From 7c7ba21c90e16aa1c9981122d8d02d6c07b9b8ae Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Sat, 22 Jul 2023 20:27:44 +0200 Subject: [PATCH 1/6] pkg: fedora: Create containers manually, reclaim space from the runner The GitHub runners usually have about 14 GB of free space. This is not enough to build a full Fedora kernel with debug symbols. Disabling the debug symbols is not an option, because they are needed to generate data for BPF programs, and because it would mean more patches to the spec file which I would like to avoid. The runners contain a bunch of software that is entirely useless for our purposes. For example, a full .NET distribution, the entire Android SDK, and a bunch of cached container images that arent Fedora. However, with GitHubs container directive it is not possible to remove these, because no custom code is ever executed on the runner itself. To execute code on the runner, the container has to be created and used manually. To simplify this, all of the actual logic has been moved to a dedicated script, similar to how the CI on iptsd is set up. --- .github/scripts/container/create.sh | 33 +++++ .github/scripts/container/exec.sh | 46 +++++++ .github/scripts/package/fedora.sh | 76 ++++++++++ .github/scripts/repository/fedora.sh | 72 ++++++++++ .github/workflows/fedora-37.yml | 199 ++++++++++++--------------- .github/workflows/fedora-38.yml | 199 ++++++++++++--------------- 6 files changed, 403 insertions(+), 222 deletions(-) create mode 100644 .github/scripts/container/create.sh create mode 100644 .github/scripts/container/exec.sh create mode 100644 .github/scripts/package/fedora.sh create mode 100644 .github/scripts/repository/fedora.sh diff --git a/.github/scripts/container/create.sh b/.github/scripts/container/create.sh new file mode 100644 index 000000000..cb980b0b1 --- /dev/null +++ b/.github/scripts/container/create.sh 
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${GITHUB_REPOSITORY_ID:-}" ]; then
+ echo "GITHUB_REPOSITORY_ID is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_WORKSPACE:-}" ]; then
+ echo "GITHUB_WORKSPACE is unset!"
+ exit 1
+fi
+
+IMAGE="${1:-}"
+
+if [ -z "${IMAGE}" ]; then
+ echo "Container image is unset!"
+ exit 1
+fi
+
+if command -v docker &> /dev/null; then
+ DOCKER="docker"
+elif command -v podman &> /dev/null; then
+ DOCKER="podman"
+else
+ echo "Could not find docker / podman!"
+ exit 1
+fi
+
+exec "${DOCKER}" run -d --name "${GITHUB_REPOSITORY_ID}" \
+ -v "${GITHUB_WORKSPACE}:/working" --workdir "/working" \
+ --entrypoint "tail" "${IMAGE}" -f /dev/null
\ No newline at end of file
diff --git a/.github/scripts/container/exec.sh b/.github/scripts/container/exec.sh
new file mode 100644
index 000000000..41596465b
--- /dev/null
+++ b/.github/scripts/container/exec.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${GITHUB_REPOSITORY_ID:-}" ]; then
+ echo "GITHUB_REPOSITORY_ID is unset!"
+ exit 1
+fi
+
+if [ -z "${1:-}" ]; then
+ echo "Arguments are unset!"
+ exit 1
+fi
+
+ENVVARS=()
+COMMAND=()
+
+while (( "${#}" )); do
+ case "$1" in
+ -e)
+ ENVVARS+=("-e")
+ shift
+
+ ENVVARS+=("$1")
+ shift
+ ;;
+ --)
+ shift
+ while (( "${#}" )); do
+ COMMAND+=("$1")
+ shift
+ done
+ ;;
+ esac
+done
+
+if command -v docker &> /dev/null; then
+ DOCKER="docker"
+elif command -v podman &> /dev/null; then
+ DOCKER="podman"
+else
+ echo "Could not find docker / podman!"
+ exit 1
+fi
+
+exec "${DOCKER}" exec "${ENVVARS[@]}" "${GITHUB_REPOSITORY_ID}" "${COMMAND[@]}"
\ No newline at end of file
diff --git a/.github/scripts/package/fedora.sh b/.github/scripts/package/fedora.sh
new file mode 100644
index 000000000..aed0360e0
--- /dev/null
+++ b/.github/scripts/package/fedora.sh
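Review bot: In `create.sh`, the image reference in `"${IMAGE}"` on the final `run` line is used exactly as passed, and the workflows in this patch pass mutable tags (`registry.fedoraproject.org/fedora:${{ env.FEDORA }}`, `archlinux`), so whatever the tag resolves to at run time is the environment that later receives `SB_KEY` and `GPG_KEY`. Consider having callers pass a digest-pinned reference (`image@sha256:<digest>`) and recording that expectation in a header comment such as `# $1: container image reference, preferably pinned by digest`. The failure messages in this script are also written to stdout; appending `>&2` keeps diagnostics separate from normal output.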
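Review bot: In `exec.sh`, the `case "$1"` inside the argument loop has arms only for `-e` and `--`, so any other argument (for example a command given without the leading `--`) is never shifted and the `while (( "${#}" ))` loop never terminates until the job times out. A default arm such as `*) echo "Unknown argument: $1" >&2; exit 1 ;;` makes that misuse fail immediately. It is also worth rejecting an empty `COMMAND` before the final `exec`, since a call with only `-e NAME` currently reaches the container runtime with no command to run.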
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "$1" ]; then
+ $0 setup-builddeps
+ $0 setup-secureboot
+ $0 build-packages
+ $0 sign-packages
+ exit
+fi
+
+dnf()
+{
+ command dnf -y "$@"
+}
+
+case "$1" in
+setup-builddeps)
+ # Setup build environment
+ dnf distro-sync
+ dnf install @rpm-development-tools git rpm-sign
+
+ # Install build dependencies
+ dnf builddep kernel
+
+ # Install additional build dependencies
+ dnf install sbsigntools
+ ;;
+setup-secureboot)
+ if [ -z "${SB_KEY:-}" ]; then
+ echo "WARNING: No secureboot key configured, skipping signing."
+ exit
+ fi
+
+ # Install the surface secureboot certificate
+ echo "${SB_KEY}" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
+ cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
+ ;;
+build-packages)
+ pushd pkg/fedora/kernel-surface || exit 1
+
+ # setup git
+ git config --global user.name "surfacebot"
+ git config --global user.email "surfacebot@users.noreply.github.com"
+
+ # Build source RPM packages
+ python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm
+
+ # Remove the kernel-ark tree to get as much free disk space as possible
+ rm -rf kernel-ark
+
+ # Build binary RPM packages
+ find srpm -name '*.src.rpm' -type f -exec rpmbuild -rb \
+ --define "_topdir ${PWD}/rpmbuild" --define "_rpmdir ${PWD}/out" {} \;
+
+ popd || exit 1
+ ;;
+sign-packages)
+ if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+ echo "WARNING: No GPG key configured, skipping signing."
+ exit
+ fi
+
+ pushd pkg/fedora/kernel-surface/out/x86_64 || exit 1
+
+ # import GPG key
+ echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+ # sign packages
+ find . -name '*.rpm' -type f -exec \
+ rpm --resign {} --define "_gpg_name ${GPG_KEY_ID}" \;
+
+ popd || exit 1
+ ;;
+esac
diff --git a/.github/scripts/repository/fedora.sh b/.github/scripts/repository/fedora.sh
new file mode 100644
index 000000000..dc62149fa
--- /dev/null
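Review bot: With `set -euxo pipefail` at the top of `package/fedora.sh`, the `echo "${SB_KEY}" | base64 -d` line in `setup-secureboot` and the `echo "${GPG_KEY}" | base64 -d` line in `sign-packages` are traced with the variable expanded, so the encoded private key material is written to the job log and only the CI log masking keeps it from readers of that log. Wrapping those two lines in `set +x` / `set -x`, or dropping `-x` from this script, removes that dependency; `package/arch.sh` and `package/debian.sh` contain the same two lines. `MOK.key` is also created with the default umask inside the bind-mounted workspace, so a `umask 077` before the redirect is worth adding. Separately, `[ -z "$1" ]` aborts under `set -u` when the script is run without arguments, whereas the Arch and Debian scripts use `"${1:-}"`.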
+++ b/.github/scripts/repository/fedora.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+dnf()
+{
+ command dnf -y "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+ echo "GIT_REF is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+ echo "GITHUB_REPOSITORY is unset!"
+ exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+ echo "SURFACEBOT_TOKEN is unset!"
+ exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+ echo "BRANCH_STAGING is unset!"
+ exit 1
+fi
+
+FEDORA="${1:-}"
+
+if [ -z "${FEDORA}" ]; then
+ echo "Fedora version is unset!"
+ exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+dnf install git findutils
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find "fedora-${FEDORA}-latest" -type f -exec cp {} "repo/fedora/f${FEDORA}" \;
+pushd "repo/fedora/f${FEDORA}" || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+ echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+ rm "${FILE}"
+done <<< "$(find . -name '*.rpm' -type f)"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Fedora ${FEDORA} ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
\ No newline at end of file
diff --git a/.github/workflows/fedora-37.yml b/.github/workflows/fedora-37.yml
index 6191aca2b..525d178ee 100644
--- a/.github/workflows/fedora-37.yml
+++ b/.github/workflows/fedora-37.yml
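Review bot: In `repository/fedora.sh`, `REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"` places the bot token inside the clone URL, so it is printed by the `set -x` trace (both the assignment and the `git clone` line), appears in the process arguments, and is stored as the `origin` URL in `repo/.git/config` inside the bind-mounted workspace. Cloning `https://github.com/linux-surface/repo.git` and supplying the token through a credential helper or `GIT_ASKPASS`, with tracing switched off around the line that handles it, avoids all three and still covers the later `git push`. `repository/arch.sh` contains the same assignment.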
@@ -1,144 +1,121 @@ +name: Fedora 37 + +env: + FEDORA: 37 + GPG_KEY_ID: 56C464BAAC421453 + on: push: tags: - 'fedora-37-*' -name: Fedora 37 - -env: - GPG_KEY_ID: 56C464BAAC421453 - jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: registry.fedoraproject.org/fedora:37 steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - dnf distro-sync -y - dnf install -y git make gcc flex bison bzip2 rpm-build - dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)' + - name: Checkout code + uses: actions/checkout@v3 - # Install build dependencies - dnf builddep -y kernel + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + registry.fedoraproject.org/fedora:${{ env.FEDORA }} - # Install additional build dependencies - dnf install -y sbsigntools + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/fedora.sh setup-builddeps - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - # Install the surface secureboot certificate - echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key - cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/fedora.sh setup-secureboot - - name: Build packages - run: | - cd pkg/fedora/kernel-surface + - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/fedora.sh build-packages - # setup git - git config --global user.email "surfacebot@users.noreply.github.com" - git 
config --global user.name "surfacebot" + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/fedora.sh sign-packages - # Build source RPM packages - python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm - - # Remove the kernel-ark tree to get as much free disk space as possible - rm -rf kernel-ark - - # Build binary RPM packages - rpmbuild -rb --define "_rpmdir $PWD/out" srpm/*.src.rpm - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - cd pkg/fedora/kernel-surface/out/x86_64 - - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - - # sign packages - rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID" - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: fedora-37-latest - path: pkg/fedora/kernel-surface/out/x86_64 + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: pkg/fedora/kernel-surface/out/x86_64 release: name: Publish release needs: [build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: fedora-37-latest - path: fedora-37-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: fedora-${{ env.FEDORA }}-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + file: ./*-latest/* + tag: ${{ github.ref }} + overwrite: true + file_glob: true repo: name: Update package repository needs: [release] runs-on: 
ubuntu-latest - container: registry.fedoraproject.org/fedora:37 steps: - - name: Install dependencies - run: | - dnf install -y git findutils + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: fedora-37-latest - path: fedora-37-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: fedora-${{ env.FEDORA }}-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + registry.fedoraproject.org/fedora:${{ env.FEDORA }} - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp fedora-37-latest/* repo/fedora/f37 - cd repo/fedora/f37 - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . -name '*.rpm'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git checkout -b "${update_branch}" - git add . 
- git commit -m "Update Fedora 37 kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/fedora.sh ${{ env.FEDORA }} \ No newline at end of file diff --git a/.github/workflows/fedora-38.yml b/.github/workflows/fedora-38.yml index abb0255c1..3396243a8 100644 --- a/.github/workflows/fedora-38.yml +++ b/.github/workflows/fedora-38.yml 
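Review bot: The new `Maximize disk space` step references `easimon/maximize-build-space@master`, a third-party action on a moving branch, and it runs on the same runner before the steps that receive `SURFACE_SB_KEY` and `LINUX_SURFACE_GPG_KEY`. Pinning it to a reviewed full commit SHA, `uses: easimon/maximize-build-space@<full-commit-sha>`, keeps an upstream push from changing what executes ahead of the signing steps. The same line is added in `fedora-38.yml` and `arch.yml`.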
@@ -1,144 +1,121 @@ +name: Fedora 38 + +env: + FEDORA: 38 + GPG_KEY_ID: 56C464BAAC421453 + on: push: tags: - 'fedora-38-*' -name: Fedora 38 - -env: - GPG_KEY_ID: 56C464BAAC421453 - jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: registry.fedoraproject.org/fedora:38 steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - dnf distro-sync -y - dnf install -y git make gcc flex bison bzip2 rpm-build - dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)' + - name: Checkout code + uses: actions/checkout@v3 - # Install build dependencies - dnf builddep -y kernel + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + registry.fedoraproject.org/fedora:${{ env.FEDORA }} - # Install additional build dependencies - dnf install -y sbsigntools + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/fedora.sh setup-builddeps - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - # Install the surface secureboot certificate - echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key - cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/fedora.sh setup-secureboot - - name: Build packages - run: | - cd pkg/fedora/kernel-surface + - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/fedora.sh build-packages - # setup git - git config --global user.email "surfacebot@users.noreply.github.com" - git 
config --global user.name "surfacebot" + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/fedora.sh sign-packages - # Build source RPM packages - python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm - - # Remove the kernel-ark tree to get as much free disk space as possible - rm -rf kernel-ark - - # Build binary RPM packages - rpmbuild -rb --define "_rpmdir $PWD/out" srpm/*.src.rpm - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - cd pkg/fedora/kernel-surface/out/x86_64 - - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - - # sign packages - rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID" - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: fedora-38-latest - path: pkg/fedora/kernel-surface/out/x86_64 + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: pkg/fedora/kernel-surface/out/x86_64 release: name: Publish release needs: [build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: fedora-38-latest - path: fedora-38-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: fedora-${{ env.FEDORA }}-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + file: ./*-latest/* + tag: ${{ github.ref }} + overwrite: true + file_glob: true repo: name: Update package repository needs: [release] runs-on: 
ubuntu-latest - container: registry.fedoraproject.org/fedora:38 steps: - - name: Install dependencies - run: | - dnf install -y git findutils + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: fedora-38-latest - path: fedora-38-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: fedora-${{ env.FEDORA }}-latest + path: fedora-${{ env.FEDORA }}-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + registry.fedoraproject.org/fedora:${{ env.FEDORA }} - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp fedora-38-latest/* repo/fedora/f38 - cd repo/fedora/f38 - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . -name '*.rpm'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git checkout -b "${update_branch}" - git add . 
- git commit -m "Update Fedora 38 kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/fedora.sh ${{ env.FEDORA }} \ No newline at end of file From da389ab837ef0954d6af88febb707ec37b3f2b46 Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Sat, 22 Jul 2023 20:35:35 +0200 Subject: [PATCH 2/6] pkg: fedora: Disable compressed debug info --- pkg/fedora/kernel-surface/configs/fedora.config | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/pkg/fedora/kernel-surface/configs/fedora.config b/pkg/fedora/kernel-surface/configs/fedora.config index 4fadc81e1..3ef4a0dc1 100644 --- a/pkg/fedora/kernel-surface/configs/fedora.config +++ b/pkg/fedora/kernel-surface/configs/fedora.config @@ -6,10 +6,4 @@ ## The build fails because this is not enabled in the config set for RHEL, ## but enabled automatically by one of our patches. ## -CONFIG_VIDEO_V4L2_SUBDEV_API=y - -## -## Compress debug info to prevent GitHub Actions from running out of space. -## -CONFIG_DEBUG_INFO_COMPRESSED_ZLIB=y -# CONFIG_DEBUG_INFO_COMPRESSED_NONE is not set +CONFIG_VIDEO_V4L2_SUBDEV_API=y \ No newline at end of file From 854c619a8ffd05320e372fc05af43a2cae0ab9a8 Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Sat, 22 Jul 2023 22:12:00 +0200 Subject: [PATCH 3/6] pkg: arch: Move to script based workflow --- .github/scripts/package/arch.sh | 77 +++++++++++ .github/scripts/repository/arch.sh | 66 ++++++++++ .github/workflows/arch.yml | 200 +++++++++++++---------------- 3 files changed, 230 insertions(+), 113 deletions(-) create mode 100644 .github/scripts/package/arch.sh create mode 100644 .github/scripts/repository/arch.sh 
diff --git a/.github/scripts/package/arch.sh b/.github/scripts/package/arch.sh
new file mode 100644
index 000000000..d7d44be8d
--- /dev/null
+++ b/.github/scripts/package/arch.sh
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${1:-}" ]; then
+ $0 setup-builddeps
+ $0 setup-secureboot
+ $0 build-packages
+ $0 sign-packages
+ exit
+fi
+
+pacman()
+{
+ command pacman --noconfirm "$@"
+}
+
+case "${1:-}" in
+setup-builddeps)
+ # Update the container
+ pacman -Syu
+
+ # Install makepkg deps
+ pacman -S sudo binutils fakeroot base-devel git
+
+ # Install tools for singing the kernel for secureboot
+ pacman -S sbsigntools
+ ;;
+setup-secureboot)
+ if [ -z "${SB_KEY:-}" ]; then
+ echo "WARNING: No secureboot key configured, skipping signing."
+ exit
+ fi
+
+ # Install the surface secureboot certificate
+ echo "${SB_KEY}" | base64 -d > pkg/arch/kernel/MOK.key
+ cp pkg/keys/surface.crt pkg/arch/kernel/MOK.crt
+ ;;
+build-packages)
+ pushd pkg/arch/kernel || exit 1
+
+ # Fix permissions (can't makepkg as root)
+ echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
+ chown -R nobody .
+
+ # Package compression settings (Matches latest Arch)
+ export PKGEXT='.pkg.tar.zst'
+ export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
+ export MAKEFLAGS="-j2"
+
+ # Build
+ su nobody --pty -p -s /bin/bash -c 'makepkg -sf --skippgpcheck --noconfirm'
+
+ # Prepare release
+ mkdir release
+ find . -name '*.pkg.tar.zst' -type f -exec mv {} release \;
+
+ popd || exit 1
+ ;;
+sign-packages)
+ if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+ echo "WARNING: No GPG key configured, skipping signing."
+ exit
+ fi
+
+ pushd pkg/arch/kernel/release || exit 1
+
+ # import GPG key
+ echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+ # sign packages
+ find . -name '*.pkg.tar.zst' -type f -exec \
+ gpg --detach-sign --batch --no-tty -u "${GPG_KEY_ID}" {} \;
+
+ popd || exit 1
+ ;;
+esac
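Review bot: `makepkg -sf --skippgpcheck --noconfirm` in `build-packages` turns off PGP verification of the package sources for a build whose output is then signed with the project's Secure Boot and GPG keys. If the PKGBUILD declares `validpgpkeys` (not visible in this patch), importing those keys for the `nobody` user and dropping `--skippgpcheck` would keep the check; otherwise a comment such as `# PGP check skipped: source integrity relies on the PKGBUILD checksums` would record the assumption. `chown -R nobody .` runs after `setup-secureboot`, so it presumably also hands `MOK.key` to the unprivileged build user; that is worth a comment stating it is intended.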
diff --git a/.github/scripts/repository/arch.sh b/.github/scripts/repository/arch.sh
new file mode 100644
index 000000000..63c301b70
--- /dev/null
+++ b/.github/scripts/repository/arch.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+pacman()
+{
+ command pacman --noconfirm "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+ echo "GIT_REF is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+ echo "GITHUB_REPOSITORY is unset!"
+ exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+ echo "SURFACEBOT_TOKEN is unset!"
+ exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+ echo "BRANCH_STAGING is unset!"
+ exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+pacman -Syu
+pacman -S base-devel git
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find arch-latest -type f -exec cp {} repo/arch \;
+pushd repo/arch || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+ echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+ rm "${FILE}"
+done <<< "$(find . -name '*.pkg.tar.zst')"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Arch Linux ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
\ No newline at end of file
diff --git a/.github/workflows/arch.yml b/.github/workflows/arch.yml
index f5498db03..f1e54a24b 100644
--- a/.github/workflows/arch.yml
+++ b/.github/workflows/arch.yml
@@ -1,146 +1,120 @@ -on: - push: - tags: - - 'arch-*' - name: Arch env: GPG_KEY_ID: 56C464BAAC421453 +on: + push: + tags: + - 'arch-*' + jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: archlinux steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - # Install makepkg deps - pacman -Syu --noconfirm - pacman -S --noconfirm sudo binutils fakeroot grep base-devel git sbsigntools libffi python + - name: Checkout code + uses: actions/checkout@v3 - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - cd pkg + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + archlinux - # Install the surface secureboot certificate - echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key - cp keys/surface.crt arch/kernel/MOK.crt + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/arch.sh setup-builddeps - - name: Build - run: | - cd pkg/arch/kernel + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/arch.sh setup-secureboot - # Fix permissions (can't makepkg as root) - echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers - chown -R nobody . 
+ - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/arch.sh build-packages - # Package compression settings (Matches latest Arch) - export PKGEXT='.pkg.tar.zst' - export COMPRESSZST=(zstd -c -T0 --ultra -20 -) - export MAKEFLAGS="-j2" + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/arch.sh sign-packages - # Build - su nobody --pty -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm' - - - name: Prepare release - run: | - mkdir release - mv pkg/arch/kernel/*.pkg.tar.zst release - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - cd release - - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - export GPG_TTY=$(tty) - - # sign packages - ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: arch-latest - path: release + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: arch-latest + path: pkg/arch/kernel/release release: name: Publish release needs: [build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: arch-latest - path: arch-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: arch-latest + path: arch-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + file: ./*-latest/* + tag: ${{ github.ref }} + overwrite: true + file_glob: true 
repo: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: archlinux steps: - - name: Install dependencies - run: | - pacman -Syu --noconfirm - pacman -S --noconfirm base-devel git + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: arch-latest - path: arch-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: arch-latest + path: arch-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + archlinux - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp arch-latest/* repo/arch/ - cd repo/arch - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . -name '*.pkg.tar.zst'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git switch -c "${update_branch}" - git add . 
- git commit -m "Update Arch Linux kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/arch.sh \ No newline at end of file From ffa8b7c606748cb8dcb0575c0223ed0a413b3a1d Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Sun, 23 Jul 2023 11:53:50 +0200 Subject: [PATCH 4/6] pkg: debian: Move to script based workflow For the future we should consider adapting the Fedora python scripts for Debian and move the logic out of the CI script into a dedicated packaging script. --- .github/scripts/package/debian.sh | 146 ++++++++++++++ .github/scripts/repository/debian.sh | 66 +++++++ .github/workflows/debian.yml | 275 +++++++++------------------ pkg/debian/kernel/version.conf | 3 + 4 files changed, 302 insertions(+), 188 deletions(-) create mode 100644 .github/scripts/package/debian.sh create mode 100644 .github/scripts/repository/debian.sh create mode 100644 pkg/debian/kernel/version.conf diff --git a/.github/scripts/package/debian.sh b/.github/scripts/package/debian.sh new file mode 100644 index 000000000..74cdce3a1 --- /dev/null +++ b/.github/scripts/package/debian.sh 
@@ -0,0 +1,146 @@ +#!/usr/bin/env bash + +set -euxo pipefail + +if [ -z "${1:-}" ]; then + $0 setup-builddeps + $0 setup-secureboot + $0 build-packages + $0 sign-packages + exit +fi + +apt-get() +{ + command apt-get -y "$@" +} + +MAINLINE_REPO="git://git.launchpad.net/~ubuntu-kernel-test/ubuntu/+source/linux/+git/mainline-crack" +MAINLINE_BRANCH="cod/mainline" + +case "${1:-}" in +setup-builddeps) + SOURCES="$(sed 's/^deb /deb-src /' /etc/apt/sources.list)" + echo "${SOURCES}" >> /etc/apt/sources.list + + ln -snf /usr/share/zoneinfo/UTC /etc/localtime + echo UTC > /etc/timezone + + apt-get update + apt-get upgrade + apt-get install build-essential fakeroot rsync git wget software-properties-common \ + zstd lz4 sbsigntool debhelper dpkg-dev dpkg-sig + apt-get build-dep linux + + # install python 3.11, required for configuring the kernel via Ubuntu's annotation format + add-apt-repository -y ppa:deadsnakes + + apt-get update + apt-get upgrade + apt-get install python3.11 + + rm -f /usr/bin/python + rm -f /usr/bin/python3 + ln -s /usr/bin/python3.11 /usr/bin/python + ln -s /usr/bin/python3.11 /usr/bin/python3 + ;; +setup-secureboot) + if [ -z "${SB_KEY:-}" ]; then + echo "WARNING: No secureboot key configured, skipping signing." + exit + fi + + mkdir -p pkg/debian/kernel/keys + + # Install the surface secureboot certificate + echo "${SB_KEY}" | base64 -d > pkg/debian/kernel/keys/MOK.key + cp pkg/keys/surface.crt pkg/debian/kernel/keys/MOK.crt + ;; +build-packages) + pushd pkg/debian/kernel || exit 1 + + . version.conf + + # setup git + git config --global user.name "surfacebot" + git config --global user.email "surfacebot@users.noreply.github.com" + + # get ubuntu mainline source + # see https://kernel.ubuntu.com/~kernel-ppa/mainline + git clone "${MAINLINE_REPO}" --branch "${MAINLINE_BRANCH}/v${KERNEL_VERSION}" --depth 1 linux + + if [ -d "keys" ]; then + mv keys linux + fi + + pushd linux || exit 1 + + # apply surface build/packaging patches + find .. 
-name '*.patch' -type f -exec git apply --index --reject {} \; + + git add . + git commit --allow-empty -m "Apply linux-surface packaging patches" + + KERNEL_MAJORVER="${KERNEL_VERSION%.*}" + + # apply surface patches + find "../../../../patches/${KERNEL_MAJORVER}" -name '*.patch' -type f -exec \ + git apply --index --reject {} \; + + git add . + git commit --allow-empty -m "Apply linux-surface patches" + + # generate base config + ./debian/scripts/misc/annotations --arch amd64 --flavour generic --export > ../base.config + + # merge configs + ./scripts/kconfig/merge_config.sh \ + ../base.config \ + ../ubuntu.config \ + "../../../../configs/surface-${KERNEL_MAJORVER}.config" + + # Explicitly set package version, including revision. This is picked up by 'make bindeb-pkg'. + export KDEB_PKGVERSION="${KERNEL_VERSION}${KERNEL_LOCALVERSION}-${KERNEL_REVISION}" + + # The DPKG in Ubuntu 22.04 defaults to using ZSTD, which is not yet supported by the DPKG in Debian 11 + export KDEB_COMPRESS="xz" + + make bindeb-pkg -j "$(nproc)" + + popd || exit 1 + popd || exit 1 + + pushd pkg/debian/meta || exit 1 + + ./mkdebian.sh "$(make -C ../kernel/linux -s kernelrelease)" "${KERNEL_REVISION}" + dpkg-buildpackage -b -Zxz + + popd || exit 1 + + pushd pkg/debian || exit 1 + + mkdir release + + find . -name 'linux-libc-dev*.deb' -type f -exec rm {} \; + find . -name '*.deb' -type f -exec cp {} release \; + + popd || exit 1 + ;; +sign-packages) + if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then + echo "WARNING: No GPG key configured, skipping signing." + exit + fi + + pushd pkg/debian/release || exit 1 + + # import GPG key + echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes + + # sign packages + find . -name '*.deb' -type f -exec \ + dpkg-sig -g "--batch --no-tty" --sign builder -k "${GPG_KEY_ID}" {} \; + + popd || exit 1 + ;; +esac 
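Review bot: Both patch steps in `build-packages` run `git apply` through `find … -exec … \;`, which discards the exit status of `git apply` and visits files in directory order rather than sorted order, so a patch that is rejected or applied out of sequence no longer stops the build under `set -e` and the kernel is still packaged and signed. `find ..` is also rooted at `pkg/debian/kernel`, so it descends into the freshly cloned `linux` tree and would pick up any `*.patch` file shipped there. A sorted glob loop keeps failures fatal and the order deterministic: `for PATCH in ../*.patch; do git apply --index --reject "${PATCH}"; done`, and the same over `"../../../../patches/${KERNEL_MAJORVER}"/*.patch`. Separately, `set -euxo pipefail` leaves tracing on while `echo "${SB_KEY}"` and `echo "${GPG_KEY}"` run here, and while `REPO=` and `git clone` expand `SURFACEBOT_TOKEN` in `.github/scripts/repository/debian.sh`, so keeping those values out of the job log depends on the runner's secret masking alone; `set +x` around those commands, or dropping `x`, removes that dependency.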
diff --git a/.github/scripts/repository/debian.sh b/.github/scripts/repository/debian.sh
new file mode 100644
index 000000000..83a8c9863
--- /dev/null
+++ b/.github/scripts/repository/debian.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+apt-get()
+{
+ command apt-get -y "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+ echo "GIT_REF is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+ echo "GITHUB_REPOSITORY is unset!"
+ exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+ echo "SURFACEBOT_TOKEN is unset!"
+ exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+ echo "BRANCH_STAGING is unset!"
+ exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+apt-get update
+apt-get install git
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find debian-latest -type f -exec cp {} repo/debian \;
+pushd repo/debian || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+ echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+ rm "${FILE}"
+done <<< "$(find . -name '*.deb')"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Debian ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
\ No newline at end of file
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
index 2def8ea83..e248d1c05 100644
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
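Review bot: The conversion loop in `repository/debian.sh` reads from `<<< "$(find . -name '*.deb')"`, and a here-string always delivers at least one line, so when `find` matches nothing the body still runs once with an empty `FILE`, writes a stray `.blob` file and only then aborts on `rm ""`. Reading NUL-delimited output through process substitution skips the loop on an empty result and also copes with unusual file names: `while IFS= read -r -d '' FILE; do` paired with `done < <(find . -name '*.deb' -print0)`. An explicit check that at least one package was found before the commit would give a clearer failure than the `rm` error.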
@@ -1,221 +1,120 @@ +name: Debian + +env: + GPG_KEY_ID: 56C464BAAC421453 + on: push: tags: - 'debian-*' -name: Debian - -env: - GPG_KEY_ID: 56C464BAAC421453 - KERNEL_VERSION: 6.4.4 - KERNEL_REVISION: 3 - LOCALVERSION: -surface - MAINLINE_REPO: git://git.launchpad.net/~ubuntu-kernel-test/ubuntu/+source/linux/+git/mainline-crack - MAINLINE_BRANCH: cod/mainline - TZ: UTC - jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: ubuntu:20.04 steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - sed 's/^deb /deb-src /' /etc/apt/sources.list >> /etc/apt/sources.list - ln -snf /usr/share/zoneinfo/$TZ /etc/localtime - echo $TZ > /etc/timezone - apt-get -y update - apt-get -y upgrade - apt-get -y install build-essential fakeroot rsync git wget software-properties-common \ - zstd lz4 sbsigntool debhelper dpkg-dev dpkg-sig - apt-get -y build-dep linux + - name: Checkout code + uses: actions/checkout@v3 - - name: Install Python 3.11 - run: | - # install python 3.11, required for configuring the kernel via Ubuntu's annotation format - add-apt-repository -y ppa:deadsnakes + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + ubuntu:20.04 - apt-get -y update - apt-get -y upgrade + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/debian.sh setup-builddeps - apt-get -y install python3.11 + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/debian.sh setup-secureboot - rm -f /usr/bin/python - rm -f /usr/bin/python3 - ln -s /usr/bin/python3.11 /usr/bin/python - ln -s /usr/bin/python3.11 
/usr/bin/python3 + - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/debian.sh build-packages - - name: Prepare kernel source - run: | - cd pkg/debian/kernel + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/debian.sh sign-packages - # setup git - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # get ubuntu mainline source - # see https://kernel.ubuntu.com/~kernel-ppa/mainline - git clone "$MAINLINE_REPO" --branch "$MAINLINE_BRANCH/v$KERNEL_VERSION" --depth 1 linux - - cd linux - - # apply surface build/packaging patches - for PATCH in ../*.patch; do - git apply --index --reject ${PATCH} - done - - git add . - git commit --allow-empty -m "Apply linux-surface packaging patches" - - # apply surface patches - for PATCH in ../../../../patches/${KERNEL_VERSION%.*}/*.patch; do - git apply --index --reject ${PATCH} - done - - git add . 
- git commit --allow-empty -m "Apply linux-surface patches" - - - name: Configure - run: | - cd pkg/debian/kernel/linux - - # generate base config - ./debian/scripts/misc/annotations --arch amd64 --flavour generic --export > ../base.config - - # merge configs - ./scripts/kconfig/merge_config.sh \ - ../base.config \ - ../ubuntu.config \ - ../../../../configs/surface-${KERNEL_VERSION%.*}.config - - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - cd pkg - - mkdir -p debian/kernel/linux/keys - - # unlock/copy key and certificate - echo "$SB_KEY" | base64 -d > debian/kernel/linux/keys/MOK.key - cp keys/surface.crt debian/kernel/linux/keys/MOK.crt - - - name: Build kernel - env: - # The DPKG in Ubuntu 22.04 defaults to using ZSTD, - # which is not yet supported by the DPKG in Debian 11 - KDEB_COMPRESS: xz - run: | - cd pkg/debian/kernel/linux - - # Explicitly set package version, including revision. This is picked up - # by 'make bindeb-pkg'. - export KDEB_PKGVERSION="${KERNEL_VERSION}${LOCALVERSION}-${KERNEL_REVISION}" - - make bindeb-pkg -j2 - - - name: Build meta-package - run: | - cd pkg/debian/meta - ./mkdebian.sh $(make -C ../kernel/linux -s kernelrelease) ${KERNEL_REVISION} - dpkg-buildpackage -b -Zxz - - - name: Prepare release - run: | - mkdir release - rm pkg/debian/kernel/linux-libc-dev*.deb - mv pkg/debian/kernel/*.deb release - mv pkg/debian/*.deb release - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - export GPG_TTY=$(tty) - - # sign package - dpkg-sig -g "--batch --no-tty" --sign builder -k $GPG_KEY_ID release/*.deb - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: debian-latest - path: release + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: debian-latest + path: pkg/debian/release release: name: Publish release needs: 
[build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: debian-latest - path: debian-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: debian-latest + path: debian-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + file: ./*-latest/* + tag: ${{ github.ref }} + overwrite: true + file_glob: true repo: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: debian:sid steps: - - name: Install dependencies - run: | - apt-get update - apt-get install -y git + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: debian-latest - path: debian-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: debian-latest + path: debian-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + debian:sid - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp debian-latest/* repo/debian/ - cd repo/debian - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . 
-name '*.deb'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git switch -c "${update_branch}" - git add . - git commit -m "Update Debian kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/debian.sh diff --git a/pkg/debian/kernel/version.conf b/pkg/debian/kernel/version.conf new file mode 100644 index 000000000..183bf4229 --- /dev/null +++ b/pkg/debian/kernel/version.conf @@ -0,0 +1,3 @@ +KERNEL_VERSION="6.4.4" +KERNEL_REVISION="2" +KERNEL_LOCALVERSION="-surface" \ No newline at end of file From 30c9a9caa548dab803aaea0ca2a132c411887099 Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Mon, 24 Jul 2023 14:58:38 +0200 Subject: [PATCH 5/6] pkg: Allow triggering a CI run manually This will only build the kernel, sign it and upload it as an artifact. Useful for testing changes. --- .github/workflows/arch.yml | 4 ++++ .github/workflows/debian.yml | 4 ++++ .github/workflows/fedora-37.yml | 4 ++++ .github/workflows/fedora-38.yml | 4 ++++ 4 files changed, 16 insertions(+) diff --git a/.github/workflows/arch.yml b/.github/workflows/arch.yml index f1e54a24b..ff9b15e58 100644 --- a/.github/workflows/arch.yml +++ b/.github/workflows/arch.yml @@ -7,6 +7,9 @@ on: push: tags: - 'arch-*' + + repository_dispatch: + workflow_dispatch: jobs: build: 
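Review bot: The new `Maximize disk space` step pulls `easimon/maximize-build-space@master`, a third-party action tracked by a mutable branch, into the same job that later handles `SB_KEY` and `GPG_KEY`, so whatever that branch points to at run time executes on the runner before the kernel is built and signed. Pinning the action to a reviewed full commit SHA limits that exposure and keeps the build reproducible: `uses: easimon/maximize-build-space@<full-commit-sha>` (placeholder, with the matching release noted in a trailing comment). The re-indented `svenstaro/upload-release-action@v2` step, which receives `LINUX_SURFACE_BOT_TOKEN`, is pinned only to a movable tag and would benefit from the same treatment.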
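Review bot: `KERNEL_REVISION="2"` in the new `version.conf` is lower than the `KERNEL_REVISION: 3` this commit removes from `debian.yml`, while `KERNEL_VERSION` stays at 6.4.4. If a 6.4.4 build with revision 3 was already published, the next `KDEB_PKGVERSION` would sort below it and apt would not treat the new package as an upgrade; if the drop is unintentional the line should read `KERNEL_REVISION="3"`.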
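Review bot: `repository_dispatch:` is added to `arch.yml` without a `types:` filter, so any dispatch event sent to the repository starts this workflow, and the identical trigger added to `debian.yml`, `fedora-37.yml` and `fedora-38.yml` means a single event starts all four kernel builds together; the Debian build, for one, runs with `SB_KEY` and `GPG_KEY` in scope. If the intent is only manual test runs, `workflow_dispatch:` alone may be sufficient. Otherwise a per-distribution event type narrows the trigger, for example `repository_dispatch:` followed by `types: [build-arch]` (the type name is a constructed example).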
@@ -68,6 +71,7 @@ jobs: release: name: Publish release + if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/') needs: [build] runs-on: ubuntu-latest steps: diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml index e248d1c05..19a0ebc73 100644 --- a/.github/workflows/debian.yml +++ b/.github/workflows/debian.yml @@ -8,6 +8,9 @@ on: tags: - 'debian-*' + repository_dispatch: + workflow_dispatch: + jobs: build: name: Build Kernel @@ -68,6 +71,7 @@ jobs: release: name: Publish release + if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/') needs: [build] runs-on: ubuntu-latest steps: diff --git a/.github/workflows/fedora-37.yml b/.github/workflows/fedora-37.yml index 525d178ee..0d7095f95 100644 --- a/.github/workflows/fedora-37.yml +++ b/.github/workflows/fedora-37.yml @@ -9,6 +9,9 @@ on: tags: - 'fedora-37-*' + repository_dispatch: + workflow_dispatch: + jobs: build: name: Build Kernel @@ -69,6 +72,7 @@ jobs: release: name: Publish release + if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/') needs: [build] runs-on: ubuntu-latest steps: diff --git a/.github/workflows/fedora-38.yml b/.github/workflows/fedora-38.yml index 3396243a8..9b151aa7a 100644 --- a/.github/workflows/fedora-38.yml +++ b/.github/workflows/fedora-38.yml @@ -9,6 +9,9 @@ on: tags: - 'fedora-38-*' + repository_dispatch: + workflow_dispatch: + jobs: build: name: Build Kernel @@ -69,6 +72,7 @@ jobs: release: name: Publish release + if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/') needs: [build] runs-on: ubuntu-latest steps: From 16fc34fcf940f46e8c6ad13f97b71f7d1266174d Mon Sep 17 00:00:00 2001 
From: Dorian Stoll Date: Sat, 22 Jul 2023 10:46:38 +0200 Subject: [PATCH 6/6] pkg: fedora: Rebase onto v6.4.4 --- .../kernel-surface/build-linux-surface.py | 4 +- .../kernel-surface/patches/0001-iptsd.patch | 10 +-- .../patches/0002-provides.patch | 32 ++++----- .../patches/0003-obsoletes.patch | 68 +++++++++---------- .../patches/0004-default-kernel.patch | 22 +++--- ...id-uclogic-test-to-mod-internal.list.patch | 25 ------- .../secureboot/0001-secureboot.patch | 18 ++--- 7 files changed, 77 insertions(+), 102 deletions(-) delete mode 100644 pkg/fedora/kernel-surface/patches/9999-TEMP-Add-hid-uclogic-test-to-mod-internal.list.patch diff --git a/pkg/fedora/kernel-surface/build-linux-surface.py b/pkg/fedora/kernel-surface/build-linux-surface.py index 5d4d594bd..967d21cd5 100755 --- a/pkg/fedora/kernel-surface/build-linux-surface.py +++ b/pkg/fedora/kernel-surface/build-linux-surface.py @@ -18,13 +18,13 @@ PACKAGE_NAME = "surface" ## Fedora tags: kernel-X.Y.Z ## Upstream tags: vX.Y.Z ## -PACKAGE_TAG = "kernel-6.3.13-0" +PACKAGE_TAG = "kernel-6.4.4-0" ## ## The release number of the modified kernel package. ## e.g. 300 for kernel-6.3.1-300.fc38.foo ## -PACKAGE_RELEASE = "2" +PACKAGE_RELEASE = "1" ## ## Build options for configuring which parts of the kernel package are enabled. diff --git a/pkg/fedora/kernel-surface/patches/0001-iptsd.patch b/pkg/fedora/kernel-surface/patches/0001-iptsd.patch index 1add9f26f..d35cffa88 100644 --- a/pkg/fedora/kernel-surface/patches/0001-iptsd.patch +++ b/pkg/fedora/kernel-surface/patches/0001-iptsd.patch @@ -1,6 +1,6 @@ -From 5fc0582727cb64230d1c2ac02001263f92a9b82c Mon Sep 17 00:00:00 2001 +From 1cad947df5f2ec874863e42cce595a76dad64cc2 Mon Sep 17 00:00:00 2001 From: Dorian Stoll -Date: Sun, 14 May 2023 09:21:43 +0200 +Date: Sat, 22 Jul 2023 10:33:03 +0200 Subject: [PATCH] Pull in iptsd as a weak dependency Signed-off-by: Dorian Stoll @@ -9,10 +9,10 @@ Signed-off-by: Dorian Stoll 1 file changed, 1 insertion(+) 
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index 51f43b21b018..d61276b49d95 100644 +index d3dafe56aa64..24823cd8b784 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -938,6 +938,7 @@ Requires(pre): %{kernel_prereq}\ +@@ -1052,6 +1052,7 @@ Requires(pre): %{kernel_prereq}\ Requires(pre): %{initrd_prereq}\ Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\ Recommends: linux-firmware\ @@ -21,5 +21,5 @@ index 51f43b21b018..d61276b49d95 100644 Conflicts: xfsprogs < 4.3.0-1\ Conflicts: xorg-x11-drv-vmmouse < 13.0.99\ -- -2.40.1 +2.41.0 diff --git a/pkg/fedora/kernel-surface/patches/0002-provides.patch b/pkg/fedora/kernel-surface/patches/0002-provides.patch index 6a109fe9f..1f032adfc 100644 --- a/pkg/fedora/kernel-surface/patches/0002-provides.patch +++ b/pkg/fedora/kernel-surface/patches/0002-provides.patch @@ -1,6 +1,6 @@ -From 4f7a333fc3dbacc4b3fa25ea117cb59f865878af Mon Sep 17 00:00:00 2001 +From 17907fed744ae17414a1ad8bebc335e12dac7691 Mon Sep 17 00:00:00 2001 From: Dorian Stoll -Date: Sun, 14 May 2023 15:04:22 +0200 +Date: Sat, 22 Jul 2023 10:34:38 +0200 Subject: [PATCH] Let kernel-surface provide the standard package names Signed-off-by: Dorian Stoll @@ -9,10 +9,10 @@ Signed-off-by: Dorian Stoll 1 file changed, 5 insertions(+) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index 51f43b21b018..2d91719b7d93 100644 +index 24823cd8b784..ea7de5884a89 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -598,6 +598,7 @@ Requires: kernel-core-uname-r = %{KVERREL} +@@ -697,6 +697,7 @@ Requires: kernel-core-uname-r = %{KVERREL} Requires: kernel-modules-uname-r = %{KVERREL} Requires: kernel-modules-core-uname-r = %{KVERREL} Provides: installonlypkg(kernel) 
@@ -20,15 +20,15 @@ index 51f43b21b018..2d91719b7d93 100644 %endif -@@ -1226,6 +1227,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2} +@@ -1352,6 +1353,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2} Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{specrpmversion}-%{release}\ - Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\ - Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\ + Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{uname_suffix %{?1:+%{1}}}\ + Provides: kernel-devel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\ Provides: installonlypkg(kernel)\ AutoReqProv: no\ Requires(pre): findutils\ -@@ -1255,6 +1257,7 @@ against the %{?2:%{2} }kernel package.\ +@@ -1381,6 +1383,7 @@ against the %{?2:%{2} }kernel package.\ Summary: Meta package to install matching core and devel packages for a given %{?2:%{2} }kernel\ Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\ Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\ 
@@ -36,22 +36,22 @@ index 51f43b21b018..2d91719b7d93 100644 %description %{?1:%{1}-}devel-matched\ This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\ %{nil} -@@ -1373,6 +1376,7 @@ Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\ - Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\ - Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\ +@@ -1502,6 +1505,7 @@ Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{uname_suffix %{1}}\ + Requires: realtime-setup\ + %endif\ Provides: installonlypkg(kernel)\ +Provides: kernel = %{KVERREL}+%{1}\ %description %{1}\ The meta-package for the %{1} kernel\ %{nil} -@@ -1387,6 +1391,7 @@ The meta-package for the %{1} kernel\ +@@ -1534,6 +1538,7 @@ This package provides KVM modules for package kernel%{?1:-%{1}}.\ Summary: %{variant_summary}\ - Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\ + Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ Provides: installonlypkg(kernel)\ +Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\ %if %{-m:1}%{!-m:0}\ - Requires: kernel-core-uname-r = %{KVERREL}\ - Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ + Requires: kernel-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ + Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ -- -2.40.1 +2.41.0 diff --git a/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch b/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch index de7e02ec1..2146a7b37 100644 --- a/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch +++ b/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch @@ -1,6 +1,6 @@ -From 360961a67b03503c59b7434ccc5bd1d2fa40b55e Mon Sep 17 00:00:00 2001 +From 819c1b06089925d6944bf2dad9dc29649b7510d5 Mon Sep 17 00:00:00 2001 
From: Dorian Stoll -Date: Sun, 14 May 2023 18:16:38 +0200 +Date: Sat, 22 Jul 2023 10:40:32 +0200 Subject: [PATCH] Let kernel-surface conflict with older versions of the package @@ -10,10 +10,10 @@ Signed-off-by: Dorian Stoll 1 file changed, 20 insertions(+) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index d952180f91ef..dc95736a227e 100644 +index ea7de5884a89..43dce82a9d36 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -599,6 +599,10 @@ Requires: kernel-modules-uname-r = %{KVERREL} +@@ -698,6 +698,10 @@ Requires: kernel-modules-uname-r = %{KVERREL} Requires: kernel-modules-core-uname-r = %{KVERREL} Provides: installonlypkg(kernel) Provides: kernel = %{KVERREL} @@ -24,8 +24,8 @@ index d952180f91ef..dc95736a227e 100644 %endif -@@ -1230,6 +1234,8 @@ Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\ - Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1355,6 +1359,8 @@ Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{uname_suff + Provides: kernel-devel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\ Provides: installonlypkg(kernel)\ +Conflicts: %{package_name}-devel < 6.3.7-2\ @@ -33,7 +33,7 @@ index d952180f91ef..dc95736a227e 100644 AutoReqProv: no\ Requires(pre): findutils\ Requires: findutils\ -@@ -1259,6 +1265,8 @@ Summary: Meta package to install matching core and devel packages for a given %{ +@@ -1384,6 +1390,8 @@ Summary: Meta package to install matching core and devel packages for a given %{ Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\ Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\ Provides: kernel-devel-matched = %{specrpmversion}-%{release}\ 
@@ -42,60 +42,60 @@ index d952180f91ef..dc95736a227e 100644 %description %{?1:%{1}-}devel-matched\ This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\ %{nil} -@@ -1291,6 +1299,8 @@ Provides: kernel%{?1:-%{1}}-modules-internal-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1416,6 +1424,8 @@ Provides: kernel%{?1:-%{1}}-modules-internal-uname-r = %{KVERREL}%{uname_suffix + Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Conflicts: %{package_name}-modules-internal < 6.3.7-2\ +Obsoletes: %{package_name}-modules-internal < 6.3.7-2\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -@@ -1312,6 +1322,8 @@ Provides: kernel%{?1:-%{1}}-modules-extra-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1437,6 +1447,8 @@ Provides: kernel%{?1:-%{1}}-modules-extra-uname-r = %{KVERREL}%{uname_suffix %{? 
+ Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Conflicts: %{package_name}-modules-extra < 6.3.7-2\ +Obsoletes: %{package_name}-modules-extra < 6.3.7-2\ %if %{-m:1}%{!-m:0}\ - Requires: kernel-modules-extra-uname-r = %{KVERREL}\ + Requires: kernel-modules-extra-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ %endif\ -@@ -1335,6 +1347,8 @@ Provides: installonlypkg(kernel-module)\ - Provides: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1460,6 +1472,8 @@ Provides: installonlypkg(kernel-module)\ + Provides: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Conflicts: %{package_name}-modules < 6.3.7-2\ +Obsoletes: %{package_name}-modules < 6.3.7-2\ %if %{-m:1}%{!-m:0}\ - Requires: kernel-modules-uname-r = %{KVERREL}\ + Requires: kernel-modules-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ %endif\ -@@ -1357,6 +1371,8 @@ Provides: kernel-modules-core = %{specrpmversion}-%{release}%{?1:+%{1}}\ +@@ -1482,6 +1496,8 @@ Provides: kernel-modules-core = %{specrpmversion}-%{release}%{uname_suffix %{?1: Provides: installonlypkg(kernel-module)\ - Provides: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ - Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ + Provides: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ + Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ +Conflicts: %{package_name}-modules-core < 6.3.7-2\ +Obsoletes: %{package_name}-modules-core < 6.3.7-2\ %if %{-m:1}%{!-m:0}\ - 
Requires: kernel-modules-core-uname-r = %{KVERREL}\ + Requires: kernel-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ + %endif\ +@@ -1504,6 +1520,8 @@ Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{uname_suffix %{1}}\ + %if "%{1}" == "rt" || "%{1}" == "rt-debug"\ + Requires: realtime-setup\ %endif\ -@@ -1376,6 +1392,8 @@ summary: kernel meta-package for the %{1} kernel\ - Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\ - Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\ - Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\ +Conflicts: %{package_name} < 6.3.7-2\ +Obsoletes: %{package_name} < 6.3.7-2\ Provides: installonlypkg(kernel)\ Provides: kernel = %{KVERREL}+%{1}\ %description %{1}\ -@@ -1393,6 +1411,8 @@ Summary: %{variant_summary}\ - Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\ +@@ -1539,6 +1557,8 @@ Summary: %{variant_summary}\ + Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\ Provides: installonlypkg(kernel)\ Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\ +Conflicts: %{package_name}-core < 6.3.7-2\ +Obsoletes: %{package_name}-core < 6.3.7-2\ %if %{-m:1}%{!-m:0}\ - Requires: kernel-core-uname-r = %{KVERREL}\ - Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ + Requires: kernel-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ + Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\ -- -2.40.1 +2.41.0 diff --git a/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch b/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch index 8eda4e43b..bd0b940d5 100644 --- a/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch +++ b/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch @@ -1,6 +1,6 @@ -From a45b4c3fcb7d364f236a25e03378a6b03a9cc627 Mon Sep 17 00:00:00 2001 +From 81141a454f41cbc5fd41b778f85b10552c8676e8 Mon Sep 17 00:00:00 2001 
From: Dorian Stoll -Date: Sat, 3 Jun 2023 11:47:02 +0200 +Date: Sat, 22 Jul 2023 10:41:11 +0200 Subject: [PATCH] Install scripts and service files for keeping the surface kernel the default @@ -10,10 +10,10 @@ Signed-off-by: Dorian Stoll 1 file changed, 34 insertions(+) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index dc95736a227e..4d6504ca721b 100644 +index 43dce82a9d36..28df94e561d4 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -911,6 +911,11 @@ Source4000: README.rst +@@ -1025,6 +1025,11 @@ Source4000: README.rst Source4001: rpminspect.yaml Source4002: gating.yaml @@ -25,7 +25,7 @@ index dc95736a227e..4d6504ca721b 100644 ## Patches needed for building this package %if !%{nopatches} -@@ -944,6 +949,7 @@ Requires(pre): %{initrd_prereq}\ +@@ -1058,6 +1063,7 @@ Requires(pre): %{initrd_prereq}\ Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\ Recommends: linux-firmware\ Recommends: iptsd\ @@ -33,7 +33,7 @@ index dc95736a227e..4d6504ca721b 100644 Requires(preun): systemd >= 200\ Conflicts: xfsprogs < 4.3.0-1\ Conflicts: xorg-x11-drv-vmmouse < 13.0.99\ -@@ -958,6 +964,14 @@ AutoProv: yes\ +@@ -1072,6 +1078,14 @@ AutoProv: yes\ %{nil} @@ -48,7 +48,7 @@ index dc95736a227e..4d6504ca721b 100644 %package doc Summary: Various documentation bits found in the kernel source Group: Documentation -@@ -2691,6 +2705,11 @@ find Documentation -type d | xargs chmod u+w +@@ -2945,6 +2959,11 @@ find Documentation -type d | xargs chmod u+w cd linux-%{KVERREL} @@ -60,7 +60,7 @@ index dc95736a227e..4d6504ca721b 100644 %if %{with_doc} docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease} -@@ -2938,6 +2957,15 @@ popd +@@ -3197,6 +3216,15 @@ popd ### scripts ### @@ -76,7 +76,7 @@ index dc95736a227e..4d6504ca721b 100644 %if %{with_tools} %post -n %{package_name}-tools-libs /sbin/ldconfig -@@ -3313,6 +3341,12 @@ fi +@@ -3609,6 +3637,12 @@ fi\ %{_libexecdir}/kselftests %endif 
@@ -87,8 +87,8 @@ index dc95736a227e..4d6504ca721b 100644 +%{_presetdir}/90-linux-surface-default-watchdog.preset + # empty meta-package + %if %{with_up_base} %ifnarch %nobuildarches noarch - %files -- -2.40.1 +2.41.0 diff --git a/pkg/fedora/kernel-surface/patches/9999-TEMP-Add-hid-uclogic-test-to-mod-internal.list.patch b/pkg/fedora/kernel-surface/patches/9999-TEMP-Add-hid-uclogic-test-to-mod-internal.list.patch deleted file mode 100644 index 977cac06e..000000000 --- a/pkg/fedora/kernel-surface/patches/9999-TEMP-Add-hid-uclogic-test-to-mod-internal.list.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 1a1b787441b355ea9bbcaf335d3c3ae5ca44534f Mon Sep 17 00:00:00 2001 -From: "Justin M. Forbes" -Date: Wed, 12 Jul 2023 07:34:54 -0500 -Subject: [PATCH] Add hid-uclogic-test to mod-internal.list - -Signed-off-by: Justin M. Forbes ---- - redhat/scripts/mod/mod-internal.list | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/redhat/scripts/mod/mod-internal.list b/redhat/scripts/mod/mod-internal.list -index b0368901ff30..3bebd2dfc05c 100644 ---- a/redhat/scripts/mod/mod-internal.list -+++ b/redhat/scripts/mod/mod-internal.list -@@ -26,6 +26,7 @@ fat_test - fortify_kunit - gss_krb5_test - hashtable_test -+hid-uclogic-test - iio-test-format - iio-test-rescale - is_signed_type_kunit --- -2.41.0 - diff --git a/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch b/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch index 1f8ca29f7..ad06521be 100644 --- a/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch +++ b/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch @@ -1,6 +1,6 @@ -From 67f8052f553191686b1224b5598d00ff33d38608 Mon Sep 17 00:00:00 2001 +From 71133b4337411ddd550d5e5ef68a12c510740b2c Mon Sep 17 00:00:00 2001 From: Dorian Stoll -Date: Sat, 13 May 2023 16:39:50 +0200 +Date: Sat, 22 Jul 2023 10:45:33 +0200 Subject: [PATCH] Use a custom key and certificate for Secure Boot signing Signed-off-by: Dorian Stoll @@ -9,10 +9,10 @@ 
Signed-off-by: Dorian Stoll 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template -index 51f43b21b018..76d1ad8e2818 100644 +index 28df94e561d4..fd44abc4118a 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template -@@ -703,6 +703,7 @@ BuildRequires: system-sb-certs +@@ -805,6 +805,7 @@ BuildRequires: system-sb-certs %ifarch x86_64 aarch64 BuildRequires: nss-tools BuildRequires: pesign >= 0.10-4 @@ -20,7 +20,7 @@ index 51f43b21b018..76d1ad8e2818 100644 %endif %endif %endif -@@ -762,6 +763,13 @@ Source1: Makefile.rhelver +@@ -864,6 +865,13 @@ Source1: Makefile.rhelver %define signing_key_filename kernel-signing-s390.cer %endif @@ -34,8 +34,8 @@ index 51f43b21b018..76d1ad8e2818 100644 %if %{?released_kernel} Source10: redhatsecurebootca5.cer -@@ -1860,9 +1868,7 @@ BuildKernel() { - fi +@@ -2096,9 +2104,7 @@ BuildKernel() { + SignImage=$KernelImage %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} @@ -45,7 +45,7 @@ index 51f43b21b018..76d1ad8e2818 100644 %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then -@@ -2393,9 +2399,6 @@ BuildKernel() { +@@ -2650,9 +2656,6 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %ifarch x86_64 aarch64 @@ -56,5 +56,5 @@ index 51f43b21b018..76d1ad8e2818 100644 install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %endif -- -2.40.1 +2.41.0