Do not fail SealDiskKey if PCRs/eventlog can not be saved #1773

Workflow file for this run

---
# Publish workflow: the only trigger is a push to one of the branches or
# tags listed below.
name: Publish
on:  # yamllint disable-line rule:truthy
  push:
    # These are GitHub filter patterns, not regular expressions. They are
    # quoted so the leading "[" is not parsed as a YAML flow sequence.
    branches:
      - "master"
      - "[0-9]+.[0-9]+"
      - "[0-9]+.[0-9]+-stable"
    tags:
      - "[0-9]+.[0-9]+.[0-9]+"
      - "[0-9]+.[0-9]+.[0-9]+-lts"
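# NOTE(review): no `permissions:` key is set at workflow or job level, so
# GITHUB_TOKEN carries the repository/organisation default scopes. Nothing
# visible in this file writes to the repository; consider
# `permissions: { contents: read }` once ./.github/actions/run-make is
# confirmed not to need more.
jobs:
  # Builds and pushes every package image, once per architecture.
  packages:
    # Skip on forks: only the upstream repository publishes.
    if: github.event.repository.full_name == 'lf-edge/eve'
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          # presumably a self-hosted runner label -- confirm
          - os: arm64-secure
            arch: arm64
          - os: ubuntu-20.04
            arch: amd64
          - os: ubuntu-latest
            arch: riscv64
    steps:
      - name: Starting Report
        # Context values are handed to the shell through the environment
        # instead of being templated into the script text, matching the
        # REF handling in "Determine architecture prefix and ref".
        env:
          REF: ${{ github.ref }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          echo "Git Ref: $REF"
          echo "GitHub Event: $EVENT_NAME"
          echo Disk usage
          df -h
          echo Memory
          free -m
      # NOTE(review): actions/checkout is referenced by a mutable tag here
      # and in the eve, verification and manifest jobs. Jobs that handle
      # release credentials are better pinned to a full commit SHA.
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Force fetch annotated tags (workaround)
        # Workaround for https://github.com/actions/checkout/issues/290
        run: |
          git fetch --force --tags
      - name: Determine architecture prefix and ref
        env:
          REF: ${{ github.ref }}
        run: |
          # some special installs when building for riscv64
          if [ "${{ matrix.arch }}" = riscv64 ]; then
             APT_INSTALL="sudo apt install -y binfmt-support qemu-user-static"
             # the following weird statement is here to speed up the happy path
             # if the default server is responding -- we can skip apt update
             $APT_INSTALL || { sudo apt update && $APT_INSTALL ; }
             # constraining environment for riscv64 builds
             echo "ZARCH=riscv64" >> "$GITHUB_ENV"
          fi
          echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV"
          echo "TAG=$(echo "$REF" | sed -e 's#^.*/##' -e 's#master#snapshot#' -e 's#main#snapshot#')" >> "$GITHUB_ENV"
      - name: Login to DockerHUB
        # The secrets are passed as environment variables rather than
        # being expanded into the script body: a value containing a quote,
        # `$` or a backtick is then treated as data, not as shell syntax,
        # and the token is not written into the generated script file.
        env:
          DOCKERHUB_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
          DOCKERHUB_ACCOUNT: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
        run: |
          printf '%s\n' "$DOCKERHUB_TOKEN" |
            docker login -u "$DOCKERHUB_ACCOUNT" --password-stdin
      - name: Build packages
        run: |
          SUCCESS=
          # sadly, our build sometimes times out on network access
          # and running out of disk space: re-trying for 3 times
          for i in 1 2 3; do
             if make -e V=1 LINUXKIT_PKG_TARGET=push PRUNE=1 pkgs; then
                SUCCESS=true
                break
             else
                # the most likely reason for 'make pkgs' to fail is
                # the docker cache produced by the build exhausting
                # disk space. So the following can't hurt before we
                # retry:
                docker rmi -f `docker image ls -q` || :
                docker system prune -f || :
             fi
          done
          if [ -z "$SUCCESS" ]; then echo "::error::failed to build and push packages" && exit 1; fi
      - name: Post package report
        run: |
          echo Disk usage
          df -h
          echo Memory
          free -m
          docker system df
          docker system df -v
      # NOTE(review): this step removes images and ~/.linuxkit but does not
      # log out of the registry, and it is skipped when an earlier step
      # fails. By default `docker login` keeps the credential in the
      # runner user's Docker config; on a runner that outlives the job,
      # consider a `docker logout` step guarded by `if: always()`.
      - name: Clean
        run: |
          make clean
          docker system prune -f -a
          rm -rf ~/.linuxkit

  # eve composition can run as a separate job, even on a separate runner, because the packages job
  # published everything. Which means all images are already on the OCI registry.
  eve:
    if: github.event.repository.full_name == 'lf-edge/eve'
    needs: packages
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        arch: [arm64, amd64]
        hv: [kvm, xen]
        # riscv64 is added as a single extra combination with hv=mini
        include:
          - arch: riscv64
            hv: mini
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      # The registry credentials are handed to the repository-local action
      # as inputs; how that action uses them is not visible in this file.
      - uses: ./.github/actions/run-make
        with:
          command: "V=1 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} LINUXKIT_PKG_TARGET=push eve"
          dockerhub-token: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
          dockerhub-account: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
      # SBOM and source publication are skipped for riscv64
      - uses: ./.github/actions/run-make
        if: matrix.arch != 'riscv64'
        with:
          command: "V=1 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} LINUXKIT_PKG_TARGET=push sbom collected_sources compare_sbom_collected_sources publish_sources"
          dockerhub-token: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
          dockerhub-account: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}

  # Runs the `verification` make target for each arch/hypervisor pair.
  verification:
    if: github.event.repository.full_name == 'lf-edge/eve'
    needs: packages
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        arch: [arm64, amd64]
        hv: [kvm, xen]
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: ./.github/actions/run-make
        with:
          command: "V=1 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} LINUXKIT_PKG_TARGET=push verification"
          dockerhub-token: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
          dockerhub-account: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}

  # Runs `make pkgs` with LINUXKIT_PKG_TARGET=manifest after the
  # per-architecture package builds have finished.
  manifest:
    if: github.event.repository.full_name == 'lf-edge/eve'
    runs-on: ubuntu-latest
    needs: packages
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: ./.github/actions/run-make
        with:
          command: "V=1 LINUXKIT_PKG_TARGET=manifest pkgs"
          dockerhub-token: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
          dockerhub-account: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}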