feat(ci): add unified "OpenNebula: Build and Test" workflow

yuravk · yuravk · commit 9fbf9e7ed5a4 · 2026-06-17T14:46:29.000+03:00
Single workflow_dispatch that builds the OpenNebula .qcow2 images with
Packer and boot-tests each one in-job, on the build runner, under
QEMU/KVM with a one-context CONTEXT ISO - no S3 round-trip, no separate
test job.

Both build runners are Ubuntu-with-KVM so the apt-based
opennebula-test-steps composite runs on the machine that just built the
image: x86_64 stays on ubuntu24-full-x64, and aarch64 now builds on
ubuntu24-full-arm64 (a1.metal) instead of almalinux-9-aarch64.
shared-steps' runner_os detection builds on Ubuntu for both arches.
Every built image is tested; for a build-only run use opennebula-build.yml.

opennebula-test-steps gains an optional image_file input: when set it
tests the locally-built qcow2 (chowns the root-owned Packer output, copies
it to base.qcow2) instead of downloading image_url. Backward-compatible -
the standalone opennebula-test.yml keeps passing image_url and is unchanged.
diff --git a/.github/actions/opennebula-test-steps/action.yml b/.github/actions/opennebula-test-steps/action.yml
@@ -3,8 +3,13 @@ description: "Boots an OpenNebula .qcow2 under QEMU/KVM with a one-context CONTE
 
 inputs:
   image_url:
-    description: "Public S3 URL to the OpenNebula .qcow2 image"
-    required: true
+    description: "Public URL to the OpenNebula .qcow2 image (provide this OR image_file)"
+    required: false
+    default: ''
+  image_file:
+    description: "Path to a locally-built OpenNebula .qcow2 (provide this OR image_url; takes precedence)"
+    required: false
+    default: ''
   image_filename:
     description: "Image filename (last path segment of image_url)"
     required: true
@@ -76,13 +81,24 @@ runs:
         chmod 700 ~/.ssh
         ssh-keygen -t ed25519 -N '' -C "opennebula-test-${GITHUB_RUN_ID}" -f ~/.ssh/opennebula_test
 
-    - name: Download base image
+    - name: Obtain base image
       shell: bash
       env:
         IMAGE_URL: ${{ inputs.image_url }}
+        IMAGE_FILE: ${{ inputs.image_file }}
       run: |
-        # Download base image
-        curl -fL --retry 5 --retry-delay 5 -o base.qcow2 "${IMAGE_URL}"
+        # Obtain base image: prefer a locally-built file, else download the URL
+        if [ -n "${IMAGE_FILE}" ]; then
+          # Packer runs under sudo, so the build output is root-owned; copy it
+          # out and take ownership before QEMU opens it.
+          sudo cp "${IMAGE_FILE}" base.qcow2
+          sudo chown "$(id -u):$(id -g)" base.qcow2
+        elif [ -n "${IMAGE_URL}" ]; then
+          curl -fL --retry 5 --retry-delay 5 -o base.qcow2 "${IMAGE_URL}"
+        else
+          echo "[Error] one of image_file or image_url must be provided"
+          exit 1
+        fi
         qemu-img info base.qcow2
 
     - name: Create writable qcow2 overlay (100 GiB)
@@ -330,7 +346,11 @@ runs:
         {
           echo "## OpenNebula Image Test"
           echo ""
-          echo "- **Image**: [${IMAGE_FILENAME}](${IMAGE_URL})"
+          if [ -n "${IMAGE_URL:-}" ]; then
+            echo "- **Image**: [${IMAGE_FILENAME}](${IMAGE_URL})"
+          else
+            echo "- **Image**: \`${IMAGE_FILENAME}\`"
+          fi
           echo "- **Arch (filename)**: \`${ALMA_ARCH_FULL}\`"
           if [ -n "${ALMA_RELEASE:-}" ]; then
             echo "- **AlmaLinux release**: \`${ALMA_RELEASE}\`"
@@ -375,7 +395,7 @@ runs:
         TEXT: |
           :almalinux: **${{ inputs.image_filename }}**, OpenNebula image test, by the GitHub [Action](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
-          **Image**: [${{ inputs.image_filename }}](${{ inputs.image_url }})
+          ${{ inputs.image_url && format('**Image**: [{0}]({1})', inputs.image_filename, inputs.image_url) || format('**Image**: `{0}`', inputs.image_filename) }}
           **Arch (filename)**: `${{ inputs.alma_arch_full }}`
           ${{ env.ALMA_RELEASE && format('**AlmaLinux release**: `{0}`', env.ALMA_RELEASE) || '' }}
           ${{ env.SYSTEM_ARCH && format('**System architecture**: `{0}`', env.SYSTEM_ARCH) || '' }}
diff --git a/.github/workflows/opennebula-build-test.yml b/.github/workflows/opennebula-build-test.yml
@@ -0,0 +1,249 @@
+name: "OpenNebula: Build and Test"
+
+# Unified OpenNebula pipeline: build the .qcow2 images with Packer and
+# boot-test each one in-job, directly on the build runner, under QEMU/KVM
+# with a one-context CONTEXT ISO (no S3 round-trip, no separate test job).
+#
+# Both build runners are Ubuntu-with-KVM (x86_64 -> ubuntu24-full-x64,
+# aarch64 -> ubuntu24-full-arm64), so the opennebula-test-steps composite
+# (apt-based, needs /dev/kvm) runs on the same machine that just built the
+# image. shared-steps' runner_os detection builds happily on Ubuntu for
+# both arches.
+#
+# Every built image is tested; for a build-only run use opennebula-build.yml.
+#
+# Stage implementations live in composite actions:
+#   .github/actions/shared-steps           - Packer build (all clouds)
+#   .github/actions/opennebula-test-steps  - QEMU/KVM boot test of the local qcow2
+
+on:
+  workflow_dispatch:
+      inputs:
+
+        date_time_stamp:
+          description: 'Custom date+time stamp, YYYYMMDDhhmmss'
+          required: false
+          default: ''
+
+        version_major:
+          description: 'AlmaLinux major version'
+          required: true
+          default: '10'
+          type: choice
+          options:
+            - 10-kitten
+            - 10
+            - 9
+            - 8
+
+        self-hosted:
+          description: "Build aarch64 image on self-hosted runner"
+          required: true
+          type: boolean
+          default: true
+
+        store_as_artifact:
+          description: "Store images to the workflow Artifacts"
+          required: true
+          type: boolean
+          default: false
+
+        upload_to_s3:
+          description: "Upload to S3 Bucket"
+          required: true
+          type: boolean
+          default: true
+
+        notify_mattermost:
+          description: "Send notification to Mattermost"
+          required: true
+          type: boolean
+          default: true
+env:
+  PACKER_GITHUB_API_TOKEN: ${{ secrets.GIT_HUB_TOKEN }}
+
+jobs:
+  init-data:
+    name: Initialize common data
+    runs-on: ubuntu-24.04
+    outputs:
+      time_stamp: ${{ steps.date-time-stamp.outputs.time_stamp }}
+      date_stamp: ${{ steps.date-time-stamp.outputs.date_stamp }}
+    steps:
+      - name: Date+time stamp
+        id: date-time-stamp
+        run: |
+          # date+time stamp, YYYYMMDDhhmmss
+          if [ "${{ inputs.date_time_stamp }}" != "" ]; then
+            date_time_stamp="${{ inputs.date_time_stamp }}"
+          else
+            date_time_stamp=$(date -u '+%Y%m%d%H%M%S')
+          fi
+          echo "time_stamp=${date_time_stamp}" >> $GITHUB_OUTPUT
+
+          # date stamp, YYYYMMDD
+          date_stamp=${date_time_stamp:0:-6}
+          echo "date_stamp=${date_stamp}" >> "$GITHUB_OUTPUT"
+
+  build-gh-hosted:
+    name: ${{ matrix.variant }} opennebula-x86_64 build+test
+    permissions:
+      id-token: write
+      contents: read
+    needs: [init-data]
+    # use runs-on runners if within the almalinux org, otherwise GH runners.
+    # Both are Ubuntu-with-KVM (metal in the org, nested-KVM on the gh-hosted
+    # fallback), so the in-job QEMU test can boot the image just built.
+    runs-on: >-
+      ${{
+        github.repository_owner == 'AlmaLinux' &&
+          format('runs-on={0}/family=c7i.metal-24xl+c7a.metal-48xl+*8gd.metal*/image=ubuntu24-full-x64', github.run_id)
+        ||
+        'ubuntu-24.04'
+      }}
+    strategy:
+      fail-fast: false
+      matrix:
+        variant: >-
+          ${{ fromJSON(
+            ( inputs.version_major == '10-kitten' || inputs.version_major == '10' )
+              && format('["{0}", "{0}-v2"]', inputs.version_major)
+              || format('["{0}"]', inputs.version_major)
+          ) }}
+
+    env:
+      TIME_STAMP: ${{ needs.init-data.outputs.time_stamp }}
+      DATE_STAMP: ${{ needs.init-data.outputs.date_stamp }}
+
+    steps:
+      - name: Checkout ${{ github.action_repository }}
+        uses: actions/checkout@v6
+
+      - uses: ./.github/actions/shared-steps
+        name: ${{ matrix.variant }} opennebula-x86_64 image
+        with:
+          type: opennebula
+          variant: ${{ matrix.variant }}
+          arch: x86_64
+          S3_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ vars.AWS_REGION }}
+          AWS_S3_BUCKET: ${{ vars.AWS_S3_BUCKET }}
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
+          MATTERMOST_CHANNEL: ${{ vars.MATTERMOST_CHANNEL }}
+          store_as_artifact: ${{ inputs.store_as_artifact }}
+          upload_to_s3: ${{ inputs.upload_to_s3 }}
+          notify_mattermost: ${{ inputs.notify_mattermost }}
+          run_test: 'false'
+          runner: ${{ github.repository_owner == 'AlmaLinux' && 'aws-ec2' || 'gh_hosted' }}
+        env:
+          PACKER_GITHUB_API_TOKEN: ${{ secrets.GIT_HUB_TOKEN }}
+
+      - uses: ./.github/actions/opennebula-test-steps
+        name: Test ${{ matrix.variant }} opennebula-x86_64 image
+        with:
+          image_file: ${{ env.IMAGE_FILE }}
+          image_url: ${{ inputs.upload_to_s3 && format('https://{0}.s3-accelerate.dualstack.amazonaws.com/{1}/{2}', vars.AWS_S3_BUCKET, env.AWS_S3_PATH, env.IMAGE_NAME) || '' }}
+          image_filename: ${{ env.IMAGE_NAME }}
+          alma_arch: x86_64
+          alma_arch_full: ${{ contains(matrix.variant, 'v2') && 'x86_64_v2' || 'x86_64' }}
+          release_string: ${{ env.RELEASE_STRING }}
+          notify_mattermost: ${{ inputs.notify_mattermost }}
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
+          MATTERMOST_CHANNEL: ${{ vars.MATTERMOST_CHANNEL }}
+
+  # The job is to start self-hosted runner on AWS EC2 instance if not in the almalinux org
+  # It does nothing if in the almalinux org, so 'Setup and start runner' step is skipped
+  start-self-hosted-runner:
+    name: ${{ inputs.version_major }} opennebula-aarch64 runner
+    if: ${{ inputs.self-hosted }}
+    runs-on: ubuntu-24.04
+    needs: [init-data]
+
+    steps:
+    - name: Setup and start runner
+      if: github.repository_owner != 'AlmaLinux'
+      uses: unblocked/ec2-action-builder@v1.12
+      with:
+        github_token: ${{ secrets.GIT_HUB_TOKEN }}
+        aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws_region: ${{ vars.AWS_REGION }}
+        ec2_ami_id: ${{ secrets.EC2_AMI_ID_AL9_AARCH64 }}
+
+        ec2_subnet_id: ${{ secrets.EC2_SUBNET_ID}}                  # Subnet and Security Group should match
+        ec2_security_group_id: ${{ secrets.EC2_SECURITY_GROUP_ID }} # Availability Zones list for 'a1.metal' Instance Type
+        ec2_instance_type: a1.metal
+
+        ec2_root_disk_size_gb: "16"         # override default size which is too small for actions and tests stuff
+        ec2_root_disk_ebs_class: "gp3"      # use faster and cheeper storage instead of default 'gp2'
+        ec2_instance_ttl: 30                # Optional (default is 60 minutes)
+        ec2_spot_instance_strategy: None    # Other options are: SpotOnly, BestEffort, MaxPerformance
+        ec2_instance_tags: >                # Required for IAM role resource permission scoping
+          [
+            {"Key": "Project", "Value": "GitHub Actions Self-hosted Runners"}
+          ]
+
+  build-self-hosted:
+    name: ${{ inputs.version_major }} opennebula-aarch64 build+test
+    permissions:
+      id-token: write
+      contents: read
+    if: ${{ inputs.self-hosted }}
+    needs: [init-data, start-self-hosted-runner]
+    # AlmaLinux org: RunsOn a1.metal with the Ubuntu arm64 image (NOT
+    # almalinux-9-aarch64) so the in-job QEMU test can run - shared-steps
+    # builds fine on Ubuntu via its runner_os detection, and the bare-metal
+    # a1 has /dev/kvm.
+    #
+    # Forks fall back to the self-hosted EC2 a1.metal runner. That AMI is
+    # AlmaLinux 9 (EL9), where the apt-based test composite cannot run - the
+    # in-job test step will fail there; fork CI should test via opennebula-test.yml.
+    runs-on: >-
+      ${{
+        github.repository_owner == 'AlmaLinux' &&
+          format('runs-on={0}/family=a1.metal/image=ubuntu24-full-arm64/volume=40g', github.run_id)
+        ||
+        github.run_id
+      }}
+
+    env:
+      TIME_STAMP: ${{ needs.init-data.outputs.time_stamp }}
+      DATE_STAMP: ${{ needs.init-data.outputs.date_stamp }}
+
+    steps:
+      - name: Checkout ${{ github.action_repository }}
+        uses: actions/checkout@v6
+
+      - uses: ./.github/actions/shared-steps
+        name: ${{ inputs.version_major }} opennebula-aarch64 image
+        with:
+          type: opennebula
+          variant: ${{ inputs.version_major }}
+          arch: aarch64
+          S3_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ vars.AWS_REGION }}
+          AWS_S3_BUCKET: ${{ vars.AWS_S3_BUCKET }}
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
+          MATTERMOST_CHANNEL: ${{ vars.MATTERMOST_CHANNEL }}
+          store_as_artifact: ${{ inputs.store_as_artifact }}
+          upload_to_s3: ${{ inputs.upload_to_s3 }}
+          notify_mattermost: ${{ inputs.notify_mattermost }}
+          run_test: 'false'
+          runner: aws-ec2
+        env:
+          PACKER_GITHUB_API_TOKEN: ${{ secrets.GIT_HUB_TOKEN }}
+
+      - uses: ./.github/actions/opennebula-test-steps
+        name: Test ${{ inputs.version_major }} opennebula-aarch64 image
+        with:
+          image_file: ${{ env.IMAGE_FILE }}
+          image_url: ${{ inputs.upload_to_s3 && format('https://{0}.s3-accelerate.dualstack.amazonaws.com/{1}/{2}', vars.AWS_S3_BUCKET, env.AWS_S3_PATH, env.IMAGE_NAME) || '' }}
+          image_filename: ${{ env.IMAGE_NAME }}
+          alma_arch: aarch64
+          alma_arch_full: aarch64
+          release_string: ${{ env.RELEASE_STRING }}
+          notify_mattermost: ${{ inputs.notify_mattermost }}
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
+          MATTERMOST_CHANNEL: ${{ vars.MATTERMOST_CHANNEL }}
