canonical · Meulengracht · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -17,37 +17,52 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build:
-    runs-on: [self-hosted, spread-enabled]
+  build_release:
+    runs-on: ubuntu-latest
+    outputs:
+      snap_name: ${{ steps.release.outputs.snap_name }}
+      snap_artifact: ${{ steps.release.outputs.snap_artifact }}
     steps:
-      - name: Cleanup job workspace
-        id: cleanup-job-workspace
-        run: |
-          rm -rf "${{ github.workspace }}"
-          mkdir "${{ github.workspace }}"
-      - uses: actions/checkout@v4
-
-      - name: Build snap
-        run: |
-          spread -artifacts=./artifacts google-nested:tests/spread/build/
-          find ./artifacts -type f -name "*.artifact" -exec cp {} "${{ github.workspace }}" \;
-
-      - uses: actions/upload-artifact@v4
+      - name: Build and release to edge channel
+        id: release
+        env:
+          LP_CREDENTIALS: ${{ secrets.LP_CREDENTIALS }}
+        uses: snapcore/system-snaps-cicd-tools/action-rebuild-base@main
         with:
-          name: core-snap
-          path: "${{ github.workspace }}/core22.artifact"
-
-      - name: Discard spread workers
-        if: always()
-        run: |
-          shopt -s nullglob
-          for r in .spread-reuse.*.yaml; do
-            spread -discard -reuse-pid="$(echo "$r" | grep -o -E '[0-9]+')"
-          done
+          branch: ${{ github.event_name == 'pull_request' && github.ref || github.ref_name }}
+          publish: false
+  build_fips_release:
+    runs-on: ubuntu-latest
+    outputs:
+      snap_name: ${{ steps.release.outputs.snap_name }}
+      snap_artifact: ${{ steps.release.outputs.snap_artifact }}
+    steps:
+      - name: Build and release to edge channel
+        id: release
+        env:
+          LP_CREDENTIALS: ${{ secrets.LP_CREDENTIALS }}
+        uses: snapcore/system-snaps-cicd-tools/action-rebuild-base@main
+        with:
+          branch: ${{ github.event_name == 'pull_request' && github.ref || github.ref_name }}
+          fips: true
+          publish: false
 
   tests-main:
     runs-on: [self-hosted, spread-enabled]
-    needs: build
+    needs: [build_release, build_fips_release]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - variant: standard
+            artifact_name: ${{ needs.build_release.outputs.snap_artifact }}
+            core_variant: ''
+          - variant: fips
+            artifact_name: ${{ needs.build_fips_release.outputs.snap_artifact }}
+            core_variant: fips
+    name: tests-main (${{ matrix.variant }})
+    env:
+      CORE_VARIANT: ${{ matrix.core_variant }}
     steps:
       - name: Cleanup job workspace
         id: cleanup-job-workspace
@@ -57,8 +72,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/download-artifact@v4
         with:
-          name: core-snap
-          path: "${{ github.workspace }}/core22.artifact"
+          name: ${{ matrix.artifact_name }}
+          path: "${{ github.workspace }}"
 
       - name: Run tests
         uses: ./.github/actions/run-spread-tests
@@ -72,9 +87,21 @@ jobs:
           for r in .spread-reuse.*.yaml; do
             spread -discard -reuse-pid="$(echo "$r" | grep -o -E '[0-9]+')"
           done
+
   tests-snapd:
     runs-on: ubuntu-latest
-    needs: build
+    needs: [build_release, build_fips_release]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - variant: standard
+            artifact_name: ${{ needs.build_release.outputs.snap_artifact }}
+            snap_name: ${{ needs.build_release.outputs.snap_name }}
+          - variant: fips
+            artifact_name: ${{ needs.build_fips_release.outputs.snap_artifact }}
+            snap_name: ${{ needs.build_fips_release.outputs.snap_name }}
+    name: tests-snapd (${{ matrix.variant }})
     steps:
       - name: Cleanup job workspace
         id: cleanup-job-workspace
@@ -91,7 +118,8 @@ jobs:
           path: snapd
       - uses: actions/download-artifact@v4
         with:
-          name: core-snap
+          name: ${{ matrix.artifact_name }}
+          path: "${{ github.workspace }}"
 
       - name: Install spread
         run: curl -s https://storage.googleapis.com/snapd-spread-tests/spread/spread-amd64.tar.gz | sudo tar xzv -C /usr/bin
@@ -101,6 +129,13 @@ jobs:
         run: |
           . "core-base/tests/lib/prepare-utils.sh"
 
+          # determine variant, but for standard builds we want to pass 
+          # an empty string to the utils functions
+          variant="${{ matrix.variant }}"
+          if [ "$variant" = "standard" ]; then
+              variant=""
+          fi
+
           echo "************* INSTALLING DEPS *************"
           install_core22_deps
 
@@ -111,9 +146,9 @@ jobs:
           prepare_core22_cloudinit
 
           echo "************* BUILDING CORE22 IMAGE *************"
-          uc_snap="$(get_core_snap_name)"
-          mv core22.artifact "$uc_snap"
-          build_core22_image
+          uc_snap="$(get_core_snap_name "$variant")"
+          mv "${{ matrix.snap_name }}" "$uc_snap"
+          build_core22_image "$variant"
 
           echo "************* STARTING CORE22 VM *************"
           start_snapd_core_vm '${{ github.workspace }}'

diff --git a/spread.yaml b/spread.yaml
@@ -5,6 +5,7 @@ environment:
   PROJECT_PATH: $SETUPDIR
   PATH: $PATH:$PROJECT_PATH/tests/bin
   TESTSLIB: $PROJECT_PATH/tests/lib
+  BUILD_VARIANT: '$(HOST: echo "${CORE_VARIANT:-}")'
   SNAP_BRANCH: "edge" # stable/edge/beta
   UC_VERSION: 22
   # TODO: are these vars needed still?
@@ -132,7 +133,7 @@ suites:
 
     prepare: |
       # prepare common uc image setup by repacking snaps, etc
-      "$TESTSLIB"/prepare-uc.sh
+      "$TESTSLIB"/prepare-uc.sh "$BUILD_VARIANT"
     restore-each: |
       # delete the nested VM image after each task finishes so we don't use too much
       # disk space

diff --git a/tests/lib/prepare-uc.sh b/tests/lib/prepare-uc.sh
@@ -3,6 +3,8 @@
 set -e
 set -x
 
+BUILD_VARIANT="${1:-}"
+
 # include auxiliary functions from this script
 . "$TESTSLIB/prepare-utils.sh"
 
@@ -116,16 +118,16 @@ snap pack --filename=upstream-snapd.snap "$snapddir"
 rm -r $snapddir
 
 # build the core22 snap if it has not been provided to us by CI
-uc_snap="$(get_core_snap_name)"
+uc_snap="$(get_core_snap_name "$BUILD_VARIANT")"
 if [ ! -f "$PROJECT_PATH/core${UC_VERSION}.artifact" ]; then
-    build_core22_snap "$PROJECT_PATH"
+    build_core22_snap "$PROJECT_PATH" "$BUILD_VARIANT"
 else
     # use provided core22 snap
     cp "$PROJECT_PATH/core${UC_VERSION}.artifact" "$uc_snap"
 fi
 
 # finally build the uc image
-build_core22_image
+build_core22_image "$BUILD_VARIANT"
 
 # setup some data we will inject into ubuntu-seed partition of the image above
 # that snapd.spread-tests-run-mode-tweaks.service will ingest

diff --git a/tests/lib/prepare-utils.sh b/tests/lib/prepare-utils.sh
@@ -115,8 +115,14 @@ start_snapd_core_vm() {
 }
 
 get_core_snap_name() {
+    local variant="${2:-}"
+
     printf -v date '%(%Y%m%d)T' -1
-    echo "core22_${date}_amd64.snap"
+    if [ "$variant" = "fips" ]; then
+        echo "core22-fips_${date}_amd64.snap"
+    else
+        echo "core22_${date}_amd64.snap"
+    fi    
 }
 
 install_core22_deps() {
@@ -191,10 +197,18 @@ prepare_core22_cloudinit() {
 build_core22_snap() {
     local project_dir="$1"
     local current_dir="$(pwd)"
+    local variant="${2:-}"
 
     # run snapcraft
     (
         cd "$project_dir"
+
+        # if it's the fips variant, rename the remote url to trigger
+        # the fips build
+        if [ "$variant" = "fips" ]; then
+            git remote set-url origin "$(git remote get-url origin | sed 's/$/-fips/')"
+        fi
+
         sudo snapcraft --destructive-mode --verbose
 
         # copy the snap to the calling directory if they are not the same
@@ -205,7 +219,8 @@ build_core22_snap() {
 }
 
 build_core22_image() {
-    local core_snap_name="$(get_core_snap_name)"
+    local variant="${1:-}"
+    local core_snap_name="$(get_core_snap_name "$variant")"
     ubuntu-image snap \
         -i 8G \
         --snap $core_snap_name \

diff --git a/tests/spread/build/build-fips-snap/task.yaml b/tests/spread/build/build-fips-snap/task.yaml
@@ -0,0 +1,21 @@
+summary: Builds the core snap
+manual: true
+
+artifacts:
+  - core22-fips.artifact
+
+prepare: |
+  # for various utilities
+  . "$TESTSLIB/prepare-utils.sh"
+
+  # install dependencies
+  install_core22_deps
+
+execute: |
+  # for various utilities
+  . "$TESTSLIB/prepare-utils.sh"
+
+  build_core22_snap "$PROJECT_PATH" "fips"
+
+  SNAP_NAME="$(get_core_snap_name "fips")"
+  cp "$PROJECT_PATH/$SNAP_NAME" "core22-fips.artifact"