This is the infrastructure repository of the TrenchBoot organization. It stores relatively generic CI workflows that are reused by other repositories of the organization.
```
<root>
├── .github/workflows/           (path to reusable workflows dictated by GitHub)
│   ├── qubes-dom0-package.yml   (workflow for v1 (Make) Qubes OS builder)
│   └── qubes-dom0-packagev2.yml (workflow for v2 (Python) Qubes OS builder)
└── qubes-builder-docker/        (container used by v1 workflow)
```
Both workflows do the following:

- Check out the repository with the package source.
- Build, or fetch from cache, the Docker container which is used in the next step.
- Perform the build and produce Qubes OS packages (this is where the workflows differ the most).
- Upload the built RPM files as CI artifacts.
- If the workflow was started by a tag push, create a release on that tag to preserve the artifacts indefinitely and make them available for download without logging into GitHub. The release's body contains `wget` and `curl` commands which can be pasted into a console to obtain the corresponding artifact.
The `qubes-dom0-package.yml` workflow uses the Make-based Qubes OS builder. It works by generating a set of patches for `qubes-component` starting from `base-commit`; these patches are then inserted into the component's `*.spec.in` file so that they are picked up during the RPM build process.

This workflow is suitable for Qubes OS components which reference an upstream release and provide a set of patches on top of it. Other ("native") components that contain sources along with packaging information should use `qubes-dom0-packagev2` instead, because patching isn't set up in their `*.spec.in`, and this workflow wouldn't be able to affect files such as `*.spec.in` that get processed before patching.
This workflow additionally caches the dom0 chroot environment between successive runs of the Docker container, which somewhat reduces build time.
| Parameter | Type | Req. | Def. | Description |
|---|---|---|---|---|
| `base-commit` | string | Yes | - | First upstream commit to be used as a base for the `git format-patch` command. |
| `patch-start` | number | Yes | - | `--start-number` argument for the `git format-patch` command. |
| `qubes-component` | string | Yes | - | Name of the QubesOS component as recognized by its build system. |
| `spec-pattern` | string | Yes | - | `sed` pattern used to find the insert position for patches in `*.spec.in` files. |
| `spec-file` | string | No | `""` | Name used for the `*.spec.in` file; if empty, `qubes-component` is stripped of everything before the last dash (e.g. `vmm-xen` -> `xen`). Extensions (`.spec.in`) are always added, don't specify them here. |
Used by TrenchBoot/xen and TrenchBoot/grub.
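The step the table describes, reproduced on a constructed spec fragment as an added example (this is not code from the TrenchBoot workflows): `git format-patch --start-number N` names its output `N-subject.patch`, so one `PatchN: file` line per patch is inserted after the line selected by `spec-pattern`, numbered from `patch-start`. The check added here is the one a practitioner wants before trusting such an insertion: the sed address must select exactly one line, because matching nowhere silently builds an unpatched package and matching several lines declares every patch more than once. The spec contents and patch file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not the workflow's own code: insert "PatchN: file" lines into
# a *.spec.in after the line selected by a sed address, numbering from START.

# Write a constructed spec fragment (not a real component's spec) to path $1.
make_sample_spec() {
  cat > "$1" <<'EOF'
Name: grub2
Version: 2.06
Patch1000: 1000-upstream-fix.patch
Patch1001: 1001-upstream-fix.patch
%description
Constructed spec fragment for the example.
EOF
}

# count_matches SPEC PATTERN: how many lines the sed address PATTERN selects.
count_matches() {
  sed -n "$2=" "$1" | wc -l | tr -d ' '
}

# insert_patches SPEC PATTERN START PATCH...
# Appends one "PatchN: file" line per PATCH after the single line selected by
# PATTERN (the workflow's spec-pattern), with N counting up from START (the
# workflow's patch-start). Refuses to touch the spec unless PATTERN selects
# exactly one line.
insert_patches() {
  spec=$1; pattern=$2; n=$3; shift 3
  matches=$(count_matches "$spec" "$pattern")
  if [ "$matches" -ne 1 ]; then
    echo "spec-pattern '$pattern' matched $matches lines in $spec, expected exactly 1" >&2
    return 1
  fi
  lineno=$(sed -n "$pattern=" "$spec")
  ins=""
  for p in "$@"; do
    # awk -v interprets the two-character sequence \n as a newline.
    ins="${ins}Patch${n}: ${p}\\n"
    n=$((n + 1))
  done
  tmp=$(mktemp)
  awk -v ln="$lineno" -v ins="$ins" \
    'NR == ln { print; printf "%s", ins; next } { print }' "$spec" > "$tmp" \
    && mv "$tmp" "$spec"
}

# patch_lines SPEC: the Patch declarations in spec order, for inspection.
patch_lines() {
  sed -n '/^Patch[0-9]*:/p' "$1"
}

# Stand-alone run: two constructed patches inserted after Patch1001,
# mirroring patch-start 1100 and spec-pattern '/^Patch1001:/' from the page.
demo() {
  dir=$(mktemp -d)
  make_sample_spec "$dir/grub2.spec.in"
  insert_patches "$dir/grub2.spec.in" '/^Patch1001:/' 1100 \
    1100-first-change.patch 1101-second-change.patch
  patch_lines "$dir/grub2.spec.in"
  rm -r "$dir"
}

demo
```

`count_matches` and `insert_patches` use the pattern verbatim as a sed address, so whatever is valid for `spec-pattern` on the page (a `/regex/` address) works unchanged here.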
The `qubes-dom0-packagev2.yml` workflow uses the new (v2) Python-based Qubes OS builder. It works by patching the builder configuration file (`builder.yml`) to use TrenchBoot's fork of the package, hence the significantly reduced set of parameters. There is also no need to use `qubes-builder-docker/` in this case, because the builder's repository contains its own Docker image.
| Parameter | Type | Req. | Def. | Description |
|---|---|---|---|---|
| `qubes-component` | string | Yes | - | Name of the QubesOS component as recognized by its build system. |
| `qubes-pkg-src-dir` | string | No | - | Relative path to the directory containing the Qubes OS package. |
Used by TrenchBoot/qubes-antievilmaid and TrenchBoot/secure-kernel-loader. The latter makes use of `qubes-pkg-src-dir`, as the Qubes OS package is stored within the repository itself.
Full details can be found in GitHub's documentation on reusable workflows. Below is an example which should be sufficient when no modifications to the workflows are necessary.
Create a workflow file like `.github/workflows/build.yml` inside of your repository. It will have 3 parts: name, triggering conditions and invocation of one of the workflows defined here. Let's use TrenchBoot/grub as an example.
```yaml
name: Test build and package QubesOS RPMs
```

Specifies the workflow title used for identification in the UI.
```yaml
on:
  push:
    branches:
      - 'intel-txt-aem*'
    tags:
      - '*'
```

Activates this workflow on push of any tag or of a branch whose name starts with `intel-txt-aem` (including that branch itself, i.e. `*` can expand to an empty string).
```yaml
jobs:
  qubes-dom0-package:
    uses: TrenchBoot/.github/.github/workflows/qubes-dom0-package.yml@master
    with:
      base-commit: 'ae94b97be2b81b625d6af6654d3ed79078b50ff6'
      patch-start: 1100
      qubes-component: 'grub2'
      spec-pattern: '/^Patch1001:/'
```

Invokes the v1 workflow from the `master` branch of this repository with the set of parameters described in the section above.
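A hardening variant of the same invocation, added here and not part of the original README: `@master` is resolved every time the consuming workflow runs, so any change pushed to that branch of TrenchBoot/.github takes effect in every consumer immediately. GitHub also accepts a full commit SHA as the ref in `uses:`, which makes the consumed workflow content immutable until the consumer deliberately bumps it. The SHA below is a placeholder, not a real commit of this repository.

```yaml
jobs:
  qubes-dom0-package:
    # PLACEHOLDER: replace with the full SHA of the TrenchBoot/.github commit you reviewed.
    uses: TrenchBoot/.github/.github/workflows/qubes-dom0-package.yml@0000000000000000000000000000000000000000
    with:
      base-commit: 'ae94b97be2b81b625d6af6654d3ed79078b50ff6'
      patch-start: 1100
      qubes-component: 'grub2'
      spec-pattern: '/^Patch1001:/'
```

Note that `base-commit` is already a full SHA, so the upstream starting point of the generated patch series is pinned; the workflow ref is the remaining mutable input.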
This project was partially funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073.