.github: migrate to SDK container based Github Actions

Now that Flatcar SDK does not support cork of mantle any more, we need to migrate the Github Actions of coreos-overlay to the new container SDK based approach. Simply download a container image of the latest Flatcar release, run the container, generate patches from there. Note, since the Flatcar scripts repo of LTS-2021 still does not have necessary Container SDK scripts like run_sdk_container, we need to skip checking out a specific base branch in case of LTS-2021.
2025-09-30 18:12:08 +02:00 · 2022-09-13 13:22:38 +02:00 · 2022-09-13 13:22:38 +02:00 · 70b15a8ffb
commit 70b15a8ffb
parent 5a93f08705
2 changed files with 69 additions and 63 deletions
--- a/sdk_container/src/third_party/coreos-overlay/.github/workflows/common.sh
+++ b/sdk_container/src/third_party/coreos-overlay/.github/workflows/common.sh
@ -2,14 +2,18 @@

 set -euo pipefail

-readonly SDK_OUTER_TOPDIR="${HOME}/flatcar-sdk"
+readonly SDK_OUTER_TOPSCRIPTSDIR="${HOME}/flatcar-sdk/scripts"
+readonly SDK_OUTER_TOPDIR="${SDK_OUTER_TOPSCRIPTSDIR}/sdk_container"
 readonly SDK_OUTER_SRCDIR="${SDK_OUTER_TOPDIR}/src"
 readonly SDK_INNER_SRCDIR="/mnt/host/source/src"

 readonly BUILDBOT_USERNAME="Flatcar Buildbot"
 readonly BUILDBOT_USEREMAIL="buildbot@flatcar-linux.org"

-function enter() ( cd ../../..; exec cork enter -- $@ )
+function enter() {
+  ${SDK_OUTER_TOPSCRIPTSDIR}/run_sdk_container -n "${PACKAGES_CONTAINER}" \
+    -C "${SDK_NAME}" "$@"
+}

 # Return a valid ebuild file name for ebuilds of the given category name,
 # package name, and the old version. If the single ebuild file already exists,
@ -32,36 +36,48 @@ function get_ebuild_filename() {
 }

 function prepare_git_repo() {
-  local our_remote_url
-
+  # the original coreos-overlay repo outside the SDK container
  git config user.name "${BUILDBOT_USERNAME}"
  git config user.email "${BUILDBOT_USEREMAIL}"
  git reset --hard HEAD
  git fetch origin
-  git checkout -B "${BASE_BRANCH}" "origin/${BASE_BRANCH}"
-  our_remote_url=$(git remote get-url origin)

-  # setup overlay repo inside SDK too (be fork friendly)
-  git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" remote add our_remote "${our_remote_url}"
-  git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" fetch our_remote
-  git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" checkout -B "${BASE_BRANCH}" "our_remote/${BASE_BRANCH}"
+  git checkout -B "${BASE_BRANCH}" "origin/${BASE_BRANCH}"
+
+  # inside the SDK container
+  git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" config \
+    user.name "${BUILDBOT_USERNAME}"
+  git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" config \
+    user.email "${BUILDBOT_USEREMAIL}"
 }

 # caller needs to set pass a parameter as a branch name to be created.
 function checkout_branches() {
  TARGET_BRANCH=$1
+  CHECKOUT_SCRIPTS=$2

  [[ -z "${TARGET_BRANCH}" ]] && echo "No target branch specified. exit." && return 1

-  git -C "${SDK_OUTER_SRCDIR}/scripts" checkout -B "${BASE_BRANCH}" "github/${BASE_BRANCH}"
-  git -C "${SDK_OUTER_SRCDIR}/third_party/portage-stable" checkout -B "${BASE_BRANCH}" "github/${BASE_BRANCH}"
-
-  if git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" show-ref "remotes/our_remote/${TARGET_BRANCH}"; then
-    echo "Target branch already exists. exit.";
-    return 1
+  # Check out the scripts repo only if CHECKOUT_SCRIPTS == true, due to
+  # a corner case of its LTS-2021 branch does not have run_sdk_container.
+  if [[ "${CHECKOUT_SCRIPTS}" = true ]]; then
+    git -C "${SDK_OUTER_TOPSCRIPTSDIR}" checkout -B "${BASE_BRANCH}" \
+      "origin/${BASE_BRANCH}"
  fi

-  git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" checkout -B "${TARGET_BRANCH}" "our_remote/${BASE_BRANCH}"
+  # update submodules like portage-stable under the scripts directories
+  git submodule update --init --recursive
+
+  if git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" show-ref "remotes/origin/${TARGET_BRANCH}"; then
+    echo "Target branch already exists. exit.";
+  fi
+
+  # Each submodule directory should be explicitly set from BASE_BRANCH,
+  # as the submodule refs could be only updated during the night.
+  git -C "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" checkout \
+    -B "${TARGET_BRANCH}" "origin/${BASE_BRANCH}"
+  git -C "${SDK_OUTER_SRCDIR}/third_party/portage-stable" checkout \
+    -B "${TARGET_BRANCH}" "origin/${BASE_BRANCH}"
 }

 function regenerate_manifest() {
@ -115,7 +131,8 @@ function generate_patches() {

  pushd "${SDK_OUTER_SRCDIR}/third_party/coreos-overlay" >/dev/null || exit

-  enter ebuild "${SDK_INNER_SRCDIR}/third_party/coreos-overlay/${CATEGORY_NAME}/${PKGNAME_SIMPLE}/${PKGNAME_SIMPLE}-${VERSION_NEW}.ebuild" manifest --force
+  enter ebuild "${SDK_INNER_SRCDIR}/third_party/coreos-overlay/${CATEGORY_NAME}/${PKGNAME_SIMPLE}/${PKGNAME_SIMPLE}-${VERSION_NEW}.ebuild" \
+    manifest --force

  # We can only create the actual commit in the actual source directory, not under the SDK.
  # So create a format-patch, and apply to the actual source.
--- a/sdk_container/src/third_party/coreos-overlay/.github/workflows/setup-flatcar-sdk.sh
+++ b/sdk_container/src/third_party/coreos-overlay/.github/workflows/setup-flatcar-sdk.sh
@ -2,62 +2,51 @@

 set -euo pipefail

-sudo apt-get install -y lbzip2
+sudo ln -sfn /bin/bash /bin/sh
+sudo apt-get install -y ca-certificates curl git gnupg lbzip2 lsb-release \
+    qemu-user-static
+sudo mkdir -p /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
+    | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+echo \
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
+    https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
+    | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+sudo apt-get install -y docker-ce docker-ce-cli containerd.io \
+    docker-compose-plugin

-CORK_VERSION=$(curl -sL https://api.github.com/repos/kinvolk/mantle/releases/latest | jq -r .tag_name | sed -e 's/^v//')
-curl -L -o cork https://github.com/kinvolk/mantle/releases/download/v"${CORK_VERSION}"/cork-"${CORK_VERSION}"-amd64
-curl -L -o cork.sig https://github.com/kinvolk/mantle/releases/download/v"${CORK_VERSION}"/cork-"${CORK_VERSION}"-amd64.sig
-curl -LO https://kinvolk.io/flatcar-container-linux/security/image-signing-key/Flatcar_Image_Signing_Key.asc
-gpg --import Flatcar_Image_Signing_Key.asc
-gpg --verify cork.sig cork
-rm -f cork.sig Flatcar_Image_Signing_Key.asc
-chmod +x cork
-mkdir -p ~/.local/bin
-mv cork ~/.local/bin
-
-export PATH=$PATH:$HOME/.local/bin
 mkdir -p ~/flatcar-sdk
+git -C ~/flatcar-sdk clone https://github.com/flatcar-linux/scripts

-pushd ~/flatcar-sdk || exit
-cork create || true
+pushd ~/flatcar-sdk/scripts || exit

-sudo tee "./chroot/etc/portage/make.conf" <<EOF
-PORTDIR="/mnt/host/source/src/third_party/portage-stable"
-PORTDIR_OVERLAY="/mnt/host/source/src/third_party/coreos-overlay"
-DISTDIR="/mnt/host/source/.cache/distfiles"
-PKGDIR="/var/lib/portage/pkgs"
-PORT_LOGDIR="/var/log/portage"
-EOF
+source ci-automation/ci_automation_common.sh
+source sdk_container/.repo/manifests/version.txt

-sudo tee "./chroot/etc/portage/repos.conf/coreos.conf" <<EOF
-[DEFAULT]
-main-repo = portage-stable
+git submodule update --init --recursive

-[gentoo]
-disabled = true
+arch="amd64"
+channel_version="alpha-${FLATCAR_VERSION_ID}"
+check_version_string "${channel_version}"

-[coreos]
-location = /mnt/host/source/src/third_party/coreos-overlay
+export SDK_NAME="flatcar-sdk-${arch}"

-[portage-stable]
-location = /mnt/host/source/src/third_party/portage-stable
-EOF
+# Pin the docker image version to that of the latest release.
+docker_sdk_vernum="$(curl -s -S -f -L \
+    https://alpha.release.flatcar-linux.net/amd64-usr/current/version.txt \
+    | grep -m 1 FLATCAR_SDK_VERSION= | cut -d = -f 2- \
+)"

-# /var under the chroot has to be writable by the runner user
-sudo chown -R runner:docker ~/flatcar-sdk/chroot/var
+docker_image_from_registry_or_buildcache "${SDK_NAME}" "${docker_sdk_vernum}"
+export SDK_NAME="$(docker_image_fullname "${SDK_NAME}" "${docker_sdk_vernum}")"

-function enter() ( exec cork enter -- $@ )
+vernum="${channel_version#*-}" # remove main-,alpha-,beta-,stable-,lts- version tag
+docker_vernum="$(vernum_to_docker_image_version "${vernum}")"
+export PACKAGES_CONTAINER="flatcar-packages-${arch}-${docker_vernum}"

-# To be able to generate metadata, we need to configure a profile
-# /etc/portage/make.profile, a symlink pointing to the SDK profile.
-enter sudo eselect profile set --force "coreos:coreos/amd64/sdk"
-
-# make edb directory group-writable to run egencache
-enter sudo chmod g+w /var/cache/edb
-
-git -C src/third_party/coreos-overlay reset --hard github/main
-git -C src/third_party/coreos-overlay config user.name 'Flatcar Buildbot'
-git -C src/third_party/coreos-overlay config user.email 'buildbot@flatcar-linux.org'
 popd || exit

 echo ::set-output name=path::"${PATH}"
+echo ::set-output name=PACKAGES_CONTAINER::"${PACKAGES_CONTAINER}"
+echo ::set-output name=SDK_NAME::"${SDK_NAME}"