feat: Break up build process into separate jobs to improve caching in matrix strategy (#63)

joshua-stone · web-flow · commit 581f1fa78f3f · 2023-03-08T22:58:59.000-05:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -16,8 +16,165 @@ on:
 env:
     IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 jobs:
+  build-akmods:
+    name: Build akmods package
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        major_version: [37, 38]
+        driver_version: [520, 525, 470]
+        exclude:
+          - driver_version: 520
+            major_version: 38
+          - driver_version: 470
+            major_version: 38
+    steps:
+      # Checkout push-to-registry action GitHub repository
+      - name: Checkout Push to Registry action
+        uses: actions/checkout@v3
+
+      - name: Matrix Variables
+        run: |
+            REPO=${{ github.repository }}
+            echo "IMAGE_NAME=akmods-${REPO##*/}" >> $GITHUB_ENV
+      - name: Generate tags
+        id: generate-tags
+        shell: bash
+        run: |
+          # Generate a timestamp for creating an image version history
+          TIMESTAMP="$(date +%Y%m%d)"
+          VARIANT="${{ matrix.major_version }}-${{ matrix.driver_version }}"
+
+          COMMIT_TAGS=()
+          BUILD_TAGS=()
+
+          # Have tags for tracking builds during pull request
+          SHA_SHORT="$(git rev-parse --short HEAD)"
+          COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}")
+          COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}")
+
+          BUILD_TAGS=("${VARIANT}" "${VARIANT}-${TIMESTAMP}")
+
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+              echo "Generated the following commit tags: "
+              for TAG in "${COMMIT_TAGS[@]}"; do
+                  echo "${TAG}"
+              done
+
+              alias_tags=("${COMMIT_TAGS[@]}")
+          else
+              alias_tags=("${BUILD_TAGS[@]}")
+          fi
+
+          echo "Generated the following build tags: "
+          for TAG in "${BUILD_TAGS[@]}"; do
+              echo "${TAG}"
+          done
+
+          echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
+
+      - name: Retrieve akmods signing key
+        run: |
+          mkdir -p certs
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+              echo "Using test signing key"
+          else
+              echo "${{ secrets.AKMOD_PRIVKEY }}" > certs/private_key.priv
+          fi
+          # DEBUG: get character count of key
+          wc -c certs/private_key.priv
+
+      # Build metadata
+      - name: Image Metadata
+        uses: docker/metadata-action@v4
+        id: meta
+        with:
+          images: |
+            ${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
+            org.opencontainers.image.description=ublue-os ${{ env.IMAGE_NAME }} with akmods-nvidia packages pre-built
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
+            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4
+      # Build image using Buildah action
+      - name: Build Image
+        id: build_image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          containerfiles: |
+            ./build.Containerfile
+          image: ${{ env.IMAGE_NAME }}
+          tags: |
+            ${{ steps.generate-tags.outputs.alias_tags }}
+          build-args: |
+            IMAGE_NAME=base
+            FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
+            NVIDIA_MAJOR_VERSION=${{ matrix.driver_version }}
+          labels: ${{ steps.meta.outputs.labels }}
+          oci: false
+
+      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
+      # https://github.com/macbre/push-to-ghcr/issues/12
+      - name: Lowercase Registry
+        id: registry_case
+        uses: ASzc/change-string-case-action@v5
+        with:
+          string: ${{ env.IMAGE_REGISTRY }}
+
+      # Push the image to GHCR (Image Registry)
+      - name: Push To GHCR
+        uses: redhat-actions/push-to-registry@v2
+        id: push
+        env:
+          REGISTRY_USER: ${{ github.actor }}
+          REGISTRY_PASSWORD: ${{ github.token }}
+        with:
+          image: ${{ steps.build_image.outputs.image }}
+          tags: ${{ steps.build_image.outputs.tags }}
+          registry: ${{ steps.registry_case.outputs.lowercase }}
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          extra-args: |
+            --disable-content-trust
+
+      # Sign container
+      - uses: sigstore/cosign-installer@v3.0.1
+
+      # Only needed when running `cosign sign` using a key
+      - name: Write signing key to disk
+        run: |
+          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
+          # DEBUG: get character count of key
+          wc -c cosign.key
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign container image
+        run: |
+          cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
+        env:
+          TAGS: ${{ steps.push.outputs.digest }}
+          COSIGN_EXPERIMENTAL: false
+
+      - name: Echo outputs
+        run: |
+          echo "${{ toJSON(steps.push.outputs) }}"
+
   push-ghcr:
     name: Build and push image
+    needs: build-akmods
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -108,8 +265,10 @@ jobs:
               done
 
               alias_tags=("${COMMIT_TAGS[@]}")
+              echo "AKMODS_VERSION=pr-${{ github.event.number }}-${{ matrix.major_version }}" >> $GITHUB_ENV
           else
               alias_tags=("${BUILD_TAGS[@]}")
+              echo "AKMODS_VERSION=${{ matrix.major_version }}" >> $GITHUB_ENV
           fi
 
           echo "Generated the following build tags: "
@@ -148,12 +307,13 @@ jobs:
         uses: redhat-actions/buildah-build@v2
         with:
           containerfiles: |
-            ./Containerfile
+            ./install.Containerfile
           image: ${{ env.IMAGE_NAME }}
           tags: |
             ${{ steps.generate-tags.outputs.alias_tags }}
           build-args: |
             IMAGE_NAME=${{ matrix.image_name }}
+            AKMODS_VERSION=${{ env.AKMODS_VERSION }}
             FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
             NVIDIA_MAJOR_VERSION=${{ matrix.driver_version }}
           labels: ${{ steps.meta.outputs.labels }}
diff --git a/build.Containerfile b/build.Containerfile
@@ -25,18 +25,8 @@ ADD files/etc/sway/environment /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/envi
 
 RUN /tmp/build.sh
 
-FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION}
-
-ARG IMAGE_NAME="${IMAGE_NAME}"
+FROM scratch
 
+COPY --from=builder /var/cache /var/cache
 COPY --from=builder /tmp/ublue-os /tmp/ublue-os
-COPY --from=builder /var/cache/akmods /tmp/akmods
 COPY --from=builder /tmp/ublue-os-nvidia-addons /tmp/ublue-os-nvidia-addons
-
-COPY install.sh /tmp/install.sh
-COPY post-install.sh /tmp/post-install.sh
-RUN /tmp/install.sh
-RUN /tmp/post-install.sh
-RUN rm -rf /tmp/* /var/*
-RUN ostree container commit
-RUN mkdir -p /var/tmp && chmod -R 1777 /var/tmp
diff --git a/install.Containerfile b/install.Containerfile
@@ -0,0 +1,24 @@
+ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
+ARG BASE_IMAGE="ghcr.io/ublue-os/${IMAGE_NAME}-main"
+ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-37}"
+ARG NVIDIA_MAJOR_VERSION="${NVIDIA_MAJOR_VERSION:-525}"
+ARG AKMODS_VERSION="${AKMODS_VERSION:-37}"
+
+FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION}
+
+ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION}"
+ARG NVIDIA_MAJOR_VERSION="${NVIDIA_MAJOR_VERSION}"
+ARG AKMODS_VERSION="${AKMODS_VERSION}"
+
+ARG BUILDER_IMAGE="ghcr.io/ublue-os/akmods-nvidia:${AKMODS_VERSION}-${NVIDIA_MAJOR_VERSION}"
+ARG IMAGE_NAME="${IMAGE_NAME}"
+
+COPY --from=${BUILDER_IMAGE} / .
+
+COPY install.sh /tmp/install.sh
+COPY post-install.sh /tmp/post-install.sh
+RUN /tmp/install.sh
+RUN /tmp/post-install.sh
+RUN rm -rf /tmp/* /var/*
+RUN ostree container commit
+RUN mkdir -p /var/tmp && chmod -R 1777 /var/tmp
diff --git a/install.sh b/install.sh
@@ -7,11 +7,11 @@ sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-{cisco-openh264,modular
 install -D /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container-runtime.repo \
     /etc/yum.repos.d/nvidia-container-runtime.repo
 
-source /tmp/akmods/nvidia-vars
+source /var/cache/akmods/nvidia-vars
 
 rpm-ostree install \
     xorg-x11-drv-${NVIDIA_PACKAGE_NAME}-{,cuda-,devel-,kmodsrc-,power-}${NVIDIA_FULL_VERSION} \
     nvidia-container-toolkit nvidia-vaapi-driver \
-    /tmp/akmods/${NVIDIA_PACKAGE_NAME}/kmod-${NVIDIA_PACKAGE_NAME}-${KERNEL_VERSION}-${NVIDIA_AKMOD_VERSION}.fc${RELEASE}.rpm \
+    /var/cache/akmods/${NVIDIA_PACKAGE_NAME}/kmod-${NVIDIA_PACKAGE_NAME}-${KERNEL_VERSION}-${NVIDIA_AKMOD_VERSION}.fc${RELEASE}.rpm \
     /tmp/ublue-os-nvidia-addons/rpmbuild/RPMS/noarch/ublue-os-nvidia-addons-*.rpm \
     /tmp/ublue-os/rpmbuild/RPMS/noarch/ublue-os-just-*.noarch.rpm
