ci: fix artifact upload in image build pipeline (#2765)

* Fix parameter expansion when uploading multiple files
* On download, ensure target directory exists
* Rename encryption-secret -> encryptionSecret
* Remove incorrect secret access from e2e test action
* Add missing checkout action to workflows using our download action
* Fix spacing
* Fix upload action uploading whole directory structure instead of target files
* Explicitly give write permissions to Azure disk image, since permissions are no longer dropped on upload

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Daniel Weiße 2023-12-21 19:28:18 +01:00 committed by GitHub
parent 66c0b581b2
commit 8c1972c335
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 109 additions and 89 deletions


@ -9,7 +9,7 @@ inputs:
description: 'Download to a specified path.' description: 'Download to a specified path.'
required: false required: false
default: ./ default: ./
encryption-secret: encryptionSecret:
description: 'The secret to use for decrypting the artifact.' description: 'The secret to use for decrypting the artifact.'
required: true required: true
@ -36,4 +36,5 @@ runs:
- name: Decrypt and unzip archive - name: Decrypt and unzip archive
shell: bash shell: bash
run: | run: |
unzip -P '${{ inputs.encryption-secret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip mkdir -p ${{ inputs.path }}
unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
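Review bot: Both `${{ inputs.path }}` occurrences in the new `mkdir -p` line and the `unzip` line are substituted into the script text before bash runs it and are left unquoted, so a path with spaces splits into several arguments and a path containing shell metacharacters is interpreted rather than used as data; the secret inside `'…'` likewise breaks the quoting if it contains a single quote. The robust form is to pass both values to the step through `env:` and reference them as quoted shell variables, which also keeps the secret out of the rendered script. The step header `- name: Decrypt and unzip archive` is inside the hunk, but the rest of the `runs:` block is not.
```yaml
      - name: Decrypt and unzip archive
        # … unchanged: shell: bash …
        env:
          DOWNLOAD_PATH: ${{ inputs.path }}
          ARCHIVE_PASSWORD: ${{ inputs.encryptionSecret }}
        run: |
          mkdir -p "${DOWNLOAD_PATH}"
          unzip -P "${ARCHIVE_PASSWORD}" -qq -d "${DOWNLOAD_PATH}" "${{ steps.tempdir.outputs.directory }}/archive.zip"
```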


@ -3,7 +3,7 @@ description: Upload an encrypted zip archive as a github artifact.
inputs: inputs:
path: path:
description: 'The path(s) that should be uploaded. Those are evaluated with bash and the extglob option.' description: 'The path(s) that should be uploaded. Paths may contain globs. Only the final component of a path is uploaded.'
required: true required: true
name: name:
description: 'The name of the artifact.' description: 'The name of the artifact.'
@ -11,7 +11,7 @@ inputs:
retention-days: retention-days:
description: 'How long the artifact should be retained for.' description: 'How long the artifact should be retained for.'
default: 60 default: 60
encryption-secret: encryptionSecret:
description: 'The secret to use for encrypting the files.' description: 'The secret to use for encrypting the files.'
required: true required: true
@ -34,10 +34,14 @@ runs:
run: | run: |
shopt -s extglob shopt -s extglob
paths="${{ inputs.path }}"
paths=${paths%$'\n'} # Remove trailing newline
# Check if any file matches the given pattern(s). # Check if any file matches the given pattern(s).
something_exists=false something_exists=false
for pattern in ${{ inputs.path }}; do for pattern in ${paths}
if compgen -G $pattern > /dev/null; then do
if compgen -G "${pattern}" > /dev/null; then
something_exists=true something_exists=true
fi fi
done done
@ -45,12 +49,19 @@ runs:
# Create an archive if files exist. # Create an archive if files exist.
# Don't create an archive file if no files are found # Don't create an archive file if no files are found
# and warn. # and warn.
if $something_exists; then if ! ${something_exists}
zip -e -P '${{ inputs.encryption-secret }}' -qq -r ${{ steps.tempdir.outputs.directory }}/archive.zip ${{ inputs.path }} then
else echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
echo "::warning:: No files/directories found with the provided path(s) $(echo -n ${{ inputs.path }}). No artifact will be uploaded." exit 0
fi fi
for target in ${paths}
do
pushd "$(dirname "${target}")" || exit 1
zip -e -P '${{ inputs.encryptionSecret }}' -r "${{ steps.tempdir.outputs.directory }}/archive.zip" "$(basename "${target}")"
popd || exit 1
done
- name: Upload archive as artifact - name: Upload archive as artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
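Review bot: The new `paths="${{ inputs.path }}"` assignment and the `zip -e -P '${{ inputs.encryptionSecret }}'` line both splice caller-supplied values directly into the script text, so a path containing a double quote or a secret containing a single quote terminates the literal and the remainder is run as shell; the existing `"${pattern}"` and `"${target}"` quoting does not help because the breakage happens before bash sees the script. Passing the two inputs via `env:` and reading them as shell variables closes that gap and keeps the secret out of the rendered command. Separately, since each target is added by its bare basename, two matches with the same file name in different directories would presumably overwrite each other inside `archive.zip`; if callers never do that, a one-line comment saying so above the `for target` loop would prevent surprises. The step's `- name:` and `shell: bash` lines are outside the hunk.
```yaml
      env:
        INPUT_PATHS: ${{ inputs.path }}
        ARCHIVE_PASSWORD: ${{ inputs.encryptionSecret }}
      run: |
        shopt -s extglob
        paths="${INPUT_PATHS}"
        # … unchanged: trailing-newline strip, existence check, warning, target loop …
          zip -e -P "${ARCHIVE_PASSWORD}" -r "${{ steps.tempdir.outputs.directory }}/archive.zip" "$(basename "${target}")"
```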


@ -59,7 +59,7 @@ inputs:
force: force:
description: "Set the force-flag on apply to ignore version mismatches." description: "Set the force-flag on apply to ignore version mismatches."
required: false required: false
encryption-secret: encryptionSecret:
description: "The secret to use for encrypting the artifact." description: "The secret to use for encrypting the artifact."
required: true required: true
@ -267,4 +267,4 @@ runs:
name: serial-logs-${{ inputs.artifactNameSuffix }} name: serial-logs-${{ inputs.artifactNameSuffix }}
path: > path: >
!(terraform).log !(terraform).log
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}


@ -17,7 +17,7 @@ inputs:
awsOpenSearchPwd: awsOpenSearchPwd:
description: "AWS OpenSearch Password to upload the results." description: "AWS OpenSearch Password to upload the results."
required: false required: false
encryption-secret: encryptionSecret:
description: 'The secret to use for encrypting the artifact.' description: 'The secret to use for encrypting the artifact.'
required: true required: true
@ -100,7 +100,7 @@ runs:
with: with:
path: "out/fio-constellation-${{ inputs.cloudProvider }}.json" path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
name: "fio-constellation-${{ inputs.cloudProvider }}.json" name: "fio-constellation-${{ inputs.cloudProvider }}.json"
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run knb benchmark - name: Run knb benchmark
shell: bash shell: bash
@ -122,7 +122,7 @@ runs:
with: with:
path: "out/knb-constellation-${{ inputs.cloudProvider }}.json" path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
name: "knb-constellation-${{ inputs.cloudProvider }}.json" name: "knb-constellation-${{ inputs.cloudProvider }}.json"
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Assume AWS role to retrieve and update benchmarks in S3 - name: Assume AWS role to retrieve and update benchmarks in S3
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -176,7 +176,7 @@ runs:
path: > path: >
benchmarks/constellation-${{ inputs.cloudProvider }}.json benchmarks/constellation-${{ inputs.cloudProvider }}.json
name: "benchmarks" name: "benchmarks"
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Upload benchmark results to opensearch - name: Upload benchmark results to opensearch
if: (!env.ACT) if: (!env.ACT)


@ -11,7 +11,7 @@ inputs:
kubeconfig: kubeconfig:
description: "The kubeconfig of the cluster to test." description: "The kubeconfig of the cluster to test."
required: true required: true
encryption-secret: encryptionSecret:
description: 'The secret to use for encrypting the artifact.' description: 'The secret to use for encrypting the artifact.'
required: true required: true
@ -51,7 +51,7 @@ runs:
with: with:
name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz" name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz"
path: "*_sonobuoy_*.tar.gz" path: "*_sonobuoy_*.tar.gz"
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}
# Only works on "sonobuoy full" tests (e2e plugin) # Only works on "sonobuoy full" tests (e2e plugin)
- name: Extract test results - name: Extract test results


@ -86,7 +86,7 @@ inputs:
force: force:
description: "Set the force-flag on apply to ignore version mismatches." description: "Set the force-flag on apply to ignore version mismatches."
required: false required: false
encryption-secret: encryptionSecret:
description: 'The secret to use for decrypting the artifact.' description: 'The secret to use for decrypting the artifact.'
required: true required: true
@ -299,7 +299,7 @@ runs:
clusterCreation: ${{ inputs.clusterCreation }} clusterCreation: ${{ inputs.clusterCreation }}
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
force: ${{ inputs.force }} force: ${{ inputs.force }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Deploy log- and metrics-collection (Kubernetes) - name: Deploy log- and metrics-collection (Kubernetes)
id: deploy-logcollection id: deploy-logcollection
@ -334,7 +334,7 @@ runs:
sonobuoyTestSuiteCmd: "--mode quick" sonobuoyTestSuiteCmd: "--mode quick"
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }} artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run sonobuoy full test - name: Run sonobuoy full test
if: inputs.test == 'sonobuoy full' if: inputs.test == 'sonobuoy full'
@ -344,7 +344,7 @@ runs:
sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml' sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }} artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run autoscaling test - name: Run autoscaling test
if: inputs.test == 'autoscaling' if: inputs.test == 'autoscaling'
@ -367,7 +367,7 @@ runs:
awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }} awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }} awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }} awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run constellation verify test - name: Run constellation verify test
if: inputs.test == 'verify' if: inputs.test == 'verify'


@ -1,7 +1,7 @@
name: Upload Terraform infrastructure module name: Upload Terraform infrastructure module
description: "Upload the Terraform infrastructure module as an artifact." description: "Upload the Terraform infrastructure module as an artifact."
inputs: inputs:
encryption-secret: encryptionSecret:
description: 'The secret to use for encrypting the artifact.' description: 'The secret to use for encrypting the artifact.'
required: true required: true
@ -24,7 +24,7 @@ runs:
with: with:
name: terraform-module name: terraform-module
path: terraform-module.zip path: terraform-module.zip
encryption-secret: ${{ inputs.encryption-secret }} encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Cleanup Terraform module dir - name: Cleanup Terraform module dir
shell: bash shell: bash


@ -182,7 +182,7 @@ jobs:
with: with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.image-dir }}/constellation.raw path: ${{ steps.build.outputs.image-dir }}/constellation.raw
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload individual OS parts as artifacts - name: Upload individual OS parts as artifacts
uses: ./.github/actions/artifact_upload uses: ./.github/actions/artifact_upload
@ -192,14 +192,14 @@ jobs:
${{ steps.build.outputs.image-dir }}/constellation.efi ${{ steps.build.outputs.image-dir }}/constellation.efi
${{ steps.build.outputs.image-dir }}/constellation.initrd ${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload sbom info as artifact - name: Upload sbom info as artifact
uses: ./.github/actions/artifact_upload uses: ./.github/actions/artifact_upload
with: with:
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.rpmdb }} path: ${{ steps.build.outputs.rpmdb }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
upload-os-image: upload-os-image:
name: "Upload OS image to CSP" name: "Upload OS image to CSP"
@ -248,7 +248,7 @@ jobs:
with: with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38 path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install tools - name: Install tools
shell: bash shell: bash
@ -316,6 +316,7 @@ jobs:
working-directory: ${{ github.workspace }}/image working-directory: ${{ github.workspace }}/image
run: | run: |
echo "::group::Upload Azure image" echo "::group::Upload Azure image"
chmod +w "${RAW_IMAGE_PATH}"
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
bazel run //image/upload -- image azure \ bazel run //image/upload -- image azure \
--verbose \ --verbose \
@ -361,7 +362,7 @@ jobs:
with: with:
name: lookup-table name: lookup-table
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
calculate-pcrs: calculate-pcrs:
name: "Calculate PCRs" name: "Calculate PCRs"
@ -398,7 +399,7 @@ jobs:
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- uses: ./.github/actions/setup_bazel_nix - uses: ./.github/actions/setup_bazel_nix
with: with:
@ -545,7 +546,7 @@ jobs:
with: with:
name: measurements name: measurements
path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
upload-pcrs: upload-pcrs:
name: "Sign & upload PCRs" name: "Sign & upload PCRs"
@ -568,7 +569,7 @@ jobs:
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: measurements name: measurements
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -640,6 +641,10 @@ jobs:
contents: read contents: read
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with: with:
@ -652,7 +657,7 @@ jobs:
# downloading / using only the QEMU manifest is fine # downloading / using only the QEMU manifest is fine
# since the images only differ in the ESP partition # since the images only differ in the ESP partition
name: sbom-qemu-qemu-vtpm name: sbom-qemu-qemu-vtpm
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload SBOMs to S3 - name: Upload SBOMs to S3
shell: bash shell: bash
@ -683,7 +688,7 @@ jobs:
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: lookup-table name: lookup-table
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -693,12 +698,7 @@ jobs:
- name: Upload lookup table to S3 - name: Upload lookup table to S3
shell: bash shell: bash
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json run: bazel run //image/upload -- info --verbose image-upload*.json
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Create CLI compatibility information artifact - name: Create CLI compatibility information artifact
shell: bash shell: bash
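Review bot: The checkout step added at the top of the job, `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, pins an older release than the `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` step it replaces further down in the same file, so the relocation is also an unannounced downgrade; keep the v4.1.1 pin unless the older version is required. The new `chmod +w "${RAW_IMAGE_PATH}"` line deserves a why-comment, since the commit message is currently the only place explaining it: `# artifact_upload now preserves file modes; make the downloaded image writable before packing`. Both affected jobs begin outside the visible hunks.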


@ -176,7 +176,7 @@ jobs:
- name: Upload Terraform infrastructure module - name: Upload Terraform infrastructure module
uses: ./.github/actions/upload_terraform_module uses: ./.github/actions/upload_terraform_module
with: with:
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
push-containers: push-containers:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
@ -232,7 +232,7 @@ jobs:
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: constellation.spdx.sbom name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Generate provenance subjects - name: Generate provenance subjects
id: provenance-subjects id: provenance-subjects
@ -346,13 +346,13 @@ jobs:
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: constellation.spdx.sbom name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download provenance - name: Download provenance
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: ${{ needs.provenance.outputs.provenance-name }} name: ${{ needs.provenance.outputs.provenance-name }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install slsa-verifier - name: Install slsa-verifier
run: | run: |
@ -426,19 +426,19 @@ jobs:
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: constellation.spdx.sbom name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation CLI SBOM's signature - name: Download Constellation CLI SBOM's signature
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: constellation.spdx.sbom.sig name: constellation.spdx.sbom.sig
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation provenance - name: Download Constellation provenance
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: ${{ needs.provenance.outputs.provenance-name }} name: ${{ needs.provenance.outputs.provenance-name }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Rename provenance file - name: Rename provenance file
run: | run: |


@ -91,7 +91,7 @@ jobs:
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
clusterCreation: "cli" clusterCreation: "cli"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()


@ -265,7 +265,7 @@ jobs:
clusterCreation: ${{ matrix.clusterCreation }} clusterCreation: ${{ matrix.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()


@ -305,7 +305,7 @@ jobs:
clusterCreation: ${{ matrix.clusterCreation }} clusterCreation: ${{ matrix.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()


@ -246,7 +246,7 @@ jobs:
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
force: ${{ inputs.force }} force: ${{ inputs.force }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()


@ -183,7 +183,7 @@ jobs:
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
clusterCreation: "cli" clusterCreation: "cli"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Build CLI - name: Build CLI
uses: ./.github/actions/build_cli uses: ./.github/actions/build_cli
@ -283,7 +283,7 @@ jobs:
node-operator.logs node-operator.logs
node-maintenance-operator.logs node-maintenance-operator.logs
constellation-version.yaml constellation-version.yaml
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()


@ -38,7 +38,7 @@ jobs:
with: with:
path: "bazel-bin/cli/cli_enterprise_windows_amd64" path: "bazel-bin/cli/cli_enterprise_windows_amd64"
name: "constell-exe" name: "constell-exe"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
e2e-test: e2e-test:
name: E2E Test Windows name: E2E Test Windows
@ -54,7 +54,7 @@ jobs:
uses: ./.github/actions/artifact_download uses: ./.github/actions/artifact_download
with: with:
name: "constell-exe" name: "constell-exe"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Check CLI version - name: Check CLI version
shell: pwsh shell: pwsh


@ -57,14 +57,14 @@ jobs:
with: with:
name: "binaries-${{ matrix.target }}" name: "binaries-${{ matrix.target }}"
path: "${{ env.binary }}" path: "${{ env.binary }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload hash artifact - name: Upload hash artifact
uses: ./.github/actions/artifact_upload uses: ./.github/actions/artifact_upload
with: with:
name: "sha256sums" name: "sha256sums"
path: "${{ env.binary }}.sha256" path: "${{ env.binary }}.sha256"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
build-osimages: build-osimages:
strategy: strategy:
@ -135,23 +135,27 @@ jobs:
- "cli_enterprise_windows_amd64" - "cli_enterprise_windows_amd64"
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Download binaries - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
uses: ./.github/actions/artifact_download with:
with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
name: "binaries-${{ matrix.target }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Hash - name: Download binaries
shell: bash uses: ./.github/actions/artifact_download
if: runner.os == 'Linux' with:
run: sha256sum cli_enterprise* name: "binaries-${{ matrix.target }}"
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Compare binaries - name: Hash
shell: bash shell: bash
run: | if: runner.os == 'Linux'
# shellcheck disable=SC2207,SC2116 run: sha256sum cli_enterprise*
list=($(echo "cli_enterprise*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}" - name: Compare binaries
shell: bash
run: |
# shellcheck disable=SC2207,SC2116
list=($(echo "cli_enterprise*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
compare-osimages: compare-osimages:
needs: build-osimages needs: build-osimages
@ -165,20 +169,24 @@ jobs:
- "gcp_gcp-sev-snp_nightly" - "gcp_gcp-sev-snp_nightly"
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Download os images - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
uses: ./.github/actions/artifact_download with:
with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
name: "osimages-${{ matrix.target }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Hash - name: Download os images
shell: bash uses: ./.github/actions/artifact_download
if: runner.os == 'Linux' with:
run: sha256sum osimage-* name: "osimages-${{ matrix.target }}"
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Compare os images - name: Hash
shell: bash shell: bash
run: | if: runner.os == 'Linux'
# shellcheck disable=SC2207,SC2116 run: sha256sum osimage-*
list=($(echo "osimage-*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}" - name: Compare os images
shell: bash
run: |
# shellcheck disable=SC2207,SC2116
list=($(echo "osimage-*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
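Review bot: The `ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}` expression on the two new checkout steps is a fork guard whose intent is not stated anywhere, and it is duplicated verbatim in both jobs of this file; a comment above each `ref:` line would keep a later editor from "simplifying" it: `# Never check out a fork's head ref; an empty ref makes checkout fall back to the triggering ref.` It also differs from the `ref: ${{ inputs.ref || github.head_ref }}` form the image-build workflow uses in this same commit, which may be deliberate given different triggers, but is worth stating in that comment. The `steps:` lists are fully visible, while both job headers start outside the hunks.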


@ -35,7 +35,7 @@ jobs:
name: SARIF file name: SARIF file
path: results.sarif path: results.sarif
retention-days: 5 retention-days: 5
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload to code-scanning - name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1