diff --git a/.github/scripts/container/create.sh b/.github/scripts/container/create.sh
new file mode 100644
index 000000000..cb980b0b1
--- /dev/null
+++ b/.github/scripts/container/create.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${GITHUB_REPOSITORY_ID:-}" ]; then
+ echo "GITHUB_REPOSITORY_ID is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_WORKSPACE:-}" ]; then
+ echo "GITHUB_WORKSPACE is unset!"
+ exit 1
+fi
+
+IMAGE="${1:-}"
+
+if [ -z "${IMAGE}" ]; then
+ echo "Container image is unset!"
+ exit 1
+fi
+
+if command -v docker &> /dev/null; then
+ DOCKER="docker"
+elif command -v podman &> /dev/null; then
+ DOCKER="podman"
+else
+ echo "Could not find docker / podman!"
+ exit 1
+fi
+
+exec "${DOCKER}" run -d --name "${GITHUB_REPOSITORY_ID}" \
+ -v "${GITHUB_WORKSPACE}:/working" --workdir "/working" \
+ --entrypoint "tail" "${IMAGE}" -f /dev/null
\ No newline at end of file
diff --git a/.github/scripts/container/exec.sh b/.github/scripts/container/exec.sh
new file mode 100644
index 000000000..41596465b
--- /dev/null
+++ b/.github/scripts/container/exec.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${GITHUB_REPOSITORY_ID:-}" ]; then
+ echo "GITHUB_REPOSITORY_ID is unset!"
+ exit 1
+fi
+
+if [ -z "${1:-}" ]; then
+ echo "Arguments are unset!"
+ exit 1
+fi
+
+ENVVARS=()
+COMMAND=()
+
+while (( "${#}" )); do
+ case "$1" in
+ -e)
+ ENVVARS+=("-e")
+ shift
+
+ ENVVARS+=("$1")
+ shift
+ ;;
+ --)
+ shift
+ while (( "${#}" )); do
+ COMMAND+=("$1")
+ shift
+ done
+ ;;
+ esac
+done
+
+if command -v docker &> /dev/null; then
+ DOCKER="docker"
+elif command -v podman &> /dev/null; then
+ DOCKER="podman"
+else
+ echo "Could not find docker / podman!"
+ exit 1
+fi
+
+exec "${DOCKER}" exec "${ENVVARS[@]}" "${GITHUB_REPOSITORY_ID}" "${COMMAND[@]}"
\ No newline at end of file
diff --git a/.github/scripts/package/arch.sh b/.github/scripts/package/arch.sh
new file mode 100644
index 000000000..d7d44be8d
--- /dev/null
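Review bot: `create.sh` hands `"${IMAGE}"` to `run` unchanged, and the workflows in this commit call it with mutable tags (`archlinux`, `ubuntu:20.04`, `debian:sid`), so the container that later receives `SB_KEY`, `GPG_KEY` and `SURFACEBOT_TOKEN` through `exec.sh -e` is whatever the registry serves for that tag at run time. Pinning the references by digest at the call sites (`archlinux@sha256:<digest>`, placeholder) would make the signing environment reproducible and reviewable. If that is too strict for the rolling images, a comment above the `exec` line stating that the image is trusted with signing keys would at least record the assumption.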
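Review bot: The `case "$1"` inside the argument loop of `exec.sh` has no default arm, so any argument other than `-e` or `--` is never shifted and `while (( "${#}" ))` spins forever; a call that forgets the `--` separator hangs the job instead of failing. Add `*) echo "Unknown argument: $1" >&2; exit 1 ;;` before `esac`. After the loop it is also worth rejecting an empty command, `(( ${#COMMAND[@]} )) || { echo "No command given!" >&2; exit 1; }`, since the final `exec` would otherwise run with only the container name.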
+++ b/.github/scripts/package/arch.sh
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${1:-}" ]; then
+ $0 setup-builddeps
+ $0 setup-secureboot
+ $0 build-packages
+ $0 sign-packages
+ exit
+fi
+
+pacman()
+{
+ command pacman --noconfirm "$@"
+}
+
+case "${1:-}" in
+setup-builddeps)
+ # Update the container
+ pacman -Syu
+
+ # Install makepkg deps
+ pacman -S sudo binutils fakeroot base-devel git
+
+ # Install tools for singing the kernel for secureboot
+ pacman -S sbsigntools
+ ;;
+setup-secureboot)
+ if [ -z "${SB_KEY:-}" ]; then
+ echo "WARNING: No secureboot key configured, skipping signing."
+ exit
+ fi
+
+ # Install the surface secureboot certificate
+ echo "${SB_KEY}" | base64 -d > pkg/arch/kernel/MOK.key
+ cp pkg/keys/surface.crt pkg/arch/kernel/MOK.crt
+ ;;
+build-packages)
+ pushd pkg/arch/kernel || exit 1
+
+ # Fix permissions (can't makepkg as root)
+ echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
+ chown -R nobody .
+
+ # Package compression settings (Matches latest Arch)
+ export PKGEXT='.pkg.tar.zst'
+ export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
+ export MAKEFLAGS="-j2"
+
+ # Build
+ su nobody --pty -p -s /bin/bash -c 'makepkg -sf --skippgpcheck --noconfirm'
+
+ # Prepare release
+ mkdir release
+ find . -name '*.pkg.tar.zst' -type f -exec mv {} release \;
+
+ popd || exit 1
+ ;;
+sign-packages)
+ if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+ echo "WARNING: No GPG key configured, skipping signing."
+ exit
+ fi
+
+ pushd pkg/arch/kernel/release || exit 1
+
+ # import GPG key
+ echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+ # sign packages
+ find . -name '*.pkg.tar.zst' -type f -exec \
+ gpg --detach-sign --batch --no-tty -u "${GPG_KEY_ID}" {} \;
+
+ popd || exit 1
+ ;;
+esac
diff --git a/.github/scripts/package/debian.sh b/.github/scripts/package/debian.sh
new file mode 100644
index 000000000..74cdce3a1
--- /dev/null
+++ b/.github/scripts/package/debian.sh
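Review bot: With `set -euxo pipefail` at the top, the `setup-secureboot` and `sign-packages` arms trace `echo "${SB_KEY}"` and `echo "${GPG_KEY}"` with the variable expanded, so the base64 key material is written to the job log and its confidentiality rests entirely on the runner's log masking. Turn tracing off around those commands (`set +x` before, `set -x` after) or drop `-x` from the option line. `MOK.key` is presumably also created under the container's default umask before `chown -R nobody .` runs in `build-packages`; a `umask 077` ahead of the redirect would keep the private key readable by its owner only. The same key-handling lines are in `package/debian.sh` and `package/fedora.sh`.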
@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${1:-}" ]; then
+ $0 setup-builddeps
+ $0 setup-secureboot
+ $0 build-packages
+ $0 sign-packages
+ exit
+fi
+
+apt-get()
+{
+ command apt-get -y "$@"
+}
+
+MAINLINE_REPO="git://git.launchpad.net/~ubuntu-kernel-test/ubuntu/+source/linux/+git/mainline-crack"
+MAINLINE_BRANCH="cod/mainline"
+
+case "${1:-}" in
+setup-builddeps)
+ SOURCES="$(sed 's/^deb /deb-src /' /etc/apt/sources.list)"
+ echo "${SOURCES}" >> /etc/apt/sources.list
+
+ ln -snf /usr/share/zoneinfo/UTC /etc/localtime
+ echo UTC > /etc/timezone
+
+ apt-get update
+ apt-get upgrade
+ apt-get install build-essential fakeroot rsync git wget software-properties-common \
+ zstd lz4 sbsigntool debhelper dpkg-dev dpkg-sig
+ apt-get build-dep linux
+
+ # install python 3.11, required for configuring the kernel via Ubuntu's annotation format
+ add-apt-repository -y ppa:deadsnakes
+
+ apt-get update
+ apt-get upgrade
+ apt-get install python3.11
+
+ rm -f /usr/bin/python
+ rm -f /usr/bin/python3
+ ln -s /usr/bin/python3.11 /usr/bin/python
+ ln -s /usr/bin/python3.11 /usr/bin/python3
+ ;;
+setup-secureboot)
+ if [ -z "${SB_KEY:-}" ]; then
+ echo "WARNING: No secureboot key configured, skipping signing."
+ exit
+ fi
+
+ mkdir -p pkg/debian/kernel/keys
+
+ # Install the surface secureboot certificate
+ echo "${SB_KEY}" | base64 -d > pkg/debian/kernel/keys/MOK.key
+ cp pkg/keys/surface.crt pkg/debian/kernel/keys/MOK.crt
+ ;;
+build-packages)
+ pushd pkg/debian/kernel || exit 1
+
+ . version.conf
+
+ # setup git
+ git config --global user.name "surfacebot"
+ git config --global user.email "surfacebot@users.noreply.github.com"
+
+ # get ubuntu mainline source
+ # see https://kernel.ubuntu.com/~kernel-ppa/mainline
+ git clone "${MAINLINE_REPO}" --branch "${MAINLINE_BRANCH}/v${KERNEL_VERSION}" --depth 1 linux
+
+ if [ -d "keys" ]; then
+ mv keys linux
+ fi
+
+ pushd linux || exit 1
+
+ # apply surface build/packaging patches
+ find .. -name '*.patch' -type f -exec git apply --index --reject {} \;
+
+ git add .
+ git commit --allow-empty -m "Apply linux-surface packaging patches"
+
+ KERNEL_MAJORVER="${KERNEL_VERSION%.*}"
+
+ # apply surface patches
+ find "../../../../patches/${KERNEL_MAJORVER}" -name '*.patch' -type f -exec \
+ git apply --index --reject {} \;
+
+ git add .
+ git commit --allow-empty -m "Apply linux-surface patches"
+
+ # generate base config
+ ./debian/scripts/misc/annotations --arch amd64 --flavour generic --export > ../base.config
+
+ # merge configs
+ ./scripts/kconfig/merge_config.sh \
+ ../base.config \
+ ../ubuntu.config \
+ "../../../../configs/surface-${KERNEL_MAJORVER}.config"
+
+ # Explicitly set package version, including revision. This is picked up by 'make bindeb-pkg'.
+ export KDEB_PKGVERSION="${KERNEL_VERSION}${KERNEL_LOCALVERSION}-${KERNEL_REVISION}"
+
+ # The DPKG in Ubuntu 22.04 defaults to using ZSTD, which is not yet supported by the DPKG in Debian 11
+ export KDEB_COMPRESS="xz"
+
+ make bindeb-pkg -j "$(nproc)"
+
+ popd || exit 1
+ popd || exit 1
+
+ pushd pkg/debian/meta || exit 1
+
+ ./mkdebian.sh "$(make -C ../kernel/linux -s kernelrelease)" "${KERNEL_REVISION}"
+ dpkg-buildpackage -b -Zxz
+
+ popd || exit 1
+
+ pushd pkg/debian || exit 1
+
+ mkdir release
+
+ find . -name 'linux-libc-dev*.deb' -type f -exec rm {} \;
+ find . -name '*.deb' -type f -exec cp {} release \;
+
+ popd || exit 1
+ ;;
+sign-packages)
+ if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+ echo "WARNING: No GPG key configured, skipping signing."
+ exit
+ fi
+
+ pushd pkg/debian/release || exit 1
+
+ # import GPG key
+ echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+ # sign packages
+ find . -name '*.deb' -type f -exec \
+ dpkg-sig -g "--batch --no-tty" --sign builder -k "${GPG_KEY_ID}" {} \;
+
+ popd || exit 1
+ ;;
+esac
diff --git a/.github/scripts/package/fedora.sh b/.github/scripts/package/fedora.sh
new file mode 100644
index 000000000..aed0360e0
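Review bot: Both patch steps in `build-packages` run `git apply` through `find … -exec … \;`, and `find` does not propagate the exit status of an `-exec … \;` command, so a patch that fails to apply no longer stops the build under `set -e` and the kernel would be built and signed without it. `find` also yields files in directory order rather than sorted, and `find ..` descends into the freshly cloned `linux` tree as well as the packaging directory. A sorted glob loop restores fail-fast behaviour: `for p in ../*.patch; do git apply --index --reject "$p"; done`, and likewise over `"../../../../patches/${KERNEL_MAJORVER}"/*.patch`. The `-exec … \;` signing and build calls in `sign-packages` here and in `package/arch.sh` and `package/fedora.sh` swallow failures the same way. Separately, `MAINLINE_REPO` uses the unauthenticated `git://` transport for source that ends up signed; an `https://` remote would give the clone transport integrity.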
--- /dev/null
+++ b/.github/scripts/package/fedora.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "$1" ]; then
+ $0 setup-builddeps
+ $0 setup-secureboot
+ $0 build-packages
+ $0 sign-packages
+ exit
+fi
+
+dnf()
+{
+ command dnf -y "$@"
+}
+
+case "$1" in
+setup-builddeps)
+ # Setup build environment
+ dnf distro-sync
+ dnf install @rpm-development-tools git rpm-sign
+
+ # Install build dependencies
+ dnf builddep kernel
+
+ # Install additional build dependencies
+ dnf install sbsigntools
+ ;;
+setup-secureboot)
+ if [ -z "${SB_KEY:-}" ]; then
+ echo "WARNING: No secureboot key configured, skipping signing."
+ exit
+ fi
+
+ # Install the surface secureboot certificate
+ echo "${SB_KEY}" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
+ cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
+ ;;
+build-packages)
+ pushd pkg/fedora/kernel-surface || exit 1
+
+ # setup git
+ git config --global user.name "surfacebot"
+ git config --global user.email "surfacebot@users.noreply.github.com"
+
+ # Build source RPM packages
+ python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm
+
+ # Remove the kernel-ark tree to get as much free disk space as possible
+ rm -rf kernel-ark
+
+ # Build binary RPM packages
+ find srpm -name '*.src.rpm' -type f -exec rpmbuild -rb \
+ --define "_topdir ${PWD}/rpmbuild" --define "_rpmdir ${PWD}/out" {} \;
+
+ popd || exit 1
+ ;;
+sign-packages)
+ if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+ echo "WARNING: No GPG key configured, skipping signing."
+ exit
+ fi
+
+ pushd pkg/fedora/kernel-surface/out/x86_64 || exit 1
+
+ # import GPG key
+ echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+ # sign packages
+ find . -name '*.rpm' -type f -exec \
+ rpm --resign {} --define "_gpg_name ${GPG_KEY_ID}" \;
+
+ popd || exit 1
+ ;;
+esac
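Review bot: `if [ -z "$1" ]` runs under `set -u`, so calling the script without a subcommand aborts with an unbound-variable error instead of running the four stages; `package/arch.sh` and `package/debian.sh` use `"${1:-}"` for this test and for the `case`. Change both occurrences here to `"${1:-}"`. The fallback also re-invokes `$0` directly while the file is added with mode 100644, so `$0 setup-builddeps` would presumably fail with a permission error when the script was started as `bash script.sh`; `bash "$0" setup-builddeps` avoids relying on the executable bit, and the arch and debian scripts have the same fallback.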
diff --git a/.github/scripts/repository/arch.sh b/.github/scripts/repository/arch.sh
new file mode 100644
index 000000000..63c301b70
--- /dev/null
+++ b/.github/scripts/repository/arch.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+pacman()
+{
+ command pacman --noconfirm "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+ echo "GIT_REF is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+ echo "GITHUB_REPOSITORY is unset!"
+ exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+ echo "SURFACEBOT_TOKEN is unset!"
+ exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+ echo "BRANCH_STAGING is unset!"
+ exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+pacman -Syu
+pacman -S base-devel git
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find arch-latest -type f -exec cp {} repo/arch \;
+pushd repo/arch || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+ echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+ rm "${FILE}"
+done <<< "$(find . -name '*.pkg.tar.zst')"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Arch Linux ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
\ No newline at end of file
diff --git a/.github/scripts/repository/debian.sh b/.github/scripts/repository/debian.sh
new file mode 100644
index 000000000..83a8c9863
--- /dev/null
+++ b/.github/scripts/repository/debian.sh
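Review bot: `REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/…"` is assigned and then passed to `git clone` while `set -x` is active, so the expanded token is emitted in the trace for both commands, and cloning from that URL also stores it as the `origin` remote in `repo/.git/config` inside the mounted workspace. The inline workflow step this script replaces did not enable tracing as far as the removed lines show. Use `set -euo pipefail` in the repository scripts, or wrap the assignment, clone and push in `set +x` / `set -x`, so the credential does not depend on log masking. The same two lines are in `repository/debian.sh` and `repository/fedora.sh`.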
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+apt-get()
+{
+ command apt-get -y "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+ echo "GIT_REF is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+ echo "GITHUB_REPOSITORY is unset!"
+ exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+ echo "SURFACEBOT_TOKEN is unset!"
+ exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+ echo "BRANCH_STAGING is unset!"
+ exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+apt-get update
+apt-get install git
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find debian-latest -type f -exec cp {} repo/debian \;
+pushd repo/debian || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+ echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+ rm "${FILE}"
+done <<< "$(find . -name '*.deb')"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Debian ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
\ No newline at end of file
diff --git a/.github/scripts/repository/fedora.sh b/.github/scripts/repository/fedora.sh
new file mode 100644
index 000000000..dc62149fa
--- /dev/null
+++ b/.github/scripts/repository/fedora.sh
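Review bot: `RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"` is now evaluated under `set -o pipefail`: `head` exits after one line, `fold` and `tr` then die on SIGPIPE (or a write error), the pipeline reports a non-zero status, and with `set -e` the assignment is expected to abort the script before the branch is pushed. The inline workflow step it replaces did not set `pipefail` as far as the removed lines show. Reading a bounded amount avoids the broken pipe: `RAND="$(head -c 1024 /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 32)"`. The same line is in `repository/arch.sh` and `repository/fedora.sh`.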
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+dnf()
+{
+ command dnf -y "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+ echo "GIT_REF is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+ echo "GITHUB_REPOSITORY is unset!"
+ exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+ echo "SURFACEBOT_TOKEN is unset!"
+ exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+ echo "BRANCH_STAGING is unset!"
+ exit 1
+fi
+
+FEDORA="${1:-}"
+
+if [ -z "${FEDORA}" ]; then
+ echo "Fedora version is unset!"
+ exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+dnf install git findutils
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find "fedora-${FEDORA}-latest" -type f -exec cp {} "repo/fedora/f${FEDORA}" \;
+pushd "repo/fedora/f${FEDORA}" || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+ echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+ rm "${FILE}"
+done <<< "$(find . -name '*.rpm' -type f)"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Fedora ${FEDORA} ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
\ No newline at end of file
diff --git a/.github/workflows/arch.yml b/.github/workflows/arch.yml
index f5498db03..ff9b15e58 100644
--- a/.github/workflows/arch.yml
+++ b/.github/workflows/arch.yml
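Review bot: The conversion loop in `repository/fedora.sh` reads `find` through a here-string, `done <<< "$(find . -name '*.rpm' -type f)"`, which always delivers at least one line: when nothing matches, `FILE` is empty, a stray `.blob` file is written and `rm ""` stops the script with an unrelated error, and a failing `find` inside the substitution is not caught by `set -e`. Piping instead lets `pipefail` see the `find` status and skips the loop on no matches: `find . -name '*.rpm' -type f -print0 | while IFS= read -rd '' FILE; do … done`, followed by an explicit check that at least one `.blob` was produced. `repository/arch.sh` and `repository/debian.sh` use the same loop.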
@@ -1,146 +1,124 @@ -on: - push: - tags: - - 'arch-*' - name: Arch env: GPG_KEY_ID: 56C464BAAC421453 +on: + push: + tags: + - 'arch-*' + + repository_dispatch: + workflow_dispatch: + jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: archlinux steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - # Install makepkg deps - pacman -Syu --noconfirm - pacman -S --noconfirm sudo binutils fakeroot grep base-devel git sbsigntools libffi python + - name: Checkout code + uses: actions/checkout@v3 - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - cd pkg + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + archlinux - # Install the surface secureboot certificate - echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key - cp keys/surface.crt arch/kernel/MOK.crt + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/arch.sh setup-builddeps - - name: Build - run: | - cd pkg/arch/kernel + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/arch.sh setup-secureboot - # Fix permissions (can't makepkg as root) - echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers - chown -R nobody . 
+ - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/arch.sh build-packages - # Package compression settings (Matches latest Arch) - export PKGEXT='.pkg.tar.zst' - export COMPRESSZST=(zstd -c -T0 --ultra -20 -) - export MAKEFLAGS="-j2" + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/arch.sh sign-packages - # Build - su nobody --pty -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm' - - - name: Prepare release - run: | - mkdir release - mv pkg/arch/kernel/*.pkg.tar.zst release - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - cd release - - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - export GPG_TTY=$(tty) - - # sign packages - ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: arch-latest - path: release + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: arch-latest + path: pkg/arch/kernel/release release: name: Publish release + if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/') needs: [build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: arch-latest - path: arch-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: arch-latest + path: arch-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + 
file: ./*-latest/* + tag: ${{ github.ref }} + overwrite: true + file_glob: true repo: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: archlinux steps: - - name: Install dependencies - run: | - pacman -Syu --noconfirm - pacman -S --noconfirm base-devel git + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: arch-latest - path: arch-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: arch-latest + path: arch-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + archlinux - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp arch-latest/* repo/arch/ - cd repo/arch - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . -name '*.pkg.tar.zst'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git switch -c "${update_branch}" - git add . 
- git commit -m "Update Arch Linux kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/arch.sh \ No newline at end of file diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml index 2def8ea83..19a0ebc73 100644 --- a/.github/workflows/debian.yml +++ b/.github/workflows/debian.yml 
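Review bot: The new first step of the `build` job, `uses: easimon/maximize-build-space@master`, tracks a mutable branch of a third-party action in the same job that later injects `SURFACE_SB_KEY` and `LINUX_SURFACE_GPG_KEY`, so whatever that branch points to at run time executes on the runner ahead of signing. Pin it to a full commit SHA, `uses: easimon/maximize-build-space@<commit-sha>` (placeholder), and consider the same for `svenstaro/upload-release-action@v2`, which receives `LINUX_SURFACE_BOT_TOKEN`. The same `@master` reference is added in `debian.yml` and `fedora-37.yml`.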
@@ -1,221 +1,124 @@ +name: Debian + +env: + GPG_KEY_ID: 56C464BAAC421453 + on: push: tags: - 'debian-*' -name: Debian - -env: - GPG_KEY_ID: 56C464BAAC421453 - KERNEL_VERSION: 6.4.4 - KERNEL_REVISION: 3 - LOCALVERSION: -surface - MAINLINE_REPO: git://git.launchpad.net/~ubuntu-kernel-test/ubuntu/+source/linux/+git/mainline-crack - MAINLINE_BRANCH: cod/mainline - TZ: UTC + repository_dispatch: + workflow_dispatch: jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: ubuntu:20.04 steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - sed 's/^deb /deb-src /' /etc/apt/sources.list >> /etc/apt/sources.list - ln -snf /usr/share/zoneinfo/$TZ /etc/localtime - echo $TZ > /etc/timezone - apt-get -y update - apt-get -y upgrade - apt-get -y install build-essential fakeroot rsync git wget software-properties-common \ - zstd lz4 sbsigntool debhelper dpkg-dev dpkg-sig - apt-get -y build-dep linux + - name: Checkout code + uses: actions/checkout@v3 - - name: Install Python 3.11 - run: | - # install python 3.11, required for configuring the kernel via Ubuntu's annotation format - add-apt-repository -y ppa:deadsnakes + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + ubuntu:20.04 - apt-get -y update - apt-get -y upgrade + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/debian.sh setup-builddeps - apt-get -y install python3.11 + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/debian.sh setup-secureboot - rm -f /usr/bin/python - rm -f /usr/bin/python3 - ln -s /usr/bin/python3.11 
/usr/bin/python - ln -s /usr/bin/python3.11 /usr/bin/python3 + - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/debian.sh build-packages - - name: Prepare kernel source - run: | - cd pkg/debian/kernel + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/debian.sh sign-packages - # setup git - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # get ubuntu mainline source - # see https://kernel.ubuntu.com/~kernel-ppa/mainline - git clone "$MAINLINE_REPO" --branch "$MAINLINE_BRANCH/v$KERNEL_VERSION" --depth 1 linux - - cd linux - - # apply surface build/packaging patches - for PATCH in ../*.patch; do - git apply --index --reject ${PATCH} - done - - git add . - git commit --allow-empty -m "Apply linux-surface packaging patches" - - # apply surface patches - for PATCH in ../../../../patches/${KERNEL_VERSION%.*}/*.patch; do - git apply --index --reject ${PATCH} - done - - git add . 
- git commit --allow-empty -m "Apply linux-surface patches" - - - name: Configure - run: | - cd pkg/debian/kernel/linux - - # generate base config - ./debian/scripts/misc/annotations --arch amd64 --flavour generic --export > ../base.config - - # merge configs - ./scripts/kconfig/merge_config.sh \ - ../base.config \ - ../ubuntu.config \ - ../../../../configs/surface-${KERNEL_VERSION%.*}.config - - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - cd pkg - - mkdir -p debian/kernel/linux/keys - - # unlock/copy key and certificate - echo "$SB_KEY" | base64 -d > debian/kernel/linux/keys/MOK.key - cp keys/surface.crt debian/kernel/linux/keys/MOK.crt - - - name: Build kernel - env: - # The DPKG in Ubuntu 22.04 defaults to using ZSTD, - # which is not yet supported by the DPKG in Debian 11 - KDEB_COMPRESS: xz - run: | - cd pkg/debian/kernel/linux - - # Explicitly set package version, including revision. This is picked up - # by 'make bindeb-pkg'. - export KDEB_PKGVERSION="${KERNEL_VERSION}${LOCALVERSION}-${KERNEL_REVISION}" - - make bindeb-pkg -j2 - - - name: Build meta-package - run: | - cd pkg/debian/meta - ./mkdebian.sh $(make -C ../kernel/linux -s kernelrelease) ${KERNEL_REVISION} - dpkg-buildpackage -b -Zxz - - - name: Prepare release - run: | - mkdir release - rm pkg/debian/kernel/linux-libc-dev*.deb - mv pkg/debian/kernel/*.deb release - mv pkg/debian/*.deb release - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - export GPG_TTY=$(tty) - - # sign package - dpkg-sig -g "--batch --no-tty" --sign builder -k $GPG_KEY_ID release/*.deb - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: debian-latest - path: release + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: debian-latest + path: pkg/debian/release release: name: Publish release + if: 
github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/') needs: [build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: debian-latest - path: debian-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: debian-latest + path: debian-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + file: ./*-latest/* + tag: ${{ github.ref }} + overwrite: true + file_glob: true repo: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: debian:sid steps: - - name: Install dependencies - run: | - apt-get update - apt-get install -y git + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: debian-latest - path: debian-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: debian-latest + path: debian-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + debian:sid - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp debian-latest/* repo/debian/ - cd repo/debian - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . 
-name '*.deb'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git switch -c "${update_branch}" - git add . - git commit -m "Update Debian kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/debian.sh diff --git a/.github/workflows/fedora-37.yml b/.github/workflows/fedora-37.yml index 6191aca2b..0d7095f95 100644 --- a/.github/workflows/fedora-37.yml +++ b/.github/workflows/fedora-37.yml 
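Review bot: The rewritten `debian.yml` adds `repository_dispatch` and `workflow_dispatch` triggers but declares no `permissions:` block, so every job runs with the repository's default `GITHUB_TOKEN` scope even though the visible steps only check out code and use `LINUX_SURFACE_BOT_TOKEN` for writes. `actions/checkout` keeps that token in the workspace git config by default, and `create.sh` mounts the workspace into the build container, so a top-level `permissions:` with `contents: read` (and `persist-credentials: false` on the checkout steps) would bound what code in the container can reach. `repository_dispatch:` is also declared without a `types:` filter, so any dispatch event starts a build that loads the signing secrets. `arch.yml` has the same shape, and the visible part of `fedora-37.yml` appears to follow it.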
@@ -1,144 +1,125 @@ +name: Fedora 37 + +env: + FEDORA: 37 + GPG_KEY_ID: 56C464BAAC421453 + on: push: tags: - 'fedora-37-*' -name: Fedora 37 - -env: - GPG_KEY_ID: 56C464BAAC421453 + repository_dispatch: + workflow_dispatch: jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: registry.fedoraproject.org/fedora:37 steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - dnf distro-sync -y - dnf install -y git make gcc flex bison bzip2 rpm-build - dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)' + - name: Checkout code + uses: actions/checkout@v3 - # Install build dependencies - dnf builddep -y kernel + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + registry.fedoraproject.org/fedora:${{ env.FEDORA }} - # Install additional build dependencies - dnf install -y sbsigntools + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/fedora.sh setup-builddeps - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - # Install the surface secureboot certificate - echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key - cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/fedora.sh setup-secureboot - - name: Build packages - run: | - cd pkg/fedora/kernel-surface + - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/fedora.sh build-packages - # setup git - git config --global user.email 
"surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/fedora.sh sign-packages - # Build source RPM packages - python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm - - # Remove the kernel-ark tree to get as much free disk space as possible - rm -rf kernel-ark - - # Build binary RPM packages - rpmbuild -rb --define "_rpmdir $PWD/out" srpm/*.src.rpm - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - cd pkg/fedora/kernel-surface/out/x86_64 - - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - - # sign packages - rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID" - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: fedora-37-latest - path: pkg/fedora/kernel-surface/out/x86_64 + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: pkg/fedora/kernel-surface/out/x86_64 release: name: Publish release + if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/') needs: [build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: fedora-37-latest - path: fedora-37-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: fedora-${{ env.FEDORA }}-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + file: ./*-latest/* + 
tag: ${{ github.ref }} + overwrite: true + file_glob: true repo: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: registry.fedoraproject.org/fedora:37 steps: - - name: Install dependencies - run: | - dnf install -y git findutils + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: fedora-37-latest - path: fedora-37-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: fedora-${{ env.FEDORA }}-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + registry.fedoraproject.org/fedora:${{ env.FEDORA }} - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp fedora-37-latest/* repo/fedora/f37 - cd repo/fedora/f37 - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . -name '*.rpm'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git checkout -b "${update_branch}" - git add . 
- git commit -m "Update Fedora 37 kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/fedora.sh ${{ env.FEDORA }} \ No newline at end of file diff --git a/.github/workflows/fedora-38.yml b/.github/workflows/fedora-38.yml index abb0255c1..9b151aa7a 100644 --- a/.github/workflows/fedora-38.yml +++ b/.github/workflows/fedora-38.yml 
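Review bot: The new `Maximize disk space` step in the `build` job uses `easimon/maximize-build-space@master`, a mutable branch of a third-party action, whereas the other actions in this hunk are at least held to a version tag. The step runs on the same runner that later passes `SB_KEY` and `GPG_KEY` to the secure boot and package signing steps, so whatever that branch points to at run time executes ahead of the signing without any review on this side. I would pin it to a reviewed commit, `uses: easimon/maximize-build-space@<full-commit-sha>`, and note the matching release in a trailing comment. The fedora-38.yml hunk adds the same line and needs the same change.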
@@ -1,144 +1,125 @@ +name: Fedora 38 + +env: + FEDORA: 38 + GPG_KEY_ID: 56C464BAAC421453 + on: push: tags: - 'fedora-38-*' -name: Fedora 38 - -env: - GPG_KEY_ID: 56C464BAAC421453 + repository_dispatch: + workflow_dispatch: jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: registry.fedoraproject.org/fedora:38 steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - dnf distro-sync -y - dnf install -y git make gcc flex bison bzip2 rpm-build - dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)' + - name: Checkout code + uses: actions/checkout@v3 - # Install build dependencies - dnf builddep -y kernel + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + registry.fedoraproject.org/fedora:${{ env.FEDORA }} - # Install additional build dependencies - dnf install -y sbsigntools + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/fedora.sh setup-builddeps - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - # Install the surface secureboot certificate - echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key - cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/fedora.sh setup-secureboot - - name: Build packages - run: | - cd pkg/fedora/kernel-surface + - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/fedora.sh build-packages - # setup git - git config --global user.email 
"surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/fedora.sh sign-packages - # Build source RPM packages - python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm - - # Remove the kernel-ark tree to get as much free disk space as possible - rm -rf kernel-ark - - # Build binary RPM packages - rpmbuild -rb --define "_rpmdir $PWD/out" srpm/*.src.rpm - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - cd pkg/fedora/kernel-surface/out/x86_64 - - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - - # sign packages - rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID" - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: fedora-38-latest - path: pkg/fedora/kernel-surface/out/x86_64 + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: pkg/fedora/kernel-surface/out/x86_64 release: name: Publish release + if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/') needs: [build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: fedora-38-latest - path: fedora-38-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: fedora-${{ env.FEDORA }}-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + file: ./*-latest/* + 
tag: ${{ github.ref }} + overwrite: true + file_glob: true repo: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: registry.fedoraproject.org/fedora:38 steps: - - name: Install dependencies - run: | - dnf install -y git findutils + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: fedora-38-latest - path: fedora-38-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: fedora-${{ env.FEDORA }}-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + registry.fedoraproject.org/fedora:${{ env.FEDORA }} - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp fedora-38-latest/* repo/fedora/f38 - cd repo/fedora/f38 - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . -name '*.rpm'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git checkout -b "${update_branch}" - git add . 
- git commit -m "Update Fedora 38 kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/fedora.sh ${{ env.FEDORA }} \ No newline at end of file diff --git a/pkg/debian/kernel/version.conf b/pkg/debian/kernel/version.conf new file mode 100644 index 000000000..183bf4229 --- /dev/null +++ b/pkg/debian/kernel/version.conf @@ -0,0 +1,3 @@ +KERNEL_VERSION="6.4.4" +KERNEL_REVISION="2" +KERNEL_LOCALVERSION="-surface" \ No newline at end of file diff --git a/pkg/fedora/kernel-surface/build-linux-surface.py b/pkg/fedora/kernel-surface/build-linux-surface.py index 5d4d594bd..967d21cd5 100755 --- a/pkg/fedora/kernel-surface/build-linux-surface.py +++ b/pkg/fedora/kernel-surface/build-linux-surface.py @@ -18,13 +18,13 @@ PACKAGE_NAME = "surface" ## Fedora tags: kernel-X.Y.Z ## Upstream tags: vX.Y.Z ## -PACKAGE_TAG = "kernel-6.3.13-0" +PACKAGE_TAG = "kernel-6.4.4-0" ## ## The release number of the modified kernel package. ## e.g. 300 for kernel-6.3.1-300.fc38.foo ## -PACKAGE_RELEASE = "2" +PACKAGE_RELEASE = "1" ## ## Build options for configuring which parts of the kernel package are enabled. diff --git a/pkg/fedora/kernel-surface/configs/fedora.config b/pkg/fedora/kernel-surface/configs/fedora.config index 4fadc81e1..3ef4a0dc1 100644 --- a/pkg/fedora/kernel-surface/configs/fedora.config +++ b/pkg/fedora/kernel-surface/configs/fedora.config 
@@ -6,10 +6,4 @@ ## The build fails because this is not enabled in the config set for RHEL, ## but enabled automatically by one of our patches. ## -CONFIG_VIDEO_V4L2_SUBDEV_API=y - -## -## Compress debug info to prevent GitHub Actions from running out of space. -## -CONFIG_DEBUG_INFO_COMPRESSED_ZLIB=y -# CONFIG_DEBUG_INFO_COMPRESSED_NONE is not set +CONFIG_VIDEO_V4L2_SUBDEV_API=y \ No newline at end of file diff --git a/pkg/fedora/kernel-surface/patches/0001-iptsd.patch b/pkg/fedora/kernel-surface/patches/0001-iptsd.patch index 1add9f26f..d35cffa88 100644 --- a/pkg/fedora/kernel-surface/patches/0001-iptsd.patch +++ b/pkg/fedora/kernel-surface/patches/0001-iptsd.patch @@ -1,6 +1,6 @@ -From 5fc0582727cb64230d1c2ac02001263f92a9b82c Mon Sep 17 00:00:00 2001 +From 1cad947df5f2ec874863e42cce595a76dad64cc2 Mon Sep 17 00:00:00 2001 From: Dorian Stoll -Date: Sun, 14 May 2023 09:21:43 +0200 +Date: Sat, 22 Jul 2023 10:33:03 +0200 Subject: [PATCH] Pull in iptsd as a weak dependency Signed-off-by: Dorian Stoll @@ -9,10 +9,10 @@ Signed-off-by: Dorian Stoll 1 file changed, 1 insertion(+) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index 51f43b21b018..d61276b49d95 100644 +index d3dafe56aa64..24823cd8b784 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -938,6 +938,7 @@ Requires(pre): %{kernel_prereq}\ +@@ -1052,6 +1052,7 @@ Requires(pre): %{kernel_prereq}\ Requires(pre): %{initrd_prereq}\ Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\ Recommends: linux-firmware\ @@ -21,5 +21,5 @@ index 51f43b21b018..d61276b49d95 100644 Conflicts: xfsprogs < 4.3.0-1\ Conflicts: xorg-x11-drv-vmmouse < 13.0.99\ -- -2.40.1 +2.41.0 diff --git a/pkg/fedora/kernel-surface/patches/0002-provides.patch b/pkg/fedora/kernel-surface/patches/0002-provides.patch index 6a109fe9f..1f032adfc 100644 --- a/pkg/fedora/kernel-surface/patches/0002-provides.patch +++ b/pkg/fedora/kernel-surface/patches/0002-provides.patch 
@@ -1,6 +1,6 @@ -From 4f7a333fc3dbacc4b3fa25ea117cb59f865878af Mon Sep 17 00:00:00 2001 +From 17907fed744ae17414a1ad8bebc335e12dac7691 Mon Sep 17 00:00:00 2001 From: Dorian Stoll -Date: Sun, 14 May 2023 15:04:22 +0200 +Date: Sat, 22 Jul 2023 10:34:38 +0200 Subject: [PATCH] Let kernel-surface provide the standard package names Signed-off-by: Dorian Stoll @@ -9,10 +9,10 @@ Signed-off-by: Dorian Stoll 1 file changed, 5 insertions(+) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index 51f43b21b018..2d91719b7d93 100644 +index 24823cd8b784..ea7de5884a89 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -598,6 +598,7 @@ Requires: kernel-core-uname-r = %{KVERREL} +@@ -697,6 +697,7 @@ Requires: kernel-core-uname-r = %{KVERREL} Requires: kernel-modules-uname-r = %{KVERREL} Requires: kernel-modules-core-uname-r = %{KVERREL} Provides: installonlypkg(kernel) 
@@ -20,15 +20,15 @@ index 51f43b21b018..2d91719b7d93 100644 %endif -@@ -1226,6 +1227,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2} +@@ -1352,6 +1353,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2} Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{specrpmversion}-%{release}\ - Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\ - Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\ + Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{uname_suffix %{?1:+%{1}}}\ + Provides: kernel-devel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\ Provides: installonlypkg(kernel)\ AutoReqProv: no\ Requires(pre): findutils\ -@@ -1255,6 +1257,7 @@ against the %{?2:%{2} }kernel package.\ +@@ -1381,6 +1383,7 @@ against the %{?2:%{2} }kernel package.\ Summary: Meta package to install matching core and devel packages for a given %{?2:%{2} }kernel\ Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\ Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\ 
@@ -36,22 +36,22 @@ index 51f43b21b018..2d91719b7d93 100644 %description %{?1:%{1}-}devel-matched\ This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\ %{nil} -@@ -1373,6 +1376,7 @@ Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\ - Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\ - Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\ +@@ -1502,6 +1505,7 @@ Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{uname_suffix %{1}}\ + Requires: realtime-setup\ + %endif\ Provides: installonlypkg(kernel)\ +Provides: kernel = %{KVERREL}+%{1}\ %description %{1}\ The meta-package for the %{1} kernel\ %{nil} -@@ -1387,6 +1391,7 @@ The meta-package for the %{1} kernel\ +@@ -1534,6 +1538,7 @@ This package provides KVM modules for package kernel%{?1:-%{1}}.\ Summary: %{variant_summary}\ - Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\ + Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ Provides: installonlypkg(kernel)\ +Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\ %if %{-m:1}%{!-m:0}\ - Requires: kernel-core-uname-r = %{KVERREL}\ - Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ + Requires: kernel-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ + Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ -- -2.40.1 +2.41.0 diff --git a/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch b/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch index de7e02ec1..2146a7b37 100644 --- a/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch +++ b/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch @@ -1,6 +1,6 @@ -From 360961a67b03503c59b7434ccc5bd1d2fa40b55e Mon Sep 17 00:00:00 2001 +From 819c1b06089925d6944bf2dad9dc29649b7510d5 Mon Sep 17 00:00:00 2001 
From: Dorian Stoll -Date: Sun, 14 May 2023 18:16:38 +0200 +Date: Sat, 22 Jul 2023 10:40:32 +0200 Subject: [PATCH] Let kernel-surface conflict with older versions of the package @@ -10,10 +10,10 @@ Signed-off-by: Dorian Stoll 1 file changed, 20 insertions(+) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index d952180f91ef..dc95736a227e 100644 +index ea7de5884a89..43dce82a9d36 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -599,6 +599,10 @@ Requires: kernel-modules-uname-r = %{KVERREL} +@@ -698,6 +698,10 @@ Requires: kernel-modules-uname-r = %{KVERREL} Requires: kernel-modules-core-uname-r = %{KVERREL} Provides: installonlypkg(kernel) Provides: kernel = %{KVERREL} @@ -24,8 +24,8 @@ index d952180f91ef..dc95736a227e 100644 %endif -@@ -1230,6 +1234,8 @@ Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\ - Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1355,6 +1359,8 @@ Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{uname_suff + Provides: kernel-devel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\ Provides: installonlypkg(kernel)\ +Conflicts: %{package_name}-devel < 6.3.7-2\ @@ -33,7 +33,7 @@ index d952180f91ef..dc95736a227e 100644 AutoReqProv: no\ Requires(pre): findutils\ Requires: findutils\ -@@ -1259,6 +1265,8 @@ Summary: Meta package to install matching core and devel packages for a given %{ +@@ -1384,6 +1390,8 @@ Summary: Meta package to install matching core and devel packages for a given %{ Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\ Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\ Provides: kernel-devel-matched = %{specrpmversion}-%{release}\ 
@@ -42,60 +42,60 @@ index d952180f91ef..dc95736a227e 100644 %description %{?1:%{1}-}devel-matched\ This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\ %{nil} -@@ -1291,6 +1299,8 @@ Provides: kernel%{?1:-%{1}}-modules-internal-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1416,6 +1424,8 @@ Provides: kernel%{?1:-%{1}}-modules-internal-uname-r = %{KVERREL}%{uname_suffix + Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Conflicts: %{package_name}-modules-internal < 6.3.7-2\ +Obsoletes: %{package_name}-modules-internal < 6.3.7-2\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -@@ -1312,6 +1322,8 @@ Provides: kernel%{?1:-%{1}}-modules-extra-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1437,6 +1447,8 @@ Provides: kernel%{?1:-%{1}}-modules-extra-uname-r = %{KVERREL}%{uname_suffix %{? 
+ Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Conflicts: %{package_name}-modules-extra < 6.3.7-2\ +Obsoletes: %{package_name}-modules-extra < 6.3.7-2\ %if %{-m:1}%{!-m:0}\ - Requires: kernel-modules-extra-uname-r = %{KVERREL}\ + Requires: kernel-modules-extra-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ %endif\ -@@ -1335,6 +1347,8 @@ Provides: installonlypkg(kernel-module)\ - Provides: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1460,6 +1472,8 @@ Provides: installonlypkg(kernel-module)\ + Provides: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Conflicts: %{package_name}-modules < 6.3.7-2\ +Obsoletes: %{package_name}-modules < 6.3.7-2\ %if %{-m:1}%{!-m:0}\ - Requires: kernel-modules-uname-r = %{KVERREL}\ + Requires: kernel-modules-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ %endif\ -@@ -1357,6 +1371,8 @@ Provides: kernel-modules-core = %{specrpmversion}-%{release}%{?1:+%{1}}\ +@@ -1482,6 +1496,8 @@ Provides: kernel-modules-core = %{specrpmversion}-%{release}%{uname_suffix %{?1: Provides: installonlypkg(kernel-module)\ - Provides: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ + Provides: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Conflicts: %{package_name}-modules-core < 6.3.7-2\ +Obsoletes: %{package_name}-modules-core < 6.3.7-2\ %if %{-m:1}%{!-m:0}\ - 
Requires: kernel-modules-core-uname-r = %{KVERREL}\ + Requires: kernel-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ + %endif\ +@@ -1504,6 +1520,8 @@ Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{uname_suffix %{1}}\ + %if "%{1}" == "rt" || "%{1}" == "rt-debug"\ + Requires: realtime-setup\ %endif\ -@@ -1376,6 +1392,8 @@ summary: kernel meta-package for the %{1} kernel\ - Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\ - Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\ - Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\ +Conflicts: %{package_name} < 6.3.7-2\ +Obsoletes: %{package_name} < 6.3.7-2\ Provides: installonlypkg(kernel)\ Provides: kernel = %{KVERREL}+%{1}\ %description %{1}\ -@@ -1393,6 +1411,8 @@ Summary: %{variant_summary}\ - Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1539,6 +1557,8 @@ Summary: %{variant_summary}\ + Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ Provides: installonlypkg(kernel)\ Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\ +Conflicts: %{package_name}-core < 6.3.7-2\ +Obsoletes: %{package_name}-core < 6.3.7-2\ %if %{-m:1}%{!-m:0}\ - Requires: kernel-core-uname-r = %{KVERREL}\ - Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ + Requires: kernel-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ + Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ -- -2.40.1 +2.41.0 diff --git a/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch b/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch index 8eda4e43b..bd0b940d5 100644 --- a/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch +++ b/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch @@ -1,6 +1,6 @@ -From a45b4c3fcb7d364f236a25e03378a6b03a9cc627 Mon Sep 17 00:00:00 2001 +From 81141a454f41cbc5fd41b778f85b10552c8676e8 Mon Sep 17 00:00:00 2001 
From: Dorian Stoll -Date: Sat, 3 Jun 2023 11:47:02 +0200 +Date: Sat, 22 Jul 2023 10:41:11 +0200 Subject: [PATCH] Install scripts and service files for keeping the surface kernel the default @@ -10,10 +10,10 @@ Signed-off-by: Dorian Stoll 1 file changed, 34 insertions(+) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index dc95736a227e..4d6504ca721b 100644 +index 43dce82a9d36..28df94e561d4 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -911,6 +911,11 @@ Source4000: README.rst +@@ -1025,6 +1025,11 @@ Source4000: README.rst Source4001: rpminspect.yaml Source4002: gating.yaml @@ -25,7 +25,7 @@ index dc95736a227e..4d6504ca721b 100644 ## Patches needed for building this package %if !%{nopatches} -@@ -944,6 +949,7 @@ Requires(pre): %{initrd_prereq}\ +@@ -1058,6 +1063,7 @@ Requires(pre): %{initrd_prereq}\ Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\ Recommends: linux-firmware\ Recommends: iptsd\ @@ -33,7 +33,7 @@ index dc95736a227e..4d6504ca721b 100644 Requires(preun): systemd >= 200\ Conflicts: xfsprogs < 4.3.0-1\ Conflicts: xorg-x11-drv-vmmouse < 13.0.99\ -@@ -958,6 +964,14 @@ AutoProv: yes\ +@@ -1072,6 +1078,14 @@ AutoProv: yes\ %{nil} @@ -48,7 +48,7 @@ index dc95736a227e..4d6504ca721b 100644 %package doc Summary: Various documentation bits found in the kernel source Group: Documentation -@@ -2691,6 +2705,11 @@ find Documentation -type d | xargs chmod u+w +@@ -2945,6 +2959,11 @@ find Documentation -type d | xargs chmod u+w cd linux-%{KVERREL} @@ -60,7 +60,7 @@ index dc95736a227e..4d6504ca721b 100644 %if %{with_doc} docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease} -@@ -2938,6 +2957,15 @@ popd +@@ -3197,6 +3216,15 @@ popd ### scripts ### @@ -76,7 +76,7 @@ index dc95736a227e..4d6504ca721b 100644 %if %{with_tools} %post -n %{package_name}-tools-libs /sbin/ldconfig -@@ -3313,6 +3341,12 @@ fi +@@ -3609,6 +3637,12 @@ fi\ %{_libexecdir}/kselftests %endif 
@@ -87,8 +87,8 @@ index dc95736a227e..4d6504ca721b 100644 +%{_presetdir}/90-linux-surface-default-watchdog.preset + # empty meta-package + %if %{with_up_base} %ifnarch %nobuildarches noarch - %files -- -2.40.1 +2.41.0 diff --git a/pkg/fedora/kernel-surface/patches/9999-TEMP-Add-hid-uclogic-test-to-mod-internal.list.patch b/pkg/fedora/kernel-surface/patches/9999-TEMP-Add-hid-uclogic-test-to-mod-internal.list.patch deleted file mode 100644 index 977cac06e..000000000 --- a/pkg/fedora/kernel-surface/patches/9999-TEMP-Add-hid-uclogic-test-to-mod-internal.list.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 1a1b787441b355ea9bbcaf335d3c3ae5ca44534f Mon Sep 17 00:00:00 2001 -From: "Justin M. Forbes" -Date: Wed, 12 Jul 2023 07:34:54 -0500 -Subject: [PATCH] Add hid-uclogic-test to mod-internal.list - -Signed-off-by: Justin M. Forbes ---- - redhat/scripts/mod/mod-internal.list | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/redhat/scripts/mod/mod-internal.list b/redhat/scripts/mod/mod-internal.list -index b0368901ff30..3bebd2dfc05c 100644 ---- a/redhat/scripts/mod/mod-internal.list -+++ b/redhat/scripts/mod/mod-internal.list -@@ -26,6 +26,7 @@ fat_test - fortify_kunit - gss_krb5_test - hashtable_test -+hid-uclogic-test - iio-test-format - iio-test-rescale - is_signed_type_kunit --- -2.41.0 - diff --git a/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch b/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch index 1f8ca29f7..ad06521be 100644 --- a/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch +++ b/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch @@ -1,6 +1,6 @@ -From 67f8052f553191686b1224b5598d00ff33d38608 Mon Sep 17 00:00:00 2001 +From 71133b4337411ddd550d5e5ef68a12c510740b2c Mon Sep 17 00:00:00 2001 From: Dorian Stoll -Date: Sat, 13 May 2023 16:39:50 +0200 +Date: Sat, 22 Jul 2023 10:45:33 +0200 Subject: [PATCH] Use a custom key and certificate for Secure Boot signing Signed-off-by: Dorian Stoll @@ -9,10 +9,10 @@ 
Signed-off-by: Dorian Stoll 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index 51f43b21b018..76d1ad8e2818 100644 +index 28df94e561d4..fd44abc4118a 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -703,6 +703,7 @@ BuildRequires: system-sb-certs +@@ -805,6 +805,7 @@ BuildRequires: system-sb-certs %ifarch x86_64 aarch64 BuildRequires: nss-tools BuildRequires: pesign >= 0.10-4 @@ -20,7 +20,7 @@ index 51f43b21b018..76d1ad8e2818 100644 %endif %endif %endif -@@ -762,6 +763,13 @@ Source1: Makefile.rhelver +@@ -864,6 +865,13 @@ Source1: Makefile.rhelver %define signing_key_filename kernel-signing-s390.cer %endif @@ -34,8 +34,8 @@ index 51f43b21b018..76d1ad8e2818 100644 %if %{?released_kernel} Source10: redhatsecurebootca5.cer -@@ -1860,9 +1868,7 @@ BuildKernel() { - fi +@@ -2096,9 +2104,7 @@ BuildKernel() { + SignImage=$KernelImage %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} @@ -45,7 +45,7 @@ index 51f43b21b018..76d1ad8e2818 100644 %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then -@@ -2393,9 +2399,6 @@ BuildKernel() { +@@ -2650,9 +2656,6 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %ifarch x86_64 aarch64 @@ -56,5 +56,5 @@ index 51f43b21b018..76d1ad8e2818 100644 install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %endif -- -2.40.1 +2.41.0