**' | |
- '**/*.md' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number }} | |
cancel-in-progress: true | |
jobs: | |
packages: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: buildjet-4vcpu-ubuntu-2204-arm | |
arch: arm64 | |
- os: buildjet-4vcpu-ubuntu-2004 | |
arch: amd64 | |
- os: buildjet-4vcpu-ubuntu-2004 | |
arch: riscv64 | |
steps: | |
- name: Starting Report | |
run: | | |
echo Git Ref: ${{ github.event.pull_request.head.ref }} | |
echo GitHub Event: ${{ github.event_name }} | |
echo Disk usage | |
df -h | |
echo Memory | |
free -m | |
- name: Clear repository | |
run: | | |
sudo rm -fr "$GITHUB_WORKSPACE" && mkdir "$GITHUB_WORKSPACE" | |
rm -fr ~/.linuxkit | |
docker system prune --all --force --volumes | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
ref: ${{ github.event.pull_request.head.ref }} | |
fetch-depth: 0 | |
- name: Login to Docker Hub | |
if: ${{ github.event.repository.full_name }}== 'lf-edge/eve' | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }} | |
password: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }} | |
- name: ensure zstd for cache # this should be removed once the arm64 VM includes zstd | |
if: ${{ matrix.os == 'buildjet-4vcpu-ubuntu-2204-arm' || matrix.os == 'arm64-secure' }} | |
run: | | |
sudo apt install -y zstd | |
- name: ensure packages for cross-arch build | |
if: ${{ matrix.arch == 'riscv64' }} | |
run: | | |
APT_INSTALL="sudo apt install -y binfmt-support qemu-user-static" | |
# the following weird statement is here to speed up the happy path | |
# if the default server is responding -- we can skip apt update | |
$APT_INSTALL || { sudo apt update && $APT_INSTALL ; } | |
# The next step explicitly use actions/cache, rather than actions/cache/save at the end. | |
# If we rerun a job without changing the sha, we should not have to rebuild anything. | |
# Since the cache is keyed on the head sha, it will retrieve it. | |
- name: update linuxkit cache if available | |
uses: actions/cache@v4 | |
with: | |
path: ~/.linuxkit/cache | |
key: linuxkit-${{ matrix.arch }}-${{ github.event.pull_request.head.sha }} | |
- name: Build packages | |
run: | | |
make V=1 PRUNE=1 ZARCH=${{ matrix.arch }} pkgs | |
- name: Post package report | |
run: | | |
echo Disk usage | |
df -h | |
echo Memory | |
free -m | |
docker system df | |
docker system df -v | |
eve: | |
needs: packages # all packages for all platforms must be built first | |
runs-on: buildjet-4vcpu-ubuntu-2004 | |
strategy: | |
fail-fast: false | |
matrix: | |
arch: [arm64, amd64] | |
hv: [xen, kvm, kubevirt] | |
platform: ["generic"] | |
include: | |
- arch: riscv64 | |
hv: mini | |
platform: "generic" | |
- arch: amd64 | |
hv: kvm | |
platform: "rt" | |
- arch: arm64 | |
hv: kvm | |
platform: "nvidia" | |
- arch: arm64 | |
hv: kvm | |
platform: "imx8mp_pollux" | |
- arch: arm64 | |
hv: kvm | |
platform: "imx8mp_epc_r3720" | |
exclude: | |
- arch: arm64 | |
hv: kubevirt | |
platform: "generic" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
ref: ${{ github.event.pull_request.head.ref }} | |
fetch-depth: 0 | |
- name: Login to Docker Hub | |
if: ${{ github.event.repository.full_name }}== 'lf-edge/eve' | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }} | |
password: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }} | |
- name: Arch Runner is Matrix | |
id: arch_runner_equals_matrix | |
run: | | |
RUNNER_ARCH=${{ runner.arch }} | |
[ "$RUNNER_ARCH" = "X64" ] && RUNNER_ARCH="amd64" | |
[ "$RUNNER_ARCH" = "ARM64" ] && RUNNER_ARCH="arm64" | |
[ "$RUNNER_ARCH" = "X86" ] && RUNNER_ARCH="i386" | |
[ "$RUNNER_ARCH" = "ARM" ] && RUNNER_ARCH="arm" | |
MATCHED="false" | |
[ "$RUNNER_ARCH" = "${{ matrix.arch }}" ] && MATCHED="true" | |
# report for good measure | |
echo "runner_arch=${RUNNER_ARCH}" | |
echo "matrix_arch=${{ matrix.arch }}" | |
echo "matched=${MATCHED}" | |
echo "matched=${MATCHED}" >> "$GITHUB_OUTPUT" | |
# the next three steps - cache_for_docker, load images, and cache_for_packages - | |
# having nothing to do with the content of the final eve image. Instead, it is because we are running | |
# on amd64, and we need some of the tools in order to compose the final eve image for the target arch. | |
# These tools are in pkg/, and therefore are part of packages, and we need them in docker. | |
# Rather than build them again, we just restore the cache for our runner architecture, | |
# load them into docker, and then clear the cache so we can load the cache for the target arch. | |
- name: update linuxkit cache for runner arch so we can get desired images | |
id: cache_for_docker | |
uses: actions/cache/restore@v4 | |
with: | |
path: ~/.linuxkit/cache | |
key: linuxkit-amd64-${{ github.event.pull_request.head.sha }} | |
fail-on-cache-miss: true | |
- name: load images we need from linuxkit cache into docker | |
run: | | |
make cache-export-docker-load-all | |
- name: clear linuxkit cache so we can load for target arch | |
if: ${{ steps.arch_runner_equals_matrix.outputs.matched != 'true' }} | |
run: | | |
rm -rf ~/.linuxkit | |
# With the "load into docker" complete, now we can restore the packages into the cache for the target arch (as opposed to the runner arch) | |
- name: update linuxkit cache for our arch | |
id: cache_for_packages | |
if: ${{ steps.arch_runner_equals_matrix.outputs.matched != 'true' }} | |
uses: actions/cache/restore@v4 | |
with: | |
path: ~/.linuxkit/cache | |
key: linuxkit-${{ matrix.arch }}-${{ github.event.pull_request.head.sha }} | |
fail-on-cache-miss: true | |
- name: set environment | |
env: | |
PR_ID: ${{ github.event.pull_request.number }} | |
run: | | |
COMMIT_ID=$(git describe --abbrev=8 --always) | |
echo "VERSION=0.0.0-pr$PR_ID-$COMMIT_ID" >> $GITHUB_ENV | |
echo "TAG=evebuild/pr:$PR_ID" >> $GITHUB_ENV | |
echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV" | |
- name: Build EVE ${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }} | |
run: | | |
make V=1 ROOTFS_VERSION="$VERSION" PLATFORM=${{ matrix.platform }} HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} pkgs eve # note that this already loads it into docker | |
- name: Post eve build report | |
run: | | |
echo Disk usage | |
df -h | |
echo Memory | |
free -m | |
docker system df | |
docker system df -v | |
- name: Export docker container | |
run: | | |
make cache-export ZARCH=${{ matrix.arch }} IMAGE=lfedge/eve:$VERSION-${{ matrix.hv }} OUTFILE=eve-${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }}.tar IMAGE_NAME=$TAG-${{ matrix.hv }}-${{ matrix.arch }} | |
- name: Upload EVE ${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: eve-${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }} | |
path: eve-${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }}.tar | |
- name: Clean EVE ${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }} | |
run: | | |
make clean | |
docker rmi "$TAG-${{ matrix.hv }}-${{ matrix.arch }}" "lfedge/eve:$VERSION-${{ matrix.hv }}" "lfedge/eve:$VERSION-${{ matrix.hv }}-${{ matrix.arch }}" ||: | |
- name: Post clean eve ${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }} report | |
run: | | |
echo Disk usage | |
df -h | |
echo Memory | |
free -m | |
docker system df | |
docker system df -v | |
- name: Clean | |
if: ${{ always() }} | |
run: | | |
make clean | |
docker system prune -f -a --volumes | |
rm -rf ~/.linuxkit |