Merge branch 'main' into fix/aws/snp-firmware-upgrade

This commit is contained in:
Moritz Sanft 2024-11-29 14:28:54 +01:00 committed by GitHub
commit a914dffe15
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1098 changed files with 67364 additions and 19695 deletions


@ -1,9 +1,3 @@
# Sadly, some Bazel rules we depend on have no support for bzlmod yet
# Here is an (incomplete) list of rules known to not support bzlmod.
# Please extend this list as you find more.
# - rules_nixpkgs: https://github.com/tweag/rules_nixpkgs/issues/181
common --noenable_bzlmod
# Import bazelrc presets
import %workspace%/bazel/bazelrc/bazel7.bazelrc
import %workspace%/bazel/bazelrc/convenience.bazelrc


@ -1 +1 @@
7.1.0
7.3.2


@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# get_artifact_id retrieves the artifact id of
# an artifact that was generated by a workflow.
@ -9,7 +9,7 @@ function get_artifact_id {
-H "X-GitHub-Api-Version: 2022-11-28" \
--paginate \
"/repos/edgelesssys/constellation/actions/runs/$1/artifacts" --jq ".artifacts |= map(select(.name==\"$2\")) | .artifacts[0].id" || exit 1)"
echo "$artifact_id"
echo "$artifact_id" | tr -d "\n"
}
# delete_artifact_by_id deletes an artifact by its artifact id.
@ -25,14 +25,7 @@ function delete_artifact_by_id {
workflow_id="$1"
artifact_name="$2"
if [[ -z $workflow_id ]]; then
echo "[X] No workflow id provided."
echo "Usage: delete_artifact.sh <WORKFLOW_ID> <ARTIFACT_NAME>"
exit 1
fi
if [[ -z $artifact_name ]]; then
echo "[X] No artifact name provided."
if [[ -z $workflow_id ]] || [[ -z $artifact_name ]]; then
echo "Usage: delete_artifact.sh <WORKFLOW_ID> <ARTIFACT_NAME>"
exit 1
fi
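Review bot: get_artifact_id can still hand the caller the string `null` instead of failing when no artifact matches, because `.artifacts[0].id` on an empty filtered list yields null and the `|| exit 1` only fires on a non-zero `gh` exit; the new `tr -d "\n"` then passes that `null` on as if it were an id. Guard it before the echo, e.g. `[[ -n "$artifact_id" && "$artifact_id" != "null" ]] || exit 1`. Separately, `$2` is spliced into the jq program text on the `--jq` line, so an artifact name containing a double quote or backslash breaks the filter; both values come from the command line, so this is a robustness issue, but it deserves a comment. The merged argument check in the last hunk also drops the two distinct "[X] No workflow id / No artifact name" messages, which the usage line alone does not replace.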


@ -28,7 +28,7 @@ runs:
run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
- name: Download the artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}
@ -37,4 +37,4 @@ runs:
shell: bash
run: |
mkdir -p ${{ inputs.path }}
7zz x -p'${{ inputs.encryptionSecret }}' -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z
7zz x -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z


@ -36,6 +36,7 @@ runs:
- name: Create archive
shell: bash
run: |
set -euo pipefail
shopt -s extglob
paths="${{ inputs.path }}"
paths=${paths%$'\n'} # Remove trailing newline
@ -47,6 +48,7 @@ runs:
something_exists=true
fi
done
# Create an archive if files exist.
# Don't create an archive file if no files are found
# and warn.
@ -55,15 +57,19 @@ runs:
echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
exit 0
fi
for target in ${paths}
do
pushd "$(dirname "${target}")" || exit 1
7zz a -p'${{ inputs.encryptionSecret }}' -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
popd || exit 1
if compgen -G "${target}" > /dev/null
then
pushd "$(dirname "${target}")"
7zz a -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
popd
fi
done
- name: Upload archive as artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}/archive.7z
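Review bot: The rewritten `7zz a` line still splices `${{ inputs.encryptionSecret }}` into the script text at template-expansion time, so the secret becomes part of the generated script and a value containing a single quote would break the quoting; the `7zz x` line in the artifact_download section above has the same shape. Pass it through `env:` instead, `ENCRYPTION_SECRET: ${{ inputs.encryptionSecret }}`, and reference it as `-p"${ENCRYPTION_SECRET}"`. With `set -euo pipefail` now in effect the `|| exit 1` after `pushd`/`popd` was safe to drop, but a one-line comment on the new `compgen -G` guard, `# skip patterns that match nothing so 7zz is not handed an unmatched glob`, would save the next reader a lookup.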


@ -79,7 +79,7 @@ runs:
# once it has the functionality
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Install Rekor
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''


@ -42,7 +42,7 @@ runs:
- name: Docker metadata
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
ghcr.io/${{ github.repository }}/${{ inputs.name }}
@ -62,7 +62,7 @@ runs:
- name: Build and push container image
id: build-micro-service
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: .
file: ${{ inputs.dockerfile }}


@ -91,6 +91,11 @@ runs:
shell: bash
run: |
echo "::group::cdbg deploy"
on_error() {
echo "::error::cdbg deploy failed"
}
trap on_error ERR
chmod +x $GITHUB_WORKSPACE/build/cdbg
cdbg deploy \
--bootstrapper "${{ github.workspace }}/build/bootstrapper" \
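Review bot: The `trap on_error ERR` installed here fires only for commands executed directly in this shell; without `set -E` it is not inherited by shell functions or subshells, so a failure inside a command substitution or helper function would not produce the `::error::` annotation. Add `set -E` before the trap if that coverage is intended. The `::group::cdbg deploy` that is opened is never closed on the error path either; an `echo "::endgroup::"` inside `on_error` keeps the log foldable. The `run:` block continues past this hunk.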


@ -192,6 +192,13 @@ runs:
run: |
echo "flag=--force" | tee -a $GITHUB_OUTPUT
- name: Set conformance flag
id: set-conformance-flag
if: inputs.test == 'sonobuoy conformance'
shell: bash
run: |
echo "flag=--conformance" | tee -a $GITHUB_OUTPUT
- name: Constellation apply (Terraform)
id: constellation-apply-terraform
if: inputs.clusterCreation == 'terraform'
@ -204,7 +211,7 @@ runs:
if: inputs.clusterCreation != 'terraform'
shell: bash
run: |
constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }}
constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }} ${{ steps.set-conformance-flag.outputs.flag }}
- name: Get kubeconfig
id: get-kubeconfig


@ -27,6 +27,9 @@ inputs:
#
# Azure specific inputs
#
azureSubscriptionID:
description: "Azure subscription ID to deploy Constellation in."
required: true
azureRegion:
description: "Azure region to deploy Constellation in."
required: false
@ -76,13 +79,19 @@ runs:
shell: bash
if: inputs.cloudProvider == 'azure'
run: |
extraFlags=""
if [[ $(constellation iam create azure --help | grep -c -- --subscriptionID) -ne 0 ]]; then
extraFlags="--subscriptionID=${{ inputs.azureSubscriptionID }}"
fi
constellation iam create azure \
--region="${{ inputs.azureRegion }}" \
--resourceGroup="${{ inputs.namePrefix }}-rg" \
--servicePrincipal="${{ inputs.namePrefix }}-sp" \
--update-config \
--tf-log=DEBUG \
--yes
--yes ${extraFlags}
- name: Constellation iam create gcp
shell: bash
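Review bot: The `grep -c -- --subscriptionID` probe against `--help` output is a capability check for older CLIs but carries no comment saying so; add `# --subscriptionID only exists on newer CLI versions; probe --help so this action works with both` above it. `${extraFlags}` is deliberately left unquoted so an empty value contributes no argument, which works for a single `--flag=value` token but would split on any whitespace in the subscription ID; a bash array (`extraFlags=()`, `extraFlags+=("--subscriptionID=...")`, `"${extraFlags[@]}"`) makes the intent explicit and survives such values. Since `azureSubscriptionID` is declared `required: true` in the first hunk, callers that omit it now fail even when the installed CLI would not have used it — worth stating in the input description.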


@ -17,7 +17,7 @@ runs:
steps:
- name: Use docker for logging in
if: runner.os != 'macOS'
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}


@ -19,7 +19,7 @@ runs:
steps:
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype


@ -5,51 +5,51 @@ runs:
using: "composite"
steps:
- name: Download CLI binaries darwin-amd64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation-linux-arm64
- name: Download CLI binaries windows-amd64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation-windows-amd64
- name: Download Terraform module
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: terraform-module
- name: Download Terraform provider binary darwin-amd64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: terraform-provider-constellation-darwin-amd64
- name: Download Terraform provider binary darwin-arm64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: terraform-provider-constellation-darwin-arm64
- name: Download Terraform provider binary linux-amd64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: terraform-provider-constellation-linux-amd64
- name: Download Terraform provider binary linux-arm64
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: terraform-provider-constellation-linux-arm64


@ -2,9 +2,9 @@ name: E2E Attestationconfig API Test
description: "Test the attestationconfig CLI is functional."
inputs:
csp:
description: "Cloud provider to run tests against"
default: "azure"
attestationVariant:
description: "attestation variant to run tests against"
default: "azure-sev-snp"
cosignPrivateKey:
description: "Cosign private key"
required: true
@ -30,4 +30,4 @@ runs:
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.csp }}
bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.attestationVariant }}


@ -5,7 +5,6 @@ inputs:
cloudProvider:
description: "Which cloud provider to use."
required: true
# TODO: Create different report depending on the attestation variant
attestationVariant:
description: "Which attestation variant to use."
required: true
@ -33,7 +32,7 @@ runs:
steps:
- name: Setup python
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: "3.10"
@ -49,25 +48,25 @@ runs:
install kubestr /usr/local/bin
- name: Checkout k8s-bench-suite
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
repository: "edgelesssys/k8s-bench-suite"
ref: 67c64c854841165b778979375444da1c02e02210
path: k8s-bench-suite
- name: Run FIO benchmark without caching in Azure
if: inputs.cloudProvider == 'azure'
- name: Run FIO benchmark
shell: bash
env:
KUBECONFIG: ${{ inputs.kubeconfig }}
run: |
if [[ "${{ inputs.cloudProvider }}" == "azure" ]]
then
cat <<EOF | kubectl apply -f -
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: encrypted-rwo-no-cache
name: fio-benchmark
allowVolumeExpansion: true
allowedTopologies: []
mountOptions: []
@ -78,34 +77,47 @@ runs:
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
mkdir -p out
kubestr fio -e "out/fio-constellation-${{ inputs.cloudProvider }}.json" -o json -s encrypted-rwo-no-cache -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
fi
- name: Run FIO benchmark
if: inputs.cloudProvider == 'gcp'
shell: bash
env:
KUBECONFIG: ${{ inputs.kubeconfig }}
run: |
if [[ "${{ inputs.cloudProvider }}" == "gcp" ]]
then
cat <<EOF | kubectl apply -f -
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: encrypted-balanced-rwo
name: fio-benchmark
provisioner: gcp.csi.confidential.cloud
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
type: pd-balanced
EOF
fi
if [[ "${{ inputs.cloudProvider }}" == "aws" ]]
then
cat <<EOF | kubectl apply -f -
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: fio-benchmark
parameters:
type: gp3
provisioner: aws.csi.confidential.cloud
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
fi
mkdir -p out
kubestr fio -e "out/fio-constellation-${{ inputs.cloudProvider }}.json" -o json -s encrypted-balanced-rwo -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
kubestr fio -e "out/fio-constellation-${{ inputs.attestationVariant }}.json" -o json -s fio-benchmark -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
- name: Upload raw FIO benchmark results
if: (!env.ACT)
uses: ./.github/actions/artifact_upload
with:
path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
path: "out/fio-constellation-${{ inputs.attestationVariant }}.json"
name: "fio-constellation-${{ inputs.artifactNameSuffix }}.json"
encryptionSecret: ${{ inputs.encryptionSecret }}
@ -115,19 +127,19 @@ runs:
KUBECONFIG: ${{ inputs.kubeconfig }}
TERM: xterm-256color
run: |
workers="$(kubectl get nodes -o name | grep worker)"
workers="$(kubectl get nodes -o name -l '!node-role.kubernetes.io/control-plane')"
echo -e "Found workers:\n$workers"
server="$(echo "$workers" | tail +1 | head -1 | cut -d '/' -f2)"
echo "Server: $server"
client="$(echo "$workers" | tail +2 | head -1 | cut -d '/' -f2)"
echo "Client: $client"
k8s-bench-suite/knb -f "out/knb-constellation-${{ inputs.cloudProvider }}.json" -o json --server-node "$server" --client-node "$client"
k8s-bench-suite/knb -f "out/knb-constellation-${{ inputs.attestationVariant }}.json" -o json --server-node "$server" --client-node "$client"
- name: Upload raw knb benchmark results
if: (!env.ACT)
uses: ./.github/actions/artifact_upload
with:
path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
path: "out/knb-constellation-${{ inputs.attestationVariant }}.json"
name: "knb-constellation-${{ inputs.artifactNameSuffix }}.json"
encryptionSecret: ${{ inputs.encryptionSecret }}
@ -139,6 +151,7 @@ runs:
# Working directory containing the previous results as JSON and to contain the graphs
BDIR: benchmarks
CSP: ${{ inputs.cloudProvider }}
ATTESTATION_VARIANT: ${{ inputs.attestationVariant }}
run: |
mkdir -p benchmarks
python .github/actions/e2e_benchmark/evaluate/parse.py
@ -148,7 +161,7 @@ runs:
uses: ./.github/actions/artifact_upload
with:
path: >
benchmarks/constellation-${{ inputs.cloudProvider }}.json
benchmarks/constellation-${{ inputs.attestationVariant }}.json
name: "benchmarks-${{ inputs.artifactNameSuffix }}"
encryptionSecret: ${{ inputs.encryptionSecret }}
@ -166,12 +179,10 @@ runs:
- name: Get previous benchmark records from S3
shell: bash
env:
CSP: ${{ inputs.cloudProvider }}
run: |
aws s3 cp --recursive ${S3_PATH} ./ --no-progress
if [[ -f constellation-${CSP}.json ]]; then
mv constellation-${CSP}.json benchmarks/constellation-${CSP}-previous.json
if aws s3 cp "${S3_PATH}/constellation-${{ inputs.attestationVariant }}.json" ./ --no-progress
then
mv "constellation-${{ inputs.attestationVariant }}.json" "benchmarks/constellation-${{ inputs.attestationVariant }}-previous.json"
else
echo "::warning::Couldn't retrieve previous benchmark records from s3"
fi
@ -180,15 +191,15 @@ runs:
shell: bash
env:
# Paths to benchmark results as JSON of the previous run and the current run
PREV_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}-previous.json
CURR_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}.json
PREV_BENCH: benchmarks/constellation-${{ inputs.attestationVariant }}-previous.json
CURR_BENCH: benchmarks/constellation-${{ inputs.attestationVariant }}.json
run: |
if [[ -f "$PREV_BENCH" ]]; then
# Fails if the results are outside the threshold range
python .github/actions/e2e_benchmark/evaluate/compare.py >> $GITHUB_STEP_SUMMARY
fi
- name: Upload benchmark results to opensearch
- name: Upload benchmark results to OpenSearch
if: (!env.ACT)
shell: bash
env:
@ -198,14 +209,12 @@ runs:
run: |
curl -XPOST \
-u "${OPENSEARCH_USER}:${OPENSEARCH_PWD}" \
"${OPENSEARCH_DOMAIN}/benchmarks-${{ inputs.cloudProvider }}-$(date '+%Y')"/_doc \
--data-binary @benchmarks/constellation-${{ inputs.cloudProvider }}.json \
"${OPENSEARCH_DOMAIN}/benchmarks-${{ inputs.attestationVariant }}-$(date '+%Y')"/_doc \
--data-binary @benchmarks/constellation-${{ inputs.attestationVariant }}.json \
-H 'Content-Type: application/json'
- name: Update benchmark records in S3
if: github.ref_name == 'main'
shell: bash
env:
CSP: ${{ inputs.cloudProvider }}
run: |
aws s3 cp benchmarks/constellation-${CSP}.json ${S3_PATH}/constellation-${CSP}.json
aws s3 cp benchmarks/constellation-${{ inputs.attestationVariant }}.json ${S3_PATH}/constellation-${{ inputs.attestationVariant }}.json
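Review bot: The rewritten S3 download and upload steps replace the `CSP` env variable with direct `${{ inputs.attestationVariant }}` expansion inside the `run:` script, which is a step back from the previous indirection: the input value is now pasted into the shell text before bash sees it, so correct quoting depends on the value rather than on the script. Keep the env form, `ATTESTATION_VARIANT: ${{ inputs.attestationVariant }}` (already used for the parse.py step), and reference `"${ATTESTATION_VARIANT}"` in the commands; the FIO and knb steps could do the same. The new `-l '!node-role.kubernetes.io/control-plane'` selector is a cleaner worker filter than the name grep, but `server` and `client` are still taken from the first two results with no check that two nodes came back; `[[ -n "$client" ]] || { echo "::error::need at least two worker nodes"; exit 1; }` before `knb` fails fast with a clear message.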


@ -94,18 +94,18 @@ class BenchmarkComparer:
raise ValueError('Failed reading benchmark file: {e}'.format(e=e))
try:
name = bench_curr['provider']
name = bench_curr['attestationVariant']
except KeyError:
raise ValueError(
'Current benchmark record file does not contain provider.')
'Current benchmark record file does not contain attestationVariant.')
try:
prev_name = bench_prev['provider']
prev_name = bench_prev['attestationVariant']
except KeyError:
raise ValueError(
'Previous benchmark record file does not contain provider.')
'Previous benchmark record file does not contain attestationVariant.')
if name != prev_name:
raise ValueError(
'Cloud providers of previous and current benchmark data do not match.')
'Cloud attestationVariants of previous and current benchmark data do not match.')
if 'fio' not in bench_prev.keys() or 'fio' not in bench_curr.keys():
raise ValueError('Benchmarks do not both contain fio records.')
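Review bot: The new mismatch message `'Cloud attestationVariants of previous and current benchmark data do not match.'` reads oddly after the rename; `'Attestation variants of previous and current benchmark data do not match.'` says the same thing in plain English, and the two "does not contain attestationVariant" messages could quote the JSON key for consistency. The `raise ValueError(...)` inside each `except KeyError:` also discards the original exception silently; `raise ValueError(...) from None` (or `from e`) makes that choice explicit. The enclosing method starts and ends outside this hunk.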


@ -7,7 +7,7 @@ from datetime import datetime
from evaluators import fio, knb
def configure() -> Tuple[str, str, str, str | None, str, str, str, str]:
def configure() -> Tuple[str, str, str, str, str | None, str, str, str, str]:
"""Read the benchmark data paths.
Expects ENV vars (required):
@ -25,27 +25,29 @@ def configure() -> Tuple[str, str, str, str | None, str, str, str, str]:
"""
base_path = os.environ.get('BENCH_RESULTS', None)
csp = os.environ.get('CSP', None)
attestation_variant = os.environ.get('ATTESTATION_VARIANT', None)
out_dir = os.environ.get('BDIR', None)
if not base_path or not csp or not out_dir:
if not base_path or not csp or not out_dir or not attestation_variant:
raise TypeError(
'ENV variables BENCH_RESULTS, CSP, BDIR are required.')
'ENV variables BENCH_RESULTS, CSP, BDIR, ATTESTATION_VARIANT are required.')
ext_provider_name = os.environ.get('EXT_NAME', None)
commit_hash = os.environ.get('GITHUB_SHA', 'N/A')
commit_ref = os.environ.get('GITHUB_REF_NAME', 'N/A')
actor = os.environ.get('GITHUB_ACTOR', 'N/A')
workflow = os.environ.get('GITHUB_WORKFLOW', 'N/A')
return base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow
return base_path, csp, attestation_variant, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow
class BenchmarkParser:
def __init__(self, base_path, csp, out_dir, ext_provider_name=None, commit_hash="N/A", commit_ref="N/A", actor="N/A", workflow="N/A"):
def __init__(self, base_path, csp, attestation_variant, out_dir, ext_provider_name=None, commit_hash="N/A", commit_ref="N/A", actor="N/A", workflow="N/A"):
self.base_path = base_path
self.csp = csp
self.attestation_variant = attestation_variant
self.out_dir = out_dir
self.ext_provider_name = ext_provider_name
if not self.ext_provider_name:
self.ext_provider_name = f'constellation-{csp}'
self.ext_provider_name = f'constellation-{attestation_variant}'
self.commit_hash = commit_hash
self.commit_ref = commit_ref
self.actor = actor
@ -88,6 +90,7 @@ class BenchmarkParser:
},
'@timestamp': str(timestamp),
'provider': self.ext_provider_name,
'attestationVariant': self.attestation_variant,
'fio': {},
'knb': {}}
@ -101,8 +104,8 @@ class BenchmarkParser:
def main():
base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow = configure()
p = BenchmarkParser(base_path, csp, out_dir, ext_provider_name,
base_path, csp, attestation_variant, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow = configure()
p = BenchmarkParser(base_path, csp, attestation_variant, out_dir, ext_provider_name,
commit_hash, commit_ref, actor, workflow)
p.parse()
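Review bot: `BenchmarkParser.__init__` gains `attestation_variant` as a positional parameter inserted before `out_dir`, so any caller other than `main()` that passes arguments positionally now silently binds the wrong values; making the new parameter keyword-only, or appending it after the existing ones, keeps the old call shape valid. The same positional insertion applies to `configure()`'s tuple, whose `Tuple[...]` annotation was updated but whose docstring list of required ENV vars begins in the first hunk and continues outside the view — if it was not extended, add `ATTESTATION_VARIANT` there to match the new error message.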


@ -1,3 +1,3 @@
numpy ==1.26.4
matplotlib ==3.8.3
Pillow ==10.2.0
Pillow ==10.3.0


@ -7,7 +7,7 @@ size=10Gi
time_based=1
group_reporting
thread
cpus_allowed=1
cpus_allowed=0
[read_iops]


@ -31,11 +31,13 @@ runs:
with:
service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Install 7zip
- name: Install tools
uses: ./.github/actions/setup_bazel_nix
with:
nixTools: |
_7zz
terraform
- name: Run cleanup
run: ./.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
shell: bash


@ -11,6 +11,9 @@ inputs:
azureTenantID:
description: "Azure tenant to use for login with OIDC"
required: true
azureIAMCredentials:
description: "Azure IAM credentials used for cleaning up resources"
required: true
registry:
description: "Container registry to use"
required: true
@ -22,7 +25,7 @@ runs:
using: "composite"
steps:
- name: Install terraform
uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_wrapper: false
@ -38,9 +41,25 @@ runs:
- name: MiniConstellation E2E
shell: bash
id: e2e-test
env:
ARM_CLIENT_ID: ${{ inputs.azureClientID }}
ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
ARM_TENANT_ID: ${{ inputs.azureTenantID }}
run: |
bazel run --test_timeout=14400 //e2e/miniconstellation:push_remote_test
- name: Log in to azure
# only log in if e2e test failed or if the run was cancelled
if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ inputs.azureIAMCredentials }}
- name: Clean up after failure
shell: bash
# clean up if e2e test failed or if the run was cancelled
if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
run: |
echo "[*] Deleting resource group ${{ steps.e2e-test.outputs.rgname }}"
az group delete -y --resource-group "${{ steps.e2e-test.outputs.rgname }}"
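Review bot: The new cleanup step runs `az group delete` with `${{ steps.e2e-test.outputs.rgname }}` expanded into the script, and nothing in the visible lines guarantees that output was set — if the test failed before publishing `rgname`, the command runs with an empty `--resource-group` and the step fails instead of cleaning up. Read it via `env:` (`RG_NAME: ${{ steps.e2e-test.outputs.rgname }}`) and guard it: `[[ -n "${RG_NAME}" ]] || { echo "::warning::no resource group recorded, nothing to delete"; exit 0; }`. The condition `(failure() && steps.e2e-test.conclusion == 'failure') || cancelled()` is duplicated on the login and cleanup steps; a comment noting that both must stay in sync would help.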


@ -48,6 +48,12 @@ runs:
sonobuoy results *_sonobuoy_*.tar.gz
sonobuoy results *_sonobuoy_*.tar.gz --mode detailed | jq 'select(.status!="passed")' | jq 'select(.status!="skipped")' || true
- name: Cleanup sonobuoy deployment
env:
KUBECONFIG: ${{ inputs.kubeconfig }}
shell: bash
run: sonobuoy delete --wait
- name: Upload test results
if: always() && !env.ACT
uses: ./.github/actions/artifact_upload
@ -64,7 +70,7 @@ runs:
- name: Publish test results
if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
uses: mikepenz/action-junit-report@9379f0ccddcab154835d4e2487555ee79614fe95 # v4.2.1
uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
with:
report_paths: "**/junit_01.xml"
fail_on_failure: true
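Review bot: The added `Cleanup sonobuoy deployment` step has no `if:` condition, so it is skipped whenever an earlier step in this composite action fails, which is exactly the case where the sonobuoy namespace and aggregator are most likely to be left behind in the cluster; `if: always()`, as the following `Upload test results` step already uses, makes the cleanup unconditional. `sonobuoy delete --wait` also carries no timeout in the visible lines, so a stuck namespace deletion would hold the job until the job-level timeout.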


@ -46,6 +46,9 @@ inputs:
description: "AWS OpenSearch User to upload the benchmark results."
awsOpenSearchPwd:
description: "AWS OpenSearch Password to upload the benchmark results."
azureSubscriptionID:
description: "Azure subscription ID to deploy Constellation in."
required: true
azureClusterCreateCredentials:
description: "Azure credentials authorized to create a Constellation cluster."
required: true
@ -53,7 +56,7 @@ inputs:
description: "Azure credentials authorized to create an IAM configuration."
required: true
test:
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
required: true
sonobuoyTestSuiteCmd:
description: "The sonobuoy test suite to run."
@ -103,7 +106,7 @@ runs:
using: "composite"
steps:
- name: Check input
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
shell: bash
run: |
echo "::error::Invalid input for test field: ${{ inputs.test }}"
@ -249,6 +252,7 @@ runs:
attestationVariant: ${{ inputs.attestationVariant }}
namePrefix: ${{ steps.create-prefix.outputs.prefix }}
awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
azureSubscriptionID: ${{ inputs.azureSubscriptionID }}
azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region }}
gcpProjectID: ${{ inputs.gcpProject }}
gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
@ -348,6 +352,15 @@ runs:
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run sonobuoy conformance
if: inputs.test == 'sonobuoy conformance'
uses: ./.github/actions/e2e_sonobuoy
with:
sonobuoyTestSuiteCmd: "--plugin e2e --mode certified-conformance"
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run autoscaling test
if: inputs.test == 'autoscaling'
uses: ./.github/actions/e2e_autoscaling


@ -68,9 +68,9 @@ runs:
case "${{ inputs.attestationVariant }}"
in
"azure-sev-snp"|"aws-sev-snp"|"gcp-sev-snp")
"azure-sev-snp"|"azure-tdx"|"aws-sev-snp"|"gcp-sev-snp")
echo "Extracting TCB versions for API update"
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "attestation-report-${node}.json"
;;
*)
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
@ -88,22 +88,24 @@ runs:
aws-region: eu-central-1
- name: Upload extracted TCBs
if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'azure-tdx' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
shell: bash
env:
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
run: |
reports=(snp-report-*.json)
if [ -z ${#reports[@]} ]; then
exit 1
fi
reports=attestation-report-*.json
attestationVariant=${{ inputs.attestationVariant }}
cloudProvider=${attestationVariant%%-*}
for file in "${reports[@]}"; do
path=$(realpath "${file}")
cat "${path}"
bazel run //internal/api/attestationconfigapi/cli -- upload "${cloudProvider}" snp-report "${path}"
# bazel run changes the working directory
# convert the relative paths to absolute paths to avoid issues
absolute_reports=""
for report in ${reports}; do
absolute_reports="${absolute_reports} $(realpath "${report}")"
done
report=$(bazel run //internal/api/attestationconfigapi/cli -- compare ${{ inputs.attestationVariant }} ${absolute_reports})
path=$(realpath "${report}")
cat "${path}"
bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.attestationVariant }} attestation-report "${path}"
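Review bot: `reports=attestation-report-*.json` stores the pattern as a string and relies on unquoted `${reports}` expansion in the loop; when no report file exists the literal pattern survives, `realpath` fails on it, and with the old emptiness check removed nothing says why the step failed. Use `shopt -s nullglob` with an array and an explicit count check so the step fails with a clear message, and quote each path as in the rewrite below. If `attestationVariant`/`cloudProvider` are no longer read after the upload switched to `${{ inputs.attestationVariant }}`, they can go. The `run:` block may continue past this hunk.
```shell
shopt -s nullglob
reports=(attestation-report-*.json)
if ((${#reports[@]} == 0)); then
  echo "::error::no attestation-report-*.json files found"
  exit 1
fi
# bazel run changes the working directory
# convert the relative paths to absolute paths to avoid issues
absolute_reports=()
for report in "${reports[@]}"; do
  absolute_reports+=("$(realpath "${report}")")
done
report=$(bazel run //internal/api/attestationconfigapi/cli -- compare ${{ inputs.attestationVariant }} "${absolute_reports[@]}")
# … unchanged: realpath/cat/upload of the chosen report …
```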


@ -26,13 +26,13 @@ runs:
steps:
- name: Checkout head
if: inputs.imageVersion == '' && inputs.git-ref == 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.imageVersion == '' && inputs.git-ref != 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.git-ref }}
@ -43,6 +43,8 @@ runs:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1
- uses: ./.github/actions/setup_bazel_nix
- name: Find latest image
id: find-latest-image
if: inputs.imageVersion == ''


@ -82,4 +82,4 @@ for major in "${allMajorVersions[@]}"; do
done
# Print one elem per line | quote elems | create array | remove empty elems and print compact.
printf '%s' "${versionsToBuild[@]}" | jq -R | jq -s | jq -c 'map(select(length > 0))'
printf '%s\n' "${versionsToBuild[@]}" | jq -R | jq -s | jq -c 'map(select(length > 0))'


@ -10,6 +10,6 @@ runs:
# As described at:
# https://github.com/Azure/login#configure-deployment-credentials
- name: Login to Azure
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
creds: ${{ inputs.azure_credentials }}


@ -20,11 +20,11 @@ runs:
echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
- name: Authorize GCP access
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
with:
workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
workload_identity_provider: projects/1052692473304/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
service_account: ${{ inputs.service_account }}
# Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2

.github/actions/notify_teams/README.md vendored Normal file

@ -0,0 +1,27 @@
# notify Teams action
This action is used to send a message to our Teams channel in case of a failure in the CI/CD pipeline.
The action will automatically choose an engineer to assign to the issue and tag them in the message.
Engineers are identified by their GitHub username and bound to a Microsoft Teams ID in `.attachments[0].content.msteams.entities`.
To add a new engineer, add a new entry to the entity list in the format:
```json
{
"type": "mention",
"text": "${github_username}",
"mentioned": {
"id": "${msteams_id}",
"name": "${name}"
}
}
```
Where `${github_username}` is the GitHub username of the engineer, `${msteams_id}` is the Microsoft Teams ID of the engineer, and `${name}` is the name of the engineer.
To find the Microsoft Teams ID use the following command:
```bash
az ad user show --id ${email} --query id
```
Where `${email}` is the email address of the engineer.


@ -25,7 +25,7 @@ runs:
continue-on-error: true
shell: bash
run: |
cp .github/teams_payload_template.json teams_payload.json
cp .github/actions/notify_teams/teams_payload_template.json teams_payload.json
# Add workflow name to the notification
yq -oj -iP '.attachments[0].content.body[0].columns[1].items[0].text = "${{ inputs.title }}"' teams_payload.json


@ -1,5 +1,5 @@
{
"type": "message",
"type": "AdaptiveCard",
"attachments": [
{
"contentType": "application/vnd.microsoft.card.adaptive",
@ -61,10 +61,10 @@
},
{
"type": "mention",
"text": "<at>malt3</at>",
"text": "<at>burgerdev</at>",
"mentioned": {
"id": "3012fe21-cff7-499d-88cf-48cf12f2e90c",
"name": "Malte Poll"
"id": "c9efc581-58ca-4da6-93ce-79f69f89deeb",
"name": "Markus Rudy"
}
}
]
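Review bot: The top-level `"type": "AdaptiveCard"` no longer matches the envelope shape the Teams incoming-webhook format uses, where the outer object is `"type": "message"` and the card sits inside `attachments` with the `application/vnd.microsoft.card.adaptive` contentType that this file still declares. If the notification target was switched to an endpoint that consumes a card directly (a Workflows/Power Automate trigger, for instance) this is correct, but nothing on the page says so; a sentence in the README stating which endpoint the template targets would stop the next reader from "fixing" it back. The new mention entity for `burgerdev` follows the entity format the README documents, so that part is consistent.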


@ -15,8 +15,6 @@ runs:
run: |
possibleAssignees=(
"elchead"
"malt3"
"3u13r"
"daniel-weisse"
"msanft"
"burgerdev"


@ -13,7 +13,7 @@ runs:
using: "composite"
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: edgelesssys/helm
ref: main
@ -29,7 +29,7 @@ runs:
echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
- name: Create pull request
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
path: helm
branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"


@ -3,15 +3,15 @@ description: Resolve string presets and shortpaths to shortpaths only
inputs:
osImage:
description: "Shortpath or main-debug or release-stable"
description: "Shortpath, main-debug, main-nightly, or release-stable"
required: true
outputs:
osImage:
description: "Shortpath of for input string, original input if that was already a shortpath"
description: "Shortpath of input string, original input if that was already a shortpath"
value: ${{ steps.set-output.outputs.osImage }}
isDebugImage:
description: "Input represents a debug image or not"
description: "Input is a debug image or not"
value: ${{ steps.set-output.outputs.isDebugImage }}
runs:
@ -27,7 +27,7 @@ runs:
id: input-is-preset
shell: bash
run: |
if [[ "${{ inputs.osImage }}" == "ref/main/stream/debug/?" || "${{ inputs.osImage }}" == "ref/release/stream/stable/?" ]]; then
if [[ "${{ inputs.osImage }}" == "ref/main/stream/debug/?" || "${{ inputs.osImage }}" == "ref/main/stream/nightly/?" || "${{ inputs.osImage }}" == "ref/release/stream/stable/?" ]]; then
echo "result=true" | tee -a "$GITHUB_OUTPUT"
else
echo "result=false" | tee -a "$GITHUB_OUTPUT"
@ -43,6 +43,10 @@ runs:
echo "ref=$(echo $REFSTREAM | cut -d/ -f2)" | tee -a "$GITHUB_OUTPUT"
echo "stream=$(echo $REFSTREAM | cut -d/ -f4)" | tee -a "$GITHUB_OUTPUT"
- name: Setup Bazel & Nix
if: steps.input-is-preset.outputs.result == 'true'
uses: ./.github/actions/setup_bazel_nix
- name: Find latest image
if: steps.input-is-preset.outputs.result == 'true'
id: find-latest-image
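Review bot: The extended `if [[ ... ]]` line keeps interpolating `${{ inputs.osImage }}` straight into the shell script, so a caller that forwards an externally influenced value (a `workflow_dispatch` input, text from a PR) can inject into this step; the pattern is pre-existing, but the new branch repeats it. Passing the input via the environment keeps the comparison identical without the quoting hazard: add `env:` / `OS_IMAGE: ${{ inputs.osImage }}` to the step and use `if [[ "$OS_IMAGE" == "ref/main/stream/debug/?" || "$OS_IMAGE" == "ref/main/stream/nightly/?" || "$OS_IMAGE" == "ref/release/stream/stable/?" ]]; then`. The added "Setup Bazel & Nix" step is gated on the same preset check as "Find latest image", which looks right. The run block continues outside the hunk.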


@ -113,7 +113,9 @@ runs:
- name: Install nix
if: steps.check_inputs.outputs.nixPreinstalled == 'false'
uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
install_url: "https://releases.nixos.org/nix/nix-2.25.2/install"
- name: Set $USER if not set
shell: bash
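Review bot: The new `install_url` pins Nix 2.25.2 independently of the action pin (v30), and nothing explains that coupling, so a future bump of one will not obviously require revisiting the other. A comment such as `# Nix version is pinned separately from the action; bump deliberately and re-verify image builds.` above `with:` would make the intent explicit. Whether the installer script is verified beyond TLS is not visible here; if the action offers an integrity check for a custom install URL, it would be worth enabling alongside this pin.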


@ -26,10 +26,9 @@ runs:
"gcpSEVES")
attestationVariant="gcp-sev-es"
;;
# TODO(msanft): Enable once stable GCP SEV-SNP images exist.
# "gcpSEVSNP")
# attestationVariant="gcp-sev-snp"
# ;;
"gcpSEVSNP")
attestationVariant="gcp-sev-snp"
;;
*)
echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
exit 1
@ -45,7 +44,7 @@ runs:
}
random = {
source = "hashicorp/random"
version = "3.6.0"
version = "3.6.2"
}
}
}


@ -15,7 +15,7 @@ runs:
zip -r terraform-module.zip terraform-module
- name: Upload artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: terraform-module
path: terraform-module.zip
@ -23,4 +23,4 @@ runs:
- name: Cleanup Terraform module dir
shell: bash
run: |
rm -f terraform-module terraform-module.zip
rm -rf terraform-module terraform-module.zip


@ -1,21 +0,0 @@
FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 as builder
# Download project root dependencies
WORKDIR /workspace
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download
COPY . .
# Build
WORKDIR /workspace/internal/api/versionsapi/cli
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o versionsapi .
FROM scratch as release
COPY --from=builder /workspace/internal/api/versionsapi/cli/versionsapi .
CMD ["/notIntendedToBeExecuted"]


@ -52,19 +52,12 @@ outputs:
runs:
using: composite
steps:
- name: Get versionsapi binary
shell: bash
# TODO: This should probably be `bazel run`.
run: |
containerID=$(docker create "ghcr.io/edgelesssys/constellation/versionsapi-ci-cli:latest")
docker cp ${containerID}:/versionsapi .
- name: Run versionsapi
id: run
shell: bash
run: |
out=$(
./versionsapi \
bazel run //internal/api/versionsapi/cli:cli -- \
${{ inputs.command }} \
${{ inputs.ref != '' && format('--ref="{0}"', inputs.ref) || '' }} \
${{ inputs.stream != '' && format('--stream="{0}"', inputs.stream) || '' }} \
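Review bot: The `out=$(` capture now depends on Bazel keeping its own output off stdout, since `bazel run //internal/api/versionsapi/cli:cli --` replaces the direct `./versionsapi` invocation; Bazel writes progress and build events to stderr, so the capture should stay clean, but a comment such as `# bazel run builds on demand; only the CLI's stdout lands in $out` would keep someone from later adding a `2>&1` here. Dropping the `docker cp` from the `:latest` image also removes an unpinned artifact fetch from CI, which is a welcome supply-chain improvement. The run block continues past the hunk, where the inlined `${{ inputs.* }}` arguments are assembled.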


@ -2,7 +2,13 @@ name: Assign Reviewer
on:
pull_request:
types: ["labeled"]
types:
- opened
- reopened
- edited
- synchronize
- review_request_removed
- labeled
permissions:
pull-requests: write
@ -10,9 +16,9 @@ permissions:
jobs:
assign_reviewer:
runs-on: ubuntu-latest
if: github.event.label.name == 'dependencies' && github.event.pull_request.user.login == 'app/renovate'
if: contains(github.event.pull_request.labels.*.name, 'dependencies') && toJson(github.event.pull_request.requested_reviewers) == '[]' && github.event.pull_request.user.login == 'renovate[bot]'
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Pick assignee
id: pick-assignee
uses: ./.github/actions/pick_assignee
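Review bot: With `review_request_removed` now a trigger and the condition requiring `toJson(github.event.pull_request.requested_reviewers) == '[]'`, removing the last reviewer from a renovate PR immediately assigns a new one, so there is no way to leave such a PR deliberately unassigned; if that is intended, a comment on the `if:` line such as `# Re-assign whenever a dependencies PR from renovate ends up with no requested reviewer.` would record it. The same `== '[]'` guard is what keeps `edited` and `synchronize` from stacking reviewers on every push, which is worth naming in that comment. The job stays gated to `renovate[bot]` PRs, so the `pull-requests: write` permission is only exercised for same-repo bot PRs.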


@ -8,26 +8,20 @@ on:
jobs:
run:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.head_ref }}
path: constellation
- name: Install necessary tools
run: |
sudo apt-get update
sudo apt-get install -y python3 python3-pip
sudo python3 -m pip install --user --require-hashes -r constellation/.github/workflows/aws-snp-launchmeasurements-requirements.txt
- name: Install Nix
uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
- name: Download Firmware release
id: download-firmware
uses: robinraju/release-downloader@c39a3b234af58f0cf85888573d361fb6fa281534 # v1.10
uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
with:
repository: aws/uefi
latest: true
@ -50,7 +44,7 @@ jobs:
echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
popd || exit 1
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: virtee/sev-snp-measure-go.git
ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8
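Review bot: Nothing in the hunk shows what replaces the hash-locked pip install of `sev-snp-measure` that the removed lines provided (the `--require-hashes` requirements file is deleted elsewhere in this commit); if the measurement tool now comes through the Nix install added here, confirm it is pinned via a lock file rather than a floating channel, since these launch measurements feed attestation. The firmware is still fetched with `latest: true` from `aws/uefi`, which is the purpose of a firmware-upgrade workflow but makes a run non-reproducible on its own; echoing the resolved release tag next to `ovmfPath` in the step output would let a measurement be traced back to the exact firmware release. The steps list continues outside the hunk.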


@ -1,106 +0,0 @@
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
# pip-compile --generate-hashes --output-file=aws-snp-launchmeasurements-requirements.txt input.txt
#
cffi==1.16.0 \
--hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \
--hash=sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a \
--hash=sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417 \
--hash=sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab \
--hash=sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520 \
--hash=sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36 \
--hash=sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743 \
--hash=sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8 \
--hash=sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed \
--hash=sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684 \
--hash=sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56 \
--hash=sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324 \
--hash=sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d \
--hash=sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235 \
--hash=sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e \
--hash=sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088 \
--hash=sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000 \
--hash=sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7 \
--hash=sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e \
--hash=sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673 \
--hash=sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c \
--hash=sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe \
--hash=sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2 \
--hash=sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098 \
--hash=sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8 \
--hash=sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a \
--hash=sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0 \
--hash=sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b \
--hash=sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896 \
--hash=sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e \
--hash=sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9 \
--hash=sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2 \
--hash=sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b \
--hash=sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6 \
--hash=sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404 \
--hash=sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f \
--hash=sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0 \
--hash=sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4 \
--hash=sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc \
--hash=sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936 \
--hash=sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba \
--hash=sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872 \
--hash=sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb \
--hash=sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614 \
--hash=sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1 \
--hash=sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d \
--hash=sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969 \
--hash=sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b \
--hash=sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4 \
--hash=sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627 \
--hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \
--hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357
# via cryptography
cryptography==42.0.4 \
--hash=sha256:01911714117642a3f1792c7f376db572aadadbafcd8d75bb527166009c9f1d1b \
--hash=sha256:0e89f7b84f421c56e7ff69f11c441ebda73b8a8e6488d322ef71746224c20fce \
--hash=sha256:12d341bd42cdb7d4937b0cabbdf2a94f949413ac4504904d0cdbdce4a22cbf88 \
--hash=sha256:15a1fb843c48b4a604663fa30af60818cd28f895572386e5f9b8a665874c26e7 \
--hash=sha256:1cdcdbd117681c88d717437ada72bdd5be9de117f96e3f4d50dab3f59fd9ab20 \
--hash=sha256:1df6fcbf60560d2113b5ed90f072dc0b108d64750d4cbd46a21ec882c7aefce9 \
--hash=sha256:3c6048f217533d89f2f8f4f0fe3044bf0b2090453b7b73d0b77db47b80af8dff \
--hash=sha256:3e970a2119507d0b104f0a8e281521ad28fc26f2820687b3436b8c9a5fcf20d1 \
--hash=sha256:44a64043f743485925d3bcac548d05df0f9bb445c5fcca6681889c7c3ab12764 \
--hash=sha256:4e36685cb634af55e0677d435d425043967ac2f3790ec652b2b88ad03b85c27b \
--hash=sha256:5f8907fcf57392cd917892ae83708761c6ff3c37a8e835d7246ff0ad251d9298 \
--hash=sha256:69b22ab6506a3fe483d67d1ed878e1602bdd5912a134e6202c1ec672233241c1 \
--hash=sha256:6bfadd884e7280df24d26f2186e4e07556a05d37393b0f220a840b083dc6a824 \
--hash=sha256:6d0fbe73728c44ca3a241eff9aefe6496ab2656d6e7a4ea2459865f2e8613257 \
--hash=sha256:6ffb03d419edcab93b4b19c22ee80c007fb2d708429cecebf1dd3258956a563a \
--hash=sha256:810bcf151caefc03e51a3d61e53335cd5c7316c0a105cc695f0959f2c638b129 \
--hash=sha256:831a4b37accef30cccd34fcb916a5d7b5be3cbbe27268a02832c3e450aea39cb \
--hash=sha256:887623fe0d70f48ab3f5e4dbf234986b1329a64c066d719432d0698522749929 \
--hash=sha256:a0298bdc6e98ca21382afe914c642620370ce0470a01e1bef6dd9b5354c36854 \
--hash=sha256:a1327f280c824ff7885bdeef8578f74690e9079267c1c8bd7dc5cc5aa065ae52 \
--hash=sha256:c1f25b252d2c87088abc8bbc4f1ecbf7c919e05508a7e8628e6875c40bc70923 \
--hash=sha256:c3a5cbc620e1e17009f30dd34cb0d85c987afd21c41a74352d1719be33380885 \
--hash=sha256:ce8613beaffc7c14f091497346ef117c1798c202b01153a8cc7b8e2ebaaf41c0 \
--hash=sha256:d2a27aca5597c8a71abbe10209184e1a8e91c1fd470b5070a2ea60cafec35bcd \
--hash=sha256:dad9c385ba8ee025bb0d856714f71d7840020fe176ae0229de618f14dae7a6e2 \
--hash=sha256:db4b65b02f59035037fde0998974d84244a64c3265bdef32a827ab9b63d61b18 \
--hash=sha256:e09469a2cec88fb7b078e16d4adec594414397e8879a4341c6ace96013463d5b \
--hash=sha256:e53dc41cda40b248ebc40b83b31516487f7db95ab8ceac1f042626bc43a2f992 \
--hash=sha256:f1e85a178384bf19e36779d91ff35c7617c885da487d689b05c1366f9933ad74 \
--hash=sha256:f47be41843200f7faec0683ad751e5ef11b9a56a220d57f300376cd8aba81660 \
--hash=sha256:fb0cef872d8193e487fc6bdb08559c3aa41b659a7d9be48b2e10747f47863925 \
--hash=sha256:ffc73996c4fca3d2b6c1c8c12bfd3ad00def8621da24f547626bf06441400449
# via sev-snp-measure
pycparser==2.21 \
--hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \
--hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206
# via cffi
sev-snp-measure==0.0.9 \
--hash=sha256:32ac67a0db6b639186116d8806a730aac4743584e6ca810c65e8fc57b875f87d \
--hash=sha256:a1796822e15430c2db7749d1da269819b8cec1330600bb5589ed0ed61400dc41
# via -r input.txt
types-cryptography==3.3.23.2 \
--hash=sha256:09cc53f273dd4d8c29fa7ad11fefd9b734126d467960162397bc5e3e604dea75 \
--hash=sha256:b965d548f148f8e87f353ccf2b7bd92719fdf6c845ff7cedf2abb393a0643e4f
# via sev-snp-measure


@ -22,7 +22,7 @@ jobs:
runs-on: [arc-runner-set]
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}


@ -13,30 +13,30 @@ on:
jobs:
find-ccm-versions:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
outputs:
versions: ${{ steps.find-versions.outputs.versions }}
latest: ${{ steps.find-latest.outputs.latest }}
steps:
- name: Checkout Constellation
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout kubernetes/cloud-provider-gcp
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: "kubernetes/cloud-provider-gcp"
path: "cloud-provider-gcp"
fetch-depth: 0
- name: Setup Go environment
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22.3"
go-version: "1.23.2"
cache: false
- name: Install Crane
run: |
go install github.com/google/go-containerregistry/cmd/crane@latest
go install github.com/google/go-containerregistry/cmd/crane@c195f151efe3369874c72662cd69ad43ee485128 # v0.20.2
- name: Find versions
id: find-versions
@ -54,7 +54,7 @@ jobs:
build-ccm-gcp:
# matrix cannot handle empty lists
if: needs.find-ccm-versions.outputs.versions != '[]'
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
@ -65,10 +65,10 @@ jobs:
version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
steps:
- name: Checkout Constellation
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout kubernetes/cloud-provider-gcp
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: "kubernetes/cloud-provider-gcp"
path: "cloud-provider-gcp"
@ -76,7 +76,7 @@ jobs:
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
ghcr.io/edgelesssys/cloud-provider-gcp
@ -113,7 +113,7 @@ jobs:
- name: Build and push container image
id: build
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: ./cloud-provider-gcp
push: ${{ github.ref_name == 'main' }}
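Review bot: `go-version: "1.23.2"` is hard-coded here and again in the build-os-image-scheduled and codeql workflow sections of this commit, so the three can drift from each other and from the repository's `go.mod`; unless the explicit pin is deliberate, `actions/setup-go` accepts `go-version-file: go.mod`, which would make the module file the single source. Pinning crane to a commit hash instead of `@latest` is a good supply-chain fix, and `go install` still validates the module against the checksum database, so the hash alone suffices. A short comment on the crane line naming the pinned release (the `# v0.20.2` suffix already does this) keeps renovate-style bumps reviewable.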


@ -10,7 +10,7 @@ env:
jobs:
build-gcp-guest-agent:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
@ -69,7 +69,7 @@ jobs:
- name: Checkout GoogleCloudPlatform/guest-agent
if: steps.needs-build.outputs.out == 'true'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: "GoogleCloudPlatform/guest-agent"
ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@ -77,7 +77,7 @@ jobs:
- name: Checkout Constellation
if: steps.needs-build.outputs.out == 'true'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: "constellation"
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -85,7 +85,7 @@ jobs:
- name: Docker meta
id: meta
if: steps.needs-build.outputs.out == 'true'
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@ -114,7 +114,7 @@ jobs:
- name: Build and push container image
if: steps.needs-build.outputs.out == 'true'
id: build
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: ./guest-agent
file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile


@ -13,13 +13,13 @@ on:
jobs:
build-container:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup bazel
uses: ./.github/actions/setup_bazel_nix


@ -13,14 +13,14 @@ on:
jobs:
build-logcollector-debugd-images:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}


@ -4,15 +4,15 @@ on:
workflow_dispatch:
schedule:
- cron: "0 21 * * 2" # At 21:00 on Tuesday.
- cron: "10 21 * * 2" # At 21:10 on Tuesday.
- cron: "20 21 * * 2" # At 21:20 on Tuesday.
- cron: "40 21 * * 2" # At 21:40 on Tuesday.
- cron: "0 21 * * 4" # At 21:00 on Thursday.
- cron: "10 21 * * 4" # At 21:10 on Thursday.
- cron: "20 21 * * 4" # At 21:20 on Thursday.
- cron: "40 21 * * 4" # At 21:40 on Thursday.
jobs:
stream:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
outputs:
stream: ${{ steps.stream.outputs.stream }}
steps:
@ -28,10 +28,10 @@ jobs:
"0 21 * * 4" | "0 21 * * 2")
echo "stream=debug" | tee -a "$GITHUB_OUTPUT"
;;
"10 21 * * 4" | "10 21 * * 2")
"20 21 * * 4" | "20 21 * * 2")
echo "stream=console" | tee -a "$GITHUB_OUTPUT"
;;
"20 21 * * 4" | "20 21 * * 2")
"40 21 * * 4" | "40 21 * * 2")
echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
;;
*)
@ -54,22 +54,20 @@ jobs:
update-code:
# On nightly stream only.
if: |
github.event_name == 'workflow_dispatch' ||
github.event.schedule == '20 21 * * 4' ||
github.event.schedule == '20 21 * * 2'
needs: build-image
runs-on: ubuntu-22.04
if: needs.stream.outputs.stream == 'nightly'
needs: ["build-image", "stream"]
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.CI_COMMIT_PUSH_PR }}
- name: Setup Go environment
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22.3"
go-version: "1.23.2"
cache: false
- name: Determine version
@ -99,7 +97,7 @@ jobs:
run: rm -f internal/attestation/measurements/measurement-generator/generate
- name: Create pull request
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
branch: "image/automated/update-measurements-${{ github.run_number }}"
base: main
@ -111,6 +109,7 @@ jobs:
It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation).
commit-message: "image: update measurements and image version"
committer: edgelessci <edgelessci@users.noreply.github.com>
author: edgelessci <edgelessci@users.noreply.github.com>
labels: no changelog
# We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
@ -118,10 +117,10 @@ jobs:
notify-failure:
if: failure()
needs: [ "stream", "build-image", "update-code" ]
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.head_ref }}
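Review bot: The `update-code` job previously also ran on `workflow_dispatch`, and the new `if: needs.stream.outputs.stream == 'nightly'` only preserves that if the `stream` job's fallback branch (its `*)` case lies outside the hunk) maps manual runs to `nightly`; please confirm, otherwise the manual path silently stops opening the measurements PR. The cron strings are now duplicated between the `schedule:` list and the `case` statement and both were edited in lockstep, so a comment like `# Keep these in sync with the case statement in the stream job.` on the schedule list would help the next edit. Adding `author:` alongside `committer:` is fine and makes the generated commits consistently attributed.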


@ -47,7 +47,7 @@ on:
jobs:
build-settings:
name: "Determine build settings"
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
outputs:
ref: ${{ steps.ref.outputs.ref }}
stream: ${{ steps.stream.outputs.stream }}
@ -59,7 +59,7 @@ jobs:
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -138,7 +138,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}


@ -1,32 +0,0 @@
name: Build and upload versionsapi CI image
on:
workflow_dispatch:
push:
branches:
- main
paths:
- "internal/api/versionsapi/**"
- ".github/workflows/build-versionsapi-ci-image.yml"
- ".github/actions/versionsapi/**"
- "go.mod"
jobs:
build-versionsapi-ci-cli:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Build and upload container image
uses: ./.github/actions/build_micro_service
with:
name: versionsapi-ci-cli
dockerfile: .github/actions/versionsapi/Dockerfile
githubToken: ${{ secrets.GITHUB_TOKEN }}


@ -17,15 +17,15 @@ on:
jobs:
linkChecker:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Link Checker
uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
uses: lycheeverse/lychee-action@f81112d0d2814ded911bd23e3beaa9dda9093915 # v2.1.0
with:
args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
fail: true


@ -17,7 +17,7 @@ on:
jobs:
codeql:
name: CodeQL
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
env:
# Force CodeQL to run the extraction on the files compiled by our custom
# build command, as opposed to letting the autobuilder figure it out.
@ -34,17 +34,17 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Go environment
if: matrix.language == 'go'
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22.3"
go-version: "1.23.2"
cache: false
- name: Initialize CodeQL
uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
languages: ${{ matrix.language }}
@ -63,6 +63,6 @@ jobs:
echo "::endgroup::"
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
category: "/language:${{ matrix.language }}"


@ -13,15 +13,19 @@ on:
jobs:
vale:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
# Work around https://github.com/errata-ai/vale-action/issues/128.
- run: |
venv="$HOME/.local/share/venv"
python3 -m venv "$venv"
echo "$venv/bin" >> "$GITHUB_PATH"
- name: Vale
uses: errata-ai/vale-action@38bf078c328061f59879b347ca344a718a736018 # tag=reviewdog
uses: errata-ai/vale-action@2690bc95f0ed3cb5220492575af09c51b04fbea9 # tag=reviewdog
with:
files: docs/docs
fail_on_error: true
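Review bot: The new venv workaround step has no `name:`, so it appears in the run log as its raw command; `- name: Create Python venv (vale-action workaround)` above the `run:` keeps the log readable while the existing issue link stays in the comment. The venv lives under `$HOME/.local/share/venv` and is prepended to `GITHUB_PATH`, which is fine for a single-job runner, and nothing else in the hunk depends on it.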


@ -50,7 +50,7 @@ on:
jobs:
build-cli:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
@ -72,7 +72,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -92,7 +92,7 @@ jobs:
cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload CLI as artifact (unix)
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if : ${{ matrix.os != 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -101,7 +101,7 @@ jobs:
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
- name: Upload CLI as artifact (windows)
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if : ${{ matrix.os == 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -110,7 +110,7 @@ jobs:
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig
build-terraform-provider:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
@ -133,7 +133,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -149,7 +149,7 @@ jobs:
targetArch: ${{ matrix.arch }}
- name: Upload Terraform Provider Binary as artifact (unix)
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if : ${{ matrix.os != 'windows' }}
with:
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -157,7 +157,7 @@ jobs:
build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
- name: Upload Terraform Provider Binary as artifact (windows)
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if : ${{ matrix.os == 'windows' }}
with:
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -165,11 +165,11 @@ jobs:
build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
upload-terraform-module:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -177,7 +177,7 @@ jobs:
uses: ./.github/actions/upload_terraform_module
push-containers:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
if: inputs.pushContainers
permissions:
actions: read
@ -187,7 +187,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -208,7 +208,7 @@ jobs:
run: bazel run //bazel/release:push
provenance-subjects:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
needs:
- build-cli
- signed-sbom
@ -219,7 +219,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -227,7 +227,7 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation.spdx.sbom
@ -252,16 +252,16 @@ jobs:
echo provenance-subjects="${HASHESB64}" >> "$GITHUB_OUTPUT"
signed-sbom:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype
@ -296,13 +296,13 @@ jobs:
COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload Constellation CLI SBOM
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: constellation.spdx.sbom
path: constellation.spdx.sbom
- name: Upload Constellation CLI SBOM's signature
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: constellation.spdx.sbom.sig
path: constellation.spdx.sbom.sig
@ -321,7 +321,7 @@ jobs:
base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
provenance-verify:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
env:
SLSA_VERIFIER_VERSION: "2.5.1"
needs:
@ -332,7 +332,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -340,12 +340,12 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation.spdx.sbom
- name: Download provenance
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ needs.provenance.outputs.provenance-name }}
@ -395,7 +395,7 @@ jobs:
release:
permissions:
contents: write
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
needs:
- build-cli
- provenance
@ -405,7 +405,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -418,17 +418,17 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation.spdx.sbom
- name: Download Constellation CLI SBOM's signature
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation.spdx.sbom.sig
- name: Download Constellation provenance
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ needs.provenance.outputs.provenance-name }}
@ -472,7 +472,7 @@ jobs:
- name: Create release with artifacts
id: create-release
# GitHub endorsed release project. See: https://github.com/actions/create-release
uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
with:
draft: true
generate_release_notes: true
@ -487,7 +487,7 @@ jobs:
terraform-module.zip
- name: Create Terraform provider release with artifcats
uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
with:
draft: true
generate_release_notes: false


@ -17,8 +17,8 @@ jobs:
fail-fast: false
max-parallel: 1
matrix:
csp: ["azure", "aws", "gcp"]
runs-on: ubuntu-22.04
attestationVariant: ["azure-sev-snp", "azure-tdx", "aws-sev-snp", "gcp-sev-snp"]
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
@ -26,7 +26,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# Don't trigger in forks, use head on pull requests, use default otherwise.
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}
@ -36,4 +36,4 @@ jobs:
with:
cosignPrivateKey: ${{ secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ secrets.COSIGN_DEV_PASSWORD }}
csp: ${{ matrix.csp }}
attestationVariant: ${{ matrix.attestationVariant }}


@ -14,7 +14,7 @@ jobs:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Cleanup
uses: ./.github/actions/e2e_cleanup_timeframe


@ -20,7 +20,7 @@ on:
jobs:
e2e-mini:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
environment: e2e
permissions:
id-token: write
@ -29,12 +29,12 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}
- name: Azure login OIDC
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@ -46,5 +46,6 @@ jobs:
azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }}
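Review bot: `azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}` is added to a job that already authenticates to Azure through OIDC (`azure/login` with `id-token: write`), so the job now carries a stored credential next to the federated one and nothing records why both are needed. If the composite action needs the static credential for an operation the OIDC identity cannot perform, a comment on that line naming it, e.g. `# static creds: required by <step> — the OIDC identity lacks <permission>`, would keep the next reader from removing either path, and the secret should be scoped to that operation only. The same line is added to the second e2e-mini job in the daily-workflow section further below (its `azureIAMCredentials` line), where the same comment applies.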


@ -12,7 +12,7 @@ jobs:
matrix:
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
name: Find latest image
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
@ -21,7 +21,7 @@ jobs:
image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -49,13 +49,7 @@ jobs:
attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
test: ["sonobuoy quick"]
exclude:
# TODO(v2.18 msanft): Remove exclude rule for GCP SEV-SNP stable once images exist.
- kubernetesVersion: "1.28"
attestationVariant: "gcp-sev-snp"
refStream: "ref/release/stream/stable/?"
test: "sonobuoy quick"
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
checks: write
@ -65,7 +59,7 @@ jobs:
needs: [find-latest-image]
steps:
- name: Check out repository
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -96,6 +90,7 @@ jobs:
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
kubernetesVersion: ${{ matrix.kubernetesVersion }}
test: ${{ matrix.test }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
@ -155,7 +150,7 @@ jobs:
e2e-mini:
name: Run miniconstellation E2E test
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
environment: e2e
permissions:
id-token: write
@ -164,12 +159,12 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Azure login OIDC
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@ -181,6 +176,7 @@ jobs:
azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }}


@ -22,9 +22,9 @@ on:
description: "Architecture of the runner that executes the CLI"
type: choice
options:
- "ubuntu-22.04"
- "ubuntu-24.04"
- "macos-12"
default: "ubuntu-22.04"
default: "ubuntu-24.04"
test:
description: "The test to run."
type: choice


@ -22,9 +22,9 @@ on:
description: "Architecture of the runner that executes the CLI"
type: choice
options:
- "ubuntu-22.04"
- "ubuntu-24.04"
- "macos-12"
default: "ubuntu-22.04"
default: "ubuntu-24.04"
test:
description: "The test to run."
type: choice


@ -63,7 +63,7 @@ on:
jobs:
provider-example-test:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
@ -71,7 +71,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -306,6 +306,19 @@ jobs:
cat >> _override.tf <<EOF
locals {
instance_type = "Standard_DC4es_v5"
subscription_id = "$(az account show --query id --output tsv)"
}
EOF
cat _override.tf
- name: Create Azure SEV-SNP Terraform overrides
if: inputs.attestationVariant == 'azure-sev-snp'
working-directory: ${{ github.workspace }}/cluster
shell: bash
run: |
cat >> _override.tf <<EOF
locals {
subscription_id = "$(az account show --query id --output tsv)"
}
EOF
cat _override.tf
@ -324,12 +337,12 @@ jobs:
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
terraform init
if [[ "${{ inputs.attestationVariant }}" == "azure-sev-snp" ]]; then
terraform apply -target module.azure_iam -auto-approve
terraform apply -target module.azure_infrastructure -auto-approve
timeout 1h terraform apply -target module.azure_iam -auto-approve
timeout 1h terraform apply -target module.azure_infrastructure -auto-approve
${{ github.workspace }}/build/constellation maa-patch "$(terraform output -raw maa_url)"
terraform apply -target constellation_cluster.azure_example -auto-approve
timeout 1h terraform apply -target constellation_cluster.azure_example -auto-approve
else
terraform apply -auto-approve
timeout 1h terraform apply -auto-approve
fi
- name: Cleanup Terraform Cluster on failure
@ -340,7 +353,7 @@ jobs:
shell: bash
run: |
terraform init
terraform destroy -auto-approve
terraform destroy -auto-approve -lock=false
- name: Add Provider to local Terraform registry # needed if release version was used before
if: inputs.providerVersion != ''
@ -394,7 +407,7 @@ jobs:
shell: bash
run: |
terraform init --upgrade
terraform apply -auto-approve
timeout 1h terraform apply -auto-approve
- name: Assert upgrade successful
working-directory: ${{ github.workspace }}/cluster
@ -462,11 +475,11 @@ jobs:
shell: bash
run: |
terraform init
terraform destroy -auto-approve
terraform destroy -auto-approve -lock=false
- name: Notify about failure
if: |
failure() &&
(failure() || cancelled()) &&
github.ref == 'refs/heads/main' &&
github.event_name == 'schedule'
continue-on-error: true
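Review bot: Both failure-cleanup steps now run `terraform destroy -auto-approve -lock=false`, which disables state locking with no comment on why that is safe here. The likely reason is the new `timeout 1h` wrappers on the apply steps: a terraform process killed by `timeout` can leave the remote state lock held, and the cleanup would otherwise be unable to proceed; if that is the reason, record it on both lines, e.g. `# -lock=false: an apply killed by the 1h timeout may leave the state lock held`, because a destroy that ignores a lock held by a live run would corrupt the state. `timeout` exits non-zero (124) after killing the child, so the apply step fails and the cleanup step runs, assuming its `if:` condition is the usual failure guard (not shown in the hunk). The new Azure SEV-SNP override block duplicates the TDX one except for `instance_type`; a single step conditioned on both variants with `instance_type` set only for TDX would avoid two copies of the `subscription_id` line.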


@ -47,241 +47,256 @@ jobs:
# sonobuoy full test on all k8s versions
- test: "sonobuoy full"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
kubernetes-version: "v1.29"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
kubernetes-version: "v1.29"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
kubernetes-version: "v1.29"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
kubernetes-version: "v1.29"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
kubernetes-version: "v1.29"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.28"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-24.04"
clusterCreation: "cli"
# verify test on latest k8s version
- test: "verify"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
# recover test on latest k8s version
- test: "recover"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "recover"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "recover"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "recover"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "recover"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
# lb test on latest k8s version
- test: "lb"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "lb"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "lb"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "lb"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "lb"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
# autoscaling test on latest k8s version
- test: "autoscaling"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "autoscaling"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "autoscaling"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "autoscaling"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "autoscaling"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
# perf-bench test on latest k8s version, not supported on AWS
# perf-bench test on latest k8s version
- test: "perf-bench"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "perf-bench"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "perf-bench"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "perf-bench"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
- test: "perf-bench"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
# s3proxy test on latest k8s version
- test: "s3proxy"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
kubernetes-version: "v1.30"
runner: "ubuntu-24.04"
clusterCreation: "cli"
# malicious join test on latest k8s version
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
runner: "ubuntu-24.04"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
runner: "ubuntu-24.04"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
runner: "ubuntu-24.04"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
runner: "ubuntu-24.04"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
runner: "ubuntu-24.04"
#
# Tests on macOS runner
@ -290,11 +305,11 @@ jobs:
# TODO(3u13r): Update verify test to work on MacOS runners
# - test: "verify"
# attestationVariant: "azure-sev-snp"
# kubernetes-version: "v1.29"
# kubernetes-version: "v1.30"
# runner: "macos-12"
- test: "recover"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
runner: "macos-12"
clusterCreation: "cli"
runs-on: ${{ matrix.runner }}
@ -311,7 +326,7 @@ jobs:
run: brew install coreutils kubectl bash
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ inputs.ref || github.head_ref }}
@ -327,7 +342,7 @@ jobs:
- name: Set up gcloud CLI (macOS)
if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
- name: Run E2E test
id: e2e_test
@ -349,6 +364,7 @@ jobs:
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
test: ${{ matrix.test }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
@ -393,8 +409,8 @@ jobs:
fail-fast: false
max-parallel: 1
matrix:
fromVersion: ["v2.16.2"]
attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
fromVersion: ["v2.19.3"]
attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
name: Run upgrade tests
secrets: inherit
permissions:
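Review bot: The upgrade-test matrix swaps `gcp-sev-es` for `gcp-sev-snp` (`attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]`) while `gcp-sev-es` stays in every other test list, so upgrades from `v2.19.3` on SEV-ES clusters are no longer exercised and the reason is not recorded. If that is intentional, a one-line comment above the matrix, e.g. `# gcp-sev-es upgrades are not tested: <reason>`, would stop it being read as an accidental drop; the same matrix change appears in the daily-workflow section that follows. The recover test keeps `runner: "macos-12"` while all Linux entries move to `ubuntu-24.04`; as far as I know GitHub has announced retirement of the macos-12 image, so that entry may need a newer macOS label soon.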


@ -22,9 +22,9 @@ on:
description: "Architecture of the runner that executes the CLI"
type: choice
options:
- "ubuntu-22.04"
- "ubuntu-24.04"
- "macos-12"
default: "ubuntu-22.04"
default: "ubuntu-24.04"
test:
description: "The test to run."
type: choice


@ -12,7 +12,7 @@ jobs:
matrix:
refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
name: Find latest image
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
@ -22,7 +22,7 @@ jobs:
image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -55,80 +55,87 @@ jobs:
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
# Sonobuoy conformance test
- test: "sonobuoy conformance"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.30"
clusterCreation: "cli"
# Sonobuoy quick test on all but the latest k8s versions
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.27"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.27"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.27"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.27"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.27"
kubernetes-version: "v1.28"
clusterCreation: "cli"
@ -136,139 +143,143 @@ jobs:
- test: "verify"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
clusterCreation: "cli"
- test: "verify"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "aws-sev-snp"
refStream: "ref/main/stream/debug/?"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
# recover test on latest k8s version
- test: "recover"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
# lb test on latest k8s version
- test: "lb"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
# autoscaling test on latest k8s version
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
# perf-bench test on latest k8s version, not supported on AWS
# perf-bench test on latest k8s version
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
refStream: "ref/main/stream/nightly/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
refStream: "ref/main/stream/nightly/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
refStream: "ref/main/stream/nightly/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "perf-bench"
refStream: "ref/main/stream/nightly/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.30"
clusterCreation: "cli"
- test: "perf-bench"
refStream: "ref/main/stream/nightly/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.30"
clusterCreation: "cli"
# TODO: check what needs to be done for perf-bench on Azure TDX
#- test: "perf-bench"
# refStream: "ref/main/stream/debug/?"
# attestationVariant: "azure-tdx"
# kubernetes-version: "v1.29"
# clusterCreation: "cli"
# s3proxy test on latest k8s version
- test: "s3proxy"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
kubernetes-version: "v1.30"
clusterCreation: "cli"
#
@ -279,31 +290,30 @@ jobs:
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
# TODO(msanft): Enable once stable GCP SEV-SNP images exist.
# - test: "verify"
# refStream: "ref/release/stream/stable/?"
# attestationVariant: "gcp-sev-snp"
# kubernetes-version: "v1.28"
# clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.28"
kubernetes-version: "v1.29"
clusterCreation: "cli"
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
checks: write
@ -313,7 +323,7 @@ jobs:
needs: [find-latest-image]
steps:
- name: Check out repository
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -335,7 +345,7 @@ jobs:
controlNodesCount: "3"
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
attestationVariant: ${{ matrix.attestationVariant }}
osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || matrix.refStream == 'ref/main/stream/nightly/?' && needs.find-latest-image.outputs.image-main-nightly || needs.find-latest-image.outputs.image-main-debug }}
isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
kubernetesVersion: ${{ matrix.kubernetes-version }}
@ -347,6 +357,7 @@ jobs:
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
test: ${{ matrix.test }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
@ -409,8 +420,8 @@ jobs:
fail-fast: false
max-parallel: 1
matrix:
fromVersion: ["v2.16.2"]
attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
fromVersion: ["v2.19.3"]
attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
name: Run upgrade tests
secrets: inherit
permissions:
@ -428,7 +439,7 @@ jobs:
e2e-mini:
name: Run miniconstellation E2E test
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
environment: e2e
permissions:
id-token: write
@ -437,12 +448,12 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Azure login OIDC
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@ -454,6 +465,7 @@ jobs:
azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }}
@ -487,7 +499,7 @@ jobs:
strategy:
fail-fast: false
matrix:
attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
permissions:
id-token: write
contents: read

@ -22,15 +22,16 @@ on:
description: "Architecture of the runner that executes the CLI"
type: choice
options:
- "ubuntu-22.04"
- "ubuntu-24.04"
- "macos-12"
default: "ubuntu-22.04"
default: "ubuntu-24.04"
test:
description: "The test to run."
description: "The test to run. The conformance test is only supported for clusterCreation=cli."
type: choice
options:
- "sonobuoy quick"
- "sonobuoy full"
- "sonobuoy conformance"
- "autoscaling"
- "lb"
- "perf-bench"
@ -42,7 +43,7 @@ on:
required: true
kubernetesVersion:
description: "Kubernetes version to create the cluster from."
default: "1.28"
default: "1.29"
required: true
cliVersion:
description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@ -82,7 +83,7 @@ on:
type: string
required: true
test:
description: "The test to run."
description: "The test to run. The conformance test is only supported for clusterCreation=cli."
type: string
required: true
kubernetesVersion:
@ -128,7 +129,7 @@ on:
jobs:
generate-input-parameters:
name: Generate input parameters
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
@ -164,7 +165,7 @@ jobs:
find-latest-image:
name: Select image
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
@ -174,13 +175,13 @@ jobs:
steps:
- name: Checkout head
if: inputs.git-ref == 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.git-ref != 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.git-ref }}
@ -211,19 +212,19 @@ jobs:
- name: Checkout head
if: inputs.git-ref == 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.git-ref != 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.git-ref }}
- name: Set up gcloud CLI (macOS)
if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'
uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
- name: Run manual E2E test
id: e2e_test
@ -246,6 +247,7 @@ jobs:
osImage: ${{ needs.find-latest-image.outputs.image }}
cliVersion: ${{ inputs.cliVersion }}
isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
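Review bot: The new `sonobuoy conformance` option is documented in both `test` descriptions as only supported for clusterCreation=cli, but nothing visible in this section enforces that combination, so a dispatch with another clusterCreation value would proceed until the test step fails late. A fail-fast guard in generate-input-parameters would cover it, e.g. `if [[ "$TEST" == "sonobuoy conformance" && "$CLUSTER_CREATION" != "cli" ]]; then echo "conformance requires clusterCreation=cli"; exit 1; fi`, with `TEST` and `CLUSTER_CREATION` supplied through the step's `env:` rather than inlined into the script. The body of generate-input-parameters is outside this hunk, so the check may already exist there. The runner choice list still offers `macos-12` next to the bumped `ubuntu-24.04`; if that image is on GitHub's retirement list, a dispatch selecting it will queue indefinitely, which is worth confirming.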

@ -22,6 +22,10 @@ on:
description: CLI version to create a new cluster with. This has to be a released version, e.g., 'v2.1.3'.
type: string
required: true
fromKubernetes:
description: Kubernetes version for the origin cluster, empty for origin target's default version.
type: string
required: false
gitRef:
description: Ref to build upgrading CLI on, empty for HEAD.
type: string
@ -32,11 +36,11 @@ on:
type: string
required: false
toKubernetes:
description: Kubernetes version to target for the upgrade, empty for target's default version.
description: Kubernetes version to target for the upgrade, empty for upgrade target's default version.
type: string
required: false
toMicroservices:
description: Microservice version to target for the upgrade, empty for target's default version.
description: Microservice version to target for the upgrade, empty for upgrade target's default version.
type: string
required: false
simulatedTargetVersion:
@ -60,6 +64,10 @@ on:
description: CLI version to create a new cluster with. This has to be a released version, e.g., 'v2.1.3'.
type: string
required: true
fromKubernetes:
description: Kubernetes version for the origin cluster, empty for origin target's default version.
type: string
required: false
gitRef:
description: Ref to build upgrading CLI on.
type: string
@ -90,7 +98,7 @@ on:
jobs:
generate-input-parameters:
name: Generate input parameters
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
@ -124,60 +132,9 @@ jobs:
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
build-target-cli:
name: Build upgrade target version CLI
runs-on: ubuntu-22.04
permissions:
id-token: write
checks: write
contents: read
packages: write
steps:
- name: Checkout
if: inputs.gitRef == 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.gitRef != 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
fetch-depth: 0
ref: ${{ inputs.gitRef }}
- name: Setup Bazel & Nix
uses: ./.github/actions/setup_bazel_nix
- name: Log in to the Container registry
uses: ./.github/actions/container_registry_login
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Simulate patch upgrade
if: inputs.simulatedTargetVersion != ''
run: |
echo ${{ inputs.simulatedTargetVersion }} > version.txt
- name: Build CLI
uses: ./.github/actions/build_cli
with:
enterpriseCLI: true
outputPath: "build/constellation"
push: true
- name: Upload CLI binary
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build/constellation
create-cluster:
name: Create upgrade origin version cluster
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
checks: write
@ -190,14 +147,14 @@ jobs:
steps:
- name: Checkout
if: inputs.gitRef == 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.gitRef != 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ inputs.gitRef }}
@ -215,11 +172,13 @@ jobs:
osImage: ${{ inputs.fromVersion }}
isDebugImage: "false"
cliVersion: ${{ inputs.fromVersion }}
kubernetesVersion: ${{ inputs.fromKubernetes }}
regionZone: ${{ inputs.regionZone }}
gcpProject: constellation-e2e
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
test: "upgrade"
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
@ -261,7 +220,7 @@ jobs:
e2e-upgrade:
name: Run upgrade test
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
checks: write
@ -269,19 +228,18 @@ jobs:
packages: write
needs:
- generate-input-parameters
- build-target-cli
- create-cluster
steps:
- name: Checkout
if: inputs.gitRef == 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.gitRef != 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ inputs.gitRef }}
@ -289,6 +247,32 @@ jobs:
- name: Setup Bazel & Nix
uses: ./.github/actions/setup_bazel_nix
- name: Log in to the Container registry
uses: ./.github/actions/container_registry_login
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# applying the version manipulation here so that the upgrade test tool is also on the simulated target version
- name: Simulate patch upgrade
if: inputs.simulatedTargetVersion != ''
run: |
echo ${{ inputs.simulatedTargetVersion }} > version.txt
- name: Build CLI
uses: ./.github/actions/build_cli
with:
enterpriseCLI: true
outputPath: "build/constellation"
push: true
- name: Upload CLI binary # is needed for the cleanup step
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build/constellation
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
@ -325,11 +309,6 @@ jobs:
with:
azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- name: Download CLI
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build
- name: Download Working Directory (Pre-test)
uses: ./.github/actions/artifact_download
@ -394,15 +373,9 @@ jobs:
echo "K8s target: $KUBERNETES"
echo "Microservice target: $MICROSERVICES"
if [[ -n ${MICROSERVICES} ]]; then
MICROSERVICES_FLAG="--target-microservices=$MICROSERVICES"
fi
if [[ -n ${KUBERNETES} ]]; then
KUBERNETES_FLAG="--target-kubernetes=$KUBERNETES"
fi
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"
CLI=$(realpath ./build/constellation)
bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" --target-kubernetes "$KUBERNETES" --target-microservices "$MICROSERVICES" --cli "$CLI"
- name: Remove Terraform plugin cache
if: always()
@ -426,7 +399,7 @@ jobs:
clean-up:
name: Clean up resources
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
checks: write
@ -438,20 +411,20 @@ jobs:
steps:
- name: Checkout
if: inputs.gitRef == 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.gitRef != 'head'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
ref: ${{ inputs.gitRef }}
- name: Download CLI
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build
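Review bot: The `Simulate patch upgrade` step moved into e2e-upgrade still expands `${{ inputs.simulatedTargetVersion }}` directly inside the `run:` script (`echo ${{ inputs.simulatedTargetVersion }} > version.txt`); a workflow_dispatch/workflow_call input interpolated into shell text is the script-injection pattern GitHub's Actions hardening guidance warns about, and here the value also determines the version the built CLI reports. Pass it through the environment instead: add `SIMULATED_TARGET_VERSION: ${{ inputs.simulatedTargetVersion }}` under the step's `env:` and use `run: echo "$SIMULATED_TARGET_VERSION" > version.txt`. Separately, the rewritten bazel invocation now always passes `--target-kubernetes "$KUBERNETES" --target-microservices "$MICROSERVICES"` even when those variables are empty, whereas the old code omitted the flags in that case; this is only correct if upgrade_test treats an empty value as "use the default", which is not visible here.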

@ -13,7 +13,7 @@ on:
jobs:
build-cli:
name: Build Windows CLI
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
checks: write
@ -21,7 +21,7 @@ jobs:
packages: write
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -45,7 +45,7 @@ jobs:
push: true
- name: Upload CLI artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
path: build/constellation.exe
name: "constell-exe"
@ -56,12 +56,12 @@ jobs:
needs: build-cli
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download CLI artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: "constell-exe"
@ -84,7 +84,7 @@ jobs:
$rgName = "e2e-win-${{ github.run_id }}-${{ github.run_attempt }}-$uid"
"rgName=$($rgName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
.\constellation.exe config generate azure -t "workflow=${{ github.run_id }}"
.\constellation.exe iam create azure --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
.\constellation.exe iam create azure --subscriptionID=${{ secrets.AZURE_SUBSCRIPTION_ID }} --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
- name: Login to Azure (Cluster service principal)
uses: ./.github/actions/login_azure
@ -178,7 +178,7 @@ jobs:
notify-failure:
name: Notify about failure
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
needs: e2e-test
if: |
failure() &&
@ -186,7 +186,7 @@ jobs:
inputs.scheduled
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
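Review bot: The added `--subscriptionID=${{ secrets.AZURE_SUBSCRIPTION_ID }}` expands a secret directly into the PowerShell `run:` script, so the value becomes part of the generated script and the process command line rather than being read from the environment; the sibling workflows in this commit pass the same secret as an `azureSubscriptionID` action input instead. Prefer an `env:` entry on the step, `AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}`, and `--subscriptionID=$env:AZURE_SUBSCRIPTION_ID` in the command. The `iam create` call also runs with `--debug`; whether that flag echoes subscription or service-principal details into the job log is not visible here and worth confirming, since the log masker only redacts exact secret strings.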

@ -15,7 +15,7 @@ on:
jobs:
complete-release-branch-transaction:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: write
@ -26,7 +26,7 @@ jobs:
WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # fetch all history
@ -44,12 +44,12 @@ jobs:
git push origin "${WORKING_BRANCH}":"${RELEASE_BRANCH}"
update:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
outputs:
latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Override latest
if: github.event.inputs.latest == 'true'
@ -117,13 +117,13 @@ jobs:
add-image-version-to-versionsapi,
add-cli-version-to-versionsapi,
]
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Remove temporary branch
run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
@ -131,13 +131,13 @@ jobs:
mirror-gcp-mpi:
name: "Mirror GCP Marketplace Image"
needs: [add-image-version-to-versionsapi]
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: ./.github/actions/setup_bazel_nix
@ -159,9 +159,8 @@ jobs:
id: fetch-reference
shell: bash
run: |
# TODO(msanft): Implement marketplace images for GCP SEV-SNP
aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json)
FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-snp") | .reference' info.json)
IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT"
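Review bot: The lookup now selects the `gcp-sev-snp` entry while the TODO added just above it says marketplace images for GCP SEV-SNP are not implemented yet; if info.json has no such entry, `yq` yields an empty `FULL_REF`, `cut` passes the empty string on, and an empty `reference=` is written to `$GITHUB_OUTPUT` without the step failing. Add a guard after the yq line: `if [[ -z "${FULL_REF}" ]]; then echo "no gcp-sev-snp image reference in info.json"; exit 1; fi`. Whether the TODO refers to this lookup or to a later mirroring step is not clear from the hunk.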

@ -10,7 +10,7 @@ on:
jobs:
find-version:
name: Delete version from main ref
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
outputs:
version: ${{ steps.find.outputs.version }}
permissions:
@ -18,7 +18,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.head_ref }}
@ -47,6 +47,8 @@ jobs:
;;
esac
- uses: ./.github/actions/setup_bazel_nix
- name: List versions
id: list
uses: ./.github/actions/versionsapi

79
.github/workflows/release-publish.yml vendored Normal file
@ -0,0 +1,79 @@
name: 'Release: on-publish'
on:
release:
types:
- published
workflow_dispatch:
inputs:
tag:
description: 'Semantic version tag of the release (vX.Y.Z).'
required: true
jobs:
post-release-actions:
runs-on: ubuntu-24.04
permissions:
issues: write
env:
FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
GH_TOKEN: ${{ github.token }}
steps:
- name: Mark milestone as complete
run: |
milestones=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/constellation/milestones)
current_milestone=$(echo "${milestones}" | jq -r ".[] | select(.title == \"${FULL_VERSION}\")")
echo "current milestone: ${current_milestone}"
if [[ -z "${current_milestone}" ]]; then
echo "milestone ${FULL_VERSION} does not exist, nothing to do..."
exit 0
fi
current_milestone_state=$(echo "${current_milestone}" | jq -r '.state')
echo "current milestone state: ${current_milestone_state}"
if [[ "${current_milestone_state}" != "open" ]]; then
echo "milestone ${FULL_VERSION} is already closed, nothing to do..."
exit 0
fi
milestone_number=$(echo "${current_milestone}" | jq -r '.number')
echo "milestone number: ${milestone_number}"
if [[ -z "${milestone_number}" ]]; then
echo "failed parsing milestone number"
exit 1
fi
gh api \
--method PATCH \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/edgelesssys/constellation/milestones/${milestone_number}" \
-f state=closed
- name: Create next milestone
run: |
WITHOUT_V=${FULL_VERSION#v}
PART_MAJOR=${WITHOUT_V%%.*}
PART_MINOR=${WITHOUT_V#*.}
PART_MINOR=${PART_MINOR%%.*}
NEXT_MINOR=v${PART_MAJOR}.$((PART_MINOR + 1)).0
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/constellation/milestones |
jq -r '.[].title' | \
grep -xqF "${NEXT_MINOR}" && exit 0
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/constellation/milestones \
-f title="${NEXT_MINOR}" \
-f state='open' \
-f "due_on=$(date -d '2 months' +'%Y-%m-%dT00:00:00Z')"
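Review bot: The `tag` input is documented as `vX.Y.Z` but never validated, yet `Create next milestone` feeds it into shell arithmetic (`$((PART_MINOR + 1))`) and `Mark milestone as complete` splices it into a jq program string via `\"${FULL_VERSION}\"`; on a workflow_dispatch with a malformed tag the first step reports "does not exist" and exits 0, while the second can fail or misbehave in hard-to-diagnose ways. Add an initial step that rejects anything else, `[[ "$FULL_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid tag: ${FULL_VERSION}"; exit 1; }`, and pass the title to jq as data rather than code: `jq -r --arg v "$FULL_VERSION" '.[] | select(.title == $v)'`. Both `gh api .../milestones` calls are also unpaginated, so a repository with more open milestones than one page returns would make both steps miss the match; `--paginate` on those calls avoids that.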

@ -19,7 +19,7 @@ concurrency:
jobs:
verify-inputs:
name: Verify inputs
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
env:
FULL_VERSION: ${{ inputs.version }}
outputs:
@ -33,7 +33,7 @@ jobs:
RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Working branch
run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
@ -72,10 +72,9 @@ jobs:
echo "WORKING_BRANCH=${WORKING_BRANCH}"
} | tee -a "$GITHUB_OUTPUT"
docs:
name: Create docs release (from main)
runs-on: ubuntu-22.04
if: inputs.kind == 'minor'
update-main-branch:
name: Update main branch with release changes
runs-on: ubuntu-24.04
needs: verify-inputs
permissions:
contents: write
@ -85,36 +84,61 @@ jobs:
MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: main
- name: Configure git
run: |
git config --global user.name "edgelessci"
git config --global user.email "edgelessci@users.noreply.github.com"
- name: Create docs release
if: inputs.kind == 'minor'
working-directory: docs
run: |
npm install
npm ci
npm run docusaurus docs:version "${MAJOR_MINOR}"
git add .
git commit -am "docs: release ${MAJOR_MINOR}"
# Clean up auxiliary files, so next steps run on a clean tree
git clean -fdx :/
- name: Update version.txt
if: inputs.kind == 'minor'
run: |
pre_release_version="v${{ needs.verify-inputs.outputs.PART_MAJOR }}.$((${{ needs.verify-inputs.outputs.PART_MINOR }} + 1)).0-pre"
echo "${pre_release_version}" > version.txt
git add version.txt
git commit -m "chore: update version.txt to ${pre_release_version}"
- name: Update CI for new version
run: |
sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-release.yml
sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml
- name: Create docs pull request
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
branch: ${{ env.BRANCH }}
base: main
title: "docs: add release ${{ env.VERSION }}"
title: "Post ${{ env.VERSION }} release updates to main"
body: |
:robot: *This is an automated PR.* :robot:
The PR is triggered as part of the automated release process of version ${{ env.VERSION }}.
It releases a new version of the documentation.
commit-message: "docs: add release ${{ env.VERSION }}"
commit-message: "chore: update CI for ${{ env.VERSION }}"
committer: edgelessci <edgelessci@users.noreply.github.com>
author: edgelessci <edgelessci@users.noreply.github.com>
labels: no changelog
assignees: ${{ github.actor }}
reviewers: ${{ github.actor }}
# We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
check-working-branch:
name: Check temporary working branch
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
needs: verify-inputs
permissions:
contents: write
@ -123,7 +147,7 @@ jobs:
WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
@ -152,7 +176,7 @@ jobs:
update-versions:
name: Update container image versions
needs: [verify-inputs, check-working-branch]
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
contents: write
packages: read
@ -161,7 +185,7 @@ jobs:
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
@ -220,20 +244,20 @@ jobs:
needs: [verify-inputs, os-image]
permissions:
contents: write
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
env:
VERSION: ${{ inputs.version }}
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
- name: Setup Go environment
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22.3"
go-version: "1.23.2"
cache: true
- name: Build generateMeasurements tool
@ -250,8 +274,12 @@ jobs:
run: |
git config --global user.name "edgelessci"
git config --global user.email "edgelessci@users.noreply.github.com"
git commit -m "attestation: hardcode measurements for ${VERSION}"
git push
if git diff-index --quiet HEAD --; then
echo "No changes to commit"
else
git commit -m "attestation: hardcode measurements for ${VERSION}"
git push
fi
draft-release:
name: Draft release (CLI)
@ -278,6 +306,7 @@ jobs:
packages: write
id-token: write
contents: read
actions: write
secrets: inherit
with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
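Review bot: `Update CI for new version` expands `${{ inputs.version }}` inside the sed replacement text of a `run:` script, and `Update version.txt` does the same with `PART_MINOR` inside `$(( ... ))`; both should read the values from the step's `env:` (`VERSION: ${{ inputs.version }}`, `PART_MINOR: ${{ needs.verify-inputs.outputs.PART_MINOR }}`) and reference `$VERSION` / `$PART_MINOR`, which keeps workflow inputs out of the generated shell text. The verify-inputs job presumably validates the version format, but its body is outside this hunk. The renamed `update-main-branch` job still carries `BRANCH: docs/...`, the step name `Create docs pull request` and a PR body that says it releases a new version of the documentation, none of which matches the new title `Post ... release updates to main` and the added version.txt and CI updates. The `actions: write` permission added for the called workflow broadens what a compromised step in it could do (cancel or re-run workflows, delete artifacts); a short comment naming the step that needs it, e.g. `actions: write # <reason placeholder>`, would document the least-privilege decision.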

@ -1,8 +1,9 @@
# Verify that Constellation builds are reproducible.
#
# The build-* jobs' matrix has two dimensions: a list of targets to build and
# a list of runners to build on. The produced binaries and OS images are
# expected to be bit-for-bit identical, regardless of the chosen build runner.
# The build-* jobs' matrix has three dimensions: a list of targets to build, a
# list of runners to build on and a method of installing dependencies. The
# produced binaries and OS images are expected to be bit-for-bit identical,
# without any dependencies on the runtime setup details.
#
# The compare-* jobs only have the target dimension. They obtain the built
# targets from all runners and check that there are no diffs between them.
@ -24,19 +25,38 @@ jobs:
- "cli_enterprise_linux_amd64"
- "cli_enterprise_linux_arm64"
- "cli_enterprise_windows_amd64"
runner: ["ubuntu-22.04", "ubuntu-20.04"]
runner:
- "ubuntu-24.04"
- "ubuntu-22.04"
deps:
- conventional
- eccentric
env:
bazel_target: "//cli:${{ matrix.target }}"
binary: "${{ matrix.target }}-${{ matrix.runner }}"
binary: "${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
- name: Setup dependencies
uses: ./.github/actions/setup_bazel_nix
if: matrix.deps == 'conventional'
- name: Setup dependencies (eccentric)
if: matrix.deps == 'eccentric'
run: |
version=$(cat .bazelversion)
mkdir -p "$HOME/.local/bin"
curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$version/bazel-$version-linux-x86_64"
chmod a+x "$HOME/.local/bin/bazel"
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v0.26.3/nix-installer-x86_64-linux # renovate:github-release
chmod a+x "$HOME/.local/bin/nix-installer"
"$HOME/.local/bin/nix-installer" install --no-confirm
- name: Build
shell: bash
@ -57,15 +77,15 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
path: "${{ env.binary }}.sha256"
build-osimages:
@ -77,14 +97,26 @@ jobs:
- "aws_aws-nitro-tpm_console"
- "qemu_qemu-vtpm_debug"
- "gcp_gcp-sev-snp_nightly"
runner: ["ubuntu-22.04", "ubuntu-20.04"]
runner: ["ubuntu-24.04", "ubuntu-22.04"]
env:
bazel_target: "//image/system:${{ matrix.target }}"
binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
runs-on: ${{ matrix.runner }}
steps:
- name: Remove security hardening features
if: matrix.runner == 'ubuntu-24.04'
shell: bash
run: |
# Taken from https://github.com/systemd/mkosi/blob/fcacc94b9f72d9b6b1f03779b0c6e07209ceb54b/action.yaml#L42-L57.
sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
# This command fails with a non-zero error code even though it unloads the apparmor profiles.
# https://gitlab.com/apparmor/apparmor/-/issues/403
sudo aa-teardown || true
sudo apt-get remove -y apparmor
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -110,13 +142,13 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}.sha256"
@ -132,14 +164,14 @@ jobs:
- "cli_enterprise_linux_amd64"
- "cli_enterprise_linux_arm64"
- "cli_enterprise_windows_amd64"
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download binaries
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: "binaries-${{ matrix.target }}-*"
merge-multiple: true
@ -166,14 +198,14 @@ jobs:
- "aws_aws-nitro-tpm_console"
- "qemu_qemu-vtpm_debug"
- "gcp_gcp-sev-snp_nightly"
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download os images
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: "osimages-${{ matrix.target }}-*"
merge-multiple: true


@ -9,7 +9,7 @@ on:
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
@ -18,25 +18,25 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: Upload artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
sarif_file: results.sarif


@ -18,14 +18,14 @@ jobs:
pull-requests: write
steps:
- name: Checkout constellation repo
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
fetch-depth: 0
path: constellation
- name: Checkout terraform-provider-constellation repo
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: edgelesssys/terraform-provider-constellation
ref: main
@ -40,7 +40,7 @@ jobs:
- name: Create pull request
id: create-pull-request
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
path: terraform-provider-constellation
branch: "feat/docs/update"


@ -20,12 +20,12 @@ on:
jobs:
integration-test:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
env:
CTEST_OUTPUT_ON_FAILURE: True
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}


@ -18,17 +18,17 @@ on:
jobs:
govulncheck:
name: check-codegen
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22.3"
go-version: "1.23.2"
cache: true
- name: Run code generation


@ -17,13 +17,13 @@ on:
jobs:
tfsec:
name: tfsec
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}


@ -17,7 +17,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
# No token available for forks, so we can't push changes
@ -51,7 +51,9 @@ jobs:
- name: Run Bazel tidy
shell: bash
run: bazel run //:tidy
run: |
bazel run //:tidy
bazel mod deps --lockfile_mode=update
- name: Check if untidy
id: untidy
@ -96,10 +98,11 @@ jobs:
exit 0
fi
# Use quadruple backticks to escape triple backticks in diff'ed files.
cat << EOF >> "${GITHUB_STEP_SUMMARY}"
\`\`\`diff
\`\`\`\`diff
${diff}
\`\`\`
\`\`\`\`
EOF
if [[ "${{ steps.untidy.outputs.untidy }}" == "true" ]] &&
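Review bot: The new `bazel mod deps --lockfile_mode=update` line refreshes MODULE.bazel.lock but does not regenerate the `use_repo` list, which the MODULE.bazel added in this commit says is maintained with `bazel mod tidy`; unless `bazel run //:tidy` already runs that, a stale `use_repo` entry passes this check unnoticed. Consider `bazel mod tidy` as a third line of the run block, or a comment on the step stating that `//:tidy` covers it. The switch to a quadruple-backtick fence handles diffs that contain triple backticks, but a diffed file containing four backticks would still break the step summary, which is worth a word in the comment above `cat << EOF`. The run script of this step continues outside the hunk.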


@ -30,7 +30,7 @@ jobs:
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
fetch-depth: 0


@ -7,13 +7,15 @@ on:
jobs:
update-rpms:
runs-on: "ubuntu-22.04"
runs-on: "ubuntu-24.04"
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
token: ${{ secrets.CI_COMMIT_PUSH_PR }}
- name: Assume AWS role to upload Bazel dependencies to S3
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
@ -37,7 +39,7 @@ jobs:
fi
- name: Create pull request
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
branch: "image/automated/update-rpms-${{ github.run_number }}"
base: main
@ -49,6 +51,7 @@ jobs:
It updates the locked rpm packages that form the Constellation OS images.
commit-message: "image: update locked rpms"
committer: edgelessci <edgelessci@users.noreply.github.com>
author: edgelessci <edgelessci@users.noreply.github.com>
labels: dependencies
# We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}


@ -106,7 +106,7 @@ concurrency:
jobs:
versionsapi:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
id-token: write
contents: read
@ -115,7 +115,7 @@ jobs:
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -180,6 +180,8 @@ jobs:
with:
service_account: "image-deleter@constellation-images.iam.gserviceaccount.com"
- uses: ./.github/actions/setup_bazel_nix
- name: Execute versionsapi CLI
id: run
uses: ./.github/actions/versionsapi
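Review bot: The added `- uses: ./.github/actions/setup_bazel_nix` step has no `name:`, while every neighbouring step in this job is named, and nothing says why the versionsapi CLI now needs a Bazel/Nix toolchain on the runner. A `name: Setup Bazel and Nix` line keeps the job log consistent, and a short comment on the reason (presumably the CLI is now built with Bazel rather than fetched as a prebuilt binary — worth confirming against the versionsapi action) would save the next reader a lookup.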


@ -33,6 +33,10 @@ exclude = [
'^https://portal\.azure\.com/',
# The Wireguard website sproadically returns 500.
'^https://www\.wireguard\.com/',
# venturebeat detects our link checker
'^https://venturebeat\.com/',
# dev-docs reference the internal wiki
'^https://github\.com/edgelesssys/wiki',
]
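Review bot: The new exclude `'^https://github\.com/edgelesssys/wiki'` is a bare prefix, so it also silences any public repository whose name merely starts with `wiki`; if only the internal wiki is meant, `'^https://github\.com/edgelesssys/wiki(/|$)'` is the precise form. The venturebeat entry turns a bot-detection problem into a permanent blind spot, so a dead link there will no longer be reported; a custom user agent for the checker may be a better first attempt, and if the exclusion stays, a date or ticket reference in the comment helps decide later whether to lift it.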
# Exclude these filesystem paths from getting checked.


@ -8,10 +8,7 @@ go_library(
"internal_cross.go",
],
cgo = True,
cdeps = select({
"@//bazel/settings:tpm_simulator_enabled": ["//simulator/ms-tpm-20-ref:ms_tpm_20_ref"],
"//conditions:default": ["@//3rdparty/bazel/com_github_google_go_tpm_tools/placeholder:ms_tpm_20_ref_disabled"],
}),
cdeps = ["//simulator/ms-tpm-20-ref:ms_tpm_20_ref"],
copts = [
"-fno-sanitize=all", # relax sanitizer checks for this test-only dependency
],
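Review bot: Replacing the `select()` on `@//bazel/settings:tpm_simulator_enabled` with an unconditional `cdeps = ["//simulator/ms-tpm-20-ref:ms_tpm_20_ref"]` removes the only build-time switch that kept the reference TPM simulator out of targets that do not need it, while the copts comment two lines below still calls this a "test-only dependency". If any shipped binary transitively depends on this `go_library`, it now links the simulator and its OpenSSL dependency, which is extra attack surface and size for no runtime benefit — worth confirming with a `bazel query` over the release targets before the setting is also deleted from `bazel/settings`. The same replacement appears in the `simulator/internal/BUILD.bazel` patch hunk further down. A one-line comment above `cdeps` stating that the simulator is only reachable from test targets would record the assumption; the `go_library` call itself starts outside this hunk.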


@ -73,9 +73,15 @@ go_library(
"@io_bazel_rules_go//go/platform:openbsd": [
"-fstack-protector-all",
],
"@io_bazel_rules_go//go/platform:osx": [
"-fstack-protector-all",
],
"@io_bazel_rules_go//go/platform:plan9": [
"-fstack-protector-all",
],
"@io_bazel_rules_go//go/platform:qnx": [
"-fstack-protector-all",
],
"@io_bazel_rules_go//go/platform:solaris": [
"-fstack-protector-all",
],


@ -1,6 +1,6 @@
--- simulator/internal/BUILD.bazel
+++ simulator/internal/BUILD.bazel
@@ -4,83 +4,17 @@
@@ -4,89 +4,14 @@ go_library(
name = "internal",
srcs = [
"doc.go",
@ -17,10 +17,8 @@
- "-L/usr/local/opt/openssl/lib",
- ],
- "//conditions:default": [],
+ cdeps = select({
+ "@//bazel/settings:tpm_simulator_enabled": ["//simulator/ms-tpm-20-ref:ms_tpm_20_ref"],
+ "//conditions:default": ["@//3rdparty/bazel/com_github_google_go_tpm_tools/placeholder:ms_tpm_20_ref_disabled"],
}),
- }),
+ cdeps = ["//simulator/ms-tpm-20-ref:ms_tpm_20_ref"],
copts = [
- "-DALG_SHA512=ALG_YES",
- "-DCERTIFYX509_DEBUG=NO",
@ -76,9 +74,15 @@
- "@io_bazel_rules_go//go/platform:openbsd": [
- "-fstack-protector-all",
- ],
- "@io_bazel_rules_go//go/platform:osx": [
- "-fstack-protector-all",
- ],
- "@io_bazel_rules_go//go/platform:plan9": [
- "-fstack-protector-all",
- ],
- "@io_bazel_rules_go//go/platform:qnx": [
- "-fstack-protector-all",
- ],
- "@io_bazel_rules_go//go/platform:solaris": [
- "-fstack-protector-all",
- ],


@ -229,8 +229,10 @@ cc_library(
],
deps = [
":ms_tpm_20_ref_google_samples",
"@//nix/cc:org_openssl",
],
] + select({
"@io_bazel_rules_go//go/platform:linux_arm64": ["@@org_openssl_aarch64-linux//:org_openssl"],
"@io_bazel_rules_go//go/platform:linux_amd64": ["@@org_openssl_x86_64-linux//:org_openssl"],
}),
target_compatible_with = [
"@platforms//os:linux",
]
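Review bot: The new `select()` that picks the OpenSSL repository has keys for `linux_arm64` and `linux_amd64` only and no `//conditions:default`, so on any other configuration Bazel stops with a generic "no matching conditions" error instead of something actionable; adding `"//conditions:default": []` together with the existing `target_compatible_with` makes the Linux-only limitation explicit and readable. The copy of this rule in the `ms_tpm_20_ref.patch` hunk below additionally lists `darwin_arm64`/`darwin_amd64` keys while keeping `target_compatible_with = ["@@platforms//os:linux"]`, so the two definitions disagree and the darwin branches there are dead; one of them should be the source of truth. The `cc_library` rule begins outside this hunk.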


@ -1,6 +1,6 @@
--- simulator/ms-tpm-20-ref/BUILD.bazel
+++ simulator/ms-tpm-20-ref/BUILD.bazel
@@ -0,0 +1,512 @@
@@ -0,0 +1,516 @@
+cc_library(
+ name = "ms_tpm_20_ref",
+ visibility = ["//visibility:public"],
@ -229,10 +229,14 @@
+ ],
+ deps = [
+ ":ms_tpm_20_ref_google_samples",
+ "@//nix/cc:org_openssl",
+ ],
+ ] + select({
+ "@io_bazel_rules_go//go/platform:darwin_arm64": ["@@org_openssl_aarch64-darwin//:org_openssl"],
+ "@io_bazel_rules_go//go/platform:darwin_amd64": ["@@org_openssl_x86_64-darwin//:org_openssl"],
+ "@io_bazel_rules_go//go/platform:linux_arm64": ["@@org_openssl_aarch64-linux//:org_openssl"],
+ "@io_bazel_rules_go//go/platform:linux_amd64": ["@@org_openssl_x86_64-linux//:org_openssl"],
+ }),
+ target_compatible_with = [
+ "@platforms//os:linux",
+ "@@platforms//os:linux",
+ ],
+)
+


@ -1,12 +0,0 @@
load("@rules_cc//cc:defs.bzl", "cc_library")
cc_library(
name = "ms_tpm_20_ref_disabled",
srcs = ["ms_tpm_20_disabled.c"],
hdrs = [
"Platform.h",
"Tpm.h",
],
includes = ["."],
visibility = ["//visibility:public"],
)


@ -1,22 +0,0 @@
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
extern int g_inFailureMode;
typedef union {
uint16_t size;
uint8_t *buffer;
} TPM2B, TPM2B_SEED;
typedef struct
{
TPM2B_SEED EPSeed;
TPM2B_SEED SPSeed;
TPM2B_SEED PPSeed;
} PERSISTENT_DATA;
extern PERSISTENT_DATA gp;
void _plat__Reset(bool forceManufacture);
void _plat__RunCommand(uint32_t requestSize, unsigned char *request,
uint32_t *responseSize, unsigned char **response);


@ -1,27 +0,0 @@
#undef TRUE
#define TRUE 1
#undef FALSE
#define FALSE 0
#undef YES
#define YES 1
#undef NO
#define NO 0
#undef SET
#define SET 1
#undef CLEAR
#define CLEAR 0
#ifndef MAX_RESPONSE_SIZE
#define MAX_RESPONSE_SIZE 4096
#endif
#ifndef EPSeed
#define EPSeed 1
#endif
#ifndef SPSeed
#define SPSeed 1
#endif
#ifndef PPSeed
#define PPSeed 1
#endif
#define NV_SYNC_PERSISTENT(x)


@ -1,9 +0,0 @@
#include "Platform.h"
#include "Tpm.h"
int g_inFailureMode = 0;
void _plat__Reset(bool forceManufacture) {}
void _plat__RunCommand(uint32_t requestSize, unsigned char *request,
uint32_t *responseSize, unsigned char **response) {}


@ -4,9 +4,9 @@
"plain.go",
],
cgo = True,
+ cdeps = [
+ "@//nix/cc:cryptsetup",
+ ],
+ cdeps = select({
+ "@io_bazel_rules_go//go/platform:linux_amd64": ["@@cryptsetup_x86_64-linux//:cryptsetup"],
+ }),
importpath = "github.com/martinjungblut/go-cryptsetup",
visibility = ["//visibility:public"],
)
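Review bot: The new `cdeps = select({...})` in the go-cryptsetup patch lists only `@io_bazel_rules_go//go/platform:linux_amd64`, with no `linux_arm64` key and no `//conditions:default`, whereas the OpenSSL select elsewhere in this commit covers both Linux architectures; if any arm64 target (the build workflow earlier in this commit has a `cli_enterprise_linux_arm64` entry) reaches go-cryptsetup, its analysis now fails with a non-obvious error. Either add the arm64 key pointing at a corresponding aarch64 repository, if one is defined, or put a comment on the select documenting the amd64-only restriction. The libvirt patch hunk further down has the same shape with an unconditional `@@libvirt_x86_64-linux//:libvirt` and no select at all.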


@ -6,10 +6,10 @@ def node_maintainance_operator_deps():
http_archive(
name = "com_github_medik8s_node_maintainance_operator",
urls = [
"https://cdn.confidential.cloud/constellation/cas/sha256/df5ea2f9d982dd78770f2549333fd40aaf40e50a28deec9d7892f83cf9d1bdb2",
"https://github.com/medik8s/node-maintenance-operator/archive/refs/tags/v0.15.0.tar.gz",
"https://cdn.confidential.cloud/constellation/cas/sha256/6ccc7f152e5c595ab24eaadcda77870101eccc482694dc6f0d93be2528406ae2",
"https://github.com/medik8s/node-maintenance-operator/archive/refs/tags/v0.17.0.tar.gz",
],
strip_prefix = "node-maintenance-operator-0.15.0",
strip_prefix = "node-maintenance-operator-0.17.0",
build_file_content = """
api_v1beta1 = glob(["api/v1beta1/*.go"])
filegroup(
@ -19,5 +19,5 @@ filegroup(
)
""",
type = "tar.gz",
sha256 = "df5ea2f9d982dd78770f2549333fd40aaf40e50a28deec9d7892f83cf9d1bdb2",
sha256 = "6ccc7f152e5c595ab24eaadcda77870101eccc482694dc6f0d93be2528406ae2",
)


@ -1,11 +1,11 @@
--- src/crypto/tls/common.go
+++ src/crypto/tls/common.go
@@ -62,7 +62,7 @@
maxCiphertext = 16384 + 2048 // maximum ciphertext payload length
maxCiphertextTLS13 = 16384 + 256 // maximum ciphertext length in TLS 1.3
recordHeaderLen = 5 // record header length
- maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB)
+ maxHandshake = 262144 // maximum handshake we support (protocol max is 16 MB)
maxUselessRecords = 16 // maximum number of consecutive non-advancing records
@@ -64,7 +64,7 @@ const (
maxCiphertext = 16384 + 2048 // maximum ciphertext payload length
maxCiphertextTLS13 = 16384 + 256 // maximum ciphertext length in TLS 1.3
recordHeaderLen = 5 // record header length
- maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB)
+ maxHandshake = 262144 // maximum handshake we support (protocol max is 16 MB)
maxHandshakeCertificateMsg = 262144 // maximum certificate message size (256 KiB)
maxUselessRecords = 16 // maximum number of consecutive non-advancing records
)
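Review bot: The rebased patch still raises `maxHandshake` from 64 KiB to 256 KiB without recording why, and the new context line shows that Go 1.23 now carries a separate `maxHandshakeCertificateMsg = 262144`; if the oversized message this project needs is the Certificate message (plausible for attestation data embedded in certificates, but not visible here), upstream may already cover it and the patch could be retired rather than maintained. If it is still required, a header comment in the patch file along the lines of `# Raises the limit for non-certificate handshake messages to 256 KiB; re-validate on every Go SDK bump.` would make both the reason and the maintenance cost explicit. That matters because a larger limit also lets an unauthenticated peer make the server buffer four times more handshake data per connection before any check fails.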


@ -5,7 +5,7 @@
"typedparams.go",
],
+ cdeps = [
+ "@//nix/cc:libvirt",
+ "@@libvirt_x86_64-linux//:libvirt",
+ ],
cgo = True,
importpath = "libvirt.org/go/libvirt",


@ -1,4 +1,4 @@
FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2 as build
FROM ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 as build
# Install packages
RUN apt-get update && apt-get install -y \


@ -1,5 +1,5 @@
exports_files([
"WORKSPACE.bazel",
"WORKSPACE.bzlmod",
])
alias(


@ -1,7 +1,7 @@
# keep-sorted start
.golangci.yml @katexochen
/3rdparty/gcp-guest-agent @malt3
/bazel @malt3
/3rdparty/gcp-guest-agent @3u13r
/bazel @burgerdev
/bazel/ci @katexochen
/bazel/sh @katexochen
/bootstrapper @3u13r
@ -10,58 +10,57 @@
/cli/internal/libvirt @daniel-weisse
/cli/internal/terraform @elchead
/csi @daniel-weisse
/debugd @malt3
/debugd @daniel-weisse
/disk-mapper @daniel-weisse
/docs @thomasten
/e2e @3u13r
/hack/azure-snp-report-verify @derpsteb
/hack/bazel-deps-mirror @malt3
/hack/bazel-deps-mirror @burgerdev
/hack/cli-k8s-compatibility @derpsteb
/hack/clidocgen @thomasten
/hack/fetch-broken-e2e @katexochen
/hack/gocoverage @katexochen
/hack/oci-pin @malt3
/hack/oci-pin @burgerdev
/hack/qemu-metadata-api @daniel-weisse
/hack/remove-tf-providers @katexochen
/hack/terraform @3u13r
/hack/tools @katexochen
/hack/versioninfogen @daniel-weisse
/image @malt3
/image @msanft
/internal/api @derpsteb
/internal/atls @thomasten
/internal/attestation @daniel-weisse
/internal/cloud @3u13r
/internal/compatibility @derpsteb
/internal/config @derpsteb
/internal/constellation/featureset @malt3
/internal/constellation/helm @derpsteb
/internal/constellation/featureset @thomasten
/internal/constellation/helm @burgerdev
/internal/constellation/kubecmd @daniel-weisse
/internal/constellation/state @elchead
/internal/containerimage @malt3
/internal/containerimage @burgerdev
/internal/crypto @thomasten
/internal/cryptsetup @daniel-weisse
/internal/file @daniel-weisse
/internal/grpc @thomasten
/internal/imagefetcher @malt3
/internal/imagefetcher @msanft
/internal/installer @3u13r
/internal/kms @daniel-weisse
/internal/kubernetes @malt3
/internal/kubernetes @3u13r
/internal/license @thomasten
/internal/logger @daniel-weisse
/internal/nodestate @daniel-weisse
/internal/osimage @malt3
/internal/osimage @msanft
/internal/retry @katexochen
/internal/semver @derpsteb
/internal/sigstore @elchead
/internal/staticupload @malt3
/internal/staticupload @msanft
/internal/versions @3u13r
/joinservice @daniel-weisse
/keyservice @daniel-weisse
/measurement-reader @daniel-weisse
/operators @malt3
/rpm @malt3
/operators @3u13r
/terraform-provider-constellation @msanft @elchead
/tools @malt3
/tools @burgerdev
/upgrade-agent @3u13r
/verify @daniel-weisse
# keep-sorted end

208
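--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -0,0 +1,208 @@
+module(name = "constellation")
+bazel_dep(name = "aspect_bazel_lib", version = "2.9.4")
+bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
+bazel_lib.yq()
+use_repo(bazel_lib, "jq_toolchains")
+use_repo(bazel_lib, "yq_toolchains")
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
+bazel_dep(name = "gazelle", version = "0.39.1")
+bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.1")
+bazel_dep(name = "rules_cc", version = "0.1.0")
+bazel_dep(name = "rules_go", version = "0.50.1", repo_name = "io_bazel_rules_go")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
+bazel_dep(name = "rules_proto", version = "6.0.2")
+bazel_dep(name = "rules_python", version = "0.40.0")
+bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
+go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk")
+go_sdk.download(
+name = "go_sdk",
+patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
+version = "1.23.2",
+)
+python = use_extension("@rules_python//python/extensions:python.bzl", "python")
+python.toolchain(
+ignore_root_user_error = True,
+python_version = "3.11",
+)
+# the use_repo rule needs to list all top-level go dependencies
+# update automatically using `bazel mod tidy`.
+go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
+go_deps.from_file(go_work = "//:go.work")
+use_repo(
+go_deps,
+"cat_dario_mergo",
+"com_github_aws_aws_sdk_go",
+"com_github_aws_aws_sdk_go_v2",
+"com_github_aws_aws_sdk_go_v2_config",
+"com_github_aws_aws_sdk_go_v2_credentials",
+"com_github_aws_aws_sdk_go_v2_feature_ec2_imds",
+"com_github_aws_aws_sdk_go_v2_feature_s3_manager",
+"com_github_aws_aws_sdk_go_v2_service_autoscaling",
+"com_github_aws_aws_sdk_go_v2_service_cloudfront",
+"com_github_aws_aws_sdk_go_v2_service_ec2",
+"com_github_aws_aws_sdk_go_v2_service_elasticloadbalancingv2",
+"com_github_aws_aws_sdk_go_v2_service_resourcegroupstaggingapi",
+"com_github_aws_aws_sdk_go_v2_service_s3",
+"com_github_aws_aws_sdk_go_v2_service_secretsmanager",
+"com_github_aws_smithy_go",
+"com_github_azure_azure_sdk_for_go",
+"com_github_azure_azure_sdk_for_go_sdk_azcore",
+"com_github_azure_azure_sdk_for_go_sdk_azidentity",
+"com_github_azure_azure_sdk_for_go_sdk_resourcemanager_compute_armcompute_v6",
+"com_github_azure_azure_sdk_for_go_sdk_resourcemanager_network_armnetwork_v6",
+"com_github_azure_azure_sdk_for_go_sdk_security_keyvault_azsecrets",
+"com_github_azure_azure_sdk_for_go_sdk_storage_azblob",
+"com_github_bazelbuild_buildtools",
+"com_github_burntsushi_toml",
+"com_github_coreos_go_systemd_v22",
+"com_github_docker_docker",
+"com_github_edgelesssys_go_azguestattestation",
+"com_github_edgelesssys_go_tdx_qpl",
+"com_github_foxboron_go_uefi",
+"com_github_fsnotify_fsnotify",
+"com_github_go_playground_locales",
+"com_github_go_playground_universal_translator",
+"com_github_go_playground_validator_v10",
+"com_github_golang_jwt_jwt_v5",
+"com_github_google_go_licenses",
+"com_github_google_go_sev_guest",
+"com_github_google_go_tdx_guest",
+"com_github_google_go_tpm",
+"com_github_google_go_tpm_tools",
+"com_github_google_keep_sorted",
+"com_github_google_uuid",
+"com_github_googleapis_gax_go_v2",
+"com_github_gophercloud_gophercloud_v2",
+"com_github_gophercloud_utils_v2",
+"com_github_grpc_ecosystem_go_grpc_middleware_v2",
+"com_github_hashicorp_go_kms_wrapping_v2",
+"com_github_hashicorp_go_kms_wrapping_wrappers_awskms_v2",
+"com_github_hashicorp_go_kms_wrapping_wrappers_azurekeyvault_v2",
+"com_github_hashicorp_go_kms_wrapping_wrappers_gcpckms_v2",
+"com_github_hashicorp_go_version",
+"com_github_hashicorp_hc_install",
+"com_github_hashicorp_hcl_v2",
+"com_github_hashicorp_terraform_exec",
+"com_github_hashicorp_terraform_json",
+"com_github_hashicorp_terraform_plugin_framework",
+"com_github_hashicorp_terraform_plugin_framework_validators",
+"com_github_hashicorp_terraform_plugin_go",
+"com_github_hashicorp_terraform_plugin_log",
+"com_github_hashicorp_terraform_plugin_testing",
+"com_github_hexops_gotextdiff",
+"com_github_katexochen_sh_v3",
+"com_github_martinjungblut_go_cryptsetup",
+"com_github_mattn_go_isatty",
+"com_github_mitchellh_go_homedir",
+"com_github_onsi_ginkgo_v2",
+"com_github_onsi_gomega",
+"com_github_pkg_errors",
+"com_github_regclient_regclient",
+"com_github_rogpeppe_go_internal",
+"com_github_samber_slog_multi",
+"com_github_schollz_progressbar_v3",
+"com_github_secure_systems_lab_go_securesystemslib",
+"com_github_siderolabs_talos_pkg_machinery",
+"com_github_sigstore_rekor",
+"com_github_sigstore_sigstore",
+"com_github_spf13_afero",
+"com_github_spf13_cobra",
+"com_github_spf13_pflag",
+"com_github_stretchr_testify",
+"com_github_tink_crypto_tink_go_v2",
+"com_github_vincent_petithory_dataurl",
+"com_google_cloud_go_compute",
+"com_google_cloud_go_compute_metadata",
+"com_google_cloud_go_kms",
+"com_google_cloud_go_secretmanager",
+"com_google_cloud_go_storage",
+"in_gopkg_yaml_v3",
+"io_etcd_go_etcd_api_v3",
+"io_etcd_go_etcd_client_pkg_v3",
+"io_etcd_go_etcd_client_v3",
+"io_k8s_api",
+"io_k8s_apiextensions_apiserver",
+"io_k8s_apimachinery",
+"io_k8s_apiserver",
+"io_k8s_client_go",
+"io_k8s_cluster_bootstrap",
+"io_k8s_kubelet",
+"io_k8s_kubernetes",
+"io_k8s_mount_utils",
+"io_k8s_sigs_controller_runtime",
+"io_k8s_sigs_yaml",
+"io_k8s_utils",
+"org_golang_google_api",
+"org_golang_google_grpc",
+"org_golang_google_protobuf",
+"org_golang_x_crypto",
+"org_golang_x_exp",
+"org_golang_x_mod",
+"org_golang_x_sys",
+"org_golang_x_text",
+"org_golang_x_tools",
+"org_golang_x_vuln",
+"org_libvirt_go_libvirt",
+"org_uber_go_goleak",
+"sh_helm_helm_v3",
+)
+go_deps_with_disabled_proto_generation = [
+"go.etcd.io/etcd/api/v3",
+"k8s.io/apiserver",
+"github.com/hashicorp/go-plugin",
+]
+[
+go_deps.gazelle_override(
+directives = [
+"gazelle:go_generate_proto false",
+],
+path = path,
+)
+for path in go_deps_with_disabled_proto_generation
+]
+go_deps.module_override(
+patches = [
+"//3rdparty/bazel/com_github_martinjungblut_go_cryptsetup:com_github_martinjungblut_go_cryptsetup.patch",
+],
+path = "github.com/martinjungblut/go-cryptsetup",
+)
+go_deps.module_override(
+patches = [
+"//3rdparty/bazel/org_libvirt_go_libvirt:go_libvirt.patch",
+],
+path = "libvirt.org/go/libvirt",
+)
+go_deps.module_override(
+patches = [
+"//3rdparty/bazel/com_github_cloudflare_circl:math_fp448_BUILD_bazel.patch",
+"//3rdparty/bazel/com_github_cloudflare_circl:math_fp25519_BUILD_bazel.patch",
+"//3rdparty/bazel/com_github_cloudflare_circl:dh_x448_BUILD_bazel.patch",
+"//3rdparty/bazel/com_github_cloudflare_circl:dh_x25519_BUILD_bazel.patch",
+],
+path = "github.com/cloudflare/circl",
+)
+go_deps.module_override(
+patches = [
+"//3rdparty/bazel/com_github_google_go_tpm_tools:com_github_google_go_tpm_tools.patch",
+"//3rdparty/bazel/com_github_google_go_tpm_tools:ms_tpm_20_ref.patch",
+"//3rdparty/bazel/com_github_google_go_tpm_tools:include.patch",
+],
+path = "github.com/google/go-tpm-tools",
+)
+# TODO(msanft):
+# Remove once https://github.com/cncf/xds/issues/104 is resolved
+go_deps.gazelle_override(
+build_file_generation = "on",
+path = "github.com/cncf/xds/go",
+)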
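Review bot: `go_sdk.download` applies `go_tls_max_handshake_size.patch` to the Go toolchain itself without a comment explaining the reason or that the patch must be re-validated whenever `version = "1.23.2"` changes; a patched `crypto/tls` is not something a reader should have to reverse-engineer from a file name. A comment above the call such as `# Patches crypto/tls to accept larger handshake messages; re-check the patch on every Go version bump.` would carry both the rationale and the maintenance obligation. The `module_override` blocks for go-cryptsetup, libvirt, circl and go-tpm-tools likewise say nothing about what each patch changes, and `ignore_root_user_error = True` silences a rules_python warning without noting that CI runs as root — each deserves a one-line comment. The cncf/xds override with its `TODO(msanft)` is the only override here that documents why it exists, and is the pattern the others should follow.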

3662
MODULE.bazel.lock generated Normal file

