Skip to content

feat: Ensure CONFIG_HID_GPD is enabled. #45

feat: Ensure CONFIG_HID_GPD is enabled.

feat: Ensure CONFIG_HID_GPD is enabled. #45

Workflow file for this run

name: Build (arch)
on:
workflow_dispatch:
inputs:
version:
description: 'Enter a tagged OGC kernel version in the format <kernel-version>-ogc<rev>'
required: true
push:
tags:
- 'v*'
env:
OCI_REPO: ghcr.io/${{ github.repository }}-arch
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build-arch:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
attestations: write
artifact-metadata: write
container:
image: docker.io/archlinux:base-devel
volumes:
- /usr:/usr-host
- /opt:/opt-host
options: --privileged
steps:
- name: Prepare environment
shell: bash
run: |
# Lowercase the image uri
echo "OCI_REPO=${OCI_REPO,,}" >> ${GITHUB_ENV}
- name: Maximize build space
run: |
df -h
rm -rf /usr-host/share/dotnet
rm -rf /usr-host/share/swift
rm -rf /usr-host/share/java
rm -rf /usr-host/local/lib/android
rm -rf /opt-host/ghc
rm -rf /opt-host/hostedtoolcache
rm -rf /opt-host/az
df -h
- name: Checkout sources
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Set up pacman keyring
run: |
pacman-key --init
pacman-key --populate archlinux
mkdir -p /etc/gnupg && echo "auto-key-retrieve" >> /etc/gnupg/gpg.conf
- name: Install dependencies
run: |
pacman -Syu --noconfirm bc cpio gettext jq libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra sed wget
- name: Get version
id: version
shell: bash
run: |
if [ -n "${{ github.event.inputs.version }}" ]; then
OGC_VERSION="${{ github.event.inputs.version }}"
else
TAG="${{ github.ref_name }}"
OGC_VERSION="${TAG#v}"
fi
KERNEL_VERSION="${OGC_VERSION%-ogc*}"
MAJOR_VERSION="${KERNEL_VERSION%%.*}.x"
echo "ogc_version=$OGC_VERSION" >> "$GITHUB_OUTPUT"
echo "kernel_version=$KERNEL_VERSION" >> "$GITHUB_OUTPUT"
echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT"
OGC_REV="${OGC_VERSION##*-ogc}"
BASE_KVER="${KERNEL_VERSION%.*}"
STABLE_KVER="${KERNEL_VERSION##*.}"
if [ "$STABLE_KVER" = "0" ]; then
TAR_KVER="$BASE_KVER"
else
TAR_KVER="$KERNEL_VERSION"
fi
echo "ogc_rev=$OGC_REV" >> "$GITHUB_OUTPUT"
echo "base_kver=$BASE_KVER" >> "$GITHUB_OUTPUT"
echo "stable_kver=$STABLE_KVER" >> "$GITHUB_OUTPUT"
echo "tar_kver=$TAR_KVER" >> "$GITHUB_OUTPUT"
- name: Setup ORAS
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
- name: Compute content hash
id: content-hash
shell: bash
run: |
HASH=$(
{
echo "ogc_version=${{ steps.version.outputs.ogc_version }}"
echo "distro=arch"
sha256sum \
arch/PKGBUILD \
arch/config \
config/arch.config.set \
config/ogc.config.set \
config/arch.config.unset \
config/ogc.config.unset \
.github/workflows/arch.yaml
} | sha256sum | cut -d' ' -f1
)
SHORT_HASH="${HASH:0:12}"
echo "hash=$SHORT_HASH" >> "$GITHUB_OUTPUT"
echo "Content hash: $SHORT_HASH"
- name: Check for existing build
id: check-existing
shell: bash
run: |
REPO="${OCI_REPO,,}"
TAG="sha-${{ steps.content-hash.outputs.hash }}"
if oras manifest fetch "${REPO}:${TAG}" > /dev/null 2>&1; then
echo "exists=true" >> "$GITHUB_OUTPUT"
echo "::notice::Skipping build, artifact with content hash ${TAG} already exists"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
echo "No existing artifact for ${TAG}, proceeding with build"
fi
- name: Get build number
if: steps.check-existing.outputs.exists != 'true'
id: buildnum
shell: bash
run: |
VERSION_PREFIX="${{ steps.version.outputs.ogc_version }}"
REPO="${OCI_REPO,,}"
EXISTING=$(oras repo tags "${REPO}" 2>/dev/null | { grep -cE "^${VERSION_PREFIX}\.[0-9]+$" || true; })
BUILD_NUM=$((EXISTING + 1))
echo "build_num=$BUILD_NUM" >> "$GITHUB_OUTPUT"
echo "Build number: $BUILD_NUM"
- name: Substitute versions
if: steps.check-existing.outputs.exists != 'true'
shell: bash
run: |
OGC_VERSION="${{ steps.version.outputs.ogc_version }}"
ARCH_PKGVER="${OGC_VERSION/-/.}"
TAR_KVER="${{ steps.version.outputs.tar_kver }}"
BUILD_NUM="${{ steps.buildnum.outputs.build_num }}"
sed -i \
-e "s/@@OGC_VERSION@@/${ARCH_PKGVER}/" \
-e "s/@@TAR_KVER@@/${TAR_KVER}/" \
-e "s/@@BUILDNUM@@/${BUILD_NUM}/" \
arch/PKGBUILD
- name: Create build user
if: steps.check-existing.outputs.exists != 'true'
run: |
useradd -m build
mkdir -p /home/build/linux
cp -vR * /home/build/linux
chown -vR build /home/build/linux
- name: Download and verify kernel source
if: steps.check-existing.outputs.exists != 'true'
shell: bash
run: |
TAR_KVER="${{ steps.version.outputs.tar_kver }}"
MAJOR_VERSION="${{ steps.version.outputs.major_version }}"
OGC_VERSION="${{ steps.version.outputs.ogc_version }}"
wget https://cdn.kernel.org/pub/linux/kernel/v${MAJOR_VERSION}/linux-${TAR_KVER}.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v${MAJOR_VERSION}/linux-${TAR_KVER}.tar.sign
wget https://github.com/OpenGamingCollective/linux/releases/download/v${OGC_VERSION}/monolithic.patch
wget https://github.com/OpenGamingCollective/linux/releases/download/v${OGC_VERSION}/monolithic.patch.sig
# Import kernel.org signing keys (Linus Torvalds & Greg Kroah-Hartman)
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys \
ABAF11C65A2970B130ABE3C479BE3E4300411886 \
647F28654894E3BD457199BE38DBBDC86092693E
# Import OGC patch signing key
gpg --import $GITHUB_WORKSPACE/public.key
# Verify kernel tarball signature
xz -dc linux-${TAR_KVER}.tar.xz | gpg --verify linux-${TAR_KVER}.tar.sign -
# Verify OGC monolithic patch signature
gpg --verify monolithic.patch.sig monolithic.patch
tar -xf linux-${TAR_KVER}.tar.xz
cd linux-${TAR_KVER}
patch -Np1 < ../monolithic.patch
- name: Merge kernel configuration files
if: steps.check-existing.outputs.exists != 'true'
uses: OpenGamingCollective/kernel-configurator@5b4abc58a2edf89941180dbbe33b26415db23b0b # v1.0.1
with:
config: arch/config
set: |
config/arch.config.set
config/ogc.config.set
unset: |
config/arch.config.unset
config/ogc.config.unset
output: linux-${{ steps.version.outputs.tar_kver }}/.config
- name: Validate combined kernel config file
if: steps.check-existing.outputs.exists != 'true'
shell: bash
run: |
cd linux-${{ steps.version.outputs.tar_kver }}
make olddefconfig
- name: Build linux package
if: steps.check-existing.outputs.exists != 'true'
id: build-kernel-package
shell: bash
run: |
TAR_KVER="${{ steps.version.outputs.tar_kver }}"
# Pre-populate makepkg source cache
cp linux-${TAR_KVER}.tar.xz /home/build/linux/arch/
cp monolithic.patch /home/build/linux/arch/
# Copy patched config
cp linux-${TAR_KVER}/.config /home/build/linux/arch/config
chown -R build /home/build/linux
su build /usr/bin/bash -c "cd /home/build/linux/arch && MAKEFLAGS=-j$(nproc) makepkg --skippgpcheck --skipchecksums --skipinteg"
. /home/build/linux/arch/PKGBUILD
full_version=${pkgver}-${pkgrel}
echo "full_version=$full_version" >> "$GITHUB_OUTPUT"
- name: Setup Cosign
if: startsWith(github.ref, 'refs/tags/') && steps.check-existing.outputs.exists != 'true'
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Login to ghcr.io
if: startsWith(github.ref, 'refs/tags/') && steps.check-existing.outputs.exists != 'true'
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push OCI artifact
if: startsWith(github.ref, 'refs/tags/') && steps.check-existing.outputs.exists != 'true'
id: push
run: |
VERSION="${{ steps.version.outputs.ogc_version }}.${{ steps.buildnum.outputs.build_num }}"
REPO="${{ env.OCI_REPO }}"
cd /home/build/linux/arch
DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.pkg.tar.zst | jq -r '.digest')
if [ -z "$DIGEST" ]; then
echo "::error::Failed to capture digest from oras push"
exit 1
fi
oras tag "${REPO}:${VERSION}" latest
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Tag with content hash
if: startsWith(github.ref, 'refs/tags/') && steps.check-existing.outputs.exists != 'true'
run: |
REPO="${{ env.OCI_REPO }}"
VERSION="${{ steps.version.outputs.ogc_version }}.${{ steps.buildnum.outputs.build_num }}"
oras tag "${REPO}:${VERSION}" \
"sha-${{ steps.content-hash.outputs.hash }}"
- name: Sign artifacts
if: startsWith(github.ref, 'refs/tags/') && steps.check-existing.outputs.exists != 'true'
run: |
VERSION="${{ steps.version.outputs.ogc_version }}.${{ steps.buildnum.outputs.build_num }}"
REPO="${{ env.OCI_REPO }}"
cosign sign --yes "${REPO}:${VERSION}"
cosign sign --yes "${REPO}:latest"
- name: Attest build provenance
if: startsWith(github.ref, 'refs/tags/') && steps.check-existing.outputs.exists != 'true'
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
with:
subject-name: ${{ env.OCI_REPO }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Verify signature
if: startsWith(github.ref, 'refs/tags/') && steps.check-existing.outputs.exists != 'true'
run: |
VERSION="${{ steps.version.outputs.ogc_version }}.${{ steps.buildnum.outputs.build_num }}"
REPO="${{ env.OCI_REPO }}"
cosign verify \
--certificate-identity-regexp=".*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
"${REPO}:${VERSION}"