From 775eaa66618bd5c0acccb8a377e8c302ea88a0fa Mon Sep 17 00:00:00 2001
From: Jose Quaresma <jose.quaresma@oss.qualcomm.com>
Date: Tue, 16 Sep 2025 09:55:53 +0100
Subject: [PATCH 1/2] ci: naming the download/upload of the kas lockfile

Next patch will introduce new artifact downloads and uploads in the steps.
It is better to start naming that steps of the job so that they are easier
to identify when we look at the logs.
Also rename the artifact to kas-lockfile since it is more obvious
that it represents a kas locking file.

Signed-off-by: Jose Quaresma <jose.quaresma@oss.qualcomm.com>
---
 .github/actions/compile/action.yml |  5 +++--
 .github/workflows/build-yocto.yml  | 12 +++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/.github/actions/compile/action.yml b/.github/actions/compile/action.yml
index cc1302875..c7b0ba2f8 100644
--- a/.github/actions/compile/action.yml
+++ b/.github/actions/compile/action.yml
@@ -21,9 +21,10 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/download-artifact@v6
+    - name: Download kas lockfile
+      uses: actions/download-artifact@v6
       with:
-        name: kas-lock
+        name: kas-lockfile
         path: ci/
 
     - name: Setup build variables and sstate-cache
diff --git a/.github/workflows/build-yocto.yml b/.github/workflows/build-yocto.yml
index 79c87b14e..9f24e4ab3 100644
--- a/.github/workflows/build-yocto.yml
+++ b/.github/workflows/build-yocto.yml
@@ -36,9 +36,10 @@ jobs:
         run: |
           ${KAS_CONTAINER} lock --update ci/base.yml:ci/qcom-distro.yml
 
-      - uses: actions/upload-artifact@v4
+      - name: Upload kas lockfile
+        uses: actions/upload-artifact@v4
         with:
-          name: kas-lock
+          name: kas-lockfile
           path: ci/*.lock.yml
 
   yocto-run-checks:
@@ -48,10 +49,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v6
+      - name: Download kas lockfile
+        uses: actions/download-artifact@v6
         with:
-          name: kas-lock
-          path: ci/
+          name: kas-lockfile
+          path: ci
 
       - name: Run yocto-check-layer
         run: |

From 1f8614f19ee9676293ef565ca24ee5071862976c Mon Sep 17 00:00:00 2001
From: Jose Quaresma <jose.quaresma@oss.qualcomm.com>
Date: Mon, 15 Sep 2025 10:46:34 +0100
Subject: [PATCH 2/2] ci: do not save the kas-container in the persistent space

Since [1], kas-container is downloaded by a job and stored in the persistent
storage (as KAS_CONTAINER). However this seems unsafe since each job will override
kas-container in the persistent storage. We should download kas-container in a
workflow specific folder instead.

[1] https://github.com/qualcomm-linux/meta-qcom/pull/846

Fixes: #1015

Signed-off-by: Jose Quaresma <jose.quaresma@oss.qualcomm.com>
---
 .github/actions/compile/action.yml | 23 +++++++++++++++++------
 .github/workflows/build-yocto.yml  | 25 +++++++++++++++++++++----
 2 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/.github/actions/compile/action.yml b/.github/actions/compile/action.yml
index c7b0ba2f8..565121da2 100644
--- a/.github/actions/compile/action.yml
+++ b/.github/actions/compile/action.yml
@@ -12,8 +12,6 @@ inputs:
     required: true
   cache_dir:
     required: true
-  kas:
-    required: true
 outputs:
   url:
     description: Location of the published binaries
@@ -27,6 +25,19 @@ runs:
         name: kas-lockfile
         path: ci/
 
+    - name: Download kas-container
+      uses: actions/download-artifact@v6
+      with:
+         name: kas-container
+         path: ${{runner.temp}}
+
+    - name: Setting up kas-container
+      shell: bash
+      run: |
+        KAS_CONTAINER=$RUNNER_TEMP/kas-container
+        echo "KAS_CONTAINER=$KAS_CONTAINER" >> $GITHUB_ENV
+        chmod +x $KAS_CONTAINER
+
     - name: Setup build variables and sstate-cache
       shell: bash
       run: |
@@ -39,25 +50,25 @@ runs:
       shell: bash
       run: |
         mkdir $KAS_WORK_DIR
-        ${{inputs.kas}} dump --resolve-env --resolve-local --resolve-refs \
+        $KAS_CONTAINER dump --resolve-env --resolve-local --resolve-refs \
           ci/mirror.yml:ci/${{ inputs.machine }}.yml${{ inputs.distro_yaml }}${{ inputs.kernel_yaml }} > kas-build.yml
 
     - name: Kas qcom world build
       shell: bash
       run: |
-        ${{inputs.kas}} build ci/mirror.yml:ci/${{ inputs.machine }}.yml${{ inputs.distro_yaml }}${{ inputs.kernel_yaml }}:ci/world.yml
+        $KAS_CONTAINER build ci/mirror.yml:ci/${{ inputs.machine }}.yml${{ inputs.distro_yaml }}${{ inputs.kernel_yaml }}:ci/world.yml
         ci/kas-container-shell-helper.sh ci/yocto-pybootchartgui.sh
         mv $KAS_WORK_DIR/build/buildchart.svg buildchart-world.svg
 
     - name: Kas build images
       shell: bash
       run: |
-        ${{inputs.kas}} build ci/mirror.yml:ci/${{ inputs.machine }}.yml${{ inputs.distro_yaml }}${{ inputs.kernel_yaml }}
+        $KAS_CONTAINER build ci/mirror.yml:ci/${{ inputs.machine }}.yml${{ inputs.distro_yaml }}${{ inputs.kernel_yaml }}
         ci/kas-container-shell-helper.sh ci/yocto-pybootchartgui.sh
         mv $KAS_WORK_DIR/build/buildchart.svg .
 
         if [ "${{ inputs.machine }}" = "qcom-armv8a" ]; then
-          ${{inputs.kas}} build ci/mirror.yml:ci/${{ inputs.machine }}.yml${{ inputs.distro_yaml }}${{ inputs.kernel_yaml }}:ci/initramfs-test.yml
+          $KAS_CONTAINER build ci/mirror.yml:ci/${{ inputs.machine }}.yml${{ inputs.distro_yaml }}${{ inputs.kernel_yaml }}:ci/initramfs-test.yml
         fi
 
     - uses: actions/upload-artifact@v4
diff --git a/.github/workflows/build-yocto.yml b/.github/workflows/build-yocto.yml
index 9f24e4ab3..e26b2f895 100644
--- a/.github/workflows/build-yocto.yml
+++ b/.github/workflows/build-yocto.yml
@@ -10,15 +10,16 @@ on:
 env:
   CACHE_DIR: /efs/qli/meta-qcom
   KAS_REPO_REF_DIR: /efs/qli/meta-qcom/kas-mirrors
-  KAS_CONTAINER: /efs/qli/meta-qcom/kas-mirrors/kas-container
 
 jobs:
   kas-setup:
     if: github.repository == 'qualcomm-linux/meta-qcom'
     runs-on: [self-hosted, qcom-u2404, amd64-ssd]
     steps:
-      - name: Update kas-container
+      - name: Setting up kas-container
         run: |
+          KAS_CONTAINER=$RUNNER_TEMP/kas-container
+          echo "KAS_CONTAINER=$KAS_CONTAINER" >> $GITHUB_ENV
           LATEST=$(git ls-remote --tags --refs --sort="v:refname" https://github.com/siemens/kas | tail -n1 | sed 's/.*\///')
           wget -qO ${KAS_CONTAINER} https://raw.githubusercontent.com/siemens/kas/refs/tags/$LATEST/kas-container
           chmod +x ${KAS_CONTAINER}
@@ -42,6 +43,12 @@ jobs:
           name: kas-lockfile
           path: ci/*.lock.yml
 
+      - name: Upload kas-container
+        uses: actions/upload-artifact@v4
+        with:
+          name: kas-container
+          path: ${{ env.KAS_CONTAINER }}
+
   yocto-run-checks:
     needs: kas-setup
     if: github.repository == 'qualcomm-linux/meta-qcom'
@@ -55,6 +62,18 @@ jobs:
           name: kas-lockfile
           path: ci
 
+      - name: Download kas-container
+        uses: actions/download-artifact@v6
+        with:
+          name: kas-container
+          path: ${{ runner.temp }}
+
+      - name: Setting up kas-container
+        run: |
+          KAS_CONTAINER=$RUNNER_TEMP/kas-container
+          echo "KAS_CONTAINER=$KAS_CONTAINER" >> $GITHUB_ENV
+          chmod +x $KAS_CONTAINER
+
       - name: Run yocto-check-layer
         run: |
           ci/kas-container-shell-helper.sh ci/yocto-check-layer.sh
@@ -102,7 +121,6 @@ jobs:
           kernel_yaml: ${{matrix.kernel.yamlfile}}
           kernel_dirname: ${{matrix.kernel.dirname}}
           cache_dir: ${CACHE_DIR}
-          kas: ${KAS_CONTAINER}
 
   compile:
     needs: compile_warm_up
@@ -183,7 +201,6 @@ jobs:
           kernel_yaml: ${{matrix.kernel.yamlfile}}
           kernel_dirname: ${{matrix.kernel.dirname}}
           cache_dir: ${CACHE_DIR}
-          kas: ${KAS_CONTAINER}
 
   publish_summary:
     needs: compile