IMprove CI pipeline

bakhtin · bakhtin · commit ee11dd0936de · 2025-12-01T16:54:35.000Z
Signed-off-by: bakhtin &lt;a@bakhtin.net&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,16 +23,15 @@ jobs:
 
       - name: Install tools
         run: |
-          # mkosi
-          sudo apt-get update && sudo apt-get install -y debian-archive-keyring rclone
-          sudo -H pip3 install git+https://github.com/systemd/mkosi.git@$(cat .mkosi_version)
-
-          # minisign
-          curl -sSfL https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz | \
-            sudo tar xzf - -C /usr/bin --strip-components=2 minisign-linux/x86_64/minisign
+          sudo apt-get update && sudo apt-get install -y \
+            debian-archive-keyring \
+            minisign\
+            rclone
+          pip3 install git+https://github.com/systemd/mkosi.git@$(cat .mkosi_version)
 
       - name: Create rclone config
         run: |
+          mkdir -p ~/.config/rclone
           cat << EOF > ~/.config/rclone/rclone.conf
           [r2-flashbots-public-artifacts]
           type = s3
@@ -52,9 +51,13 @@ jobs:
             sudo rm -f cache.tar
           fi
 
+      - name: Enable user namespaces
+        run: |
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
       - name: Build image
         run: |
-          sudo mkosi --force -I buildernet.conf
+          mkosi --force -I buildernet.conf --image-version=${GITHUB_REF_NAME#v}-${GITHUB_SHA::8}
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4
@@ -65,6 +68,25 @@ jobs:
             mkosi.output/*.tar.gz
             mkosi.output/*.vhd
 
+      - name: Sign artifacts
+        run: |
+          mkdir -p ~/.minisign
+          echo "$MINISIGN_SECRET_KEY" > ~/.minisign/minisign.key
+          chmod 600 ~/.minisign/minisign.key
+          for file in mkosi.output/*.{efi,tar.gz,vhd}; do
+            echo "$MINISIGN_SECRET_KEY_PASSWORD" | minisign -Sm "$file" -t "github.com/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}"
+          done
+
+      - name: Generate SHA256 checksums
+        run: |
+          sha256sum mkosi.output/*.{efi,tar.gz,vhd} | tee mkosi.output/checksums.sha256
+
+      - name: Upload to R2
+        run: |
+          for file in mkosi.output/*.{efi,tar.gz,vhd,minisign,checksums.sha256}; do
+            rclone copy "$file" r2-flashbots-public-artifacts:flashbots-public-artifacts/buildernet-images/${GITHUB_REF_NAME#v}/$file
+          done
+
       - name: Prepare cache
         run: |
           sudo find . \( -name "mkosi.builddir" -o -name "mkosi.cache" -o -name "mkosi.tools" \) -type d -print0 | \
diff --git a/.mkosi_version b/.mkosi_version
@@ -1 +1 @@
-d5efbf6f8cd477ec40fda7db4ccfdd48bd0379d6
+a425313c5811d2ed840630dbfc45c6bc296bfd48
diff --git a/buildernet.conf b/buildernet.conf
@@ -25,6 +25,7 @@ CleanPackageMetadata=true
 Format=none
 ManifestFormat=json
 Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
+ImageVersion=latest
 
 [Runtime]
 TPM=no #TODO
diff --git a/mkosi.images/buildernet-gcp/mkosi.finalize b/mkosi.images/buildernet-gcp/mkosi.finalize
@@ -18,3 +18,5 @@ for p in "${remove_paths[@]}"; do
   echo "Removing $p"
   rm -rf $BUILDROOT$p
 done
+
+echo "IMAGE_VERSION=${IMAGE_VERSION:-latest}" >> $BUILDROOT/usr/lib/os-release

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-d5efbf6f8cd477ec40fda7db4ccfdd48bd0379d6`
	`1`	`+a425313c5811d2ed840630dbfc45c6bc296bfd48`