diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml 
index 1f7ff4b0b..b14f4e613 100644 
--- a/.github/actions/e2e_test/action.yml 
+++ b/.github/actions/e2e_test/action.yml 
@@ -68,6 +68,12 @@ inputs:
 buildBuddyApiKey:
 description: "BuildBuddy API key for caching Bazel artifacts"
 required: true 
+ registry: 
+ description: "Container registry to use" 
+ required: true 
+ githubToken: 
+ description: "GitHub authorization token" 
+ required: true
 outputs:
 kubeconfig: 
@@ -146,6 +152,11 @@ runs:
 targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
 targetArch: ${{ steps.determine-build-target.outputs.hostArch }} 
+ - name: Upload container images 
+ if: inputs.cliVersion == '' 
+ shell: bash 
+ run: bazel run //:push 
+
 - name: Login to GCP (IAM service account)
 if: inputs.cloudProvider == 'gcp'
 uses: ./.github/actions/login_gcp 
@@ -161,6 +172,13 @@ runs:
 # extend token expiry to 6 hours to ensure constellation can terminate
 role-duration-seconds: 21600 
+ - name: Log in to the Container registry 
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0 
+ with: 
+ registry: ${{ inputs.registry }} 
+ username: ${{ github.actor }} 
+ password: ${{ inputs.githubToken }} 
+
 - name: Login to Azure (IAM service principal)
 if: inputs.cloudProvider == 'azure'
 uses: ./.github/actions/login_azure 
diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml 
index 8266eb529..890a4cfa5 100644 
--- a/.github/workflows/e2e-test-daily.yml 
+++ b/.github/workflows/e2e-test-daily.yml 
@@ -86,6 +86,8 @@ jobs:
 buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} 
+ registry: ghcr.io 
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
 - name: Always terminate cluster
 if: always() 
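Review bot: As far as the hunk order shows, the new `Upload container images` step (`bazel run //:push`, new line ~155) runs before the `Log in to the Container registry` step that the next hunk adds after the AWS login (new line ~175), so on a fresh runner the push reaches the registry without credentials unless something earlier in this action already logged in. Move the login step directly ahead of this one and give it the same `if: inputs.cliVersion == ''` guard, so the two steps visibly form one unit. It is also worth noting in the step that `inputs.registry` only selects the login host while the destination repository is whatever `//:push` pins in Bazel, e.g. `# NOTE: push destination is fixed in //:push; inputs.registry only chooses the login host`.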
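Review bot: The `Log in to the Container registry` step has no `if:` guard although the push it serves is gated on `inputs.cliVersion == ''`, so every e2e run with a pinned CLI version still writes `inputs.githubToken` into the runner's Docker config and keeps it there for the whole cluster test. Gate it with the same condition, `if: inputs.cliVersion == ''`, and rely on `docker/login-action`'s default `logout: true` post step so the credential is removed when the job ends. The step also runs for every cloud provider even though it is unrelated to the provider logins it sits between; placing it next to the push step would make that dependency obvious to the next reader.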
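Review bot: This hunk hands `secrets.GITHUB_TOKEN` to the action for a ghcr.io push but, unlike the manual workflow in this same change, does not add `packages: write` to the job's permissions; if the daily job's permission block outside this diff is read-only or default, the login will succeed and `bazel run //:push` will only be rejected with a 403 at push time. Either grant `packages: write` on this job, or, if the daily run always passes a `cliVersion` and never pushes, make `githubToken` optional in the action so a token does not have to be handed to a step that never uses it.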
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml 
index 87968d557..56fd74d29 100644 
--- a/.github/workflows/e2e-test-manual.yml 
+++ b/.github/workflows/e2e-test-manual.yml 
@@ -206,6 +206,7 @@ jobs:
 id-token: write
 checks: write
 contents: read 
+ packages: write
 needs: [find-latest-image, split-cliImageVersion]
 if: always() && !cancelled()
 steps: 
@@ -259,6 +260,8 @@ jobs:
 buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} 
+ registry: ghcr.io 
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
 - name: Always terminate cluster
 if: always() 
diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml 
index 608d9fedd..dbbfedb1d 100644 
--- a/.github/workflows/e2e-test-release.yml 
+++ b/.github/workflows/e2e-test-release.yml 
@@ -204,6 +204,8 @@ jobs:
 buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} 
+ registry: ghcr.io 
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
 - name: Always terminate cluster
 if: always() 
diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml 
index 877ba3048..bf14bb25e 100644 
--- a/.github/workflows/e2e-test-weekly.yml 
+++ b/.github/workflows/e2e-test-weekly.yml 
@@ -209,6 +209,8 @@ jobs:
 buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} 
+ registry: ghcr.io 
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
 - name: Always terminate cluster
 if: always() 
diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml 
index f9c874f1d..1e4e66672 100644 
--- a/.github/workflows/e2e-upgrade.yml 
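Review bot: `packages: write` is added to a `workflow_dispatch` job with a caller-chosen `cliVersion` that runs a full cluster e2e test, so a token able to overwrite images under the organisation's ghcr.io namespace is live for the whole test, not only during the push. That is defensible only if `//:push` publishes dev-only tags that cannot collide with release tags; a comment above the permission stating that, e.g. `# needed for bazel run //:push in the e2e_test action (dev image tags only)`, would make the scope of the grant reviewable. If the build-and-push can be split into its own job, the e2e job could keep `packages: read`.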
+++ b/.github/workflows/e2e-upgrade.yml 
@@ -83,6 +83,12 @@ on:
 default: false
 required: false 
+env: 
+ ARM_CLIENT_ID: ${{ secrets.AZURE_E2E_CLIENT_ID }} 
+ ARM_CLIENT_SECRET: ${{ secrets.AZURE_E2E_CLIENT_SECRET }} 
+ ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }} 
+ ARM_TENANT_ID: ${{ secrets.AZURE_E2E_TENANT_ID }} 
+
 jobs:
 e2e-upgrade:
 runs-on: ubuntu-22.04 
@@ -142,6 +148,8 @@ jobs:
 buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} 
+ registry: ghcr.io 
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
 - name: Run upgrade test
 env: 
diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml 
index 75883b326..a0906e9f2 100644 
--- a/.github/workflows/release-cli.yml 
+++ b/.github/workflows/release-cli.yml 
@@ -7,12 +7,30 @@ on:
 type: string
 description: "Git ref to checkout"
 required: false 
+ pushContainers: 
+ type: boolean 
+ description: "Push containers pinned in the cli to container registry" 
+ required: false 
+ default: false 
+ registry: 
+ description: "Container registry to use" 
+ type: string 
+ default: ghcr.io
 workflow_call:
 inputs:
 ref:
 type: string
 description: "Git ref to checkout"
 required: true 
+ pushContainers: 
+ type: boolean 
+ description: "Push containers pinned in the cli to container registry" 
+ required: false 
+ default: false 
+ registry: 
+ description: "Container registry to use" 
+ type: string 
+ default: ghcr.io
 jobs:
 build-cli: 
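Review bot: The workflow-level `env:` block exports `ARM_CLIENT_SECRET`, a long-lived service-principal secret, to every step of every job in this workflow, including third-party actions, the Bazel build and the upgrade test itself, rather than to the one step that needs the Terraform `ARM_*` variables. Scope the four variables to that step (`env:` under the step, or at most under the `e2e-upgrade` job) so the secret is not in the process environment of code that has no use for it. If the Azure login driven by `azureIAMCreateCredentials` already authenticates as the same principal, consider whether the static secret is needed at all or whether the job's `id-token: write` with OIDC federation can replace it.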
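Review bot: `registry` is a free-form string input on `workflow_dispatch` that the `push-containers` job feeds straight into `docker/login-action` together with `secrets.GITHUB_TOKEN`; anyone allowed to dispatch the workflow can point it at a host they control and receive a token that, in that job, carries `packages: write` and `contents: write`. Constrain it (`type: choice` with `options: [ghcr.io]`, or validate the value in a step before the login) rather than accepting any hostname. The description also overstates what the input does: as far as this diff shows it only selects the login host and the push destination is pinned in `//:push`, so `description: "Registry to authenticate against (push targets are pinned in //:push)"` would be more accurate.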
@@ -50,6 +68,37 @@ jobs:
 name: constellation-${{ matrix.os }}-${{ matrix.arch }}
 path: build/constellation-${{ matrix.os }}-${{ matrix.arch }} 
+ push-containers: 
+ runs-on: ubuntu-22.04 
+ if: inputs.pushContainers 
+ permissions: 
+ actions: read 
+ contents: write 
+ id-token: write 
+ packages: write 
+ steps: 
+ - name: Checkout 
+ id: checkout 
+ uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 
+ with: 
+ ref: ${{ inputs.ref || github.head_ref }} 
+ 
+ - name: Setup bazel 
+ uses: ./.github/actions/setup_bazel 
+ with: 
+ useCache: "false" 
+ 
+ - name: Log in to the Container registry 
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0 
+ with: 
+ registry: ${{ inputs.registry }} 
+ username: ${{ github.actor }} 
+ password: ${{ secrets.GITHUB_TOKEN }} 
+ 
+ - name: Upload referenced container images 
+ shell: bash 
+ run: bazel run //:push 
+
 provenance-subjects:
 runs-on: ubuntu-22.04
 needs: 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml 
index 78568234a..66ca9738b 100644 
--- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml 
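Review bot: The `push-containers` job grants `contents: write` and `id-token: write` although its steps only check out, set up Bazel, log in and run `bazel run //:push`; `contents: read` is all checkout needs, and `id-token: write` is only justified if `//:push` performs keyless signing, which this diff does not show. Tighten to `contents: read` and drop `id-token: write` unless signing is confirmed. More importantly, the release.yml jobs this replaces passed `cosignPrivateKey`/`cosignPassword` into the build actions, while nothing in this job signs what is pushed; unless `//:push` signs internally, released images lose their signatures, so either add a signing step after the push or document in the step why it is no longer required. Note also that `ref: ${{ inputs.ref || github.head_ref }}` lets a dispatch push images built from any ref with the same credentials.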
@@ -126,84 +126,9 @@ jobs:
 git diff --staged --quiet || git commit -m "chore: update version.txt to ${{ inputs.version }}"
 git push origin "${BRANCH}" 
- micro-services: 
- name: Build micro services 
- runs-on: ubuntu-22.04 
- needs: [verify-inputs, prepare-release-branch] 
- permissions: 
- contents: read 
- packages: write 
- strategy: 
- matrix: 
- koTarget: 
- [ 
- ./joinservice/cmd, 
- ./keyservice/cmd, 
- ./verify/cmd, 
- ./operators/constellation-node-operator, 
- ] 
- include: 
- - koTarget: ./joinservice/cmd 
- name: join-service 
- - koTarget: ./keyservice/cmd 
- name: key-service 
- - koTarget: ./verify/cmd 
- name: verification-service 
- - koTarget: ./operators/constellation-node-operator 
- name: node-operator 
- steps: 
- - name: Checkout 
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 
- with: 
- ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} 
- 
- - name: Build ${{ matrix.name }} micro service 
- uses: ./.github/actions/build_micro_service_ko 
- with: 
- koTarget: ${{ matrix.koTarget }} 
- name: ${{ matrix.name }} 
- pushTag: ${{ inputs.version }} 
- githubToken: ${{ secrets.GITHUB_TOKEN }} 
- cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} 
- cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} 
- cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} 
- micro-services-metadata: 
- name: Build docker images 
- runs-on: ubuntu-22.04 
- needs: [verify-inputs, prepare-release-branch] 
- permissions: 
- contents: read 
- packages: write 
- strategy: 
- matrix: 
- appName: [qemu-metadata-api, libvirt] 
- include: 
- - appName: qemu-metadata-api 
- dockerfile: ./hack/qemu-metadata-api/Dockerfile 
- - appName: libvirt 
- dockerfile: ./cli/internal/libvirt/Dockerfile 
- steps: 
- - name: Checkout 
- uses: 
actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 
- with: 
- ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} 
- 
- - name: Build docker image 
- uses: ./.github/actions/build_micro_service 
- with: 
- name: ${{ matrix.appName }} 
- pushTag: ${{ inputs.version }} 
- projectVersion: ${{ needs.verify-inputs.outputs.WITHOUT_V }} 
- dockerfile: ${{ matrix.dockerfile }} 
- githubToken: ${{ secrets.GITHUB_TOKEN }} 
- cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} 
- cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} 
- cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} 
-
 update-versions:
 name: Update container image versions 
- needs: [verify-inputs, micro-services, micro-services-metadata] 
+ needs: [verify-inputs, prepare-release-branch]
 runs-on: ubuntu-22.04
 permissions:
 contents: write 
@@ -217,23 +142,11 @@ jobs:
 with:
 ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} 
- - name: Install crane 
- uses: ./.github/actions/setup_crane 
-
 - name: Update enterprise image version
 run: |
 sed -i "s/defaultImage = \"v[0-9]\+\.[0-9]\+\.[0-9]\+\"/defaultImage = \"${VERSION}\"/" internal/config/images_enterprise.go
 git add internal/config/images_enterprise.go 
- - name: Update micro service versions 
- run: | 
- for service in node-operator join-service key-service verification-service qemu-metadata-api; do 
- name=ghcr.io/edgelesssys/constellation/${service} 
- digest=$(crane digest "${name}:${VERSION}") 
- sed -i "s#\"${name}:v[0-9]\+\.[0-9]\+\.[0-9]\+[^@]*@sha256:[0-9a-f]\+\"#\"${name}:${VERSION}@${digest}\"#" internal/versions/versions.go 
- done 
- git add internal/versions/versions.go 
-
 - name: Commit
 run: |
 git config --global user.name "edgelessci" 
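Review bot: Removing the `Update micro service versions` step means `internal/versions/versions.go` is no longer rewritten with the freshly pushed `${VERSION}@sha256:...` digests, and nothing in this diff replaces that; unless the references are now generated at build time by Bazel, the release commit keeps whatever digests were last pinned and the CLI would deploy stale images under the new version. If Bazel does provide the pinned references, say so on the `update-versions` job, e.g. `# image digests are pinned by Bazel at build time (see //:push); only the enterprise image version is patched here`, so the next reader does not look for the missing crane step. The `Commit` step at the end of this hunk continues outside the diff.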
@@ -323,9 +236,11 @@ jobs:
 actions: read
 contents: write
 id-token: write 
+ packages: write
 secrets: inherit
 with:
 ref: "refs/tags/${{ inputs.version }}" 
+ pushContainers: true
 pr-get-changes-back-into-main:
 name: PR to Merge changes from release branch into main 
diff --git a/.github/workflows/warm-bazel-cache.yml b/.github/workflows/warm-bazel-cache.yml 
index 90e8cabfe..30375df5e 100644 
--- a/.github/workflows/warm-bazel-cache.yml 
+++ b/.github/workflows/warm-bazel-cache.yml 
@@ -23,6 +23,7 @@ jobs:
 - name: Build common targets
 run: |
 bazel build \ 
+ //:devbuild \
 //bazel/ci/... \
 //bootstrapper/cmd/bootstrapper:bootstrapper_linux_amd64 \
 //cli:cli_oss_linux_amd64 \