use self hosted wolfi runners for pre/postsubmit builds

.github/workflows/.build.yaml

@@ -0,0 +1,92 @@
+name: Reusable build workflow
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        required: true
+        type: string
+      melange-config:
+        required: false
+        type: string
+        default: ''
+
+jobs:
+  build:
+    runs-on: wolfi-builder-${{ matrix.arch }}
+    strategy:
+      fail-fast: true
+      matrix:
+        arch: ["x86_64", "aarch64"]
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+      # TODO: Replace this with custom wolfi image
+      - run: |
+          sudo apt update -y && \
+          sudo apt install unzip curl cmake pkg-config -y
+
+      - id: melange
+        uses: chainguard-dev/actions/melange-build@main
+        if: inputs.melange-config != ''
+        with:
+          multi-config: ${{ inputs.melange-config }}
+          empty-workspace: false
+          workdir: images/${{ inputs.image }}
+          sign-with-temporary-key: true
+          archs: ${{ matrix.arch }}
+
+      - name: 'Upload built packages archive to Github Artifacts'
+        uses: actions/upload-artifact@v3
+        if: inputs.melange-config != ''
+        with:
+          name: ${{ inputs.image }}-${{ matrix.arch }}
+          path: ./packages
+          retention-days: 1 # Low ttl since this is just an intermediary used once
+          if-no-files-found: error
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+      # Fetch the build stages back down
+      - name: 'Download package archives'
+        uses: actions/download-artifact@v3
+        if: inputs.melange-config != ''
+        with:
+          name: ${{ inputs.image }}-aarch64
+          path: ./packages
+
+      - name: 'Download package archives'
+        uses: actions/download-artifact@v3
+        if: inputs.melange-config != ''
+        with:
+          name: ${{ inputs.image }}-x86_64
+          path: ./packages
+
+      # TODO: Replace this with custom wolfi image
+      - run: |
+          sudo apt update -y && \
+          sudo apt install unzip curl git -y
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: '1.5.*'
+          terraform_wrapper: false
+
+      # Setup local registry
+      - uses: chainguard-dev/actions/setup-registry@main
+        with:
+          port: 5000
+
+      # Build and push image using terraform-provider-apko
+      - name: Build image with apko/terraform
+        env:
+          TF_VAR_target_repository: localhost:5000/${{ inputs.image }}
+        run: |
+          set -x
+          cd images/${{ inputs.image }}/
+          terraform init
+          terraform apply -auto-approve

.github/workflows/presubmit-build.yaml

@@ -1,81 +1,145 @@
 on:
   pull_request:
-jobs:
-  presubmit-matrix:
-    runs-on: ubuntu-latest
-    outputs:
-      matrix: ${{ steps.generate-matrix.outputs.matrix }}
-    steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-      - id: generate-matrix
-        run: |
-          set -x
-          # TODO: set ONLY env var based on changed files
-          matrix="$(ONLY="${{ inputs.only }}" ./hack/matrix.sh)"
-          echo "matrix=${matrix}" >> $GITHUB_OUTPUT
-
-  presubmit-build:
-    runs-on: ubuntu-latest
-    needs: presubmit-matrix
-    strategy:
-      fail-fast: false
-      matrix: ${{ fromJson(needs.presubmit-matrix.outputs.matrix) }}
-    permissions:
-      id-token: write
-      packages: write
-      contents: read
-    steps:
-
-      # Setup required tooling etc.
-      - name: Setup QEMU
-        if: ${{ matrix.melangeConfig != '' }}
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: '1.3.*'
-          terraform_wrapper: false
-
-      # Checkout this repo's source code
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-      # Build custom package using melange (if specified)
-      - id: melange
-        if: ${{ matrix.melangeConfig != '' }}
-        uses: chainguard-dev/actions/melange-build@main
-        with:
-          multi-config: ${{ matrix.melangeConfig }}
-          empty-workspace: false
-          workdir: images/${{ matrix.imageName }}
-          sign-with-temporary-key: true
-          archs: x86_64,aarch64
-
-      # Setup local registry
-      - uses: chainguard-dev/actions/setup-registry@main
-        with:
-          port: 5000
-
-      # Build and push image using terraform-provider-apko
-      - name: Build image with apko/terraform
-        env:
-          TF_VAR_target_repository: localhost:5000/${{ matrix.imageName }}
-        run: |
-          set -x
-          cd images/${{ matrix.imageName }}/
-          terraform init
-          terraform apply -auto-approve
-
-  presubmit-roundup:
-    needs:
-      - presubmit-build
-    runs-on: ubuntu-latest
-    if: always()
-    steps:
-      - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3
+jobs:
+  melange:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: melange
+      melange-config: configs/latest.melange.yaml
+
+  # apko:
+  #   uses: ./.github/workflows/.build.yaml
+  #   with:
+  #     image: apko
+  #     melange-config: configs/latest.melange.yaml
 
-      - if: ${{ env.WORKFLOW_CONCLUSION == 'success' }}
-        working-directory: /tmp
-        run: echo ${{ env.WORKFLOW_CONCLUSION }} && exit 0
+  wolfictl:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: wolfictl
 
-      - if: ${{ env.WORKFLOW_CONCLUSION == 'failure' }}
-        working-directory: /tmp
-        run: echo ${{ env.WORKFLOW_CONCLUSION }} && exit 1
+  # presubmit-build:
+  #   runs-on: wolfi-builder-${{ matrix.arch }}
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       arch: ["x86_64", "aarch64"]
+  #       name:
+  #         - apko
+  #         - melange
+  #         - sdk
+  #       include:
+  #         - name: apko
+  #           config: configs/latest.melange.yaml
+  #         - name: melange
+  #           config: configs/latest.melange.yaml
+  #         - name: sdk
+  #           config: configs/latest.melange.yaml
+  #   steps:
+  #     - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+  #
+  #     # TODO: Replace this with custom wolfi image
+  #     - run: |
+  #         sudo apt update -y && \
+  #         sudo apt install unzip curl cmake pkg-config -y
+  #
+  #     - id: melange
+  #       uses: chainguard-dev/actions/melange-build@main
+  #       with:
+  #         multi-config: ${{ matrix.config }}
+  #         empty-workspace: false
+  #         workdir: images/${{ matrix.name }}
+  #         sign-with-temporary-key: true
+  #         archs: ${{ matrix.arch }}
+  #
+  #     # upload to GHA artifact
+  #     - run: |
+  #         ls -lahR .
+  #
+  #     - name: 'Upload built packages archive to Github Artifacts'
+  #       uses: actions/upload-artifact@v3
+  #       with:
+  #         name: ${{ matrix.name }}-${{ matrix.arch }}
+  #         path: ./packages
+  #         retention-days: 1 # Low ttl since this is just an intermediary used once
+  #         if-no-files-found: error
+  #
+  # presubmit-build-image:
+  #   runs-on: ubuntu-latest
+  #   needs: presubmit-build
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       name:
+  #         - apko
+  #         - melange
+  #         - sdk
+  #         - wolfictl
+  #         - alpine-base
+  #         - gcc-musl
+  #         - musl-dynamic
+  #
+  #   permissions:
+  #     id-token: write
+  #     packages: write
+  #     contents: read
+  #
+  #   steps:
+  #     - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+  #
+  #     # Fetch the build stages back down
+  #       # NOTE: This could be per package, but it adds complexity and it's cheap to just get everything
+  #     - name: 'Download all package archives'
+  #       uses: actions/download-artifact@v3
+  #       with:
+  #         path: ./build-artifacts
+  #
+  #     - run: |
+  #         ls -lR .
+  #
+  #         mkdir packages
+  #         mv ./build-artifacts/**/* packages/
+  #
+  #     # TODO: Replace this with custom wolfi image
+  #     - run: |
+  #         sudo apt update -y && \
+  #         sudo apt install unzip curl git -y
+  #
+  #     - uses: hashicorp/setup-terraform@v2
+  #       with:
+  #         terraform_version: '1.5.*'
+  #         terraform_wrapper: false
+  #
+  #     - uses: chainguard-dev/actions/setup-melange@main
+  #
+  #     # Setup local registry
+  #     - uses: chainguard-dev/actions/setup-registry@main
+  #       with:
+  #         port: 5000
+  #
+  #     # Build and push image using terraform-provider-apko
+  #     - name: Build image with apko/terraform
+  #       env:
+  #         TF_VAR_target_repository: localhost:5000/${{ matrix.name }}
+  #       run: |
+  #         set -x
+  #         cd images/${{ matrix.name }}/
+  #         terraform init
+  #         terraform apply -auto-approve
+  #
+  # presubmit-roundup:
+  #   needs:
+  #     - presubmit-build-image
+  #   runs-on: ubuntu-latest
+  #   if: always()
+  #   steps:
+  #     - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3
+  #
+  #     - if: ${{ env.WORKFLOW_CONCLUSION == 'success' }}
+  #       working-directory: /tmp
+  #       run: echo ${{ env.WORKFLOW_CONCLUSION }} && exit 0
+  #
+  #     - if: ${{ env.WORKFLOW_CONCLUSION == 'failure' }}
+  #       working-directory: /tmp
+  #       run: echo ${{ env.WORKFLOW_CONCLUSION }} && exit 1

.github/workflows/release.yaml

@@ -26,7 +26,7 @@ jobs:
           matrix="$(ONLY="${{ inputs.only }}" ./hack/matrix.sh)"
           echo "matrix=${matrix}" >> $GITHUB_OUTPUT
   build:
-    runs-on: ubuntu-latest
+    runs-on: wolfi-builder-${{ matrix.arch }}
     needs: generate-matrix
     strategy:
       fail-fast: false
@@ -38,9 +38,11 @@ jobs:
     steps:
 
       # Setup required tooling etc.
-      - name: Setup QEMU
-        if: ${{ matrix.melangeConfig != '' }}
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+      # TODO: Replace this with custom wolfi image
+      - run: |
+          sudo apt update -y && \
+          sudo apt install unzip curl cmake pkg-config jq git -y
+
       - uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: '1.3.*'
@@ -58,7 +60,7 @@ jobs:
           empty-workspace: false
           workdir: images/${{ matrix.imageName }}
           sign-with-temporary-key: true
-          archs: x86_64,aarch64
+          archs: ${{ matrix.arch }}
 
       # Auth to GitHub Container Registry (ghcr.io)
       - name: Login to registry

hack/matrix.sh

@@ -5,13 +5,15 @@
 
 set -e
 matrix='{"include":[]}'
-for name in `find images -mindepth 1 -maxdepth 1 -type d | sed 's|images/||' | sort | xargs`; do
-    [[ "${ONLY}" == "" || "${ONLY}" == "${name}" ]] || continue
-    entry='{imageName: "'${name}'"}'
-    melange_config="$(cd images/${name} && find . -name '*.melange.yaml' | sed 's|./||')"
-    if [[ "${melange_config}" != "" ]]; then
-        entry="{imageName: \"${name}\", melangeConfig: \"${melange_config}\"}"
-    fi
-    matrix="$(echo "${matrix}" | jq -c ".include += [${entry}]")"
+for name in $(find images -mindepth 1 -maxdepth 1 -type d | sed 's|images/||' | sort | xargs); do
+	for arch in "x86_64" "aarch64"; do
+		[[ "${ONLY}" == "" || "${ONLY}" == "${name}" ]] || continue
+		entry='{imageName: "'${name}'", arch: "'${arch}'"}'
+		melange_config="$(cd images/${name} && find . -name '*.melange.yaml' | sed 's|./||')"
+		if [[ "${melange_config}" != "" ]]; then
+			entry="{imageName: \"${name}\", melangeConfig: \"${melange_config}\", arch: \"${arch}\"}"
+		fi
+		matrix="$(echo "${matrix}" | jq -c ".include += [${entry}]")"
+	done
 done
 echo "${matrix}"