Forgot minisig and sha256 upload #34
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - v* | |
| workflow_dispatch: {} | |
| jobs: | |
| build: | |
| name: build image | |
| runs-on: warp-ubuntu-latest-x64-32x | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: Restore cache | |
| id: restore-cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| cache.tar | |
| key: mkosi-buildernet- | |
| - name: Extract cache | |
| run: | | |
| if [[ -f cache.tar ]]; then | |
| sudo tar -xf cache.tar | |
| sudo rm -f cache.tar | |
| fi | |
| - name: Install tools | |
| run: | | |
| sudo apt-get update && sudo apt-get install -y \ | |
| debian-archive-keyring \ | |
| minisign\ | |
| rclone | |
| pip3 install git+https://github.com/systemd/mkosi.git@$(cat .mkosi_version) | |
| - name: Create rclone config | |
| env: | |
| R2_FLASHBOTS_PUBLIC_ARTIFACTS_ACCESS_KEY: ${{ secrets.R2_FLASHBOTS_PUBLIC_ARTIFACTS_ACCESS_KEY }} | |
| R2_FLASHBOTS_PUBLIC_ARTIFACTS_SECRET_KEY: ${{ secrets.R2_FLASHBOTS_PUBLIC_ARTIFACTS_SECRET_KEY }} | |
| R2_FLASHBOTS_PUBLIC_ARTIFACTS_ENDPOINT: ${{ secrets.R2_FLASHBOTS_PUBLIC_ARTIFACTS_ENDPOINT }} | |
| run: | | |
| mkdir -p ~/.config/rclone | |
| cat << EOF > ~/.config/rclone/rclone.conf | |
| [r2-flashbots-public-artifacts] | |
| type = s3 | |
| provider = Cloudflare | |
| access_key_id = $R2_FLASHBOTS_PUBLIC_ARTIFACTS_ACCESS_KEY | |
| secret_access_key = $R2_FLASHBOTS_PUBLIC_ARTIFACTS_SECRET_KEY | |
| region = auto | |
| endpoint = $R2_FLASHBOTS_PUBLIC_ARTIFACTS_ENDPOINT | |
| acl = private | |
| EOF | |
| - name: Enable user namespaces | |
| run: | | |
| sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 | |
| - name: Build image | |
| run: | | |
| umask 022 | |
| mkosi --force -I buildernet.conf --image-version=${GITHUB_REF_NAME#v}-${GITHUB_SHA::8} | |
| - name: Prepare cache | |
| run: | | |
| sudo find . \( -name "mkosi.builddir" -o -name "mkosi.cache" -o -name "mkosi.tools" \) -type d -print0 | \ | |
| sudo tar --null -rf cache.tar -T - 2>/dev/null || true | |
| - uses: actions/cache/save@v4 | |
| id: save-cache | |
| with: | |
| path: cache.tar | |
| key: mkosi-buildernet-${{ github.run_id }} | |
| - name: Generate SHA256 checksums | |
| run: | | |
| cd mkosi.output | |
| sha256sum buildernet-*.{efi,tar.gz,vhd} | tee buildernet-${GITHUB_REF_NAME#v}-${GITHUB_SHA::8}.sha256 | |
| - name: Sign artifacts | |
| env: | |
| MINISIGN_SECRET_KEY: ${{ secrets.MINISIGN_SECRET_KEY }} | |
| MINISIGN_SECRET_KEY_PASSWORD: ${{ secrets.MINISIGN_SECRET_KEY_PASSWORD }} | |
| run: | | |
| mkdir -p ~/.minisign | |
| echo "$MINISIGN_SECRET_KEY" > ~/.minisign/minisign.key | |
| chmod 600 ~/.minisign/minisign.key | |
| echo "$MINISIGN_SECRET_KEY_PASSWORD" | minisign -Sm mkosi.output/buildernet-${GITHUB_REF_NAME#v}-${GITHUB_SHA::8}.sha256 \ | |
| -t "github.com/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}" | |
| - name: Upload to R2 | |
| run: | | |
| rclone copy -P --retries 3 --retries-sleep 20s --error-on-no-transfer \ | |
| --s3-upload-concurrency=8 --transfers=8 --include "buildernet-*.{efi,tar.gz,vhd,minisig,sha256}" \ | |
| mkosi.output r2-flashbots-public-artifacts:flashbots-public-artifacts/buildernet-images/${GITHUB_REF_NAME}/ | |