Build Wolfi OS world from bootstrap #14
name: Build Wolfi OS world from bootstrap | |
on: | |
workflow_dispatch: | |
# Only run one build at a time to prevent out of sync signatures | |
concurrency: | |
group: build-world-${{ github.ref }} | |
jobs: | |
build: | |
name: Build packages | |
if: github.repository == 'wolfi-dev/os' | |
strategy: | |
matrix: | |
arch: [ "x86_64", "aarch64" ] | |
fail-fast: false | |
runs-on: | |
group: wolfi-os-builder-${{ matrix.arch }} | |
# Ensure this is deprivileged, isolated job | |
# permissions: | |
container: | |
image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2 | |
# TODO: Deprivilege | |
options: | | |
--cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined | |
steps: | |
- uses: actions/checkout@v4 | |
- name: 'Trust the github workspace' | |
run: | | |
# This is to avoid fatal errors about "dubious ownership" because we are | |
# running inside of a container action with the workspace mounted in. | |
git config --global --add safe.directory "$(pwd)" | |
# Build with a local key, we'll resign this with the real key later | |
- name: 'Generate local signing key' | |
run: | | |
make local-melange.rsa | |
- name: 'Build Wolfi World' | |
run: | | |
wolfictl build \ | |
-k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub \ | |
-r https://packages.wolfi.dev/bootstrap/stage3 \ | |
--arch=${{ matrix.arch }} \ | |
--runner=bubblewrap \ | |
-j10 | |
# TODO: See how big these get, maybe we only upload failures and shorten the retention, or throw them in GCS | |
- name: Upload build logs | |
if: always() | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
with: | |
name: buildlogs | |
path: ./packages/**/buildlogs/*.log | |
retention-days: 7 | |
# TODO: enable Slack alerts when this is expected to pass reliably. | |
#postrun: | |
# runs-on: ubuntu-latest | |
# needs: [build] | |
# if: failure() | |
# steps: | |
# - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 | |
# id: slack | |
# with: | |
# payload: '{"text": "[build-wolfi-world-bootstrap] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' | |
# env: | |
# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
# SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |
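Review bot: The `permissions:` key on the `build` job (the commented line under "Ensure this is deprivileged, isolated job") is left commented out, so the GITHUB_TOKEN inherits the repository's default scope rather than the least-privilege one; the visible steps only check out the source, run `make` / `wolfictl build`, and upload an artifact, none of which appears to need more than `contents: read`. Uncommenting it as `permissions:` / `  contents: read` keeps the workflow's own token read-only, independently of the still-open `TODO: Deprivilege` on the container options, which is a separate concern. Also, `actions/checkout@v4` is the only action referenced by a mutable tag while `actions/upload-artifact` (and the commented Slack action) are pinned to a full commit SHA; pinning checkout the same way, `uses: actions/checkout@<full-commit-sha> # v4.x`, makes the supply-chain posture consistent across the file.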