BPF CI: Switch to Debian-based kernel builders

theihor · theihor · commit e8c5ba2e3819 · 2026-01-27T12:09:13.000-08:00
Use a custom Debian-base docker image for kernel build jobs (kernel-patches/runner#94). Bump libbpf/ci actions to v4 (libbpf/ci#210). Other nits: - set CROSS_COMPILE only for s390x - simplify Linux source download - remove setup docker/qemu logic - in gcc-bpf, install github cli on demand Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
diff --git a/.github/scripts/download-gcc-bpf.sh b/.github/scripts/download-gcc-bpf.sh
@@ -7,6 +7,19 @@ INSTALL_DIR=$(realpath $2)
 
 cd /tmp
 
+if ! command -v gh &> /dev/null; then
+    # https://github.com/cli/cli/blob/trunk/docs/install_linux.md
+    (type -p wget >/dev/null || (sudo apt update && sudo apt install wget -y)) \
+	&& sudo mkdir -p -m 755 /etc/apt/keyrings \
+	&& out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+	&& cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
+	&& sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+	&& sudo mkdir -p -m 755 /etc/apt/sources.list.d \
+	&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+	&& sudo apt update \
+	&& sudo apt install gh -y
+fi
+
 tag=$(gh release list -L 1 -R ${GCC_BPF_RELEASE_GH_REPO} --json tagName -q .[].tagName)
 if [[ -z "$tag" ]]; then
     echo "Could not find latest GCC BPF release at ${GCC_BPF_RELEASE_GH_REPO}"
@@ -27,4 +40,3 @@ rm -rf $INSTALL_DIR
 mv -v $dir $INSTALL_DIR
 
 cd -
-
diff --git a/.github/workflows/ai-code-review.yml b/.github/workflows/ai-code-review.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
 
       - name: Download Linux source tree
-        uses: libbpf/ci/get-linux-source@v3
+        uses: libbpf/ci/get-linux-source@v4
         with:
           repo: ${{ github.event.pull_request.head.repo.clone_url }}
           rev: ${{ github.event.pull_request.head.sha }}
@@ -78,7 +78,7 @@ jobs:
           cp ci/claude/settings.json ~/.claude/settings.json
 
       - name: Download Linux source tree
-        uses: libbpf/ci/get-linux-source@v3
+        uses: libbpf/ci/get-linux-source@v4
         with:
           repo: ${{ github.event.pull_request.head.repo.clone_url }}
           rev: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/gcc-bpf.yml b/.github/workflows/gcc-bpf.yml
@@ -28,12 +28,9 @@ on:
 jobs:
   test:
     name: GCC BPF
-    runs-on: >-
-      ${{
-          contains(fromJSON(inputs.runs_on), 'codebuild')
-          && format('codebuild-bpf-ci-{0}-{1}', github.run_id, github.run_attempt)
-          || fromJSON(inputs.runs_on)
-      }}
+    runs-on:
+      - ${{ format('codebuild-bpf-ci-{0}-{1}', github.run_id, github.run_attempt) }}
+      - image:custom-linux-ghcr.io/kernel-patches/runner:kbuilder-debian-x86_64
     env:
       ARCH: ${{ inputs.arch }}
       BPF_NEXT_BASE_BRANCH: 'master'
@@ -52,7 +49,7 @@ jobs:
 
       - if: ${{ inputs.download_sources }}
         name: Download bpf-next tree
-        uses: libbpf/ci/get-linux-source@v3
+        uses: libbpf/ci/get-linux-source@v4
         with:
           dest: ${{ env.REPO_ROOT }}
           rev: ${{ env.BPF_NEXT_BASE_BRANCH }}
@@ -63,7 +60,7 @@ jobs:
         with:
           path: 'src'
 
-      - uses:  libbpf/ci/patch-kernel@v3
+      - uses:  libbpf/ci/patch-kernel@v4
         with:
           patches-root: '${{ github.workspace }}/ci/diffs'
           repo-root: ${{ env.REPO_ROOT }}
@@ -78,7 +75,7 @@ jobs:
         run: zstd -d -T0 vmlinux-${{ inputs.arch }}-${{ inputs.toolchain_full }}.tar.zst --stdout | tar -xf -
 
       - name: Setup build environment
-        uses: libbpf/ci/setup-build-env@v3
+        uses: libbpf/ci/setup-build-env@v4
         with:
           arch: ${{ inputs.arch }}
           gcc-version: ${{ inputs.gcc_version }}
@@ -91,7 +88,7 @@ jobs:
         run: .github/scripts/download-gcc-bpf.sh ${{ env.GCC_BPF_RELEASE_REPO }} ${{ env.GCC_BPF_INSTALL_DIR }}
 
       - name: Build selftests/bpf/test_progs-bpf_gcc
-        uses: libbpf/ci/build-selftests@v3
+        uses: libbpf/ci/build-selftests@v4
         env:
           BPF_GCC: ${{ env.GCC_BPF_INSTALL_DIR }}
           MAX_MAKE_JOBS: 32
diff --git a/.github/workflows/kernel-build.yml b/.github/workflows/kernel-build.yml
@@ -46,44 +46,31 @@ on:
 jobs:
   build:
     name: build kernel and selftests ${{ inputs.release && '-O2' || '' }}
-    # To run on CodeBuild, runs-on value must correspond to the AWS
-    # CodeBuild project associated with the kernel-patches webhook
-    # However matrix.py passes just a 'codebuild' string
-    runs-on: >-
-      ${{
-          contains(fromJSON(inputs.runs_on), 'codebuild')
-          && format('codebuild-bpf-ci-{0}-{1}', github.run_id, github.run_attempt)
-          || fromJSON(inputs.runs_on)
-      }}
+    runs-on:
+      - ${{ github.repository == 'kernel-patches/bpf-rc' && 'ubuntu-latest'
+         || format('codebuild-bpf-ci-{0}-{1}', github.run_id, github.run_attempt) }}
+      # AWS docs about image override: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-github-action-runners-update-labels.html
+      - image:${{ inputs.arch == 'aarch64' && 'custom-arm-ghcr.io/kernel-patches/runner:kbuilder-debian-aarch64'
+               || 'custom-linux-ghcr.io/kernel-patches/runner:kbuilder-debian-x86_64' }}
     env:
         ARTIFACTS_ARCHIVE: "vmlinux-${{ inputs.arch }}-${{ inputs.toolchain_full }}.tar.zst"
-        BPF_NEXT_BASE_BRANCH: 'master'
         BPF_NEXT_FETCH_DEPTH: 64 # A bit of history is needed to facilitate incremental builds
-        CROSS_COMPILE: ${{ inputs.arch != 'x86_64' && 'true' || '' }}
+        CROSS_COMPILE: ${{ inputs.arch == 's390x' && 'true' || '' }}
         BUILD_SCHED_EXT_SELFTESTS: ${{ inputs.arch == 'x86_64' || inputs.arch == 'aarch64' && 'true' || '' }}
         KBUILD_OUTPUT: ${{ github.workspace }}/kbuild-output
         KERNEL: ${{ inputs.kernel }}
         KERNEL_ROOT: ${{ github.workspace }}
+        KERNEL_ORIGIN: ${{ github.repository == 'kernel-patches/bpf-rc' && 'https://github.com/kernel-patches/bpf-rc.git'
+                        || 'https://github.com/kernel-patches/bpf.git'
+                        }}
+        KERNEL_REVISION: ${{ inputs.download_sources && 'bpf-next' || github.sha }}
         REFERENCE_REPO_PATH: /libbpfci/mirrors/linux
         REPO_PATH: ""
         REPO_ROOT: ${{ github.workspace }}
-        RUNNER_TYPE: ${{ contains(fromJSON(inputs.runs_on), 'codebuild') && 'codebuild' || 'default' }}
+        RUNNER_TYPE: codebuild
     steps:
 
-      # git version 2.43.0 (current Ubuntu 24 installation)
-      # does not support git clone --revision option
-      # so make sure latest git is installed
-      - name: Install latest git
-        shell: bash
-        run: |
-            sudo apt-get update
-            sudo apt-get install -y software-properties-common
-            sudo add-apt-repository -y ppa:git-core/ppa
-            sudo apt-get update
-            sudo apt-get install -y git
-            git --version
-
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           sparse-checkout: |
             .github
@@ -93,42 +80,14 @@ jobs:
         shell: bash
         run: .github/scripts/tmpfsify-workspace.sh
 
-      - if: ${{ ! inputs.download_sources }}
-        name: git clone ${{ github.repository }}@${{ github.sha }}
-        shell: bash
-        run: |
-          if [ -d "${{ env.REFERENCE_REPO_PATH }}" ]; then
-            git clone \
-              --revision ${{ github.sha }} \
-              --reference-if-able ${{ env.REFERENCE_REPO_PATH }} \
-              https://github.com/${{ github.repository }}.git .kernel
-          else
-            git clone \
-              --revision ${{ github.sha }} \
-              --depth ${{ inputs.download_sources && 1 || env.BPF_NEXT_FETCH_DEPTH }} \
-              https://github.com/${{ github.repository }}.git .kernel
-          fi
-
-      - if: ${{ inputs.download_sources }}
-        name: Download bpf-next tree
+      - name: Download bpf-next tree @ ${{ env.KERNEL_REVISION }}
+        uses: libbpf/ci/get-linux-source@v4
         env:
           FETCH_DEPTH: ${{ env.BPF_NEXT_FETCH_DEPTH }}
-        uses: libbpf/ci/get-linux-source@v3
         with:
           dest: '.kernel'
-          rev: ${{ env.BPF_NEXT_BASE_BRANCH }}
-
-      - uses: libbpf/ci/prepare-incremental-build@v3
-        with:
-          repo-root: '.kernel'
-          base-branch: >-
-            ${{    inputs.download_sources && env.BPF_NEXT_BASE_BRANCH
-                || github.event_name == 'pull_request' && github.base_ref
-                || github.ref_name
-             }}
-          arch: ${{ inputs.arch }}
-          toolchain_full: ${{ inputs.toolchain_full }}
-          kbuild-output: ${{ env.KBUILD_OUTPUT }}
+          repo: ${{ env.KERNEL_ORIGIN }}
+          rev: ${{ env.KERNEL_REVISION }}
 
       - name: Move linux source in place
         shell: bash
@@ -139,33 +98,21 @@ jobs:
           cd ..
           rmdir .kernel
 
-      - uses:  libbpf/ci/patch-kernel@v3
+      - uses:  libbpf/ci/patch-kernel@v4
         with:
           patches-root: '${{ github.workspace }}/ci/diffs'
           repo-root: ${{ env.REPO_ROOT }}
 
       - name: Setup build environment
-        uses: libbpf/ci/setup-build-env@v3
+        uses: libbpf/ci/setup-build-env@v4
         with:
           arch: ${{ inputs.arch }}
           gcc-version: ${{ inputs.gcc_version }}
           llvm-version: ${{ inputs.llvm_version }}
           pahole: master
 
-        # We have to setup qemu+binfmt in order to enable cross-compation of selftests.
-        # During selftests build, freshly built bpftool is executed.
-        # On self-hosted bare-metal hosts binfmt is pre-configured.
-      - if: ${{ env.RUNNER_TYPE == 'codebuild' && env.CROSS_COMPILE }}
-        name: Set up docker
-        uses: docker/setup-docker-action@v4
-      - if: ${{ env.RUNNER_TYPE == 'codebuild' && env.CROSS_COMPILE }}
-        name: Setup binfmt and qemu
-        uses: docker/setup-qemu-action@v3
-        with:
-          image: tonistiigi/binfmt:qemu-v9.2.0
-
       - name: Build kernel image
-        uses: libbpf/ci/build-linux@v3
+        uses: libbpf/ci/build-linux@v4
         with:
           arch: ${{ inputs.arch }}
           toolchain: ${{ inputs.toolchain }}
@@ -174,7 +121,7 @@ jobs:
           llvm-version: ${{ inputs.llvm_version }}
 
       - name: Build selftests/bpf
-        uses: libbpf/ci/build-selftests@v3
+        uses: libbpf/ci/build-selftests@v4
         env:
           MAX_MAKE_JOBS: 32
           RELEASE: ${{ inputs.release && '1' || '' }}
@@ -186,7 +133,7 @@ jobs:
 
       - if: ${{ env.BUILD_SCHED_EXT_SELFTESTS }}
         name: Build selftests/sched_ext
-        uses: libbpf/ci/build-scx-selftests@v3
+        uses: libbpf/ci/build-scx-selftests@v4
         with:
           kbuild-output: ${{ env.KBUILD_OUTPUT }}
           repo-root: ${{ env.REPO_ROOT }}
@@ -197,7 +144,7 @@ jobs:
 
       - if: ${{ github.event_name != 'push' }}
         name: Build samples
-        uses: libbpf/ci/build-samples@v3
+        uses: libbpf/ci/build-samples@v4
         with:
           arch: ${{ inputs.arch }}
           toolchain: ${{ inputs.toolchain }}
@@ -206,7 +153,7 @@ jobs:
           llvm-version: ${{ inputs.llvm_version }}
       - name: Tar artifacts
         id: tar-artifacts
-        uses: libbpf/ci/tar-artifacts@v3
+        uses: libbpf/ci/tar-artifacts@v4
         env:
           ARCHIVE_BPF_SELFTESTS: 'true'
           ARCHIVE_MAKE_HELPERS: 'true'
diff --git a/.github/workflows/kernel-test.yml b/.github/workflows/kernel-test.yml
@@ -65,7 +65,7 @@ jobs:
         run: zstd -d -T0  vmlinux-${{ inputs.arch }}-${{ inputs.toolchain_full }}.tar.zst --stdout | tar -xf -
 
       - name: Run selftests
-        uses: libbpf/ci/run-vmtest@v3
+        uses: libbpf/ci/run-vmtest@v4
         # https://github.com/actions/runner/issues/1483#issuecomment-1031671517
         # booleans are weird in GH.
         continue-on-error: ${{ fromJSON(env.CONTINUE_ON_ERROR) }}
diff --git a/.github/workflows/veristat-kernel.yml b/.github/workflows/veristat-kernel.yml
@@ -50,7 +50,7 @@ jobs:
         run: zstd -d -T0  vmlinux-${{ env.ARCH_AND_TOOL }}.tar.zst --stdout | tar -xf -
 
       - name: Run veristat
-        uses: libbpf/ci/run-vmtest@v3
+        uses: libbpf/ci/run-vmtest@v4
         with:
           arch: x86_64
           vmlinuz: '${{ github.workspace }}/vmlinuz'
diff --git a/.github/workflows/veristat-meta.yml b/.github/workflows/veristat-meta.yml
@@ -71,7 +71,7 @@ jobs:
           AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
 
       - name: Run veristat
-        uses: libbpf/ci/run-vmtest@v3
+        uses: libbpf/ci/run-vmtest@v4
         with:
           arch: x86_64
           vmlinuz: '${{ github.workspace }}/vmlinuz'
diff --git a/.github/workflows/veristat-scx.yml b/.github/workflows/veristat-scx.yml
@@ -35,7 +35,7 @@ jobs:
           sparse-checkout: |
             .github
             ci
-      - uses: libbpf/ci/build-scx-scheds@v3
+      - uses: libbpf/ci/build-scx-scheds@v4
         with:
           output-dir: ${{ env.SCX_BUILD_OUTPUT }}
       - name: Collect scx progs
@@ -88,7 +88,7 @@ jobs:
           path: ${{ env.SCX_PROGS }}
 
       - name: Run veristat
-        uses: libbpf/ci/run-vmtest@v3
+        uses: libbpf/ci/run-vmtest@v4
         with:
           arch: x86_64
           vmlinuz: '${{ github.workspace }}/vmlinuz'
