bazel: update kernel to 6.6.87 (#3771)

* deps: update golangci/golangci-lint to v2.1.2

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>

.bazelignore

@@ -0,0 +1,2 @@
+.direnv
+build

.bazelrc

@@ -1,5 +1,5 @@
 # Import bazelrc presets
-import %workspace%/bazel/bazelrc/bazel6.bazelrc
+import %workspace%/bazel/bazelrc/bazel7.bazelrc
 import %workspace%/bazel/bazelrc/convenience.bazelrc
 import %workspace%/bazel/bazelrc/correctness.bazelrc
 import %workspace%/bazel/bazelrc/debug.bazelrc
@@ -32,7 +32,7 @@ test --test_tag_filters=-integration
 # enable all tests (including integration)
 test:integration --test_tag_filters= --@io_bazel_rules_go//go/config:tags=integration
 # enable only integration tests
-test:integration-only --test_tag_filters=+integration --@io_bazel_rules_go//go/config:tags=integration
+test:integration-only --test_tag_filters=+integration --@io_bazel_rules_go//go/config:tags=integration,enterprise
 
 # bazel configs to explicitly target a platform
 common:host --platforms @local_config_platform//:host
@@ -48,15 +48,6 @@ common --crosstool_top=@local_config_cc//:toolchain
 # bazel config to explicitly disable stamping (hide version information at build time)
 common:nostamp --nostamp --workspace_status_command=
 
-# bazel config to use (buildbuddy) remote cache
-common:remote_cache --bes_results_url=https://app.buildbuddy.io/invocation/
-common:remote_cache --bes_backend=grpcs://remote.buildbuddy.io
-common:remote_cache --remote_cache=grpcs://remote.buildbuddy.io
-common:remote_cache --remote_timeout=3600
-common:remote_cache --experimental_remote_build_event_upload=minimal
-common:remote_cache --nolegacy_important_outputs
-common:remote_cache_readonly --noremote_upload_local_results # Uploads logs & artifacts without writing to cache
-
 common:build_barn_rbe_ubuntu_22_04 --remote_timeout=3600
 common:build_barn_rbe_ubuntu_22_04 --remote_executor=grpc://frontend.buildbarn:8980 # this maps to the kubernetes internal buildbarn/frontend service
 common:build_barn_rbe_ubuntu_22_04 --extra_execution_platforms=//bazel/rbe:ubuntu-act-22-04-platform

.bazelversion

@@ -1 +1 @@
-6.4.0
+7.6.0

.envrc

@@ -0,0 +1 @@
+use flake

.github/actions/artifact_delete/action.yml

@@ -0,0 +1,17 @@
+name: Delete artifact
+description: Delete an artifact by name
+
+inputs:
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  workflowID:
+    description: 'The ID of the workflow.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Delete artifact
+      shell: bash
+      run: ./.github/actions/artifact_delete/delete_artifact.sh ${{ inputs.workflowID }} ${{ inputs.name }}

.github/actions/artifact_delete/delete_artifact.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# get_artifact_id retrieves the artifact id of
+# an artifact that was generated by a workflow.
+# $1 should be the workflow run id. $2 should be the artifact name.
+function get_artifact_id {
+  artifact_id="$(gh api \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    --paginate \
+    "/repos/edgelesssys/constellation/actions/runs/$1/artifacts" --jq ".artifacts |= map(select(.name==\"$2\")) | .artifacts[0].id" || exit 1)"
+  echo "$artifact_id" | tr -d "\n"
+}
+
+# delete_artifact_by_id deletes an artifact by its artifact id.
+# $1 should be the id of the artifact.
+function delete_artifact_by_id {
+  gh api \
+    --method DELETE \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/edgelesssys/constellation/actions/artifacts/$1" || exit 1
+}
+
+workflow_id="$1"
+artifact_name="$2"
+
+if [[ -z $workflow_id ]] || [[ -z $artifact_name ]]; then
+  echo "Usage: delete_artifact.sh <WORKFLOW_ID> <ARTIFACT_NAME>"
+  exit 1
+fi
+
+echo "[*] retrieving artifact ID"
+artifact_id="$(get_artifact_id "$workflow_id" "$artifact_name")"
+
+echo "[*] deleting artifact with ID $artifact_id"
+delete_artifact_by_id "$artifact_id"

.github/actions/artifact_download/action.yml

@@ -0,0 +1,40 @@
+name: Download artifact
+description: Download and decrypt an artifact.
+
+inputs:
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  path:
+    description: 'Download to a specified path.'
+    required: false
+    default: ./
+  encryptionSecret:
+    description: 'The secret to use for decrypting the artifact.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install 7zip
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          _7zz
+
+    - name: Create temporary directory
+      id: tempdir
+      shell: bash
+      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
+
+    - name: Download the artifact
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ steps.tempdir.outputs.directory }}
+
+    - name: Decrypt and unzip archive
+      shell: bash
+      run: |
+        mkdir -p ${{ inputs.path }}
+        7zz x -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z

.github/actions/artifact_upload/action.yml

@@ -0,0 +1,78 @@
+name: Upload artifact
+description: Upload an encrypted zip archive as a github artifact.
+
+inputs:
+  path:
+    description: 'The path(s) that should be uploaded. Paths may contain globs. Only the final component of a path is uploaded.'
+    required: true
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  retention-days:
+    description: 'How long the artifact should be retained for.'
+    default: 60
+  encryptionSecret:
+    description: 'The secret to use for encrypting the files.'
+    required: true
+  overwrite:
+    description: 'Overwrite an artifact with the same name.'
+    default: false
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install 7zip
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          _7zz
+
+    - name: Create temporary directory
+      id: tempdir
+      shell: bash
+      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
+
+    - name: Create archive
+      shell: bash
+      run: |
+        set -euo pipefail
+        shopt -s extglob
+        paths="${{ inputs.path }}"
+        paths=${paths%$'\n'} # Remove trailing newline
+        # Check if any file matches the given pattern(s).
+        something_exists=false
+        for pattern in ${paths}
+        do
+          if compgen -G "${pattern}" > /dev/null; then
+            something_exists=true
+          fi
+        done
+
+        # Create an archive if files exist.
+        # Don't create an archive file if no files are found
+        # and warn.
+        if ! ${something_exists}
+        then
+          echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
+          exit 0
+        fi
+
+        for target in ${paths}
+        do
+          if compgen -G "${target}" > /dev/null
+          then
+            pushd "$(dirname "${target}")"
+            7zz a -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
+            popd
+          fi
+        done
+
+    - name: Upload archive as artifact
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ steps.tempdir.outputs.directory }}/archive.7z
+        retention-days: ${{ inputs.retention-days }}
+        if-no-files-found: ignore
+        overwrite: ${{ inputs.overwrite }}

.github/actions/build_cli/action.yml

@@ -79,7 +79,7 @@ runs:
     # once it has the functionality
     - name: Install Cosign
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
     - name: Install Rekor
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
@@ -104,7 +104,7 @@ runs:
       run: |
         echo "$COSIGN_PUBLIC_KEY" > cosign.pub
         # Enabling experimental mode also publishes signature to Rekor
-        COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig"
+        COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig"
         # Verify - As documentation & check
         # Local Signature (input: artifact, key, signature)
         cosign verify-blob --key cosign.pub --signature "${OUTPUT_PATH}.sig" "${OUTPUT_PATH}"

.github/actions/build_micro_service/action.yml

@@ -42,7 +42,7 @@ runs:
 
     - name: Docker metadata
       id: meta
-      uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
       with:
         images: |
           ghcr.io/${{ github.repository }}/${{ inputs.name }}
@@ -62,7 +62,7 @@ runs:
 
     - name: Build and push container image
       id: build-micro-service
-      uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
       with:
         context: .
         file: ${{ inputs.dockerfile }}

.github/actions/cdbg_deploy/action.yml

@@ -14,6 +14,9 @@ inputs:
   cloudProvider:
     description: "The cloud provider to use."
     required: true
+  attestationVariant:
+    description: "Attestation variant of the cluster."
+    required: false
   kubernetesVersion:
     description: "Kubernetes version to create the cluster from."
     required: true
@@ -21,7 +24,7 @@ inputs:
     description: "The refStream of the image the test runs on."
     required: true
   clusterCreation:
-    description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
+    description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
     default: "cli"
 
 runs:
@@ -37,8 +40,15 @@ runs:
       if: inputs.cloudProvider == 'azure'
       shell: bash
       run: |
-        UAMI=$(yq eval ".provider.azure.userAssignedIdentity | upcase" constellation-conf.yaml)
-        PRINCIPAL_ID=$(az identity list | yq ".[] | select(.id | test(\"(?i)$UAMI\"; \"g\")) | .principalId")
+        UAMI=$(yq eval ".provider.azure.userAssignedIdentity" constellation-conf.yaml)
+        PRINCIPAL_ID=$(az identity show --ids "$UAMI" | yq ".principalId")
+        if [ -z "$PRINCIPAL_ID" ]; then
+          echo "::error::PRINCIPAL_ID for \"$UAMI\" not found"
+          echo "::group::Available identities"
+          az identity list | yq ".[].id"
+          echo "::endgroup::"
+          exit 1
+        fi
         az role assignment create --role "Key Vault Secrets User" \
           --assignee "$PRINCIPAL_ID" \
           --scope /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/e2e-test-creds/providers/Microsoft.KeyVault/vaults/opensearch-creds
@@ -51,7 +61,7 @@ runs:
 
     - name: Login to AWS (IAM service principal)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1
@@ -70,7 +80,7 @@ runs:
 
     - name: Login to AWS (Cluster service principal)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1
@@ -81,6 +91,11 @@ runs:
       shell: bash
       run: |
         echo "::group::cdbg deploy"
+        on_error() {
+          echo "::error::cdbg deploy failed"
+        }
+        trap on_error ERR
+        
         chmod +x $GITHUB_WORKSPACE/build/cdbg
         cdbg deploy \
           --bootstrapper "${{ github.workspace }}/build/bootstrapper" \
@@ -98,6 +113,7 @@ runs:
           --info logcollect.github.ref-stream="${{ inputs.refStream }}" \
           --info logcollect.github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
           --info logcollect.github.cluster-creation="${{ inputs.clusterCreation }}" \
+          --info logcollect.github.attestation-variant="${{ inputs.attestationVariant }}" \
           --info logcollect.deployment-type="debugd" \
           --verbosity=-1 \
           --force

.github/actions/check_measurements_reproducibility/action.yml

@@ -0,0 +1,64 @@
+name: Check measurements reproducibility
+description: Check if the measurements of a given release are reproducible.
+
+inputs:
+  version:
+    type: string
+    description: The version of the measurements that are downloaded from the CDN.
+    required: true
+  ref:
+    type: string
+    description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ inputs.ref }}
+        path: ./release
+
+    - name: Set up bazel
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        useCache: "false"
+        nixTools: |
+          systemdUkify
+          jq
+          jd-diff-patch
+          moreutils
+
+    - name: Allow unrestricted user namespaces
+      shell: bash
+      run: |
+        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+
+    - name: Build images
+      id: build-images
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Build required binaries
+        pushd release
+        bazel build //image/system:stable
+        echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
+        popd
+
+    - name: Download measurements
+      shell: bash
+      run: |
+        curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json
+
+    - name: Cleanup release measurements and generate our own
+      shell: bash
+      run: |
+        ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
+
+    - name: Compare measurements
+      shell: bash
+      run: |
+        ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}"

.github/actions/check_measurements_reproducibility/compare_measurements.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# no -e since we need to collect errors later
+# no -u since it interferes with checking associative arrays
+set -o pipefail
+shopt -s extglob
+
+declare -A errors
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  echo "Their measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_their-measurements.json
+  echo "Own measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_own-measurements.json
+
+  diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)"
+  if [[ -n $diff ]]; then
+    errors["$attestationVariant"]="$diff"
+  fi
+done
+
+for attestationVariant in "${!errors[@]}"; do
+  echo "Failed to reproduce measurements for $attestationVariant:"
+  echo "${errors["$attestationVariant"]}" | ts "  "
+done
+
+if [[ ${#errors[@]} -ne 0 ]]; then
+  exit 1
+fi

.github/actions/check_measurements_reproducibility/create_measurements.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+shopt -s extglob
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  csp="$(echo "$dirname" | cut -d_ -f1)"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  # This jq filter selects the measurements for the correct CSP and attestation variant
+  # and then removes all `warnOnly: true` measurements.
+  jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
+    '
+      .list.[]
+      | select(
+        .attestationVariant == $attestation_variant
+        and (.csp | ascii_downcase) == $csp
+      )
+      | .measurements
+      | to_entries
+      | map(select(.value.warnOnly | not))
+      | from_entries
+      | del(.[] .warnOnly)
+  ' \
+    measurements.json > "$attestationVariant"_their-measurements.json
+
+  bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json
+done

.github/actions/constellation_create/action.yml

@@ -11,6 +11,9 @@ inputs:
   cloudProvider:
     description: "Either 'gcp', 'aws' or 'azure'."
     required: true
+  attestationVariant:
+    description: "Attestation variant to use."
+    required: true
   machineType:
     description: "Machine type of VM to spawn."
     required: false
@@ -51,7 +54,7 @@ inputs:
     description: "Whether to use an internal load balancer for the control plane"
     required: false
   clusterCreation:
-    description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
+    description: "How to create infrastructure for the e2e test. One of [cli, terraform]."
     default: "cli"
   marketplaceImageVersion:
     description: "Marketplace OS image version. Used instead of osImage."
@@ -59,6 +62,9 @@ inputs:
   force:
     description: "Set the force-flag on apply to ignore version mismatches."
     required: false
+  encryptionSecret:
+    description: "The secret to use for encrypting the artifact."
+    required: true
 
 outputs:
   kubeconfig:
@@ -80,7 +86,7 @@ runs:
       if: inputs.azureSNPEnforcementPolicy != ''
       shell: bash
       run: |
-        if [[ ${{ inputs.cloudProvider }} != 'azure' ]]; then
+        if [[ ${{ inputs.attestationVariant }} != 'azure-sev-snp' ]]; then
           echo "SNP enforcement policy is only supported for Azure"
           exit 1
         fi
@@ -103,6 +109,13 @@ runs:
         yq eval -i "(.image) = \"${imageInput}\"" constellation-conf.yaml
         echo "image=${imageInput}" | tee -a "$GITHUB_OUTPUT"
 
+    - name: Set marketplace image flag (AWS)
+      if: inputs.marketplaceImageVersion != '' && inputs.cloudProvider == 'aws'
+      shell: bash
+      run: |
+        yq eval -i "(.provider.aws.useMarketplaceImage) = true" constellation-conf.yaml
+        yq eval -i "(.image) = \"${{ inputs.marketplaceImageVersion }}\"" constellation-conf.yaml
+
     - name: Set marketplace image flag (Azure)
       if: inputs.marketplaceImageVersion != '' && inputs.cloudProvider == 'azure'
       shell: bash
@@ -110,6 +123,13 @@ runs:
         yq eval -i "(.provider.azure.useMarketplaceImage) = true" constellation-conf.yaml
         yq eval -i "(.image) = \"${{ inputs.marketplaceImageVersion }}\"" constellation-conf.yaml
 
+    - name: Set marketplace image flag (GCP)
+      if: inputs.marketplaceImageVersion != '' && inputs.cloudProvider == 'gcp'
+      shell: bash
+      run: |
+        yq eval -i "(.provider.gcp.useMarketplaceImage) = true" constellation-conf.yaml
+        yq eval -i "(.image) = \"${{ inputs.marketplaceImageVersion }}\"" constellation-conf.yaml
+
     - name: Update measurements for non-stable images
       if: inputs.fetchMeasurements
       shell: bash
@@ -148,27 +168,16 @@ runs:
         sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true
 
     - name: Constellation create (CLI)
-      if : inputs.clusterCreation != 'self-managed'
       shell: bash
       run: |
-        # TODO(v2.14): Remove workaround for CLIs not supporting apply command
-        cmd='apply --skip-phases=init,attestationconfig,certsans,helm,image,k8s'
-        if constellation --help | grep -q create; then
-          cmd=create
-        fi
-        constellation $cmd -y --debug --tf-log=DEBUG
-
-    - name: Constellation create (self-managed)
-      if : inputs.clusterCreation == 'self-managed'
-      uses: ./.github/actions/self_managed_create
-      with:
-        cloudProvider: ${{ inputs.cloudProvider }}
+        constellation apply --skip-phases=init,attestationconfig,certsans,helm,image,k8s -y --debug --tf-log=DEBUG
 
     - name: Cdbg deploy
       if: inputs.isDebugImage == 'true'
       uses: ./.github/actions/cdbg_deploy
       with:
         cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         test: ${{ inputs.test }}
         azureClusterCreateCredentials: ${{ inputs.azureClusterCreateCredentials }}
         azureIAMCreateCredentials: ${{ inputs.azureIAMCreateCredentials }}
@@ -183,6 +192,13 @@ runs:
       run: |
         echo "flag=--force" | tee -a $GITHUB_OUTPUT
 
+    - name: Set conformance flag
+      id: set-conformance-flag
+      if: inputs.test == 'sonobuoy conformance'
+      shell: bash
+      run: |
+        echo "flag=--conformance" | tee -a $GITHUB_OUTPUT
+
     - name: Constellation apply (Terraform)
       id: constellation-apply-terraform
       if: inputs.clusterCreation == 'terraform'
@@ -195,7 +211,7 @@ runs:
       if: inputs.clusterCreation != 'terraform'
       shell: bash
       run: |
-        constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }}
+        constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }} ${{ steps.set-conformance-flag.outputs.flag }}
 
     - name: Get kubeconfig
       id: get-kubeconfig
@@ -208,29 +224,9 @@ runs:
       env:
         KUBECONFIG: "${{ steps.get-kubeconfig.outputs.KUBECONFIG }}"
         JOINTIMEOUT: "1200" # 20 minutes timeout for all nodes to join
-      run: |
-        echo "::group::Wait for nodes"
-        NODES_COUNT=$((${{ inputs.controlNodesCount }} + ${{ inputs.workerNodesCount }}))
-        JOINWAIT=0
-        until [[ "$(kubectl get nodes -o json | jq '.items | length')" == "${NODES_COUNT}" ]] || [[ $JOINWAIT -gt $JOINTIMEOUT ]];
-        do
-            echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined.. waiting.."
-            JOINWAIT=$((JOINWAIT+30))
-            sleep 30
-        done
-        if [[ $JOINWAIT -gt $JOINTIMEOUT ]]; then
-            echo "Timed out waiting for nodes to join"
-            exit 1
-        fi
-        echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined"
-        if ! kubectl wait --for=condition=ready --all nodes --timeout=20m; then
-          kubectl get pods -n kube-system
-          kubectl get events -n kube-system
-          echo "::error::kubectl wait timed out before all nodes became ready"
-          echo "::endgroup::"
-          exit 1
-        fi
-        echo "::endgroup::"
+        CONTROL_NODES_COUNT: "${{ inputs.controlNodesCount }}"
+        WORKER_NODES_COUNT: "${{ inputs.workerNodesCount }}"
+      run: ./.github/actions/constellation_create/wait-for-nodes.sh
 
     - name: Download boot logs
       if: always()
@@ -259,9 +255,32 @@ runs:
     - name: Upload boot logs
       if: always() && !env.ACT
       continue-on-error: true
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
-        name: serial-logs-${{ inputs.artifactNameSuffix }}
+        name: debug-logs-${{ inputs.artifactNameSuffix }}
         path: |
           *.log
-          !terraform.log
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+
+    - name: Prepare terraform state folders
+      if: always()
+      shell: bash
+      run: |
+        mkdir to-zip
+        cp -r constellation-terraform to-zip
+        # constellation-iam-terraform is optional
+        if [ -d constellation-iam-terraform ]; then
+          cp -r constellation-iam-terraform to-zip
+        fi
+        rm -f to-zip/constellation-terraform/plan.zip
+        rm -rf to-zip/*/.terraform
+
+    - name: Upload terraform state
+      if: always()
+      uses: ./.github/actions/artifact_upload
+      with:
+        name: terraform-state-${{ inputs.artifactNameSuffix }}
+        path: >
+          to-zip/constellation-terraform
+          to-zip/constellation-iam-terraform
+        encryptionSecret: ${{ inputs.encryptionSecret }}

.github/actions/constellation_create/aws-logs.sh

@@ -25,20 +25,20 @@ workerInstances=$(
     yq eval '.Reservations[].Instances[].InstanceId' -
 )
 
-echo "Fetching logs from control planes"
+for flag in "" "--latest"; do
+  echo "Fetching ${flag} logs from control planes"
+  for instance in ${controlInstances}; do
+    printf "Fetching for %s\n" "${instance}"
+    aws ec2 get-console-output "${flag}" --region "${1}" --instance-id "${instance}" |
+      jq -r .'Output' |
+      tail -n +2 > "control-plane-${instance}${flag}.log"
+  done
 
-for instance in ${controlInstances}; do
-  printf "Fetching for %s\n" "${instance}"
-  aws ec2 get-console-output --region "${1}" --instance-id "${instance}" |
-    jq -r .'Output' |
-    tail -n +2 > control-plane-"${instance}".log
-done
-
-echo "Fetching logs from worker nodes"
-
-for instance in ${workerInstances}; do
-  printf "Fetching for %s\n" "${instance}"
-  aws ec2 get-console-output --region "${1}" --instance-id "${instance}" |
-    jq -r .'Output' |
-    tail -n +2 > worker-"${instance}".log
+  echo "Fetching ${flag} logs from worker nodes"
+  for instance in ${workerInstances}; do
+    printf "Fetching for %s\n" "${instance}"
+    aws ec2 get-console-output "${flag}" --region "${1}" --instance-id "${instance}" |
+      jq -r .'Output' |
+      tail -n +2 > "worker-${instance}${flag}.log"
+  done
 done

.github/actions/constellation_create/wait-for-nodes.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# We don't want to abort the script if there's a transient error in kubectl.
+set +e
+set -uo pipefail
+
+NODES_COUNT=$((CONTROL_NODES_COUNT + WORKER_NODES_COUNT))
+JOINWAIT=0
+
+# Reports how many nodes are registered and fulfill condition=ready.
+num_nodes_ready() {
+  kubectl get nodes -o json |
+    jq '.items | map(select(.status.conditions[] | .type == "Ready" and .status == "True")) | length'
+}
+
+# Reports how many API server pods are ready.
+num_apiservers_ready() {
+  kubectl get pods -n kube-system -l component=kube-apiserver -o json |
+    jq '.items | map(select(.status.conditions[] | .type == "Ready" and .status == "True")) | length'
+}
+
+# Prints node joining progress.
+report_join_progress() {
+  echo -n "nodes_joined=$(kubectl get nodes -o json | jq '.items | length')/${NODES_COUNT} "
+  echo -n "nodes_ready=$(num_nodes_ready)/${NODES_COUNT} "
+  echo "api_servers_ready=$(num_apiservers_ready)/${CONTROL_NODES_COUNT} ..."
+}
+
+# Indicates by exit code whether the cluster is ready, i.e. all nodes and API servers are ready.
+cluster_ready() {
+  [[ "$(num_nodes_ready)" == "${NODES_COUNT}" && "$(num_apiservers_ready)" == "${CONTROL_NODES_COUNT}" ]]
+}
+
+echo "::group::Wait for nodes"
+until cluster_ready || [[ ${JOINWAIT} -gt ${JOINTIMEOUT} ]]; do
+  report_join_progress
+  JOINWAIT=$((JOINWAIT + 30))
+  sleep 30
+done
+report_join_progress
+if [[ ${JOINWAIT} -gt ${JOINTIMEOUT} ]]; then
+  set -x
+  kubectl get nodes -o wide
+  kubectl get pods -n kube-system -o wide
+  kubectl get events -n kube-system
+  set +x
+  echo "::error::timeout reached before all nodes became ready"
+  echo "::endgroup::"
+  exit 1
+fi
+echo "::endgroup::"

.github/actions/constellation_destroy/action.yml

@@ -6,7 +6,7 @@ inputs:
     description: "The kubeconfig for the cluster."
     required: true
   clusterCreation:
-    description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
+    description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
     default: "cli"
   gcpClusterDeleteServiceAccount:
     description: "Service account with permissions to delete a Constellation cluster on GCP."
@@ -24,6 +24,7 @@ runs:
     - name: Delete persistent volumes
       if: inputs.kubeconfig != ''
       shell: bash
+      continue-on-error: true
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
         PV_DELETION_TIMEOUT: "120" # 2 minutes timeout for pv deletion
@@ -34,6 +35,14 @@ runs:
         # Scrap namespaces that contain PVCs
         for namespace in `kubectl get namespace --no-headers=true -o custom-columns=":metadata.name"`; do
           if [[ `kubectl get pvc -n $namespace --no-headers=true -o custom-columns=":metadata.name" | wc -l` -gt 0 ]]; then
+            if [[ "${namespace}" == "default" ]]; then
+              kubectl delete all --all --namespace "default" --wait
+              continue
+            fi
+            if [[ "${namespace}" == "kube-system" ]]; then
+              kubectl delete pvc --all --namespace "kube-system" --wait
+              continue
+            fi
             kubectl delete namespace $namespace --wait
           fi
         done
@@ -58,7 +67,7 @@ runs:
 
     - name: Login to AWS (Cluster role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1
@@ -72,18 +81,6 @@ runs:
         azure_credentials: ${{ inputs.azureClusterDeleteCredentials }}
 
     - name: Constellation terminate
-      if: inputs.clusterCreation != 'self-managed'
       shell: bash
       run: |
         constellation terminate --yes --tf-log=DEBUG
-
-    - name: Constellation terminate (self-managed)
-      if: inputs.clusterCreation == 'self-managed'
-      shell: bash
-      working-directory: ${{ github.workspace }}/e2e-infra
-      run: |
-        terraform init
-        terraform destroy -auto-approve
-
-        rm -f ${{ github.workspace }}/constellation-state.yaml
-        rm -f ${{ github.workspace }}/constellation-admin.conf

.github/actions/constellation_iam_create/action.yml

@@ -5,12 +5,19 @@ inputs:
   cloudProvider:
     description: "Either 'aws', 'azure' or 'gcp'."
     required: true
+  attestationVariant:
+    description: "The attestation variant to use."
+    required: true
   kubernetesVersion:
     description: "Kubernetes version to create the cluster from."
     required: false
   namePrefix:
     description: "Name prefix to use for resources."
     required: true
+  additionalTags:
+    description: "Additional resource tags that will be written into the constellation configuration."
+    default: ""
+    required: false
   #
   # AWS specific inputs
   #
@@ -20,6 +27,9 @@ inputs:
   #
   # Azure specific inputs
   #
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureRegion:
     description: "Azure region to deploy Constellation in."
     required: false
@@ -32,6 +42,15 @@ inputs:
   gcpZone:
     description: "The GCP zone to deploy Constellation in."
     required: false
+  #
+  # STACKIT specific inputs
+  #
+  stackitZone:
+    description: "The STACKIT zone to deploy Constellation in."
+    required: false
+  stackitProjectID:
+    description: "The STACKIT project ID to deploy Constellation in."
+    required: false
 
 runs:
   using: "composite"
@@ -45,8 +64,14 @@ runs:
           kubernetesFlag="--kubernetes=${{ inputs.kubernetesVersion }}"
         fi
 
+        # TODO(v2.17): Remove this fallback and always use --tags flag
+        tagsFlag=""
+        if constellation config generate --help | grep -q -- --tags; then
+          tagsFlag="--tags=\"${{ inputs.additionalTags }}\""
+        fi
+
         echo "flag=--update-config" | tee -a "$GITHUB_OUTPUT"
-        constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag}
+        constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag} --attestation ${{ inputs.attestationVariant }} ${tagsFlag}
 
     - name: Constellation iam create aws
       shell: bash
@@ -63,14 +88,21 @@ runs:
       shell: bash
       if: inputs.cloudProvider == 'azure'
       run: |
+        extraFlags=""
+
+        if [[ $(constellation iam create azure --help | grep -c -- --subscriptionID) -ne 0 ]]; then
+          extraFlags="--subscriptionID=${{ inputs.azureSubscriptionID }}"
+        fi
+
         constellation iam create azure \
           --region="${{ inputs.azureRegion }}" \
           --resourceGroup="${{ inputs.namePrefix }}-rg" \
           --servicePrincipal="${{ inputs.namePrefix }}-sp" \
           --update-config \
           --tf-log=DEBUG \
-          --yes
+          --yes ${extraFlags}
 
+    # TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix
     - name: Constellation iam create gcp
       shell: bash
       if: inputs.cloudProvider == 'gcp'
@@ -82,3 +114,13 @@ runs:
           --update-config \
           --tf-log=DEBUG \
           --yes
+
+    - name: Set STACKIT-specific configuration
+      shell: bash
+      if: inputs.cloudProvider == 'stackit'
+      env:
+        STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }}
+      run: |
+        yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml
+        yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
+        yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml

.github/actions/constellation_iam_destroy/action.yml

@@ -23,7 +23,7 @@ runs:
 
     - name: Login to AWS (IAM role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1

.github/actions/container_registry_login/action.yml

@@ -17,7 +17,7 @@ runs:
   steps:
     - name: Use docker for logging in
       if: runner.os != 'macOS'
-      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
       with:
         registry: ${{ inputs.registry }}
         username: ${{ inputs.username }}

.github/actions/container_sbom/action.yml

@@ -19,7 +19,7 @@ runs:
   steps:
     - name: Install Cosign
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
     - name: Download Syft & Grype
       uses: ./.github/actions/install_syft_grype

.github/actions/deploy_logcollection/action.yml

@@ -20,6 +20,9 @@ inputs:
   provider:
     description: "The CSP of the cluster."
     required: true
+  attestationVariant:
+    description: "Attestation variant of the cluster."
+    required: false
   isDebugImage:
     description: "Whether the cluster is a debug cluster / uses a debug image."
     required: true
@@ -30,7 +33,7 @@ inputs:
     description: "Kubernetes version of the cluster"
     required: false
   clusterCreation:
-    description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
+    description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
     default: "cli"
 
 runs:
@@ -58,14 +61,15 @@ runs:
          --fields github.ref-stream="${{ inputs.refStream }}" \
          --fields github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
          --fields github.cluster-creation="${{ inputs.clusterCreation }}" \
+         --fields github.attestation-variant="${{ inputs.attestationVariant }}" \
          --fields deployment-type="k8s"
 
     # Make sure that helm is installed
     # This is not always the case, e.g. on MacOS runners
     - name: Install Helm
-      uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+      uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
       with:
-        version: latest
+        version: v3.9.0
 
     - name: Deploy Logstash
       id: deploy-logstash
@@ -90,17 +94,3 @@ runs:
         helm repo update
         helm install filebeat elastic/filebeat \
           --wait --timeout=1200s --values values.yml
-
-    - name: Deploy Metricbeat
-      id: deploy-metricbeat
-      shell: bash
-      working-directory: ./metricbeat
-      env:
-        KUBECONFIG: ${{ inputs.kubeconfig }}
-      run: |
-        helm repo add elastic https://helm.elastic.co
-        helm repo update
-        helm install metricbeat-k8s elastic/metricbeat \
-          --wait --timeout=1200s --values values-control-plane.yml
-        helm install metricbeat-system elastic/metricbeat \
-          --wait --timeout=1200s --values values-all-nodes.yml

.github/actions/download_release_binaries/action.yml

@@ -5,51 +5,51 @@ runs:
   using: "composite"
   steps:
     - name: Download CLI binaries darwin-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-darwin-amd64
 
     - name: Download CLI binaries darwin-arm64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-darwin-arm64
 
     - name: Download CLI binaries linux-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-linux-amd64
 
     - name: Download CLI binaries linux-arm64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-linux-arm64
 
     - name: Download CLI binaries windows-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-windows-amd64
 
     - name: Download Terraform module
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-module
 
     - name: Download Terraform provider binary darwin-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-darwin-amd64
 
     - name: Download Terraform provider binary darwin-arm64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-darwin-arm64
 
     - name: Download Terraform provider binary linux-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-linux-amd64
 
     - name: Download Terraform provider binary linux-arm64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-linux-arm64

.github/actions/e2e_attestationconfigapi/action.yml

@@ -2,12 +2,9 @@ name: E2E Attestationconfig API Test
 description: "Test the attestationconfig CLI is functional."
 
 inputs:
-  csp:
-    description: "Cloud provider to run tests against"
-    default: "azure"
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
-    required: true
+  attestationVariant:
+    description: "attestation variant to run tests against"
+    default: "azure-sev-snp"
   cosignPrivateKey:
     description: "Cosign private key"
     required: true
@@ -20,12 +17,9 @@ runs:
   steps:
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
-      with:
-        useCache: "true"
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
 
     - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
         aws-region: eu-west-1
@@ -36,4 +30,4 @@ runs:
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
       run: |
-        bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.csp }}
+        bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.attestationVariant }}

.github/actions/e2e_autoscaling/action.yml

@@ -82,7 +82,30 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
         worker_count=${{ steps.worker_count.outputs.worker_count }}
-        kubectl create -n default deployment nginx --image=nginx --replicas $(( 110 * (worker_count + 1) + 55 ))
+
+        cat <<EOF | kubectl apply -f -
+        kind: Deployment
+        apiVersion: apps/v1
+        metadata:
+          name: nginx
+          namespace: default
+        spec:
+          replicas: $(( 110 * (worker_count + 1) + 55 ))
+          strategy:
+            rollingUpdate:
+              maxUnavailable: 0 # Ensure "kubectl wait" actually waits for all pods to be ready
+          selector:
+            matchLabels:
+              app: nginx
+          template:
+            metadata:
+              labels:
+                app: nginx
+            spec:
+              containers:
+              - name: nginx
+                image: nginx
+        EOF
 
     - name: Wait for autoscaling and check result
       shell: bash

.github/actions/e2e_benchmark/.gitignore

@@ -0,0 +1,2 @@
+benchmarks/
+out/

.github/actions/e2e_benchmark/action.yml

@@ -5,6 +5,9 @@ inputs:
   cloudProvider:
     description: "Which cloud provider to use."
     required: true
+  attestationVariant:
+    description: "Which attestation variant to use."
+    required: true
   kubeconfig:
     description: "The kubeconfig of the cluster to test."
     required: true
@@ -17,15 +20,21 @@ inputs:
   awsOpenSearchPwd:
     description: "AWS OpenSearch Password to upload the results."
     required: false
+  artifactNameSuffix:
+    description: "Suffix for artifact naming."
+    required: true
+  encryptionSecret:
+    description: 'The secret to use for encrypting the artifact.'
+    required: true
 
 runs:
   using: "composite"
 
   steps:
     - name: Setup python
-      uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
-        python-version: "3.10"
+        python-version: "3.13"
 
     - name: Install kubestr
       shell: bash
@@ -39,25 +48,25 @@ runs:
         install kubestr /usr/local/bin
 
     - name: Checkout k8s-bench-suite
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
         repository: "edgelesssys/k8s-bench-suite"
         ref: 67c64c854841165b778979375444da1c02e02210
         path: k8s-bench-suite
 
-
-    - name: Run FIO benchmark without caching in Azure
-      if: inputs.cloudProvider == 'azure'
+    - name: Run FIO benchmark
       shell: bash
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
+        if [[ "${{ inputs.cloudProvider }}" == "azure" ]]
+        then
         cat <<EOF | kubectl apply -f -
         apiVersion: storage.k8s.io/v1
         kind: StorageClass
         metadata:
-          name: encrypted-rwo-no-cache
+          name: fio-benchmark
         allowVolumeExpansion: true
         allowedTopologies: []
         mountOptions: []
@@ -68,35 +77,49 @@ runs:
         reclaimPolicy: Delete
         volumeBindingMode: Immediate
         EOF
-        mkdir -p out
-        kubestr fio -e "out/fio-constellation-${{ inputs.cloudProvider }}.json" -o json -s encrypted-rwo-no-cache -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
+        fi
 
-    - name: Run FIO benchmark
-      if: inputs.cloudProvider == 'gcp'
-      shell: bash
-      env:
-        KUBECONFIG: ${{ inputs.kubeconfig }}
-      run: |
+        if [[ "${{ inputs.cloudProvider }}" == "gcp" ]]
+        then
         cat <<EOF | kubectl apply -f -
         apiVersion: storage.k8s.io/v1
         kind: StorageClass
         metadata:
-          name: encrypted-balanced-rwo
+          name: fio-benchmark
         provisioner: gcp.csi.confidential.cloud
         volumeBindingMode: Immediate
         allowVolumeExpansion: true
         parameters:
           type: pd-balanced
         EOF
+        fi
+
+        if [[ "${{ inputs.cloudProvider }}" == "aws" ]]
+        then
+        cat <<EOF | kubectl apply -f -
+        apiVersion: storage.k8s.io/v1
+        kind: StorageClass
+        metadata:
+          name: fio-benchmark
+        parameters:
+          type: gp3
+        provisioner: aws.csi.confidential.cloud
+        allowVolumeExpansion: true
+        reclaimPolicy: Delete
+        volumeBindingMode: Immediate
+        EOF
+        fi
+
         mkdir -p out
-        kubestr fio -e "out/fio-constellation-${{ inputs.cloudProvider }}.json" -o json -s encrypted-balanced-rwo -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
+        kubestr fio -e "out/fio-constellation-${{ inputs.attestationVariant }}.json" -o json -s fio-benchmark -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
 
     - name: Upload raw FIO benchmark results
       if: (!env.ACT)
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
-        path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
-        name: "fio-constellation-${{ inputs.cloudProvider }}.json"
+        path: "out/fio-constellation-${{ inputs.attestationVariant }}.json"
+        name: "fio-constellation-${{ inputs.artifactNameSuffix }}.json"
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Run knb benchmark
       shell: bash
@@ -104,23 +127,46 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
         TERM: xterm-256color
       run: |
-        workers="$(kubectl get nodes -o name | grep worker)"
+        workers="$(kubectl get nodes -o name -l '!node-role.kubernetes.io/control-plane')"
         echo -e "Found workers:\n$workers"
         server="$(echo "$workers" | tail +1 | head -1 | cut -d '/' -f2)"
         echo "Server: $server"
         client="$(echo "$workers" | tail +2 | head -1 | cut -d '/' -f2)"
         echo "Client: $client"
-        k8s-bench-suite/knb -f "out/knb-constellation-${{ inputs.cloudProvider }}.json" -o json --server-node "$server" --client-node "$client"
+        k8s-bench-suite/knb -f "out/knb-constellation-${{ inputs.attestationVariant }}.json" -o json --server-node "$server" --client-node "$client"
 
     - name: Upload raw knb benchmark results
       if: (!env.ACT)
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
-        path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
-        name: "knb-constellation-${{ inputs.cloudProvider }}.json"
+        path: "out/knb-constellation-${{ inputs.attestationVariant }}.json"
+        name: "knb-constellation-${{ inputs.artifactNameSuffix }}.json"
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+
+    - name: Parse results, create diagrams and post the progression summary
+      shell: bash
+      env:
+        # Original result directory
+        BENCH_RESULTS: out/
+        # Working directory containing the previous results as JSON and to contain the graphs
+        BDIR: benchmarks
+        CSP: ${{ inputs.cloudProvider }}
+        ATTESTATION_VARIANT: ${{ inputs.attestationVariant }}
+      run: |
+        mkdir -p benchmarks
+        python .github/actions/e2e_benchmark/evaluate/parse.py
+
+    - name: Upload benchmark results to action run
+      if: (!env.ACT)
+      uses: ./.github/actions/artifact_upload
+      with:
+        path: >
+          benchmarks/constellation-${{ inputs.attestationVariant }}.json
+        name: "benchmarks-${{ inputs.artifactNameSuffix }}"
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Assume AWS role to retrieve and update benchmarks in S3
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
         aws-region: us-east-2
@@ -133,46 +179,27 @@ runs:
 
     - name: Get previous benchmark records from S3
       shell: bash
-      env:
-        CSP: ${{ inputs.cloudProvider }}
       run: |
-        mkdir -p benchmarks
-        aws s3 cp --recursive ${S3_PATH} benchmarks --no-progress
-        if [[ -f benchmarks/constellation-${CSP}.json ]]; then
-          mv benchmarks/constellation-${CSP}.json benchmarks/constellation-${CSP}-previous.json
+        if aws s3 cp "${S3_PATH}/constellation-${{ inputs.attestationVariant }}.json" ./ --no-progress
+        then
+          mv "constellation-${{ inputs.attestationVariant }}.json" "benchmarks/constellation-${{ inputs.attestationVariant }}-previous.json"
         else
             echo "::warning::Couldn't retrieve previous benchmark records from s3"
         fi
 
-    - name: Parse results, create diagrams and post the progression summary
+    - name: Compare results
       shell: bash
       env:
-        # Original result directory
-        BENCH_RESULTS: out/
-        # Working directory containing the previous results as JSON and to contain the graphs
-        BDIR: benchmarks
         # Paths to benchmark results as JSON of the previous run and the current run
-        PREV_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}-previous.json
-        CURR_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}.json
-        CSP: ${{ inputs.cloudProvider }}
+        PREV_BENCH: benchmarks/constellation-${{ inputs.attestationVariant }}-previous.json
+        CURR_BENCH: benchmarks/constellation-${{ inputs.attestationVariant }}.json
       run: |
-        python .github/actions/e2e_benchmark/evaluate/parse.py
-        export BENCHMARK_SUCCESS=true
         if [[ -f "$PREV_BENCH" ]]; then
-          # Sets $BENCHMARK_SUCCESS=false if delta is bigger than defined in compare.py
+          # Fails if the results are outside the threshold range
           python .github/actions/e2e_benchmark/evaluate/compare.py >> $GITHUB_STEP_SUMMARY
         fi
-        echo BENCHMARK_SUCCESS=$BENCHMARK_SUCCESS >> $GITHUB_ENV
 
-    - name: Upload benchmark results to action run
-      if: (!env.ACT)
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-      with:
-        path: |
-          benchmarks/constellation-${{ inputs.cloudProvider }}.json
-        name: "benchmarks"
-
-    - name: Upload benchmark results to opensearch
+    - name: Upload benchmark results to OpenSearch
       if: (!env.ACT)
       shell: bash
       env:
@@ -182,24 +209,12 @@ runs:
       run: |
         curl -XPOST \
             -u "${OPENSEARCH_USER}:${OPENSEARCH_PWD}" \
-            "${OPENSEARCH_DOMAIN}/benchmarks-${{ inputs.cloudProvider }}-$(date '+%Y')"/_doc \
-            --data-binary @benchmarks/constellation-${{ inputs.cloudProvider }}.json \
+            "${OPENSEARCH_DOMAIN}/benchmarks-${{ inputs.attestationVariant }}-$(date '+%Y')"/_doc \
+            --data-binary @benchmarks/constellation-${{ inputs.attestationVariant }}.json \
             -H 'Content-Type: application/json'
 
     - name: Update benchmark records in S3
       if: github.ref_name == 'main'
       shell: bash
-      env:
-        CSP: ${{ inputs.cloudProvider }}
       run: |
-        aws s3 cp benchmarks/constellation-${CSP}.json ${S3_PATH}/constellation-${CSP}.json
-
-    - name: Check performance comparison result
-      shell: bash
-      run: |
-        if [[ $BENCHMARK_SUCCESS == true ]] ; then
-          echo "Benchmark successful, all metrics in the expected range."
-        else
-          echo "::error::Benchmark failed, some metrics are outside of the expected range."
-          exit 1
-        fi
+        aws s3 cp benchmarks/constellation-${{ inputs.attestationVariant }}.json ${S3_PATH}/constellation-${{ inputs.attestationVariant }}.json

.github/actions/e2e_benchmark/evaluate/compare.py

@@ -40,12 +40,15 @@ API_UNIT_STR = "ms"
 
 # List of allowed deviation
 ALLOWED_RATIO_DELTA = {
-    'iops': 0.7,
-    'bw_kbytes': 0.7,
-    'tcp_bw_mbit': 0.7,
-    'udp_bw_mbit': 0.7,
+    'iops': 0.8,
+    'bw_kbytes': 0.8,
+    'tcp_bw_mbit': 0.8,
+    'udp_bw_mbit': 0.8,
 }
 
+# Track failed comparison status
+failed = False
+
 
 def is_bigger_better(bench_suite: str) -> bool:
     return bench_suite in BIGGER_BETTER
@@ -91,18 +94,18 @@ class BenchmarkComparer:
             raise ValueError('Failed reading benchmark file: {e}'.format(e=e))
 
         try:
-            name = bench_curr['provider']
+            name = bench_curr['attestationVariant']
         except KeyError:
             raise ValueError(
-                'Current benchmark record file does not contain provider.')
+                'Current benchmark record file does not contain attestationVariant.')
         try:
-            prev_name = bench_prev['provider']
+            prev_name = bench_prev['attestationVariant']
         except KeyError:
             raise ValueError(
-                'Previous benchmark record file does not contain provider.')
+                'Previous benchmark record file does not contain attestationVariant.')
         if name != prev_name:
             raise ValueError(
-                'Cloud providers of previous and current benchmark data do not match.')
+                'Cloud attestationVariants of previous and current benchmark data do not match.')
 
         if 'fio' not in bench_prev.keys() or 'fio' not in bench_curr.keys():
             raise ValueError('Benchmarks do not both contain fio records.')
@@ -171,7 +174,8 @@ class BenchmarkComparer:
 
 
 def set_failed() -> None:
-    os.environ['COMPARISON_SUCCESS'] = str(False)
+    global failed
+    failed = True
 
 
 def main():
@@ -179,6 +183,8 @@ def main():
     c = BenchmarkComparer(path_prev, path_curr)
     output = c.compare()
     print(output)
+    if failed:
+        exit(1)
 
 
 if __name__ == '__main__':

.github/actions/e2e_benchmark/evaluate/parse.py

@@ -7,7 +7,7 @@ from datetime import datetime
 from evaluators import fio, knb
 
 
-def configure() -> Tuple[str, str, str, str | None, str, str, str, str]:
+def configure() -> Tuple[str, str, str, str, str | None, str, str, str, str]:
     """Read the benchmark data paths.
 
     Expects ENV vars (required):
@@ -25,27 +25,29 @@ def configure() -> Tuple[str, str, str, str | None, str, str, str, str]:
     """
     base_path = os.environ.get('BENCH_RESULTS', None)
     csp = os.environ.get('CSP', None)
+    attestation_variant = os.environ.get('ATTESTATION_VARIANT', None)
     out_dir = os.environ.get('BDIR', None)
-    if not base_path or not csp or not out_dir:
+    if not base_path or not csp or not out_dir or not attestation_variant:
         raise TypeError(
-            'ENV variables BENCH_RESULTS, CSP, BDIR are required.')
+            'ENV variables BENCH_RESULTS, CSP, BDIR, ATTESTATION_VARIANT are required.')
 
     ext_provider_name = os.environ.get('EXT_NAME', None)
     commit_hash = os.environ.get('GITHUB_SHA', 'N/A')
     commit_ref = os.environ.get('GITHUB_REF_NAME', 'N/A')
     actor = os.environ.get('GITHUB_ACTOR', 'N/A')
     workflow = os.environ.get('GITHUB_WORKFLOW', 'N/A')
-    return base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow
+    return base_path, csp, attestation_variant, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow
 
 
 class BenchmarkParser:
-    def __init__(self, base_path, csp, out_dir, ext_provider_name=None, commit_hash="N/A", commit_ref="N/A", actor="N/A", workflow="N/A"):
+    def __init__(self, base_path, csp, attestation_variant, out_dir, ext_provider_name=None, commit_hash="N/A", commit_ref="N/A", actor="N/A", workflow="N/A"):
         self.base_path = base_path
         self.csp = csp
+        self.attestation_variant = attestation_variant
         self.out_dir = out_dir
         self.ext_provider_name = ext_provider_name
         if not self.ext_provider_name:
-            self.ext_provider_name = f'constellation-{csp}'
+            self.ext_provider_name = f'constellation-{attestation_variant}'
         self.commit_hash = commit_hash
         self.commit_ref = commit_ref
         self.actor = actor
@@ -88,6 +90,7 @@ class BenchmarkParser:
         },
             '@timestamp': str(timestamp),
             'provider': self.ext_provider_name,
+            'attestationVariant': self.attestation_variant,
             'fio': {},
             'knb': {}}
 
@@ -101,8 +104,8 @@ class BenchmarkParser:
 
 
 def main():
-    base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow = configure()
-    p = BenchmarkParser(base_path, csp, out_dir, ext_provider_name,
+    base_path, csp, attestation_variant, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow = configure()
+    p = BenchmarkParser(base_path, csp, attestation_variant, out_dir, ext_provider_name,
                         commit_hash, commit_ref, actor, workflow)
     p.parse()
 

.github/actions/e2e_benchmark/evaluate/requirements.txt

@@ -1,3 +1,3 @@
-numpy ==1.24.3
-matplotlib ==3.7.1
-Pillow ==10.0.1
+numpy ==2.2.4
+matplotlib ==3.10.1
+Pillow ==11.2.1

.github/actions/e2e_benchmark/fio.ini

@@ -7,7 +7,7 @@ size=10Gi
 time_based=1
 group_reporting
 thread
-cpus_allowed=1
+cpus_allowed=0
 
 
 [read_iops]

.github/actions/e2e_cleanup_timeframe/action.yml

@@ -0,0 +1,62 @@
+name: E2E cleanup over timeframe
+description: Clean up old terraform resources of E2E tests
+
+inputs:
+  ghToken:
+    description:  'The github token that is used with the github CLI.'
+    required: true
+  encryptionSecret:
+    description: 'The secret to use for decrypting the artifacts.'
+    required: true
+  azure_credentials:
+    description: "Credentials authorized to create Constellation on Azure."
+    required: true
+  openStackCloudsYaml:
+    description: "The contents of ~/.config/openstack/clouds.yaml"
+    required: false
+  stackitUat:
+    description: "The UAT for STACKIT"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Authenticate AWS
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
+        aws-region: eu-central-1
+
+    - name: Authenticate Azure
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azure_credentials }}
+
+    - name: Authenticate GCP
+      uses: ./.github/actions/login_gcp
+      with:
+        service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+    - name: Login to OpenStack
+      uses: ./.github/actions/login_openstack
+      with:
+        clouds_yaml: ${{ inputs.openStackCloudsYaml }}
+
+    - name: Login to STACKIT
+      uses: ./.github/actions/login_stackit
+      with:
+        serviceAccountToken: ${{ inputs.stackitUat }}
+
+    - name: Install tools
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          _7zz
+          terraform
+
+    - name: Run cleanup
+      run: ./.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.ghToken }}
+        ENCRYPTION_SECRET: ${{ inputs.encryptionSecret }}

.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date.
+function get_e2e_test_ids_on_date {
+  ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)"
+  echo "${ids}"
+}
+
+# download_tfstate_artifact downloads all artifacts matching the pattern terraform-state-* from a given workflow ID.
+function download_tfstate_artifact {
+  gh run download "$1" -p "terraform-state-*" -R edgelesssys/constellation > /dev/null
+}
+
+# delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder.
+function delete_resources {
+  if [[ -d "$1/constellation-terraform" ]]; then
+    cd "$1/constellation-terraform" || exit 1
+    terraform init > /dev/null || exit 1 # first, install plugins
+    terraform destroy -auto-approve || exit 1
+    cd ../../ || exit 1
+  fi
+}
+
+# delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder.
+function delete_iam_config {
+  if [[ -d "$1/constellation-iam-terraform" ]]; then
+    cd "$1/constellation-iam-terraform" || exit 1
+    terraform init > /dev/null || exit 1 # first, install plugins
+    terraform destroy -auto-approve || exit 1
+    cd ../../ || exit 1
+  fi
+}
+
+# check if the password for artifact decryption was given
+if [[ -z ${ENCRYPTION_SECRET} ]]; then
+  echo "ENCRYPTION_SECRET is not set. Please set an environment variable with that secret."
+  exit 1
+fi
+
+artifact_pwd=${ENCRYPTION_SECRET}
+
+shopt -s nullglob
+
+start_date=$(date "+%Y-%m-%d")
+end_date=$(date --date "-7 day" "+%Y-%m-%d")
+dates_to_clean=()
+
+# get all dates of the last week
+while [[ ${end_date} != "${start_date}" ]]; do
+  dates_to_clean+=("${end_date}")
+  end_date=$(date --date "${end_date} +1 day" "+%Y-%m-%d")
+done
+
+echo "[*] retrieving run IDs for cleanup"
+database_ids=()
+for d in "${dates_to_clean[@]}"; do
+  echo "    retrieving run IDs from $d"
+  mapfile -td " " tmp < <(get_e2e_test_ids_on_date "$d")
+  database_ids+=("${tmp[*]}")
+done
+
+# cleanup database_ids
+mapfile -t database_ids < <(echo "${database_ids[@]}")
+mapfile -td " " database_ids < <(echo "${database_ids[@]}")
+
+echo "[*] downloading terraform state artifacts"
+for id in "${database_ids[@]}"; do
+  if [[ ${id} == *[^[:space:]]* ]]; then
+    echo "    downloading from workflow ${id}"
+    download_tfstate_artifact "${id}"
+  fi
+done
+
+echo "[*] extracting artifacts"
+for directory in ./terraform-state-*; do
+  echo "    extracting ${directory}"
+
+  # extract and decrypt the artifact
+  7zz x -t7z -p"${artifact_pwd}" -o"${directory}" "${directory}/archive.7z" > /dev/null || exit 1
+done
+
+# create terraform caching directory
+mkdir "${HOME}/tf_plugin_cache"
+export TF_PLUGIN_CACHE_DIR="${HOME}/tf_plugin_cache"
+echo "[*] created terraform cache directory ${TF_PLUGIN_CACHE_DIR}"
+
+echo "[*] deleting resources"
+for directory in ./terraform-state-*; do
+  echo "    deleting resources in ${directory}"
+  delete_resources "${directory}"
+  echo "    deleting IAM configuration in ${directory}"
+  delete_iam_config "${directory}"
+  echo "    deleting directory ${directory}"
+  rm -rf "${directory}"
+done
+
+exit 0

.github/actions/e2e_emergency_ssh/action.yml

@@ -0,0 +1,68 @@
+name: Emergency ssh
+description: "Verify that an emergency ssh connection can be established."
+
+inputs:
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Test emergency ssh
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        set -euo pipefail
+
+        # Activate emergency ssh access to the cluster
+        pushd ./constellation-terraform
+        echo "emergency_ssh = true" >> terraform.tfvars
+        terraform apply -auto-approve
+        lb="$(terraform output -raw loadbalancer_address)"
+        popd
+
+        # write ssh config
+        cat > ssh_config <<EOF
+        Host $lb
+          ProxyJump none
+
+        Host *
+          StrictHostKeyChecking no
+          UserKnownHostsFile=/dev/null
+          IdentityFile ./access-key
+          PreferredAuthentications publickey
+          CertificateFile=constellation_cert.pub
+          User root
+          ProxyJump $lb
+        EOF
+
+        for i in {1..26}; do
+          if [[ "$i" -eq 26 ]]; then
+            echo "Port 22 never became reachable"
+            exit 1
+          fi
+          echo "Waiting until port 22 is reachable: $i/25"
+          if nc -z -w 25 "$lb" 22; then
+            break
+          fi
+        done
+
+        # generate and try keypair
+        ssh-keygen -t ecdsa -q -N "" -f ./access-key
+        constellation ssh --debug --key ./access-key.pub
+        internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
+        for ip in $internalIPs; do
+          for i in {1..26}; do
+            if [[ "$i" -eq 26 ]]; then
+              echo "Failed to connect to $ip over $lb"
+              exit 1
+            fi
+            echo "Trying connection to $ip over $lb: $i/25"
+            if ssh -F ssh_config -o BatchMode=yes $ip true; then
+              echo "Connected to $ip successfully"
+              break
+            fi
+          done
+        done

.github/actions/e2e_lb/action.yml

@@ -5,6 +5,9 @@ inputs:
   kubeconfig:
     description: "The kubeconfig of the cluster to test."
     required: true
+  cloudProvider:
+    description: "The CSP this test runs on. Some tests exercise functionality not supported everywhere."
+    required: false
 
 runs:
   using: "composite"
@@ -18,7 +21,25 @@ runs:
       run: |
         kubectl apply -f ns.yml
         kubectl apply -f lb.yml
-        bazel run //e2e/internal/lb:lb_test
+        bazel run --test_timeout=14400 //e2e/internal/lb:lb_test
+
+    - name: Test AWS Ingress
+      if: inputs.cloudProvider == 'aws'
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      working-directory: ./.github/actions/e2e_lb
+      run: |
+        kubectl apply -f aws-ingress.yml
+        kubectl wait -n lb-test ing/whoami --for=jsonpath='{.status.loadBalancer.ingress}' --timeout=5m
+        host=$(kubectl get -n lb-test ingress whoami -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+        for i in $(seq 30); do
+          curl --silent --fail --connect-timeout 5 --output /dev/null http://$host && exit 0
+          sleep 10
+        done
+        echo "::error::Ingress did not become ready in the alloted time."
+        kubectl describe ing -n lb-test
+        exit 1
 
     - name: Delete deployment
       if: always()
@@ -28,4 +49,5 @@ runs:
       working-directory: ./.github/actions/e2e_lb
       run: |
         kubectl delete -f lb.yml
+        kubectl delete --ignore-not-found -f aws-ingress.yml
         kubectl delete -f ns.yml --timeout=5m

.github/actions/e2e_lb/aws-ingress.yml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami-internal
+  namespace: lb-test
+spec:
+  selector:
+    app: whoami
+  ports:
+    - port: 80
+      targetPort: 80
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: lb-test
+  name: whoami
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: instance
+spec:
+  ingressClassName: alb
+  rules:
+    - http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: whoami-internal
+              port:
+                number: 80

.github/actions/e2e_malicious_join/action.yml

@@ -5,6 +5,9 @@ inputs:
   cloudProvider:
     description: "The cloud provider the test runs on."
     required: true
+  attestationVariant:
+    description: "The attestation variant used in the cluster."
+    required: true
   kubeconfig:
     description: "The kubeconfig file for the cluster."
     required: true
@@ -29,12 +32,12 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       working-directory: e2e/malicious-join
       run: |
-        bazel run //e2e/malicious-join:stamp_and_push
+        bazel run --test_timeout=14400 //e2e/malicious-join:stamp_and_push
         yq eval -i "(.spec.template.spec.containers[0].command) = \
           [ \"/malicious-join_bin\", \
           \"--js-endpoint=join-service.kube-system:9090\", \
           \"--csp=${{ inputs.cloudProvider }}\", \
-          \"--variant=default\" ]" stamped_job.yaml
+          \"--variant=${{ inputs.attestationVariant }}\" ]" stamped_job.yaml
 
         kubectl create ns malicious-join
         kubectl apply -n malicious-join -f stamped_job.yaml

.github/actions/e2e_mini/action.yml

@@ -11,8 +11,8 @@ inputs:
   azureTenantID:
     description: "Azure tenant to use for login with OIDC"
     required: true
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
+  azureIAMCredentials:
+    description: "Azure IAM credentials used for cleaning up resources"
     required: true
   registry:
     description: "Container registry to use"
@@ -25,15 +25,12 @@ runs:
   using: "composite"
   steps:
     - name: Install terraform
-      uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
         terraform_wrapper: false
 
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
-      with:
-        useCache: "true"
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
 
     - name: Log in to the Container registry
       uses: ./.github/actions/container_registry_login
@@ -44,9 +41,25 @@ runs:
 
     - name: MiniConstellation E2E
       shell: bash
+      id: e2e-test
       env:
         ARM_CLIENT_ID: ${{ inputs.azureClientID }}
         ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
         ARM_TENANT_ID: ${{ inputs.azureTenantID }}
       run: |
-        bazel run //e2e/miniconstellation:push_remote_test
+        bazel run --test_timeout=14400 //e2e/miniconstellation:push_remote_test
+
+    - name: Log in to azure
+      # only log in if e2e test failed or if the run was cancelled
+      if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureIAMCredentials }}
+
+    - name: Clean up after failure
+      shell: bash
+      # clean up if e2e test failed or if the run was cancelled
+      if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
+      run: |
+        echo "[*] Deleting resource group ${{ steps.e2e-test.outputs.rgname }}"
+        az group delete -y --resource-group "${{ steps.e2e-test.outputs.rgname }}"

.github/actions/e2e_s3proxy/action.yml

@@ -11,9 +11,6 @@ inputs:
   s3SecretKey:
     description: "Secret key for s3proxy"
     required: true
-  buildBuddyApiKey:
-    description: "BuildBuddy API key"
-    required: true
   githubToken:
     description: "GitHub token"
     required: true
@@ -23,9 +20,6 @@ runs:
   steps:
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
-      with:
-        useCache: "true"
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
 
     - name: Get pseudoversion
       id: pseudoversion
@@ -46,7 +40,9 @@ runs:
       shell: bash
       run: |
         bazel run //bazel/release:s3proxy_push
-        echo s3proxyImage=$(cat ./bazel-bin/bazel/release/s3proxy_tag.txt) | tee -a "$GITHUB_OUTPUT"
+        bazel build //bazel/release:s3proxy_tag.txt
+        tagpath=$(bazel cquery --output=files //bazel/release:s3proxy_tag.txt)
+        echo s3proxyImage=$(cat "${tagpath}") | tee -a "$GITHUB_OUTPUT"
 
     - name: Setup s3proxy
       shell: bash
@@ -64,6 +60,6 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
         ACCESS_KEY: ${{ inputs.s3AccessKey }}
         SECRET_KEY: ${{ inputs.s3SecretKey }}
-        IMAGE: "ghcr.io/edgelesssys/mint:v1.99.0@sha256:96a059733087ec0bcf2c808406a626da2ffefe8e7c7cac786907b1b35b892234" # renovate:mint-fork
+        IMAGE: "ghcr.io/edgelesssys/mint:v2.0.0@sha256:cf82f029ca77fd4ade4fb36f19945f44e58b1d03c1acb930d95ae7ec75a25c22" # renovate:mint-fork
       run: |
         ./s3proxy/e2e/deploy.sh "$IMAGE"

.github/actions/e2e_sonobuoy/action.yml

@@ -11,6 +11,9 @@ inputs:
   kubeconfig:
     description: "The kubeconfig of the cluster to test."
     required: true
+  encryptionSecret:
+    description: 'The secret to use for encrypting the artifact.'
+    required: true
 
 runs:
   using: "composite"
@@ -18,7 +21,7 @@ runs:
     - name: Install sonobuoy
       shell: bash
       env:
-        SONOBUOY_VER: "0.56.17"
+        SONOBUOY_VER: "0.57.1"
       run: |
         HOSTOS="$(go env GOOS)"
         HOSTARCH="$(go env GOARCH)"
@@ -40,14 +43,24 @@ runs:
       shell: bash
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
-      run: sonobuoy retrieve --kubeconfig constellation-admin.conf
+      run: |
+        sonobuoy retrieve --kubeconfig constellation-admin.conf
+        sonobuoy results *_sonobuoy_*.tar.gz
+        sonobuoy results *_sonobuoy_*.tar.gz --mode detailed | jq 'select(.status!="passed")' | jq 'select(.status!="skipped")' || true
+
+    - name: Cleanup sonobuoy deployment
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      shell: bash
+      run: sonobuoy delete --wait
 
     - name: Upload test results
       if: always() && !env.ACT
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
         name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz"
         path: "*_sonobuoy_*.tar.gz"
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     # Only works on "sonobuoy full" tests (e2e plugin)
     - name: Extract test results
@@ -57,7 +70,7 @@ runs:
 
     - name: Publish test results
       if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
-      uses: mikepenz/action-junit-report@150e2f992e4fad1379da2056d1d1c279f520e058 # v3.8.0
+      uses: mikepenz/action-junit-report@cf701569b05ccdd861a76b8607a66d76f6fd4857 # v5.5.1
       with:
         report_paths: "**/junit_01.xml"
         fail_on_failure: true

.github/actions/e2e_test/action.yml

@@ -11,6 +11,9 @@ inputs:
   cloudProvider:
     description: "Which cloud provider to use."
     required: true
+  attestationVariant:
+    description: "Which attestation variant to use."
+    required: true
   machineType:
     description: "VM machine type. Make sure it matches selected cloud provider!"
   osImage:
@@ -43,6 +46,9 @@ inputs:
     description: "AWS OpenSearch User to upload the benchmark results."
   awsOpenSearchPwd:
     description: "AWS OpenSearch Password to upload the benchmark results."
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureClusterCreateCredentials:
     description: "Azure credentials authorized to create a Constellation cluster."
     required: true
@@ -50,12 +56,10 @@ inputs:
     description: "Azure credentials authorized to create an IAM configuration."
     required: true
   test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
     required: true
   sonobuoyTestSuiteCmd:
     description: "The sonobuoy test suite to run."
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
   registry:
     description: "Container registry to use"
     required: true
@@ -74,7 +78,7 @@ inputs:
   internalLoadBalancer:
     description: "Enable internal load balancer for the cluster."
   clusterCreation:
-    description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
+    description: "How to create infrastructure for the e2e test. One of [cli,, terraform]."
     default: "cli"
   s3AccessKey:
     description: "Access key for s3proxy"
@@ -86,6 +90,18 @@ inputs:
   force:
     description: "Set the force-flag on apply to ignore version mismatches."
     required: false
+  encryptionSecret:
+    description: "The secret to use for decrypting the artifact."
+    required: true
+  openStackCloudsYaml:
+    description: "The contents of ~/.config/openstack/clouds.yaml"
+    required: false
+  stackitUat:
+    description: "The UAT for STACKIT"
+    required: false
+  stackitProjectID:
+    description: "The STACKIT project ID to deploy Constellation in."
+    required: false
 
 outputs:
   kubeconfig:
@@ -99,7 +115,7 @@ runs:
   using: "composite"
   steps:
     - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
       shell: bash
       run: |
         echo "::error::Invalid input for test field: ${{ inputs.test }}"
@@ -134,8 +150,7 @@ runs:
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
       with:
-        useCache: ${{ inputs.buildBuddyApiKey != '' }}
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
+        nixTools: terraform
 
     - name: Log in to the Container registry
       uses: ./.github/actions/container_registry_login
@@ -163,8 +178,6 @@ runs:
         echo "$(pwd)" >> $GITHUB_PATH
         export PATH="$PATH:$(pwd)"
         constellation version
-        # Do not spam license server from pipeline
-        sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
 
     - name: Build Terraform provider binary
       if: inputs.clusterCreation == 'terraform' && inputs.cliVersion == ''
@@ -214,7 +227,7 @@ runs:
 
     - name: Login to AWS (IAM role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1
@@ -227,30 +240,55 @@ runs:
       with:
         azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
 
+    - name: Login to OpenStack
+      if: inputs.cloudProvider == 'stackit'
+      uses: ./.github/actions/login_openstack
+      with:
+        clouds_yaml: ${{inputs.openStackCloudsYaml }}
+
+    - name: Login to STACKIT
+      if: inputs.cloudProvider == 'stackit'
+      uses: ./.github/actions/login_stackit
+      with:
+        serviceAccountToken: ${{ inputs.stackitUat }}
+
     - name: Create prefix
       id: create-prefix
       shell: bash
       run: |
         uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
         uuid=${uuid%%-*}
+
+        # GCP has a 6 character limit the additional uuid prefix since the full prefix length has a maximum of 24
+        if [[ ${{ inputs.cloudProvider }} == 'gcp' ]]; then
+          uuid=${uuid:0:6}
+        fi
+
         echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
         echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT
 
     - name: Pick a random Azure region
       id: pick-az-region
       uses: ./.github/actions/pick_azure_region
+      with:
+        attestationVariant: ${{ inputs.attestationVariant }}
 
-    - name: Create IAM configuration
+    - name: Create Constellation config and IAM
       id: constellation-iam-create
       uses: ./.github/actions/constellation_iam_create
       with:
         cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         namePrefix: ${{ steps.create-prefix.outputs.prefix }}
         awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
+        azureSubscriptionID: ${{ inputs.azureSubscriptionID }}
         azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region  }}
         gcpProjectID: ${{ inputs.gcpProject }}
         gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
+        stackitZone: ${{ inputs.regionZone || 'eu01-2' }}
+        stackitProjectID: ${{ inputs.stackitProjectID }}
         kubernetesVersion: ${{ inputs.kubernetesVersion }}
+        additionalTags: "workflow=${{ github.run_id }}"
 
     - name: Login to GCP (Cluster service account)
       if: inputs.cloudProvider == 'gcp'
@@ -260,7 +298,7 @@ runs:
 
     - name: Login to AWS (Cluster role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1
@@ -278,6 +316,7 @@ runs:
       uses: ./.github/actions/constellation_create
       with:
         cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         workerNodesCount: ${{ inputs.workerNodesCount }}
         controlNodesCount: ${{ inputs.controlNodesCount }}
         machineType: ${{ inputs.machineType }}
@@ -296,6 +335,7 @@ runs:
         clusterCreation: ${{ inputs.clusterCreation }}
         marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
         force: ${{ inputs.force }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Deploy log- and metrics-collection (Kubernetes)
       id: deploy-logcollection
@@ -307,6 +347,7 @@ runs:
         opensearchPwd: ${{ inputs.awsOpenSearchPwd }}
         test: ${{ inputs.test }}
         provider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         isDebugImage: ${{ inputs.isDebugImage }}
         kubernetesVersion: ${{ inputs.kubernetesVersion }}
         refStream: ${{ inputs.refStream }}
@@ -319,7 +360,7 @@ runs:
       if: (inputs.test == 'nop') || (inputs.test == 'upgrade')
       shell: bash
       run: |
-        echo "::warning::This test has a nop payload. It doesn't run any tests."
+        echo "This test has a nop payload. It doesn't run any tests."
         echo "Sleeping for 30 seconds to allow logs to propagate to the log collection service."
         sleep 30
 
@@ -330,15 +371,26 @@ runs:
         sonobuoyTestSuiteCmd: "--mode quick"
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Run sonobuoy full test
       if: inputs.test == 'sonobuoy full'
       uses: ./.github/actions/e2e_sonobuoy
       with:
         # TODO(3u13r): Remove E2E_SKIP once AB#2174 is resolved
-        sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
+        sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol|Services should serve endpoints on same port and different protocols" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/102cd62a4091f80a795189f64ccc20738f931ef0/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/102cd62a4091f80a795189f64ccc20738f931ef0/cis-benchmarks/kube-bench-master-plugin.yaml'
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+
+    - name: Run sonobuoy conformance
+      if: inputs.test == 'sonobuoy conformance'
+      uses: ./.github/actions/e2e_sonobuoy
+      with:
+        sonobuoyTestSuiteCmd: "--plugin e2e --mode certified-conformance"
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Run autoscaling test
       if: inputs.test == 'autoscaling'
@@ -351,22 +403,26 @@ runs:
       uses: ./.github/actions/e2e_lb
       with:
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        cloudProvider: ${{ inputs.cloudProvider }}
 
     - name: Run Performance Benchmark
       if: inputs.test == 'perf-bench'
       uses: ./.github/actions/e2e_benchmark
       with:
         cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
         awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
         awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
 
     - name: Run constellation verify test
       if: inputs.test == 'verify'
       uses: ./.github/actions/e2e_verify
       with:
-        cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         osImage: ${{ steps.constellation-create.outputs.osImageUsed }}
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         cosignPassword: ${{ inputs.cosignPassword }}
@@ -384,6 +440,7 @@ runs:
       uses: ./.github/actions/e2e_malicious_join
       with:
         cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         githubToken: ${{ inputs.githubToken }}
 
@@ -394,5 +451,10 @@ runs:
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         s3AccessKey: ${{ inputs.s3AccessKey }}
         s3SecretKey: ${{ inputs.s3SecretKey }}
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
         githubToken: ${{ inputs.githubToken }}
+    
+    - name: Run emergency ssh test
+      if: inputs.test == 'emergency ssh'
+      uses: ./.github/actions/e2e_emergency_ssh
+      with:
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}

.github/actions/e2e_verify/action.yml

@@ -5,8 +5,8 @@ inputs:
   osImage:
     description: "The OS image used in the cluster."
     required: true
-  cloudProvider:
-    description: "The cloud provider used in the cluster."
+  attestationVariant:
+    description: "The attestation variant used in the cluster."
     required: true
   kubeconfig:
     description: "The kubeconfig file for the cluster."
@@ -66,43 +66,46 @@ runs:
           forwarderPID=$!
           sleep 5
 
-          # TODO(v2.15): Remove workaround since we don't need to support v2.13 anymore
-          if [[ ${{ inputs.cloudProvider }} == "azure" ]] || { [[ ${{ inputs.cloudProvider }} == "aws" ]] && ! constellation version | grep -q "v2.13."; }; then
-            echo "Extracting TCB versions for API update"
-            constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
-          else
-            constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
-          fi
+          case "${{ inputs.attestationVariant }}"
+          in
+            "azure-sev-snp"|"azure-tdx"|"aws-sev-snp"|"gcp-sev-snp")
+              echo "Extracting TCB versions for API update"
+              constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "attestation-report-${node}.json"
+              ;;
+            *)
+              constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
+              ;;
+          esac
 
           kill $forwarderPID
         done
 
     - name: Login to AWS
       if: github.ref_name == 'main'
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
         aws-region: eu-central-1
 
     - name: Upload extracted TCBs
-      if: github.ref_name == 'main' && (inputs.cloudProvider == 'azure' || inputs.cloudProvider == 'aws')
+      if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'azure-tdx' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
       shell: bash
       env:
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
       run: |
-        if [[ ${{ inputs.cloudProvider }} == "aws" ]] && constellation version | grep -q "v2.13."; then
-          echo "Skipping TCB upload for AWS on CLI v2.13"
-          exit 0
-        fi
+        reports=attestation-report-*.json
 
-        reports=(snp-report-*.json)
-        if [ -z ${#reports[@]} ]; then
-            exit 1
-        fi
-
-        for file in "${reports[@]}"; do
-          path=$(realpath "${file}")
-          cat "${path}"
-          bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.cloudProvider }} snp-report "${path}"
+        # bazel run changes the working directory
+        # convert the relative paths to absolute paths to avoid issues
+        absolute_reports=""
+        for report in ${reports}; do
+          absolute_reports="${absolute_reports} $(realpath "${report}")"
         done
+
+        report=$(bazel run //internal/api/attestationconfigapi/cli -- compare ${{ inputs.attestationVariant }} ${absolute_reports})
+
+        path=$(realpath "${report}")
+        cat "${path}"
+
+        bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.attestationVariant }} attestation-report "${path}"

.github/actions/find_latest_image/action.yml

@@ -26,23 +26,25 @@ runs:
   steps:
     - name: Checkout head
       if: inputs.imageVersion == '' && inputs.git-ref == 'head'
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
     - name: Checkout ref
       if: inputs.imageVersion == '' && inputs.git-ref != 'head'
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ inputs.git-ref }}
 
     - name: Login to AWS
       if: inputs.imageVersion == ''
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
         aws-region: eu-central-1
 
+    - uses: ./.github/actions/setup_bazel_nix
+
     - name: Find latest image
       id: find-latest-image
       if: inputs.imageVersion == ''

.github/actions/gcpccm_vers_to_build/findvers.sh

@@ -82,4 +82,4 @@ for major in "${allMajorVersions[@]}"; do
 done
 
 # Print one elem per line | quote elems | create array | remove empty elems and print compact.
-printf '%s' "${versionsToBuild[@]}" | jq -R | jq -s | jq -c 'map(select(length > 0))'
+printf '%s\n' "${versionsToBuild[@]}" | jq -R | jq -s | jq -c 'map(select(length > 0))'

.github/actions/login_azure/action.yml

@@ -10,6 +10,6 @@ runs:
     # As described at:
     # https://github.com/Azure/login#configure-deployment-credentials
     - name: Login to Azure
-      uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
       with:
         creds: ${{ inputs.azure_credentials }}

.github/actions/login_gcp/action.yml

@@ -19,14 +19,12 @@ runs:
         echo "GCP_PROJECT=" >> "$GITHUB_ENV"
         echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
 
-    # As described at:
-    # https://github.com/google-github-actions/setup-gcloud#service-account-key-json
     - name: Authorize GCP access
-      uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
+      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
       with:
-        workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
+        workload_identity_provider: projects/1052692473304/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
         service_account: ${{ inputs.service_account }}
 
     # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
     - name: Set up Cloud SDK
-      uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4

.github/actions/login_openstack/action.yml

@@ -0,0 +1,16 @@
+name: OpenStack login
+description: "Login to OpenStack"
+inputs:
+  clouds_yaml:
+    description: "Credentials authorized to create Constellation on OpenStack."
+    required: true
+runs:
+  using: "composite"
+  steps:
+   - name: Login to OpenStack
+     env:
+       CLOUDS_YAML: ${{ inputs.clouds_yaml }}
+     shell: bash
+     run: |
+        mkdir -p ~/.config/openstack
+        echo "${CLOUDS_YAML}" > ~/.config/openstack/clouds.yaml

.github/actions/login_stackit/action.yml

@@ -0,0 +1,16 @@
+name: STACKIT login
+description: "Login to STACKIT"
+inputs:
+  serviceAccountToken:
+    description: "Credentials authorized to create Constellation on STACKIT."
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Login to STACKIT
+      env:
+        UAT: ${{ inputs.serviceAccountToken }}
+      shell: bash
+      run: |
+          mkdir -p ~/.stackit
+          echo "${UAT}" > ~/.stackit/credentials.json

.github/actions/notify_e2e_failure/action.yml

@@ -11,6 +11,9 @@ inputs:
   provider:
     description: "CSP"
     required: true
+  attestationVariant:
+    description: "Attestation variant"
+    required: false
   refStream:
     description: "RefStream of the run"
     required: false
@@ -18,8 +21,8 @@ inputs:
     description: "Kubernetes version"
     required: false
   clusterCreation:
-    description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
-    default: "false"
+    description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
+    required: false
 
 runs:
   using: "composite"
@@ -39,14 +42,47 @@ runs:
       run: |
         # TODO(katexochen): add job number when possible
         jobURL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-        # TODO(msanft): Add Self-managed param once logcollection is fixed.
-        opensearchURL="https://search-e2e-logs-y46renozy42lcojbvrt3qq7csm.eu-central-1.es.amazonaws.com/_dashboards/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))&_a=(columns:!(metadata.name,systemd.unit,kubernetes.pod_name,message),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'74517cf0-6442-11ed-acf1-47dda8fdfbbb',key:metadata.github.e2e-test-provider,negate:!f,params:(query:${{ inputs.provider }}),type:phrase),query:(match_phrase:(metadata.github.e2e-test-provider:${{ inputs.provider }}))),('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'74517cf0-6442-11ed-acf1-47dda8fdfbbb',key:metadata.github.run-id,negate:!f,params:(query:${{ github.run_id }}),type:phrase),query:(match_phrase:(metadata.github.run-id:${{ github.run_id }}))),('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'74517cf0-6442-11ed-acf1-47dda8fdfbbb',key:metadata.github.ref-stream.keyword,negate:!f,params:(query:'${{ inputs.refStream }}'),type:phrase),query:(match_phrase:(metadata.github.ref-stream.keyword:'${{ inputs.refStream }}'))),('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'74517cf0-6442-11ed-acf1-47dda8fdfbbb',key:metadata.github.kubernetes-version.keyword,negate:!f,params:(query:'${{ inputs.kubernetesVersion }}'),type:phrase),query:(match_phrase:(metadata.github.kubernetes-version.keyword:'${{ inputs.kubernetesVersion }}'))),('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'74517cf0-6442-11ed-acf1-47dda8fdfbbb',key:metadata.github.e2e-test-payload,negate:!f,params:(query:'${{ inputs.test }}'),type:phrase),query:(match_phrase:(metadata.github.e2e-test-payload:'${{ inputs.test }}')))),index:'74517cf0-6442-11ed-acf1-47dda8fdfbbb',interval:auto,query:(language:kuery,query:''),sort:!())"
+
+        # OpenSearch instance details
+        instance=search-e2e-logs-y46renozy42lcojbvrt3qq7csm
+        region=eu-central-1
+
+        # UUID of index "logs-*"
+        a="(metadata:(indexPattern:'9004ee20-77cc-11ee-b137-27c60b9ad4a4',view:discover))"
+
+        # Default window: last 7 days
+        g='(time:(from:now-7d,to:now))'
+
+        # Query construction
+        # Omit empty fields since OpenSearch will otherwise only display results where the field is empty
+        queryGen() {
+          key=$1
+          val=$2
+          if [[ -n "${val}" ]];  then
+            printf "(query:(match_phrase:(%s:'%s')))," "${key}" "${val}"
+          fi
+        }
+
+        e2eTestPayload=$(echo "${{ inputs.test }}" | jq -R -r @uri)
+
+        q=$(echo "(filters:!(
+          $(queryGen cloud.provider "${{ inputs.provider }}")
+          $(queryGen metadata.github.ref-stream "${{ inputs.refStream }}")
+          $(queryGen metadata.github.kubernetes-version "${{ inputs.kubernetesVersion }}")
+          $(queryGen metadata.github.attestation-variant "${{ inputs.attestationVariant }}")
+          $(queryGen metadata.github.cluster-creation "${{ inputs.clusterCreation }}")
+          $(queryGen metadata.github.e2e-test-payload "${e2eTestPayload}")
+          (query:(match_phrase:(metadata.github.run-id:${{ github.run_id }})))
+          ))" | tr -d "\t\n ")
+
+        # URL construction
+        opensearchURL="https://${instance}.${region}.es.amazonaws.com/_dashboards/app/data-explorer/discover/#?_a=${a}&_q=${q}&_g=${g}"
         cat << EOF > header.md
 
         ## Metadata
 
         * [Job URL](${jobURL})
-        * [OpenSearch URL](${opensearchURL// /%20})
+        * [OpenSearch URL](${opensearchURL})
 
         EOF
 
@@ -66,6 +102,7 @@ runs:
           workflow: ${{ github.workflow }}
           kubernetesVersion: ${{ inputs.kubernetesVersion }}
           cloudProvider: ${{ inputs.provider }}
+          attestationVariant: ${{ inputs.attestationVariant }}
           clusterCreation: ${{ inputs.clusterCreation }}
           test: ${{ inputs.test }}
           refStream: ${{ inputs.refStream }}

.github/actions/notify_stackit/action.yml

@@ -0,0 +1,19 @@
+name: Notify STACKIT
+description: "Notify STACKIT about test failure"
+inputs:
+  slackToken:
+    description: "Slack access token."
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Notify STACKIT
+      env:
+        SLACK_TOKEN: ${{ inputs.slackToken }}
+      shell: bash
+      run: |
+          curl -X POST \
+            -H "Authorization: Bearer $SLACK_TOKEN" \
+            -H "Content-type: application/json; charset=utf-8" \
+            -d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \
+            https://slack.com/api/chat.postMessage

.github/actions/notify_teams/README.md

@@ -0,0 +1,27 @@
+# notify Teams action
+
+This action is used to send a message to our Teams channel in case of a failure in the CI/CD pipeline.
+The action will automatically choose an engineer to assign to the issue and tag them in the message.
+
+Engineers are identified by their GitHub username and bound to a Microsoft Teams ID in `.attachments[0].content.msteams.entities`.
+To add a new engineer, add a new entry to the entity list in the format:
+
+```json
+{
+  "type": "mention",
+  "text": "${github_username}",
+  "mentioned": {
+    "id": "${msteams_id}",
+    "name": "${name}"
+  }
+}
+```
+
+Where `${github_username}` is the GitHub username of the engineer, `${msteams_id}` is the Microsoft Teams ID of the engineer, and `${name}` is the name of the engineer.
+To find the Microsoft Teams ID use the following command:
+
+```bash
+az ad user show --id ${email} --query id
+```
+
+Where `${email}` is the email address of the engineer.

.github/actions/notify_teams/action.yml

@@ -25,7 +25,7 @@ runs:
       continue-on-error: true
       shell: bash
       run: |
-        cp .github/teams_payload_template.json teams_payload.json
+        cp .github/actions/notify_teams/teams_payload_template.json teams_payload.json
 
         # Add workflow name to the notification
         yq -oj -iP '.attachments[0].content.body[0].columns[1].items[0].text = "${{ inputs.title }}"' teams_payload.json

.github/actions/notify_teams/teams_payload_template.json

@@ -1,5 +1,5 @@
 {
-    "type": "message",
+    "type": "AdaptiveCard",
     "attachments": [
         {
             "contentType": "application/vnd.microsoft.card.adaptive",
@@ -61,10 +61,10 @@
                         },
                         {
                             "type": "mention",
-                            "text": "<at>malt3</at>",
+                            "text": "<at>burgerdev</at>",
                             "mentioned": {
-                                "id": "3012fe21-cff7-499d-88cf-48cf12f2e90c",
-                                "name": "Malte Poll"
+                                "id": "c9efc581-58ca-4da6-93ce-79f69f89deeb",
+                                "name": "Markus Rudy"
                             }
                         }
                     ]

.github/actions/pick_assignee/action.yml

@@ -15,11 +15,9 @@ runs:
       run: |
         possibleAssignees=(
           "elchead"
-          "malt3"
-          "3u13r"
           "daniel-weisse"
-          "derpsteb"
           "msanft"
+          "burgerdev"
         )
         assignee=${possibleAssignees[$RANDOM % ${#possibleAssignees[@]}]}
         echo "assignee=$assignee" | tee -a "$GITHUB_OUTPUT"

.github/actions/pick_azure_region/action.yml

@@ -1,6 +1,11 @@
 name: Pick an Azure region
 description: "Pick an Azure region"
 
+inputs:
+  attestationVariant:
+    description: "Attestation variant to use. Not all regions support all variants."
+    required: true
+
 outputs:
   region:
     description: "One of the supported Azure regions"
@@ -13,12 +18,25 @@ runs:
       id: pick-region
       shell: bash
       run: |
-        possibleRegions=(
+        possibleRegionsSNP=(
           "westus"
           "eastus"
           "northeurope"
           "westeurope"
           "southeastasia"
         )
+        possibleRegionsTDX=(
+          "centralus"
+          "eastus2"
+          "northeurope"
+          "westeurope"
+        )
+
+        if [[ "${{ inputs.attestationVariant }}" == "azure-tdx" ]]; then
+          possibleRegions=("${possibleRegionsTDX[@]}")
+        else
+          possibleRegions=("${possibleRegionsSNP[@]}")
+        fi
+
         region=${possibleRegions[$RANDOM % ${#possibleRegions[@]}]}
         echo "region=$region" | tee -a "$GITHUB_OUTPUT"

.github/actions/publish_helmchart/action.yml

@@ -13,7 +13,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: edgelesssys/helm
         ref: main
@@ -29,7 +29,7 @@ runs:
         echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
 
     - name: Create pull request
-      uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
       with:
         path: helm
         branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"

.github/actions/select_image/action.yml

@@ -3,22 +3,22 @@ description: Resolve string presets and shortpaths to shortpaths only
 
 inputs:
   osImage:
-    description: "Shortpath or main-debug or release-stable"
+    description: "Shortpath, main-debug, main-nightly, or release-stable"
     required: true
 
 outputs:
   osImage:
-    description: "Shortpath of for input string, original input if that was already a shortpath"
+    description: "Shortpath of input string, original input if that was already a shortpath"
     value: ${{ steps.set-output.outputs.osImage }}
   isDebugImage:
-    description: "Input represents a debug image or not"
+    description: "Input is a debug image or not"
     value: ${{ steps.set-output.outputs.isDebugImage }}
 
 runs:
   using: "composite"
   steps:
     - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
         aws-region: eu-central-1
@@ -27,7 +27,7 @@ runs:
       id: input-is-preset
       shell: bash
       run: |
-        if [[ "${{ inputs.osImage }}" == "ref/main/stream/debug/?" || "${{ inputs.osImage }}" == "ref/release/stream/stable/?" ]]; then
+        if [[ "${{ inputs.osImage }}" == "ref/main/stream/debug/?" || "${{ inputs.osImage }}" == "ref/main/stream/nightly/?" || "${{ inputs.osImage }}" == "ref/release/stream/stable/?" ]]; then
           echo "result=true" | tee -a "$GITHUB_OUTPUT"
         else
           echo "result=false" | tee -a "$GITHUB_OUTPUT"
@@ -43,6 +43,10 @@ runs:
         echo "ref=$(echo $REFSTREAM | cut -d/ -f2)" | tee -a "$GITHUB_OUTPUT"
         echo "stream=$(echo $REFSTREAM | cut -d/ -f4)" | tee -a "$GITHUB_OUTPUT"
 
+    - name: Setup Bazel & Nix
+      if: steps.input-is-preset.outputs.result == 'true'
+      uses: ./.github/actions/setup_bazel_nix
+
     - name: Find latest image
       if: steps.input-is-preset.outputs.result == 'true'
       id: find-latest-image

.github/actions/self_managed_create/action.yml

@@ -1,110 +0,0 @@
-name: Self-managed infrastructure creation
-description: "Create the required infrastructure for a Constellation cluster manually."
-
-inputs:
-  cloudProvider:
-    description: "The cloud provider the test runs on."
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Copy Terraform configuration and Constellation config
-      shell: bash
-      working-directory:
-      run: |
-        cp -r ${{ github.workspace }}/terraform/infrastructure/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra
-        cp ${{ github.workspace }}/constellation-conf.yaml ${{ github.workspace }}/e2e-infra
-
-    - name: Get CSP image reference
-      id: get_image
-      shell: bash
-      working-directory: ${{ github.workspace }}/e2e-infra
-      run: |
-        echo "image_ref=$(bazel run //hack/image-fetch:image-fetch)" >> $GITHUB_OUTPUT
-
-    - name: Write Terraform variables
-      shell: bash
-      working-directory: ${{ github.workspace }}/e2e-infra
-      run: |
-        echo "name = \"$(yq '.name' constellation-conf.yaml)\"" >> terraform.tfvars
-        echo "debug = $(yq '.debugCluster' constellation-conf.yaml)" >> terraform.tfvars
-        echo "custom_endpoint = \"$(yq '.customEndpoint' constellation-conf.yaml)\"" >> terraform.tfvars
-        echo "image_id = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars
-        echo "node_groups = {
-          control_plane_default = {
-            role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\"
-            zone = \"$(yq '.nodeGroups.control_plane_default.zone' constellation-conf.yaml)\"
-            instance_type = \"$(yq '.nodeGroups.control_plane_default.instanceType' constellation-conf.yaml)\"
-            disk_size = \"$(yq '.nodeGroups.control_plane_default.stateDiskSizeGB' constellation-conf.yaml)\"
-            disk_type = \"$(yq '.nodeGroups.control_plane_default.stateDiskType' constellation-conf.yaml)\"
-            initial_count = \"$(yq '.nodeGroups.control_plane_default.initialCount' constellation-conf.yaml)\"
-          }
-          worker_default = {
-            role = \"$(yq '.nodeGroups.worker_default.role' constellation-conf.yaml)\"
-            zone = \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\"
-            instance_type = \"$(yq '.nodeGroups.worker_default.instanceType' constellation-conf.yaml)\"
-            disk_size = \"$(yq '.nodeGroups.worker_default.stateDiskSizeGB' constellation-conf.yaml)\"
-            disk_type = \"$(yq '.nodeGroups.worker_default.stateDiskType' constellation-conf.yaml)\"
-            initial_count = \"$(yq '.nodeGroups.worker_default.initialCount' constellation-conf.yaml)\"
-          }
-        }" >> terraform.tfvars
-        if [[ "${{ inputs.cloudProvider }}" == 'aws' ]]; then
-          echo "iam_instance_profile_name_control_plane = \"$(yq '.provider.aws.iamProfileControlPlane' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "iam_instance_profile_name_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "region = \"$(yq '.provider.aws.region' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "zone = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "enable_snp = $(yq '.attestation | has("awsSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
-        elif [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then
-          echo "location = \"$(yq '.provider.azure.location' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "create_maa = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
-          echo "confidential_vm = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
-          echo "secure_boot = $(yq '.provider.azure.secureBoot' constellation-conf.yaml)" >> terraform.tfvars
-          echo "resource_group = \"$(yq '.provider.azure.resourceGroup' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "user_assigned_identity = \"$(yq '.provider.azure.userAssignedIdentity' constellation-conf.yaml)\"" >> terraform.tfvars
-        elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then
-          echo "project = \"$(yq '.provider.gcp.project' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "region = \"$(yq '.provider.gcp.region' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "zone = \"$(yq '.provider.gcp.zone' constellation-conf.yaml)\"" >> terraform.tfvars
-        fi
-        terraform fmt terraform.tfvars
-        echo "Using Terraform variables:"
-        cat terraform.tfvars
-
-    - name: Apply Terraform configuration
-      shell: bash
-      working-directory: ${{ github.workspace }}/e2e-infra
-      run: |
-        terraform init
-        terraform apply -auto-approve
-
-    - name: Patch MAA Policy
-      shell: bash
-      working-directory: ${{ github.workspace }}/e2e-infra
-      if: inputs.cloudProvider == 'azure'
-      run: |
-        constellation maa-patch $(terraform output attestation_url | jq -r)
-
-    - name: Write outputs to state file
-      shell: bash
-      working-directory: ${{ github.workspace }}/e2e-infra
-      run: |
-        yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.initSecret =\"$(terraform output init_secret | jq -r | tr -d '\n' | hexdump -ve '/1 "%02x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.inClusterEndpoint =\"$(terraform output in_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.ipCidrNode =\"$(terraform output ip_cidr_node | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.uid =\"$(terraform output uid | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.name =\"$(terraform output name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.apiServerCertSANs =$(terraform output -json api_server_cert_sans)" --inplace ${{ github.workspace }}/constellation-state.yaml
-        if [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then
-          yq eval ".infrastructure.azure.resourceGroup =\"$(terraform output resource_group | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-          yq eval ".infrastructure.azure.subscriptionID =\"$(terraform output subscription_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-          yq eval ".infrastructure.azure.networkSecurityGroupName =\"$(terraform output network_security_group_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-          yq eval ".infrastructure.azure.loadBalancerName =\"$(terraform output loadbalancer_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-          yq eval ".infrastructure.azure.userAssignedIdentity =\"$(terraform output user_assigned_identity_client_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-          yq eval ".infrastructure.azure.attestationURL =\"$(terraform output attestation_url | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then
-          yq eval ".infrastructure.gcp.projectID =\"$(terraform output project | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-          yq eval ".infrastructure.gcp.ipCidrPod =\"$(terraform output ip_cidr_pod | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        fi

.github/actions/setup_bazel_nix/action.yml

@@ -3,12 +3,9 @@ description: Setup Bazel and Nix for CI builds and tests
 
 inputs:
   useCache:
-    description: "Cache Bazel artifacts. Use 'true' to enable with rw, 'readonly' to download, 'rbe' to enable with remote execution, 'log' to disable cache but upload logs, and 'false' to disable."
+    description: "Cache Bazel artifacts. Use 'rbe' to enable with remote execution, and 'false' to disable."
     default: "false"
     required: true
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
-    required: false
   rbePlatform:
     description: "RBE platform to use. If empty, RBE will not be used."
     required: false
@@ -25,12 +22,8 @@ runs:
       shell: bash
       run: |
         echo "::group::Check inputs"
-        if [[ "${{ inputs.useCache }}" != "true" && "${{ inputs.useCache }}" != "readonly" && "${{ inputs.useCache }}" != "rbe" && "${{ inputs.useCache }}" != "logs" && "${{ inputs.useCache }}" != "false" ]]; then
-          echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'true', 'readonly', or 'false'."
-          exit 1
-        fi
-        if [[ "${{ inputs.useCache }}" == "true" || "${{ inputs.useCache }}" == "readonly" || "${{ inputs.useCache }}" == "logs" ]] && [[ -z "${{ inputs.buildBuddyApiKey }}" ]]; then
-          echo "BuildBuddy API key is required when cache is enabled."
+        if [[ "${{ inputs.useCache }}" != "rbe" && "${{ inputs.useCache }}" != "false" ]]; then
+          echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'rbe', or 'false'."
           exit 1
         fi
         if [[ "${{ inputs.useCache }}" == "rbe" && -z "${{ inputs.rbePlatform }}" ]]; then
@@ -82,8 +75,14 @@ runs:
             echo "$RUNNER_ARCH not supported"
             exit 1
         fi
+        echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT"
         echo "::endgroup::"
 
+    - name: Install current Bash on macOS
+      shell: bash
+      if: runner.os == 'macOS'
+      run: brew install bash
+
     - name: Prepare to install tools
       shell: bash
       run: |
@@ -115,7 +114,9 @@ runs:
 
     - name: Install nix
       if: steps.check_inputs.outputs.nixPreinstalled == 'false'
-      uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31
+      with:
+        install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"
 
     - name: Set $USER if not set
       shell: bash
@@ -177,57 +178,6 @@ runs:
         EOF
         echo "::endgroup::"
 
-    - name: Configure Bazel (rw)
-      if: inputs.useCache == 'true' || inputs.useCache == 'readonly'
-      shell: bash
-      env:
-        BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
-        WORKSPACE: ${{ github.workspace }}
-      run: |
-        echo "::group::Configure Bazel"
-        cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
-        common --bes_results_url=https://app.buildbuddy.io/invocation/
-        common --bes_backend=grpcs://remote.buildbuddy.io
-        common --remote_cache=grpcs://remote.buildbuddy.io
-        common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
-        cquery --bes_results_url=
-        cquery --bes_backend=
-        cquery --remote_cache=
-        query --bes_results_url=
-        query --bes_backend=
-        query --remote_cache=
-        EOF
-        echo "::endgroup::"
-
-    - name: Configure Bazel (readonly)
-      if: inputs.useCache == 'readonly'
-      shell: bash
-      env:
-        WORKSPACE: ${{ github.workspace }}
-      run: |
-        echo "::group::Configure Bazel (readonly)"
-        echo "common --remote_upload_local_results=false" >> "${WORKSPACE}/.bazeloverwriterc"
-        echo "::endgroup::"
-
-    - name: Configure Bazel (logs)
-      if: inputs.useCache == 'logs'
-      shell: bash
-      env:
-        BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
-        WORKSPACE: ${{ github.workspace }}
-      run: |
-        echo "::group::Configure Bazel"
-        cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
-        common --bes_results_url=https://app.buildbuddy.io/invocation/
-        common --bes_backend=grpcs://remote.buildbuddy.io
-        common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
-        cquery --bes_results_url=
-        cquery --bes_backend=
-        query --bes_results_url=
-        query --bes_backend=
-        EOF
-        echo "::endgroup::"
-
     - name: Configure Bazel (rbe)
       if: inputs.useCache == 'rbe'
       shell: bash
@@ -242,24 +192,6 @@ runs:
         common --repo_env=GOPROXY=http://goproxy:3000
         EOF
         echo "::endgroup::"
-    - name: Configure Bazel (rbe logs)
-      if: inputs.useCache == 'rbe' && inputs.buildBuddyApiKey != ''
-      shell: bash
-      env:
-        BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
-        WORKSPACE: ${{ github.workspace }}
-      run: |
-        echo "::group::Configure Bazel"
-        cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
-        common --bes_results_url=https://app.buildbuddy.io/invocation/
-        common --bes_backend=grpcs://remote.buildbuddy.io
-        common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
-        cquery --bes_results_url=
-        cquery --bes_backend=
-        query --bes_results_url=
-        query --bes_backend=
-        EOF
-        echo "::endgroup::"
 
     - name: Disable disk cache on GitHub Actions runners
       if: startsWith(runner.name , 'GitHub Actions')
@@ -276,6 +208,7 @@ runs:
       if: inputs.nixTools != ''
       shell: bash
       env:
+        NIXPKGS_ALLOW_UNFREE: 1
         tools: ${{ inputs.nixTools }}
         repository: ${{ github.repository }}
         gitSha: ${{ github.sha }}
@@ -288,7 +221,7 @@ runs:
         { tools, repository, rev }:
         let
           repoFlake = builtins.getFlake ("github:" + repository + "/" + rev);
-          nixpkgs = repoFlake.inputs.nixpkgsUnstable;
+          nixpkgs = repoFlake.inputs.nixpkgs;
           pkgs = import nixpkgs { system = builtins.currentSystem; };
           toolPkgs = map (p: pkgs.${p}) tools;
         in

.github/actions/terraform_apply/action.yml

@@ -20,9 +20,18 @@ runs:
           "azureSEVSNP")
             attestationVariant="azure-sev-snp"
             ;;
+          "azureTDX")
+            attestationVariant="azure-tdx"
+            ;;
           "gcpSEVES")
             attestationVariant="gcp-sev-es"
             ;;
+          "gcpSEVSNP")
+            attestationVariant="gcp-sev-snp"
+            ;;
+          "qemuVTPM")
+            attestationVariant="qemu-vtpm"
+            ;;
           *)
             echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
             exit 1
@@ -38,7 +47,7 @@ runs:
             }
             random = {
               source  = "hashicorp/random"
-              version = "3.6.0"
+              version = "3.7.1"
             }
           }
         }
@@ -83,6 +92,7 @@ runs:
           measurement_salt                   = random_bytes.measurement_salt.hex
           out_of_cluster_endpoint            = "$(yq '.infrastructure.clusterEndpoint' constellation-state.yaml)"
           in_cluster_endpoint                = "$(yq '.infrastructure.inClusterEndpoint' constellation-state.yaml)"
+          kubernetes_version                 = "$(yq '.kubernetesVersion' constellation-conf.yaml)"
           azure = {
             count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "azure" ? 1 : 0
             tenant_id                   = "$(yq '.provider.azure.tenant' constellation-conf.yaml)"
@@ -99,6 +109,16 @@ runs:
             project_id          = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
             service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
           }
+          openstack = {
+            cloud                      = "stackit"
+            clouds_yaml_path           = "~/.config/openstack/clouds.yaml"
+            floating_ip_pool_id        = "970ace5c-458f-484a-a660-0903bcfd91ad"
+            deploy_yawol_load_balancer = true
+            yawol_image_id             = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be"
+            yawol_flavor_id            = "3b11b27e-6c73-470d-b595-1d85b95a8cdf"
+            network_id                 = "$(yq '.infrastructure.networkID' constellation-state.yaml)"
+            subnet_id                  = "$(yq '.infrastructure.subnetID' constellation-state.yaml)"
+          }
           network_config = {
             ip_cidr_node    = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
             ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"

.github/actions/update_tfstate/action.yml

@@ -0,0 +1,64 @@
+name: Update TFState
+description: "Update the terraform state artifact. We use this to either delete an artifact if the e2e test was cleaned up successfully or to update the artifact with the latest terraform state."
+
+inputs:
+  name:
+    description: "The name of the artifact that contains the tfstate."
+    required: true
+  runID:
+    description: "The ID of your current run (github.run_id)."
+    required: true
+  encryptionSecret:
+    description: "The encryption secret for the artifacts."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Check if uploaded tfstate can be deleted
+      if: always()
+      shell: bash
+      run: |
+        if [[ ! -d constellation-terraform ]] && [[ ! -d constellation-iam-terraform ]]; then
+          echo "DELETE_TF_STATE=true" >> "$GITHUB_ENV"
+        else
+          echo "DELETE_TF_STATE=false" >> "$GITHUB_ENV"
+        fi
+
+    - name: Delete tfstate artifact if necessary
+      if: always() && env.DELETE_TF_STATE == 'true'
+      uses: ./.github/actions/artifact_delete
+      with:
+        name: ${{ inputs.name }}
+        workflowID: ${{ inputs.runID }}
+
+    - name: Prepare left over terraform state folders
+      if: always() && env.DELETE_TF_STATE == 'false'
+      shell: bash
+      run: |
+        rm -rf to-zip/*
+        mkdir -p to-zip
+
+        to_upload=""
+        if [[ -d constellation-terraform ]]; then
+          cp -r constellation-terraform to-zip
+          rm -f to-zip/constellation-terraform/plan.zip
+          rm -rf to-zip/constellation-terraform/.terraform
+          to_upload+="to-zip/constellation-terraform"
+        fi
+        if [[ -d constellation-iam-terraform ]]; then
+          cp -r constellation-iam-terraform to-zip
+          rm -rf to-zip/constellation-iam-terraform/.terraform
+          to_upload+=" to-zip/constellation-iam-terraform"
+        fi
+        echo "TO_UPLOAD=$to_upload" >> "$GITHUB_ENV"
+
+    - name: Update tfstate
+      if: always() && env.TO_UPLOAD != ''
+      uses: ./.github/actions/artifact_upload
+      with:
+        name: ${{ inputs.name }}
+        path: >
+          ${{ env.TO_UPLOAD }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+        overwrite: true

.github/actions/upload_terraform_module/action.yml

@@ -15,7 +15,7 @@ runs:
         zip -r terraform-module.zip terraform-module
 
     - name: Upload artifact
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: terraform-module
         path: terraform-module.zip
@@ -23,4 +23,4 @@ runs:
     - name: Cleanup Terraform module dir
       shell: bash
       run: |
-        rm -r terraform-module terraform-module.zip
+        rm -rf terraform-module terraform-module.zip

.github/actions/versionsapi/Dockerfile

@@ -1,23 +0,0 @@
-FROM golang:1.21.5@sha256:58e14a93348a3515c2becc54ebd35302128225169d166b7c6802451ab336c907 as builder
-
-# Download project root dependencies
-WORKDIR /workspace
-COPY go.mod go.mod
-COPY go.sum go.sum
-COPY operators/constellation-node-operator/api/go.mod ./operators/constellation-node-operator/api/go.mod
-COPY operators/constellation-node-operator/api/go.sum ./operators/constellation-node-operator/api/go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-COPY . .
-
-# Build
-WORKDIR /workspace/internal/api/versionsapi/cli
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o versionsapi .
-
-FROM scratch as release
-
-COPY --from=builder /workspace/internal/api/versionsapi/cli/versionsapi .
-
-CMD ["/notIntendedToBeExecuted"]

.github/actions/versionsapi/action.yml

@@ -52,18 +52,12 @@ outputs:
 runs:
   using: composite
   steps:
-    - name: Get versionsapi binary
-      shell: bash
-      run: |
-        containerID=$(docker create "ghcr.io/edgelesssys/constellation/versionsapi-ci-cli:latest")
-        docker cp ${containerID}:/versionsapi .
-
     - name: Run versionsapi
       id: run
       shell: bash
       run: |
         out=$(
-          ./versionsapi \
+          bazel run //internal/api/versionsapi/cli:cli -- \
             ${{ inputs.command }} \
             ${{ inputs.ref != '' && format('--ref="{0}"', inputs.ref) || '' }} \
             ${{ inputs.stream != '' && format('--stream="{0}"', inputs.stream) || '' }} \

.github/pull_request_template.md

@@ -26,6 +26,7 @@ Feel free to edit, complete or extend this list while the PR is open.
 ### Checklist
 <!-- Remove items that do not apply. For completed items, change [ ] to [x], or check after submitting. -->
 <!-- more information in dev-docs/workflows/pull-request.md -->
+- [ ] Run the E2E tests that are relevant to this PR's changes
 - [ ] Update [docs](https://github.com/edgelesssys/constellation/tree/main/docs)
 - [ ] Add labels (e.g., for changelog category)
 - [ ] Is PR title adequate for changelog?

.github/workflows/assign_reviewer.yml

@@ -0,0 +1,36 @@
+name: Assign Reviewer
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+      - review_request_removed
+      - labeled
+
+permissions:
+  pull-requests: write
+
+jobs:
+  assign_reviewer:
+    runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'dependencies') && toJson(github.event.pull_request.requested_reviewers) == '[]' &&  github.event.pull_request.user.login == 'renovate[bot]'
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Pick assignee
+      id: pick-assignee
+      uses: ./.github/actions/pick_assignee
+    - name: Assign reviewer
+      env:
+        GH_TOKEN: ${{ github.token }}
+        PR: ${{ github.event.pull_request.number }}
+        ASSIGNEE: ${{ steps.pick-assignee.outputs.assignee }}
+      run: |
+        gh api \
+          --method POST \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          "/repos/edgelesssys/constellation/pulls/${PR}/requested_reviewers" \
+          -f "reviewers[]=${ASSIGNEE}"

.github/workflows/aws-snp-launchmeasurement.yml

@@ -8,26 +8,20 @@ on:
 
 jobs:
   run:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: Checkout repository
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
         path: constellation
 
-    - name: Install necessary tools
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y python3 python3-pip
-        sudo python3 -m pip install --user --require-hashes -r constellation/.github/workflows/aws-snp-launchmeasurements-requirements.txt
-
     - name: Install Nix
-      uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31
 
     - name: Download Firmware release
       id: download-firmware
-      uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # tag=v1.8
+      uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
       with:
         repository: aws/uefi
         latest: true
@@ -50,7 +44,7 @@ jobs:
         echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
         popd || exit 1
 
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: virtee/sev-snp-measure-go.git
         ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8

.github/workflows/aws-snp-launchmeasurements-requirements.txt

@@ -1,109 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile --generate-hashes --output-file=aws-snp-launchmeasurements-requirements.txt input.txt
-#
-cffi==1.15.1 \
-    --hash=sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5 \
-    --hash=sha256:03425bdae262c76aad70202debd780501fabeaca237cdfddc008987c0e0f59ef \
-    --hash=sha256:04ed324bda3cda42b9b695d51bb7d54b680b9719cfab04227cdd1e04e5de3104 \
-    --hash=sha256:0e2642fe3142e4cc4af0799748233ad6da94c62a8bec3a6648bf8ee68b1c7426 \
-    --hash=sha256:173379135477dc8cac4bc58f45db08ab45d228b3363adb7af79436135d028405 \
-    --hash=sha256:198caafb44239b60e252492445da556afafc7d1e3ab7a1fb3f0584ef6d742375 \
-    --hash=sha256:1e74c6b51a9ed6589199c787bf5f9875612ca4a8a0785fb2d4a84429badaf22a \
-    --hash=sha256:2012c72d854c2d03e45d06ae57f40d78e5770d252f195b93f581acf3ba44496e \
-    --hash=sha256:21157295583fe8943475029ed5abdcf71eb3911894724e360acff1d61c1d54bc \
-    --hash=sha256:2470043b93ff09bf8fb1d46d1cb756ce6132c54826661a32d4e4d132e1977adf \
-    --hash=sha256:285d29981935eb726a4399badae8f0ffdff4f5050eaa6d0cfc3f64b857b77185 \
-    --hash=sha256:30d78fbc8ebf9c92c9b7823ee18eb92f2e6ef79b45ac84db507f52fbe3ec4497 \
-    --hash=sha256:320dab6e7cb2eacdf0e658569d2575c4dad258c0fcc794f46215e1e39f90f2c3 \
-    --hash=sha256:33ab79603146aace82c2427da5ca6e58f2b3f2fb5da893ceac0c42218a40be35 \
-    --hash=sha256:3548db281cd7d2561c9ad9984681c95f7b0e38881201e157833a2342c30d5e8c \
-    --hash=sha256:3799aecf2e17cf585d977b780ce79ff0dc9b78d799fc694221ce814c2c19db83 \
-    --hash=sha256:39d39875251ca8f612b6f33e6b1195af86d1b3e60086068be9cc053aa4376e21 \
-    --hash=sha256:3b926aa83d1edb5aa5b427b4053dc420ec295a08e40911296b9eb1b6170f6cca \
-    --hash=sha256:3bcde07039e586f91b45c88f8583ea7cf7a0770df3a1649627bf598332cb6984 \
-    --hash=sha256:3d08afd128ddaa624a48cf2b859afef385b720bb4b43df214f85616922e6a5ac \
-    --hash=sha256:3eb6971dcff08619f8d91607cfc726518b6fa2a9eba42856be181c6d0d9515fd \
-    --hash=sha256:40f4774f5a9d4f5e344f31a32b5096977b5d48560c5592e2f3d2c4374bd543ee \
-    --hash=sha256:4289fc34b2f5316fbb762d75362931e351941fa95fa18789191b33fc4cf9504a \
-    --hash=sha256:470c103ae716238bbe698d67ad020e1db9d9dba34fa5a899b5e21577e6d52ed2 \
-    --hash=sha256:4f2c9f67e9821cad2e5f480bc8d83b8742896f1242dba247911072d4fa94c192 \
-    --hash=sha256:50a74364d85fd319352182ef59c5c790484a336f6db772c1a9231f1c3ed0cbd7 \
-    --hash=sha256:54a2db7b78338edd780e7ef7f9f6c442500fb0d41a5a4ea24fff1c929d5af585 \
-    --hash=sha256:5635bd9cb9731e6d4a1132a498dd34f764034a8ce60cef4f5319c0541159392f \
-    --hash=sha256:59c0b02d0a6c384d453fece7566d1c7e6b7bae4fc5874ef2ef46d56776d61c9e \
-    --hash=sha256:5d598b938678ebf3c67377cdd45e09d431369c3b1a5b331058c338e201f12b27 \
-    --hash=sha256:5df2768244d19ab7f60546d0c7c63ce1581f7af8b5de3eb3004b9b6fc8a9f84b \
-    --hash=sha256:5ef34d190326c3b1f822a5b7a45f6c4535e2f47ed06fec77d3d799c450b2651e \
-    --hash=sha256:6975a3fac6bc83c4a65c9f9fcab9e47019a11d3d2cf7f3c0d03431bf145a941e \
-    --hash=sha256:6c9a799e985904922a4d207a94eae35c78ebae90e128f0c4e521ce339396be9d \
-    --hash=sha256:70df4e3b545a17496c9b3f41f5115e69a4f2e77e94e1d2a8e1070bc0c38c8a3c \
-    --hash=sha256:7473e861101c9e72452f9bf8acb984947aa1661a7704553a9f6e4baa5ba64415 \
-    --hash=sha256:8102eaf27e1e448db915d08afa8b41d6c7ca7a04b7d73af6514df10a3e74bd82 \
-    --hash=sha256:87c450779d0914f2861b8526e035c5e6da0a3199d8f1add1a665e1cbc6fc6d02 \
-    --hash=sha256:8b7ee99e510d7b66cdb6c593f21c043c248537a32e0bedf02e01e9553a172314 \
-    --hash=sha256:91fc98adde3d7881af9b59ed0294046f3806221863722ba7d8d120c575314325 \
-    --hash=sha256:94411f22c3985acaec6f83c6df553f2dbe17b698cc7f8ae751ff2237d96b9e3c \
-    --hash=sha256:98d85c6a2bef81588d9227dde12db8a7f47f639f4a17c9ae08e773aa9c697bf3 \
-    --hash=sha256:9ad5db27f9cabae298d151c85cf2bad1d359a1b9c686a275df03385758e2f914 \
-    --hash=sha256:a0b71b1b8fbf2b96e41c4d990244165e2c9be83d54962a9a1d118fd8657d2045 \
-    --hash=sha256:a0f100c8912c114ff53e1202d0078b425bee3649ae34d7b070e9697f93c5d52d \
-    --hash=sha256:a591fe9e525846e4d154205572a029f653ada1a78b93697f3b5a8f1f2bc055b9 \
-    --hash=sha256:a5c84c68147988265e60416b57fc83425a78058853509c1b0629c180094904a5 \
-    --hash=sha256:a66d3508133af6e8548451b25058d5812812ec3798c886bf38ed24a98216fab2 \
-    --hash=sha256:a8c4917bd7ad33e8eb21e9a5bbba979b49d9a97acb3a803092cbc1133e20343c \
-    --hash=sha256:b3bbeb01c2b273cca1e1e0c5df57f12dce9a4dd331b4fa1635b8bec26350bde3 \
-    --hash=sha256:cba9d6b9a7d64d4bd46167096fc9d2f835e25d7e4c121fb2ddfc6528fb0413b2 \
-    --hash=sha256:cc4d65aeeaa04136a12677d3dd0b1c0c94dc43abac5860ab33cceb42b801c1e8 \
-    --hash=sha256:ce4bcc037df4fc5e3d184794f27bdaab018943698f4ca31630bc7f84a7b69c6d \
-    --hash=sha256:cec7d9412a9102bdc577382c3929b337320c4c4c4849f2c5cdd14d7368c5562d \
-    --hash=sha256:d400bfb9a37b1351253cb402671cea7e89bdecc294e8016a707f6d1d8ac934f9 \
-    --hash=sha256:d61f4695e6c866a23a21acab0509af1cdfd2c013cf256bbf5b6b5e2695827162 \
-    --hash=sha256:db0fbb9c62743ce59a9ff687eb5f4afbe77e5e8403d6697f7446e5f609976f76 \
-    --hash=sha256:dd86c085fae2efd48ac91dd7ccffcfc0571387fe1193d33b6394db7ef31fe2a4 \
-    --hash=sha256:e00b098126fd45523dd056d2efba6c5a63b71ffe9f2bbe1a4fe1716e1d0c331e \
-    --hash=sha256:e229a521186c75c8ad9490854fd8bbdd9a0c9aa3a524326b55be83b54d4e0ad9 \
-    --hash=sha256:e263d77ee3dd201c3a142934a086a4450861778baaeeb45db4591ef65550b0a6 \
-    --hash=sha256:ed9cb427ba5504c1dc15ede7d516b84757c3e3d7868ccc85121d9310d27eed0b \
-    --hash=sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01 \
-    --hash=sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0
-    # via cryptography
-cryptography==41.0.4 \
-    --hash=sha256:004b6ccc95943f6a9ad3142cfabcc769d7ee38a3f60fb0dddbfb431f818c3a67 \
-    --hash=sha256:047c4603aeb4bbd8db2756e38f5b8bd7e94318c047cfe4efeb5d715e08b49311 \
-    --hash=sha256:0d9409894f495d465fe6fda92cb70e8323e9648af912d5b9141d616df40a87b8 \
-    --hash=sha256:23a25c09dfd0d9f28da2352503b23e086f8e78096b9fd585d1d14eca01613e13 \
-    --hash=sha256:2ed09183922d66c4ec5fdaa59b4d14e105c084dd0febd27452de8f6f74704143 \
-    --hash=sha256:35c00f637cd0b9d5b6c6bd11b6c3359194a8eba9c46d4e875a3660e3b400005f \
-    --hash=sha256:37480760ae08065437e6573d14be973112c9e6dcaf5f11d00147ee74f37a3829 \
-    --hash=sha256:3b224890962a2d7b57cf5eeb16ccaafba6083f7b811829f00476309bce2fe0fd \
-    --hash=sha256:5a0f09cefded00e648a127048119f77bc2b2ec61e736660b5789e638f43cc397 \
-    --hash=sha256:5b72205a360f3b6176485a333256b9bcd48700fc755fef51c8e7e67c4b63e3ac \
-    --hash=sha256:7e53db173370dea832190870e975a1e09c86a879b613948f09eb49324218c14d \
-    --hash=sha256:7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a \
-    --hash=sha256:80907d3faa55dc5434a16579952ac6da800935cd98d14dbd62f6f042c7f5e839 \
-    --hash=sha256:86defa8d248c3fa029da68ce61fe735432b047e32179883bdb1e79ed9bb8195e \
-    --hash=sha256:8ac4f9ead4bbd0bc8ab2d318f97d85147167a488be0e08814a37eb2f439d5cf6 \
-    --hash=sha256:93530900d14c37a46ce3d6c9e6fd35dbe5f5601bf6b3a5c325c7bffc030344d9 \
-    --hash=sha256:9eeb77214afae972a00dee47382d2591abe77bdae166bda672fb1e24702a3860 \
-    --hash=sha256:b5f4dfe950ff0479f1f00eda09c18798d4f49b98f4e2006d644b3301682ebdca \
-    --hash=sha256:c3391bd8e6de35f6f1140e50aaeb3e2b3d6a9012536ca23ab0d9c35ec18c8a91 \
-    --hash=sha256:c880eba5175f4307129784eca96f4e70b88e57aa3f680aeba3bab0e980b0f37d \
-    --hash=sha256:cecfefa17042941f94ab54f769c8ce0fe14beff2694e9ac684176a2535bf9714 \
-    --hash=sha256:e40211b4923ba5a6dc9769eab704bdb3fbb58d56c5b336d30996c24fcf12aadb \
-    --hash=sha256:efc8ad4e6fc4f1752ebfb58aefece8b4e3c4cae940b0994d43649bdfce8d0d4f
-    # via sev-snp-measure
-pycparser==2.21 \
-    --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \
-    --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206
-    # via cffi
-sev-snp-measure==0.0.7 \
-    --hash=sha256:2625dab37898e9658b25b646d4a3bcceee1fb1b6b94d71bb7f59350faf3753ed \
-    --hash=sha256:503ce35ea7469f1751233c69820c329d38c6d61a09cb3eedbfd591a1438464a4
-    # via -r input.txt
-types-cryptography==3.3.23.2 \
-    --hash=sha256:09cc53f273dd4d8c29fa7ad11fefd9b734126d467960162397bc5e3e604dea75 \
-    --hash=sha256:b965d548f148f8e87f353ccf2b7bd92719fdf6c845ff7cedf2abb393a0643e4f
-    # via sev-snp-measure

.github/workflows/build-bazel-container.yml

@@ -1,57 +0,0 @@
-name: Build bazel dev container
-
-on:
-  push:
-    branches:
-       - "main"
-    paths:
-      - "bazel/container/**"
-      - ".github/workflows/build-bazel-container.yml"
-  workflow_dispatch:
-
-jobs:
-  build-container:
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-
-      - name: Determine version
-        id: version
-        working-directory: ./bazel/container
-        run: |
-          version=$(grep "ARG BAZEL_VERSION" Containerfile | cut -d= -f2)
-          echo "version=v${version}" | tee -a "$GITHUB_OUTPUT"
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
-        with:
-          images: |
-            ghcr.io/edgelesssys/bazel-container
-          flavor: |
-            latest=false
-          tags: |
-            type=raw,value=${{ steps.version.outputs.version }},enable=${{ github.ref_name == 'main' }}
-            type=raw,value=${{ github.ref_name }},enable=${{ github.ref_name != 'main' }}
-            type=sha,value=${{ github.sha }}
-            type=raw,value=latest,enable=${{ github.ref_name == 'main' }}
-
-      - name: Log in to the Container registry
-        uses: ./.github/actions/container_registry_login
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push container image
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
-        with:
-          context: ./bazel/container
-          file: ./bazel/container/Containerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-binaries.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: [arc-runner-set]
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
@@ -31,7 +31,6 @@ jobs:
         with:
           useCache: "rbe"
           rbePlatform: "ubuntu-22.04"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Build all
         shell: bash

.github/workflows/build-ccm-gcp.yml

@@ -13,30 +13,30 @@ on:
 
 jobs:
   find-ccm-versions:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       versions: ${{ steps.find-versions.outputs.versions }}
       latest: ${{ steps.find-latest.outputs.latest }}
     steps:
       - name: Checkout Constellation
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: "kubernetes/cloud-provider-gcp"
           path: "cloud-provider-gcp"
           fetch-depth: 0
 
       - name: Setup Go environment
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.21.5"
+          go-version: "1.24.2"
           cache: false
 
       - name: Install Crane
         run: |
-          go install github.com/google/go-containerregistry/cmd/crane@latest
+          go install github.com/google/go-containerregistry/cmd/crane@c195f151efe3369874c72662cd69ad43ee485128 # v0.20.2
 
       - name: Find versions
         id: find-versions
@@ -54,7 +54,7 @@ jobs:
   build-ccm-gcp:
     # matrix cannot handle empty lists
     if: needs.find-ccm-versions.outputs.versions != '[]'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
@@ -65,10 +65,10 @@ jobs:
         version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
     steps:
       - name: Checkout Constellation
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: "kubernetes/cloud-provider-gcp"
           path: "cloud-provider-gcp"
@@ -76,7 +76,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             ghcr.io/edgelesssys/cloud-provider-gcp
@@ -113,7 +113,7 @@ jobs:
 
       - name: Build and push container image
         id: build
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: ./cloud-provider-gcp
           push: ${{ github.ref_name == 'main' }}

.github/workflows/build-gcp-guest-agent.yml

@@ -10,7 +10,7 @@ env:
 
 jobs:
   build-gcp-guest-agent:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
@@ -69,7 +69,7 @@ jobs:
 
       - name: Checkout GoogleCloudPlatform/guest-agent
         if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: "GoogleCloudPlatform/guest-agent"
           ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@@ -77,7 +77,7 @@ jobs:
 
       - name: Checkout Constellation
         if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: "constellation"
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@@ -85,7 +85,7 @@ jobs:
       - name: Docker meta
         id: meta
         if: steps.needs-build.outputs.out == 'true'
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@@ -114,7 +114,7 @@ jobs:
       - name: Build and push container image
         if: steps.needs-build.outputs.out == 'true'
         id: build
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: ./guest-agent
           file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile

.github/workflows/build-libvirt-container.yml

@@ -13,18 +13,17 @@ on:
 
 jobs:
   build-container:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
         with:
-          useCache: "false"
           nixTools: |
             crane
             gzip

.github/workflows/build-logcollector-images.yml

@@ -13,14 +13,14 @@ on:
 
 jobs:
   build-logcollector-debugd-images:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
     steps:
       - name: Check out repository
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 

.github/workflows/build-os-image-scheduled.yml

@@ -4,15 +4,15 @@ on:
   workflow_dispatch:
   schedule:
     - cron: "0 21 * * 2" # At 21:00 on Tuesday.
-    - cron: "10 21 * * 2" # At 21:10 on Tuesday.
     - cron: "20 21 * * 2" # At 21:20 on Tuesday.
+    - cron: "40 21 * * 2" # At 21:40 on Tuesday.
     - cron: "0 21 * * 4" # At 21:00 on Thursday.
-    - cron: "10 21 * * 4" # At 21:10 on Thursday.
     - cron: "20 21 * * 4" # At 21:20 on Thursday.
+    - cron: "40 21 * * 4" # At 21:40 on Thursday.
 
 jobs:
   stream:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       stream: ${{ steps.stream.outputs.stream }}
     steps:
@@ -28,10 +28,10 @@ jobs:
             "0 21 * * 4" | "0 21 * * 2")
               echo "stream=debug" | tee -a "$GITHUB_OUTPUT"
               ;;
-            "10 21 * * 4" | "10 21 * * 2")
+            "20 21 * * 4" | "20 21 * * 2")
               echo "stream=console" | tee -a "$GITHUB_OUTPUT"
               ;;
-            "20 21 * * 4" | "20 21 * * 2")
+            "40 21 * * 4" | "40 21 * * 2")
               echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
               ;;
             *)
@@ -54,22 +54,20 @@ jobs:
 
   update-code:
     # On nightly stream only.
-    if: |
-      github.event_name == 'workflow_dispatch' ||
-      github.event.schedule == '20 21 * * 4' ||
-      github.event.schedule == '20 21 * * 2'
-    needs: build-image
-    runs-on: ubuntu-22.04
+    if: needs.stream.outputs.stream == 'nightly'
+    needs: ["build-image", "stream"]
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.head_ref }}
+          token: ${{ secrets.CI_COMMIT_PUSH_PR }}
 
       - name: Setup Go environment
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.21.5"
+          go-version: "1.24.2"
           cache: false
 
       - name: Determine version
@@ -99,7 +97,7 @@ jobs:
         run: rm -f internal/attestation/measurements/measurement-generator/generate
 
       - name: Create pull request
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           branch: "image/automated/update-measurements-${{ github.run_number }}"
           base: main
@@ -111,6 +109,7 @@ jobs:
             It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation).
           commit-message: "image: update measurements and image version"
           committer: edgelessci <edgelessci@users.noreply.github.com>
+          author: edgelessci <edgelessci@users.noreply.github.com>
           labels: no changelog
           # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
           token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
@@ -118,10 +117,10 @@ jobs:
   notify-failure:
     if: failure()
     needs: [ "stream", "build-image", "update-code" ]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.head_ref }}
 

.github/workflows/build-os-image.yml

@@ -47,7 +47,7 @@ on:
 jobs:
   build-settings:
     name: "Determine build settings"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       ref: ${{ steps.ref.outputs.ref }}
       stream: ${{ steps.stream.outputs.stream }}
@@ -59,7 +59,7 @@ jobs:
       cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -129,110 +129,16 @@ jobs:
             echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
           fi
 
-  make-os-image:
-    name: "Build OS using mkosi"
+  upload-os-image:
+    name: "Build OS using mkosi and upload it to CSPs"
     needs: [build-settings]
     runs-on: ubuntu-latest-8-cores
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - csp: aws
-            attestation_variant: aws-nitro-tpm
-          - csp: aws
-            attestation_variant: aws-sev-snp
-          - csp: azure
-            attestation_variant: azure-sev-snp
-          - csp: gcp
-            attestation_variant: gcp-sev-es
-          - csp: gcp
-            attestation_variant: gcp-sev-snp
-          - csp: qemu
-            attestation_variant: qemu-vtpm
-          - csp: openstack
-            attestation_variant: qemu-vtpm
-    steps:
-      - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        with:
-          ref: ${{ inputs.ref || github.head_ref }}
-
-      - uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "false"
-
-      - name: Build
-        id: build
-        shell: bash
-        working-directory: ${{ github.workspace }}/image
-        env:
-          TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
-        run: |
-          echo "::group::Build"
-          bazel build //image/base:rpmdb
-          bazel build "${TARGET}"
-          {
-            echo "image-dir=$(bazel cquery --output=files "$TARGET")"
-            echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
-          } | tee -a "$GITHUB_OUTPUT"
-          echo "::endgroup::"
-
-      - name: Upload raw OS image as artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-          path: ${{ steps.build.outputs.image-dir }}/constellation.raw
-
-      - name: Upload individual OS parts as artifacts
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-          path: |
-            ${{ steps.build.outputs.image-dir }}/constellation.efi
-            ${{ steps.build.outputs.image-dir }}/constellation.initrd
-            ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
-
-      - name: Upload sbom info as artifact
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-        with:
-          name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-          path: ${{ steps.build.outputs.rpmdb }}
-
-  upload-os-image:
-    name: "Upload OS image to CSP"
-    needs: [build-settings, make-os-image]
-    runs-on: ubuntu-22.04
     permissions:
       id-token: write
       contents: read
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - csp: aws
-            attestation_variant: aws-nitro-tpm
-          - csp: aws
-            attestation_variant: aws-sev-snp
-          - csp: azure
-            attestation_variant: azure-sev-snp
-          - csp: gcp
-            attestation_variant: gcp-sev-es
-          - csp: gcp
-            attestation_variant: gcp-sev-snp
-          - csp: qemu
-            attestation_variant: qemu-vtpm
-          - csp: openstack
-            attestation_variant: qemu-vtpm
-    env:
-      RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/constellation.raw
-      JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json
-      AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd
-      GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz
-      SHORTNAME: ${{ needs.build-settings.outputs.imageNameShort }}
-      ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -240,466 +146,85 @@ jobs:
         with:
           useCache: "false"
 
-      - name: Download OS image artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-        with:
-          name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
-
-      - name: Install tools
-        shell: bash
-        run: |
-          echo "::group::Install tools"
-          sudo apt-get update
-          sudo apt-get install -y \
-            pigz \
-            qemu-utils \
-            python3-pip
-          echo "::endgroup::"
-
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
           aws-region: eu-central-1
 
       - name: Login to Azure
-        if: matrix.csp == 'azure'
         uses: ./.github/actions/login_azure
         with:
           azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
 
       - name: Login to GCP
-        if: matrix.csp == 'gcp'
         uses: ./.github/actions/login_gcp
         with:
           service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"
 
-      - name: Upload AWS image
-        if: matrix.csp == 'aws'
+      - name: Login to OpenStack
+        uses: ./.github/actions/login_openstack
+        with:
+          clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}
+
+      - name: Allow unrestricted user namespaces
+        shell: bash
+        run: |
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+          
+      - name: Build and upload
+        id: build
         shell: bash
         working-directory: ${{ github.workspace }}/image
-        run: |
-          echo "::group::Upload AWS image"
-          bazel run //image/upload -- image aws \
-            --verbose \
-            --raw-image "${RAW_IMAGE_PATH}" \
-            --attestation-variant "${ATTESTATION_VARIANT}" \
-            --version "${SHORTNAME}" \
-            --out "${JSON_OUTPUT}"
-          echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
-          echo "::endgroup::"
-
-      - name: Upload GCP image
-        if: matrix.csp == 'gcp'
-        shell: bash
-        working-directory: ${{ github.workspace }}/image
-        run: |
-          echo "::group::Upload GCP image"
-          upload/pack.sh gcp "${RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
-          bazel run //image/upload -- image gcp \
-            --verbose \
-            --raw-image "${GCP_IMAGE_PATH}" \
-            --attestation-variant "${ATTESTATION_VARIANT}" \
-            --version "${SHORTNAME}" \
-            --out "${JSON_OUTPUT}"
-          echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
-          echo "::endgroup::"
-
-      - name: Upload Azure image
-        if: matrix.csp == 'azure'
-        shell: bash
-        working-directory: ${{ github.workspace }}/image
-        run: |
-          echo "::group::Upload Azure image"
-          upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
-          bazel run //image/upload -- image azure \
-            --verbose \
-            --raw-image "${AZURE_IMAGE_PATH}" \
-            --attestation-variant "${ATTESTATION_VARIANT}" \
-            --version "${SHORTNAME}" \
-            --out "${JSON_OUTPUT}"
-          echo -e "Uploaded Azure image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
-          echo "::endgroup::"
-
-      - name: Upload OpenStack image
-        if: matrix.csp == 'openstack'
-        shell: bash
-        working-directory: ${{ github.workspace }}/image
-        run: |
-          echo "::group::Upload OpenStack image"
-          bazel run //image/upload -- image openstack \
-            --verbose \
-            --raw-image "${RAW_IMAGE_PATH}" \
-            --attestation-variant "${ATTESTATION_VARIANT}" \
-            --version "${SHORTNAME}" \
-            --out "${JSON_OUTPUT}"
-          echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
-          echo "::endgroup::"
-
-      - name: Upload QEMU image
-        if: matrix.csp == 'qemu'
-        shell: bash
-        working-directory: ${{ github.workspace }}/image
-        run: |
-          echo "::group::Upload QEMU image"
-          bazel run //image/upload -- image qemu \
-            --verbose \
-            --raw-image "${RAW_IMAGE_PATH}" \
-            --attestation-variant "${ATTESTATION_VARIANT}" \
-            --version "${SHORTNAME}" \
-            --out "${JSON_OUTPUT}"
-          echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
-          echo "::endgroup::"
-
-      - name: Upload image lookup table as artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: lookup-table
-          path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
-
-  calculate-pcrs:
-    name: "Calculate PCRs"
-    needs: [build-settings, make-os-image]
-    permissions:
-      id-token: write
-      contents: read
-    runs-on: ubuntu-22.04
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - csp: aws
-            attestation_variant: aws-nitro-tpm
-          - csp: aws
-            attestation_variant: aws-sev-snp
-          - csp: azure
-            attestation_variant: azure-sev-snp
-          - csp: gcp
-            attestation_variant: gcp-sev-es
-          - csp: gcp
-            attestation_variant: gcp-sev-snp
-          - csp: qemu
-            attestation_variant: qemu-vtpm
-          - csp: openstack
-            attestation_variant: qemu-vtpm
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        with:
-          ref: ${{ inputs.ref || github.head_ref }}
-
-      - name: Download OS image artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-        with:
-          name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-
-      - uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "false"
-
-      - name: Install dependencies
-        run: |
-          echo "::group::Install dependencies"
-          sudo apt-get update
-          sudo apt-get install -y systemd-container # for systemd-dissect
-          echo "::endgroup::"
-
-      - name: Calculate expected PCRs
-        working-directory: ${{ github.workspace }}/image/measured-boot
-        run: |
-          echo "::group::Calculate expected PCRs"
-          bazel run --run_under="sudo -E" //image/measured-boot/cmd ${{ github.workspace }}/constellation.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json >> "$GITHUB_STEP_SUMMARY"
-          echo "::endgroup::"
-
-      - name: Add static PCRs
-        run: |
-          case ${{ matrix.csp }} in
-            aws)
-              yq e '.csp = "AWS" |
-                .attestationVariant = "${{ matrix.attestation_variant }}" |
-                .measurements.0.warnOnly = true |
-                .measurements.0.expected = "737f767a12f54e70eecbc8684011323ae2fe2dd9f90785577969d7a2013e8c12" |
-                .measurements.2.warnOnly = true |
-                .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.3.warnOnly = true |
-                .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.4.warnOnly = false |
-                .measurements.6.warnOnly = true |
-                .measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.8.warnOnly = false |
-                .measurements.9.warnOnly = false |
-                .measurements.11.warnOnly = false |
-                .measurements.12.warnOnly = false |
-                .measurements.13.warnOnly = false |
-                .measurements.14.warnOnly = true |
-                .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
-                .measurements.15.warnOnly = false' \
-                -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
-            ;;
-            azure)
-              yq e '.csp = "Azure" |
-                .attestationVariant = "${{ matrix.attestation_variant }}" |
-                .measurements.1.warnOnly = true |
-                .measurements.1.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.2.warnOnly = true |
-                .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.3.warnOnly = true |
-                .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.4.warnOnly = false |
-                .measurements.8.warnOnly = false |
-                .measurements.9.warnOnly = false |
-                .measurements.11.warnOnly = false |
-                .measurements.12.warnOnly = false |
-                .measurements.13.warnOnly = false |
-                .measurements.14.warnOnly = true |
-                .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
-                .measurements.15.warnOnly = false' \
-                -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
-            ;;
-            gcp)
-              yq e '.csp = "GCP" |
-                .attestationVariant = "${{ matrix.attestation_variant }}" |
-                .measurements.1.warnOnly = true |
-                .measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" |
-                .measurements.2.warnOnly = true |
-                .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.3.warnOnly = true |
-                .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.4.warnOnly = false |
-                .measurements.6.warnOnly = true |
-                .measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
-                .measurements.8.warnOnly = false |
-                .measurements.9.warnOnly = false |
-                .measurements.11.warnOnly = false |
-                .measurements.12.warnOnly = false |
-                .measurements.13.warnOnly = false |
-                .measurements.14.warnOnly = true |
-                .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
-                .measurements.15.warnOnly = false' \
-                -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
-            ;;
-            openstack)
-              yq e '.csp = "OpenStack" |
-                .attestationVariant = "${{ matrix.attestation_variant }}" |
-                .measurements.4.warnOnly = false |
-                .measurements.8.warnOnly = false |
-                .measurements.9.warnOnly = false |
-                .measurements.11.warnOnly = false |
-                .measurements.12.warnOnly = false |
-                .measurements.13.warnOnly = false |
-                .measurements.14.warnOnly = true |
-                .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
-                .measurements.15.warnOnly = false' \
-                -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
-            ;;
-            qemu)
-              yq e '.csp = "QEMU" |
-                .attestationVariant = "${{ matrix.attestation_variant }}" |
-                .measurements.4.warnOnly = false |
-                .measurements.8.warnOnly = false |
-                .measurements.9.warnOnly = false |
-                .measurements.11.warnOnly = false |
-                .measurements.12.warnOnly = false |
-                .measurements.13.warnOnly = false |
-                .measurements.14.warnOnly = true |
-                .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
-                .measurements.15.warnOnly = false' \
-                -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
-            ;;
-            *)
-              echo "Unknown CSP: ${{ matrix.csp }}"
-              exit 1
-            ;;
-          esac
-
-          # TODO (malt3): Calculate PCR from firmware blob.
-          # AWS SNP machines have a different expected value for PCR 0.
-          if [[ ${{ matrix.attestation_variant }} = "aws-sev-snp" ]]
-          then
-            yq e '.csp = "AWS" |
-                  .measurements.0.expected = "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"' \
-                  -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
-          fi
-
-      - name: Envelope measurements
-        shell: bash
-        run: |
-          echo "::group::Envelope measurements"
-          bazel run //image/upload -- measurements envelope \
-            --in "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
-            --out "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
-            --version "${{ needs.build-settings.outputs.imageNameShort }}" \
-            --csp "${{ matrix.csp }}" \
-            --attestation-variant "${{ matrix.attestation_variant }}"
-          echo "::endgroup::"
-
-      - name: Upload expected measurements as artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: measurements
-          path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
-
-  upload-pcrs:
-    name: "Sign & upload PCRs"
-    needs: [build-settings, calculate-pcrs]
-    permissions:
-      id-token: write
-      contents: read
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        with:
-          ref: ${{ inputs.ref || github.head_ref }}
-
-      - uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "false"
-
-      - name: Download measurements
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-        with:
-          name: measurements
-
-      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
-        with:
-          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
-          aws-region: eu-central-1
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
-
-      - name: Install Rekor
-        shell: bash
-        run: |
-          curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
-          sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
-          rm rekor-cli-linux-amd64
-
-      - name: Merge measurements
-        shell: bash
-        run: |
-          echo "::group::Merge measurements"
-          bazel run //image/upload -- measurements merge \
-            --out measurements.json \
-            pcrs-*.json
-          echo "::endgroup::"
-
-      - name: Sign measurements
-        if: inputs.stream != 'debug'
-        shell: bash
         env:
+          TARGET: //image/system:upload_${{ needs.build-settings.outputs.stream }}
+          REF: ${{ needs.build-settings.outputs.ref }}
+          STREAM: ${{ needs.build-settings.outputs.stream }}
+          SHORT_NAME: ${{ needs.build-settings.outputs.imageNameShort }}
           COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
           COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
         run: |
+          echo "::group::Build"
           echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
-          # Enabling experimental mode also publishes signature to Rekor
-          COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY \
-            "${{ github.workspace }}/measurements.json" > "${{ github.workspace }}/measurements.json.sig"
-          # Verify - As documentation & check
-          # Local Signature (input: artifact, key, signature)
-          cosign verify-blob --key cosign.pub \
-            --signature "measurements.json.sig" \
-            "measurements.json"
-          # Transparency Log Signature (input: artifact, key)
-          uuid=$(rekor-cli search --artifact "${{ github.workspace }}/measurements.json" | tail -n 1)
-          sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
-          cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/measurements.json"
-
-      - name: Create stub signature file
-        if: inputs.stream == 'debug'
-        shell: bash
-        run: |
-          echo "THOSE MEASUREMENTS BELONG TO A DEBUG IMAGE. THOSE ARE NOT SINGED BY ANY KEY." > "${{ github.workspace }}/measurements.json.sig"
-
-      - name: Upload measurements
-        shell: bash
-        run: |
-          echo "::group::Upload measurements"
-          bazel run //image/upload -- measurements upload \
-            --measurements measurements.json \
-            --signature measurements.json.sig
+          COSIGN_PUBLIC_KEY_PATH="$(realpath ./cosign.pub)"
+          export COSIGN_PUBLIC_KEY_PATH
+          opts=(
+            --ref "${REF}"
+            --upload-measurements
+          )
+          if [[ "${STREAM}" = "debug" ]]; then
+            opts+=(--fake-sign)
+          fi
+          bazel build //image/base:rpmdb
+          bazel run "${TARGET}" -- "${opts[@]}"
+          {
+            echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
+          } | tee -a "$GITHUB_OUTPUT"
+          echo -ne "Uploaded OS image:\n\n\`\`\`\n${SHORT_NAME}\n\`\`\`" | tee -a "$GITHUB_STEP_SUMMARY"
           echo "::endgroup::"
 
-  upload-sbom:
-    name: "Upload SBOM"
-    needs: [build-settings, make-os-image]
-    permissions:
-      id-token: write
-      contents: read
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
-        with:
-          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
-          aws-region: eu-central-1
-
-      - name: Download sbom
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-        with:
-          # downloading / using only the QEMU manifest is fine
-          # since the images only differ in the ESP partition
-          name: sbom-qemu-qemu-vtpm
-
-      - name: Upload SBOMs to S3
+      - name: Upload SBOM to S3
         shell: bash
+        env:
+          RPMDB: ${{ steps.build.outputs.rpmdb }}
         run: |
           aws s3 cp \
-          rpmdb.tar \
+            "${RPMDB}" \
             "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
             --no-progress
 
-  upload-artifacts:
-    name: "Upload image lookup table and CLI compatibility info"
-    runs-on: ubuntu-22.04
-    needs: [build-settings, upload-os-image]
-    permissions:
-      id-token: write
-      contents: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        with:
-          ref: ${{ inputs.ref || github.head_ref }}
-
-      - uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "false"
-
-      - name: Download image lookup table
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
-        with:
-          name: lookup-table
-
-      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
-        with:
-          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
-          aws-region: eu-central-1
-
-      - name: Upload lookup table to S3
-        shell: bash
-        run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
-
-      - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        with:
-          ref: ${{ inputs.ref || github.head_ref }}
-
       - name: Create CLI compatibility information artifact
         shell: bash
         run: |
           bazel run //hack/cli-k8s-compatibility -- \
             --ref=${{  needs.build-settings.outputs.ref }} \
             --stream=${{  needs.build-settings.outputs.stream }} \
-            --version=${{  needs.build-settings.outputs.imageVersion }} \
+            --version=${{  needs.build-settings.outputs.imageVersion }}
 
   add-image-version-to-versionsapi:
-    needs: [upload-artifacts, upload-pcrs, build-settings]
+    needs: [upload-os-image, build-settings]
     name: "Add image version to versionsapi"
     if: needs.build-settings.outputs.ref != '-'
     permissions:
@@ -715,7 +240,7 @@ jobs:
       add_latest: true
 
   add-cli-version-to-versionsapi:
-    needs: [upload-artifacts, build-settings, add-image-version-to-versionsapi]
+    needs: [upload-os-image, build-settings, add-image-version-to-versionsapi]
     name: "Add CLI version to versionsapi"
     if: needs.build-settings.outputs.ref != '-'
     permissions:

.github/workflows/build-versionsapi-ci-image.yml

@@ -1,31 +0,0 @@
-name: Build and upload versionsapi CI image
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths:
-      - "internal/api/versionsapi/**"
-      - ".github/workflows/build-versionsapi-ci-image.yml"
-      - ".github/actions/versionsapi/**"
-
-jobs:
-  build-versionsapi-ci-cli:
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Check out repository
-        id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        with:
-          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
-      - name: Build and upload container image
-        uses: ./.github/actions/build_micro_service
-        with:
-          name: versionsapi-ci-cli
-          dockerfile: .github/actions/versionsapi/Dockerfile
-          githubToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/check-links.yml

@@ -17,17 +17,15 @@ on:
 
 jobs:
   linkChecker:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421 # v1.8.0
+        uses: lycheeverse/lychee-action@1d97d84f0bc547f7b25f4c2170d87d810dc2fb2c # v2.4.0
         with:
-          args: "--verbose --no-progress --max-concurrency 5 --exclude-path './internal/constellation/helm/charts/cilium' './**/*.md' './**/*.html'"
+          args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
           fail: true
-        env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/check-measurements-reproducibility.yml

@@ -0,0 +1,25 @@
+name: Check measurements reproducibility
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        type: string
+        description: The version of the measurements that are downloaded from the CDN.
+        required: true
+      ref:
+        type: string
+        description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+        required: true
+
+jobs:
+  check-reproducibility:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        
+      - name: Check reproducibility
+        uses: ./.github/actions/check_measurements_reproducibility
+        with:
+          version: ${{ github.event.inputs.version }}
+          ref: ${{ github.event.inputs.ref }}

.github/workflows/codeql.yml

@@ -17,7 +17,7 @@ on:
 jobs:
   codeql:
     name: CodeQL
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       # Force CodeQL to run the extraction on the files compiled by our custom
       # build command, as opposed to letting the autobuilder figure it out.
@@ -34,17 +34,17 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Go environment
         if: matrix.language == 'go'
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.21.5"
+          go-version: "1.24.2"
           cache: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
+        uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           languages: ${{ matrix.language }}
 
@@ -63,6 +63,6 @@ jobs:
           echo "::endgroup::"
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
+        uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/docs-vale.yml

@@ -12,20 +12,21 @@ on:
       - "docs/**"
 
 jobs:
-  prose:
-    runs-on: ubuntu-22.04
+  vale:
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
+      # Work around https://github.com/errata-ai/vale-action/issues/128.
+      - run: |
+          venv="$HOME/.local/share/venv"
+          python3 -m venv "$venv"
+          echo "$venv/bin" >> "$GITHUB_PATH"
       - name: Vale
-        uses: errata-ai/vale-action@c4213d4de3d5f718b8497bd86161531c78992084 # tag=v2.0.1
+        uses: errata-ai/vale-action@2690bc95f0ed3cb5220492575af09c51b04fbea9 # tag=reviewdog
         with:
-          version: 2.17.0
           files: docs/docs
-        env:
-          # Required, set by GitHub actions automatically:
-          # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          fail_on_error: true
+          version: 3.9.3

.github/workflows/draft-release.yml

@@ -50,7 +50,7 @@ on:
 
 jobs:
   build-cli:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -72,7 +72,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -92,8 +92,8 @@ jobs:
           cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 
       - name: Upload CLI as artifact (unix)
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        if : ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os != 'windows' }}
         with:
           name: constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
@@ -101,8 +101,8 @@ jobs:
             build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
 
       - name: Upload CLI as artifact (windows)
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        if : ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os == 'windows' }}
         with:
           name: constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
@@ -110,7 +110,7 @@ jobs:
             build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig
 
   build-terraform-provider:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -133,7 +133,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -149,27 +149,27 @@ jobs:
           targetArch: ${{ matrix.arch }}
 
       - name: Upload Terraform Provider Binary as artifact (unix)
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        if : ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os != 'windows' }}
         with:
           name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
             build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
 
       - name: Upload Terraform Provider Binary as artifact (windows)
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        if : ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os == 'windows' }}
         with:
           name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
             build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
 
   upload-terraform-module:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -177,7 +177,7 @@ jobs:
         uses: ./.github/actions/upload_terraform_module
 
   push-containers:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: inputs.pushContainers
     permissions:
       actions: read
@@ -187,7 +187,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -208,7 +208,7 @@ jobs:
         run: bazel run //bazel/release:push
 
   provenance-subjects:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - build-cli
       - signed-sbom
@@ -219,7 +219,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -227,7 +227,7 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
@@ -252,16 +252,16 @@ jobs:
           echo provenance-subjects="${HASHESB64}" >> "$GITHUB_OUTPUT"
 
   signed-sbom:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
       - name: Download Syft & Grype
         uses: ./.github/actions/install_syft_grype
@@ -287,7 +287,7 @@ jobs:
       - name: Build signed SBOM
         run: |
           syft build/constellation-linux-amd64 --catalogers go-module --file constellation.spdx.sbom -o spdx-json
-          cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
+          cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
           grype constellation.spdx.sbom --fail-on high --only-fixed --add-cpes-if-none
         env:
           COSIGN_EXPERIMENTAL: 1
@@ -296,13 +296,13 @@ jobs:
           COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 
       - name: Upload Constellation CLI SBOM
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: constellation.spdx.sbom
           path: constellation.spdx.sbom
 
       - name: Upload Constellation CLI SBOM's signature
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: constellation.spdx.sbom.sig
           path: constellation.spdx.sbom.sig
@@ -316,14 +316,14 @@ jobs:
       - provenance-subjects
     # This must not be pinned to digest. See:
     # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
 
   provenance-verify:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
-      SLSA_VERIFIER_VERSION: "2.0.1"
+      SLSA_VERIFIER_VERSION: "2.7.0"
     needs:
       - build-cli
       - provenance
@@ -332,7 +332,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -340,12 +340,12 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
       - name: Download provenance
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
 
@@ -395,7 +395,7 @@ jobs:
   release:
     permissions:
       contents: write
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - build-cli
       - provenance
@@ -405,7 +405,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -418,17 +418,17 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
       - name: Download Constellation CLI SBOM's signature
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom.sig
 
       - name: Download Constellation provenance
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
 
@@ -454,9 +454,10 @@ jobs:
             if [[ "${ext}" = "exe" ]]; then
               cp "${file}" "${folder_name}/terraform-provider-constellation_v${version}.exe"
             else
+              chmod 755 "${file}" # the upload artifact does not preserve file permissions (https://github.com/actions/upload-artifact/tree/main/?tab=readme-ov-file#permission-loss)
               cp "${file}" "${folder_name}/terraform-provider-constellation_v${version}"
             fi
-            zip -r "${folder_name}.zip" "${folder_name}"
+            (cd "${folder_name}" && zip "../${folder_name}.zip" ./*) # do not zip the folder itself
             rm -r "${folder_name}"
           done
 
@@ -471,7 +472,7 @@ jobs:
       - name: Create release with artifacts
         id: create-release
         # GitHub endorsed release project. See: https://github.com/actions/create-release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         with:
           draft: true
           generate_release_notes: true
@@ -486,7 +487,7 @@ jobs:
             terraform-module.zip
 
       - name: Create Terraform provider release with artifcats
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         with:
           draft: true
           generate_release_notes: false

.github/workflows/e2e-attestationconfigapi.yml

@@ -9,10 +9,7 @@ on:
     paths:
       - "internal/api/**"
       - ".github/workflows/e2e-attestationconfigapi.yml"
-  pull_request:
-    paths:
-      - "internal/api/**"
-      - ".github/workflows/e2e-attestationconfigapi.yml"
+      - "go.mod"
 
 jobs:
   e2e-api:
@@ -20,8 +17,8 @@ jobs:
       fail-fast: false
       max-parallel: 1
       matrix:
-        csp: ["azure", "aws"]
-    runs-on: ubuntu-22.04
+        attestationVariant: ["azure-sev-snp", "azure-tdx", "aws-sev-snp", "gcp-sev-snp"]
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -29,7 +26,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # Don't trigger in forks, use head on pull requests, use default otherwise.
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}
@@ -37,7 +34,6 @@ jobs:
       - name: Run Attestationconfig API E2E
         uses: ./.github/actions/e2e_attestationconfigapi
         with:
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           cosignPrivateKey: ${{ secrets.COSIGN_DEV_PRIVATE_KEY }}
           cosignPassword: ${{ secrets.COSIGN_DEV_PASSWORD }}
-          csp: ${{ matrix.csp }}
+          attestationVariant: ${{ matrix.attestationVariant }}

.github/workflows/e2e-cleanup-weekly.yml

@@ -0,0 +1,26 @@
+name: e2e weekly cleanup
+
+on:
+  schedule:
+    - cron: "0 0 * * 0" # At 00:00 every Sunday UTC
+  workflow_dispatch:
+
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Cleanup
+        uses: ./.github/actions/e2e_cleanup_timeframe
+        with:
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+          azure_credentials: ${{ secrets.AZURE_E2E_DESTROY_CREDENTIALS }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}

.github/workflows/e2e-mini.yml

@@ -20,7 +20,7 @@ on:
 
 jobs:
   e2e-mini:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     environment: e2e
     permissions:
       id-token: write
@@ -29,12 +29,12 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}
 
       - name: Azure login OIDC
-        uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -46,6 +46,6 @@ jobs:
           azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
           githubToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/e2e-test-daily.yml

@@ -12,7 +12,7 @@ jobs:
       matrix:
         refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
     name: Find latest image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -21,7 +21,7 @@ jobs:
       image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
@@ -45,31 +45,42 @@ jobs:
       fail-fast: false
       max-parallel: 5
       matrix:
-        kubernetesVersion: ["1.27"] # should be default
-        provider: ["gcp", "azure", "aws"]
+        kubernetesVersion: ["1.30"] # This should correspond to the current default k8s minor.
+        attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
         refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
-        test: ["sonobuoy full"]
-    runs-on: ubuntu-22.04
+        test: ["sonobuoy quick"]
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       checks: write
       contents: read
       packages: write
+      actions: write
     needs: [find-latest-image]
     steps:
       - name: Check out repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
+      - name: Split attestationVariant
+        id: split-attestationVariant
+        shell: bash
+        run: |
+          attestationVariant="${{ matrix.attestationVariant }}"
+          cloudProvider="${attestationVariant%%-*}"
+
+          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
       - name: Run E2E test
         id: e2e_test
         uses: ./.github/actions/e2e_test
         with:
           workerNodesCount: "2"
           controlNodesCount: "3"
-          cloudProvider: ${{ matrix.provider }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+          attestationVariant: ${{ matrix.attestationVariant }}
           osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
           isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
           cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
@@ -79,7 +90,7 @@ jobs:
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           kubernetesVersion: ${{ matrix.kubernetesVersion }}
           test: ${{ matrix.test }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -91,6 +102,7 @@ jobs:
           awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
           awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
           clusterCreation: "cli"
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Always terminate cluster
         if: always()
@@ -98,7 +110,7 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           clusterCreation: "cli"
-          cloudProvider: ${{ matrix.provider }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
           azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
 
@@ -106,10 +118,20 @@ jobs:
         if: always()
         uses: ./.github/actions/constellation_iam_destroy
         with:
-          cloudProvider: ${{ matrix.provider }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
       - name: Notify about failure
         if: |
           failure() &&
@@ -122,12 +144,13 @@ jobs:
           refStream: ${{ matrix.refStream }}
           test: ${{ matrix.test }}
           kubernetesVersion: ${{ matrix.kubernetesVersion }}
-          provider: ${{ matrix.provider }}
+          provider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+          attestationVariant: ${{ matrix.attestationVariant }}
           clusterCreation: "cli"
 
   e2e-mini:
     name: Run miniconstellation E2E test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     environment: e2e
     permissions:
       id-token: write
@@ -136,12 +159,12 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Azure login OIDC
-        uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -153,7 +176,7 @@ jobs:
           azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
           githubToken: ${{ secrets.GITHUB_TOKEN }}
 
@@ -166,5 +189,6 @@ jobs:
         uses: ./.github/actions/notify_e2e_failure
         with:
           projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
+          attestationVariant: "qemu-vtpm"
           test: "MiniConstellation"
           provider: "QEMU"

.github/workflows/e2e-test-internal-lb.yml

@@ -7,22 +7,24 @@ on:
         description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
         default: "3:2"
         type: string
-      cloudProvider:
-        description: "Which cloud provider to use."
+      attestationVariant:
+        description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp"
-          - "azure"
-          - "aws"
-        default: "azure"
+          - "aws-sev-snp"
+          - "azure-sev-snp"
+          - "azure-tdx"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
+        default: "azure-sev-snp"
         required: true
       runner:
         description: "Architecture of the runner that executes the CLI"
         type: choice
         options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "macos-latest"
+        default: "ubuntu-24.04"
       test:
         description: "The test to run."
         type: choice
@@ -39,7 +41,6 @@ on:
         required: true
       kubernetesVersion:
         description: "Kubernetes version to create the cluster from."
-        default: "1.27"
         required: true
       cliVersion:
         description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@@ -76,7 +77,7 @@ jobs:
     uses: ./.github/workflows/e2e-test.yml
     with:
       nodeCount: ${{ inputs.nodeCount }}
-      cloudProvider: ${{ inputs.cloudProvider }}
+      attestationVariant: ${{ inputs.attestationVariant }}
       runner: ${{ inputs.runner }}
       test: ${{ inputs.test }}
       kubernetesVersion: ${{ inputs.kubernetesVersion }}

.github/workflows/e2e-test-marketplace-image.yml

@@ -7,20 +7,24 @@ on:
         description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
         default: "3:2"
         type: string
-      cloudProvider:
-        description: "Which cloud provider to use."
+      attestationVariant:
+        description: "Which attestation variant to use."
         type: choice
         options:
-          - "azure"
-        default: "azure"
+          - "aws-sev-snp"
+          - "azure-sev-snp"
+          - "azure-tdx"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
+        default: "azure-sev-snp"
         required: true
       runner:
         description: "Architecture of the runner that executes the CLI"
         type: choice
         options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "macos-latest"
+        default: "ubuntu-24.04"
       test:
         description: "The test to run."
         type: choice
@@ -37,7 +41,6 @@ on:
         required: true
       kubernetesVersion:
         description: "Kubernetes version to create the cluster from."
-        default: "1.27"
         required: true
       cliVersion:
         description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@@ -74,7 +77,7 @@ jobs:
     uses: ./.github/workflows/e2e-test.yml
     with:
       nodeCount: ${{ inputs.nodeCount }}
-      cloudProvider: ${{ inputs.cloudProvider }}
+      attestationVariant: ${{ inputs.attestationVariant }}
       runner: ${{ inputs.runner }}
       test: ${{ inputs.test }}
       kubernetesVersion: ${{ inputs.kubernetesVersion }}

.github/workflows/e2e-test-provider-example.yml

@@ -0,0 +1,494 @@
+name: e2e test Terraform provider example
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        type: string
+        description: "Git ref to checkout"
+      regionZone:
+        description: "Region or zone to create the cluster in. Leave empty for default region/zone."
+        type: string
+      image:
+        description: "OS Image version used in the cluster's VMs. If not set, the latest nightly image from main is used."
+        type: string
+      providerVersion:
+        description: "Constellation Terraform provider version to use (with v prefix). Empty value means build from source."
+        type: string
+      toImage:
+        description: Image (shortpath) the cluster is upgraded to, or empty for main/nightly.
+        type: string
+        required: false
+      toKubernetes:
+        description: Kubernetes version to target for the upgrade, empty for no upgrade.
+        type: string
+        required: false
+      attestationVariant:
+        description: "Attestation variant to use."
+        type: choice
+        options:
+          - "aws-sev-snp"
+          - "azure-sev-snp"
+          - "azure-tdx"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
+        default: "azure-sev-snp"
+        required: true
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        description: "Git ref to checkout"
+      regionZone:
+        description: "Which zone to use."
+        type: string
+      image:
+        description: "OS Image version used in the cluster's VMs, as specified in the Constellation config. If not set, the latest nightly image from main is used."
+        type: string
+      providerVersion:
+        description: "Constellation Terraform provider version to use (with v prefix). Empty value means build from source."
+        type: string
+      toImage:
+        description: Image (shortpath) the cluster is upgraded to, or empty for main/nightly.
+        type: string
+        required: false
+      toKubernetes:
+        description: Kubernetes version to target for the upgrade, empty for target's default version.
+        type: string
+        required: false
+      attestationVariant:
+        description: "Attestation variant to use."
+        type: string
+        required: true
+
+jobs:
+  provider-example-test:
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.ref || github.head_ref }}
+
+      - name: Get Latest Image
+        id: find-latest-image
+        uses: ./.github/actions/find_latest_image
+        with:
+          git-ref: ${{ inputs.ref }}
+          imageVersion: ${{ inputs.image }}
+          ref: main
+          stream: nightly
+
+      - name: Determine cloudprovider from attestation variant
+        id: determine
+        shell: bash
+        run: |
+          attestationVariant="${{ inputs.attestationVariant }}"
+          cloudProvider="${attestationVariant%%-*}"
+
+          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Download CLI # needed to determine K8s version for release versions
+        if: inputs.providerVersion != ''
+        shell: bash
+        run: |
+          curl -fsSL -o constellation https://github.com/edgelesssys/constellation/releases/download/${{ inputs.providerVersion }}/constellation-linux-amd64
+          chmod u+x constellation
+          ./constellation version
+          mkdir -p ${{ github.workspace }}/release
+          cp ./constellation ${{ github.workspace }}/release
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          nixTools: terraform
+
+      - name: Create prefix
+        id: create-prefix
+        shell: bash
+        run: |
+          uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
+          uuid="${uuid%%-*}"
+          uuid="${uuid: -3}" # Final resource name must be no longer than 10 characters on AWS
+          echo "uuid=${uuid}" | tee -a "${GITHUB_OUTPUT}"
+          echo "prefix=e2e-${uuid}" | tee -a "${GITHUB_OUTPUT}"
+
+      - name: Build Constellation provider and CLI # CLI is needed for the upgrade assert and container push is needed for the microservice upgrade
+        working-directory: ${{ github.workspace }}
+        id: build
+        shell: bash
+        run: |
+          mkdir -p ${{ github.workspace }}/build
+          cd ${{ github.workspace }}/build
+          bazel run //:devbuild --cli_edition=enterprise
+
+          bazel build //bazel/settings:tag
+          repository_root=$(git rev-parse --show-toplevel)
+          out_rel=$(bazel cquery --output=files //bazel/settings:tag)
+          build_version=$(cat "$(realpath "${repository_root}/${out_rel}")")
+          echo "build_version=${build_version}" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Remove local Terraform registry # otherwise the local registry would be used instead of the public registry
+        if: inputs.providerVersion != ''
+        shell: bash
+        run: |
+          bazel build //bazel/settings:tag
+          repository_root=$(git rev-parse --show-toplevel)
+          out_rel=$(bazel cquery --output=files //bazel/settings:tag)
+          build_version=$(cat "$(realpath "${repository_root}/${out_rel}")")
+
+          terraform_provider_dir="${HOME}/.terraform.d/plugins/registry.terraform.io/edgelesssys/constellation/${build_version#v}/linux_amd64/"
+          rm -rf "${terraform_provider_dir}"
+
+      - name: Login to AWS (IAM + Cluster role)
+        if: steps.determine.outputs.cloudProvider == 'aws'
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
+          aws-region: eu-central-1
+          # extend token expiry to 6 hours to ensure constellation can terminate
+          role-duration-seconds: 21600
+
+      - name: Login to Azure (IAM + Cluster service principal)
+        if: steps.determine.outputs.cloudProvider == 'azure'
+        uses: ./.github/actions/login_azure
+        with:
+          azure_credentials: ${{ secrets.AZURE_E2E_TF_CREDENTIALS }}
+
+      - name: Login to GCP (IAM + Cluster service account)
+        if: steps.determine.outputs.cloudProvider == 'gcp'
+        uses: ./.github/actions/login_gcp
+        with:
+          service_account: "terraform-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Set Kubernetes version
+        id: kubernetes
+        run: |
+          set -e
+
+          # take the middle (2nd) supported Kubernetes version (default)
+          if [[ "${{ inputs.providerVersion }}" != "" ]]; then
+            cli_output=$(${{ github.workspace }}/release/constellation config kubernetes-versions)
+          else
+            cli_output=$(${{ github.workspace }}/build/constellation config kubernetes-versions)
+          fi
+          echo "version=$(echo "${cli_output}" | awk 'NR==3{print $1}')" | tee -a "${GITHUB_OUTPUT}"
+
+      - name: Common CSP Terraform overrides
+        working-directory: ${{ github.workspace }}
+        shell: bash
+        run: |
+          mkdir -p ${{ github.workspace }}/cluster
+          cd ${{ github.workspace }}/cluster
+          if [[ "${{ inputs.providerVersion }}" == "" ]]; then
+            prefixed_version=${{ steps.build.outputs.build_version }}
+          else
+            prefixed_version="${{ inputs.providerVersion }}"
+          fi
+          version=${prefixed_version#v} # remove v prefix
+
+          if [[ "${{ inputs.providerVersion }}" == "" ]]; then
+            iam_src="${{ github.workspace }}/terraform/infrastructure/iam/${{ steps.determine.outputs.cloudProvider }}"
+            infra_src="${{ github.workspace }}/terraform/infrastructure/${{ steps.determine.outputs.cloudProvider }}"
+          else
+            iam_src="https://github.com/edgelesssys/constellation/releases/download/${{ inputs.providerVersion }}/terraform-module.zip//terraform-module/iam/${{ steps.determine.outputs.cloudProvider }}"
+            infra_src="https://github.com/edgelesssys/constellation/releases/download/${{ inputs.providerVersion }}/terraform-module.zip//terraform-module/${{ steps.determine.outputs.cloudProvider }}"
+          fi
+
+          # by default use latest nightly image for devbuilds and release image otherwise
+          if [[ "${{ inputs.providerVersion }}" == "" ]]; then
+            if [[ "${{ inputs.image }}" == "" ]]; then
+              image_version="${{ steps.find-latest-image.outputs.image }}"
+            else
+              image_version="${{ inputs.image }}"
+            fi
+          else
+            if [[ "${{ inputs.image }}" == "" ]]; then
+              image_version="${prefixed_version}"
+            else
+              image_version="${{ inputs.image }}"
+            fi
+          fi
+
+          kubernetes_version="${{ steps.kubernetes.outputs.version }}"
+
+          cat > _override.tf <<EOF
+          terraform {
+            required_providers {
+              constellation = {
+                source  = "edgelesssys/constellation"
+                version = "${version}"
+              }
+            }
+          }
+
+          locals {
+            control_plane_count = 1
+            worker_count        = 1
+          }
+
+          locals {
+            name = "${{ steps.create-prefix.outputs.prefix }}"
+            image_version = "${image_version}"
+            microservice_version = "${prefixed_version}"
+            kubernetes_version = "${kubernetes_version}"
+            attestation_variant = "${{ inputs.attestationVariant }}"
+          }
+
+          module "${{ steps.determine.outputs.cloudProvider }}_iam" {
+            source = "${iam_src}"
+          }
+
+          module "${{ steps.determine.outputs.cloudProvider }}_infrastructure" {
+            source = "${infra_src}"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create GCP Terraform overrides
+        if: steps.determine.outputs.cloudProvider == 'gcp'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          region=$(echo ${{ inputs.regionZone || 'europe-west3-b' }} | rev | cut -c 3- | rev)
+
+          case "${{ inputs.attestationVariant }}" in
+            "gcp-sev-snp")
+              cc_tech="SEV_SNP"
+              ;;
+            *)
+              cc_tech="SEV"
+              ;;
+          esac
+
+          cat >> _override.tf <<EOF
+          locals {
+            project_id         = "constellation-e2e"
+            region = "${region}"
+            zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
+            cc_technology = "${cc_tech}"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create AWS Terraform overrides
+        if: steps.determine.outputs.cloudProvider == 'aws'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          region=$(echo ${{ inputs.regionZone || 'us-east-2c' }} | rev | cut -c 2- | rev)
+
+          cat >> _override.tf <<EOF
+          locals {
+            region = "${region}"
+            zone = "${{ inputs.regionZone || 'us-east-2c' }}"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create Azure TDX Terraform overrides
+        if: inputs.attestationVariant == 'azure-tdx'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          cat >> _override.tf <<EOF
+          locals {
+            instance_type = "Standard_DC4es_v5"
+            subscription_id = "$(az account show --query id --output tsv)"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create Azure SEV-SNP Terraform overrides
+        if: inputs.attestationVariant == 'azure-sev-snp'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          cat >> _override.tf <<EOF
+          locals {
+            subscription_id = "$(az account show --query id --output tsv)"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Copy example Terraform file
+        working-directory: ${{ github.workspace }}
+        shell: bash
+        run: |
+          cp ${{ github.workspace }}/terraform-provider-constellation/examples/full/${{ steps.determine.outputs.cloudProvider }}/main.tf ${{ github.workspace }}/cluster/main.tf
+
+      - name: Apply Terraform Cluster
+        id: apply_terraform
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
+          terraform init
+          if [[ "${{ inputs.attestationVariant }}" == "azure-sev-snp" ]]; then
+            timeout 1h terraform apply -target module.azure_iam -auto-approve
+            timeout 1h terraform apply -target module.azure_infrastructure -auto-approve
+            ${{ github.workspace }}/build/constellation maa-patch "$(terraform output -raw maa_url)"
+            timeout 1h terraform apply -target constellation_cluster.azure_example -auto-approve
+          else
+            timeout 1h terraform apply -auto-approve
+          fi
+
+      - name: Cleanup Terraform Cluster on failure
+        # cleanup here already on failure, because the subsequent TF overrides might make the TF config invalid and thus the destroy would fail later
+        # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
+        if: failure() && steps.apply_terraform.outcome != 'skipped'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          terraform init
+          terraform destroy -auto-approve -lock=false
+
+      - name: Add Provider to local Terraform registry # needed if release version was used before
+        if: inputs.providerVersion != ''
+        working-directory: ${{ github.workspace }}/build
+        shell: bash
+        run: |
+          bazel run //:devbuild --cli_edition=enterprise
+
+      - name: Update cluster configuration # for duplicate variable declaration, the last one is used
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          cat >> _override.tf <<EOF
+          locals {
+            image_version = "${{ inputs.toImage || steps.find-latest-image.outputs.image }}"
+          }
+          EOF
+
+          if [[ "${{ inputs.toKubernetes }}" != "" ]]; then
+          cat >> _override.tf <<EOF
+          resource "constellation_cluster" "${{ steps.determine.outputs.cloudProvider }}_example" {
+            kubernetes_version = "${{ inputs.toKubernetes }}"
+          }
+          EOF
+          fi
+
+          prefixed_version=${{ steps.build.outputs.build_version }}
+          version=${prefixed_version#v} # remove v prefix
+
+          # needs to be explicitly set to upgrade
+          cat >> _override.tf <<EOF
+          resource "constellation_cluster" "${{ steps.determine.outputs.cloudProvider }}_example" {
+            constellation_microservice_version = "${prefixed_version}"
+          }
+          EOF
+
+          cat >> _override.tf <<EOF
+          terraform {
+            required_providers {
+              constellation = {
+                source  = "edgelesssys/constellation"
+                version = "${version}"
+              }
+            }
+          }
+          EOF
+          cat _override.tf
+
+      - name: Upgrade Terraform Cluster
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          terraform init --upgrade
+          timeout 1h terraform apply -auto-approve
+
+      - name: Assert upgrade successful
+        working-directory: ${{ github.workspace }}/cluster
+        env:
+          IMAGE: ${{ inputs.toImage && inputs.toImage || steps.find-latest-image.outputs.image }}
+          KUBERNETES: ${{ inputs.toKubernetes }}
+          MICROSERVICES: ${{ steps.build.outputs.build_version }}
+          WORKERNODES: 1
+          CONTROLNODES: 1
+        run: |
+          terraform output -raw kubeconfig > constellation-admin.conf
+
+          if [[ -n "${MICROSERVICES}" ]]; then
+            MICROSERVICES_FLAG="--target-microservices=${MICROSERVICES}"
+          fi
+          if [[ -n "${KUBERNETES}" ]]; then
+            KUBERNETES_FLAG="--target-kubernetes=${KUBERNETES}"
+          fi
+          if [[ -n "${IMAGE}" ]]; then
+            IMAGE_FLAG="--target-image=${IMAGE}"
+          fi
+
+          # cfg must be in same dir as KUBECONFIG
+          ${{ github.workspace }}/build/constellation config generate "${{ steps.determine.outputs.cloudProvider }}" --attestation ${{ inputs.attestationVariant}}
+          # make cfg valid with fake data
+          # IMPORTANT: zone needs to be correct because it is used to resolve the CSP image ref
+          if [[ "${{ steps.determine.outputs.cloudProvider }}" == "azure" ]]; then
+            location="${{ inputs.regionZone || 'northeurope' }}"
+            yq e ".provider.azure.location = \"${location}\"" -i constellation-conf.yaml
+
+            yq e '.provider.azure.subscription = "123e4567-e89b-12d3-a456-426614174000"' -i constellation-conf.yaml
+            yq e '.provider.azure.tenant = "123e4567-e89b-12d3-a456-426614174001"' -i constellation-conf.yaml
+            yq e '.provider.azure.resourceGroup = "myResourceGroup"' -i constellation-conf.yaml
+            yq e '.provider.azure.userAssignedIdentity = "myIdentity"' -i constellation-conf.yaml
+          fi
+          if [[ "${{ steps.determine.outputs.cloudProvider }}" == "gcp" ]]; then
+            zone="${{ inputs.regionZone || 'europe-west3-b' }}"
+            region=$(echo "${zone}" | rev | cut -c 2- | rev)
+            yq e ".provider.gcp.region = \"${region}\"" -i constellation-conf.yaml
+            yq e ".provider.gcp.zone = \"${zone}\"" -i constellation-conf.yaml
+
+            yq e '.provider.gcp.project = "demo-gcp-project"' -i constellation-conf.yaml
+            yq e '.nodeGroups.control_plane_default.zone = "europe-west3-b"' -i constellation-conf.yaml
+            # Set the zone for worker_default node group to a fictional value
+            yq e '.nodeGroups.worker_default.zone = "europe-west3-b"' -i constellation-conf.yaml
+            yq e '.provider.gcp.serviceAccountKeyPath = "/path/to/your/service-account-key.json"' -i constellation-conf.yaml
+          fi
+          if [[ "${{ steps.determine.outputs.cloudProvider }}" == "aws" ]]; then
+            zone=${{ inputs.regionZone || 'us-east-2c' }}
+            region=$(echo "${zone}" | rev | cut -c 2- | rev)
+            yq e ".provider.aws.region = \"${region}\"" -i constellation-conf.yaml
+            yq e ".provider.aws.zone = \"${zone}\"" -i constellation-conf.yaml
+
+            yq e '.provider.aws.iamProfileControlPlane = "demoControlPlaneIAMProfile"' -i constellation-conf.yaml
+            yq e '.provider.aws.iamProfileWorkerNodes = "demoWorkerNodesIAMProfile"' -i constellation-conf.yaml
+            yq e '.nodeGroups.control_plane_default.zone = "eu-central-1a"' -i constellation-conf.yaml
+            yq e '.nodeGroups.worker_default.zone = "eu-central-1a"' -i constellation-conf.yaml
+          fi
+          KUBECONFIG=${{ github.workspace }}/cluster/constellation-admin.conf bazel run --test_timeout=14400 //e2e/provider-upgrade:provider-upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --cli "${{ github.workspace }}/build/constellation" "$IMAGE_FLAG" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"
+
+      - name: Destroy Terraform Cluster
+        # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
+        if: always() && steps.apply_terraform.outcome != 'skipped'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          terraform init
+          terraform destroy -auto-approve -lock=false
+
+      - name: Notify about failure
+        if: |
+          (failure() || cancelled()) &&
+          github.ref == 'refs/heads/main' &&
+          github.event_name == 'schedule'
+        continue-on-error: true
+        uses: ./.github/actions/notify_e2e_failure
+        with:
+          projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
+          test: "terraform-provider-example"
+          refStream: ${{ inputs.ref}}
+          provider: ${{ steps.determine.outputs.cloudProvider }}
+          kubernetesVersion: ${{ steps.kubernetes.outputs.version }}
+          clusterCreation: "terraform"
+          attestationVariant: ${{ inputs.attestationVariant }}

.github/workflows/e2e-test-release.yml

@@ -46,173 +46,271 @@ jobs:
 
           # sonobuoy full test on all k8s versions
           - test: "sonobuoy full"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
-            provider: "aws"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
-            clusterCreation: "cli"
-
-
-          - test: "sonobuoy full"
-            provider: "gcp"
-            kubernetes-version: "v1.27"
-            runner: "ubuntu-22.04"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
-            provider: "azure"
-            kubernetes-version: "v1.27"
-            runner: "ubuntu-22.04"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
-            provider: "aws"
-            kubernetes-version: "v1.27"
-            runner: "ubuntu-22.04"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           - test: "sonobuoy full"
-            provider: "gcp"
-            kubernetes-version: "v1.26"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
-            provider: "azure"
-            kubernetes-version: "v1.26"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
-            provider: "aws"
-            kubernetes-version: "v1.26"
-            runner: "ubuntu-22.04"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # verify test on latest k8s version
           - test: "verify"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "verify"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "verify"
-            provider: "aws"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "verify"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "verify"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # recover test on latest k8s version
           - test: "recover"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "recover"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "recover"
-            provider: "aws"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "recover"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "recover"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # lb test on latest k8s version
           - test: "lb"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "lb"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "lb"
-            provider: "aws"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "lb"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "lb"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # autoscaling test on latest k8s version
           - test: "autoscaling"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "autoscaling"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "autoscaling"
-            provider: "aws"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "autoscaling"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "autoscaling"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
-          # perf-bench test on latest k8s version, not supported on AWS
+          # perf-bench test on latest k8s version
           - test: "perf-bench"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "perf-bench"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
-
-          # self-managed infra test on latest k8s version
-          # runs Sonobuoy full test
-          - test: "sonobuoy full"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
-            clusterCreation: "self-managed"
-          - test: "sonobuoy full"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
-            clusterCreation: "self-managed"
-          - test: "sonobuoy full"
-            provider: "aws"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
-            clusterCreation: "self-managed"
 
           # s3proxy test on latest k8s version
           - test: "s3proxy"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
+          # malicious join test on latest k8s version
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+            runner: "ubuntu-24.04"
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+            runner: "ubuntu-24.04"
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+            runner: "ubuntu-24.04"
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+            runner: "ubuntu-24.04"
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+            runner: "ubuntu-24.04"
+
           #
           # Tests on macOS runner
           #
           # Skipping verify test on MacOS since the runner uses a different version of sed
           # TODO(3u13r): Update verify test to work on MacOS runners
           # - test: "verify"
-          #  provider: "azure"
-          #  kubernetes-version: "v1.28"
-          #  runner: "macos-12"
+          #  attestationVariant: "azure-sev-snp"
+          #  kubernetes-version: "v1.30"
+          #  runner: "macos-latest"
           - test: "recover"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            runner: "macos-12"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            runner: "macos-latest"
             clusterCreation: "cli"
     runs-on: ${{ matrix.runner }}
     permissions:
@@ -220,6 +318,7 @@ jobs:
       checks: write
       contents: read
       packages: write
+      actions: write
     steps:
       - name: Install the basics tools (macOS)
         if: runner.os == 'macOS'
@@ -227,14 +326,23 @@ jobs:
         run: brew install coreutils kubectl bash
 
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ inputs.ref || github.head_ref }}
 
+      - name: Split attestationVariant
+        id: split-attestationVariant
+        shell: bash
+        run: |
+          attestationVariant="${{ matrix.attestationVariant }}"
+          cloudProvider="${attestationVariant%%-*}"
+
+          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
       - name: Set up gcloud CLI (macOS)
-        if: matrix.provider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
+        if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
       - name: Run E2E test
         id: e2e_test
@@ -242,7 +350,8 @@ jobs:
         with:
           workerNodesCount: "2"
           controlNodesCount: "3"
-          cloudProvider: ${{ matrix.provider }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+          attestationVariant: ${{ matrix.attestationVariant }}
           cliVersion: ""
           kubernetesVersion: ${{ matrix.kubernetes-version }}
           osImage: ""
@@ -255,7 +364,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -265,6 +374,7 @@ jobs:
           clusterCreation: ${{ matrix.clusterCreation }}
           s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
           s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Always terminate cluster
         if: always()
@@ -272,7 +382,7 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           clusterCreation: ${{ matrix.clusterCreation }}
-          cloudProvider: ${{ matrix.provider }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
           azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
 
@@ -280,17 +390,27 @@ jobs:
         if: always()
         uses: ./.github/actions/constellation_iam_destroy
         with:
-          cloudProvider: ${{ matrix.provider }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
   e2e-upgrade:
     strategy:
       fail-fast: false
       max-parallel: 1
       matrix:
-        fromVersion: ["v2.13.0"]
-        cloudProvider: ["gcp", "azure", "aws"]
+        fromVersion: ["v2.22.0"]
+        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
     name: Run upgrade tests
     secrets: inherit
     permissions:
@@ -298,10 +418,11 @@ jobs:
       contents: read
       checks: write
       packages: write
+      actions: write
     uses: ./.github/workflows/e2e-upgrade.yml
     with:
       fromVersion: ${{ matrix.fromVersion }}
       toImage: ${{ inputs.targetVersion }}
-      cloudProvider: ${{ matrix.cloudProvider }}
+      attestationVariant: ${{ matrix.attestationVariant }}
       nodeCount: '3:2'
       gitRef: ${{ inputs.ref || github.head_ref }}

.github/workflows/e2e-test-self-managed.yml

@@ -1,88 +0,0 @@
-name: e2e test self managed infrastructure
-
-on:
-  workflow_dispatch:
-    inputs:
-      nodeCount:
-        description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
-        default: "3:2"
-        type: string
-      cloudProvider:
-        description: "Which cloud provider to use."
-        type: choice
-        options:
-          - "gcp"
-          - "azure"
-          - "aws"
-        default: "azure"
-        required: true
-      runner:
-        description: "Architecture of the runner that executes the CLI"
-        type: choice
-        options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
-      test:
-        description: "The test to run."
-        type: choice
-        options:
-          - "sonobuoy quick"
-          - "sonobuoy full"
-          - "autoscaling"
-          - "lb"
-          - "perf-bench"
-          - "verify"
-          - "recover"
-          - "malicious join"
-          - "nop"
-        required: true
-      kubernetesVersion:
-        description: "Kubernetes version to create the cluster from."
-        default: "1.27"
-        required: true
-      cliVersion:
-        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
-        type: string
-        default: ""
-        required: false
-      imageVersion:
-        description: "Full name of OS image (CSP independent image version UID). Leave empty for latest debug image on main."
-        type: string
-        default: ""
-        required: false
-      machineType:
-        description: "Override VM machine type. Leave as 'default' or empty to use the default VM type for the selected cloud provider."
-        type: string
-        default: "default"
-        required: false
-      regionZone:
-        description: "Region or zone to create the cluster in. Leave empty for default region/zone."
-        type: string
-      git-ref:
-        description: "Git ref to checkout."
-        type: string
-        default: "head"
-        required: false
-
-jobs:
-  e2e-test:
-    permissions:
-      id-token: write
-      checks: write
-      contents: read
-      packages: write
-    secrets: inherit
-    uses: ./.github/workflows/e2e-test.yml
-    with:
-      nodeCount: ${{ inputs.nodeCount }}
-      cloudProvider: ${{ inputs.cloudProvider }}
-      runner: ${{ inputs.runner }}
-      test: ${{ inputs.test }}
-      kubernetesVersion: ${{ inputs.kubernetesVersion }}
-      cliVersion: ${{ inputs.cliVersion }}
-      imageVersion: ${{ inputs.imageVersion }}
-      machineType: ${{ inputs.machineType }}
-      regionZone: ${{ inputs.regionZone }}
-      git-ref: ${{ inputs.git-ref }}
-      clusterCreation: "self-managed"

.github/workflows/e2e-test-stackit.yml

@@ -0,0 +1,153 @@
+name: e2e test STACKIT
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *" # Every day at midnight.
+
+jobs:
+  find-latest-image:
+    name: Find latest image
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
+    outputs:
+      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Select relevant image
+        id: select-image-action
+        uses: ./.github/actions/select_image
+        with:
+          osImage: "ref/release/stream/stable/?"
+
+      - name: Relabel output
+        id: relabel-output
+        shell: bash
+        run: |
+          ref=$(echo 'ref/release/stream/stable/?' | cut -d/ -f2)
+          stream=$(echo 'ref/release/stream/stable/?' | cut -d/ -f4)
+
+          echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT"
+
+  e2e-stackit:
+    strategy:
+      fail-fast: false
+      max-parallel: 6
+      matrix:
+        kubernetesVersion: [ "1.29", "1.30", "1.31" ]
+        clusterCreation: [ "cli", "terraform" ]
+        test: [ "sonobuoy quick" ]
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+      packages: write
+      actions: write
+    needs: [find-latest-image]
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          nixTools: terraform
+
+      - name: Run E2E test
+        id: e2e_test
+        uses: ./.github/actions/e2e_test
+        with:
+          workerNodesCount: "1"
+          controlNodesCount: "1"
+          cloudProvider: stackit
+          attestationVariant: qemu-vtpm
+          osImage: ${{ needs.find-latest-image.outputs.image-release-stable }}
+          isDebugImage: false
+          cliVersion: ${{ needs.find-latest-image.outputs.image-release-stable || '' }}
+          kubernetesVersion: ${{ matrix.kubernetesVersion }}
+          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
+          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
+          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
+          gcpProject: constellation-e2e
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+          test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
+          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          fetchMeasurements: false
+          clusterCreation: ${{ matrix.clusterCreation }}
+          s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
+          s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
+          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
+
+      - name: Always terminate cluster
+        if: always()
+        uses: ./.github/actions/constellation_destroy
+        with:
+          kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
+          clusterCreation: ${{ matrix.clusterCreation }}
+          cloudProvider: stackit
+          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Always delete IAM configuration
+        if: always()
+        uses: ./.github/actions/constellation_iam_destroy
+        with:
+          cloudProvider: stackit
+          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Notify about failure
+        if: |
+          failure() &&
+          github.ref == 'refs/heads/main' &&
+          github.event_name == 'schedule'
+        continue-on-error: true
+        uses: ./.github/actions/notify_e2e_failure
+        with:
+          projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
+          refStream: "ref/release/stream/stable/?"
+          test: ${{ matrix.test }}
+          kubernetesVersion: ${{ matrix.kubernetesVersion }}
+          provider: stackit
+          attestationVariant: qemu-vtpm
+          clusterCreation: ${{ matrix.clusterCreation }}
+
+      - name: Notify STACKIT
+        if: |
+          failure() &&
+          github.ref == 'refs/heads/main' &&
+          github.event_name == 'schedule'
+        continue-on-error: true
+        uses: ./.github/actions/notify_stackit
+        with:
+          slackToken: ${{ secrets.SLACK_TOKEN }}

.github/workflows/e2e-test-terraform-provider.yml

@@ -7,22 +7,24 @@ on:
         description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
         default: "3:2"
         type: string
-      cloudProvider:
-        description: "Which cloud provider to use."
+      attestationVariant:
+        description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp"
-          - "azure"
-          - "aws"
-        default: "azure"
+          - "aws-sev-snp"
+          - "azure-sev-snp"
+          - "azure-tdx"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
+        default: "azure-sev-snp"
         required: true
       runner:
         description: "Architecture of the runner that executes the CLI"
         type: choice
         options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "macos-latest"
+        default: "ubuntu-24.04"
       test:
         description: "The test to run."
         type: choice
@@ -39,7 +41,6 @@ on:
         required: true
       kubernetesVersion:
         description: "Kubernetes version to create the cluster from."
-        default: "1.27"
         required: true
       releaseVersion:
         description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref."
@@ -76,7 +77,7 @@ jobs:
     uses: ./.github/workflows/e2e-test.yml
     with:
       nodeCount: ${{ inputs.nodeCount }}
-      cloudProvider: ${{ inputs.cloudProvider }}
+      attestationVariant: ${{ inputs.attestationVariant }}
       runner: ${{ inputs.runner }}
       test: ${{ inputs.test }}
       kubernetesVersion: ${{ inputs.kubernetesVersion }}

.github/workflows/e2e-test-weekly.yml

@@ -10,9 +10,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
+        refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
     name: Find latest image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -22,7 +22,7 @@ jobs:
       image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
@@ -51,192 +51,261 @@ jobs:
           # Tests on main-debug refStream
           #
 
-          # sonobuoy full test on all k8s versions
-          - test: "sonobuoy full"
+          # Emergency SSH test on latest k8s version
+          - test: "emergency ssh"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
-          - test: "sonobuoy full"
+          - test: "emergency ssh"
             refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
-          - test: "sonobuoy full"
+          - test: "emergency ssh"
             refStream: "ref/main/stream/debug/?"
-            provider: "aws"
-            kubernetes-version: "v1.28"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
+          # Sonobuoy full test on latest k8s version
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.27"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.27"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
-            provider: "aws"
-            kubernetes-version: "v1.27"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
-          - test: "sonobuoy full"
+          # Sonobuoy conformance test
+          - test: "sonobuoy conformance"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.26"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
-          - test: "sonobuoy full"
+
+          # Sonobuoy quick test on all but the latest k8s versions
+          - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.26"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
-          - test: "sonobuoy full"
+          - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
-            provider: "aws"
-            kubernetes-version: "v1.26"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.29"
             clusterCreation: "cli"
 
           # verify test on latest k8s version
           - test: "verify"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "verify"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
             azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
             clusterCreation: "cli"
           - test: "verify"
-            provider: "aws"
             refStream: "ref/main/stream/debug/?"
-            kubernetes-version: "v1.28"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "verify"
+            attestationVariant: "aws-sev-snp"
+            refStream: "ref/main/stream/debug/?"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           # recover test on latest k8s version
           - test: "recover"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "recover"
             refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "recover"
             refStream: "ref/main/stream/debug/?"
-            provider: "aws"
-            kubernetes-version: "v1.28"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "recover"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "recover"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           # lb test on latest k8s version
           - test: "lb"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "lb"
             refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "lb"
             refStream: "ref/main/stream/debug/?"
-            provider: "aws"
-            kubernetes-version: "v1.28"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "lb"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "lb"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           # autoscaling test on latest k8s version
           - test: "autoscaling"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "autoscaling"
             refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "autoscaling"
             refStream: "ref/main/stream/debug/?"
-            provider: "aws"
-            kubernetes-version: "v1.28"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "autoscaling"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "autoscaling"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
-          # perf-bench test on latest k8s version, not supported on AWS
+          # perf-bench test on latest k8s version
           - test: "perf-bench"
-            refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "perf-bench"
-            refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
-
-          # malicious join test on latest k8s version
-          - test: "malicious join"
-            refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
+          - test: "perf-bench"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
-          - test: "malicious join"
-            refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
+          - test: "perf-bench"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
-          - test: "malicious join"
-            refStream: "ref/main/stream/debug/?"
-            provider: "aws"
-            kubernetes-version: "v1.28"
+          - test: "perf-bench"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
-          # self-managed infra test on latest k8s version
-          # with Sonobuoy full
-          - test: "sonobuoy full"
-            refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            clusterCreation: "self-managed"
-          - test: "sonobuoy full"
-            refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            clusterCreation: "self-managed"
-          - test: "sonobuoy full"
-            provider: "aws"
-            refStream: "ref/main/stream/debug/?"
-            kubernetes-version: "v1.28"
-            clusterCreation: "self-managed"
-
-          - test: "sonobuoy full"
-            refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
-            clusterCreation: "terraform"
-          - test: "sonobuoy full"
-            refStream: "ref/main/stream/debug/?"
-            provider: "azure"
-            kubernetes-version: "v1.28"
-            clusterCreation: "terraform"
-          - test: "sonobuoy full"
-            refStream: "ref/main/stream/debug/?"
-            provider: "aws"
-            kubernetes-version: "v1.28"
-            clusterCreation: "terraform"
-
           # s3proxy test on latest k8s version
           - test: "s3proxy"
             refStream: "ref/main/stream/debug/?"
-            provider: "gcp"
-            kubernetes-version: "v1.28"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           #
@@ -246,42 +315,63 @@ jobs:
           # verify test on default k8s version
           - test: "verify"
             refStream: "ref/release/stream/stable/?"
-            provider: "gcp"
-            kubernetes-version: "v1.27"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/release/stream/stable/?"
-            provider: "azure"
-            kubernetes-version: "v1.27"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/release/stream/stable/?"
-            provider: "aws"
-            kubernetes-version: "v1.27"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "verify"
+            refStream: "ref/release/stream/stable/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "verify"
+            refStream: "ref/release/stream/stable/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       checks: write
       contents: read
       packages: write
+      actions: write
     needs: [find-latest-image]
     steps:
       - name: Check out repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
+      - name: Split attestationVariant
+        id: split-attestationVariant
+        shell: bash
+        run: |
+          attestationVariant="${{ matrix.attestationVariant }}"
+          cloudProvider="${attestationVariant%%-*}"
+
+          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
       - name: Run E2E test
         id: e2e_test
         uses: ./.github/actions/e2e_test
         with:
           workerNodesCount: "2"
           controlNodesCount: "3"
-          cloudProvider: ${{ matrix.provider }}
-          osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+          attestationVariant: ${{ matrix.attestationVariant }}
+          osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || matrix.refStream == 'ref/main/stream/nightly/?' && needs.find-latest-image.outputs.image-main-nightly || needs.find-latest-image.outputs.image-main-debug }}
           isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
           cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
           kubernetesVersion: ${{ matrix.kubernetes-version }}
@@ -293,7 +383,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -305,6 +395,7 @@ jobs:
           clusterCreation: ${{ matrix.clusterCreation }}
           s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
           s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Always terminate cluster
         if: always()
@@ -312,7 +403,7 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           clusterCreation: ${{ matrix.clusterCreation }}
-          cloudProvider: ${{ matrix.provider }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
           azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
 
@@ -320,10 +411,20 @@ jobs:
         if: always()
         uses: ./.github/actions/constellation_iam_destroy
         with:
-          cloudProvider: ${{ matrix.provider }}
+          cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
       - name: Notify about failure
         if: |
           failure() &&
@@ -336,7 +437,8 @@ jobs:
           refStream: ${{ matrix.refStream }}
           test: ${{ matrix.test }}
           kubernetesVersion: ${{ matrix.kubernetes-version }}
-          provider: ${{ matrix.provider }}
+          provider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+          attestationVariant: ${{ matrix.attestationVariant }}
           clusterCreation: ${{ matrix.clusterCreation }}
 
   e2e-upgrade:
@@ -344,8 +446,8 @@ jobs:
       fail-fast: false
       max-parallel: 1
       matrix:
-        fromVersion: ["v2.13.0"]
-        cloudProvider: ["gcp", "azure", "aws"]
+        fromVersion: ["v2.22.0"]
+        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
     name: Run upgrade tests
     secrets: inherit
     permissions:
@@ -353,16 +455,17 @@ jobs:
       checks: write
       contents: read
       packages: write
+      actions: write
     uses: ./.github/workflows/e2e-upgrade.yml
     with:
       fromVersion: ${{ matrix.fromVersion }}
-      cloudProvider: ${{ matrix.cloudProvider }}
+      attestationVariant: ${{ matrix.attestationVariant }}
       nodeCount: '3:2'
       scheduled: ${{ github.event_name == 'schedule' }}
 
   e2e-mini:
     name: Run miniconstellation E2E test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     environment: e2e
     permissions:
       id-token: write
@@ -371,12 +474,12 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Azure login OIDC
-        uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -388,7 +491,7 @@ jobs:
           azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
           githubToken: ${{ secrets.GITHUB_TOKEN }}
 
@@ -403,6 +506,7 @@ jobs:
           projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
           test: "MiniConstellation"
           provider: "QEMU"
+          attestationVariant: "qemu-vtpm"
 
   e2e-windows:
     name: Run Windows E2E test
@@ -410,7 +514,23 @@ jobs:
       id-token: write
       contents: read
       packages: write
+      checks: write
     secrets: inherit
     uses: ./.github/workflows/e2e-windows.yml
     with:
       scheduled: ${{ github.event_name == 'schedule' }}
+
+  e2e-terraform-provider-example:
+    name: Run Terraform provider example E2E test
+    strategy:
+      fail-fast: false
+      matrix:
+        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+    secrets: inherit
+    uses: ./.github/workflows/e2e-test-provider-example.yml
+    with:
+      attestationVariant: ${{ matrix.attestationVariant }}

.github/workflows/e2e-test.yml

@@ -7,28 +7,32 @@ on:
         description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
         default: "3:2"
         type: string
-      cloudProvider:
-        description: "Which cloud provider to use."
+      attestationVariant:
+        description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp"
-          - "azure"
-          - "aws"
-        default: "azure"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
+          - "azure-sev-snp"
+          - "azure-tdx"
+          - "aws-sev-snp"
+          - "stackit-qemu-vtpm"
+        default: "azure-sev-snp"
         required: true
       runner:
         description: "Architecture of the runner that executes the CLI"
         type: choice
         options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "macos-latest"
+        default: "ubuntu-24.04"
       test:
-        description: "The test to run."
+        description: "The test to run. The conformance test is only supported for clusterCreation=cli."
         type: choice
         options:
           - "sonobuoy quick"
           - "sonobuoy full"
+          - "sonobuoy conformance"
           - "autoscaling"
           - "lb"
           - "perf-bench"
@@ -36,11 +40,12 @@ on:
           - "recover"
           - "malicious join"
           - "s3proxy"
+          - "emergency ssh"
           - "nop"
         required: true
       kubernetesVersion:
         description: "Kubernetes version to create the cluster from."
-        default: "1.27"
+        default: "1.30"
         required: true
       cliVersion:
         description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@@ -71,8 +76,8 @@ on:
         description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
         default: "3:2"
         type: string
-      cloudProvider:
-        description: "Which cloud provider to use."
+      attestationVariant:
+        description: "Which attestation variant to use."
         type: string
         required: true
       runner:
@@ -80,7 +85,7 @@ on:
         type: string
         required: true
       test:
-        description: "The test to run."
+        description: "The test to run. The conformance test is only supported for clusterCreation=cli."
         type: string
         required: true
       kubernetesVersion:
@@ -113,7 +118,7 @@ on:
         type: boolean
         default: false
       clusterCreation:
-        description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
+        description: "How to create infrastructure for the e2e test. One of [cli, terraform]."
         type: string
         default: "cli"
       marketplaceImageVersion:
@@ -124,15 +129,17 @@ on:
         type: boolean
 
 jobs:
-  split-nodeCount:
-    name: Split nodeCount
-    runs-on: ubuntu-22.04
+  generate-input-parameters:
+    name: Generate input parameters
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
     outputs:
       workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
       controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
+      cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+      attestationVariant: ${{ steps.split-attestationVariant.outputs.attestationVariant }}
     steps:
       - name: Split nodeCount
         id: split-nodeCount
@@ -150,9 +157,24 @@ jobs:
           echo "workerNodes=${workerNodes}" | tee -a "$GITHUB_OUTPUT"
           echo "controlPlaneNodes=${controlPlaneNodes}" | tee -a "$GITHUB_OUTPUT"
 
+      - name: Split attestationVariant
+        id: split-attestationVariant
+        shell: bash
+        run: |
+          attestationVariant="${{ inputs.attestationVariant }}"
+          cloudProvider="${attestationVariant%%-*}"
+
+          # special case for STACKIT, as there's no special attestation variant for it
+          if [[ "${cloudProvider}" == "stackit" ]]; then
+            attestationVariant="qemu-vtpm"
+          fi
+
+          echo "attestationVariant=${attestationVariant}" | tee -a "$GITHUB_OUTPUT"
+          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
   find-latest-image:
     name: Select image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -162,13 +184,13 @@ jobs:
     steps:
       - name: Checkout head
         if: inputs.git-ref == 'head'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Checkout ref
         if: inputs.git-ref != 'head'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.git-ref }}
 
@@ -188,7 +210,8 @@ jobs:
       checks: write
       contents: read
       packages: write
-    needs: [find-latest-image, split-nodeCount]
+      actions: write
+    needs: [find-latest-image, generate-input-parameters]
     if: always() && !cancelled()
     steps:
       - name: Install basic tools (macOS)
@@ -198,27 +221,28 @@ jobs:
 
       - name: Checkout head
         if: inputs.git-ref == 'head'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Checkout ref
         if: inputs.git-ref != 'head'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.git-ref }}
 
       - name: Set up gcloud CLI (macOS)
-        if: inputs.cloudProvider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
+        if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
       - name: Run manual E2E test
         id: e2e_test
         uses: ./.github/actions/e2e_test
         with:
-          workerNodesCount: ${{ needs.split-nodeCount.outputs.workerNodes }}
-          controlNodesCount: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
-          cloudProvider: ${{ inputs.cloudProvider }}
+          workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
+          controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
+          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
+          attestationVariant: ${{ needs.generate-input-parameters.outputs.attestationVariant }}
           machineType: ${{ inputs.machineType }}
           regionZone: ${{ inputs.regionZone }}
           gcpProject: constellation-e2e
@@ -232,7 +256,7 @@ jobs:
           osImage: ${{ needs.find-latest-image.outputs.image }}
           cliVersion: ${{ inputs.cliVersion }}
           isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -246,6 +270,10 @@ jobs:
           s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
           marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
           force: ${{ inputs.force }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
+          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
 
       - name: Always terminate cluster
         if: always()
@@ -253,7 +281,7 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           clusterCreation: ${{ inputs.clusterCreation }}
-          cloudProvider: ${{ inputs.cloudProvider }}
+          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
           azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
 
@@ -261,6 +289,16 @@ jobs:
         if: always()
         uses: ./.github/actions/constellation_iam_destroy
         with:
-          cloudProvider: ${{ inputs.cloudProvider }}
+          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}

.github/workflows/e2e-upgrade.yml

@@ -3,14 +3,17 @@ name: e2e test upgrade
 on:
   workflow_dispatch:
     inputs:
-      cloudProvider:
-        description: "Which cloud provider to use."
+      attestationVariant:
+        description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp"
-          - "azure"
-          - "aws"
-        default: "azure"
+          - "aws-sev-snp"
+          - "azure-sev-snp"
+          - "azure-tdx"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
+        default: "azure-sev-snp"
+        required: true
       nodeCount:
         description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
         default: "3:2"
@@ -19,6 +22,10 @@ on:
         description: CLI version to create a new cluster with. This has to be a released version, e.g., 'v2.1.3'.
         type: string
         required: true
+      fromKubernetes:
+        description: Kubernetes version for the origin cluster, empty for origin target's default version.
+        type: string
+        required: false
       gitRef:
         description: Ref to build upgrading CLI on, empty for HEAD.
         type: string
@@ -29,11 +36,11 @@ on:
         type: string
         required: false
       toKubernetes:
-        description: Kubernetes version to target for the upgrade, empty for target's default version.
+        description: Kubernetes version to target for the upgrade, empty for upgrade target's default version.
         type: string
         required: false
       toMicroservices:
-        description: Microservice version to target for the upgrade, empty for target's default version.
+        description: Microservice version to target for the upgrade, empty for upgrade target's default version.
         type: string
         required: false
       simulatedTargetVersion:
@@ -45,8 +52,8 @@ on:
         type: string
   workflow_call:
     inputs:
-      cloudProvider:
-        description: "Which cloud provider to use."
+      attestationVariant:
+        description: "Which attestation variant to use."
         type: string
         required: true
       nodeCount:
@@ -57,6 +64,10 @@ on:
         description: CLI version to create a new cluster with. This has to be a released version, e.g., 'v2.1.3'.
         type: string
         required: true
+      fromKubernetes:
+        description: Kubernetes version for the origin cluster, empty for origin target's default version.
+        type: string
+        required: false
       gitRef:
         description: Ref to build upgrading CLI on.
         type: string
@@ -85,15 +96,16 @@ on:
         required: false
 
 jobs:
-  split-nodeCount:
-    name: Split nodeCount
-    runs-on: ubuntu-22.04
+  generate-input-parameters:
+    name: Generate input parameters
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
     outputs:
       workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
       controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
+      cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
     steps:
       - name: Split nodeCount
         id: split-nodeCount
@@ -111,36 +123,158 @@ jobs:
           echo "workerNodes=${workerNodes}" | tee -a "$GITHUB_OUTPUT"
           echo "controlPlaneNodes=${controlPlaneNodes}" | tee -a "$GITHUB_OUTPUT"
 
-  e2e-upgrade:
-    runs-on: ubuntu-22.04
+      - name: Split attestationVariant
+        id: split-attestationVariant
+        shell: bash
+        run: |
+          attestationVariant="${{ inputs.attestationVariant }}"
+          cloudProvider="${attestationVariant%%-*}"
+
+          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
+  create-cluster:
+    name: Create upgrade origin version cluster
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       checks: write
       contents: read
       packages: write
-    needs: [split-nodeCount]
+    needs: [generate-input-parameters]
+    outputs:
+      kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
+      e2e-name-prefix: ${{ steps.e2e_test.outputs.namePrefix }}
     steps:
       - name: Checkout
         if: inputs.gitRef == 'head'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Checkout ref
         if: inputs.gitRef != 'head'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ inputs.gitRef }}
 
       - uses: ./.github/actions/setup_bazel_nix
+
+      - name: Create cluster with 'fromVersion' CLI.
+        id: e2e_test
+        uses: ./.github/actions/e2e_test
         with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
+          controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
+          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
+          attestationVariant: ${{ inputs.attestationVariant }}
+          osImage: ${{ inputs.fromVersion }}
+          isDebugImage: "false"
+          cliVersion: ${{ inputs.fromVersion }}
+          kubernetesVersion: ${{ inputs.fromKubernetes }}
+          regionZone: ${{ inputs.regionZone }}
+          gcpProject: constellation-e2e
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+          test: "upgrade"
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
+          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
+          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
+          clusterCreation: "cli"
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Remove Terraform plugin cache
+        if: always()
+        run: |
+          rm -rf constellation-terraform/.terraform
+          rm -rf constellation-iam-terraform/.terraform
+
+      - name: Upload Working Directory
+        if: always()
+        uses: ./.github/actions/artifact_upload
+        with:
+          name: constellation-pre-test-${{ inputs.attestationVariant }}
+          path: >
+            ${{ steps.e2e_test.outputs.kubeconfig }}
+            constellation-terraform
+            constellation-iam-terraform
+            constellation-conf.yaml
+            constellation-state.yaml
+            constellation-mastersecret.json
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Upload SA Key
+        if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
+        uses: ./.github/actions/artifact_upload
+        with:
+          name: sa-key-${{ inputs.attestationVariant }}
+          path: >
+            gcpServiceAccountKey.json
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+  e2e-upgrade:
+    name: Run upgrade test
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+      packages: write
+    needs:
+      - generate-input-parameters
+      - create-cluster
+    steps:
+      - name: Checkout
+        if: inputs.gitRef == 'head'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Checkout ref
+        if: inputs.gitRef != 'head'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.gitRef }}
+
+      - name: Setup Bazel & Nix
+        uses: ./.github/actions/setup_bazel_nix
+
+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # applying the version manipulation here so that the upgrade test tool is also on the simulated target version
+      - name: Simulate patch upgrade
+        if: inputs.simulatedTargetVersion != ''
+        run: |
+          echo ${{ inputs.simulatedTargetVersion }} > version.txt
+
+      - name: Build CLI
+        uses: ./.github/actions/build_cli
+        with:
+          enterpriseCLI: true
+          outputPath: "build/constellation"
+          push: true
+
+      - name: Upload CLI binary # is needed for the cleanup step
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: constellation-upgrade-${{ inputs.attestationVariant }}
+          path: build/constellation
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
           aws-region: eu-central-1
@@ -154,52 +288,15 @@ jobs:
           ref: main
           stream: nightly
 
-      - name: Simulate patch upgrade
-        if: inputs.simulatedTargetVersion != ''
-        run: |
-          echo ${{ inputs.simulatedTargetVersion }} > version.txt
-
-      - name: Create cluster with 'fromVersion' CLI.
-        id: e2e_test
-        uses: ./.github/actions/e2e_test
-        with:
-          workerNodesCount: ${{ needs.split-nodeCount.outputs.workerNodes }}
-          controlNodesCount: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
-          cloudProvider: ${{ inputs.cloudProvider }}
-          osImage: ${{ inputs.fromVersion }}
-          isDebugImage: "false"
-          cliVersion: ${{ inputs.fromVersion }}
-          regionZone: ${{ inputs.regionZone }}
-          gcpProject: constellation-e2e
-          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
-          test: "upgrade"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
-          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
-          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          registry: ghcr.io
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
-          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
-          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
-          clusterCreation: "cli"
-
-      - name: Build CLI
-        uses: ./.github/actions/build_cli
-        with:
-          enterpriseCLI: true
-          outputPath: "build/constellation"
-          push: true
-
       - name: Login to GCP (IAM service account)
-        if: inputs.cloudProvider == 'gcp'
+        if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
         uses: ./.github/actions/login_gcp
         with:
           service_account: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
       - name: Login to AWS (IAM role)
-        if: inputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
           aws-region: eu-central-1
@@ -207,11 +304,32 @@ jobs:
           role-duration-seconds: 21600
 
       - name: Login to Azure (IAM service principal)
-        if: inputs.cloudProvider == 'azure'
+        if: needs.generate-input-parameters.outputs.cloudProvider == 'azure'
         uses: ./.github/actions/login_azure
         with:
           azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 
+
+      - name: Download Working Directory (Pre-test)
+        uses: ./.github/actions/artifact_download
+        with:
+          name: constellation-pre-test-${{ inputs.attestationVariant }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Download SA Key
+        if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
+        uses: ./.github/actions/artifact_download
+        with:
+          name: sa-key-${{ inputs.attestationVariant }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Make Constellation executable and add to PATH
+        if: always()
+        run: |
+          chmod +x build/constellation
+          export PATH="$PATH:build"
+          echo "build" >> "$GITHUB_PATH"
+
       - name: Migrate config
         id: constellation-config-migrate
         run: |
@@ -222,14 +340,14 @@ jobs:
         uses: ./.github/actions/constellation_iam_upgrade
 
       - name: Login to GCP (Cluster service account)
-        if: always() && inputs.cloudProvider == 'gcp'
+        if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
         uses: ./.github/actions/login_gcp
         with:
           service_account: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
 
       - name: Login to AWS (Cluster role)
-        if: always() && inputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
           aws-region: eu-central-1
@@ -237,37 +355,105 @@ jobs:
           role-duration-seconds: 21600
 
       - name: Login to Azure (Cluster service principal)
-        if: always() && inputs.cloudProvider == 'azure'
+        if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'azure'
         uses: ./.github/actions/login_azure
         with:
           azure_credentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 
       - name: Run upgrade test
         env:
-          KUBECONFIG: ${{ steps.e2e_test.outputs.kubeconfig }}
+          KUBECONFIG: ${{ needs.create-cluster.outputs.kubeconfig }}
           IMAGE: ${{ inputs.toImage && inputs.toImage || steps.find-image.outputs.output }}
           KUBERNETES: ${{ inputs.toKubernetes }}
           MICROSERVICES: ${{ inputs.toMicroservices }}
-          WORKERNODES:  ${{ needs.split-nodeCount.outputs.workerNodes }}
-          CONTROLNODES: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
+          WORKERNODES: ${{ needs.generate-input-parameters.outputs.workerNodes }}
+          CONTROLNODES: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
         run: |
           echo "Image target: $IMAGE"
           echo "K8s target: $KUBERNETES"
           echo "Microservice target: $MICROSERVICES"
 
-          if [[ -n ${MICROSERVICES} ]]; then
-            MICROSERVICES_FLAG="--target-microservices=$MICROSERVICES"
-          fi
-          if [[ -n ${KUBERNETES} ]]; then
-            KUBERNETES_FLAG="--target-kubernetes=$KUBERNETES"
-          fi
+          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
+          CLI=$(realpath ./build/constellation)
+          bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" --target-kubernetes "$KUBERNETES" --target-microservices "$MICROSERVICES" --cli "$CLI"
 
-          bazel run //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"
+      - name: Remove Terraform plugin cache
+        if: always()
+        run: |
+          rm -rf constellation-terraform/.terraform
+          rm -rf constellation-iam-terraform/.terraform
+
+      - name: Upload Working Directory
+        if: always()
+        uses: ./.github/actions/artifact_upload
+        with:
+          name: constellation-post-test-${{ inputs.attestationVariant }}
+          path: |
+            ${{ needs.create-cluster.outputs.kubeconfig }}
+            constellation-terraform
+            constellation-iam-terraform
+            constellation-conf.yaml
+            constellation-state.yaml
+            constellation-mastersecret.json
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+  clean-up:
+    name: Clean up resources
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+      packages: write
+      actions: write
+    if: always()
+    needs: [generate-input-parameters, create-cluster, e2e-upgrade]
+    steps:
+      - name: Checkout
+        if: inputs.gitRef == 'head'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Checkout ref
+        if: inputs.gitRef != 'head'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.gitRef }}
+
+      - name: Download CLI
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        with:
+          name: constellation-upgrade-${{ inputs.attestationVariant }}
+          path: build
+
+      - name: Download Working Directory (Pre-test)
+        if: always() && needs.e2e-upgrade.result != 'success'
+        uses: ./.github/actions/artifact_download
+        with:
+          name: constellation-pre-test-${{ inputs.attestationVariant }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Download Working Directory (Post-test)
+        if: always() && needs.e2e-upgrade.result == 'success'
+        uses: ./.github/actions/artifact_download
+        with:
+          name: constellation-post-test-${{ inputs.attestationVariant }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Make Constellation executable and add to PATH
+        if: always()
+        run: |
+          chmod +x build/constellation
+          export PATH="$PATH:build"
+          echo "build" >> "$GITHUB_PATH"
 
       - name: Always fetch logs
         if: always()
         env:
-          KUBECONFIG: ${{ steps.e2e_test.outputs.kubeconfig }}
+          KUBECONFIG: ${{ needs.create-cluster.outputs.kubeconfig }}
         run: |
           kubectl logs -n kube-system -l "app.kubernetes.io/name=constellation-operator" --tail=-1 > node-operator.logs
           kubectl logs -n kube-system -l "app.kubernetes.io/name=node-maintenance-operator" --tail=-1 > node-maintenance-operator.logs
@@ -275,21 +461,33 @@ jobs:
 
       - name: Always upload logs
         if: always()
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: ./.github/actions/artifact_upload
         with:
-          name: upgrade-logs
-          path: |
+          name: upgrade-logs-${{ inputs.attestationVariant }}
+          path: >
             node-operator.logs
             node-maintenance-operator.logs
             constellation-version.yaml
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Prepare terraform state artifact upload
+        if: always()
+        shell: bash
+        run: |
+          mkdir -p to-zip
+          cp -r constellation-terraform to-zip
+          rm -f to-zip/constellation-terraform/plan.zip
+          rm -rf to-zip/constellation-terraform/.terraform
+          cp -r constellation-iam-terraform to-zip
+          rm -rf to-zip/constellation-iam-terraform/.terraform
 
       - name: Always terminate cluster
         if: always()
         uses: ./.github/actions/constellation_destroy
         with:
-          kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           clusterCreation: "cli"
-          cloudProvider: ${{ inputs.cloudProvider }}
+          kubeconfig: ${{ needs.create-cluster.outputs.kubeconfig }}
+          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
           azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
 
@@ -297,13 +495,24 @@ jobs:
         if: always()
         uses: ./.github/actions/constellation_iam_destroy
         with:
-          cloudProvider: ${{ inputs.cloudProvider }}
+          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ needs.create-cluster.outputs.e2e-name-prefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
       - name: Notify about failure
         if: |
-          failure() &&
+          always() &&
+          ( needs.create-cluster.result != 'success' || needs.e2e-upgrade.result != 'success' ) &&
           github.ref == 'refs/heads/main' &&
           inputs.scheduled
         continue-on-error: true
@@ -311,4 +520,5 @@ jobs:
         with:
           projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
           test: "upgrade"
-          provider: ${{ inputs.cloudProvider }}
+          provider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
+          attestationVariant: ${{ inputs.attestationVariant }}

.github/workflows/e2e-windows.yml

@@ -13,18 +13,27 @@ on:
 jobs:
   build-cli:
     name: Build Windows CLI
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+      packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
+
+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
         with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build CLI
         uses: ./.github/actions/build_cli
@@ -32,33 +41,35 @@ jobs:
           targetOS: "windows"
           targetArch: "amd64"
           enterpriseCLI: true
+          outputPath: "build/constellation"
+          push: true
 
       - name: Upload CLI artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          path: "bazel-bin/cli/cli_enterprise_windows_amd64"
+          path: build/constellation.exe
           name: "constell-exe"
 
   e2e-test:
     name: E2E Test Windows
-    runs-on: windows-2022
+    runs-on: windows-2025
     needs: build-cli
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Download CLI artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: "constell-exe"
 
       - name: Check CLI version
         shell: pwsh
         run: |
-          Move-Item -Path .\cli_enterprise_windows_amd64 -Destination .\constellation.exe
           .\constellation.exe version
+          Add-Content -Path $env:windir\System32\drivers\etc\hosts -Value "`n127.0.0.1`tlicense.confidential.cloud" -Force
 
       - name: Login to Azure (IAM service principal)
         uses: ./.github/actions/login_azure
@@ -66,25 +77,24 @@ jobs:
           azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 
       - name: Create IAM configuration
+        id: iam-create
         shell: pwsh
         run: |
-          .\constellation.exe config generate azure
-          .\constellation.exe iam create azure --region=westus --resourceGroup=e2eWindoewsRG --servicePrincipal=e2eWindoewsSP --update-config --debug -y
+          $uid = Get-Random -Minimum 1000 -Maximum 9999
+          $rgName = "e2e-win-${{ github.run_id }}-${{ github.run_attempt }}-$uid"
+          "rgName=$($rgName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+          .\constellation.exe config generate azure -t "workflow=${{ github.run_id }}"
+          .\constellation.exe iam create azure --subscriptionID=${{ secrets.AZURE_SUBSCRIPTION_ID }} --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
 
       - name: Login to Azure (Cluster service principal)
         uses: ./.github/actions/login_azure
         with:
           azure_credentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 
-      - name: Create cluster
+      - name: Apply config
         shell: pwsh
         run: |
-          .\constellation.exe create --debug -y
-
-      - name: Initialize cluster
-        shell: pwsh
-        run: |
-          .\constellation.exe apply --debug
+          .\constellation.exe apply --debug -y
 
       - name: Liveness probe
         shell: pwsh
@@ -100,24 +110,31 @@ jobs:
               Write-Host "Retry ${retryCount}: Checking node status..."
 
               $nodesOutput = & kubectl get nodes --kubeconfig "$PWD\constellation-admin.conf"
+              $status = $?
 
-              $lines = $nodesOutput -split "`r?`n" | Select-Object -Skip 1
+              $nodesOutput
 
-              $allNodesReady = $true
+              if ($status) {
+                  $lines = $nodesOutput -split "`r?`n" | Select-Object -Skip 1
 
-              foreach ($line in $lines) {
-                  $columns = $line -split '\s+' | Where-Object { $_ -ne '' }
+                  if ($lines.count -eq 4) {
+                      $allNodesReady = $true
 
-                  $nodeName = $columns[0]
-                  $status = $columns[1]
+                      foreach ($line in $lines) {
+                          $columns = $line -split '\s+' | Where-Object { $_ -ne '' }
 
-                  if ($status -ne "Ready") {
-                      Write-Host "Node $nodeName is not ready!"
-                      $allNodesReady = $false
+                          $nodeName = $columns[0]
+                          $status = $columns[1]
+
+                          if ($status -ne "Ready") {
+                              Write-Host "Node $nodeName is not ready!"
+                              $allNodesReady = $false
+                          }
+                      }
                   }
               }
 
-              if (-not $allNodesReady) {
+              if (-not $allNodesReady -and $retryCount -lt $maxRetries) {
                   Write-Host "Retrying in $retryIntervalSeconds seconds..."
                   Start-Sleep -Seconds $retryIntervalSeconds
               }
@@ -132,6 +149,7 @@ jobs:
           }
 
       - name: Terminate cluster
+        id: terminate-cluster
         if: always()
         shell: pwsh
         run: |
@@ -144,14 +162,23 @@ jobs:
           azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 
       - name: Delete IAM configuration
+        id: delete-iam
         if: always()
         shell: pwsh
         run: |
           .\constellation.exe iam destroy --debug -y
 
+      - name: Clean up after failure
+        # run on a cleanup failure or if cancelled
+        if: (failure() && (steps.terminate-cluster.conclusion == 'failure' || steps.delete-iam.conclusion == 'failure')) || cancelled()
+        shell: pwsh
+        run: |
+          az group delete --name ${{ steps.iam-create.outputs.rgName }}-rg --yes
+          az group delete --name ${{ steps.iam-create.outputs.rgName }}-rg-identity --yes
+
   notify-failure:
     name: Notify about failure
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: e2e-test
     if: |
       failure() &&
@@ -159,15 +186,12 @@ jobs:
       inputs.scheduled
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Notify about failure
         continue-on-error: true
@@ -176,3 +200,4 @@ jobs:
           projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
           test: Windows E2E Test
           provider: Azure
+          attestationVariant: "azure-sev-snp"

.github/workflows/on-release.yml

@@ -15,10 +15,10 @@ on:
 
 jobs:
   complete-release-branch-transaction:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
-      contents: read
+      contents: write
     env:
       FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
     outputs:
@@ -26,17 +26,13 @@ jobs:
       WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # fetch all history
 
       - name: Determine branch names
         run: |
-          WITHOUT_V=${FULL_VERSION#v}
-          PART_MAJOR=${WITHOUT_V%%.*}
-          PART_MINOR=${WITHOUT_V#*.}
-          MAJOR_MINOR=${PART_MAJOR}.${PART_MINOR}
-          RELEASE_BRANCH="release/v${MAJOR_MINOR}"
+          RELEASE_BRANCH="release/${FULL_VERSION%.*}"
           WORKING_BRANCH="tmp/${FULL_VERSION}"
           echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV"
           echo "WORKING_BRANCH=${WORKING_BRANCH}" | tee -a "$GITHUB_ENV"
@@ -48,12 +44,12 @@ jobs:
           git push origin "${WORKING_BRANCH}":"${RELEASE_BRANCH}"
 
   update:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Override latest
         if: github.event.inputs.latest == 'true'
@@ -121,13 +117,62 @@ jobs:
         add-image-version-to-versionsapi,
         add-cli-version-to-versionsapi,
       ]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Remove temporary branch
+        run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
+
+  mirror-gcp-mpi:
+    name: "Mirror GCP Marketplace Image"
+    needs: [add-image-version-to-versionsapi]
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Remove temporary branch
-        run: git push origin --delete "${WORKING_BRANCH}"
+      - uses: ./.github/actions/setup_bazel_nix
+
+      - name: Login to AWS
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
+          aws-region: eu-central-1
+
+      - name: Fetch latest release version
+        id: fetch-version
+        uses: ./.github/actions/versionsapi
+        with:
+          command: latest
+          stream: stable
+          ref: "-"
+
+      - name: Fetch GCP image reference
+        id: fetch-reference
+        shell: bash
+        run: |
+          aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
+          FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-snp") | .reference' info.json)
+          IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
+          echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Login to GCP
+        uses: ./.github/actions/login_gcp
+        with:
+          service_account: "mp-image-uploader@edgeless-systems-public.iam.gserviceaccount.com"
+
+      - name: Mirror
+        shell: bash
+        run: |
+          gcloud --project=edgeless-systems-public compute images create ${{ steps.fetch-reference.outputs.reference }} \
+            --source-image=${{ steps.fetch-reference.outputs.reference }} \
+            --source-image-project=constellation-images \
+            --licenses=projects/edgeless-systems-public/global/licenses/cloud-marketplace-c3d24830a0502e29-df1ebeb69c0ba664

.github/workflows/purge-main.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   find-version:
     name: Delete version from main ref
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       version: ${{ steps.find.outputs.version }}
     permissions:
@@ -18,12 +18,12 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.head_ref }}
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
           aws-region: eu-central-1
@@ -47,6 +47,8 @@ jobs:
               ;;
           esac
 
+      - uses: ./.github/actions/setup_bazel_nix
+
       - name: List versions
         id: list
         uses: ./.github/actions/versionsapi