OpenGamingCollective · KyleGospo · Mar 24, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/.github/workflows/arch.yaml b/.github/workflows/arch.yaml
@@ -15,9 +15,6 @@ env:
 
 permissions:
     contents: read
-    packages: write
-    id-token: write
-    attestations: write
 
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
@@ -27,6 +24,13 @@ jobs:
     build-arch:
         runs-on: ubuntu-latest
 
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+            attestations: write
+            artifact-metadata: write
+
         container:
             image: docker.io/archlinux:base-devel
             volumes:
@@ -58,13 +62,6 @@ jobs:
               with:
                   persist-credentials: false
 
-            - name: Create build user
-              run: |
-                  useradd -m build
-                  mkdir -p /home/build/linux
-                  cp -vR * /home/build/linux
-                  chown -vR build /home/build/linux
-
             - name: Set up pacman keyring
               run: |
                   pacman-key --init
@@ -73,28 +70,118 @@ jobs:
 
             - name: Install dependencies
               run: |
-                  pacman -Syu --noconfirm bc cpio gettext jq libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra sed
+                  pacman -Syu --noconfirm bc cpio gettext jq libelf pahole perl python rust rust-bindgen rust-src tar xz graphviz imagemagick python-sphinx python-yaml texlive-latexextra sed wget
+
+            - name: Get version
+              id: version
+              shell: bash
+              run: |
+                  if [ -n "${{ github.event.inputs.version }}" ]; then
+                    OGC_VERSION="${{ github.event.inputs.version }}"
+                  else
+                    TAG="${{ github.ref_name }}"
+                    OGC_VERSION="${TAG#v}"
+                  fi
+                  KERNEL_VERSION="${OGC_VERSION%-ogc*}"
+                  MAJOR_VERSION="${KERNEL_VERSION%%.*}.x"
+                  echo "ogc_version=$OGC_VERSION" >> "$GITHUB_OUTPUT"
+                  echo "kernel_version=$KERNEL_VERSION" >> "$GITHUB_OUTPUT"
+                  echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT"
+                  OGC_REV="${OGC_VERSION##*-ogc}"
+                  BASE_KVER="${KERNEL_VERSION%.*}"
+                  STABLE_KVER="${KERNEL_VERSION##*.}"
+                  if [ "$STABLE_KVER" = "0" ]; then
+                    TAR_KVER="$BASE_KVER"
+                  else
+                    TAR_KVER="$KERNEL_VERSION"
+                  fi
+                  echo "ogc_rev=$OGC_REV" >> "$GITHUB_OUTPUT"
+                  echo "base_kver=$BASE_KVER" >> "$GITHUB_OUTPUT"
+                  echo "stable_kver=$STABLE_KVER" >> "$GITHUB_OUTPUT"
+                  echo "tar_kver=$TAR_KVER" >> "$GITHUB_OUTPUT"
+
+            - name: Substitute versions
+              shell: bash
+              run: |
+                  OGC_VERSION="${{ steps.version.outputs.ogc_version }}"
+                  ARCH_PKGVER="${OGC_VERSION/-/.}"
+                  TAR_KVER="${{ steps.version.outputs.tar_kver }}"
+                  sed -i \
+                    -e "s/@@OGC_VERSION@@/${ARCH_PKGVER}/" \
+                    -e "s/@@TAR_KVER@@/${TAR_KVER}/" \
+                    arch/PKGBUILD
+
+            - name: Create build user
+              run: |
+                  useradd -m build
+                  mkdir -p /home/build/linux
+                  cp -vR * /home/build/linux
+                  chown -vR build /home/build/linux
 
-            - name: Configure AppArmor as default LSM
+            - name: Download and verify kernel source
+              shell: bash
+              run: |
+                  TAR_KVER="${{ steps.version.outputs.tar_kver }}"
+                  MAJOR_VERSION="${{ steps.version.outputs.major_version }}"
+                  OGC_VERSION="${{ steps.version.outputs.ogc_version }}"
+                  wget https://cdn.kernel.org/pub/linux/kernel/v${MAJOR_VERSION}/linux-${TAR_KVER}.tar.xz
+                  wget https://cdn.kernel.org/pub/linux/kernel/v${MAJOR_VERSION}/linux-${TAR_KVER}.tar.sign
+                  wget https://github.com/OpenGamingCollective/linux/releases/download/v${OGC_VERSION}/monolithic.patch
+                  wget https://github.com/OpenGamingCollective/linux/releases/download/v${OGC_VERSION}/monolithic.patch.sig
+                  # Import kernel.org signing keys (Linus Torvalds & Greg Kroah-Hartman)
+                  gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys \
+                    ABAF11C65A2970B130ABE3C479BE3E4300411886 \
+                    647F28654894E3BD457199BE38DBBDC86092693E
+                  # Import OGC patch signing key
+                  gpg --import $GITHUB_WORKSPACE/public.key
+                  # Verify kernel tarball signature
+                  xz -dc linux-${TAR_KVER}.tar.xz | gpg --verify linux-${TAR_KVER}.tar.sign -
+                  # Verify OGC monolithic patch signature
+                  gpg --verify monolithic.patch.sig monolithic.patch
+                  tar -xf linux-${TAR_KVER}.tar.xz
+                  cd linux-${TAR_KVER}
+                  patch -Np1 < ../monolithic.patch
+
+            - name: Generate default config
+              shell: bash
               run: |
-                  sed -i 's/^CONFIG_LSM=.*/CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor,bpf"/' config
+                  cd linux-${{ steps.version.outputs.tar_kver }}
+                  make x86_64_defconfig
+
+            - name: Configure kernel
+              uses: OpenGamingCollective/kernel-configurator@5b4abc58a2edf89941180dbbe33b26415db23b0b # v1.0.1
+              with:
+                  config: linux-${{ steps.version.outputs.tar_kver }}/.config
+                  set: |
+                      config/generic.config.set
+                      config/ogc.config.set
+                      arch/config.set
+                  unset: |
+                      config/ogc.config.unset
+                      arch/config.unset
+
+            - name: Upload kernel config
+              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+              with:
+                  name: kernel-config
+                  path: linux-${{ steps.version.outputs.tar_kver }}/.config
 
             - name: Build linux package
               id: build-kernel-package
               shell: bash
               run: |
-                  su build bash -c "cd /home/build/linux/arch && MAKEFLAGS=-j$(nproc) makepkg --skippgpcheck"
+                  TAR_KVER="${{ steps.version.outputs.tar_kver }}"
+                  # Pre-populate makepkg source cache
+                  cp linux-${TAR_KVER}.tar.xz /home/build/linux/arch/
+                  cp monolithic.patch /home/build/linux/arch/
+                  # Copy patched config
+                  cp linux-${TAR_KVER}/.config /home/build/linux/arch/config
+                  chown -R build /home/build/linux
+                  su build bash -c "cd /home/build/linux/arch && MAKEFLAGS=-j$(nproc) makepkg --skippgpcheck --skipchecksums --skipinteg"
                   . /home/build/linux/arch/PKGBUILD
                   full_version=${pkgver}-${pkgrel}
                   echo "full_version=$full_version" >> "$GITHUB_OUTPUT"
 
-            - name: Get OGC version
-              if: startsWith(github.ref, 'refs/tags/')
-              id: version
-              run: |
-                  TAG="${{ github.ref_name }}"
-                  echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
-
             - name: Setup ORAS
               if: startsWith(github.ref, 'refs/tags/')
               uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
@@ -112,7 +199,7 @@ jobs:
               if: startsWith(github.ref, 'refs/tags/')
               id: push
               run: |
-                  VERSION="${{ steps.version.outputs.version }}"
+                  VERSION="${{ steps.version.outputs.ogc_version }}"
                   REPO="${{ env.OCI_REPO }}"
                   cd /home/build/linux/arch
                   DIGEST=$(oras push --format json "${REPO}:${VERSION}" ./*.pkg.tar.zst | jq -r '.digest')
@@ -123,6 +210,14 @@ jobs:
                   oras tag "${REPO}:${VERSION}" latest
                   echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 
+            - name: Sign artifacts
+              if: startsWith(github.ref, 'refs/tags/')
+              run: |
+                  VERSION="${{ steps.version.outputs.ogc_version }}"
+                  REPO="${{ env.OCI_REPO }}"
+                  cosign sign --yes "${REPO}:${VERSION}"
+                  cosign sign --yes "${REPO}:latest"
+
             - name: Attest build provenance
               if: startsWith(github.ref, 'refs/tags/')
               uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
@@ -131,18 +226,10 @@ jobs:
                   subject-digest: ${{ steps.push.outputs.digest }}
                   push-to-registry: true
 
-            - name: Sign artifacts
-              if: startsWith(github.ref, 'refs/tags/')
-              run: |
-                  VERSION="${{ steps.version.outputs.version }}"
-                  REPO="${{ env.OCI_REPO }}"
-                  cosign sign --yes "${REPO}:${VERSION}"
-                  cosign sign --yes "${REPO}:latest"
-
             - name: Verify signature
               if: startsWith(github.ref, 'refs/tags/')
               run: |
-                  VERSION="${{ steps.version.outputs.version }}"
+                  VERSION="${{ steps.version.outputs.ogc_version }}"
                   REPO="${{ env.OCI_REPO }}"
                   cosign verify \
                     --certificate-identity-regexp=".*" \