feature: replace Fedora with CoreOS kernel for stable releases (#116)

.github/actions/get-coreos-kernel/action.yml

@@ -0,0 +1,51 @@
+name: Get CoreOS Kernel
+
+inputs:
+  coreos-stream:
+    description: 'The CoreOS stream to pull the image from'
+    required: true
+    default: 'stable'
+
+outputs:
+  coreos-repo-version:
+    description: 'The Fedora repository version CoreOS sources their kernel from'
+    value: ${{ steps.extract-fedora-version.outputs.fedora-version }}
+  coreos-kernel-release:
+    description: 'The full CoreOS kernel version string'
+    value: ${{ steps.extract-kernel-release.outputs.kernel-release }}
+
+runs:
+  using: composite
+  steps:
+    - name: Pull CoreOS Image
+      shell: bash
+      env:
+        COREOS_STREAM: ${{ inputs.coreos-stream }}
+      run: |
+        docker pull quay.io/fedora/fedora-coreos:$COREOS_STREAM
+
+    - name: Extract Kernel Release
+      id: extract-kernel-release
+      shell: bash
+      env:
+        COREOS_STREAM: ${{ inputs.coreos-stream }}
+      run: |
+        KERNEL_RELEASE=$(docker run --rm --privileged quay.io/fedora/fedora-coreos:$COREOS_STREAM sh -c \
+          "rpm -qa | grep -oP 'kernel-core-\K[0-9]+\.[0-9]+\.[0-9]+-[0-9]+\.fc[0-9]+' | head -n 1")
+        echo "kernel-release=$KERNEL_RELEASE" >> $GITHUB_OUTPUT
+
+    - name: Extract Fedora Repository Version
+      shell: bash
+      id: extract-fedora-version
+      env:
+        KERNEL_RELEASE: ${{ steps.extract-kernel-release.outputs.kernel-release }}
+      run: |
+        FEDORA_VERSION=$(echo $KERNEL_RELEASE | grep -oP 'fc\K[0-9]+')
+        echo "fedora-version=$FEDORA_VERSION" >> $GITHUB_OUTPUT
+
+    - name: Cleanup
+      shell: bash
+      env:
+        COREOS_STREAM: ${{ inputs.coreos-stream }}
+      run: |
+        docker image rm quay.io/fedora/fedora-coreos:$COREOS_STREAM

.github/workflows/build.yml

@@ -20,14 +20,16 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        fedora-version: [39, 40]
+        fedora-version: [39, 40, stable]
         fedora-edition: [base, silverblue, kinoite]
     permissions:
       contents: read
       packages: write
       id-token: write
     env:
       IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }}
+      FEDORA_VERSION: ${{ matrix.fedora-version }}
+      COREOS_KERNEL: "N/A"
     outputs:
       base-image-tag: ${{ steps.generate-image-tags.outputs.primary-tag }}
     steps:
@@ -42,9 +44,22 @@ jobs:
         id: generate-image-tags
         with:
           image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }}
-          major-version: ${{ matrix.fedora-version }}
+          major-version: ${{ env.FEDORA_VERSION }}
           is-release: ${{ github.event_name != 'pull_request' }}
 
+      - name: Get CoreOS Kernel Information
+        if: ${{ env.FEDORA_VERSION == 'stable' || env.FEDORA_VERSION == 'testing' }}
+        uses: ./.github/actions/get-coreos-kernel
+        id: get-coreos-kernel
+        with:
+          coreos-stream: ${{ env.FEDORA_VERSION }}
+
+      - name: Set CoreOS Environment Variables
+        if: ${{ env.FEDORA_VERSION == 'stable' || env.FEDORA_VERSION == 'testing' }}
+        run: |
+          echo "COREOS_KERNEL=${{ steps.get-coreos-kernel.outputs.coreos-kernel-release }}" >> $GITHUB_ENV
+          echo "FEDORA_VERSION=${{ steps.get-coreos-kernel.outputs.coreos-repo-version }}" >> $GITHUB_ENV
+
       - name: Build Image
         id: build
         uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
@@ -56,8 +71,9 @@ jobs:
           tags: |
             ${{ steps.generate-image-tags.outputs.tags }}
           build-args: |
-            FEDORA_VERSION=${{ matrix.fedora-version }}
+            FEDORA_VERSION=${{ env.FEDORA_VERSION }}
             FEDORA_EDITION=${{ matrix.fedora-edition }}
+            COREOS_KERNEL=${{ env.COREOS_KERNEL }}
 
       - name: Push Image
         id: push
@@ -87,16 +103,18 @@ jobs:
 
       - name: Generate SBOM
         id: generate-sbom
+        if: github.event_name != 'pull_request'
         uses: ./.github/actions/generate-sbom
         with:
           image-ref: ${{ steps.push.outputs.registry-path }}
-          artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-sbom
+          artifact-name: ${{ matrix.fedora-edition }}-${{ env.FEDORA_VERSION }}-sbom
 
       - name: Scan SBOM
         uses: ./.github/actions/scan-sbom
+        if: github.event_name != 'pull_request'
         with:
           sbom-file: ${{ steps.generate-sbom.outputs.output-file }}
-          artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-scan
+          artifact-name: ${{ matrix.fedora-edition }}-${{ env.FEDORA_VERSION }}-scan
 
   build-nvidia:
     runs-on: ubuntu-latest
@@ -105,7 +123,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        fedora-version: [39, 40]
+        fedora-version: [39, 40, stable]
         fedora-edition: [base, silverblue, kinoite]
         nvidia-version: [550]
         include:
@@ -117,6 +135,8 @@ jobs:
       id-token: write
     env:
       IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }}
+      FEDORA_VERSION: ${{ matrix.fedora-version }}
+      COREOS_KERNEL: "N/A"
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -129,23 +149,36 @@ jobs:
         id: generate-image-tags
         with:
           image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }}
-          major-version: ${{ matrix.fedora-version }}
+          major-version: ${{ env.FEDORA_VERSION }}
           is-release: ${{ github.event_name != 'pull_request' }}
           nvidia-driver-version: ${{ matrix.nvidia-version }}
           nvidia-driver-is-stable: ${{ matrix.nvidia-is-stable }}
 
+      - name: Get CoreOS Kernel Information
+        if: ${{ env.FEDORA_VERSION == 'stable' || env.FEDORA_VERSION == 'testing' }}
+        uses: ./.github/actions/get-coreos-kernel
+        id: get-coreos-kernel
+        with:
+          coreos-stream: ${{ env.FEDORA_VERSION }}
+
+      - name: Set CoreOS Environment Variables
+        if: ${{ env.FEDORA_VERSION == 'stable' || env.FEDORA_VERSION == 'testing' }}
+        run: |
+          echo "COREOS_KERNEL=${{ steps.get-coreos-kernel.outputs.coreos-kernel-release }}" >> $GITHUB_ENV
+          echo "FEDORA_VERSION=${{ steps.get-coreos-kernel.outputs.coreos-repo-version }}" >> $GITHUB_ENV
+
       - name: Generate Base Image Tag
         id: generate-base-image-tag
         env:
-          FEDORA_VERSION: ${{ matrix.fedora-version }}
+          BASE_FEDORA_VERSION: ${{ matrix.fedora-version }}
           PR_NUMBER: ${{ github.event.number }}
           IS_PR: ${{ github.event_name == 'pull_request' }}
         run: |
           GIT_SHA=$(git rev-parse --short HEAD)
           if [ $IS_PR == 'true' ]; then
-            BASE_TAG="pr${PR_NUMBER}-${GIT_SHA}-${FEDORA_VERSION}"
+            BASE_TAG="pr${PR_NUMBER}-${GIT_SHA}-${BASE_FEDORA_VERSION}"
           else
-            BASE_TAG="${GIT_SHA}-${FEDORA_VERSION}"
+            BASE_TAG="${GIT_SHA}-${BASE_FEDORA_VERSION}"
           fi
           echo "base-tag=${BASE_TAG}" >> $GITHUB_OUTPUT
 
@@ -160,10 +193,11 @@ jobs:
           tags: |
             ${{ steps.generate-image-tags.outputs.tags }}
           build-args: |
-            FEDORA_VERSION=${{ matrix.fedora-version }}
+            FEDORA_VERSION=${{ env.FEDORA_VERSION }}
             FEDORA_EDITION=${{ matrix.fedora-edition }}
             NVIDIA_VERSION=${{ matrix.nvidia-version }}
             BASE_TAG=${{ steps.generate-base-image-tag.outputs.base-tag }}
+            NVIDIA_AKMODS_TAG=${{ matrix.fedora-version }}-${{ matrix.nvidia-version }}
 
       - name: Push Image
         id: push
@@ -194,15 +228,17 @@ jobs:
       - name: Generate SBOM
         id: generate-sbom
         uses: ./.github/actions/generate-sbom
+        if: github.event_name != 'pull_request'
         with:
           image-ref: ${{ steps.push.outputs.registry-path }}
-          artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-sbom
+          artifact-name: ${{ matrix.fedora-edition }}-${{ env.FEDORA_VERSION }}-nvidia${{ matrix.nvidia-version }}-sbom
 
       - name: Scan SBOM
         uses: ./.github/actions/scan-sbom
+        if: github.event_name != 'pull_request'
         with:
           sbom-file: ${{ steps.generate-sbom.outputs.output-file }}
-          artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-scan
+          artifact-name: ${{ matrix.fedora-edition }}-${{ env.FEDORA_VERSION }}-nvidia${{ matrix.nvidia-version }}-scan
 
   check:
     needs: [build-base, build-nvidia]

Containerfile

@@ -1,19 +1,21 @@
 ARG FEDORA_VERSION=40
 ARG FEDORA_EDITION=base
 ARG FEDORA_IMAGE=quay.io/fedora-ostree-desktops/${FEDORA_EDITION}:${FEDORA_VERSION}
+ARG COREOS_KERNEL="N/A"
 
 FROM ${FEDORA_IMAGE} as base
 
 ARG FEDORA_VERSION
 ARG FEDORA_EDITION
+ARG COREOS_KERNEL
 
 COPY files/_base /
 COPY files/_${FEDORA_EDITION} /
 
 COPY scripts/ /tmp/scripts
 
 RUN chmod +x /tmp/scripts/*.sh /tmp/scripts/_${FEDORA_EDITION}/*.sh && \
-  /tmp/scripts/setup.sh --version ${FEDORA_VERSION} --base ${FEDORA_EDITION} && \
+  /tmp/scripts/setup.sh --version ${FEDORA_VERSION} --base ${FEDORA_EDITION} --coreos-kernel ${COREOS_KERNEL} && \
   /tmp/scripts/cleanup.sh --version ${FEDORA_VERSION} --base ${FEDORA_EDITION} \
   && \
   rpm-ostree cleanup -m && \

scripts/_base/000-replace-kernel.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+set -euox pipefail
+
+COREOS_KERNEL=""
+FEDORA_VERSION=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --version)
+      FEDORA_VERSION="$2"
+      shift 2
+      ;;
+    --coreos-kernel)
+      COREOS_KERNEL="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown argument: $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ "$COREOS_KERNEL" == "N/A" ]]; then
+  exit 0
+fi
+
+KERNEL_VERSION=$COREOS_KERNEL
+KERNEL_MAJOR_MINOR_PATCH=$(echo $KERNEL_VERSION | cut -d '-' -f 1)
+KERNEL_RELEASE=$(echo $KERNEL_VERSION | cut -d '-' -f 2)
+rpm-ostree override replace --experimental \
+    https://kojipkgs.fedoraproject.org//packages/kernel/$KERNEL_MAJOR_MINOR_PATCH/$KERNEL_RELEASE/x86_64/kernel-$KERNEL_MAJOR_MINOR_PATCH-$KERNEL_RELEASE.x86_64.rpm \
+    https://kojipkgs.fedoraproject.org//packages/kernel/$KERNEL_MAJOR_MINOR_PATCH/$KERNEL_RELEASE/x86_64/kernel-core-$KERNEL_MAJOR_MINOR_PATCH-$KERNEL_RELEASE.x86_64.rpm \
+    https://kojipkgs.fedoraproject.org//packages/kernel/$KERNEL_MAJOR_MINOR_PATCH/$KERNEL_RELEASE/x86_64/kernel-modules-$KERNEL_MAJOR_MINOR_PATCH-$KERNEL_RELEASE.x86_64.rpm \
+    https://kojipkgs.fedoraproject.org//packages/kernel/$KERNEL_MAJOR_MINOR_PATCH/$KERNEL_RELEASE/x86_64/kernel-modules-core-$KERNEL_MAJOR_MINOR_PATCH-$KERNEL_RELEASE.x86_64.rpm \
+    https://kojipkgs.fedoraproject.org//packages/kernel/$KERNEL_MAJOR_MINOR_PATCH/$KERNEL_RELEASE/x86_64/kernel-modules-extra-$KERNEL_MAJOR_MINOR_PATCH-$KERNEL_RELEASE.x86_64.rpm

scripts/setup.sh

@@ -4,6 +4,7 @@ set -euox pipefail
 
 BASE=""
 FEDORA_VERSION=""
+COREOS_KERNEL=""
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
@@ -15,6 +16,10 @@ while [[ $# -gt 0 ]]; do
       FEDORA_VERSION="$2"
       shift 2
       ;;
+    --coreos-kernel)
+      COREOS_KERNEL="$2"
+      shift 2
+      ;;
     *)
       echo "Unknown argument: $1"
       exit 1
@@ -35,7 +40,7 @@ fi
 for script in /tmp/scripts/_base/*.sh; do
   if [[ -f "$script" ]]; then
     echo "Running $script"
-    bash "$script" --version "$FEDORA_VERSION"
+    bash "$script" --version "$FEDORA_VERSION" --coreos-kernel "$COREOS_KERNEL"
   fi
 done