Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

ci: encrypt artifacts (#2567)

Browse Source
This commit is contained in:
miampf 2023-12-20 14:17:49 +00:00 committed by GitHub
parent 0e84c6cc3e
commit a429ca50e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 224 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
.github/actions/artifact_download/action.yml vendored Normal file
View File

@ -0,0 +1,39 @@
name: Download artifact
description: Download and decrypt an artifact.
inputs:
name:
description: 'The name of the artifact.'
required: true
path:
description: 'Download to a specified path.'
required: false
default: ./
encryption-secret:
description: 'The secret to use for decrypting the artifact.'
required: true
runs:
using: "composite"
steps:
- name: Install unzip
uses: ./.github/actions/setup_bazel_nix
with:
nixTools: |
unzip
- name: Create temporary directory
id: tempdir
shell: bash
run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
- name: Download the artifact
uses: actions/download-artifact@v3
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}
- name: Decrypt and unzip archive
shell: bash
run: |
unzip -P '${{ inputs.encryption-secret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip

60
.github/actions/artifact_upload/action.yml vendored Normal file
View File

@ -0,0 +1,60 @@
name: Upload artifact
description: Upload an encrypted zip archive as a github artifact.
inputs:
path:
description: 'The path(s) that should be uploaded. Those are evaluated with bash and the extglob option.'
required: true
name:
description: 'The name of the artifact.'
required: true
retention-days:
description: 'How long the artifact should be retained for.'
default: 60
encryption-secret:
description: 'The secret to use for encrypting the files.'
required: true
runs:
using: "composite"
steps:
- name: Install zip
uses: ./.github/actions/setup_bazel_nix
with:
nixTools: |
zip
- name: Create temporary directory
id: tempdir
shell: bash
run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
- name: Create archive
shell: bash
run: |
shopt -s extglob
# Check if any file matches the given pattern(s).
something_exists=false
for pattern in ${{ inputs.path }}; do
if compgen -G $pattern > /dev/null; then
something_exists=true
fi
done
# Create an archive if files exist.
# Don't create an archive file if no files are found
# and warn.
if $something_exists; then
zip -e -P '${{ inputs.encryption-secret }}' -qq -r ${{ steps.tempdir.outputs.directory }}/archive.zip ${{ inputs.path }}
else
echo "::warning:: No files/directories found with the provided path(s) $(echo -n ${{ inputs.path }}). No artifact will be uploaded."
fi
- name: Upload archive as artifact
uses: actions/upload-artifact@v3
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}/archive.zip
retention-days: ${{ inputs.retention-days }}
if-no-files-found: ignore

11
.github/actions/constellation_create/action.yml vendored
View File

@ -59,6 +59,9 @@ inputs:
force:
description: "Set the force-flag on apply to ignore version mismatches."
required: false
encryption-secret:
description: "The secret to use for encrypting the artifact."
required: true
outputs:
kubeconfig:
@ -259,9 +262,9 @@ runs:
- name: Upload boot logs
if: always() && !env.ACT
continue-on-error: true
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: serial-logs-${{ inputs.artifactNameSuffix }}
path: |
*.log
!terraform.log
path: >
!(terraform).log
encryption-secret: ${{ inputs.encryption-secret }}

34
.github/actions/download_release_binaries/action.yml vendored
View File

@ -1,55 +1,69 @@
name: Download release binaries
description: "Downloads all binaries created by a different job (and therefore not available in this job) in the release pipeline."
inputs:
encryption-secret:
description: 'The secret to use for decrypting the artifact.'
required: true
runs:
using: "composite"
steps:
- name: Download CLI binaries darwin-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation-darwin-amd64
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation-darwin-arm64
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation-linux-amd64
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation-linux-arm64
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download CLI binaries windows-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation-windows-amd64
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download Terraform module
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: terraform-module
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download Terraform provider binary darwin-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: terraform-provider-constellation-darwin-amd64
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download Terraform provider binary darwin-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: terraform-provider-constellation-darwin-arm64
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download Terraform provider binary linux-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: terraform-provider-constellation-linux-amd64
encryption-secret: ${{ inputs.encryption-secret }}
- name: Download Terraform provider binary linux-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: terraform-provider-constellation-linux-arm64
encryption-secret: ${{ inputs.encryption-secret }}

14
.github/actions/e2e_benchmark/action.yml vendored
View File

@ -17,6 +17,9 @@ inputs:
awsOpenSearchPwd:
description: "AWS OpenSearch Password to upload the results."
required: false
encryption-secret:
description: 'The secret to use for encrypting the artifact.'
required: true
runs:
using: "composite"
@ -93,10 +96,11 @@ runs:
- name: Upload raw FIO benchmark results
if: (!env.ACT)
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
name: "fio-constellation-${{ inputs.cloudProvider }}.json"
encryption-secret: ${{ inputs.encryption-secret }}
- name: Run knb benchmark
shell: bash
@ -114,10 +118,11 @@ runs:
- name: Upload raw knb benchmark results
if: (!env.ACT)
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
name: "knb-constellation-${{ inputs.cloudProvider }}.json"
encryption-secret: ${{ inputs.encryption-secret }}
- name: Assume AWS role to retrieve and update benchmarks in S3
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -166,11 +171,12 @@ runs:
- name: Upload benchmark results to action run
if: (!env.ACT)
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
path: |
path: >
benchmarks/constellation-${{ inputs.cloudProvider }}.json
name: "benchmarks"
encryption-secret: ${{ inputs.encryption-secret }}
- name: Upload benchmark results to opensearch
if: (!env.ACT)

6
.github/actions/e2e_sonobuoy/action.yml vendored
View File

@ -11,6 +11,9 @@ inputs:
kubeconfig:
description: "The kubeconfig of the cluster to test."
required: true
encryption-secret:
description: 'The secret to use for encrypting the artifact.'
required: true
runs:
using: "composite"
@ -44,10 +47,11 @@ runs:
- name: Upload test results
if: always() && !env.ACT
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz"
path: "*_sonobuoy_*.tar.gz"
encryption-secret: ${{ inputs.encryption-secret }}
# Only works on "sonobuoy full" tests (e2e plugin)
- name: Extract test results

7
.github/actions/e2e_test/action.yml vendored
View File

@ -86,6 +86,9 @@ inputs:
force:
description: "Set the force-flag on apply to ignore version mismatches."
required: false
encryption-secret:
description: 'The secret to use for decrypting the artifact.'
required: true
outputs:
kubeconfig:
@ -296,6 +299,7 @@ runs:
clusterCreation: ${{ inputs.clusterCreation }}
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
force: ${{ inputs.force }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Deploy log- and metrics-collection (Kubernetes)
id: deploy-logcollection
@ -330,6 +334,7 @@ runs:
sonobuoyTestSuiteCmd: "--mode quick"
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
encryption-secret: ${{ inputs.encryption-secret }}
- name: Run sonobuoy full test
if: inputs.test == 'sonobuoy full'
@ -339,6 +344,7 @@ runs:
sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
encryption-secret: ${{ inputs.encryption-secret }}
- name: Run autoscaling test
if: inputs.test == 'autoscaling'
@ -361,6 +367,7 @@ runs:
awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
encryption-secret: ${{ inputs.encryption-secret }}
- name: Run constellation verify test
if: inputs.test == 'verify'

8
.github/actions/upload_terraform_module/action.yml vendored
View File

@ -1,5 +1,10 @@
name: Upload Terraform infrastructure module
description: "Upload the Terraform infrastructure module as an artifact."
inputs:
encryption-secret:
description: 'The secret to use for encrypting the artifact.'
required: true
runs:
using: "composite"
@ -15,10 +20,11 @@ runs:
zip -r terraform-module.zip terraform-module
- name: Upload artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
uses: ./.github/actions/artifact_upload
with:
name: terraform-module
path: terraform-module.zip
encryption-secret: ${{ inputs.encryption-secret }}
- name: Cleanup Terraform module dir
shell: bash

32
.github/workflows/build-os-image.yml vendored
View File

@ -178,25 +178,28 @@ jobs:
echo "::endgroup::"
- name: Upload raw OS image as artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload individual OS parts as artifacts
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: |
path: >
${{ steps.build.outputs.image-dir }}/constellation.efi
${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload sbom info as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: ./.github/actions/artifact_upload
with:
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.rpmdb }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
upload-os-image:
name: "Upload OS image to CSP"
@ -241,10 +244,11 @@ jobs:
useCache: "false"
- name: Download OS image artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install tools
shell: bash
@ -353,10 +357,11 @@ jobs:
echo "::endgroup::"
- name: Upload image lookup table as artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: lookup-table
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
calculate-pcrs:
name: "Calculate PCRs"
@ -390,9 +395,10 @@ jobs:
ref: ${{ inputs.ref || github.head_ref }}
- name: Download OS image artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- uses: ./.github/actions/setup_bazel_nix
with:
@ -535,10 +541,11 @@ jobs:
echo "::endgroup::"
- name: Upload expected measurements as artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: measurements
path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
upload-pcrs:
name: "Sign & upload PCRs"
@ -558,9 +565,10 @@ jobs:
useCache: "false"
- name: Download measurements
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: measurements
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -639,11 +647,12 @@ jobs:
aws-region: eu-central-1
- name: Download sbom
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
# downloading / using only the QEMU manifest is fine
# since the images only differ in the ESP partition
name: sbom-qemu-qemu-vtpm
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload SBOMs to S3
shell: bash
@ -671,9 +680,10 @@ jobs:
useCache: "false"
- name: Download image lookup table
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
uses: ./.github/actions/artifact_download
with:
name: lookup-table
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1

30
.github/workflows/draft-release.yml vendored
View File

@ -96,7 +96,7 @@ jobs:
if : ${{ matrix.os != 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
path: |
path: >
build/constellation-${{ matrix.os }}-${{ matrix.arch }}
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
@ -105,7 +105,7 @@ jobs:
if : ${{ matrix.os == 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
path: |
path: >
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig
@ -175,6 +175,8 @@ jobs:
- name: Upload Terraform infrastructure module
uses: ./.github/actions/upload_terraform_module
with:
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
push-containers:
runs-on: ubuntu-22.04
@ -225,11 +227,14 @@ jobs:
- name: Download release binaries
uses: ./.github/actions/download_release_binaries
with:
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download CLI SBOM
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Generate provenance subjects
id: provenance-subjects
@ -338,16 +343,20 @@ jobs:
- name: Download release binaries
uses: ./.github/actions/download_release_binaries
with:
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download CLI SBOM
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download provenance
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: ${{ needs.provenance.outputs.provenance-name }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install slsa-verifier
run: |
@ -416,21 +425,26 @@ jobs:
- name: Download binaries
uses: ./.github/actions/download_release_binaries
with:
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download CLI SBOM
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation CLI SBOM's signature
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: constellation.spdx.sbom.sig
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation provenance
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: ${{ needs.provenance.outputs.provenance-name }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Rename provenance file
run: |

1
.github/workflows/e2e-test-daily.yml vendored
View File

@ -91,6 +91,7 @@ jobs:
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
clusterCreation: "cli"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

1
.github/workflows/e2e-test-release.yml vendored
View File

@ -265,6 +265,7 @@ jobs:
clusterCreation: ${{ matrix.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

1
.github/workflows/e2e-test-weekly.yml vendored
View File

@ -305,6 +305,7 @@ jobs:
clusterCreation: ${{ matrix.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

1
.github/workflows/e2e-test.yml vendored
View File

@ -246,6 +246,7 @@ jobs:
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
force: ${{ inputs.force }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

6
.github/workflows/e2e-upgrade.yml vendored
View File

@ -183,6 +183,7 @@ jobs:
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
clusterCreation: "cli"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Build CLI
uses: ./.github/actions/build_cli
@ -275,13 +276,14 @@ jobs:
- name: Always upload logs
if: always()
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: upgrade-logs
path: |
path: >
node-operator.logs
node-maintenance-operator.logs
constellation-version.yaml
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

6
.github/workflows/e2e-windows.yml vendored
View File

@ -34,10 +34,11 @@ jobs:
enterpriseCLI: true
- name: Upload CLI artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
path: "bazel-bin/cli/cli_enterprise_windows_amd64"
name: "constell-exe"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
e2e-test:
name: E2E Test Windows
@ -50,9 +51,10 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download CLI artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: "constell-exe"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Check CLI version
shell: pwsh

12
.github/workflows/reproducible-builds.yml vendored
View File

@ -53,16 +53,18 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: "binaries-${{ matrix.target }}"
path: "${{ env.binary }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload hash artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: "sha256sums"
path: "${{ env.binary }}.sha256"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
build-osimages:
strategy:
@ -134,9 +136,10 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Download binaries
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: "binaries-${{ matrix.target }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Hash
shell: bash
@ -163,9 +166,10 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Download os images
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: ./.github/actions/artifact_download
with:
name: "osimages-${{ matrix.target }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Hash
shell: bash

3
.github/workflows/scorecard.yml vendored
View File

@ -30,11 +30,12 @@ jobs:
publish_results: true
- name: Upload artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: ./.github/actions/artifact_upload
with:
name: SARIF file
path: results.sarif
retention-days: 5
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1