tfgrid/zosbuilder
11
0
Fork 1
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2142876e3d9f259425239784bd0a9096100cf1c0
zosbuilder/GITHUB_ACTIONS.md
Jan De Landtsheer 860b9aa161 feat: Implement complete Zero OS Alpine Initramfs Builder 
- Complete bash framework with strict error handling
- Modular library system (docker, alpine, components, initramfs, kernel, testing)
- Rust component integration (zinit, rfs, mycelium) with musl targeting
- Rootless Docker/Podman support for GitHub Actions
- Centralized configuration in config/build.conf
- 2-stage module loading system
- Strip + UPX optimization for minimal size
- Complete zinit integration replacing OpenRC
- GitHub Actions CI/CD pipeline
- Comprehensive documentation and usage guides

Components:
- Latest stable kernel 6.12.44
- Alpine Linux 3.22 base
- ThreeFold components: zinit, mycelium, rfs, corex
- Target: ~8-12MB final initramfs.cpio.xz
2025-08-31 12:31:49 +02:00

5.2 KiB
Raw Blame History

GitHub Actions Integration

Rootless Container Setup

Prerequisites

GitHub Actions runners need proper subuid/subgid configuration for rootless containers:

name: Build Zero OS Initramfs

on:
  push:
    branches: [ main, development ]
  pull_request:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    
    steps:
    - uses: actions/checkout@v4
    
    - name: Setup rootless containers
      run: |
        # Configure subuid/subgid for runner user
        echo "runner:100000:65536" | sudo tee -a /etc/subuid
        echo "runner:100000:65536" | sudo tee -a /etc/subgid
        
        # Install container runtime
        sudo apt-get update
        sudo apt-get install -y podman
        
        # Verify rootless setup
        podman system info
    
    - name: Install build dependencies
      run: |
        sudo apt-get install -y \
          build-essential \
          rustc \
          cargo \
          upx-ucl \
          binutils \
          git \
          wget \
          qemu-system-x86 \
          cloud-hypervisor
    
    - name: Setup Rust musl target
      run: |
        rustup target add x86_64-unknown-linux-musl
        sudo apt-get install -y musl-tools
    
    - name: Build initramfs
      run: |
        chmod +x scripts/build.sh
        ./scripts/build.sh
    
    - name: Test with QEMU
      run: |
        chmod +x scripts/test.sh
        ./scripts/test.sh --qemu
    
    - name: Upload artifacts
      uses: actions/upload-artifact@v4
      with:
        name: zero-os-initramfs
        path: |
          dist/vmlinuz.efi
          dist/initramfs.cpio.xz
        retention-days: 30
    
    - name: Create release
      if: github.ref == 'refs/heads/main'
      uses: softprops/action-gh-release@v1
      with:
        tag_name: v${{ github.run_number }}
        files: |
          dist/vmlinuz.efi
          dist/initramfs.cpio.xz

Container Caching Strategy

Builder Container Reuse

    - name: Cache builder container
      uses: actions/cache@v4
      with:
        path: ~/.local/share/containers
        key: ${{ runner.os }}-containers-${{ hashFiles('Dockerfile') }}
        restore-keys: |
          ${{ runner.os }}-containers-
    
    - name: Build or reuse container
      run: |
        if ! podman image exists zero-os-builder:latest; then
          podman build -t zero-os-builder:latest .
        fi

Component Source Caching

    - name: Cache Rust components
      uses: actions/cache@v4
      with:
        path: |
          components/
          ~/.cargo/registry
          ~/.cargo/git
        key: ${{ runner.os }}-rust-${{ hashFiles('config/sources.conf') }}
        restore-keys: |
          ${{ runner.os }}-rust-

Security Considerations

Rootless Execution Benefits

  1. No privileged access required
  2. User namespace isolation
  3. Reduced attack surface
  4. Compatible with GitHub Actions security model

Container Security

# Use minimal Alpine base
FROM alpine:3.22

# Create non-root user
RUN adduser -D -s /bin/sh builder

# Install only required packages
RUN apk add --no-cache \
    build-base \
    rust \
    cargo \
    upx \
    git \
    wget

# Switch to non-root user
USER builder
WORKDIR /home/builder

Parallel Builds

Matrix Strategy for Testing

strategy:
  matrix:
    test_runner: [qemu, cloud-hypervisor]
    optimization: [size, speed]

steps:
- name: Build with optimization
  run: |
    export OPTIMIZATION_TARGET="${{ matrix.optimization }}"
    ./scripts/build.sh
    
- name: Test with runner
  run: |
    ./scripts/test.sh --runner ${{ matrix.test_runner }}

Environment Variables

Build Configuration

env:
  ALPINE_VERSION: "3.22"
  KERNEL_VERSION: "6.8.8" 
  RUST_TARGET: "x86_64-unknown-linux-musl"
  OPTIMIZATION_LEVEL: "max"
  CONTAINER_REGISTRY: "ghcr.io"

Secrets Management

    - name: Login to container registry
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

Troubleshooting

Common Issues

  1. Subuid/subgid not configured

    # Solution: Configure in setup step
echo "runner:100000:65536" | sudo tee -a /etc/subuid

  2. Container runtime not accessible

    # Solution: Use rootless podman
sudo apt-get install -y podman

  3. Rust musl target missing

    # Solution: Add target and tools
rustup target add x86_64-unknown-linux-musl
sudo apt-get install -y musl-tools

  4. UPX compression fails

    # Solution: Check UPX version compatibility
upx --version
upx --best --force binary || echo "UPX failed, continuing"

Performance Optimization

Build Time Reduction

  1. Container layer caching
  2. Rust dependency caching
  3. Parallel component builds
  4. Incremental compilation

Resource Usage

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    
    steps:
    - name: Configure build resources
      run: |
        # Limit parallel jobs based on available cores
        export MAKEFLAGS="-j$(nproc)"
        export CARGO_BUILD_JOBS="$(nproc)"