Skip to content

[DRAFT] Add build workflow #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: kernel-and-docker
Choose a base branch
from
Open

[DRAFT] Add build workflow #13

wants to merge 8 commits into from

Conversation

niccoloraspa
Copy link
Contributor

@niccoloraspa niccoloraspa commented Jun 20, 2025
edited
Loading

This PR introduces a GitHub Actions workflow to automate the building of mkosi images using Nix in a CI environment.

The workflow builds the tdx-dummy.conf configuration as a test case for now.

I setup nix directly in the GitHub action for now, while we wait to finalize the Docker builder.

Features

  • Uses Warp runners for faster build times
  • Prepared for future caching implementation (commented out for now)

@niccoloraspa niccoloraspa changed the base branch from main to kernel-and-docker June 20, 2025 09:59
@fnerdman
Copy link
Contributor

FYI, i know of two projects that have working ci piplines for mkosi builds, might help looking at them and getting inspired/having the code in your llm context:

https://github.com/edgelesssys/constellation/blob/main/.github/workflows/build-os-image.yml
https://github.com/confidential-containers/cloud-api-adaptor/blob/main/.github/workflows/podvm_mkosi.yaml

also, interestingly, cloud-api-adapter uses container registries to store built images and metadata. they use this tool: https://oras.land/

ilyaluk
ilyaluk reviewed Jun 24, 2025
View reviewed changes
.github/workflows/build.yaml
Comment on lines +38 to +39
echo 'kernel.unprivileged_userns_clone=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the container is ephemeral anyway, it'll be easier to just set sysctl in runtime:

Suggested change
echo 'kernel.unprivileged_userns_clone=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sudo sysctl kernel.unprivileged_userns_clone=1

@alexhulbert alexhulbert force-pushed the kernel-and-docker branch 2 times, most recently from 13fcc15 to 0573d61 Compare July 23, 2025 21:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ilyaluk ilyaluk ilyaluk left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@niccoloraspa @fnerdman @ilyaluk @alexhulbert