AB#2249 Rework image build pipeline (#326)

* Rework image build pipeline

* Don't cancel workflow runs on main

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-08-03 16:01:36 +02:00 committed by GitHub
parent d3435b06a2
commit 5da92d9d8b
22 changed files with 341 additions and 281 deletions


@ -0,0 +1,26 @@
name: Build bootstrapper
description: Build the Constellation bootstrapper binary
inputs:
outputPath:
description: 'Output path of the binary'
default: './bootstrapper'
required: true
runs:
using: 'composite'
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
- name: Install Dependencies
shell: bash
run: sudo apt-get update && sudo apt-get -y install cmake make
- name: Build the bootstrapper
shell: bash
run: |
mkdir -p build && cd build
cmake ..
make bootstrapper
mv -n bootstrapper "${{ inputs.outputPath }}"
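Review bot: `mv -n bootstrapper "${{ inputs.outputPath }}"` runs after `cd build`, so the default `./bootstrapper` names the file being moved as its own destination, and the other caller in this change, `build-coreos.yml`, passes `${{ github.workspace }}/build/bootstrapper`, which is that same file again; unless `-n` short-circuits before the same-file check, GNU mv (at least the version on ubuntu-latest) refuses with `are the same file` and the step fails. Resolve the target before changing directory and skip the move when it is already in place: `out="$(realpath -m "${{ inputs.outputPath }}")"` ahead of `mkdir -p build && cd build`, then `[ "$(realpath bootstrapper)" = "$out" ] || mv -f bootstrapper "$out"` after `make`. Note also that `mv -n` reports success when the target already exists, so should a stale binary ever sit at the output path it would silently be used instead of the fresh build; `mv -f` removes that possibility.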


@ -47,6 +47,7 @@ runs:
uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a
with: with:
go-version: "1.18" go-version: "1.18"
- name: Build hack/pcr-reader - name: Build hack/pcr-reader
run: | run: |
go build . go build .
@ -58,7 +59,7 @@ runs:
- name: Build CLI - name: Build CLI
run: | run: |
GIT_TAG=$(git describe --tags --always --dirty --abbrev=0) GIT_TAG=$(git describe --tags --always --dirty --abbrev=0)
mkdir build mkdir -p build
cd build cd build
cmake -DCLI_VERSION:STRING=${GIT_TAG} .. cmake -DCLI_VERSION:STRING=${GIT_TAG} ..
make -j`nproc` cli make -j`nproc` cli

33
.github/actions/build_debugd/action.yml vendored Normal file

@ -0,0 +1,33 @@
name: Build debugd
description: Build the Constellation debugd binary
inputs:
outputPath:
description: 'Output path of the binary'
default: './debugd'
required: true
runs:
using: 'composite'
steps:
- name: Install Go
uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a
with:
go-version: "1.18"
- name: Install Dependencies
shell: bash
run: sudo apt-get update && sudo apt-get -y install cmake make
- name: Build debugd
shell: bash
run: |
homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)"
mkdir -p build && cd build
cmake ..
export GOCACHE=${homedir}/.cache/go-build
export GOPATH=${homedir}/go
export GOPRIVATE=github.com/edgelesssys
export GOMODCACHE=${homedir}/.cache/go-mod
make debugd cdbg
mv -n debugd "${{ inputs.outputPath }}"
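Review bot: With the default `outputPath` of `./debugd`, the closing `mv -n debugd "./debugd"` executes after `cd build`, so source and destination are the same path; as far as I know GNU mv rejects this with `are the same file`, which would break the `Build debugd` step of `build-binaries.yml`, the one caller that relies on the default (the `build-coreos.yml` caller targets `build/bootstrapper` and is unaffected). Resolve the destination before changing directory — `out="$(realpath -m "${{ inputs.outputPath }}")"` before `mkdir -p build && cd build` — and finish with `[ "$(realpath debugd)" = "$out" ] || mv -f debugd "$out"`. `make debugd cdbg` also builds `cdbg`, which is left behind in `build/` and never exported; if only `debugd` is wanted from this action, `make debugd` is enough.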


@ -0,0 +1,26 @@
name: Build disk-mapper
description: Build the Constellation disk-mapper binary
inputs:
outputPath:
description: 'Output path of the binary'
default: './disk-mapper'
required: true
runs:
using: 'composite'
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
- name: Install Dependencies
shell: bash
run: sudo apt-get update && sudo apt-get -y install cmake make
- name: Build the disk-mapper
shell: bash
run: |
mkdir -p build && cd build
cmake ..
make disk-mapper
mv -n disk-mapper "${{ inputs.outputPath }}"
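Review bot: `mv -n disk-mapper "${{ inputs.outputPath }}"` runs inside `build/`, so both the default `./disk-mapper` and the `${{ github.workspace }}/build/disk-mapper` that `build-coreos.yml` passes resolve to the file being moved; unless `-n` skips before the same-file check, GNU mv fails with `are the same file` at both call sites visible in this change. Resolve the target first and only move when needed: `out="$(realpath -m "${{ inputs.outputPath }}")"` before `mkdir -p build && cd build`, then `[ "$(realpath disk-mapper)" = "$out" ] || mv -f disk-mapper "$out"`. Using `-f` rather than `-n` also guarantees that a previously existing file at the output path can never silently shadow the freshly built binary.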


@ -35,7 +35,7 @@ runs:
tags: | tags: |
type=raw,value=latest,enable={{is_default_branch}} type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }} type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }}
type=raw,value=${{ steps.pseudo-version.outputs.pseudo-version }},enable=${{ '' != steps.pseudo-version.outputs.pseudo-version }} type=raw,value=${{ steps.pseudo-version.outputs.pseudoVersion }},enable=${{ '' != steps.pseudo-version.outputs.pseudoVersion }}
type=ref,event=branch type=ref,event=branch
- name: Set up Docker Buildx - name: Set up Docker Buildx


@ -1,9 +1,20 @@
name: Determine pseudo version name: Determine pseudo version
description: "Determine go-like pseudo version to use as container image tag." description: "Determine go-like pseudo version to use as container image tag."
outputs: outputs:
pseudo-version: pseudoVersion:
description: "Pseudo version based on the current HEAD" description: "Pseudo version based on the current HEAD"
value: ${{ steps.pseudo-version.outputs.pseudo-version }} value: ${{ steps.pseudo-version.outputs.pseudoVersion }}
semanticVersion:
description: "Semantic version based on the current HEAD"
value: ${{ steps.pseudo-version.outputs.semanticVersion }}
timestamp:
description: "Commit timestamp based on the current HEAD"
value: ${{ steps.pseudo-version.outputs.timestamp }}
branchName:
description: "Branch name"
value: ${{ steps.pseudo-version.outputs.branchName }}
runs: runs:
using: 'composite' using: 'composite'
steps: steps:
@ -11,6 +22,7 @@ runs:
uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a
with: with:
go-version: "1.18" go-version: "1.18"
- name: get pseudo version - name: get pseudo version
id: pseudo-version id: pseudo-version
run: | run: |
@ -21,6 +33,18 @@ runs:
else else
git fetch --tags -v git fetch --tags -v
fi fi
echo "::set-output name=pseudo-version::$(go run .)" homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)"
export GOCACHE=${homedir}/.cache/go-build
export GOPATH=${homedir}/go
export GOPRIVATE=github.com/edgelesssys
export GOMODCACHE=${homedir}/.cache/go-mod
pseudoVersion=$(go run .)
semanticVersion=$(go run . -semantic-version)
timestamp=$(go run . -print-timestamp)
branchName=$(go run . -print-branch)
echo "::set-output name=pseudoVersion::${pseudoVersion}"
echo "::set-output name=semanticVersion::${semanticVersion}"
echo "::set-output name=timestamp::${timestamp}"
echo "::set-output name=branchName::${branchName}"
working-directory: hack/pseudo-version working-directory: hack/pseudo-version
shell: bash shell: bash {0}
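Review bot: Switching this step to `shell: bash {0}` drops the `-e -o pipefail` that `shell: bash` implies in composite actions, so a failing `git fetch --tags` or `go run .` (which prints nothing on stdout when it hits `log.Fatalf`) leaves `pseudoVersion`, `semanticVersion`, `timestamp` or `branchName` empty while the step still reports success; consumers such as the image naming in `build-coreos.yml` would then produce names like `constellation-` with an empty version. Keep `shell: bash`, or open the script with `set -euo pipefail`; if the change was made to tolerate a failing fetch, guard that single command (`git fetch --tags -v || true`) rather than disabling errexit for the whole step. The step begins in the hunk above (`id: pseudo-version`), and the `if` whose `else` branch opens this hunk is not fully visible here.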


@ -88,3 +88,48 @@ az role assignment create --role "User Access Administrator" --scope /subscripti
Next, [add API permissions to Managed Identity](https://github.com/edgelesssys/wiki/blob/master/other_tech/azure.md#adding-api-permission-to-managed-identity) Next, [add API permissions to Managed Identity](https://github.com/edgelesssys/wiki/blob/master/other_tech/azure.md#adding-api-permission-to-managed-identity)
Store output of `az ad sp ...` in [GitHub Action Secret](https://github.com/edgelesssys/constellation/settings/secrets/actions) or create a local secret file for act to consume. Store output of `az ad sp ...` in [GitHub Action Secret](https://github.com/edgelesssys/constellation/settings/secrets/actions) or create a local secret file for act to consume.
## Image versions
The [build-coreos](../workflows/build-coreos.yml) workflow can be used to trigger an image build.
The workflow can be used to build debug or release images.
A debug image uses [`debugd`](../../debugd/) as its bootstrapper binary, while release images use the actual [`bootstrapper`](../../bootstrapper/)
Workflows for the main branch will always build debug images.
The image will be named and categorized depending on the branch the build is triggered from.
In the following, __Release__ refers to non debug images build from a release branch, e.g. `release/v1.4.0`,
__Debug__ refers to debug images build from either main or a release branch,
and __Branch__ refers to any image build from a branch that is not main or a release branch.
Non debug images built from main follow the __Branch__ image naming scheme.
### GCP
Type | Image Family | Image Name
-|-|-
Release | constellation | constellation-v\<major\>-\<minor\>-\<patch\>
Debug | constellation-debug-v\<major\>-\<minor\>-\<patch\> | constellation-\<commit-timestamp\>
Branch | constellation-\<branch-name\> | constellation-\<commit-timestamp\>
Example:
Type | Image Family | Image Name
-|-|-
Release | constellation | constellation-v1-5-0
Debug | constellation-v1-5-0 | constellation-20220912123456
Branch | constellation-ref-cli | constellation-20220912123456
### Azure
Type | Gallery | Image Definition | Image Version
-|-|-|-
Release | Constellation | constellation | \<major\>.\<minor\>.\<patch\>
Debug | Constellation_Debug | v\<major\>.\<minor\>.\<patch\> | \<commit-timestamp\>
Branch | Constellation_Testing | \<branch-name\> | \<commit-timestamp\>
Example:
Type | Image Definition | Image Version
-|-|-
Release | constellation | 1.5.0
Debug | v1.5.0 | 2022.0912.123456
Branch | ref-cli | 2022.0912.123456


@ -12,11 +12,6 @@ on:
- "access_manager/**" - "access_manager/**"
- "internal/deploy/**" - "internal/deploy/**"
# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs: jobs:
build-access-manager: build-access-manager:
runs-on: ubuntu-latest runs-on: ubuntu-latest

38
.github/workflows/build-binaries.yml vendored Normal file

@ -0,0 +1,38 @@
# Build Constellation binaries as quality control
name: Build Constellation binaries
on:
workflow_dispatch:
push:
branches:
- main
pull_request:
# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
jobs:
build-binaries:
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Build the bootstrapper
id: build-bootstrapper
uses: ./.github/actions/build_bootstrapper
- name: Build debugd
id: build-debugd
uses: ./.github/actions/build_debugd
- name: Build disk-mapper
id: build-disk-mapper
uses: ./.github/actions/build_disk_mapper
- name: Build CLI
id: build-cli
uses: ./.github/actions/build_cli
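Review bot: The new workflow has no `permissions:` block, so the `GITHUB_TOKEN` issued to the `build-binaries` job receives the repository's default scopes although the job only checks out and builds; `build-coreos.yml` in this same change restricts its job to `contents: read` and `packages: read`. Add a top-level `permissions:` with `contents: read` so the token is read-only on both `push` and `pull_request` runs. The removed `build-cli.yml` used to forward the cosign secrets to `build_cli`; not doing so for a check that also runs on pull requests is the right call, but it is worth confirming that `build_cli` treats those inputs as optional.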


@ -1,72 +0,0 @@
# We build the bootstrapper as part of each PR to see that the build still works. An image is only created once merged to main (see condition on call-coreos).
name: Build and Upload the bootstrapper
on:
workflow_dispatch:
push:
branches:
- main
pull_request:
# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build-bootstrapper:
name: "Build the bootstrapper"
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
outputs:
bootstrapper-name: ${{ steps.copy.outputs.bootstrapper-name }}
steps:
- name: Checkout
id: checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
- name: Install Dependencies
id: prepare
run: sudo apt-get update && sudo apt-get -y install awscli cmake make
- name: Build and tag the bootstrapper
id: build
run: |
mkdir build && cd build
cmake ..
make bootstrapper
mv bootstrapper bootstrapper-$(sha512sum bootstrapper | cut -d " " -f 1)
- name: Copy bootstrapper to S3 if not exists
id: copy
# Only upload the bootstrapper if this action is triggered from main branch
if: ${{ github.ref == 'refs/heads/main' }}
run: >
aws s3api head-object --bucket ${{ secrets.PUBLIC_BUCKET_NAME }} --key bootstrapper/$(ls | grep "bootstrapper-")
|| (
echo "::set-output name=bootstrapper-name::$(ls | grep "bootstrapper-")"
&& aws s3 cp ${{ github.workspace }}/build/ s3://${{ secrets.PUBLIC_BUCKET_NAME }}/bootstrapper/ --exclude "*" --include "bootstrapper-*" --include "constellation" --recursive --quiet)
shell: bash {0}
working-directory: ${{ github.workspace }}/build/
# This is disabled for now as release images need to be built manually anyway.
# For cases where you need a new image because of bootstrapper changes, either trigger a manual build or use a debug image.
# call-coreos:
# needs: build-bootstrapper
# if: ${{ (github.ref == 'refs/heads/main') && startsWith(needs.build-bootstrapper.outputs.bootstrapper-name, 'bootstrapper-') }}
# uses: ./.github/workflows/build-coreos.yml
# with:
# bootstrapper-name: ${{ needs.build-bootstrapper.outputs.bootstrapper-name }}
# secrets:
# CI_GITHUB_REPOSITORY: ${{ secrets.CI_GITHUB_REPOSITORY }}
# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
# BUCKET_NAME: ${{ secrets.BUCKET_NAME }}
# PUBLIC_BUCKET_NAME: ${{ secrets.PUBLIC_BUCKET_NAME }}
# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}


@ -1,29 +0,0 @@
# Right now this workflow is only used as a test. We want to see that a commit does not break the build. The resulting artifact is not used currently.
name: Build CLI
on:
workflow_dispatch:
push:
branches:
- main
pull_request:
# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build-cli:
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Build cli
uses: ./.github/actions/build_cli
with:
cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
cosignPassword: ${{ secrets.COSIGN_PASSWORD }}


@ -1,86 +0,0 @@
name: Build and Upload CoreOS debug image
env:
REGISTRY: ghcr.io
AZ_CLI_VERSION: 2.37.0
on:
workflow_dispatch:
jobs:
build-coreos-debug:
name: "Build CoreOS debug image using customized COSA"
runs-on: [self-hosted, linux, nested-virt]
permissions:
contents: read
packages: read
defaults:
run:
shell: bash
env:
working-directory: ${{ github.workspace }}/image
SHELL: /bin/bash
GOPATH: /home/github-actions-runner-user/go
GOCACHE: /home/github-actions-runner-user/.cache/go-build
GOMODCACHE: /home/github-actions-runner-user/.cache/go-mod
steps:
- name: Checkout
id: checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
with:
submodules: recursive
token: ${{ secrets.CI_GITHUB_REPOSITORY }}
- name: Log in to the Container registry
id: docker-login
uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: "Install azure CLI"
run: |
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
sudo apt-get install -y --allow-downgrades "azure-cli=${AZ_CLI_VERSION}-1~$(lsb_release -sc)"
wget -q https://aka.ms/downloadazcopy-v10-linux -O azcopy.tar.gz
tar --strip-components 1 -xf azcopy.tar.gz
rm azcopy.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
- name: Login to Azure
uses: azure/login@24848bc889cfc0a8313c2b3e378ac0d625b9bc16
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Setup Go environment
uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a
with:
go-version: "1.18"
- name: Install dependencies
run: sudo apt-get update && sudo apt-get install -y pkg-config libcryptsetup12 libcryptsetup-dev
- name: "Compile debugd"
run: GOCACHE=/home/github-actions-runner-user/.cache/go-build GOPATH=/home/github-actions-runner-user/go GOPRIVATE=github.com/edgelesssys GOMODCACHE=/home/github-actions-runner-user/.cache/go-mod go build -o constellation-debugd debugd.go
working-directory: ${{ github.workspace }}/debugd/debugd/cmd/debugd
- name: "Compile disk-mapper"
run: |
mkdir -p ${{ github.workspace }}/build
GOCACHE=/home/github-actions-runner-user/.cache/go-build GOPATH=/home/github-actions-runner-user/go GOPRIVATE=github.com/edgelesssys GOMODCACHE=/home/github-actions-runner-user/.cache/go-mod go build -o ${{ github.workspace }}/build/disk-mapper -ldflags "-s -w"
working-directory: ${{ github.workspace }}/state/cmd
- name: "Store GH token to be mounted by cosa"
run: echo "machine github.com login api password ${{ secrets.CI_GITHUB_REPOSITORY }}" > /tmp/.netrc
- name: "Set image timestamp"
run: |
TIMESTAMP=$(date +%s)
echo "TIMESTAMP=${TIMESTAMP}" >> $GITHUB_ENV
echo "IMAGE_TIMESTAMP=constellation-coreos-debugd-${TIMESTAMP}" >> $GITHUB_ENV
echo "IMAGE_VERSION=0.0.${TIMESTAMP}" >> $GITHUB_ENV
- name: "Build and Upload"
run: >
make -j$(nproc) CONTAINER_ENGINE=docker NETRC=/tmp/.netrc GCP_IMAGE_NAME="${{ env.IMAGE_TIMESTAMP }}" GCP_IMAGE_FAMILY="constellation-debug" AZURE_IMAGE_NAME="${{ env.IMAGE_TIMESTAMP }}"
AZURE_IMAGE_DEFINITION="constellation-coreos-debugd" AZURE_IMAGE_VERSION="${{env.IMAGE_VERSION }}" DOWNLOAD_BOOTSTRAPPER=n BOOTSTRAPPER_BINARY="${{ github.workspace }}/debugd/debugd/cmd/debugd/constellation-debugd"
image-gcp image-azure upload-gcp upload-azure
working-directory: ${{ env.working-directory }}


@ -1,49 +1,25 @@
name: Build and Upload CoreOS name: Build and Upload CoreOS image
env:
REGISTRY: ghcr.io
AZ_CLI_VERSION: 2.37.0
on: on:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
bootstrapper-name: coreOSConfigBranch:
description: bootstrapper name description: 'Branch of CoreOS config repo to build from'
required: true default: 'constellation'
type: string required: false
debug:
workflow_call: description: 'Build debug image'
inputs: type: boolean
bootstrapper-name: default: false
required: true
type: string
secrets:
CI_GITHUB_REPOSITORY:
required: true
AWS_ACCESS_KEY_ID:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
AWS_DEFAULT_REGION:
required: true
BUCKET_NAME:
required: true
PUBLIC_BUCKET_NAME:
required: true
AZURE_CREDENTIALS:
required: true required: true
jobs: jobs:
build-coreos: build-coreos-image:
name: "Build CoreOS using customized COSA" name: 'Build CoreOS using customized COSA'
runs-on: [self-hosted, linux, nested-virt] runs-on: [self-hosted, linux, nested-virt]
permissions: permissions:
contents: read contents: read
packages: read packages: read
defaults:
run:
shell: bash
env: env:
working-directory: ${{ github.workspace }}/image
SHELL: /bin/bash SHELL: /bin/bash
steps: steps:
- name: Checkout - name: Checkout
@ -53,18 +29,44 @@ jobs:
submodules: recursive submodules: recursive
token: ${{ secrets.CI_GITHUB_REPOSITORY }} token: ${{ secrets.CI_GITHUB_REPOSITORY }}
- name: Build bootstrapper
id: build-bootstrapper
if: ${{ inputs.debug == false }}
uses: ./.github/actions/build_bootstrapper
with:
outputPath: ${{ github.workspace }}/build/bootstrapper
- name: Build debugd
id: build-debugd
if: ${{ inputs.debug == true }}
uses: ./.github/actions/build_debugd
with:
outputPath: ${{ github.workspace }}/build/bootstrapper
- name: Build disk-mapper
id: build-disk-mapper
uses: ./.github/actions/build_disk_mapper
with:
outputPath: ${{ github.workspace }}/build/disk-mapper
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
- name: Log in to the Container registry - name: Log in to the Container registry
id: docker-login id: docker-login
uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
with: with:
registry: ${{ env.REGISTRY }} registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: "Install azure CLI" - name: Install Azure CLI
id: install-azure-cli
shell: bash
run: | run: |
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
sudo apt-get install -y --allow-downgrades "azure-cli=${AZ_CLI_VERSION}-1~$(lsb_release -sc)" sudo apt-get install -y --allow-downgrades "azure-cli=2.37.0-1~$(lsb_release -sc)"
wget -q https://aka.ms/downloadazcopy-v10-linux -O azcopy.tar.gz wget -q https://aka.ms/downloadazcopy-v10-linux -O azcopy.tar.gz
tar --strip-components 1 -xf azcopy.tar.gz tar --strip-components 1 -xf azcopy.tar.gz
rm azcopy.tar.gz rm azcopy.tar.gz
@ -75,33 +77,56 @@ jobs:
with: with:
creds: ${{ secrets.AZURE_CREDENTIALS }} creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Setup Go environment - name: Store GH token to be mounted by cosa
uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a id: store-gh-token
with: shell: bash
go-version: "1.18"
- name: Install dependencies
run: sudo apt-get update && sudo apt-get install -y pkg-config libcryptsetup12 libcryptsetup-dev
- name: "Compile disk-mapper"
run: |
mkdir -p ${{ github.workspace }}/build
GOCACHE=/home/github-actions-runner-user/.cache/go-build GOPATH=/home/github-actions-runner-user/go GOPRIVATE=github.com/edgelesssys GOMODCACHE=/home/github-actions-runner-user/.cache/go-mod go build -o ${{ github.workspace }}/build/disk-mapper -ldflags "-s -w"
working-directory: ${{ github.workspace }}/state/cmd
- name: "Store GH token to be mounted by cosa"
run: echo "machine github.com login api password ${{ secrets.CI_GITHUB_REPOSITORY }}" > /tmp/.netrc run: echo "machine github.com login api password ${{ secrets.CI_GITHUB_REPOSITORY }}" > /tmp/.netrc
- name: "Set image timestamp" # Make sure to set valid names for GCP and Azure
# Azure
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
#
# GCP
# image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
- name: Configure input variables
id: configure-variables
shell: bash
run: | run: |
TIMESTAMP=$(date +%s) timestamp=${{ steps.version.outputs.timestamp }}
echo "TIMESTAMP=${TIMESTAMP}" >> $GITHUB_ENV semver=${{ steps.version.outputs.semanticVersion }}
echo "IMAGE_TIMESTAMP=constellation-coreos-${TIMESTAMP}" >> $GITHUB_ENV pseudover=${{ steps.version.outputs.pseudoVersion }}
echo "IMAGE_VERSION=0.0.${TIMESTAMP}" >> $GITHUB_ENV echo "azureImageName=constellation-${pseudover//./-}" >> $GITHUB_ENV
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.buildDebug == false) }}" = true ]
then
echo "gcpImageName=constellation-${semver//./-}" >> $GITHUB_ENV
echo "gcpImageFamily=constellation" >> $GITHUB_ENV
echo "azureGalleryName=Constellation" >> $GITHUB_ENV
echo "azureImageDefinition=constellation" >> $GITHUB_ENV
echo "azureImageVersion=${semver:1}" >> $GITHUB_ENV
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.buildDebug == true) }}" = true ]
then
echo "gcpImageName=constellation-debug-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
echo "gcpImageFamily=constellation-debug-${semver//./-}" >> $GITHUB_ENV
echo "azureGalleryName=Constellation_Debug" >> $GITHUB_ENV
echo "azureImageDefinition=${semver}" >> $GITHUB_ENV
echo "azureImageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
else
echo "gcpImageName=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
echo "gcpImageFamily=constellation-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
echo "azureGalleryName=Constellation_Testing" >> $GITHUB_ENV
echo "azureImageDefinition=${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
echo "azureImageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
fi
- name: "Build and Upload" - name: Build and Upload
run: > id: build-and-upload
make -j$(nproc) CONTAINER_ENGINE=docker NETRC=/tmp/.netrc GCP_IMAGE_NAME="${{ env.IMAGE_TIMESTAMP }}" AZURE_IMAGE_NAME="${{ env.IMAGE_TIMESTAMP }}" shell: bash {0}
AZURE_IMAGE_DEFINITION="constellation-coreos" AZURE_IMAGE_VERSION="${{env.IMAGE_VERSION }}" DOWNLOAD_BOOTSTRAPPER=y BOOTSTRAPPER_URL="https://${{ secrets.PUBLIC_BUCKET_NAME }}.s3.us-east-2.amazonaws.com/bootstrapper/${{ inputs.bootstrapper-name }}" run: |
make -j$(nproc) CONTAINER_ENGINE=docker NETRC=/tmp/.netrc \
COSA_INIT_BRANCH="${{ inputs.coreOSConfigBranch }}" \
GCP_IMAGE_NAME="${{ env.gcpImageName }}" GCP_IMAGE_FAMILY="${{ env.gcpImageFamily }}" \
AZURE_IMAGE_DEFINITION="${{ env.azureImageDefinition }}" AZURE_IMAGE_VERSION="${{ env.azureImageVersion }}" AZURE_GALLERY_NAME="${{ env.azureGalleryName }}" AZURE_IMAGE_NAME="${{ env.azureImageName }}"\
image-gcp image-azure upload-gcp upload-azure image-gcp image-azure upload-gcp upload-azure
working-directory: ${{ env.working-directory }} working-directory: ${{ github.workspace }}/image
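Review bot: Both naming conditions in the `Configure input variables` step test `inputs.buildDebug`, but the input this workflow declares (and the build steps guard on) is `debug`, so the expression compares an undefined value; under GitHub's loose comparison, where null and false both coerce to 0, `inputs.buildDebug == false` is always true and `== true` never is, which would route a debug build from a release branch — debugd as the bootstrapper — into the production `Constellation` gallery and `constellation` image family under the release version. Change both to `inputs.debug`: `if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]` and `elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]`. The final `else` branch also has name and family swapped relative to the README's Branch scheme (family `constellation-<branch-name>`, name `constellation-<commit-timestamp>`); as written every build from one branch reuses the image name `constellation-<branch>`, which a second upload would collide on. Lastly, `${{ inputs.coreOSConfigBranch }}` is expanded into the `make` command line by the template engine; passing the dispatch input through `env:` and referencing `"$COSA_INIT_BRANCH"` in the script keeps shell metacharacters in the input from being interpreted.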


@ -14,11 +14,6 @@ on:
- "internal/grpc/**" - "internal/grpc/**"
- "internal/oid/**" - "internal/oid/**"
# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs: jobs:
build-join-service: build-join-service:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -13,11 +13,6 @@ on:
- "internal/constants/**" - "internal/constants/**"
- "internal/file/**" - "internal/file/**"
# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs: jobs:
build-kms-server: build-kms-server:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -10,7 +10,7 @@ on:
# Abort runs of *this* workflow, if a new commit with the same ref is pushed. # Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
jobs: jobs:
integration-test: integration-test:


@ -14,7 +14,7 @@ permissions:
# Abort runs of *this* workflow, if a new commit with the same ref is pushed. # Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
jobs: jobs:
golangci: golangci:


@ -8,7 +8,7 @@ on:
# Abort runs of *this* workflow, if a new commit with the same ref is pushed. # Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
jobs: jobs:
shellcheck: shellcheck:


@ -10,7 +10,7 @@ on:
# Abort runs of *this* workflow, if a new commit with the same ref is pushed. # Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
jobs: jobs:
test: test:


@ -68,17 +68,20 @@ With `cdbg` and `yq` installed in your path:
For GCP, run the following command to get a list of all constellation debug images, sorted by their creation date: For GCP, run the following command to get a list of all constellation debug images, sorted by their creation date:
```shell ```shell
gcloud compute images list --filter="name~'constellation-coreos-debugd.+'" --sort-by=creationTimestamp --project constellation-images gcloud compute images list --filter="family~'constellation-debug-v.+'" --sort-by=creationTimestamp --project constellation-images
``` ```
Choose the newest debugd image with the naming scheme `constellation-coreos-debugd-<timestamp>`. The images are grouped by the Constellation release they were built for.
Choose the newest debugd image for your release with the naming scheme `constellation-<commit-timestamp>`.
### debugd Azure Image ### debugd Azure Image
For Azure, run the following command to get a list of all constellation debugd images, sorted by their creation date: Azure debug images are grouped by the Constellation release they were built for.
Run the following command to get a list of all constellation debugd images for release v1.5.0, sorted by their creation date:
```shell ```shell
az sig image-version list --resource-group constellation-images --gallery-name Constellation --gallery-image-definition constellation-coreos-debugd --query "sort_by([], &publishingProfile.publishedDate)[].id" -o table RELEASE=v1.5.0
az sig image-version list --resource-group constellation-images --gallery-name Constellation_Debug --gallery-image-definition ${RELEASE} --query "sort_by([], &publishingProfile.publishedDate)[].id" -o table
``` ```
Choose the newest debugd image and copy the full URI. Choose the newest debugd image and copy the full URI.


@ -3,6 +3,7 @@ package git
import ( import (
"errors" "errors"
"regexp" "regexp"
"strings"
"time" "time"
git "github.com/go-git/go-git/v5" git "github.com/go-git/go-git/v5"
@ -77,6 +78,28 @@ func (g *Git) FirstParentWithVersionTag() (revision string, versionTag string, e
return revision, versionTag, nil return revision, versionTag, nil
} }
// ParsedBranchName returns the name of the current branch.
// Special characters are replaced with "-", and the name is lowercased and trimmed to 49 characters.
// This makes sure that the branch name is usable as a GCP image name.
func (g *Git) ParsedBranchName() (string, error) {
commitRef, err := g.repo.Head()
if err != nil {
return "", err
}
rxp, err := regexp.Compile("[^a-zA-Z0-9-]+")
if err != nil {
return "", err
}
branch := strings.ToLower(rxp.ReplaceAllString(commitRef.Name().Short(), "-"))
if len(branch) > 49 {
branch = branch[:49]
}
return strings.TrimSuffix(branch, "-"), nil
}
// tagsByRevisionHash returns a map from revision hash to a list of associated tags. // tagsByRevisionHash returns a map from revision hash to a list of associated tags.
func (g *Git) tagsByRevisionHash() (map[string][]string, error) { func (g *Git) tagsByRevisionHash() (map[string][]string, error) {
tags := make(map[string][]string) tags := make(map[string][]string)
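Review bot: `ParsedBranchName` strips only one trailing dash via `strings.TrimSuffix`, so a name ending in two allowed dashes (e.g. `foo--`) or one cut at 49 characters right after a dash still ends in `-`, which the GCP naming rule quoted in the workflow forbids; `strings.TrimRight(branch, "-")` handles runs. The regular expression is constant yet compiled on every call with an error path that cannot fire — hoist it to a package-level `var branchNameRegexp = regexp.MustCompile("[^a-zA-Z0-9-]+")` and drop the `err` check. On a detached checkout, which actions/checkout produces for pull-request merges as far as I recall, `Head()` yields the name `HEAD`, so this returns `head` rather than a branch; checking `commitRef.Name().IsBranch()` and returning an error otherwise would surface that instead of quietly producing an image called `constellation-head`.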


@ -13,6 +13,9 @@ import (
) )
func main() { func main() {
printSemVer := flag.Bool("semantic-version", false, "Only print semantic version")
printTimestamp := flag.Bool("print-timestamp", false, "Only print timestamp")
printBranch := flag.Bool("print-branch", false, "Only print branch name")
major := flag.String("major", "v0", "Optional major version") major := flag.String("major", "v0", "Optional major version")
base := flag.String("base", "", "Optional base version") base := flag.String("base", "", "Optional base version")
revisionTimestamp := flag.String("time", "", "Optional revision time") revisionTimestamp := flag.String("time", "", "Optional revision time")
@ -26,6 +29,11 @@ func main() {
log.With(zap.Error(err)).Fatalf("Failed to initialize git client") log.With(zap.Error(err)).Fatalf("Failed to initialize git client")
} }
branch, err := gitc.ParsedBranchName()
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to get branch name")
}
if *base == "" { if *base == "" {
_, versionTag, err := gitc.FirstParentWithVersionTag() _, versionTag, err := gitc.FirstParentWithVersionTag()
if err != nil { if err != nil {
@ -57,5 +65,15 @@ func main() {
} }
version := module.PseudoVersion(*major, *base, headTime, *revision) version := module.PseudoVersion(*major, *base, headTime, *revision)
switch {
case *printSemVer:
fmt.Println(*base)
case *printTimestamp:
fmt.Println(headTime.Format("20060102150405"))
case *printBranch:
fmt.Println(branch)
default:
fmt.Println(version) fmt.Println(version)
} }
}
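Review bot: The three new print flags are not mutually exclusive, but the `switch` silently honours the first one in source order, so `go run . -print-timestamp -print-branch` prints only the timestamp; either reject combinations (count the set flags and call `flag.Usage()` before exiting) or state the precedence in the flag help, e.g. `"Only print semantic version (takes precedence over -print-timestamp and -print-branch)"`. `ParsedBranchName` is now evaluated on every invocation, including the default pseudo-version output that `build_micro_service` relies on, so any error in the branch lookup becomes fatal for callers that never asked for a branch; moving the call under `case *printBranch:` preserves their previous behaviour. `main` begins before this hunk.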