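# Composite action that prepares a GitHub-hosted Ubuntu runner for mkosi: opens up the kvm/vhost device
# nodes, relaxes AppArmor/user-namespace restrictions, symlinks mkosi from the action checkout into
# /usr/bin and installs the distribution package managers mkosi drives.
#
# NOTE(review): several steps deliberately lower host hardening (0666 device nodes, AppArmor removed,
# unprivileged user namespaces enabled). That fits a throwaway single-tenant runner; on a persistent or
# shared self-hosted runner the changes outlive the job and apply to every local account.
name: setup-mkosi
description: Install mkosi

inputs:
  apk:
    description: Install the apk package manager (required to bootstrap a postmarketOS tools tree)
    required: false
    default: "false"

runs:
  using: composite
  steps:
    # Sets mode 0666 on /dev/kvm, /dev/vhost-vsock and /dev/vhost-net three ways: a tmpfiles.d override,
    # a udev rule, and a direct chmod on any node that already exists.
    - name: Permit unprivileged access to kvm, vhost-vsock and vhost-net devices
      shell: bash
      run: |
        sudo mkdir -p /etc/tmpfiles.d
        sudo cp /usr/lib/tmpfiles.d/static-nodes-permissions.conf /etc/tmpfiles.d/
        sudo sed -i '/kvm/s/0660/0666/g' /etc/tmpfiles.d/static-nodes-permissions.conf
        sudo sed -i '/vhost/s/0660/0666/g' /etc/tmpfiles.d/static-nodes-permissions.conf
        sudo tee /etc/udev/rules.d/99-kvm4all.rules <<- EOF
        KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"
        KERNEL=="vhost-vsock", GROUP="kvm", MODE="0666", OPTIONS+="static_node=vhost-vsock"
        KERNEL=="vhost-net", GROUP="kvm", MODE="0666", OPTIONS+="static_node=vhost-net"
        EOF
        sudo udevadm control --reload-rules
        # kvm/vhost might not be available (e.g.: s390x, ppc64le)
        sudo modprobe kvm || true
        sudo modprobe vhost_vsock || true
        sudo modprobe vhost_net || true
        [[ -e /dev/kvm ]] && sudo udevadm trigger --name-match=kvm
        [[ -e /dev/vhost-vsock ]] && sudo udevadm trigger --name-match=vhost-vsock
        [[ -e /dev/vhost-net ]] && sudo udevadm trigger --name-match=vhost-net
        [[ -e /dev/kvm ]] && sudo chmod 666 /dev/kvm
        [[ -e /dev/vhost-vsock ]] && sudo chmod 666 /dev/vhost-vsock
        [[ -e /dev/vhost-net ]] && sudo chmod 666 /dev/vhost-net
        # Diagnostics only: loaded modules, resulting device modes and the identity the job runs as.
        lsmod
        [[ -e /dev/kvm ]] && ls -l /dev/kvm
        [[ -e /dev/vhost-vsock ]] && ls -l /dev/vhost-vsock
        [[ -e /dev/vhost-net ]] && ls -l /dev/vhost-net
        id

    - name: Check clock source
      shell: bash
      run: cat /sys/devices/system/clocksource/clocksource0/current_clocksource

    # Prints every environment variable of the step into the job log.
    # NOTE(review): log masking only covers values registered as secrets; anything derived from a secret
    # or exported by the calling workflow under another form is printed verbatim. Confirm callers do not
    # export sensitive values at job level before using this action.
    - name: Show environment
      shell: bash
      run: env

    - name: Show CPU
      shell: bash
      run: lscpu

    - name: Show memory
      shell: bash
      run: lsmem

    # Turns off the two AppArmor sysctls that restrict unprivileged user namespaces. --ignore keeps the
    # step from failing on kernels that do not have these keys.
    - name: Enable unprivileged user namespaces
      shell: bash
      run: |
        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0

    - name: Create missing mountpoints
      shell: bash
      run: |
        sudo mkdir -p /var/lib/ca-certificates

    # Both the unix-chkpwd and swtpm profiles are broken (https://gitlab.com/apparmor/apparmor/-/issues/402) so let's
    # just disable and remove apparmor completely. It's not relevant in this context anyway.
    # TODO: Remove if https://github.com/actions/runner-images/issues/10015 is ever fixed.
    - name: Disable and mask apparmor service
      shell: bash
      run: |
        # This command fails with a non-zero error code even though it unloads the apparmor profiles.
        # https://gitlab.com/apparmor/apparmor/-/issues/403
        sudo aa-teardown || true
        # --assume-yes matches the apt-get install call in the Dependencies step and keeps the removal
        # non-interactive even where the host's apt configuration does not already imply it.
        sudo apt-get remove --assume-yes apparmor

    # Replaces the action directory with a full clone when it was provisioned without a .git directory.
    # The clone is checked out at whatever ref the calling workflow used for this action, so a caller
    # that pins a branch or tag gets that ref's current target.
    - name: Ensure git history is available
      shell: bash
      run: |
        if [[ ! -e "$X_GITHUB_ACTION_PATH/.git" ]]; then
            rm -rf "$X_GITHUB_ACTION_PATH"
            git clone "https://github.com/$X_GITHUB_ACTION_REPOSITORY" "$X_GITHUB_ACTION_PATH"
            git -C "$X_GITHUB_ACTION_PATH" checkout "$X_GITHUB_ACTION_REF"
        fi
      # https://github.com/actions/runner/issues/2473
      env:
        X_GITHUB_ACTION_REPOSITORY: ${{ github.action_repository }}
        X_GITHUB_ACTION_PATH: ${{ github.action_path }}
        X_GITHUB_ACTION_REF: ${{ github.action_ref }}

    - name: Install
      shell: bash
      # The path is quoted so an action path containing whitespace or glob characters is passed to ln
      # as a single argument.
      run: sudo ln -svf "$X_GITHUB_ACTION_PATH/bin/mkosi" /usr/bin/mkosi
      # https://github.com/actions/runner/issues/2473
      env:
        X_GITHUB_ACTION_PATH: ${{ github.action_path }}

    - name: Install apk
      # ubuntu-24.04 doesn't package apk, so fetch the official statically-linked binary from
      # upstream so mkosi can use it to populate the postmarketOS tools tree.
      #
      # NOTE: apk is dropped into /usr/bin and not /usr/local/bin because later CI
      # scripts (like .github/workflows/ci.yml) clean up /usr/local
      #
      # NOTE(review): the URL and the pinned SHA-256 are for the x86_64 build only; both need updating
      # together on a version bump, and another architecture needs its own pair.
      if: ${{ inputs.apk == 'true' }}
      shell: bash
      run: |
        # Download to a scratch file as the unprivileged user and verify the pinned digest first, so a
        # binary that fails the check is never written under /usr/bin.
        apk_tmp="$(mktemp)"
        trap 'rm -f "$apk_tmp"' EXIT
        curl -fsSL -o "$apk_tmp" https://gitlab.alpinelinux.org/api/v4/projects/5/packages/generic/v3.0.6/x86_64/apk.static
        echo "f1489e05bace7d7dd0a687fcd38d50b585ac660af4231668b123649bef3718c4  $apk_tmp" | sha256sum --check
        # install copies the verified file as root and sets the mode in one step.
        sudo install -m 0755 "$apk_tmp" /usr/bin/apk

    - name: Dependencies
      shell: bash
      run: |
        sudo apt-get update
        # makepkg and pacman-package-manager were only added in noble (24.04).
        # Probe for each and skip the ones the host's apt repos don't have.
        # Callers running this action on older releases (e.g. ubuntu-22.04) otherwise fail with
        # "Unable to locate package".
        arch_pkgs=()
        for pkg in makepkg pacman-package-manager; do
            if apt-cache show "$pkg" 2>/dev/null | grep -q '^Package: '; then
                arch_pkgs+=("$pkg")
            else
                echo "Skipping $pkg: not available in apt repositories on this host."
            fi
        done
        sudo apt-get install --assume-yes --no-install-recommends \
            debian-archive-keyring \
            dnf \
            zypper \
            "${arch_pkgs[@]}"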