Skip to content

feat: Generate config and apply needed changes with new kernel-configurator action #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
KyleGospo wants to merge 2 commits into
base: main
Choose a base branch
from
+314 −12,602
Open

feat: Generate config and apply needed changes with new kernel-configurator action #16

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b7690e2
feat: Generate config and apply needed changes with new kernel-config…
KyleGospo Mar 24, 2026
2278720
fix: Apply OpenSSF recommendations for permissions
KyleGospo Mar 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 62 additions & 17 deletions .github/workflows/arch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,6 @@ env:

permissions:
contents: read
packages: write
id-token: write
attestations: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
Expand All @@ -27,6 +24,13 @@ jobs:
build-arch:
runs-on: ubuntu-latest

permissions:
contents: read
packages: write
id-token: write
attestations: write
artifact-metadata: write

container:
image: docker.io/archlinux:base-devel
volumes:
Expand Down Expand Up @@ -73,28 +77,69 @@ jobs:

- name: Install dependencies
run: |
pacman -Syu --noconfirm bc cpio gettext jq libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra sed
pacman -Syu --noconfirm bc cpio gettext jq libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra sed wget

- name: Configure AppArmor as default LSM
- name: Get version
id: version
shell: bash
run: |
sed -i 's/^CONFIG_LSM=.*/CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor,bpf"/' config
if [ -n "${{ github.event.inputs.version }}" ]; then
OGC_VERSION="${{ github.event.inputs.version }}"
else
TAG="${{ github.ref_name }}"
OGC_VERSION="${TAG#v}"
fi
KERNEL_VERSION="${OGC_VERSION%-ogc*}"
MAJOR_VERSION="${KERNEL_VERSION%%.*}.x"
echo "ogc_version=$OGC_VERSION" >> "$GITHUB_OUTPUT"
echo "kernel_version=$KERNEL_VERSION" >> "$GITHUB_OUTPUT"
echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT"

- name: Download and extract kernel source
shell: bash
run: |
KERNEL_VERSION="${{ steps.version.outputs.kernel_version }}"
MAJOR_VERSION="${{ steps.version.outputs.major_version }}"
OGC_VERSION="${{ steps.version.outputs.ogc_version }}"
wget https://cdn.kernel.org/pub/linux/kernel/v${MAJOR_VERSION}/linux-${KERNEL_VERSION}.tar.xz
wget https://github.com/OpenGamingCollective/linux/releases/download/v${OGC_VERSION}/monolithic.patch
tar -xf linux-${KERNEL_VERSION}.tar.xz
cd linux-${KERNEL_VERSION}
patch -Np1 < ../monolithic.patch

- name: Generate default config
shell: bash
run: |
cd linux-${{ steps.version.outputs.kernel_version }}
make defconfig

- name: Configure kernel
uses: OpenGamingCollective/kernel-configurator@5b4abc58a2edf89941180dbbe33b26415db23b0b # v1.0.1
with:
config: linux-${{ steps.version.outputs.kernel_version }}/.config
set: |
global.config.set
arch/config.set
unset: |
global.config.unset
arch/config.unset

- name: Build linux package
id: build-kernel-package
shell: bash
run: |
su build bash -c "cd /home/build/linux/arch && MAKEFLAGS=-j$(nproc) makepkg --skippgpcheck"
KERNEL_VERSION="${{ steps.version.outputs.kernel_version }}"
# Pre-populate makepkg source cache
cp linux-${KERNEL_VERSION}.tar.xz /home/build/linux/arch/
cp monolithic.patch /home/build/linux/arch/
# Copy patched config
cp linux-${KERNEL_VERSION}/.config /home/build/linux/arch/config
chown -R build /home/build/linux
su build bash -c "cd /home/build/linux/arch && MAKEFLAGS=-j$(nproc) makepkg --skippgpcheck --skipchecksums --skipinteg"
. /home/build/linux/arch/PKGBUILD
full_version=${pkgver}-${pkgrel}
echo "full_version=$full_version" >> "$GITHUB_OUTPUT"

- name: Get OGC version
if: startsWith(github.ref, 'refs/tags/')
id: version
run: |
TAG="${{ github.ref_name }}"
echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"

- name: Setup ORAS
if: startsWith(github.ref, 'refs/tags/')
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
Expand All @@ -112,7 +157,7 @@ jobs:
if: startsWith(github.ref, 'refs/tags/')
id: push
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
cd /home/build/linux/arch
DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.pkg.tar.zst | jq -r '.digest')
Expand All @@ -134,15 +179,15 @@ jobs:
- name: Sign artifacts
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
cosign sign --yes "${REPO}:${VERSION}"
cosign sign --yes "${REPO}:latest"

- name: Verify signature
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
cosign verify \
--certificate-identity-regexp=".*" \
Expand Down
82 changes: 62 additions & 20 deletions .github/workflows/fedora.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,6 @@ env:

permissions:
contents: read
packages: write
id-token: write
attestations: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
Expand All @@ -27,6 +24,13 @@ jobs:
build-rpm:
runs-on: ubuntu-latest

permissions:
contents: read
packages: write
id-token: write
attestations: write
artifact-metadata: write

container:
image: fedora:latest
volumes:
Expand Down Expand Up @@ -61,28 +65,66 @@ jobs:
- name: Dependencies
run: |
dnf -y builddep fedora/kernel.spec
dnf -y install jq sed
dnf -y install jq sed wget
- name: Configure SELinux as default LSM
- name: Get version
id: version
shell: bash
run: |
sed -i 's/^CONFIG_LSM=.*/CONFIG_LSM="landlock,lockdown,yama,integrity,selinux,bpf"/' config
if [ -n "${{ github.event.inputs.version }}" ]; then
OGC_VERSION="${{ github.event.inputs.version }}"
else
TAG="${{ github.ref_name }}"
OGC_VERSION="${TAG#v}"
fi
KERNEL_VERSION="${OGC_VERSION%-ogc*}"
MAJOR_VERSION="${KERNEL_VERSION%%.*}.x"
echo "ogc_version=$OGC_VERSION" >> "$GITHUB_OUTPUT"
echo "kernel_version=$KERNEL_VERSION" >> "$GITHUB_OUTPUT"
echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT"
- name: build
- name: Download and extract kernel source
shell: bash
run: |
TOPDIR="$(pwd)/rpmbuild"
KERNEL_VERSION="${{ steps.version.outputs.kernel_version }}"
MAJOR_VERSION="${{ steps.version.outputs.major_version }}"
OGC_VERSION="${{ steps.version.outputs.ogc_version }}"
wget https://cdn.kernel.org/pub/linux/kernel/v${MAJOR_VERSION}/linux-${KERNEL_VERSION}.tar.xz
wget https://github.com/OpenGamingCollective/linux/releases/download/v${OGC_VERSION}/monolithic.patch
tar -xf linux-${KERNEL_VERSION}.tar.xz
cd linux-${KERNEL_VERSION}
patch -Np1 < ../monolithic.patch
- name: Generate default config
shell: bash
run: |
cd linux-${{ steps.version.outputs.kernel_version }}
make defconfig
- name: Configure kernel
uses: OpenGamingCollective/kernel-configurator@5b4abc58a2edf89941180dbbe33b26415db23b0b # v1.0.1
with:
config: linux-${{ steps.version.outputs.kernel_version }}/.config
set: |
global.config.set
fedora/config.set
unset: |
global.config.unset
fedora/config.unset
- name: Build
run: |
KERNEL_VERSION="${{ steps.version.outputs.kernel_version }}"
TOPDIR="$(pwd)/rpmbuild"
mkdir -p "$TOPDIR"/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
cp fedora/* $TOPDIR/SOURCES
# Pre-populate SOURCES with already-downloaded files
cp linux-${KERNEL_VERSION}.tar.xz "$TOPDIR/SOURCES/"
cp monolithic.patch "$TOPDIR/SOURCES/"
cp fedora/kvm_stat.logrotate "$TOPDIR/SOURCES/"
# Copy patched config
cp linux-${KERNEL_VERSION}/.config "$TOPDIR/SOURCES/config"
rpmbuild --define "_topdir $TOPDIR" -ba ./fedora/kernel.spec
- name: Get OGC version
if: startsWith(github.ref, 'refs/tags/')
id: version
run: |
TAG="${{ github.ref_name }}"
echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
- name: Setup ORAS
if: startsWith(github.ref, 'refs/tags/')
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
Expand All @@ -100,7 +142,7 @@ jobs:
if: startsWith(github.ref, 'refs/tags/')
id: push
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
TOPDIR="$(pwd)/rpmbuild"
mkdir -p /tmp/rpms
Expand All @@ -126,15 +168,15 @@ jobs:
- name: Sign artifacts
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
cosign sign --yes "${REPO}:${VERSION}"
cosign sign --yes "${REPO}:latest"
- name: Verify signature
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
cosign verify \
--certificate-identity-regexp=".*" \
Expand Down
75 changes: 52 additions & 23 deletions .github/workflows/ubuntu.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,6 @@ env:

permissions:
contents: read
packages: write
id-token: write
attestations: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
Expand All @@ -27,6 +24,13 @@ jobs:
build-deb:
runs-on: ubuntu-latest

permissions:
contents: read
packages: write
id-token: write
attestations: write
artifact-metadata: write

container:
image: ubuntu:latest
volumes:
Expand Down Expand Up @@ -65,28 +69,53 @@ jobs:
apt-get install -y build-essential devscripts debhelper dh-python asciidoc-base bc bison cpio dwarves flex jq kmod libdw-dev libiberty-dev libnuma-dev libslang2-dev lz4 rsync wget xmlto git curl sed
apt-get install -y libunwind-dev libpfm4-dev coccinelle openjdk-17-jdk libcapstone-dev libbabeltrace-dev systemtap-sdt-dev libzstd-dev dwarves zstd libbfd-dev libperl-dev libssl-dev
- name: Get sources
- name: Get version
id: version
shell: bash
run: |
wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.19.8.tar.xz
wget https://github.com/OpenGamingCollective/linux/releases/download/v6.19.8-ogc1/monolithic.patch
tar -xf linux-6.19.8.tar.xz
cd linux-6.19.8
cp ../config .config
sed -i 's/^CONFIG_LSM=.*/CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor,bpf"/' .config
patch -Np1 < "../monolithic.patch"
if [ -n "${{ github.event.inputs.version }}" ]; then
OGC_VERSION="${{ github.event.inputs.version }}"
else
TAG="${{ github.ref_name }}"
OGC_VERSION="${TAG#v}"
fi
KERNEL_VERSION="${OGC_VERSION%-ogc*}"
MAJOR_VERSION="${KERNEL_VERSION%%.*}.x"
echo "ogc_version=$OGC_VERSION" >> "$GITHUB_OUTPUT"
echo "kernel_version=$KERNEL_VERSION" >> "$GITHUB_OUTPUT"
echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT"
- name: Build
- name: Download and extract kernel source
run: |
cd linux-6.19.8
make olddefconfig
fakeroot make -j$(nproc) bindeb-pkg
KERNEL_VERSION="${{ steps.version.outputs.kernel_version }}"
MAJOR_VERSION="${{ steps.version.outputs.major_version }}"
OGC_VERSION="${{ steps.version.outputs.ogc_version }}"
wget https://cdn.kernel.org/pub/linux/kernel/v${MAJOR_VERSION}/linux-${KERNEL_VERSION}.tar.xz
wget https://github.com/OpenGamingCollective/linux/releases/download/v${OGC_VERSION}/monolithic.patch
tar -xf linux-${KERNEL_VERSION}.tar.xz
cd linux-${KERNEL_VERSION}
patch -Np1 < ../monolithic.patch
- name: Generate default config
run: |
cd linux-${{ steps.version.outputs.kernel_version }}
make defconfig
- name: Get OGC version
if: startsWith(github.ref, 'refs/tags/')
id: version
- name: Configure kernel
uses: OpenGamingCollective/kernel-configurator@5b4abc58a2edf89941180dbbe33b26415db23b0b # v1.0.1
with:
config: linux-${{ steps.version.outputs.kernel_version }}/.config
set: |
global.config.set
ubuntu/config.set
unset: |
global.config.unset
ubuntu/config.unset
- name: Build
run: |
TAG="${{ github.ref_name }}"
echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
cd linux-${{ steps.version.outputs.kernel_version }}
fakeroot make -j$(nproc) bindeb-pkg
- name: Setup ORAS
if: startsWith(github.ref, 'refs/tags/')
Expand All @@ -105,7 +134,7 @@ jobs:
if: startsWith(github.ref, 'refs/tags/')
id: push
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
cd $GITHUB_WORKSPACE
DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.deb | jq -r '.digest')
Expand All @@ -127,15 +156,15 @@ jobs:
- name: Sign artifacts
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
cosign sign --yes "${REPO}:${VERSION}"
cosign sign --yes "${REPO}:latest"
- name: Verify signature
if: startsWith(github.ref, 'refs/tags/')
run: |
VERSION="${{ steps.version.outputs.version }}"
VERSION="${{ steps.version.outputs.ogc_version }}"
REPO="${{ env.OCI_REPO }}"
cosign verify \
--certificate-identity-regexp=".*" \
Expand Down
2 changes: 0 additions & 2 deletions arch/PKGBUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,8 +80,6 @@ prepare() {

echo "Setting config..."
cp ../config .config
make olddefconfig
diff -u ../config .config || :

make -s kernelrelease > version
echo "Prepared $pkgbase version $(<version)"
Expand Down
1 change: 0 additions & 1 deletion arch/config
View file
Open in desktop

This file was deleted.

Loading
Loading