[Release-1.30] Build and push k3s image to GHCR

.drone.yml

@@ -512,10 +512,11 @@ steps:
     - pull_request
 
 - name: build-e2e-image
-  image: rancher/dapper:v0.6.0
+  image: docker:25.0.5
   commands:
     - DOCKER_BUILDKIT=1 docker build --target test-e2e -t test-e2e -f Dockerfile.test .
-    - SKIP_VALIDATE=true SKIP_AIRGAP=true GOCOVER=1 dapper ci
+    - apk add make git bash
+    - GOCOVER=1 make local-binary
     - cp dist/artifacts/* /tmp/artifacts/
   volumes:
   - name: cache

.github/workflows/build-k3s.yaml

@@ -1,52 +1,147 @@
-name: Build K3s
-
 on: 
   workflow_call:
     inputs:
       arch:
         type: string
-        description: 'Architecture to build (ubuntu-latest or ubuntu-24.04-arm)'
-        default: 'ubuntu-latest'
+        description: 'Architecture to build (amd64, arm64, or arm)'
+        default: 'amd64'
       os:
         type: string
         description: 'Target OS (linux or windows)'
         default: 'linux'
       upload-image:
         type: boolean
+        description: 'Build and upload k3s image (only works on arm64 or amd64)'
+        required: false
+        default: false
+      upload-build:
+        type: boolean
+        description: 'Upload contents of build/out, used to build the k3s image externally'
         required: false
         default: false
+      cache:
+        type: string
+        description: 'Cache mode: "read", "write", or empty for no cache'
+        required: false
+        default: ''
+
+# Note that is workflow requires the following permissions:
+#   contents: read
+# If using the cache: write option, you will need:
+#   packages: write
+# If using the cache: read option, you will need:
+#   packages: read
+
 
-permissions:
-  contents: read
 
 jobs:
   build:
-    name: Build K3s (${{ inputs.os }} on ${{ inputs.arch }})
-    runs-on: ${{ inputs.arch }}
+    name: Build # DO NOT CHANGE THIS NAME, we rely on it for INSTALL_K3S_PR functionality
+    runs-on: ${{ contains(inputs.arch, 'arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
     timeout-minutes: 20
     env:
       BIN_EXT: ${{ inputs.os == 'windows' && '.exe' || '' }}
-      ARTIFACT_EXT: ${{ inputs.os == 'windows' && '-windows' || (contains(inputs.arch, 'arm') && '-arm64' || '') }}
+      ARCH_EXT: ${{ inputs.os == 'windows' && '-windows' || format('-{0}', inputs.arch) }}
       GOOS: ${{ inputs.os }}
     steps:
     - name: Checkout K3s
       uses: actions/checkout@v4
-
-    - name: Build K3s binary
+
+    - name: Set up QEMU
+      if: inputs.arch == 'arm'
+      uses: docker/setup-qemu-action@v3
+      with:
+        cache-image: false
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Determine Git Version Info
+      id: git_vars
       run: |
-        DOCKER_BUILDKIT=1 SKIP_IMAGE=1 SKIP_AIRGAP=1 SKIP_VALIDATE=1 GOCOVER=1 GOOS=${{ env.GOOS }} make
-        sha256sum dist/artifacts/k3s${{ env.BIN_EXT }} | sed 's|dist/artifacts/||' > dist/artifacts/k3s${{ env.BIN_EXT }}.sha256sum
+        source ./scripts/git_version.sh
+        {
+          echo "git_tag=${GIT_TAG}"
+          echo "tree_state=${TREE_STATE}"
+          echo "commit=${COMMIT}"
+          echo "dirty=${DIRTY}"
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Login to GitHub Container Registry
+      if: inputs.cache == 'write'
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build K3s Binary Native
+      if: inputs.arch == 'arm64' || inputs.arch == 'amd64'
+      env:
+          DOCKER_BUILD_SUMMARY: false
+      uses: docker/build-push-action@v6
+      with:
+        context: .
+        file: ./Dockerfile.local
+        target: result
+        # Defined actions like this don't ingest GITHUB_ENV, so use outputs
+        # and manual set the build arguments
+        build-args: |
+          GIT_TAG=${{ steps.git_vars.outputs.git_tag }}
+          TREE_STATE=${{ steps.git_vars.outputs.tree_state }}
+          COMMIT=${{ steps.git_vars.outputs.commit }}
+          DIRTY=${{ steps.git_vars.outputs.dirty }}
+        cache-from: ${{ inputs.cache != '' && format('type=registry,ref=ghcr.io/{0}:cache-{1}', github.repository, inputs.arch) || '' }}
+        cache-to: ${{ inputs.cache == 'write' && format('type=registry,ref=ghcr.io/{0}:cache-{1},mode=max', github.repository, inputs.arch) || '' }}
+        push: false
+        provenance: mode=min
+        outputs: type=local,dest=.
+
+    - name: Build K3s Binary Emulated
+      if: inputs.arch != 'arm64' && inputs.arch != 'amd64'
+      env:
+        PLATFORM: ${{ inputs.arch == 'arm' && 'linux/arm/v7' || format('linux/{0}', inputs.arch) }}
+        DOCKER_BUILD_SUMMARY: false
+      uses: docker/build-push-action@v6
+      with:
+        context: .
+        file: ./Dockerfile.local
+        target: result
+        build-args: |
+          GIT_TAG=${{ steps.git_vars.outputs.git_tag }}
+          TREE_STATE=${{ steps.git_vars.outputs.tree_state }}
+          COMMIT=${{ steps.git_vars.outputs.commit }}
+          DIRTY=${{ steps.git_vars.outputs.dirty }}
+        push: false
+        provenance: mode=min
+        platforms: ${{ env.PLATFORM }}
+        outputs: type=local,dest=.
+
+    - name: Caculate binary checksum
+      run: |
+        if [ ${{ inputs.arch }} == 'amd64' ]; then
+          sha256sum dist/artifacts/k3s${{ env.BIN_EXT }} | sed 's|dist/artifacts/||' > dist/artifacts/k3s${{ env.BIN_EXT }}.sha256sum
+        elif [ ${{ inputs.arch }} == "arm" ]; then
+          sha256sum dist/artifacts/k3s-armhf | sed 's|dist/artifacts/||' > dist/artifacts/k3s${{ env.ARCH_EXT }}.sha256sum
+        else
+          sha256sum dist/artifacts/k3s${{ env.ARCH_EXT }}${{ env.BIN_EXT }} | sed 's|dist/artifacts/||' > dist/artifacts/k3s${{ env.ARCH_EXT }}${{ env.BIN_EXT }}.sha256sum
+        fi
 
     - name: Build K3s image
-      if: inputs.upload-image == true && inputs.os == 'linux'
-      run: make package-image
+      if: inputs.upload-image == true && inputs.os == 'linux' && (inputs.arch == 'amd64' || inputs.arch == 'arm64')
+      run: ./scripts/package-image
 
     - name: "Save K3s image"
       if: inputs.upload-image == true && inputs.os == 'linux'
       run: docker image save rancher/k3s -o ./dist/artifacts/k3s-image.tar
-
+
+    - name: "Save K3s build"
+      if: inputs.upload-build == true  && inputs.os == 'linux'
+      run: |
+        mv ./build/out/data-linux.tar.zst ./dist/artifacts/data-linux${{ env.ARCH_EXT }}.tar.zst
+
     - name: "Upload K3s Artifacts"
       uses: actions/upload-artifact@v4
       with:
-        name: k3s${{ env.ARTIFACT_EXT }}
-        path: dist/artifacts/k3s*
+        name: k3s${{ env.ARCH_EXT }}
+        path: dist/artifacts/

.github/workflows/e2e.yaml

@@ -29,14 +29,22 @@ permissions:
 
 jobs:
   build:
+    permissions:
+      contents: read
+      packages: write # permissions cannot be conditional, so we need to set this for all jobs
     uses: ./.github/workflows/build-k3s.yaml
     with:
       upload-image: true
+      cache: ${{ github.ref == 'refs/heads/master' && 'write' || 'read' }}
   build-arm64:
     uses: ./.github/workflows/build-k3s.yaml
+    permissions:
+      contents: read
+      packages: write
     with:
-      arch: ubuntu-24.04-arm
+      arch: arm64
       upload-image: true
+      cache: ${{ github.ref == 'refs/heads/master' && 'write' || 'read' }}
   e2e:
     name: "E2E Tests"
     needs: build
@@ -71,18 +79,15 @@ jobs:
       - name: "Vagrant Plugin(s)"
         run: vagrant plugin install vagrant-k3s vagrant-reload vagrant-scp
       - name: Install Go
-        uses: actions/setup-go@v5
-        with: 
-          go-version-file: 'go.mod'
-          cache: false
+        uses: ./.github/actions/setup-go
       - name: Install Kubectl
         run: |
            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
            sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
       - name: "Download k3s binary"
         uses: actions/download-artifact@v4
         with:
-          name: k3s
+          name: k3s-amd64
           path: ./dist/artifacts
 
       - name: Run ${{ matrix.etest }} Test
@@ -177,17 +182,10 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-    - name: "Download K3s image (amd64)"
-      if: ${{ matrix.arch == 'amd64' }}
+    - name: "Download K3s image"
       uses: actions/download-artifact@v4
       with:
-        name: k3s
-        path: ./dist/artifacts
-    - name: "Download K3s image (arm64)"
-      if: ${{ matrix.arch == 'arm64' }}
-      uses: actions/download-artifact@v4
-      with:
-        name: k3s-arm64
+        name: k3s-${{ matrix.arch }}
         path: ./dist/artifacts
     - name: Load and set K3s image
       run: |

.github/workflows/install.yaml

@@ -54,7 +54,7 @@ jobs:
       - name: "Download k3s binary"
         uses: actions/download-artifact@v4
         with:
-          name: k3s
+          name: k3s-amd64
           path: tests/install/${{ matrix.vm }}
       - name: "Vagrant Up"
         run: vagrant up --no-tty --no-provision

.github/workflows/integration.yaml

@@ -29,9 +29,13 @@ env:
 
 jobs:
   build:
+    permissions:
+      contents: read
+      packages: read
     uses: ./.github/workflows/build-k3s.yaml
     with:
       os: linux
+      cache: read
   build-windows:
     uses: ./.github/workflows/build-k3s.yaml
     with:
@@ -56,7 +60,7 @@ jobs:
     - name: "Download k3s binary"
       uses: actions/download-artifact@v4
       with:
-        name: k3s
+        name: k3s-amd64
         path: ./dist/artifacts
     - name: Run Integration Tests
       run: | 

.github/workflows/release.yml

@@ -0,0 +1,104 @@
+name: K3s Release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  build-amd64:
+    name: Build Binary (amd64)
+    uses: ./.github/workflows/build-k3s.yaml
+    with:
+      cache: '' # No cache for release builds
+      upload-build: true
+
+  build-arm64:
+    name: Build Binary (arm64)
+    uses: ./.github/workflows/build-k3s.yaml
+    with:
+      arch: arm64
+      cache: '' # No cache for release builds
+      upload-build: true
+
+  build-arm:
+    name: Build Binary (arm)
+    uses: ./.github/workflows/build-k3s.yaml
+    with:
+      arch: arm
+      cache: '' # No cache for release builds
+      upload-build: true
+
+  push-release-image:
+    name: Build and Push Multi-Arch Image
+    runs-on: ubuntu-latest
+    permissions: 
+      packages: write # Needed to push images to GHCR
+    needs: [build-amd64, build-arm64, build-arm]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: COnfigure image tags
+        id: tag_config
+        run: |
+          TAG=${GITHUB_REF#refs/tags/}
+
+          # Base configuration - always transform the main tag
+          # Transforms v1.32.4-rc1+k3s1 → v1.32.4-rc1-k3s1
+          BASE_CONFIG="type=raw,value=${TAG//+/-}"
+
+          if [[ "${TAG,,}" == *"rc"* ]]; then
+            echo "RC release detected: $TAG"
+            echo "tag_spec=$BASE_CONFIG" >> $GITHUB_OUTPUT
+          else
+            echo "Stable release detected: $TAG"
+            echo "tag_spec=$BASE_CONFIG
+          type=semver,pattern=v{{major}}.{{minor}}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/k3s
+          flavor: latest=false
+          tags: ${{ steps.tag_config.outputs.tag_spec }}
+
+      - name: "Download K3s build"
+        uses: actions/download-artifact@v4
+        with:
+          pattern: k3s*
+          path: ./dist/artifacts
+          merge-multiple: true
+
+      - name: Prepare build folder
+        run: |
+          mkdir -p ./build/out
+          cp ./dist/artifacts/data-* ./build/out
+
+      - name: Build and push K3s runtime image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./package/Dockerfile
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            DRONE_TAG=${{ github.ref_name }}
+

.github/workflows/trivy.yaml

@@ -25,8 +25,7 @@ jobs:
 
     - name: Build K3s Image
       run: |
-        make local
-        make package-image
+        make local-image
         make tag-image-latest
 
     - name: Run Trivy vulnerability scanner