rock5: CI release process

Build the kernel and hack the Talos `Makefile` slightly to pass
the board and optionally a specific kernel commit via a context
override. (This isn't done using the standard Talos approach for
custom kernels where you re-pack the initfs since we have a forked
installer anyway, this is faster because we can do it in a single
pack and `xz` takes forever.)

All commits get Docker images for the kernel + installer. Tags
get `metal-rock_5b-arm64.img.xz` generated from the commit image (and
the installer re-tagged with the Git tag) and attached to a GitHub
release.

.github/workflows/kernel.yaml

@@ -0,0 +1,60 @@
+name: Kernel
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches: ['release-1.4']
+    paths:
+      - docker-bake.hcl
+      - hack/boards/defconfig
+      - .github/workflows/kernel.yaml
+  schedule:
+    - cron: '15 18 * * 2' # 18:15 UTC on Tuesday
+
+jobs:
+  kernel:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: none
+
+    outputs:
+      digest: ${{ steps.docker.outputs.digest }}
+
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          registry: docker.io
+          username: milas
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      # we need the local repo contents to get files from `./hack/boards`
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - uses: docker/metadata-action@v4
+        id: meta
+        with:
+          images: docker.io/milas/rock5-talos-kernel
+          flavor: latest=false
+          tags: |
+            type=schedule,pattern={{date 'YYYYMMDD'}}
+            type=schedule,pattern=latest
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - uses: docker/bake-action@v2
+        with:
+          push: true
+          pull: true
+          targets: kernel
+          files: |
+            ./docker-bake.hcl
+            ${{ steps.meta.outputs.bake-file }}
+          set: |
+            *.cache-from=type=gha
+            *.cache-to=type=gha,mode=max
+            *.attest=type=provenance,mode=max

.github/workflows/talos.yaml

@@ -0,0 +1,97 @@
+name: Talos Images
+
+on:
+  push:
+    branches: [ 'main', 'release-*' ]
+    tags:
+      - "v*"
+
+env:
+  # REGISTRY is used by Talos makefile targets
+  REGISTRY: docker.io
+  # USERNAME is used by Talos makefile targets
+  USERNAME: milas
+
+jobs:
+  talos-installer-image:
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      packages: none
+
+    strategy:
+      matrix:
+        board: [rock-5a, rock-5b]
+
+    steps:
+      - uses: docker/setup-buildx-action@v2
+
+      - uses: docker/setup-qemu-action@v2
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          # ^^^ populated from mandatory vars for Talos makefile
+          # just done to keep in sync, not for flexibility
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          # need history for `git describe` to work for Talos `Makefile`
+          fetch-depth: 0
+
+      - name: Build and push Talos installer image
+        run: make installer
+        env:
+          PUSH: '1'
+          IMAGE_NAME: rock5-talos
+          ROCK5_BOARD: ${{ matrix.board }}
+          PLATFORM: linux/arm64
+          PROGRESS: plain
+
+  # TODO(milas): refactor to split release from eMMC image & use matrix strategy
+  talos-emmc-image:
+    runs-on: ubuntu-22.04
+    needs: talos-installer-image
+
+    if: contains(github.ref, 'refs/tags/')
+
+    permissions:
+      contents: write
+      packages: write
+
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - uses: actions/checkout@v3
+
+      - name: Build Flashable Image for Rock 5B
+        run: |
+          mkdir -p _out/
+          make sbc-rock_5b
+        env:
+          IMAGE_NAME: rock5-talos
+          IMAGE_TAG: ${{ github.ref_name }}-rock-5b
+          ROCK5_BOARD: rock-5b
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          fail_on_unmatched_files: true
+          files: _out/metal-rock_5b-arm64.img.xz
+          generate_release_notes: true

Dockerfile

@@ -1,4 +1,4 @@
-# syntax = docker/dockerfile-upstream:1.5.2-labs
+# syntax = docker/dockerfile:1-labs
 
 # Meta args applied to stage base names.
 
@@ -7,6 +7,7 @@ ARG IMPORTVET
 ARG PKGS
 ARG EXTRAS
 ARG INSTALLER_ARCH
+ARG ROCK5_BOARD
 
 # Resolve package images using ${PKGS} to be used later in COPY --from=.
 
@@ -78,6 +79,12 @@ FROM ghcr.io/siderolabs/kernel:${PKGS} AS pkg-kernel
 FROM --platform=amd64 ghcr.io/siderolabs/kernel:${PKGS} AS pkg-kernel-amd64
 FROM --platform=arm64 ghcr.io/siderolabs/kernel:${PKGS} AS pkg-kernel-arm64
 
+FROM docker.io/milas/rock5-talos-kernel AS rock5-kernel
+
+FROM scratch AS rock5-extlinux
+ARG ROCK5_BOARD
+COPY hack/boards/${ROCK5_BOARD}/extlinux.conf /extlinux.conf
+
 FROM --platform=arm64 ghcr.io/siderolabs/u-boot:${PKGS} AS pkg-u-boot-arm64
 FROM --platform=arm64 ghcr.io/siderolabs/raspberrypi-firmware:${PKGS} AS pkg-raspberrypi-firmware-arm64
 
@@ -393,7 +400,7 @@ COPY --from=talosctl-linux /talosctl-linux-${TARGETARCH} /talosctl
 ARG TAG
 ENV VERSION ${TAG}
 LABEL "alpha.talos.dev/version"="${VERSION}"
-LABEL org.opencontainers.image.source https://github.com/siderolabs/talos
+LABEL org.opencontainers.image.source=https://github.com/milas/rock5-talos
 ENTRYPOINT ["/talosctl"]
 
 FROM base AS talosctl-darwin-amd64-build
@@ -534,6 +541,7 @@ COPY --from=pkg-kmod-arm64 /usr/lib/libkmod.* /rootfs/lib/
 COPY --from=pkg-kmod-arm64 /usr/bin/kmod /rootfs/sbin/modprobe
 COPY --from=pkg-kernel-arm64 /lib/modules /rootfs/lib/modules
 COPY --from=machined-build-arm64 /machined /rootfs/sbin/init
+COPY --from=rock5-kernel /lib/modules /rootfs/lib/modules
 # the orderly_poweroff call by the kernel will call '/sbin/poweroff'
 RUN ln /rootfs/sbin/init /rootfs/sbin/poweroff
 RUN chmod +x /rootfs/sbin/poweroff
@@ -635,7 +643,7 @@ COPY --from=initramfs-archive /initramfs.xz /initramfs-${TARGETARCH}.xz
 
 FROM scratch AS talos
 COPY --from=rootfs / /
-LABEL org.opencontainers.image.source https://github.com/siderolabs/talos
+LABEL org.opencontainers.image.source=https://github.com/milas/rock5-talos
 ENTRYPOINT ["/sbin/init"]
 
 # The installer target generates an image that can be used to install Talos to
@@ -658,10 +666,23 @@ COPY --from=pkg-kernel-amd64 /boot/vmlinuz /usr/install/amd64/vmlinuz
 COPY --from=pkg-kernel-amd64 /dtb /usr/install/amd64/dtb
 COPY --from=initramfs-archive-amd64 /initramfs.xz /usr/install/amd64/initramfs.xz
 
+FROM milas/rock5-u-boot:latest-rock-5a-radxa AS u-boot-rock-5a
+
+#FROM milas/rock5-u-boot:latest-rock-5b-radxa AS u-boot-rock-5b
+FROM scratch AS u-boot-rock-5b
+
+ADD https://dl.radxa.com/rock5/sw/images/loader/rock-5b/debug/rock-5b-spi-image-g3caf61a44c2-debug.img /spi/spi_image.img
+
 FROM scratch AS install-artifacts-arm64
 COPY --from=pkg-grub-arm64 /usr/lib/grub /usr/lib/grub
-COPY --from=pkg-kernel-arm64 /boot/vmlinuz /usr/install/arm64/vmlinuz
-COPY --from=pkg-kernel-arm64 /dtb /usr/install/arm64/dtb
+#COPY --from=pkg-kernel-arm64 /boot/vmlinuz /usr/install/arm64/vmlinuz
+#COPY --from=pkg-kernel-arm64 /dtb /usr/install/arm64/dtb
+COPY --from=u-boot-rock-5a --link /spi/spi_image.img /usr/install/arm64/u-boot/rock_5a/u-boot.img
+COPY --from=u-boot-rock-5b --link /spi/spi_image.img /usr/install/arm64/u-boot/rock_5b/u-boot.img
+COPY --from=rock5-kernel --link /vmlinuz /usr/install/arm64/
+COPY --from=rock5-kernel --link /dtb /usr/install/arm64/dtb
+COPY --from=rock5-extlinux --link / /usr/install/arm64/extlinux
+
 COPY --from=initramfs-archive-arm64 /initramfs.xz /usr/install/arm64/initramfs.xz
 COPY --from=pkg-u-boot-arm64 / /usr/install/arm64/u-boot
 COPY --from=pkg-raspberrypi-firmware-arm64 / /usr/install/arm64/raspberrypi-firmware
@@ -706,7 +727,7 @@ COPY --from=installer-image / /
 ARG TAG
 ENV VERSION ${TAG}
 LABEL "alpha.talos.dev/version"="${VERSION}"
-LABEL org.opencontainers.image.source https://github.com/siderolabs/talos
+LABEL org.opencontainers.image.source=https://github.com/milas/rock5-talos
 ENTRYPOINT ["/bin/installer"]
 
 FROM installer-image-squashed AS installer

Makefile

@@ -1,9 +1,13 @@
+ifndef ROCK5_BOARD
+$(error ROCK5_BOARD is required)
+endif
+
 REGISTRY ?= ghcr.io
 USERNAME ?= siderolabs
 SHA ?= $(shell git describe --match=none --always --abbrev=8 --dirty)
 TAG ?= $(shell git describe --tag --always --dirty --match v[0-9]\*)
 ABBREV_TAG ?= $(shell git describe --tag --always --match v[0-9]\* --abbrev=0 )
-TAG_SUFFIX ?=
+TAG_SUFFIX ?= -$(ROCK5_BOARD)
 SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)
 IMAGE_REGISTRY ?= $(REGISTRY)
 IMAGE_TAG ?= $(TAG)$(TAG_SUFFIX)
@@ -98,10 +102,21 @@ BUILD := docker buildx build
 PLATFORM ?= linux/amd64
 PROGRESS ?= auto
 PUSH ?= false
+PROVENANCE ?= true
+ROCK5_KERNEL ?= ''
+ROCK5_UBOOT ?= ''
+
 COMMON_ARGS := --file=Dockerfile
 COMMON_ARGS += --progress=$(PROGRESS)
 COMMON_ARGS += --platform=$(PLATFORM)
 COMMON_ARGS += --push=$(PUSH)
+COMMON_ARGS += --provenance=$(PROVENANCE)
+ifneq ($(ROCK5_UBOOT), '')
+COMMON_ARGS += --build-context=u-boot-$(ROCK5_BOARD)=$(ROCK5_UBOOT)
+endif
+ifneq ($(ROCK5_KERNEL), '')
+COMMON_ARGS += --build-context=rock5-kernel=$(ROCK5_KERNEL)
+endif
 COMMON_ARGS += --build-arg=TOOLS=$(TOOLS)
 COMMON_ARGS += --build-arg=PKGS=$(PKGS)
 COMMON_ARGS += --build-arg=EXTRAS=$(EXTRAS)
@@ -134,6 +149,7 @@ COMMON_ARGS += --build-arg=SHA=$(SHA)
 COMMON_ARGS += --build-arg=USERNAME=$(USERNAME)
 COMMON_ARGS += --build-arg=REGISTRY=$(REGISTRY)
 COMMON_ARGS += --build-arg=ABBREV_TAG=$(ABBREV_TAG)
+COMMON_ARGS += --build-arg=ROCK5_BOARD=$(ROCK5_BOARD)
 
 CI_ARGS ?=
 
@@ -207,7 +223,7 @@ docker-%: ## Builds the specified target defined in the Dockerfile using the doc
 	@$(MAKE) target-$* TARGET_ARGS="--output type=docker,dest=$(DEST)/$*.tar,name=$(REGISTRY_AND_USERNAME)/$*:$(IMAGE_TAG) $(TARGET_ARGS)"
 
 registry-%: ## Builds the specified target defined in the Dockerfile using the image/registry output type. The build result will be pushed to the registry if PUSH=true.
-	@$(MAKE) target-$* TARGET_ARGS="--output type=image,name=$(REGISTRY_AND_USERNAME)/$*:$(IMAGE_TAG) $(TARGET_ARGS)"
+	@$(MAKE) target-$* TARGET_ARGS="--output type=image,name=$(REGISTRY_AND_USERNAME)/$${IMAGE_NAME:-$*}:$(IMAGE_TAG) $(TARGET_ARGS)"
 
 hack-test-%: ## Runs the specified script in ./hack/test with well known environment variables.
 	@./hack/test/$*.sh
@@ -280,10 +296,10 @@ images-essential: image-aws image-gcp image-metal ## Builds only essential image
 images: image-aws image-azure image-digital-ocean image-exoscale image-gcp image-hcloud image-metal image-nocloud image-openstack image-oracle image-scaleway image-upcloud image-vmware image-vultr ## Builds all known images (AWS, Azure, DigitalOcean, Exoscale, GCP, HCloud, Metal, NoCloud, Openstack, Oracle, Scaleway, UpCloud, Vultr and VMware).
 
 sbc-%: ## Builds the specified SBC image. Valid options are rpi_4, rpi_generic, rock64, bananapi_m64, libretech_all_h3_cc_h5, rockpi_4, rockpi_4c, pine64, jetson_nano and nanopi_r4s (e.g. sbc-rpi_4)
-	@docker pull $(REGISTRY_AND_USERNAME)/imager:$(IMAGE_TAG)
+	@docker pull --platform=linux/arm64 $(REGISTRY_AND_USERNAME)/$${IMAGE_NAME:-imager}:$(IMAGE_TAG)
 	@ . ./hack/imager.sh && \
 	    tmpdir=$$(prepare_extension_images linux/arm64 $(IMAGER_SYSTEM_EXTENSIONS)) && \
-		docker run --rm -v /dev:/dev -v "$${tmpdir}:/system/extensions" --privileged $(REGISTRY_AND_USERNAME)/imager:$(IMAGE_TAG) image --platform metal --arch arm64 --board $* --tar-to-stdout $(IMAGER_ARGS) | tar xz -C $(ARTIFACTS) ; \
+		docker run --platform=linux/arm64 --rm -v /dev:/dev -v "$${tmpdir}:/system/extensions" --privileged $(REGISTRY_AND_USERNAME)/$${IMAGE_NAME:-imager}:$(IMAGE_TAG) image --platform metal --arch arm64 --board $* --tar-to-stdout $(IMAGER_ARGS) | tar xz -C $(ARTIFACTS) ; \
 		rm -rf "$${tmpdir}"
 
 sbcs: sbc-rpi_4 sbc-rpi_generic sbc-rock64 sbc-bananapi_m64 sbc-libretech_all_h3_cc_h5 sbc-rockpi_4 sbc-rockpi_4c sbc-pine64 sbc-jetson_nano sbc-nanopi_r4s ## Builds all known SBC images (Raspberry Pi 4 Model B, Rock64, Banana Pi M64, Radxa ROCK Pi 4, Radxa ROCK Pi 4c, Pine64, Libre Computer Board ALL-H3-CC, Jetson Nano and Nano Pi R4S).

docker-bake.hcl

@@ -0,0 +1,38 @@
+# virtual target for CI
+# https://github.com/docker/metadata-action#bake-definition
+target "docker-metadata-action" {}
+
+target kernel {
+  inherits = ["docker-metadata-action"]
+  context   = "https://github.com/milas/rock5-toolchain.git"
+  target    = "kernel"
+  platforms = ["linux/arm64"]
+  contexts  = {
+    defconfig    = "./hack/boards/defconfig"
+  }
+}
+
+// TODO: this doesn't work because there's still more build args needed
+#target "talos-installer" {
+#  tags      = ["ghcr.io/milas/rock5-talos:${BOARD}"]
+#  target    = "talos-installer"
+#  platforms = ["linux/arm64"]
+#  args      = {
+#    TOOLS                = "ghcr.io/siderolabs/tools:v1.3.0-1-g712379c"
+#    PKGS                 = "v1.3.0-9-g9543590"
+#    EXTRAS               = "v1.3.0-1-g3773d71"
+#    GOFUMPT_VERSION      = "v0.4.0"
+#    GOIMPORTS_VERSION    = "v0.1.11"
+#    STRINGER_VERSION     = "v0.1.12"
+#    ENUMER_VERSION       = "v1.1.2"
+#    DEEPCOPY_GEN_VERSION = "v0.21.3"
+#    VTPROTOBUF_VERSION   = "v0.2.0"
+#    GOLANGCILINT_VERSION = "v1.50.0"
+#    DEEPCOPY_VERSION     = "v0.5.5"
+#    IMPORTVET            = "ghcr.io/siderolabs/importvet:1549a5c"
+#  }
+#  contexts = {
+#    "ghcr.io/milas/rock5-talos-kernel:${BOARD}" = "target:kernel"
+#    #    "ghcr.io/milas/${BOARD}-u-boot" = "target:_u-boot"
+#  }
+#}