kata-containers/.github/workflows/cc-payload.yaml

name: Publish Kata Containers payload for Confidential Containers
on:
  push:
    tags:
      - 'CC\-[0-9]+.[0-9]+.[0-9]+'

jobs:
  build-asset:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        asset:
          - cc-cloud-hypervisor
          - cc-kernel
          - cc-qemu
          - cc-rootfs-image
          - cc-virtiofsd
          - cc-sev-kernel
          - cc-sev-ovmf
          - cc-sev-rootfs-initrd
          - cc-tdx-kernel
          - cc-tdx-rootfs-image
          - cc-tdx-qemu
          - cc-tdx-td-shim
          - cc-tdx-tdvf
    steps:
      - uses: actions/checkout@v3
      - name: Build ${{ matrix.asset }}
        run: |
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
          sudo cp -r "${build_dir}" "kata-build"
        env:
          KATA_ASSET: ${{ matrix.asset }}
          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@v3
        with:
          name: kata-artifacts
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
          retention-days: 1
          if-no-files-found: error

      - name: store-artifact root_hash_tdx.txt 
        uses: actions/upload-artifact@v3
        with:
          name: root_hash_tdx.txt
          path: tools/osbuilder/root_hash_tdx.txt
          retention-days: 1
          if-no-files-found: ignore

      - name: store-artifact root_hash_vanilla.txt 
        uses: actions/upload-artifact@v3
        with:
          name: root_hash_vanilla.txt
          path: tools/osbuilder/root_hash_vanilla.txt
          retention-days: 1
          if-no-files-found: ignore

  build-asset-cc-shim-v2:
    runs-on: ubuntu-latest
    needs: build-asset
    steps:
      - uses: actions/checkout@v3

      - name: Get root_hash_tdx.txt
        uses: actions/download-artifact@v3
        with:
          name: root_hash_tdx.txt
          path: tools/osbuilder/

      - name: Get root_hash_vanilla.txt
        uses: actions/download-artifact@v3
        with:
          name: root_hash_vanilla.txt
          path: tools/osbuilder/

      - name: Build cc-shim-v2
        run: |
          make cc-shim-v2-tarball
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
          sudo cp -r "${build_dir}" "kata-build"

      - name: store-artifact cc-shim-v2
        uses: actions/upload-artifact@v3
        with:
          name: kata-artifacts
          path: kata-build/kata-static-cc-shim-v2.tar.xz
          retention-days: 1
          if-no-files-found: error

  create-kata-tarball:
    runs-on: ubuntu-latest
    needs: [build-asset, build-asset-cc-shim-v2]
    steps:
      - uses: actions/checkout@v3
      - name: get-artifacts
        uses: actions/download-artifact@v3
        with:
          name: kata-artifacts
          path: kata-artifacts
      - name: merge-artifacts
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
      - name: store-artifacts
        uses: actions/upload-artifact@v3
        with:
          name: kata-static-tarball
          path: kata-static.tar.xz
          retention-days: 1
          if-no-files-found: error

  kata-payload:
    needs: create-kata-tarball
    runs-on: ubuntu-latest
    steps:
      - name: Login to quay.io
        uses: docker/login-action@v2
        with:
          registry: quay.io
          username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }}

      - uses: actions/checkout@v3
      - name: get-kata-tarball
        uses: actions/download-artifact@v3
        with:
          name: kata-static-tarball

      - name: build-and-push-kata-payload
        id: build-and-push-kata-payload
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz