Use workflow-call to share templates and runner config

bleggett · bleggett · commit 83932573104e · 2025-08-26T17:35:08.000-04:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: Build Kernels
+name: Kernel Build
 on:
   # Weekly auto-build
   schedule:
@@ -15,87 +15,15 @@ on:
         type: boolean
         default: true
         required: true
+
+# this job will publish images, and needs higher perms.
 permissions:
   contents: read
   packages: write
   id-token: write
-concurrency:
-  group: "kernel-builder"
 jobs:
-  matrix:
-    name: matrix
-    runs-on: ubuntu-latest
-    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
-      with:
-        egress-policy: audit
-
-    - name: checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      with:
-        submodules: recursive
-    - name: install dependencies
-      run: ./hack/build/install-matrix-deps.sh
-    - name: generate matrix
-      run: 'PATH="${HOME}/go/bin:${PATH}" ./hack/build/generate-matrix.sh "${{ inputs.spec }}"'
-    - name: upload matrix
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-      with:
-        name: matrix
-        path: "matrix.json"
-        compression-level: 0
-    - name: capture matrix
-      id: capture-matrix
-      run: >
-        echo "matrix=$(cat matrix.json)" >> "${GITHUB_OUTPUT}"
-    outputs:
-      matrix: "${{ steps.capture-matrix.outputs.matrix }}"
-  build:
-    name: "build ${{ matrix.builds.version }} ${{ matrix.builds.flavor }}"
-    needs: matrix
-    strategy:
-      fail-fast: false
-      matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
-    runs-on: "${{ matrix.builds.runner }}"
-    env:
-      KERNEL_PUBLISH: "${{ inputs.publish }}"
-      KERNEL_VERSION: "${{ matrix.builds.version }}"
-      KERNEL_SRC_URL: "${{ matrix.builds.source }}"
-      FIRMWARE_URL: "${{ matrix.builds.firmware_url }}"
-      FIRMWARE_SIG_URL: "${{ matrix.builds.firmware_sig_url }}"
-      KERNEL_FLAVOR: "${{ matrix.builds.flavor }}"
-      KERNEL_TAGS: "${{ join(matrix.builds.tags, ',') }}"
-      KERNEL_ARCHITECTURES: "${{ join(matrix.builds.architectures, ',') }}"
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
-        with:
-          egress-policy: audit
-
-      - name: checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          submodules: recursive
-      - name: install cosign
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
-      - name: docker setup linux-kernel-oci
-        run: sudo python3 ./hack/build/docker-setup.py
-      - name: docker setup buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
-      - name: docker login ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        with:
-          registry: ghcr.io
-          username: "${{github.actor}}"
-          password: "${{secrets.GITHUB_TOKEN}}"
-      - name: generate docker script
-        run: "./hack/build/generate-docker-script.sh"
-      - name: upload docker script
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-        with:
-          name: "build-${{ matrix.builds.version }}-${{ matrix.builds.flavor }}.sh"
-          path: "docker.sh"
-          compression-level: 0
-      - name: run docker script
-        run: sh -x docker.sh
+  test:
+    uses: ./.github/workflows/matrix.yml
+    with:
+      spec: inputs.spec
+      publish: inputs.publish
diff --git a/.github/workflows/matrix.yaml b/.github/workflows/matrix.yaml
@@ -0,0 +1,94 @@
+name: Build Kernel Matrix
+on:
+  workflow_call:
+    inputs:
+      spec:
+        description: 'Build Specification'
+        type: string
+        default: "new"
+        required: true
+      publish:
+        description: 'Publish Builds'
+        type: boolean
+        default: true
+        required: true
+concurrency:
+  group: "kernel-builder"
+jobs:
+  matrix:
+    name: matrix
+    runs-on: ubuntu-latest
+    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      with:
+        egress-policy: audit
+
+    - name: checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      with:
+        submodules: recursive
+    - name: install dependencies
+      run: ./hack/build/install-matrix-deps.sh
+    - name: generate matrix
+      run: 'PATH="${HOME}/go/bin:${PATH}" ./hack/build/generate-matrix.sh "${{ inputs.spec }}"'
+    - name: upload matrix
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      with:
+        name: matrix
+        path: "matrix.json"
+        compression-level: 0
+    - name: capture matrix
+      id: capture-matrix
+      run: >
+        echo "matrix=$(cat matrix.json)" >> "${GITHUB_OUTPUT}"
+    outputs:
+      matrix: "${{ steps.capture-matrix.outputs.matrix }}"
+  build:
+    name: "build ${{ matrix.builds.version }} ${{ matrix.builds.flavor }}"
+    needs: matrix
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
+    runs-on: "${{ matrix.builds.runner }}"
+    env:
+      KERNEL_PUBLISH: "${{ inputs.publish }}"
+      KERNEL_VERSION: "${{ matrix.builds.version }}"
+      KERNEL_SRC_URL: "${{ matrix.builds.source }}"
+      FIRMWARE_URL: "${{ matrix.builds.firmware_url }}"
+      FIRMWARE_SIG_URL: "${{ matrix.builds.firmware_sig_url }}"
+      KERNEL_FLAVOR: "${{ matrix.builds.flavor }}"
+      KERNEL_TAGS: "${{ join(matrix.builds.tags, ',') }}"
+      KERNEL_ARCHITECTURES: "${{ join(matrix.builds.architectures, ',') }}"
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - name: checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          submodules: recursive
+      - name: install cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+      - name: docker setup linux-kernel-oci
+        run: sudo python3 ./hack/build/docker-setup.py
+      - name: docker setup buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
+      - name: docker login ghcr.io
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        with:
+          registry: ghcr.io
+          username: "${{github.actor}}"
+          password: "${{secrets.GITHUB_TOKEN}}"
+      - name: generate docker script
+        run: "./hack/build/generate-docker-script.sh"
+      - name: upload docker script
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: "build-${{ matrix.builds.version }}-${{ matrix.builds.flavor }}.sh"
+          path: "docker.sh"
+          compression-level: 0
+      - name: run docker script
+        run: sh -x docker.sh
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,69 +7,8 @@ on:
 permissions:
   contents: read
   packages: read
-env:
-  TEST_MATRIX_SPEC: "only-latest:flavor=host,zone,zone-nvidiagpu"
 jobs:
   test:
-    name: test
-    runs-on: edera-large
-    env:
-      FIRMWARE_URL: "https://cdn.kernel.org/pub/linux/kernel/firmware/linux-firmware-20250410.tar.xz"
-      FIRMWARE_SIG_URL: "https://cdn.kernel.org/pub/linux/kernel/firmware/linux-firmware-20250410.tar.sign"
-      KERNEL_ARCHITECTURES: "x86_64"
-    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
-      with:
-        egress-policy: audit
-
-    - name: checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      with:
-        submodules: recursive
-    - name: install dependencies
-      run: ./hack/build/install-matrix-deps.sh
-    - name: generate spec-new matrix
-      run: 'PATH="${HOME}/go/bin:${PATH}" KERNEL_BUILD_SPEC="new" ./hack/build/generate-matrix.sh'
-    - name: upload spec-new matrix
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-      with:
-        name: spec-new-matrix
-        path: "matrix.json"
-        compression-level: 0
-    - name: generate spec-rebuild matrix
-      run: 'PATH="${HOME}/go/bin:${PATH}" KERNEL_BUILD_SPEC="rebuild" ./hack/build/generate-matrix.sh'
-    - name: upload spec-rebuild matrix
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-      with:
-        name: spec-rebuild-matrix
-        path: "matrix.json"
-        compression-level: 0
-    - name: generate test matrix
-      run: 'PATH="${HOME}/go/bin:${PATH}" ./hack/build/generate-matrix.sh "${TEST_MATRIX_SPEC}"'
-    - name: upload test matrix
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-      with:
-        name: test-matrix
-        path: "matrix.json"
-        compression-level: 0
-    - name: docker setup linux-kernel-oci
-      run: sudo python3 ./hack/build/docker-setup.py
-    - name: docker setup buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
-    - name: docker login ghcr.io
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-      with:
-        registry: ghcr.io
-        username: "${{github.actor}}"
-        password: "${{secrets.GITHUB_TOKEN}}"
-    - name: generate docker script
-      run: "./hack/build/generate-docker-script.sh matrix.json"
-    - name: upload docker script
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-      with:
-        name: "docker.sh"
-        path: "docker.sh"
-        compression-level: 0
-    - name: run docker script
-      run: sh -x docker.sh
+    uses: ./.github/workflows/matrix.yml
+    with:
+      spec: "only-latest:flavor=host,zone,zone-nvidiagpu"
diff --git a/config.yaml b/config.yaml
@@ -20,8 +20,7 @@ flavors:
   - 'nvidia-575.64.03'
   - 'nvidia-575.57.08'
   constraints:
-    series:
-    - '6.15'
+    lower: '6.15'
 - name: zone-openpax
   constraints:
     series:
