
github-actions: Upload built kernel binaries as a downloadable artifact #1225

Open. kemotaha wants to merge 3 commits into main from gha/upload-kernel-tarball

@kemotaha (Collaborator) commented May 14, 2026

Summary

  • Add an upload-artifact step to the multi-arch CI workflow that publishes the kernel binaries tarball produced by ctrliq/kernel-container-build#32.
  • Tarball inside the artifact: kernel-<kernelrelease>-<arch>.tar.xz (contains vmlinuz, System.map, modules tree, and optionally config/initramfs).
  • Artifact name in the run: kernel-binaries-<arch> (one per matrix arch).

Order of operations

Land ctrliq/kernel-container-build#32 first. Until that's merged, this PR's upload step will find no file in output/ and will log a warning (if-no-files-found: warn) — non-fatal so production CI isn't broken if this lands out of order. Once kernel-container-build has merged and is producing the tarball reliably, consider flipping to if-no-files-found: error.

How to use the tarball

Once both PRs are merged, every CI run on a {user}_<base> push will produce two new artifacts on the run summary page:

  • kernel-binaries-x86_64
  • kernel-binaries-aarch64

Download

Via the GitHub UI: Actions tab → run → scroll to the Artifacts section at the bottom → click kernel-binaries-<arch> to download a ZIP containing the .tar.xz.

Via CLI:

gh run download <RUN_ID> -R ctrliq/kernel-src-tree -n kernel-binaries-x86_64 -D ./
# yields: kernel-<KREL>-x86_64.tar.xz

Install on a target host (RHEL/Rocky 8/9/10)

KREL='<KREL>'   # e.g. 5.14.0-_jmaple__ciqlts9_2-01e4dfc2e+
TARBALL="kernel-${KREL}-x86_64.tar.xz"

# 1. Extract vmlinuz, System.map, optional initramfs, and the modules tree to /
sudo tar -xJf "$TARBALL" -C /

# 2. Refresh module dependency database
sudo depmod -a "$KREL"

# 3. Regenerate the initramfs against this host's storage drivers
#    (the bundled initramfs was built inside the CI container and is not
#    guaranteed to match your rootfs/devices)
sudo dracut --force /boot/initramfs-"$KREL".img "$KREL"

# 4. Add a GRUB entry and make it the default
sudo grubby --add-kernel=/boot/vmlinuz-"$KREL" \
            --initrd=/boot/initramfs-"$KREL".img \
            --title="CIQ test: $KREL" \
            --copy-default
sudo grubby --set-default=/boot/vmlinuz-"$KREL"

# 5. Reboot — pick the new kernel from GRUB if not default
sudo reboot

# 6. Confirm
uname -r       # should print <KREL>

To roll back after testing:

sudo grubby --set-default=/boot/vmlinuz-<stock-kernel>
sudo grubby --remove-kernel=/boot/vmlinuz-"$KREL"
sudo reboot

Caveat: UEFI Secure Boot

The kernel in the tarball is not signed by any trusted UEFI key. On hosts with Secure Boot enabled, shim/GRUB will refuse to load it (error: prohibited by secure boot policy). Either:

  • Disable Secure Boot on the target host (firmware setup, or mokutil --disable-validation followed by an interactive MOK Manager confirmation at next boot), or
  • Sign the vmlinuz with a key already enrolled in shim's MOK db before installing.

Validation

  • End-to-end build on a real Rocky 9 VM (pulp.prod.ciq.dev/ciq/cicd/lts-images/builder + lts-9.2-kernel-builder) against a ciqlts9_2 checkout: tarball appears at output/kernel-*.tar.xz and is a valid xz archive
  • Naming format: kernel-5.14.0-_jmaple__ciqlts9_2-01e4dfc2e+-x86_64.tar.xz (version + arch, no redundancy)
  • Compressed size ~80 MB (x86_64) / ~56 MB (aarch64); 2235 .ko files on x86_64
  • Real CI integration via workflow_dispatch: https://github.com/ctrliq/kernel-src-tree/actions/runs/25837047151 — both kernel-binaries-x86_64 and kernel-binaries-aarch64 artifacts published
  • Tarball installed and booted on a real RHEL/Rocky 9.6 host with Secure Boot disabled — kernel runs, modules load, no errors in dmesg

🤖 Generated with Claude Code
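
An added example, not part of the PR or the project's code: step 1 above unpacks a CI-built archive into / as root, so this Python check lists the tarball's members first and flags entries worth reviewing before extraction. The function name `audit_kernel_tarball` and the allowed prefixes `boot/` and `lib/modules/<KREL>/` are assumptions, since the page does not spell out the archive layout.

```python
import stat
import tarfile
from pathlib import PurePosixPath


def audit_kernel_tarball(source, krel, allowed=None):
    """Return [(member_name, reason)]; an empty list means nothing was flagged.

    source is a path string or a seekable binary file object.
    """
    # Assumption (layout is not spelled out on the page): all members sit
    # under boot/ or lib/modules/<KREL>/ relative to the archive root.
    allowed = [PurePosixPath(a).parts
               for a in (allowed or ("boot", f"lib/modules/{krel}"))]
    findings, symlinks = [], set()
    kwargs = {"name": source} if isinstance(source, str) else {"fileobj": source}
    with tarfile.open(mode="r:*", **kwargs) as tf:  # r:* auto-detects xz
        for m in tf:
            parts = PurePosixPath(m.name).parts  # drops any "./" prefix
            if not parts and m.isdir():
                continue  # the "./" root entry itself
            if m.name.startswith("/") or ".." in parts:
                findings.append((m.name, "path escapes extraction root"))
                continue
            # Inside an allowed prefix, or a parent directory leading to one.
            inside = any(parts[:len(a)] == a
                         or (m.isdir() and a[:len(parts)] == parts)
                         for a in allowed)
            if not inside:
                findings.append((m.name, "outside expected kernel paths"))
            # A member placed beneath an earlier symlink member is written
            # wherever that symlink points once tar has created it.
            if any(parts[:i] in symlinks for i in range(1, len(parts))):
                findings.append((m.name, "written through an archived symlink"))
            if m.issym():
                symlinks.add(parts)
            elif m.islnk():
                findings.append((m.name, f"hard link to {m.linkname}"))
            elif m.isdev():
                findings.append((m.name, "device node or FIFO"))
            elif m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
    return findings
```

Run it on the downloaded `.tar.xz` with the same `<KREL>` used in the install steps and extract only when the returned list is empty or every entry has been explained.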

Add an upload-artifact step that publishes the kernel-<kernelrelease>-<arch>.tar.xz
tarball produced by build_kernel.sh in kernel-container-build, so testers can
download the built kernel (vmlinuz, modules, config, System.map, optional
initramfs) directly from each CI run.

Paired with the matching extraction step in ctrliq/kernel-container-build.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 14, 2026 01:50

Copilot AI left a comment


Pull request overview

Adds an upload-artifact step to the multi-arch CI workflow so the kernel binaries tarball (produced by a companion change in kernel-container-build) is published as a downloadable per-arch artifact.

Changes:

  • New Upload kernel binaries tarball step using actions/upload-artifact@v7.0.1, matching output/kernel-*.tar.xz.
  • Configured with if: always(), if-no-files-found: warn, and a 7-day retention to remain non-fatal until the producing PR lands.


kemotaha and others added 2 commits May 13, 2026 19:54
DO NOT MERGE — revert before opening for review.

This commit points the workflow at the kernel-container-build feature
branch so workflow_dispatch can exercise the new tarball extraction
step end-to-end before kernel-container-build#32 lands on main.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 14, 2026 02:59

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@kemotaha kemotaha marked this pull request as ready for review May 14, 2026 03:02
@shreeya-patel98 (Collaborator) left a comment


I have requested a change for one minor thing in the kernel-container-repo PR; this one looks good to me.

Also, I think it would be nice to do the same for getting kselftest and ltp artifacts so when we are in a rush to test things, we can just install the compiled binaries and run them locally.
