ci: upload container images when running e2e tests

.github/actions/e2e_test/action.yml

@@ -68,6 +68,12 @@ inputs:
   buildBuddyApiKey:
     description: "BuildBuddy API key for caching Bazel artifacts"
     required: true
+  registry:
+    description: "Container registry to use"
+    required: true
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
 
 outputs:
   kubeconfig:
@@ -146,6 +152,11 @@ runs:
         targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
         targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
 
+    - name: Upload container images
+      if: inputs.cliVersion == ''
+      shell: bash
+      run: bazel run //:push
+
     - name: Login to GCP (IAM service account)
       if: inputs.cloudProvider == 'gcp'
       uses: ./.github/actions/login_gcp
@@ -161,6 +172,13 @@ runs:
         # extend token expiry to 6 hours to ensure constellation can terminate
         role-duration-seconds: 21600
 
+    - name: Log in to the Container registry
+      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ github.actor }}
+        password: ${{ inputs.githubToken }}
+
     - name: Login to Azure (IAM service principal)
       if: inputs.cloudProvider == 'azure'
       uses: ./.github/actions/login_azure

.github/workflows/e2e-test-daily.yml

@@ -86,6 +86,8 @@ jobs:
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Always terminate cluster
         if: always()

.github/workflows/e2e-test-manual.yml

@@ -206,6 +206,7 @@ jobs:
       id-token: write
       checks: write
       contents: read
+      packages: write
     needs: [find-latest-image, split-cliImageVersion]
     if: always() && !cancelled()
     steps:
@@ -259,6 +260,8 @@ jobs:
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Always terminate cluster
         if: always()

.github/workflows/e2e-test-release.yml

@@ -204,6 +204,8 @@ jobs:
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Always terminate cluster
         if: always()

.github/workflows/e2e-test-weekly.yml

@@ -209,6 +209,8 @@ jobs:
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Always terminate cluster
         if: always()

.github/workflows/e2e-upgrade.yml

@@ -83,6 +83,12 @@ on:
         default: false
         required: false
 
+env:
+  ARM_CLIENT_ID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
+  ARM_CLIENT_SECRET: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ secrets.AZURE_E2E_TENANT_ID }}
+
 jobs:
   e2e-upgrade:
     runs-on: ubuntu-22.04
@@ -142,6 +148,8 @@ jobs:
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run upgrade test
         env:

.github/workflows/release-cli.yml

@@ -7,12 +7,30 @@ on:
         type: string
         description: "Git ref to checkout"
         required: false
+      pushContainers:
+        type: boolean
+        description: "Push containers pinned in the cli to container registry"
+        required: false
+        default: false
+      registry:
+        description: "Container registry to use"
+        type: string
+        default: ghcr.io
   workflow_call:
     inputs:
       ref:
         type: string
         description: "Git ref to checkout"
         required: true
+      pushContainers:
+        type: boolean
+        description: "Push containers pinned in the cli to container registry"
+        required: false
+        default: false
+      registry:
+        description: "Container registry to use"
+        type: string
+        default: ghcr.io
 
 jobs:
   build-cli:
@@ -50,6 +68,37 @@ jobs:
           name: constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: build/constellation-${{ matrix.os }}-${{ matrix.arch }}
 
+  push-containers:
+    runs-on: ubuntu-22.04
+    if: inputs.pushContainers
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        with:
+          ref: ${{ inputs.ref || github.head_ref }}
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel
+        with:
+          useCache: "false"
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+        with:
+          registry: ${{ inputs.registry }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload referenced container images
+        shell: bash
+        run: bazel run //:push
+
   provenance-subjects:
     runs-on: ubuntu-22.04
     needs:

.github/workflows/release.yml

@@ -126,84 +126,9 @@ jobs:
           git diff --staged --quiet || git commit -m "chore: update version.txt to ${{ inputs.version }}"
           git push origin "${BRANCH}"
 
-  micro-services:
-    name: Build micro services
-    runs-on: ubuntu-22.04
-    needs: [verify-inputs, prepare-release-branch]
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      matrix:
-        koTarget:
-          [
-            ./joinservice/cmd,
-            ./keyservice/cmd,
-            ./verify/cmd,
-            ./operators/constellation-node-operator,
-          ]
-        include:
-          - koTarget: ./joinservice/cmd
-            name: join-service
-          - koTarget: ./keyservice/cmd
-            name: key-service
-          - koTarget: ./verify/cmd
-            name: verification-service
-          - koTarget: ./operators/constellation-node-operator
-            name: node-operator
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
-        with:
-          ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
-
-      - name: Build ${{ matrix.name }} micro service
-        uses: ./.github/actions/build_micro_service_ko
-        with:
-          koTarget: ${{ matrix.koTarget }}
-          name: ${{ matrix.name }}
-          pushTag: ${{ inputs.version }}
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
-
-  micro-services-metadata:
-    name: Build docker images
-    runs-on: ubuntu-22.04
-    needs: [verify-inputs, prepare-release-branch]
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      matrix:
-        appName: [qemu-metadata-api, libvirt]
-        include:
-          - appName: qemu-metadata-api
-            dockerfile: ./hack/qemu-metadata-api/Dockerfile
-          - appName: libvirt
-            dockerfile: ./cli/internal/libvirt/Dockerfile
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
-        with:
-          ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
-
-      - name: Build docker image
-        uses: ./.github/actions/build_micro_service
-        with:
-          name: ${{ matrix.appName }}
-          pushTag: ${{ inputs.version }}
-          projectVersion: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
-          dockerfile: ${{ matrix.dockerfile }}
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
-
   update-versions:
     name: Update container image versions
-    needs: [verify-inputs, micro-services, micro-services-metadata]
+    needs: [verify-inputs, prepare-release-branch]
     runs-on: ubuntu-22.04
     permissions:
       contents: write
@@ -217,23 +142,11 @@ jobs:
         with:
           ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
 
-      - name: Install crane
-        uses: ./.github/actions/setup_crane
-
       - name: Update enterprise image version
         run: |
           sed -i "s/defaultImage = \"v[0-9]\+\.[0-9]\+\.[0-9]\+\"/defaultImage = \"${VERSION}\"/" internal/config/images_enterprise.go
           git add internal/config/images_enterprise.go
 
-      - name: Update micro service versions
-        run: |
-          for service in node-operator join-service key-service verification-service qemu-metadata-api; do
-            name=ghcr.io/edgelesssys/constellation/${service}
-            digest=$(crane digest "${name}:${VERSION}")
-            sed -i "s#\"${name}:v[0-9]\+\.[0-9]\+\.[0-9]\+[^@]*@sha256:[0-9a-f]\+\"#\"${name}:${VERSION}@${digest}\"#" internal/versions/versions.go
-          done
-          git add internal/versions/versions.go
-
       - name: Commit
         run: |
           git config --global user.name "edgelessci"
@@ -323,9 +236,11 @@ jobs:
       actions: read
       contents: write
       id-token: write
+      packages: write
     secrets: inherit
     with:
       ref: "refs/tags/${{ inputs.version }}"
+      pushContainers: true
 
   pr-get-changes-back-into-main:
     name: PR to Merge changes from release branch into main

.github/workflows/warm-bazel-cache.yml

@@ -23,6 +23,7 @@ jobs:
       - name: Build common targets
         run: |
           bazel build \
+            //:devbuild \
             //bazel/ci/... \
             //bootstrapper/cmd/bootstrapper:bootstrapper_linux_amd64 \
             //cli:cli_oss_linux_amd64 \