GCP image pipeline final tweaks and additions

jonathanspw · jonathanspw · commit c4a156bd6b26 · 2025-12-05T18:20:53.000-06:00
diff --git a/.github/actions/shared-steps/action.yml b/.github/actions/shared-steps/action.yml
@@ -438,6 +438,12 @@ runs:
         # don't fail if this doesn't exist, we may not always generate it
         sudo mv sbom-data-*.json $(basename ${image_file}).sbom-data.json || true
 
+    - name: Generate SBOM
+      shell: bash
+      run: |
+        echo "Generating SBOM document of ${{ env.IMAGE_FILE }}"
+        sudo .venv-sbom/bin/python3 sbom-tools/sbom_generator.py "${{ env.IMAGE_NAME }}" "${{ env.IMAGE_FILE }}.sbom-data.json" "${{ env.IMAGE_FILE }}.sbom.spdx.json"
+
     - id: 'google-auth-dev-images'
       if: env.IMAGE_TYPE == 'gcp'
       uses: 'google-github-actions/auth@v2'
@@ -449,11 +455,16 @@ runs:
       if: env.IMAGE_TYPE == 'gcp'
       uses: 'google-github-actions/setup-gcloud@v3.0.0'
 
-    - name: 'Upload output to GCP storage bucket'
+    - name: Upload output to GCP storage bucket
       if: env.IMAGE_TYPE == 'gcp'
       shell: bash
       run: gcloud storage cp ${{ env.IMAGE_FILE }} gs://almalinux-images-dev/almalinux-${version_major}${{ inputs.arch == 'aarch64' && '-arm64' || '' }}-v$(date +'%Y%m%d')/root.tar.gz
 
+    - name: Upload SBOM data to GCP storage bucket
+      if: env.IMAGE_TYPE == 'gcp'
+      shell: bash
+      run: gcloud storage cp ${{ env.IMAGE_FILE }}.sbom.spdx.json gs://almalinux-images-dev-sbom/almalinux-${version_major}${{ inputs.arch == 'aarch64' && '-arm64' || '' }}-v$(date +'%Y%m%d').sbom.spdx.json
+
     - name: Clone gce_image_publish repo
       if: env.IMAGE_TYPE == 'gcp'
       uses: actions/checkout@v5
@@ -497,24 +508,6 @@ runs:
           -source_gcs_path="gs://almalinux-images-dev/" \
           vm-scripts/gcp/almalinux_${version_major}${{ inputs.arch == 'aarch64' && '_arm64' || '' }}.publish.json
 
-    # - name: 'Run Google cloud-image-testing tests (basic suite)'
-    #   if: env.IMAGE_TYPE == 'gcp' && inputs.run_test == 'true'
-    #   shell: bash
-    #   run: |
-    #     cd cloud-image-tests
-    #     ./bin/manager \
-    #       -local_path bin \
-    #       -project almalinux-image-testing-469421 \
-    #       -filter '^(cvm|livemigrate|suspendresume|loadbalancer|guestagent|hostnamevalidation|imageboot|licensevalidation|network|security|hotattach|lssd|disk|packagevalidation|ssh|metadata|vmspec)$' \
-    #       -images 'projects/almalinux-dev-images-469421/global/images/family/almalinux-${{ env.version_major }}${{ inputs.arch == 'aarch64' && '-arm64' || '' }}' \
-    #       -parallel_stagger 10s -parallel_count 20
-
-    - name: Generate SBOM
-      shell: bash
-      run: |
-        echo "Generating SBOM document of ${{ env.IMAGE_FILE }}"
-        sudo .venv-sbom/bin/python3 sbom-tools/sbom_generator.py "${{ env.IMAGE_NAME }}" "${{ env.IMAGE_FILE }}.sbom-data.json" "${{ env.IMAGE_FILE }}.sbom.spdx.json"
-
     - name: Test ${{ inputs.type }} ${{ inputs.variant }} image
       if: inputs.run_test == 'true' && contains(inputs.type, 'vagrant')
       shell: bash
diff --git a/.github/workflows/gcp-publish.yml b/.github/workflows/gcp-publish.yml
@@ -0,0 +1,113 @@
+name: GCP Image Publish
+
+on:
+  workflow_dispatch:
+      inputs:
+        version_major:
+          description: 'AlmaLinux major version'
+          required: true
+          default: ''
+          type: choice
+          options:
+            - 10-kitten
+            - 10
+            - 9
+            - 8
+        arch:
+          description: 'Architecture we are publishing'
+          required: true
+          default: ''
+          type: choice
+          options:
+            - x86_64
+            - aarch64
+        image_datetag:
+          description: 'Date tag of the image to publish after the "v" in the image name.  E.g. for almalinux-10-arm64-v20251205 the date tag is "20251205"'
+          required: true
+          default: ''
+
+jobs:
+  publish-image:
+    name: Publish Images to almalinux-cloud GCP Project (prod)
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      # we don't need the checked out files, but this is required for the google auth action to work
+      - uses: actions/checkout@v5
+
+      - name: Build image name from inputs
+        id: build-image-name
+        run: |
+          IMAGE_NAME="almalinux-${{ inputs.version_major }}${{ inputs.arch == 'aarch64' && '-arm64' || '' }}-v${{ inputs.image_datetag }}"
+          echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
+
+    # todo: this is for prod
+    #   - id: google-auth-image-release
+    #     uses: google-github-actions/auth@v2
+    #     with:
+    #         workload_identity_provider: projects/1071098808632/locations/global/workloadIdentityPools/github-actions/providers/github
+    #         service_account: gh-actions-prod-release@almalinux-image-release.iam.gserviceaccount.com
+
+      - id: 'google-auth-dev-images'
+        uses: 'google-github-actions/auth@v2'
+        with:
+            workload_identity_provider: 'projects/443728870479/locations/global/workloadIdentityPools/github-actions/providers/github'
+            service_account: 'github-actions-cloud-images@almalinux-dev-images-469421.iam.gserviceaccount.com'
+
+      - name: Set up Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v3.0.0
+
+    # TODO: re-enable this for prod    
+    #   - name: Copy image to almalinux-cloud project
+    #     run: |
+    #       gcloud storage cp gs://almalinux-images-dev/${{ steps.build-image-name.outputs.image_name }}/root.tar.gz gs://almalinux-images-prod/${{ steps.build-image-name.outputs.image_name }}/root.tar.gz
+
+      - name: Get gce_image_publish tool
+        run: |
+          wget https://storage.googleapis.com/compute-image-tools/release/linux/gce_image_publish
+          chmod +x gce_image_publish
+
+    # todo: this is the prod version      
+    #   - name: Create production image on GCP
+    #     shell: bash
+    #     run: |
+    #         ./gce_image_publish \
+    #         -var:environment=prod \
+    #         -skip_confirmation \
+    #         -rollout_rate=60 \
+    #         -work_project="almalinux-image-release" \
+    #         -source_gcs_path="gs://almalinux-images-prod/" \
+    #         -source_version="${{ inputs.image_datetag }}" \
+    #         vm-scripts/gcp/almalinux_${{ inputs.version_major }}${{ inputs.arch == 'aarch64' && '_arm64' || '' }}.publish.json
+
+      - name: Create production image on GCP
+        shell: bash
+        run: |
+            ./gce_image_publish \
+            -var:environment=test \
+            -skip_confirmation \
+            -replace \
+            -rollout_rate=0 \
+            -work_project="almalinux-dev-images-469421" \
+            -source_gcs_path="gs://almalinux-dev-images-469421/" \
+            -source_version="${{ inputs.image_datetag }}" \
+            vm-scripts/gcp/almalinux_${{ inputs.version_major }}${{ inputs.arch == 'aarch64' && '_arm64' || '' }}.publish.json
+
+    # todo: prod version
+    #   - name: Get ID of image just created
+    #     shell: bash
+    #     run: |
+    #         IMAGE_ID=$(gcloud compute images describe ${{ steps.build-image-name.outputs.image_name }} --project=almalinux-cloud --format='value(id)')
+    #         echo "IMAGE_ID=$IMAGE_ID" >> $GITHUB_ENV
+
+      - name: Get ID of image just created
+        shell: bash
+        run: |
+            IMAGE_ID=$(gcloud compute images describe ${{ steps.build-image-name.outputs.image_name }} --project=almalinux-dev-images-469421 --format='value(id)')
+            echo "IMAGE_ID=$IMAGE_ID" >> $GITHUB_ENV
+
+      - name: Print image ID
+        run: |
+          echo "Published image ID is $IMAGE_ID"
