move towards single branch

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @dfinity/node

.github/workflows/images.yml

@@ -0,0 +1,142 @@
+name: images
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - docker/**
+
+env:
+  KERNEL: kernel
+
+jobs:
+  dockerfile-changes:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - id: filter
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
+        with:
+          filters: |
+            kernel: docker/Dockerfile.kernel
+            ovmf: docker/Dockerfile.ovmf
+            qemu: docker/Dockerfile.qemu
+    outputs:
+      kernel: ${{ steps.filter.outputs.kernel }}
+      ovmf: ${{ steps.filter.outputs.ovmf }}
+      qemu: ${{  steps.filter.outputs.qemu }}
+
+  builder-kernel:
+    runs-on: ubuntu-latest
+    needs: dockerfile-changes
+    if: needs.dockerfile-changes.outputs.kernel == 'true'
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: |
+          docker buildx create \
+            --use \
+            --name builder \
+            --platform linux/amd64 \
+            --driver docker-container
+
+          docker buildx build \
+            -f docker/Dockerfile.kernel \
+            -t ghcr.io/dfinity/kernel-builder:${{ github.sha }} \
+            --platform linux/amd64 \
+            --build-arg SOURCE_DATE_EPOCH=0 \
+            --output type=docker,dest=archive.tar,rewrite-timestamp=true \
+                .
+
+          docker load -i archive.tar
+
+      - name: Login to container registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io \
+            -u ${{ github.actor }} \
+            --password-stdin
+
+      - name: Publish docker image
+        run: |
+          docker push ghcr.io/dfinity/kernel-builder:${{ github.sha }}
+
+  builder-ovmf:
+    runs-on: ubuntu-latest
+    needs: dockerfile-changes
+    if: needs.dockerfile-changes.outputs.ovmf == 'true'
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: |
+          docker buildx create \
+            --use \
+            --name builder \
+            --platform linux/amd64 \
+            --driver docker-container
+
+          docker buildx build \
+            -f docker/Dockerfile.kernel \
+            -t ghcr.io/dfinity/ovmf-builder:${{ github.sha }} \
+            --platform linux/amd64 \
+            --build-arg SOURCE_DATE_EPOCH=0 \
+            --output type=docker,dest=archive.tar,rewrite-timestamp=true \
+                .
+
+          docker load -i archive.tar
+
+      - name: Login to container registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io \
+            -u ${{ github.actor }} \
+            --password-stdin
+
+      - name: Publish docker image
+        run: |
+          docker push ghcr.io/dfinity/ovmf-builder:${{ github.sha }}
+
+  builder-qemu:
+    runs-on: ubuntu-latest
+    needs: dockerfile-changes
+    if: needs.dockerfile-changes.outputs.qemu == 'true'
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: |
+          docker buildx create \
+            --use \
+            --name builder \
+            --platform linux/amd64 \
+            --driver docker-container
+
+          docker buildx build \
+            -f docker/Dockerfile.kernel \
+            -t ghcr.io/dfinity/qemu-builder:${{ github.sha }} \
+            --platform linux/amd64 \
+            --build-arg SOURCE_DATE_EPOCH=0 \
+            --output type=docker,dest=archive.tar,rewrite-timestamp=true \
+                .
+
+          docker load -i archive.tar
+
+      - name: Login to container registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io \
+            -u ${{ github.actor }} \
+            --password-stdin
+
+      - name: Publish docker image
+        run: |
+          docker push ghcr.io/dfinity/qemu-builder:${{ github.sha }}

.github/workflows/targets.yml

@@ -0,0 +1,69 @@
+name: targets
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - build/**
+      - image-ref/**
+
+jobs:
+  image-ref-changes:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - id: filter
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
+        with:
+          filters: |
+            kernel: image-ref/kernel.txt
+            ovmf: image-ref/ovmf.txt
+            qemu: image-ref/qemu.txt
+    outputs:
+      kernel: ${{ steps.filter.outputs.kernel }}
+      ovmf: ${{ steps.filter.outputs.ovmf }}
+      qemu: ${{  steps.filter.outputs.qemu }}
+
+  build-script-changes:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - id: filter
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
+        with:
+          filters: |
+            kernel: build/kernel.sh
+            ovmf: build/ovmf.sh
+            qemu: build/qemu.sh
+    outputs:
+      kernel: ${{ steps.filter.outputs.kernel }}
+      ovmf: ${{ steps.filter.outputs.ovmf }}
+      qemu: ${{  steps.filter.outputs.qemu }}
+
+  kernel:
+    runs-on: ubuntu-latest
+    needs: [image-ref-changes, build-script-changes]
+    if: needs.image-ref-changes.outputs.kernel == 'true' || needs.build-script-changes.outputs.kernel == 'true'
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          echo "builder-kernel:$(cat image-ref/kernel.txt)"
+
+  ovmf:
+    runs-on: ubuntu-latest
+    needs: [image-ref-changes, build-script-changes]
+    if: needs.image-ref-changes.outputs.ovmf == 'true' || needs.build-script-changes.outputs.ovmf == 'true'
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          echo "builder-ovmf:$(cat image-ref/ovmf.txt)"
+
+  qemu:
+    runs-on: ubuntu-latest
+    needs: [image-ref-changes, build-script-changes]
+    if: needs.image-ref-changes.outputs.qemu == 'true' || needs.build-script-changes.outputs.qemu == 'true'
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          echo "builder-qemu:$(cat image-ref/qemu.txt)"

LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2024 DFINITY Foundation
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,8 +1,7 @@
 # SEV-SNP Dependencies
 
-## Branches
+This repository contains dependencies for [SEV-SNP](https://www.amd.com/en/developer/sev.html) (Secure Encrypted Virtualization - Secure Nested Paging) related projects.
 
-- [Builders](https://github.com/rikonor/sev-snp-deps/tree/builders)
-- [Linux Kernel](https://github.com/rikonor/sev-snp-deps/tree/linux-kernel)
-- [OVMF](https://github.com/rikonor/sev-snp-deps/tree/ovmf)
-- [QEMU](https://github.com/rikonor/sev-snp-deps/tree/qemu)
+## License
+
+This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.

build/kernel.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+echo "Building mr kernel"

build/ovmf.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+echo "Building ovmf"

build/qemu.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+echo "Building qemu"

docker/Dockerfile.kernel

@@ -0,0 +1,36 @@
+FROM debian:trixie-20240513-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# https://snapshot.debian.org/archive/debian/20240515T144351Z/
+ARG SNAPSHOT=20240515T144351Z
+
+RUN \
+  --mount=type=cache,target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    : "Enabling snapshot" && \
+    sed -i -e '/Types: deb/ a\Snapshot: true' /etc/apt/sources.list.d/debian.sources && \
+    : "Enabling cache" && \
+    rm -f /etc/apt/apt.conf.d/docker-clean && \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' >/etc/apt/apt.conf.d/keep-cache && \
+    : "Fetching the snapshot and installing ca-certificates in one command" && \
+    apt install --update --snapshot "${SNAPSHOT}" -o Acquire::Check-Valid-Until=false -o Acquire::https::Verify-Peer=false -y ca-certificates && \
+    : "Install dependencies" && \
+    apt install --snapshot "${SNAPSHOT}" -y \
+        bc \
+        bison \
+        cpio \
+        debhelper \
+        dpkg-dev \
+        flex \
+        gcc \
+        initramfs-tools \
+        kmod \
+        libelf-dev \
+        libssl-dev \
+        lsb-release \
+        make \
+        rsync \
+    && \
+    : "Clean up for improving reproducibility (optional)" && \
+    rm -rf /var/log/* /var/cache/ldconfig/aux-cache

docker/Dockerfile.ovmf

@@ -0,0 +1,27 @@
+FROM debian:trixie-20240513-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# https://snapshot.debian.org/archive/debian/20240515T144351Z/
+ARG SNAPSHOT=20240515T144351Z
+
+RUN \
+  --mount=type=cache,target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    : "Enabling snapshot" && \
+    sed -i -e '/Types: deb/ a\Snapshot: true' /etc/apt/sources.list.d/debian.sources && \
+    : "Enabling cache" && \
+    rm -f /etc/apt/apt.conf.d/docker-clean && \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' >/etc/apt/apt.conf.d/keep-cache && \
+    : "Fetching the snapshot and installing ca-certificates in one command" && \
+    apt install --update --snapshot "${SNAPSHOT}" -o Acquire::Check-Valid-Until=false -o Acquire::https::Verify-Peer=false -y ca-certificates && \
+    : "Install dependencies" && \
+    apt install --snapshot "${SNAPSHOT}" -y \
+        build-essential \
+        iasl \
+        nasm \
+        python-is-python3 \
+        uuid-dev \
+    && \
+    : "Clean up for improving reproducibility (optional)" && \
+    rm -rf /var/log/* /var/cache/ldconfig/aux-cache