fix path problems

.github/actions/build_ko/action.yml

@@ -8,6 +8,10 @@ inputs:
     description: "Name of the registry to use"
     required: false
     default: "ghcr.io"
+  pseudoVersion:
+    description: "Check if pseudo-version should be generated"
+    default: "false"
+    required: true
   koConfig:
     description: "Path to the .ko.yaml config file"
     required: false
@@ -23,6 +27,8 @@ inputs:
     required: true
   generateKoSBOM:
     description: "Generate unsigned ko SBOM"
+    required: false
+    default: "false"
 
 outputs:
   container_full:
@@ -41,6 +47,7 @@ runs:
   using: "composite"
   steps:
     - name: Determine pseudo version
+      if: ${{ inputs.pseudoVersion == 'true' }}
       id: pseudo-version
       uses: ./.github/actions/pseudo_version
 
@@ -59,6 +66,11 @@ runs:
         tags=""
         sbom=""
 
+        ls -lahR ${{ github.workspace}}
+        stat ${{ inputs.koTarget }}
+        echo PWD=$(pwd) # is erased?!
+        pwd
+
         if [ "${{ github.ref }}" == "${{ github.event.repository.default_branch }}" ]; then
           tags="latest"
         else:

.github/actions/build_micro_service_ko/action.yml

@@ -8,9 +8,9 @@ inputs:
     description: "Path to the .ko.yaml config file"
     default: ".ko.yaml"
     required: false
-  constellationPath:
+  pseudoVersion:
-    description: "Path to the root of the Constellation repo"
+    description: "Check if pseudo-version should be generated"
-    #default: "TEST_MICRO_SERVICE_"
+    default: "false"
     required: true
   koTarget:
     description: "Go package to build with ko"
@@ -40,7 +40,8 @@ runs:
   using: "composite"
   steps:
     - name: Determine pseudo version
-      id: pseudo-version
+      #if: ${{ inputs.pseudoVersion == 'true' }}
+      if: ${{ failure() }}
       uses: ./.github/actions/pseudo_version
       with:
         constellationPath: ${{ inputs.constellationPath }}
@@ -51,6 +52,7 @@ runs:
       with:
         name: ${{ inputs.name }}
         koConfig: ${{ inputs.koConfig }}
+        pseudoVersion: ${{ inputs.pseudoVersion }}
         koTarget: ${{ inputs.koTarget }}
         githubToken: ${{ inputs.GITHUB_TOKEN }}
         pushTag: ci-test

.github/actions/pseudo_version/action.yml

@@ -1,10 +1,5 @@
 name: Determine pseudo version
 description: "Determine go-like pseudo version to use as container image tag."
-inputs:
-  constellationPath:
-    description: "Path to Constellation repository root"
-    #default: "."
-    required: true
 
 outputs:
   pseudoVersion:
@@ -30,30 +25,24 @@ runs:
     - name: get pseudo version
       id: pseudo-version
       run: |
-        ln -s ${{ inputs.constellationPath }}/.git .git
         if $(git rev-parse --is-shallow-repository); then
           git fetch --prune --unshallow --tags -v
         else
           git fetch --tags -v
         fi
-        rm .git
-
-        pseudoVersionPath=${{ inputs.constellationPath }}/hack/pseudo-version
         homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)"
-
         export GOCACHE=${homedir}/.cache/go-build
         export GOPATH=${homedir}/go
         export GOMODCACHE=${homedir}/.cache/go-mod
-
+        pseudoVersion=$(go run .)
-        pseudoVersion=$(go run $pseudoVersionPath)
+        semanticVersion=$(go run . -semantic-version)
-        semanticVersion=$(go run $pseudoVersionPath -semantic-version)
+        timestamp=$(go run . -print-timestamp)
-        timestamp=$(go run $pseudoVersionPath -print-timestamp)
+        branchName=$(go run . -print-branch)
-        branchName=$(go run $pseudoVersionPath -print-branch)
+        releaseVersion=$(go run . -print-release-branch)
-        releaseVersion=$(go run $pseudoVersionPath -print-release-branch)
-
         echo "pseudoVersion=${pseudoVersion}" >> $GITHUB_OUTPUT
         echo "semanticVersion=${semanticVersion}" >> $GITHUB_OUTPUT
         echo "timestamp=${timestamp}" >> $GITHUB_OUTPUT
         echo "branchName=${branchName}" >> $GITHUB_OUTPUT
         echo "releaseVersion=${releaseVersion}" >> $GITHUB_OUTPUT
+      working-directory: hack/pseudo-version
       shell: bash

.github/actions/pseudo_version_ko/action.yaml

@@ -0,0 +1,58 @@
+name: Determine pseudo version
+description: "Determine go-like pseudo version to use as container image tag."
+inputs:
+  constellationPath:
+    description: "Path to Constellation repository root"
+    #default: "."
+    required: true
+
+outputs:
+  pseudoVersion:
+    description: "Pseudo version based on the current HEAD"
+    value: ${{ steps.pseudo-version.outputs.pseudoVersion }}
+  semanticVersion:
+    description: "Semantic version based on the current HEAD"
+    value: ${{ steps.pseudo-version.outputs.semanticVersion }}
+  releaseVersion:
+    description: "Release version based on branch name"
+    value: ${{ steps.pseudo-version.outputs.releaseVersion }}
+  timestamp:
+    description: "Commit timestamp based on the current HEAD"
+    value: ${{ steps.pseudo-version.outputs.timestamp }}
+  branchName:
+    description: "Branch name"
+    value: ${{ steps.pseudo-version.outputs.branchName }}
+
+# Linux runner only (homedir trick does not work on macOS, required for private runner)
+runs:
+  using: "composite"
+  steps:
+    - name: get pseudo version
+      id: pseudo-version
+      run: |
+        if $(git rev-parse --is-shallow-repository); then
+          git fetch --prune --unshallow --tags -v
+        else
+          git fetch --tags -v
+        fi
+
+        pseudoVersionPath=${{ inputs.constellationPath }}/hack/pseudo-version
+        homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)"
+
+        export GOCACHE=${homedir}/.cache/go-build
+        export GOPATH=${homedir}/go
+        export GOMODCACHE=${homedir}/.cache/go-mod
+
+        pseudoVersion=$(go run $pseudoVersionPath)
+        semanticVersion=$(go run $pseudoVersionPath -semantic-version)
+        timestamp=$(go run $pseudoVersionPath -print-timestamp)
+        branchName=$(go run $pseudoVersionPath -print-branch)
+        releaseVersion=$(go run $pseudoVersionPath -print-release-branch)
+
+        echo "pseudoVersion=${pseudoVersion}" >> $GITHUB_OUTPUT
+        echo "semanticVersion=${semanticVersion}" >> $GITHUB_OUTPUT
+        echo "timestamp=${timestamp}" >> $GITHUB_OUTPUT
+        echo "branchName=${branchName}" >> $GITHUB_OUTPUT
+        echo "releaseVersion=${releaseVersion}" >> $GITHUB_OUTPUT
+      shell: bash
+      working-directory: ./hack/pseudo-version

.github/workflows/build-gcp-guest-agent-ko-redo.yml

@@ -0,0 +1,66 @@
+name: Build and Upload GCP guest-agent container (KO)
+env:
+  REGISTRY: ghcr.io
+  KO_DATA_PATH: /etc/default/
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - "release/**"
+      - "feat/reproducible-builds-ko"
+
+jobs:
+  build-gcp-guest-agent:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        version: ["20220927.00"]
+        include:
+          - version: "20220927.00"
+            latest: true
+    steps:
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+        with:
+          ref: ${{ github.head_ref }}
+
+      - name: Determine pseudo-version
+        id: pseudo-version
+        uses: ./.github/actions/pseudo_version
+
+      - name: Remove constellation
+        run: |
+          cp ./3rdparty/gcp-guest-agent/instance_configs.cfg /tmp/instance_configs.cfg
+          cp -r .github/ -r ../
+          cp .ko.yaml ../.ko.yaml
+          rm -rf constellation
+
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+        with:
+          repository: "GoogleCloudPlatform/guest-agent"
+          ref: refs/tags/${{ matrix.version }}
+
+      - name: Prepare hardcoded configuration file
+        id: prepare-config
+        run: |
+          mkdir -p koData
+          cp /tmp/instance_configs.cfg koData/
+          cp -r ../.github/ .github/
+          cp ../.ko.yaml .ko.yaml
+
+      - name: Build and upload gcp guest service container image
+        id: build-and-upload
+        # assumes that we are currently in the root of the repo
+        uses: ./.github/actions/build_micro_service_ko
+        with:
+          name: gcp-guest-agent
+          koTarget: ./google_guest_agent
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          pseudoVersion: "false"
+          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

.github/workflows/build-gcp-guest-agent-ko.yml

@@ -9,7 +9,6 @@ on:
     branches:
       - main
       - "release/**"
-      - "feat/reproducible-builds-ko"
 
 jobs:
   build-gcp-guest-agent:

.github/workflows/build-qemu-metada-api-ko.yaml

@@ -0,0 +1,38 @@
+name: Build and upload qemu-metadata-api image (KO)
+env:
+  REGISTRY: ghcr.io
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build-join-service-ko:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image: ${{ steps.build-and-upload.outputs.image }}
+      digest: ${{ steps.build-and-upload.outputs.digest }}
+    steps:
+      - name: Check out repository
+        id: checkout
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+        with:
+          ref: ${{ github.head_ref }}
+
+      - name: Setup Go environment
+        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
+        with:
+          go-version: "1.19.3"
+
+      - name: Build and upload join service container image
+        id: build-and-upload
+        uses: ./.github/actions/build_micro_service_ko
+        with:
+          name: joinservice
+          koTarget: ./joinservice/cmd
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

.ko.yaml

@@ -1,7 +1,8 @@
 defaltBaseImage: distroless.dev/static:latest@sha256:d624beaae60b10ec342896b1470421eb473549cb3ac3bf1c6ec074d8b460b4fc
 
 baseImageOverrides:
-  github.com/edgelesssys/constellation/v2/operators/constellation-node-operator ghcr.io/edgelesssys/alpine-base-user-65532
+  github.com/edgelesssys/constellation/operators/constellation-node-operator/v2: ghcr.io/edgelesssys/apko-alpine-base-user-65532
+  github.com/edgelesssys/constellation/v2/hack/qemu-metadata-api: ghcr.io/edgelesssys/apko-alpine-qemu-metadata-api
 
 builds:
 - id: kms
@@ -61,3 +62,17 @@ builds:
   - -s -w -buildid=''
   - -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}
   - -extldflags "-static"
+
+- id: qemu-metadata-api
+  dir: .
+  main: ./hack/qemu-metadata-api/
+  env:
+  - CGO_ENABLED=0
+  - GOOS=linux
+  - GOARCH=amd64
+  flags:
+  - -trimpath
+  - -buildvcs=false
+  - -a
+  ldflags:
+  - -s -w -buildid=''