constellation/.github/workflows/on-release.yml

180 lines
6.0 KiB
YAML
Raw Normal View History

name: Make updated OS images available on release
on:
release:
types: [published]
workflow_dispatch:
inputs:
tag:
description: "Semantic version tag of the release (vX.Y.Z)."
required: true
latest:
description: "Whether to update the latest tag."
type: boolean
default: false
jobs:
complete-release-branch-transaction:
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: write
env:
FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
outputs:
RELEASE_BRANCH: ${{ env.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
2023-08-28 03:21:25 -04:00
with:
fetch-depth: 0 # fetch all history
- name: Determine branch names
run: |
2023-12-19 14:19:46 -05:00
RELEASE_BRANCH="release/${FULL_VERSION%.*}"
2023-08-28 03:21:25 -04:00
WORKING_BRANCH="tmp/${FULL_VERSION}"
echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV"
echo "WORKING_BRANCH=${WORKING_BRANCH}" | tee -a "$GITHUB_ENV"
- name: Create or update release branch
run: |
git fetch
git checkout "${WORKING_BRANCH}" # ensure branch exists locally
git push origin "${WORKING_BRANCH}":"${RELEASE_BRANCH}"
update:
runs-on: ubuntu-22.04
outputs:
latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Override latest
if: github.event.inputs.latest == 'true'
id: input-passthrough
run: echo "latest=true" | tee -a "$GITHUB_OUTPUT"
- name: Check if should mark latest
if: github.event.inputs.latest != 'true'
id: check-last-release
env:
REPO: edgelesssys/constellation
GH_TOKEN: ${{ github.token }}
run: |
latest_release_tag=$(
gh api \
-H "Accept: application/vnd.github+json" \
"/repos/${REPO}/releases/latest" \
| jq -r '.tag_name'
)
current_tag=${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
echo "Latest release tag: ${latest_release_tag}"
echo "Current tag: ${current_tag}"
if [[ "${latest_release_tag}" == "${current_tag}" ]]; then
echo "latest=true" | tee -a "$GITHUB_OUTPUT"
else
echo "latest=false" | tee -a "$GITHUB_OUTPUT"
fi
add-image-version-to-versionsapi:
needs: [update]
name: "Add image version to versionsapi"
permissions:
contents: read
id-token: write
uses: ./.github/workflows/versionsapi.yml
with:
command: add
add_release: true
stream: stable
version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
kind: image
add_latest: ${{ needs.update.outputs.latest == 'true' }}
add-cli-version-to-versionsapi:
needs: [update, add-image-version-to-versionsapi] # run workflow calls after each other
name: "Add CLI version to versionsapi"
permissions:
contents: read
id-token: write
uses: ./.github/workflows/versionsapi.yml
with:
command: add
add_release: true
stream: stable
version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
kind: cli
add_latest: ${{ needs.update.outputs.latest == 'true' }}
remove-temporary-branch:
needs:
[
complete-release-branch-transaction,
add-image-version-to-versionsapi,
add-cli-version-to-versionsapi,
]
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Remove temporary branch
run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
mirror-gcp-mpi:
name: "Mirror GCP Marketplace Image"
needs: [add-image-version-to-versionsapi]
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/setup_bazel_nix
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
- name: Fetch latest release version
id: fetch-version
uses: ./.github/actions/versionsapi
with:
command: latest
stream: stable
ref: "-"
- name: Fetch GCP image reference
id: fetch-reference
shell: bash
run: |
Support SEV-SNP on GCP (#3011) * terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2024-04-16 12:13:47 -04:00
# TODO(msanft): Implement marketplace images for GCP SEV-SNP
aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json)
IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT"
- name: Login to GCP
uses: ./.github/actions/login_gcp
with:
service_account: "mp-image-uploader@edgeless-systems-public.iam.gserviceaccount.com"
- name: Mirror
shell: bash
run: |
gcloud --project=edgeless-systems-public compute images create ${{ steps.fetch-reference.outputs.reference }} \
--source-image=${{ steps.fetch-reference.outputs.reference }} \
--source-image-project=constellation-images \
--licenses=projects/edgeless-systems-public/global/licenses/cloud-marketplace-c3d24830a0502e29-df1ebeb69c0ba664