Workflow (by @byron-marohn via pull_request) #10
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # SPDX-FileCopyrightText: (C) 2025 Intel Corporation | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: "QEMU & Kubevirt: Build, Trivy & ClamAV Scan" | |
| run-name: "Workflow (by @${{ github.actor }} via ${{ github.event_name }})" | |
| # Only run at most 1 workflow concurrently per PR, unlimited for branches | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "*" | |
| jobs: | |
| qemu-build-and-scan: | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| qemu-artifact-id: ${{ steps.upload-qemu.outputs.artifact-id }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 0 # All history, not just latest commit | |
| ref: ${{ github.event.pull_request.head.sha }} # Check out the actual commit, not a fake merge commit | |
| - name: Setup Tools & Common Variables | |
| uses: ./.github/actions/setup-tools | |
| - name: Cache QEMU source & build directory | |
| id: cache-qemu | |
| uses: actions/cache@v4 | |
| env: | |
| cache-name: cache-qemu | |
| with: | |
| path: workspace/qemu-8.2.1 | |
| # Use the hash of the document this workflow is based on to decide whether the build should be re-run or not | |
| key: qemu-binary-${{ hashFiles('kubevirt-patch/README.md') }} | |
| - name: Build and patch QEMU | |
| if: ${{ steps.cache-qemu.outputs.cache-hit != 'true' }} | |
| # Each logical block here is copied exactly from a code block in kubevirt-patch/README.md | |
| run: | | |
| mkdir -p workspace | |
| cd workspace | |
| wget -N --no-check-certificate https://download.01.org/intel-linux-overlay/ubuntu/pool/main/q/qemu/qemu_8.2.1+ppa1-noble9.debian.tar.xz | |
| mkdir qemu_8.2.1+ppa1-noble9.debian | |
| tar -xf 'qemu_8.2.1+ppa1-noble9.debian.tar.xz' -C 'qemu_8.2.1+ppa1-noble9.debian' | |
| wget -N --no-check-certificate https://download.qemu.org/qemu-8.2.1.tar.xz | |
| tar -xf qemu-8.2.1.tar.xz | |
| cd qemu-8.2.1 | |
| cp -r ../qemu_8.2.1+ppa1-noble9.debian/debian/patches/sriov/ . | |
| git apply ./sriov/*.patch | |
| ./tests/lcitool/libvirt-ci/bin/lcitool --data-dir ./tests/lcitool dockerfile centos-stream-9 qemu > Dockerfile.centos-stream9 | |
| perl -p -i -e 's|zstd &&|zstd libslirp-devel liburing-devel libbpf-devel libblkio-devel &&|g' Dockerfile.centos-stream9 | |
| docker build -t qemu_build:centos-stream9 -f Dockerfile.centos-stream9 . | |
| cat <<EOF > buildscript.sh | |
| #!/bin/bash | |
| set -x | |
| set -e | |
| cd /src | |
| rm -rf build | |
| ./configure --prefix=/usr --enable-kvm --disable-xen --enable-libusb --enable-debug-info --enable-debug --enable-sdl --enable-vhost-net --enable-spice --disable-debug-tcg --enable-opengl --enable-gtk --enable-virtfs --target-list=x86_64-softmmu --audio-drv-list=pa --firmwarepath=/usr/share/qemu-firmware:/usr/share/ipxe/qemu:/usr/share/seavgabios:/usr/share/seabios:/usr/share/qemu-kvm/ --disable-spice | |
| mkdir -p build | |
| cd build | |
| ninja | |
| ninja install | |
| EOF | |
| chmod +x buildscript.sh | |
| docker run \ | |
| -v $(pwd):/src:Z \ | |
| -w /src \ | |
| --entrypoint=/src/buildscript.sh \ | |
| --security-opt label=disable \ | |
| qemu_build:centos-stream9 | |
| ls -la build/qemu-system-x86_64 | |
| sha256sum build/qemu-system-x86_64 | |
| - name: Upload qemu-system-x86_64 artifact | |
| id: upload-qemu | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: qemu-artifact | |
| path: | | |
| workspace/qemu-8.2.1/build/qemu-system-x86_64 | |
| # - name: trivy qemu source scan | |
| # continue-on-error: true | |
| # shell: bash | |
| # run: | | |
| # cd workspace/qemu-8.2.1 | |
| # trivy --version | |
| # which trivy | |
| # trivy image --download-db-only | |
| # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -o trivy-html.tpl | |
| # | |
| # # Use the downloaded template | |
| # trivy fs . --format template --template "@trivy-html.tpl" --exit-code 1 --severity MEDIUM,HIGH,CRITICAL -o "trivy_code_scan_qemu.html" | |
| # | |
| # - name: Upload trivy reports | |
| # uses: actions/upload-artifact@v4 | |
| # with: | |
| # name: trivy-code-scan-results-core | |
| # path: | | |
| # workspace/qemu-8.2.1/trivy_code_scan_qemu.html | |
| # | |
| # - name: ClamAV QEMU Antivirus Scan | |
| # continue-on-error: true | |
| # shell: bash | |
| # run: | | |
| # echo "Starting ClamAV scan on workspace/qemu-8.2.1/build/..." | |
| # | |
| # docker run --rm \ | |
| # --mount type=bind,source=./workspace/qemu-8.2.1/build/,target=/scandir \ | |
| # clamav/clamav:stable \ | |
| # clamscan --recursive --log=/scandir/clamav-scan-report.log \ | |
| # /scandir | |
| # | |
| # SCAN_EXIT_CODE=$? | |
| # sudo chown $USER:$USER workspace/qemu-8.2.1/build/clamav-scan-report.log 2>/dev/null || true | |
| # | |
| # if [ $SCAN_EXIT_CODE -ne 0 ]; then | |
| # echo "ClamAV scan failed or found issues" | |
| # exit 1 | |
| # fi | |
| - name: Upload QEMU Antivirus Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: antivirus-qemu-report-core | |
| path: workspace/qemu-8.2.1/build/clamav-scan-report.log | |
| kubevirt-build-and-scan: | |
| needs: qemu-build-and-scan | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| ######################################################################################################3 | |
| # The kubevirt workflow requires 30+ GB of free space to run successfully | |
| # These steps delete many unnecessary files from the actions runner so that enough space is available | |
| - name: Disable man-db to make package install and removal faster | |
| run: | | |
| echo 'set man-db/auto-update false' | sudo debconf-communicate >/dev/null | |
| sudo dpkg-reconfigure man-db | |
| - name: Free Disk Space (Ubuntu) | |
| # This is a fork of the popular jlumbroso/free-disk-space@main with faster performance | |
| # @byron-marohn reviewed all the code in this specific commit on Jun 19 2025 | |
| uses: xc2/free-disk-space@fbe203b3788f2bebe2c835a15925da303eaa5efe | |
| with: | |
| tool-cache: true | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: true | |
| swap-storage: false # Retain swap file for improved build performance | |
| ######################################################################################################3 | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 0 # All history, not just latest commit | |
| ref: ${{ github.event.pull_request.head.sha }} # Check out the actual commit, not a fake merge commit | |
| - name: Setup Tools & Common Variables | |
| uses: ./.github/actions/setup-tools | |
| with: | |
| go: "false" | |
| - name: Cache Kubevirt output artifacts | |
| id: cache-kubevirt | |
| uses: actions/cache@v4 | |
| env: | |
| cache-name: cache-kubevirt | |
| with: | |
| path: workspace/kubevirt-artifacts | |
| # Use the hash of the document this workflow is based on to decide whether the build should be re-run or not | |
| key: kubevirt-binary-${{ hashFiles('kubevirt-patch/0001-Bump-dependency-versions-for-kubevirt-v1.5.0.patch', 'kubevirt-patch/0001-Patching-Kubevirt-with-GTK-libraries_v1.patch', 'kubevirt-patch/README.md') }} | |
| - name: Run local docker registry | |
| run: | | |
| # Run a local registry | |
| docker run -d -p 5000:5000 --name registry registry:2.7 | |
| - name: Download QEMU artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| artifact-ids: ${{ needs.qemu-build-and-scan.outputs.qemu-artifact-id }} | |
| path: . # Will unpack into a folder with the name used in upload-artifact, containing the binary | |
| - name: Build and patch kubevirt | |
| if: ${{ steps.cache-kubevirt.outputs.cache-hit != 'true' }} | |
| # Each logical block here is copied exactly from a code block in kubevirt-patch/README.md | |
| run: | | |
| mkdir -p $EDV_HOME/workspace | |
| cd $EDV_HOME/workspace | |
| git clone https://github.com/kubevirt/kubevirt.git | |
| cd kubevirt | |
| git checkout v1.5.0 | |
| git apply $EDV_HOME/kubevirt-patch/0001-Bump-dependency-versions-for-kubevirt-v1.5.0.patch | |
| git apply $EDV_HOME/kubevirt-patch/0001-Patching-Kubevirt-with-GTK-libraries_v1.patch | |
| mkdir build | |
| cp $EDV_HOME/qemu-artifact/qemu-system-x86_64 build/qemu-system-x86_64 | |
| QEMU_SHA256="$(sha256sum ./build/qemu-system-x86_64 | cut -d ' ' -f 1)" | |
| echo "QEMU_SHA256=$QEMU_SHA256" | |
| perl -p -i -e "s|<SHA256SUM_OF_PATCHED_QEMU>|$QEMU_SHA256|g" WORKSPACE | |
| export DOCKER_PREFIX=localhost:5000 | |
| export DOCKER_TAG=$EDV_VERSION | |
| make rpm-deps | |
| make all | |
| make bazel-build-images | |
| make push | |
| make manifests | |
| - name: Export kubevirt build artifacts to output directory | |
| if: ${{ steps.cache-kubevirt.outputs.cache-hit != 'true' }} | |
| shell: bash | |
| run: | | |
| mkdir -p $EDV_HOME/workspace/kubevirt-artifacts | |
| cp $EDV_HOME/workspace/kubevirt/_out/manifests/release/kubevirt-operator.yaml | |
| cp $EDV_HOME/workspace/kubevirt/_out/manifests/release/kubevirt-cr.yaml | |
| docker image pull localhost:5000/sidecar-shim:$EDV_VERSION | |
| docker image pull localhost:5000/virt-api:$EDV_VERSION | |
| docker image pull localhost:5000/virt-handler:$EDV_VERSION | |
| docker image pull localhost:5000/virt-launcher:$EDV_VERSION | |
| docker image pull localhost:5000/virt-operator:$EDV_VERSION | |
| docker image pull localhost:5000/virt-controller:$EDV_VERSION | |
| docker save -o sidecar-shim.tar localhost:5000/sidecar-shim:$EDV_VERSION | |
| docker save -o virt-api.tar localhost:5000/virt-api:$EDV_VERSION | |
| docker save -o virt-controller.tar localhost:5000/virt-controller:$EDV_VERSION | |
| docker save -o virt-handler.tar localhost:5000/virt-handler:$EDV_VERSION | |
| docker save -o virt-launcher.tar localhost:5000/virt-launcher:$EDV_VERSION | |
| docker save -o virt-operator.tar localhost:5000/virt-operator:$EDV_VERSION | |
| tar czf intel-idv-kubevirt-$EDV_VERSION.tar.gz *.tar *.yaml | |
| echo "Contents of $(pwd):" | |
| ls -hal | |
| echo "Partition sizes & free space following build:" | |
| df -h | |
| - name: Upload kubevirt artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: kubevirt artifacts | |
| path: | | |
| workspace/kubevirt-artifacts/intel-idv-kubevirt-${{ env.EDV_VERSION }}.tar.gz |