From 8c1972c3359e8340d26073e40a817d1b0a5c0e8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com>
Date: Thu, 21 Dec 2023 19:28:18 +0100
Subject: [PATCH] ci: fix artifact upload in image build pipeline (#2765)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Fix parameter expansion when uploading multiple files
* On download, ensure target directory exists
* Rename encryption-secret -> encryptionSecret
* Remove incorrect secret access from e2e test action
* Add missing checkout action to workflows using our download action
* Fix spacing
* Fix upload action uploading whole directory structure instead of target files
* Explicitly give write permissions to Azure disk image, since permissions are no longer dropped on upload
---------
Signed-off-by: Daniel Weiße
---
 .github/actions/artifact_download/action.yml | 5 +-
 .github/actions/artifact_upload/action.yml | 27 ++++---
 .../actions/constellation_create/action.yml | 4 +-
 .github/actions/e2e_benchmark/action.yml | 8 +--
 .github/actions/e2e_sonobuoy/action.yml | 4 +-
 .github/actions/e2e_test/action.yml | 10 +--
 .../upload_terraform_module/action.yml | 4 +-
 .github/workflows/build-os-image.yml | 32 ++++-----
 .github/workflows/draft-release.yml | 14 ++--
 .github/workflows/e2e-test-daily.yml | 2 +-
 .github/workflows/e2e-test-release.yml | 2 +-
 .github/workflows/e2e-test-weekly.yml | 2 +-
 .github/workflows/e2e-test.yml | 2 +-
 .github/workflows/e2e-upgrade.yml | 4 +-
 .github/workflows/e2e-windows.yml | 4 +-
 .github/workflows/reproducible-builds.yml | 72 ++++++++++---------
 .github/workflows/scorecard.yml | 2 +-
 17 files changed, 109 insertions(+), 89 deletions(-)

diff --git a/.github/actions/artifact_download/action.yml b/.github/actions/artifact_download/action.yml
index 4ca96c369..5db482d3d 100644
--- a/.github/actions/artifact_download/action.yml
+++ b/.github/actions/artifact_download/action.yml
@@ -9,7 +9,7 @@ inputs:
 description: 'Download to a specified path.'
 required: false
 default: ./
- encryption-secret:
+ encryptionSecret:
 description: 'The secret to use for decrypting the artifact.'
 required: true
@@ -36,4 +36,5 @@ runs:
 - name: Decrypt and unzip archive
 shell: bash
 run: |
- unzip -P '${{ inputs.encryption-secret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
+ mkdir -p ${{ inputs.path }}
+ unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
diff --git a/.github/actions/artifact_upload/action.yml b/.github/actions/artifact_upload/action.yml
index d60b0a61f..8de9b113a 100644
--- a/.github/actions/artifact_upload/action.yml
+++ b/.github/actions/artifact_upload/action.yml
@@ -3,7 +3,7 @@ description: Upload an encrypted zip archive as a github artifact.
 inputs:
 path:
- description: 'The path(s) that should be uploaded. Those are evaluated with bash and the extglob option.'
+ description: 'The path(s) that should be uploaded. Paths may contain globs. Only the final component of a path is uploaded.'
 required: true
 name:
 description: 'The name of the artifact.'
@@ -11,7 +11,7 @@ inputs:
 retention-days:
 description: 'How long the artifact should be retained for.'
 default: 60
- encryption-secret:
+ encryptionSecret:
 description: 'The secret to use for encrypting the files.'
 required: true
@@ -34,10 +34,14 @@ runs:
 run: |
 shopt -s extglob
+ paths="${{ inputs.path }}"
+ paths=${paths%$'\n'} # Remove trailing newline
+
 # Check if any file matches the given pattern(s).
 something_exists=false
- for pattern in ${{ inputs.path }}; do
- if compgen -G $pattern > /dev/null; then
+ for pattern in ${paths}
+ do
+ if compgen -G "${pattern}" > /dev/null; then
 something_exists=true
 fi
 done
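Review bot: The password still reaches the shell as program text through `${{ inputs.encryptionSecret }}` inside the single quotes of the `unzip -P` line; this hunk only renames the input. Expression expansion happens before bash parses the script, so a value that itself contains a quote character alters the command line rather than staying one argument, and the same construction is repeated at the `zip -e -P` line in artifact_upload's `@@ -45,12 +49,19 @@` hunk. Pass the value through the step's environment instead: `env:` / `ENCRYPTION_SECRET: ${{ inputs.encryptionSecret }}` on the step, then `unzip -P "${ENCRYPTION_SECRET}" -qq -d "${{ inputs.path }}" "${{ steps.tempdir.outputs.directory }}/archive.zip"`. The added `mkdir -p ${{ inputs.path }}` and the existing `-d ${{ inputs.path }}` are also unquoted, so a path containing a space splits into separate arguments; quoting both as `"${{ inputs.path }}"` covers that. Independently of the fix, `-P` places the password on unzip's command line, where it is visible in the runner's process table for the duration of the call, a limitation the unzip manual itself points out.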
@@ -45,12 +49,19 @@ runs:
 # Create an archive if files exist.
 # Don't create an archive file if no files are found
 # and warn.
- if $something_exists; then
- zip -e -P '${{ inputs.encryption-secret }}' -qq -r ${{ steps.tempdir.outputs.directory }}/archive.zip ${{ inputs.path }}
- else
- echo "::warning:: No files/directories found with the provided path(s) $(echo -n ${{ inputs.path }}). No artifact will be uploaded."
+ if ! ${something_exists}
+ then
+ echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
+ exit 0
 fi
+ for target in ${paths}
+ do
+ pushd "$(dirname "${target}")" || exit 1
+ zip -e -P '${{ inputs.encryptionSecret }}' -r "${{ steps.tempdir.outputs.directory }}/archive.zip" "$(basename "${target}")"
+ popd || exit 1
+ done
+
 - name: Upload archive as artifact
 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index cb264283b..e009803c9 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -59,7 +59,7 @@ inputs:
 force:
 description: "Set the force-flag on apply to ignore version mismatches."
 required: false
- encryption-secret:
+ encryptionSecret:
 description: "The secret to use for encrypting the artifact."
 required: true
@@ -267,4 +267,4 @@ runs:
 name: serial-logs-${{ inputs.artifactNameSuffix }}
 path: >
 !(terraform).log
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
diff --git a/.github/actions/e2e_benchmark/action.yml b/.github/actions/e2e_benchmark/action.yml
index 1536c8ea2..88631a62a 100644
--- a/.github/actions/e2e_benchmark/action.yml
+++ b/.github/actions/e2e_benchmark/action.yml
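Review bot: The new `zip` invocation drops the `-qq` the removed one carried, so every archived member name is now echoed into the job log, and because each match is added as `"$(basename "${target}")"` from inside its own directory, two matches that share a final path component silently replace each other in archive.zip (zip adds or replaces an entry of the same name rather than failing). Restoring `-qq` is a one-token change; for the collision, either reject duplicate basenames before the loop or state the limitation in the `path` description this file's first hunk rewrites, e.g. `Paths may contain globs. Only the final component of a path is uploaded; matches with identical file names overwrite each other.`. A comment at the `zip -e -P` line would also help the next reader, since `-e` in a standard Info-ZIP build selects the legacy ZipCrypto scheme: `# zip -e is traditional ZipCrypto; it keeps the artifact out of casual view but is not strong encryption`. The enclosing `run:` block starts outside this hunk.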
@@ -17,7 +17,7 @@ inputs:
 awsOpenSearchPwd:
 description: "AWS OpenSearch Password to upload the results."
 required: false
- encryption-secret:
+ encryptionSecret:
 description: 'The secret to use for encrypting the artifact.'
 required: true
@@ -100,7 +100,7 @@ runs:
 with:
 path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
 name: "fio-constellation-${{ inputs.cloudProvider }}.json"
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 - name: Run knb benchmark
 shell: bash
@@ -122,7 +122,7 @@ runs:
 with:
 path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
 name: "knb-constellation-${{ inputs.cloudProvider }}.json"
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 - name: Assume AWS role to retrieve and update benchmarks in S3
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@@ -176,7 +176,7 @@ runs:
 path: >
 benchmarks/constellation-${{ inputs.cloudProvider }}.json
 name: "benchmarks"
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 - name: Upload benchmark results to opensearch
 if: (!env.ACT)
diff --git a/.github/actions/e2e_sonobuoy/action.yml b/.github/actions/e2e_sonobuoy/action.yml
index 6d8a1905d..1628dadb8 100644
--- a/.github/actions/e2e_sonobuoy/action.yml
+++ b/.github/actions/e2e_sonobuoy/action.yml
@@ -11,7 +11,7 @@ inputs:
 kubeconfig:
 description: "The kubeconfig of the cluster to test."
 required: true
- encryption-secret:
+ encryptionSecret:
 description: 'The secret to use for encrypting the artifact.'
 required: true
@@ -51,7 +51,7 @@ runs:
 with:
 name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz"
 path: "*_sonobuoy_*.tar.gz"
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 # Only works on "sonobuoy full" tests (e2e plugin)
 - name: Extract test results
diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
index baed7cc74..c0b336fe5 100644
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -86,7 +86,7 @@ inputs:
 force:
 description: "Set the force-flag on apply to ignore version mismatches."
 required: false
- encryption-secret:
+ encryptionSecret:
 description: 'The secret to use for decrypting the artifact.'
 required: true
@@ -299,7 +299,7 @@ runs:
 clusterCreation: ${{ inputs.clusterCreation }}
 marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
 force: ${{ inputs.force }}
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 - name: Deploy log- and metrics-collection (Kubernetes)
 id: deploy-logcollection
@@ -334,7 +334,7 @@ runs:
 sonobuoyTestSuiteCmd: "--mode quick"
 kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
 artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 - name: Run sonobuoy full test
 if: inputs.test == 'sonobuoy full'
@@ -344,7 +344,7 @@ runs:
 sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
 kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
 artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 - name: Run autoscaling test
 if: inputs.test == 'autoscaling'
@@ -367,7 +367,7 @@ runs:
 awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
 awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
 awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 - name: Run constellation verify test
 if: inputs.test == 'verify'
diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml
index ab6a7794f..a2c78f565 100644
--- a/.github/actions/upload_terraform_module/action.yml
+++ b/.github/actions/upload_terraform_module/action.yml
@@ -1,7 +1,7 @@
 name: Upload Terraform infrastructure module
 description: "Upload the Terraform infrastructure module as an artifact."
 inputs:
- encryption-secret:
+ encryptionSecret:
 description: 'The secret to use for encrypting the artifact.'
 required: true
@@ -24,7 +24,7 @@ runs:
 with:
 name: terraform-module
 path: terraform-module.zip
- encryption-secret: ${{ inputs.encryption-secret }}
+ encryptionSecret: ${{ inputs.encryptionSecret }}
 - name: Cleanup Terraform module dir
 shell: bash
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 7150148c5..7ac1f75da 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -182,7 +182,7 @@ jobs:
 with:
 name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
 path: ${{ steps.build.outputs.image-dir }}/constellation.raw
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Upload individual OS parts as artifacts
 uses: ./.github/actions/artifact_upload
@@ -192,14 +192,14 @@ jobs:
 ${{ steps.build.outputs.image-dir }}/constellation.efi
 ${{ steps.build.outputs.image-dir }}/constellation.initrd
 ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Upload sbom info as artifact
 uses: ./.github/actions/artifact_upload
 with:
 name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
 path: ${{ steps.build.outputs.rpmdb }}
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 upload-os-image:
 name: "Upload OS image to CSP"
@@ -248,7 +248,7 @@ jobs:
 with:
 name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
 path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Install tools
 shell: bash
@@ -316,6 +316,7 @@ jobs:
 working-directory: ${{ github.workspace }}/image
 run: |
 echo "::group::Upload Azure image"
+ chmod +w "${RAW_IMAGE_PATH}"
 upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
 bazel run //image/upload -- image azure \
 --verbose \
@@ -361,7 +362,7 @@ jobs:
 with:
 name: lookup-table
 path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 calculate-pcrs:
 name: "Calculate PCRs"
@@ -398,7 +399,7 @@ jobs:
 uses: ./.github/actions/artifact_download
 with:
 name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - uses: ./.github/actions/setup_bazel_nix
 with:
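Review bot: `chmod +w "${RAW_IMAGE_PATH}"` in the `@@ -316,6 +316,7 @@` hunk adds the write bit for every permission class the current umask leaves unmasked, so on a runner with a permissive umask the image also becomes group- or world-writable, which is more than the commit message's stated intent of letting the upload step write to it. `chmod u+w "${RAW_IMAGE_PATH}"` expresses that intent exactly and is independent of the runner's umask. The `run:` block this line belongs to starts and ends outside the hunk.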
@@ -545,7 +546,7 @@ jobs:
 with:
 name: measurements
 path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 upload-pcrs:
 name: "Sign & upload PCRs"
@@ -568,7 +569,7 @@ jobs:
 uses: ./.github/actions/artifact_download
 with:
 name: measurements
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Login to AWS
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@@ -640,6 +641,10 @@ jobs:
 contents: read
 runs-on: ubuntu-22.04
 steps:
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ ref: ${{ inputs.ref || github.head_ref }}
+
 - name: Login to AWS
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
@@ -652,7 +657,7 @@ jobs:
 # downloading / using only the QEMU manifest is fine
 # since the images only differ in the ESP partition
 name: sbom-qemu-qemu-vtpm
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Upload SBOMs to S3
 shell: bash
@@ -683,7 +688,7 @@ jobs:
 uses: ./.github/actions/artifact_download
 with:
 name: lookup-table
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Login to AWS
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
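Review bot: The checkout step added at the top of the job in the `@@ -640,6 +641,10 @@` hunk pins `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, whereas the step it replaces, removed in this file's `@@ -693,12 +698,7 @@` hunk, used `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; moving the step earlier therefore downgrades the action by a major version without the commit message saying so, and the two checkout steps added in reproducible-builds.yml carry the same v3.6.0 pin. Unless the older release is intended, keep the pin the job already had: `- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`.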
@@ -693,12 +698,7 @@ jobs:
 - name: Upload lookup table to S3
 shell: bash
- run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
-
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{ inputs.ref || github.head_ref }}
+ run: bazel run //image/upload -- info --verbose image-upload*.json
 - name: Create CLI compatibility information artifact
 shell: bash
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 018d59d55..2a02c9815 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -176,7 +176,7 @@ jobs:
 - name: Upload Terraform infrastructure module
 uses: ./.github/actions/upload_terraform_module
 with:
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 push-containers:
 runs-on: ubuntu-22.04
@@ -232,7 +232,7 @@ jobs:
 uses: ./.github/actions/artifact_download
 with:
 name: constellation.spdx.sbom
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Generate provenance subjects
 id: provenance-subjects
@@ -346,13 +346,13 @@ jobs:
 uses: ./.github/actions/artifact_download
 with:
 name: constellation.spdx.sbom
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Download provenance
 uses: ./.github/actions/artifact_download
 with:
 name: ${{ needs.provenance.outputs.provenance-name }}
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Install slsa-verifier
 run: |
@@ -426,19 +426,19 @@ jobs:
 uses: ./.github/actions/artifact_download
 with:
 name: constellation.spdx.sbom
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Download Constellation CLI SBOM's signature
 uses: ./.github/actions/artifact_download
 with:
 name: constellation.spdx.sbom.sig
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Download Constellation provenance
 uses: ./.github/actions/artifact_download
 with:
 name: ${{ needs.provenance.outputs.provenance-name }}
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Rename provenance file
 run: |
diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml
index 72c29adc9..5d03095eb 100644
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@@ -91,7 +91,7 @@ jobs:
 awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
 awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
 clusterCreation: "cli"
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Always terminate cluster
 if: always()
diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml
index a048922a5..a15994469 100644
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@@ -265,7 +265,7 @@ jobs:
 clusterCreation: ${{ matrix.clusterCreation }}
 s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
 s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Always terminate cluster
 if: always()
diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
index d875f5691..c5706ad34 100644
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@@ -305,7 +305,7 @@ jobs:
 clusterCreation: ${{ matrix.clusterCreation }}
 s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
 s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Always terminate cluster
 if: always()
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index d29872813..d2682a3bd 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -246,7 +246,7 @@ jobs:
 s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
 marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
 force: ${{ inputs.force }}
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Always terminate cluster
 if: always()
diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml
index a71c7d7a9..1a0311f7d 100644
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@@ -183,7 +183,7 @@ jobs:
 awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
 awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
 clusterCreation: "cli"
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Build CLI
 uses: ./.github/actions/build_cli
@@ -283,7 +283,7 @@ jobs:
 node-operator.logs
 node-maintenance-operator.logs
 constellation-version.yaml
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Always terminate cluster
 if: always()
diff --git a/.github/workflows/e2e-windows.yml b/.github/workflows/e2e-windows.yml
index 4ce861c34..33bf4d41f 100644
--- a/.github/workflows/e2e-windows.yml
+++ b/.github/workflows/e2e-windows.yml
@@ -38,7 +38,7 @@ jobs:
 with:
 path: "bazel-bin/cli/cli_enterprise_windows_amd64"
 name: "constell-exe"
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 e2e-test:
 name: E2E Test Windows
@@ -54,7 +54,7 @@ jobs:
 uses: ./.github/actions/artifact_download
 with:
 name: "constell-exe"
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Check CLI version
 shell: pwsh
diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml
index d27909069..f6a1c462c 100644
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@@ -57,14 +57,14 @@ jobs:
 with:
 name: "binaries-${{ matrix.target }}"
 path: "${{ env.binary }}"
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Upload hash artifact
 uses: ./.github/actions/artifact_upload
 with:
 name: "sha256sums"
 path: "${{ env.binary }}.sha256"
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 build-osimages:
 strategy:
@@ -135,23 +135,27 @@ jobs:
 - "cli_enterprise_windows_amd64"
 runs-on: ubuntu-22.04
 steps:
- - name: Download binaries
- uses: ./.github/actions/artifact_download
- with:
- name: "binaries-${{ matrix.target }}"
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- - name: Hash
- shell: bash
- if: runner.os == 'Linux'
- run: sha256sum cli_enterprise*
+ - name: Download binaries
+ uses: ./.github/actions/artifact_download
+ with:
+ name: "binaries-${{ matrix.target }}"
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- - name: Compare binaries
- shell: bash
- run: |
- # shellcheck disable=SC2207,SC2116
- list=($(echo "cli_enterprise*"))
- diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
+ - name: Hash
+ shell: bash
+ if: runner.os == 'Linux'
+ run: sha256sum cli_enterprise*
+
+ - name: Compare binaries
+ shell: bash
+ run: |
+ # shellcheck disable=SC2207,SC2116
+ list=($(echo "cli_enterprise*"))
+ diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
 compare-osimages:
 needs: build-osimages
@@ -165,20 +169,24 @@ jobs:
 - "gcp_gcp-sev-snp_nightly"
 runs-on: ubuntu-22.04
 steps:
- - name: Download os images
- uses: ./.github/actions/artifact_download
- with:
- name: "osimages-${{ matrix.target }}"
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- - name: Hash
- shell: bash
- if: runner.os == 'Linux'
- run: sha256sum osimage-*
+ - name: Download os images
+ uses: ./.github/actions/artifact_download
+ with:
+ name: "osimages-${{ matrix.target }}"
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- - name: Compare os images
- shell: bash
- run: |
- # shellcheck disable=SC2207,SC2116
- list=($(echo "osimage-*"))
- diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
+ - name: Hash
+ shell: bash
+ if: runner.os == 'Linux'
+ run: sha256sum osimage-*
+
+ - name: Compare os images
+ shell: bash
+ run: |
+ # shellcheck disable=SC2207,SC2116
+ list=($(echo "osimage-*"))
+ diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 46cfd8b90..8a3fb4f96 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -35,7 +35,7 @@ jobs:
 name: SARIF file
 path: results.sarif
 retention-days: 5
- encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+ encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Upload to code-scanning
 uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1