mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-24 15:09:39 -05:00
ci: fix artifact upload in image build pipeline (#2765)
* Fix parameter expansion when uploading multiple files * On download, ensure target directory exists * Rename encryption-secret -> encryptionSecret * Remove incorrect secret access from e2e test action * Add missing checkout action to workflows using our download action * Fix spacing * Fix upload action uploading whole directory structure instead of target files * Explicitly give write permissions to Azure disk image, since permissions are no longer dropped on upload --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
66c0b581b2
commit
8c1972c335
5
.github/actions/artifact_download/action.yml
vendored
5
.github/actions/artifact_download/action.yml
vendored
@ -9,7 +9,7 @@ inputs:
|
||||
description: 'Download to a specified path.'
|
||||
required: false
|
||||
default: ./
|
||||
encryption-secret:
|
||||
encryptionSecret:
|
||||
description: 'The secret to use for decrypting the artifact.'
|
||||
required: true
|
||||
|
||||
@ -36,4 +36,5 @@ runs:
|
||||
- name: Decrypt and unzip archive
|
||||
shell: bash
|
||||
run: |
|
||||
unzip -P '${{ inputs.encryption-secret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
|
||||
mkdir -p ${{ inputs.path }}
|
||||
unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
|
||||
|
27
.github/actions/artifact_upload/action.yml
vendored
27
.github/actions/artifact_upload/action.yml
vendored
@ -3,7 +3,7 @@ description: Upload an encrypted zip archive as a github artifact.
|
||||
|
||||
inputs:
|
||||
path:
|
||||
description: 'The path(s) that should be uploaded. Those are evaluated with bash and the extglob option.'
|
||||
description: 'The path(s) that should be uploaded. Paths may contain globs. Only the final component of a path is uploaded.'
|
||||
required: true
|
||||
name:
|
||||
description: 'The name of the artifact.'
|
||||
@ -11,7 +11,7 @@ inputs:
|
||||
retention-days:
|
||||
description: 'How long the artifact should be retained for.'
|
||||
default: 60
|
||||
encryption-secret:
|
||||
encryptionSecret:
|
||||
description: 'The secret to use for encrypting the files.'
|
||||
required: true
|
||||
|
||||
@ -34,10 +34,14 @@ runs:
|
||||
run: |
|
||||
shopt -s extglob
|
||||
|
||||
paths="${{ inputs.path }}"
|
||||
paths=${paths%$'\n'} # Remove trailing newline
|
||||
|
||||
# Check if any file matches the given pattern(s).
|
||||
something_exists=false
|
||||
for pattern in ${{ inputs.path }}; do
|
||||
if compgen -G $pattern > /dev/null; then
|
||||
for pattern in ${paths}
|
||||
do
|
||||
if compgen -G "${pattern}" > /dev/null; then
|
||||
something_exists=true
|
||||
fi
|
||||
done
|
||||
@ -45,12 +49,19 @@ runs:
|
||||
# Create an archive if files exist.
|
||||
# Don't create an archive file if no files are found
|
||||
# and warn.
|
||||
if $something_exists; then
|
||||
zip -e -P '${{ inputs.encryption-secret }}' -qq -r ${{ steps.tempdir.outputs.directory }}/archive.zip ${{ inputs.path }}
|
||||
else
|
||||
echo "::warning:: No files/directories found with the provided path(s) $(echo -n ${{ inputs.path }}). No artifact will be uploaded."
|
||||
if ! ${something_exists}
|
||||
then
|
||||
echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
for target in ${paths}
|
||||
do
|
||||
pushd "$(dirname "${target}")" || exit 1
|
||||
zip -e -P '${{ inputs.encryptionSecret }}' -r "${{ steps.tempdir.outputs.directory }}/archive.zip" "$(basename "${target}")"
|
||||
popd || exit 1
|
||||
done
|
||||
|
||||
- name: Upload archive as artifact
|
||||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
|
@ -59,7 +59,7 @@ inputs:
|
||||
force:
|
||||
description: "Set the force-flag on apply to ignore version mismatches."
|
||||
required: false
|
||||
encryption-secret:
|
||||
encryptionSecret:
|
||||
description: "The secret to use for encrypting the artifact."
|
||||
required: true
|
||||
|
||||
@ -267,4 +267,4 @@ runs:
|
||||
name: serial-logs-${{ inputs.artifactNameSuffix }}
|
||||
path: >
|
||||
!(terraform).log
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
8
.github/actions/e2e_benchmark/action.yml
vendored
8
.github/actions/e2e_benchmark/action.yml
vendored
@ -17,7 +17,7 @@ inputs:
|
||||
awsOpenSearchPwd:
|
||||
description: "AWS OpenSearch Password to upload the results."
|
||||
required: false
|
||||
encryption-secret:
|
||||
encryptionSecret:
|
||||
description: 'The secret to use for encrypting the artifact.'
|
||||
required: true
|
||||
|
||||
@ -100,7 +100,7 @@ runs:
|
||||
with:
|
||||
path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
|
||||
name: "fio-constellation-${{ inputs.cloudProvider }}.json"
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Run knb benchmark
|
||||
shell: bash
|
||||
@ -122,7 +122,7 @@ runs:
|
||||
with:
|
||||
path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
|
||||
name: "knb-constellation-${{ inputs.cloudProvider }}.json"
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Assume AWS role to retrieve and update benchmarks in S3
|
||||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
||||
@ -176,7 +176,7 @@ runs:
|
||||
path: >
|
||||
benchmarks/constellation-${{ inputs.cloudProvider }}.json
|
||||
name: "benchmarks"
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Upload benchmark results to opensearch
|
||||
if: (!env.ACT)
|
||||
|
4
.github/actions/e2e_sonobuoy/action.yml
vendored
4
.github/actions/e2e_sonobuoy/action.yml
vendored
@ -11,7 +11,7 @@ inputs:
|
||||
kubeconfig:
|
||||
description: "The kubeconfig of the cluster to test."
|
||||
required: true
|
||||
encryption-secret:
|
||||
encryptionSecret:
|
||||
description: 'The secret to use for encrypting the artifact.'
|
||||
required: true
|
||||
|
||||
@ -51,7 +51,7 @@ runs:
|
||||
with:
|
||||
name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz"
|
||||
path: "*_sonobuoy_*.tar.gz"
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
# Only works on "sonobuoy full" tests (e2e plugin)
|
||||
- name: Extract test results
|
||||
|
10
.github/actions/e2e_test/action.yml
vendored
10
.github/actions/e2e_test/action.yml
vendored
@ -86,7 +86,7 @@ inputs:
|
||||
force:
|
||||
description: "Set the force-flag on apply to ignore version mismatches."
|
||||
required: false
|
||||
encryption-secret:
|
||||
encryptionSecret:
|
||||
description: 'The secret to use for decrypting the artifact.'
|
||||
required: true
|
||||
|
||||
@ -299,7 +299,7 @@ runs:
|
||||
clusterCreation: ${{ inputs.clusterCreation }}
|
||||
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
|
||||
force: ${{ inputs.force }}
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Deploy log- and metrics-collection (Kubernetes)
|
||||
id: deploy-logcollection
|
||||
@ -334,7 +334,7 @@ runs:
|
||||
sonobuoyTestSuiteCmd: "--mode quick"
|
||||
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
||||
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Run sonobuoy full test
|
||||
if: inputs.test == 'sonobuoy full'
|
||||
@ -344,7 +344,7 @@ runs:
|
||||
sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
|
||||
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
||||
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Run autoscaling test
|
||||
if: inputs.test == 'autoscaling'
|
||||
@ -367,7 +367,7 @@ runs:
|
||||
awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
|
||||
awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
|
||||
awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Run constellation verify test
|
||||
if: inputs.test == 'verify'
|
||||
|
@ -1,7 +1,7 @@
|
||||
name: Upload Terraform infrastructure module
|
||||
description: "Upload the Terraform infrastructure module as an artifact."
|
||||
inputs:
|
||||
encryption-secret:
|
||||
encryptionSecret:
|
||||
description: 'The secret to use for encrypting the artifact.'
|
||||
required: true
|
||||
|
||||
@ -24,7 +24,7 @@ runs:
|
||||
with:
|
||||
name: terraform-module
|
||||
path: terraform-module.zip
|
||||
encryption-secret: ${{ inputs.encryption-secret }}
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Cleanup Terraform module dir
|
||||
shell: bash
|
||||
|
32
.github/workflows/build-os-image.yml
vendored
32
.github/workflows/build-os-image.yml
vendored
@ -182,7 +182,7 @@ jobs:
|
||||
with:
|
||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Upload individual OS parts as artifacts
|
||||
uses: ./.github/actions/artifact_upload
|
||||
@ -192,14 +192,14 @@ jobs:
|
||||
${{ steps.build.outputs.image-dir }}/constellation.efi
|
||||
${{ steps.build.outputs.image-dir }}/constellation.initrd
|
||||
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Upload sbom info as artifact
|
||||
uses: ./.github/actions/artifact_upload
|
||||
with:
|
||||
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: ${{ steps.build.outputs.rpmdb }}
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
upload-os-image:
|
||||
name: "Upload OS image to CSP"
|
||||
@ -248,7 +248,7 @@ jobs:
|
||||
with:
|
||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Install tools
|
||||
shell: bash
|
||||
@ -316,6 +316,7 @@ jobs:
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
run: |
|
||||
echo "::group::Upload Azure image"
|
||||
chmod +w "${RAW_IMAGE_PATH}"
|
||||
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
||||
bazel run //image/upload -- image azure \
|
||||
--verbose \
|
||||
@ -361,7 +362,7 @@ jobs:
|
||||
with:
|
||||
name: lookup-table
|
||||
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
calculate-pcrs:
|
||||
name: "Calculate PCRs"
|
||||
@ -398,7 +399,7 @@ jobs:
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- uses: ./.github/actions/setup_bazel_nix
|
||||
with:
|
||||
@ -545,7 +546,7 @@ jobs:
|
||||
with:
|
||||
name: measurements
|
||||
path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
upload-pcrs:
|
||||
name: "Sign & upload PCRs"
|
||||
@ -568,7 +569,7 @@ jobs:
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: measurements
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
||||
@ -640,6 +641,10 @@ jobs:
|
||||
contents: read
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
||||
with:
|
||||
@ -652,7 +657,7 @@ jobs:
|
||||
# downloading / using only the QEMU manifest is fine
|
||||
# since the images only differ in the ESP partition
|
||||
name: sbom-qemu-qemu-vtpm
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Upload SBOMs to S3
|
||||
shell: bash
|
||||
@ -683,7 +688,7 @@ jobs:
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: lookup-table
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
||||
@ -693,12 +698,7 @@ jobs:
|
||||
|
||||
- name: Upload lookup table to S3
|
||||
shell: bash
|
||||
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
run: bazel run //image/upload -- info --verbose image-upload*.json
|
||||
|
||||
- name: Create CLI compatibility information artifact
|
||||
shell: bash
|
||||
|
14
.github/workflows/draft-release.yml
vendored
14
.github/workflows/draft-release.yml
vendored
@ -176,7 +176,7 @@ jobs:
|
||||
- name: Upload Terraform infrastructure module
|
||||
uses: ./.github/actions/upload_terraform_module
|
||||
with:
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
push-containers:
|
||||
runs-on: ubuntu-22.04
|
||||
@ -232,7 +232,7 @@ jobs:
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Generate provenance subjects
|
||||
id: provenance-subjects
|
||||
@ -346,13 +346,13 @@ jobs:
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Download provenance
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Install slsa-verifier
|
||||
run: |
|
||||
@ -426,19 +426,19 @@ jobs:
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Download Constellation CLI SBOM's signature
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: constellation.spdx.sbom.sig
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Download Constellation provenance
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Rename provenance file
|
||||
run: |
|
||||
|
2
.github/workflows/e2e-test-daily.yml
vendored
2
.github/workflows/e2e-test-daily.yml
vendored
@ -91,7 +91,7 @@ jobs:
|
||||
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
|
||||
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
|
||||
clusterCreation: "cli"
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Always terminate cluster
|
||||
if: always()
|
||||
|
2
.github/workflows/e2e-test-release.yml
vendored
2
.github/workflows/e2e-test-release.yml
vendored
@ -265,7 +265,7 @@ jobs:
|
||||
clusterCreation: ${{ matrix.clusterCreation }}
|
||||
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
|
||||
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Always terminate cluster
|
||||
if: always()
|
||||
|
2
.github/workflows/e2e-test-weekly.yml
vendored
2
.github/workflows/e2e-test-weekly.yml
vendored
@ -305,7 +305,7 @@ jobs:
|
||||
clusterCreation: ${{ matrix.clusterCreation }}
|
||||
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
|
||||
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Always terminate cluster
|
||||
if: always()
|
||||
|
2
.github/workflows/e2e-test.yml
vendored
2
.github/workflows/e2e-test.yml
vendored
@ -246,7 +246,7 @@ jobs:
|
||||
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
|
||||
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
|
||||
force: ${{ inputs.force }}
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Always terminate cluster
|
||||
if: always()
|
||||
|
4
.github/workflows/e2e-upgrade.yml
vendored
4
.github/workflows/e2e-upgrade.yml
vendored
@ -183,7 +183,7 @@ jobs:
|
||||
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
|
||||
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
|
||||
clusterCreation: "cli"
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Build CLI
|
||||
uses: ./.github/actions/build_cli
|
||||
@ -283,7 +283,7 @@ jobs:
|
||||
node-operator.logs
|
||||
node-maintenance-operator.logs
|
||||
constellation-version.yaml
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Always terminate cluster
|
||||
if: always()
|
||||
|
4
.github/workflows/e2e-windows.yml
vendored
4
.github/workflows/e2e-windows.yml
vendored
@ -38,7 +38,7 @@ jobs:
|
||||
with:
|
||||
path: "bazel-bin/cli/cli_enterprise_windows_amd64"
|
||||
name: "constell-exe"
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
e2e-test:
|
||||
name: E2E Test Windows
|
||||
@ -54,7 +54,7 @@ jobs:
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: "constell-exe"
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Check CLI version
|
||||
shell: pwsh
|
||||
|
72
.github/workflows/reproducible-builds.yml
vendored
72
.github/workflows/reproducible-builds.yml
vendored
@ -57,14 +57,14 @@ jobs:
|
||||
with:
|
||||
name: "binaries-${{ matrix.target }}"
|
||||
path: "${{ env.binary }}"
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Upload hash artifact
|
||||
uses: ./.github/actions/artifact_upload
|
||||
with:
|
||||
name: "sha256sums"
|
||||
path: "${{ env.binary }}.sha256"
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
build-osimages:
|
||||
strategy:
|
||||
@ -135,23 +135,27 @@ jobs:
|
||||
- "cli_enterprise_windows_amd64"
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Download binaries
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: "binaries-${{ matrix.target }}"
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Hash
|
||||
shell: bash
|
||||
if: runner.os == 'Linux'
|
||||
run: sha256sum cli_enterprise*
|
||||
- name: Download binaries
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: "binaries-${{ matrix.target }}"
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Compare binaries
|
||||
shell: bash
|
||||
run: |
|
||||
# shellcheck disable=SC2207,SC2116
|
||||
list=($(echo "cli_enterprise*"))
|
||||
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
|
||||
- name: Hash
|
||||
shell: bash
|
||||
if: runner.os == 'Linux'
|
||||
run: sha256sum cli_enterprise*
|
||||
|
||||
- name: Compare binaries
|
||||
shell: bash
|
||||
run: |
|
||||
# shellcheck disable=SC2207,SC2116
|
||||
list=($(echo "cli_enterprise*"))
|
||||
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
|
||||
|
||||
compare-osimages:
|
||||
needs: build-osimages
|
||||
@ -165,20 +169,24 @@ jobs:
|
||||
- "gcp_gcp-sev-snp_nightly"
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Download os images
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: "osimages-${{ matrix.target }}"
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Hash
|
||||
shell: bash
|
||||
if: runner.os == 'Linux'
|
||||
run: sha256sum osimage-*
|
||||
- name: Download os images
|
||||
uses: ./.github/actions/artifact_download
|
||||
with:
|
||||
name: "osimages-${{ matrix.target }}"
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Compare os images
|
||||
shell: bash
|
||||
run: |
|
||||
# shellcheck disable=SC2207,SC2116
|
||||
list=($(echo "osimage-*"))
|
||||
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
|
||||
- name: Hash
|
||||
shell: bash
|
||||
if: runner.os == 'Linux'
|
||||
run: sha256sum osimage-*
|
||||
|
||||
- name: Compare os images
|
||||
shell: bash
|
||||
run: |
|
||||
# shellcheck disable=SC2207,SC2116
|
||||
list=($(echo "osimage-*"))
|
||||
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
|
||||
|
2
.github/workflows/scorecard.yml
vendored
2
.github/workflows/scorecard.yml
vendored
@ -35,7 +35,7 @@ jobs:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Upload to code-scanning
|
||||
uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
|
||||
|
Loading…
Reference in New Issue
Block a user