Merge branch 'main' into update-trixie

.github/dependabot.yml

@@ -0,0 +1,10 @@
+# Docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    reviewers:
+      - "gardenlinux/garden-linux-maintainers"

.github/workflows/README.md

@@ -0,0 +1,21 @@
+# Garden Linux Builder CI Workflows
+
+## `build.yml`
+
+Build container images on all branches.
+
+For pushes on the `main` branch, tags based on the git sha are created and pushed to the container registry and a pseudo-release called `latest` is updated on GitHub.
+This allows users to follow a rolling-release approach if they desire.
+
+## `release.yml`
+
+Tag container images and create GitHub Releases.
+This workflow only runs on demand (workflow dispatch).
+It should be run if a new release is desired.
+The workflow dispatch needs a parameter `component` which specifies which version component should be increased.
+This is either `minor` (the default) or `major`.
+`major` should be picked in cases where the new version has breaking changes (for example between the `build` script and the container image).
+
+## `differential-shellcheck.yml`
+
+Finds new warnings using [shellcheck](https://www.shellcheck.net)

.github/workflows/build.yml

@@ -1,13 +1,16 @@
-on: push
+name: Build
+on:
+  push:
+  workflow_dispatch:
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: nkraetzschmar/workflow-telemetry-action@v1
+      - uses: gardenlinux/workflow-telemetry-action@v1
         with:
           metric_frequency: 1
           comment_on_pr: false
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: build
         run: |
           sudo apt-get update
@@ -26,12 +29,14 @@ jobs:
         with:
           name: build
           path: build
-  release:
+
+  # Run for new commits on the main branch
+  release-latest:
     runs-on: ubuntu-latest
     needs: build
     if: github.ref == 'refs/heads/main'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: tag latest
         run: |
           git tag --force latest
@@ -42,5 +47,5 @@ jobs:
           path: download
       - name: create release
         run: |
-          release="$(.github/workflows/release.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }} create latest Builder)"
+          release="$(.github/workflows/release.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }} create latest "Builder (latest)")"
           .github/workflows/release.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }} upload "$release" download/build

.github/workflows/bump.py

@@ -0,0 +1,96 @@
+#!/usr/bin/python
+
+"""
+Determine next version number for versions of a schema like v1.0
+based on existing git tags and which component to bump (minor/major).
+"""
+
+import subprocess
+import re
+import sys
+import os
+
+
+def convert_version_to_sortable_int(major, minor):
+    return major * 1000 + minor
+
+
+def determine_most_recent_existing_version():
+    tags = subprocess.run(["git", "tag"], capture_output=True).stdout.splitlines()
+
+    versions = []
+
+    for t in tags:
+        tag = t.decode()
+        if re.match(r"v[0-9]+.[0-9]+", tag):
+            tag_without_prefix = tag[1:]
+            components = tag_without_prefix.split(".")
+            assert len(components) == 2
+            major_int = int(components[0])
+            minor_int = int(components[1])
+            versions.append(
+                {
+                    "tag": tag,
+                    "sortNumber": convert_version_to_sortable_int(major_int, minor_int),
+                    "major": major_int,
+                    "minor": minor_int,
+                }
+            )
+
+    if len(versions) == 0:
+        print("No existing versions found")
+        return {
+            "tag": "v0.0",
+            "sortNumber": convert_version_to_sortable_int(0, 0),
+            "major": 0,
+            "minor": 0,
+        }
+
+    def keyToSortVersions(v):
+        return v["sortNumber"]
+
+    versions.sort(key=keyToSortVersions, reverse=True)
+    print(f"Sorted list of versions: {versions}")
+    highest_existing_version_number = versions[0]
+
+    return highest_existing_version_number
+
+
+def bump(most_recent_version, component_to_bump):
+    new_version = ""
+
+    if component_to_bump == "major":
+        new_major = most_recent_version["major"] + 1
+        new_version = f"v{new_major}.0"
+    elif component_to_bump == "minor":
+        new_minor = most_recent_version["minor"] + 1
+        major = most_recent_version["major"]
+        new_version = f"v{major}.{new_minor}"
+    else:
+        raise (
+            f"Invalid component provided: {component_to_bump}, only major or minor are supported."
+        )
+
+    return new_version
+
+
+def determine_component_to_bump():
+    if sys.argv[1] not in ["major", "minor"]:
+        raise ("Usage: bump.py (major|minor)")
+    return sys.argv[1]
+
+
+def main():
+    component_to_bump = determine_component_to_bump()
+    most_recent_version = determine_most_recent_existing_version()
+    new_version = bump(most_recent_version, component_to_bump)
+
+    if os.getenv("GITHUB_OUTPUT"):
+        with open(os.environ["GITHUB_OUTPUT"], "a") as file_handle:
+            print(f"newVersion={new_version}", file=file_handle)
+    else:
+        print(f"No GitHub env found. New version is {new_version}")
+
+
+if __name__ == "__main__":
+    main()

.github/workflows/differential-shellcheck.yml

@@ -0,0 +1,37 @@
+name: Differential ShellCheck
+on:
+  push:
+    branches:
+    - main
+    - rel-*
+  pull_request:
+    branches:
+    - main
+    - rel-*
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    steps:
+      - name: Repository checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1
+        with:
+          fetch-depth: 0
+
+      - id: ShellCheck
+        name: Differential ShellCheck
+        uses: redhat-plumbers-in-action/differential-shellcheck@91e2582e40236f831458392d905578d680baa138 # pin@aa647ec4466543e8555c2c3b648124a9813cee44
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,43 @@
+name: Release
+on:
+  workflow_dispatch:
+    inputs:
+      component:
+        description: 'Version component to increment (Use *minor* unless we have breaking changes)'
+        required: true
+        type: choice
+        options:
+          - minor
+          - major
+jobs:
+  release-new-version:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' && github.event.inputs.component != ''
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - run: echo Version Component to Increase is ${{ github.event.inputs.component }}
+      - name: get next version number
+        run: .github/workflows/bump.py ${{ github.event.inputs.component }}
+        id: bump
+      - run: echo New version number ${{ steps.bump.outputs.newVersion }}
+      - name: tag container image
+        run: |
+          SHA=$(git rev-parse HEAD)
+          podman login -u token -p ${{ github.token }} ghcr.io
+          podman pull ghcr.io/${{ github.repository }}:amd64-"$SHA"
+          podman pull ghcr.io/${{ github.repository }}:arm64-"$SHA"
+          podman manifest create ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }}
+          podman manifest add ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }} ghcr.io/${{ github.repository }}:amd64-"$SHA"
+          podman manifest add ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }} ghcr.io/${{ github.repository }}:arm64-"$SHA"
+          podman manifest push ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }}
+          sed -i 's|container_image=localhost/builder|container_image=ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }}|' build
+      - name: git tag
+        run: |
+          git tag ${{ steps.bump.outputs.newVersion }}
+          git push origin ${{ steps.bump.outputs.newVersion }}
+      - name: create release (new version)
+        run: |
+          release="$(.github/workflows/release.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }} create ${{ steps.bump.outputs.newVersion }} "Builder (${{ steps.bump.outputs.newVersion }})")"
+          .github/workflows/release.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }} upload "$release" download/build

Dockerfile

@@ -1,24 +1,28 @@
-FROM debian:trixie AS mv_data
+FROM debian:testing AS mv_data
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends build-essential ca-certificates git
-RUN git clone --depth=1 https://github.com/nkraetzschmar/mv_data
+RUN git clone --depth=1 https://github.com/gardenlinux/mv_data
 RUN make -C mv_data install
 
-FROM debian:trixie AS aws-kms-pkcs11
+FROM debian:testing AS aws-kms-pkcs11
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends build-essential awscli ca-certificates cmake git libcurl4-openssl-dev libengine-pkcs11-openssl libjson-c-dev libssl-dev libp11-kit-dev libp11-dev zlib1g-dev
 RUN git clone --depth=1 --recurse-submodules -b 1.11.25 https://github.com/aws/aws-sdk-cpp
 RUN mkdir aws-sdk-cpp/.build && cd aws-sdk-cpp/.build && cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DBUILD_ONLY="kms;acm-pca" .. && make -j "$(nproc)" install
-RUN git clone --depth=1 -b v0.0.10 https://github.com/JackOfMostTrades/aws-kms-pkcs11
+RUN git clone --depth=1 -b v0.0.10 https://github.com/gardenlinux/aws-kms-pkcs11
 RUN cd aws-kms-pkcs11 && make -j "$(nproc)" AWS_SDK_STATIC=y install
 RUN cp "/usr/lib/$(uname -m)-linux-gnu/pkcs11/aws_kms_pkcs11.so" /aws_kms_pkcs11.so
 
-FROM debian:trixie
+FROM debian:testing
+
+LABEL org.opencontainers.image.source="https://github.com/gardenlinux/builder"
+LABEL org.opencontainers.image.description="Builder for Garden Linux"
+
 COPY pkg.list /pkg.list
-RUN apt update && DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends $(cat /pkg.list) && rm /pkg.list
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends $(cat /pkg.list) && rm /pkg.list
 COPY --from=mv_data /usr/bin/mv_data /usr/bin/mv_data
 COPY --from=aws-kms-pkcs11 /aws_kms_pkcs11.so /aws_kms_pkcs11.so
 RUN mv /aws_kms_pkcs11.so "/usr/lib/$(uname -m)-linux-gnu/pkcs11/aws_kms_pkcs11.so"
 COPY builder /builder
 RUN mkdir /builder/cert
 COPY setup_namespace /usr/sbin/setup_namespace
-RUN echo 'root:0:65536' | tee /etc/subuid /etc/subgid > /dev/null
+RUN echo 'root:1:65535' | tee /etc/subuid /etc/subgid > /dev/null
 ENTRYPOINT [ "/usr/sbin/setup_namespace" ]

build

@@ -75,7 +75,14 @@ done
 
 if [ "$container_image" = localhost/builder ]; then
 	dir="$(dirname -- "$(realpath -- "${BASH_SOURCE[0]}")")"
-	"$container_engine" build -t "$container_image" "$dir"
+	# Build from 'builder.dockerfile' if that exists, otherwise the default file name will be 'Dockerfile' or 'Containerfile'.
+	# It is recommended to call the file 'builder.dockerfile' to make it's intention clear.
+	# That file might only contain a single line 'FROM ghcr.io/gardenlinux/builder:...' which can be updated via dependabot.
+	if [[ -f builder.dockerfile ]]; then
+		"$container_engine" build -t "$container_image" -f builder.dockerfile "$dir"
+	else 
+		"$container_engine" build -t "$container_image" "$dir"
+	fi
 fi
 
 repo="$(./get_repo)"

builder/Makefile

@@ -95,5 +95,5 @@ $(foreach artifact_rule,$(shell ./make_get_artifact_rules),$(eval $(call artifac
 	ln -f -s -r '$<' '.build/$*'
 
 # prevents match anything rule from applying to Makefile and image/convert scripts
-Makefile image image.release image.manifest $(shell find features -name 'convert.*' -o -name 'image.*'):
+Makefile image image.release image.manifest $(shell find features -name 'convert.*' -o -name image -o -name 'image.*'):
 	true

builder/image.d/makepart

@@ -50,7 +50,7 @@ sed 's/#.*//;/^[[:space:]]*$/d' \
 	resize=1
 	verity=0
 	secureboot=0
-	syslinux=$([[ "$(cut -c -5 <<< "$target")" = "/boot" ]] && [[ -f "$rootfs/usr/bin/syslinux" ]] && echo 1 || echo 0)
+	syslinux=$([[ "$(cut -c -5 <<< "$target")" = "/boot" ]] || [[ "$(tr -d '[:blank:]' <<< "$target")" = "/efi" ]] && [[ -f "$rootfs/usr/bin/syslinux" ]] && echo 1 || echo 0)
 	ephemeral=0
 	ephemeral_cryptsetup=0
 	weight=1

builder/image.d/makesecureboot

@@ -93,24 +93,20 @@ case "$BUILDER_ARCH" in
 	amd64)
 		uefi_arch=X64
 		gnu_arch=x86_64
-		initrd_vma=0x3000000
 		;;
 	arm64)
 		uefi_arch=AA64
 		gnu_arch=aarch64
-		initrd_vma=0x4000000
 		;;
 esac
 
 # create unified image
-cmdline_file=$(mktemp)
-echo "$cmdline" > "$cmdline_file"
-"${gnu_arch}-linux-gnu-objcopy" \
-	--add-section .cmdline="$cmdline_file" --change-section-vma .cmdline=0x1000000 \
-	--add-section .linux="$kernel_file" --change-section-vma .linux=0x2000000 \
-	--add-section .initrd="$initrd" --change-section-vma .initrd="$initrd_vma" \
-	"$rootfs/usr/lib/systemd/boot/efi/linux$(tr '[:upper:]' '[:lower:]' <<< "$uefi_arch").efi.stub" "$unified_image"
-rm "$cmdline_file"
+/usr/lib/systemd/ukify build \
+	--stub "$rootfs/usr/lib/systemd/boot/efi/linux$(tr '[:upper:]' '[:lower:]' <<< "$uefi_arch").efi.stub" \
+	--linux "$kernel_file" \
+	--initrd "$initrd" \
+	--cmdline "$cmdline" \
+	--output "$unified_image"
 
 efi_dir="$(mktemp -d)"
 mkdir -p "$efi_dir/EFI/BOOT/"