2022-11-29 10:58:22 -05:00
|
|
|
name: Make updated OS images available on release
|
|
|
|
|
|
|
|
on:
|
|
|
|
release:
|
|
|
|
types: [published]
|
|
|
|
workflow_dispatch:
|
|
|
|
inputs:
|
|
|
|
tag:
|
|
|
|
description: "Semantic version tag of the release (vX.Y.Z)."
|
|
|
|
required: true
|
2022-12-09 05:51:38 -05:00
|
|
|
latest:
|
|
|
|
description: "Whether to update the latest tag."
|
|
|
|
type: boolean
|
|
|
|
default: false
|
2022-11-29 10:58:22 -05:00
|
|
|
|
|
|
|
jobs:
|
2023-05-25 04:14:42 -04:00
|
|
|
complete-release-branch-transaction:
|
|
|
|
runs-on: ubuntu-22.04
|
|
|
|
permissions:
|
|
|
|
id-token: write
|
2023-12-19 11:37:49 -05:00
|
|
|
contents: write
|
2023-05-25 04:14:42 -04:00
|
|
|
env:
|
|
|
|
FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
|
|
|
|
outputs:
|
|
|
|
RELEASE_BRANCH: ${{ env.RELEASE_BRANCH }}
|
|
|
|
WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
|
|
|
|
steps:
|
|
|
|
- name: Checkout
|
2024-06-19 09:19:41 -04:00
|
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
2023-08-28 03:21:25 -04:00
|
|
|
with:
|
|
|
|
fetch-depth: 0 # fetch all history
|
2023-05-25 04:14:42 -04:00
|
|
|
|
|
|
|
- name: Determine branch names
|
|
|
|
run: |
|
2023-12-19 14:19:46 -05:00
|
|
|
RELEASE_BRANCH="release/${FULL_VERSION%.*}"
|
2023-08-28 03:21:25 -04:00
|
|
|
WORKING_BRANCH="tmp/${FULL_VERSION}"
|
2023-05-25 04:14:42 -04:00
|
|
|
echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV"
|
|
|
|
echo "WORKING_BRANCH=${WORKING_BRANCH}" | tee -a "$GITHUB_ENV"
|
|
|
|
|
2023-09-26 05:15:28 -04:00
|
|
|
- name: Create or update release branch
|
2023-05-25 04:14:42 -04:00
|
|
|
run: |
|
|
|
|
git fetch
|
2023-09-26 05:15:28 -04:00
|
|
|
git checkout "${WORKING_BRANCH}" # ensure branch exists locally
|
|
|
|
git push origin "${WORKING_BRANCH}":"${RELEASE_BRANCH}"
|
2023-05-25 04:14:42 -04:00
|
|
|
|
2022-11-29 10:58:22 -05:00
|
|
|
update:
|
|
|
|
runs-on: ubuntu-22.04
|
2023-04-14 12:04:03 -04:00
|
|
|
outputs:
|
|
|
|
latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
|
2022-11-29 10:58:22 -05:00
|
|
|
steps:
|
|
|
|
- name: Checkout
|
2024-06-19 09:19:41 -04:00
|
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
2022-11-29 10:58:22 -05:00
|
|
|
|
2023-01-11 05:40:27 -05:00
|
|
|
- name: Override latest
|
|
|
|
if: github.event.inputs.latest == 'true'
|
2023-04-14 12:04:03 -04:00
|
|
|
id: input-passthrough
|
|
|
|
run: echo "latest=true" | tee -a "$GITHUB_OUTPUT"
|
2023-01-11 05:40:27 -05:00
|
|
|
|
|
|
|
- name: Check if should mark latest
|
|
|
|
if: github.event.inputs.latest != 'true'
|
2023-04-14 12:04:03 -04:00
|
|
|
id: check-last-release
|
2023-01-11 05:40:27 -05:00
|
|
|
env:
|
2023-04-14 12:04:03 -04:00
|
|
|
REPO: edgelesssys/constellation
|
2023-01-11 05:40:27 -05:00
|
|
|
GH_TOKEN: ${{ github.token }}
|
|
|
|
run: |
|
2023-04-14 12:04:03 -04:00
|
|
|
latest_release_tag=$(
|
|
|
|
gh api \
|
|
|
|
-H "Accept: application/vnd.github+json" \
|
|
|
|
"/repos/${REPO}/releases/latest" \
|
|
|
|
| jq -r '.tag_name'
|
|
|
|
)
|
|
|
|
|
|
|
|
current_tag=${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
|
2023-01-11 05:40:27 -05:00
|
|
|
echo "Latest release tag: ${latest_release_tag}"
|
2023-04-14 12:04:03 -04:00
|
|
|
echo "Current tag: ${current_tag}"
|
|
|
|
|
|
|
|
if [[ "${latest_release_tag}" == "${current_tag}" ]]; then
|
|
|
|
echo "latest=true" | tee -a "$GITHUB_OUTPUT"
|
2023-01-11 05:40:27 -05:00
|
|
|
else
|
2023-04-14 12:04:03 -04:00
|
|
|
echo "latest=false" | tee -a "$GITHUB_OUTPUT"
|
2023-01-11 05:40:27 -05:00
|
|
|
fi
|
|
|
|
|
2023-03-10 04:21:58 -05:00
|
|
|
add-image-version-to-versionsapi:
|
|
|
|
needs: [update]
|
|
|
|
name: "Add image version to versionsapi"
|
|
|
|
permissions:
|
|
|
|
contents: read
|
|
|
|
id-token: write
|
|
|
|
uses: ./.github/workflows/versionsapi.yml
|
|
|
|
with:
|
|
|
|
command: add
|
|
|
|
add_release: true
|
|
|
|
stream: stable
|
2023-04-14 12:04:03 -04:00
|
|
|
version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
|
2023-03-10 04:21:58 -05:00
|
|
|
kind: image
|
2023-04-14 12:04:03 -04:00
|
|
|
add_latest: ${{ needs.update.outputs.latest == 'true' }}
|
2022-12-30 04:12:48 -05:00
|
|
|
|
2023-03-10 04:21:58 -05:00
|
|
|
add-cli-version-to-versionsapi:
|
2023-04-14 12:04:03 -04:00
|
|
|
needs: [update, add-image-version-to-versionsapi] # run workflow calls after each other
|
2023-03-10 04:21:58 -05:00
|
|
|
name: "Add CLI version to versionsapi"
|
|
|
|
permissions:
|
|
|
|
contents: read
|
|
|
|
id-token: write
|
|
|
|
uses: ./.github/workflows/versionsapi.yml
|
|
|
|
with:
|
|
|
|
command: add
|
|
|
|
add_release: true
|
|
|
|
stream: stable
|
2023-04-14 12:04:03 -04:00
|
|
|
version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
|
2023-03-10 04:21:58 -05:00
|
|
|
kind: cli
|
2023-04-14 12:04:03 -04:00
|
|
|
add_latest: ${{ needs.update.outputs.latest == 'true' }}
|
2023-05-25 04:14:42 -04:00
|
|
|
|
|
|
|
remove-temporary-branch:
|
|
|
|
needs:
|
|
|
|
[
|
|
|
|
complete-release-branch-transaction,
|
|
|
|
add-image-version-to-versionsapi,
|
|
|
|
add-cli-version-to-versionsapi,
|
|
|
|
]
|
|
|
|
runs-on: ubuntu-22.04
|
|
|
|
permissions:
|
|
|
|
id-token: write
|
2023-12-19 11:37:49 -05:00
|
|
|
contents: write
|
2023-05-25 04:14:42 -04:00
|
|
|
steps:
|
|
|
|
- name: Checkout
|
2024-06-19 09:19:41 -04:00
|
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
2023-05-25 04:14:42 -04:00
|
|
|
|
|
|
|
- name: Remove temporary branch
|
2024-01-09 13:37:56 -05:00
|
|
|
run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
|
2024-01-15 07:58:30 -05:00
|
|
|
|
|
|
|
mirror-gcp-mpi:
|
|
|
|
name: "Mirror GCP Marketplace Image"
|
|
|
|
needs: [add-image-version-to-versionsapi]
|
|
|
|
runs-on: ubuntu-22.04
|
|
|
|
permissions:
|
|
|
|
id-token: write
|
|
|
|
contents: read
|
|
|
|
steps:
|
|
|
|
- name: Checkout
|
2024-06-19 09:19:41 -04:00
|
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
2024-01-15 07:58:30 -05:00
|
|
|
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
|
|
|
|
|
|
- name: Login to AWS
|
2024-02-21 09:29:06 -05:00
|
|
|
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
2024-01-15 07:58:30 -05:00
|
|
|
with:
|
|
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
|
|
aws-region: eu-central-1
|
|
|
|
|
|
|
|
- name: Fetch latest release version
|
|
|
|
id: fetch-version
|
|
|
|
uses: ./.github/actions/versionsapi
|
|
|
|
with:
|
|
|
|
command: latest
|
|
|
|
stream: stable
|
|
|
|
ref: "-"
|
|
|
|
|
|
|
|
- name: Fetch GCP image reference
|
|
|
|
id: fetch-reference
|
|
|
|
shell: bash
|
|
|
|
run: |
|
2024-04-16 12:13:47 -04:00
|
|
|
# TODO(msanft): Implement marketplace images for GCP SEV-SNP
|
2024-01-15 07:58:30 -05:00
|
|
|
aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
|
|
|
|
FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json)
|
|
|
|
IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
|
|
|
|
echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
|
|
|
|
- name: Login to GCP
|
|
|
|
uses: ./.github/actions/login_gcp
|
|
|
|
with:
|
|
|
|
service_account: "mp-image-uploader@edgeless-systems-public.iam.gserviceaccount.com"
|
|
|
|
|
|
|
|
- name: Mirror
|
|
|
|
shell: bash
|
|
|
|
run: |
|
|
|
|
gcloud --project=edgeless-systems-public compute images create ${{ steps.fetch-reference.outputs.reference }} \
|
|
|
|
--source-image=${{ steps.fetch-reference.outputs.reference }} \
|
|
|
|
--source-image-project=constellation-images \
|
|
|
|
--licenses=projects/edgeless-systems-public/global/licenses/cloud-marketplace-c3d24830a0502e29-df1ebeb69c0ba664
|