Add Debian-based image for kernel build jobs

theihor · theihor · commit fe466103a76d · 2026-01-27T14:45:46.000-08:00
Update automated build workflows to build 5 images: - x86_64 Ubuntu runner - aarch64 Ubuntu runner - s390x Ubuntu runner - x86_64 Debian builder - aarch64 Debian builder With this change, Ubuntu runners don't install build dependencies from libbpf/ci/setup-build-env action, only run-vmtest dependencies. For context see kernel-patches/vmtest#433 Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -11,50 +11,67 @@ on:
   push:
     branches:
       - main
-      - staging
-    # Publish semver tags as releases.
-    tags: [ 'v*.*.*' ]
   pull_request:
     branches:
       - main
-      - staging
   workflow_dispatch:
 
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
-
+  LIBBPF_CI_TAG: v4
+  RUNNER_VERSION: 2.331.0
 
 jobs:
   build:
-
-    runs-on: ubuntu-latest
+    name: ${{ matrix.tag }}
+    runs-on: ${{ matrix.runs_on }}
     permissions:
       contents: read
       packages: write
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
       id-token: write
     strategy:
+      fail-fast: false
       matrix:
-        ubuntu_version: [noble]
-        arch: [s390x, aarch64, x86_64]
         include:
-          - arch: s390x
-            dockerfile: s390x.Dockerfile
-            platform: linux/s390x
+          - arch: x86_64
+            dockerfile: Dockerfile
+            platform: linux/amd64
+            tag: main-noble-x86_64
+            runs_on: ubuntu-latest
+
           - arch: aarch64
             dockerfile: Dockerfile
             platform: linux/arm64
+            tag: main-noble-aarch64
+            runs_on: ubuntu-24.04-arm
+
+          - arch: s390x
+            dockerfile: s390x.Dockerfile
+            platform: linux/s390x
+            tag: main-noble-s390x
+            runs_on: ubuntu-latest
+
           - arch: x86_64
-            dockerfile: Dockerfile
+            dockerfile: kbuilder-debian.Dockerfile
             platform: linux/amd64
+            tag: kbuilder-debian-x86_64
+            runs_on: ubuntu-latest
+
+          - arch: aarch64
+            dockerfile: kbuilder-debian.Dockerfile
+            platform: linux/arm64
+            tag: kbuilder-debian-aarch64
+            runs_on: ubuntu-24.04-arm
 
     steps:
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
@@ -66,9 +83,8 @@ jobs:
         run: cosign version
 
       - name: Set up QEMU
+        if: matrix.arch == 's390x'
         uses: docker/setup-qemu-action@v3
-        with:
-          image: tonistiigi/binfmt:qemu-v9.2.2
 
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@v3
@@ -83,27 +99,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          flavor: |
-            latest=auto
-            prefix=
-            suffix=-${{ matrix.ubuntu_version }}-${{ matrix.arch }}
-          tags: |
-            # Generate old tag names (e.g main-s390x, main-x86_64...) when building noble
-            # branch event
-            type=ref,enable=${{ matrix.ubuntu_version == 'noble' }},suffix=-${{ matrix.arch }},event=branch
-            # pr event
-            type=ref,enable=${{ matrix.ubuntu_version == 'noble' }},prefix=pr-,suffix=-${{ matrix.arch }},event=pr
-            # tags for all pr/branches
-            type=ref,event=branch,enable=true,priority=600
-            type=ref,event=pr,enable=true,prefix=pr-,priority=600
-
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
@@ -113,10 +108,11 @@ jobs:
           context: .
           file: ${{ matrix.dockerfile }}
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.tag }}
           platforms: ${{ matrix.platform }}
-          build-args: UBUNTU_VERSION=${{ matrix.ubuntu_version }}
+          build-args: |
+            LIBBPF_CI_TAG=${{ env.LIBBPF_CI_TAG }}
+            RUNNER_VERSION=${{ env.RUNNER_VERSION }}
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker
@@ -127,7 +123,6 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
-          TAGS: ${{ steps.meta.outputs.tags }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: cosign sign --yes ${TAGS}
+        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.tag }}
diff --git a/.github/workflows/version_bump.yml b/.github/workflows/version_bump.yml
@@ -1,7 +1,7 @@
-name: s390x version bump
+name: RUNNER_VERSION bump
 
 # This workflow pulls the latest official actions runner version using GH API
-# and update our s390x Dockerfile.
+# and update RUNNER_VERSION variable.
 # If a change happens, the change will be commited in a versioned branch and
 # a PR will be created. Upon merging, the branch will be deleted.
 #
@@ -14,13 +14,13 @@ on:
 
 jobs:
   bump_version:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     permissions:
       contents: write
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Get latest runner release
         id: release
@@ -35,14 +35,30 @@ jobs:
 
       - name: Update release
         id: bump
-        run: sed -i 's#^ARG RUNNER_VERSION=.*#ARG RUNNER_VERSION=${{ steps.release.outputs.ACTIONS_VERSION}}#' s390x.Dockerfile
+        run: |
+          sed -i 's#RUNNER_VERSION:.*#RUNNER_VERSION: ${{ steps.release.outputs.ACTIONS_VERSION }}#' .github/workflows/publish.yml
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          title: "[automated] s390x: bump RUNNER_VERSION to v${{ steps.release.outputs.ACTIONS_VERSION}}"
-          commit-message: "[automated] s390x: bump RUNNER_VERSION to v${{ steps.release.outputs.ACTIONS_VERSION}}"
-          branch: "version-bump/${{ steps.release.outputs.ACTIONS_VERSION}}"
-          delete-branch: true
-          body: ""
-          reviewers: anakryiko, chantra, danielocfb, yurinnick, theihor
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RUNNER_VERSION: ${{ steps.release.outputs.ACTIONS_VERSION }}
+          BRANCH: version-bump/${{ steps.release.outputs.ACTIONS_VERSION }}
+        run: |
+
+          if git diff --quiet; then
+            echo "No changes to commit"
+            exit 0
+          fi
+
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git checkout -b "${BRANCH}"
+          git add -A
+          git commit -m "[automated] Bump RUNNER_VERSION to v${VERSION}"
+          git push -u origin "${BRANCH}"
+
+          gh pr create \
+            --title "[automated] Bump RUNNER_VERSION to v${VERSION}" \
+            --body "" \
+            --reviewer anakryiko,danielocfb,theihor
diff --git a/Dockerfile b/Dockerfile
@@ -5,11 +5,6 @@ FROM myoung34/github-runner:ubuntu-${UBUNTU_VERSION}
 ARG UBUNTU_VERSION
 
 COPY install-dependencies.sh /tmp/install-dependencies.sh
-RUN bash /tmp/install-dependencies.sh
-
-RUN apt-get clean
+RUN bash /tmp/install-dependencies.sh run
 
 COPY token.sh /token.sh
-
-COPY setup-mirror-repos.sh /tmp/setup-mirror-repos.sh
-RUN bash /tmp/setup-mirror-repos.sh
diff --git a/install-dependencies.sh b/install-dependencies.sh
@@ -1,27 +1,40 @@
 #!/bin/bash
 
-set -euo pipefail
+set -xeuo pipefail
+
+export DEPS=${1:-"all"} # "build", "run" or "all"
 
 # Most of the BPF CI dependencies are set up by libbpf/ci/setup-build-env action
 # This script runs a subset of that, in order to cache the packages at image build time
-export LIBBPF_CI_TAG=v3
+export LIBBPF_CI_TAG=${LIBBPF_CI_TAG:-"v4"}
+export RUNNER_VERSION=${RUNNER_VERSION:-2.331.0}
 
 # These should correspond to https://github.com/kernel-patches/vmtest/blob/master/.github/scripts/matrix.py#L20-L21
-# Otherwise there is no point in caching dependencies in the image
-export GCC_VERSION=15
-export LLVM_VERSION=21
-
-# do not install pahole and cross-compilation toolchain in the docker image
-export TARGET_ARCH=$(uname -m)
-export PAHOLE_BRANCH=none
+# Otherwise there is no point in caching the dependencies in the image
+export GCC_VERSION=${GCC_VERSION:-15}
+export LLVM_VERSION=${LLVM_VERSION:-21}
 
 scratch=$(mktemp -d)
 cd $scratch
+
+# Install pre-requisites for GitHub Actions Runner client app
+# https://github.com/actions/runner/blob/main/docs/start/envlinux.md
+curl -Lf https://raw.githubusercontent.com/actions/runner/v${RUNNER_VERSION}/src/Misc/layoutbin/installdependencies.sh \
+     -o install-gha-runner-deps.sh
+bash install-gha-runner-deps.sh
+
+# Use libbpf/ci/setup-build-env scripts
 git clone --depth 1 --branch $LIBBPF_CI_TAG https://github.com/libbpf/ci.git actions
 
-# Install build dependencies only on x86_64, we cross-compile everything else
-if [ "$(uname -m)" == "x86_64" ]; then
+if [ "$DEPS" = "all" ] || [ "$DEPS" = "build" ]; then
+        # do not install cross-compilation toolchain by default
+        export TARGET_ARCH=$(uname -m)
         cd "${scratch}/actions/setup-build-env" && ./action.sh
 fi
 
-cd "${scratch}/actions/run-vmtest" && ./install-dependencies.sh
+if [ "$DEPS" = "all" ] || [ "$DEPS" = "run" ]; then
+        cd "${scratch}/actions/run-vmtest" && ./install-dependencies.sh
+fi
+
+cd / && rm -rf $scratch
+sudo apt-get clean
diff --git a/kbuilder-debian.Dockerfile b/kbuilder-debian.Dockerfile
@@ -0,0 +1,17 @@
+FROM debian:experimental
+
+ARG RUNNER_VERSION=2.331.0
+ARG LIBBPF_CI_TAG=v4
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y && apt-get install -y --no-install-recommends \
+    ca-certificates curl git sudo wget
+
+COPY setup-mirror-repos.sh /tmp/setup-mirror-repos.sh
+RUN bash /tmp/setup-mirror-repos.sh
+
+COPY install-dependencies.sh /tmp/install-dependencies.sh
+RUN bash /tmp/install-dependencies.sh build
+
+RUN apt-get clean
diff --git a/s390x.Dockerfile b/s390x.Dockerfile
@@ -52,7 +52,7 @@ RUN apt-get install -y --no-install-recommends \
     software-properties-common sudo tar unzip wget zip zstd
 
 COPY install-dependencies.sh /tmp/install-dependencies.sh
-RUN /tmp/install-dependencies.sh
+RUN /tmp/install-dependencies.sh run
 
 RUN apt-get -y install aspnetcore-runtime-8.0
 
diff --git a/setup-mirror-repos.sh b/setup-mirror-repos.sh
@@ -2,11 +2,6 @@
 
 set -euo pipefail
 
-if [ "$(uname -m)" != "x86_64" ]; then
-        echo "Skip setting up mirror repos in non-x86_64 image"
-        exit 0
-fi
-
 mkdir -p /libbpfci/mirrors
 git clone https://github.com/kernel-patches/bpf.git /libbpfci/mirrors/linux
 chmod -R a+rX /libbpfci/mirrors
