mini-constellation: pin swtpm to v0.8.2 (#3756)

* mini-constellation: pin swtpm to v0.8.2
* containers: update libvirtd_base image

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

.bazelrc

@@ -1,9 +1,3 @@
-# Sadly, some Bazel rules we depend on have no support for bzlmod yet
-# Here is an (incomplete) list of rules known to not support bzlmod.
-# Please extend this list as you find more.
-# - rules_nixpkgs: https://github.com/tweag/rules_nixpkgs/issues/181
-common --noenable_bzlmod
-
 # Import bazelrc presets
 import %workspace%/bazel/bazelrc/bazel7.bazelrc
 import %workspace%/bazel/bazelrc/convenience.bazelrc
@@ -54,15 +48,6 @@ common --crosstool_top=@local_config_cc//:toolchain
 # bazel config to explicitly disable stamping (hide version information at build time)
 common:nostamp --nostamp --workspace_status_command=
 
-# bazel config to use (buildbuddy) remote cache
-common:remote_cache --bes_results_url=https://app.buildbuddy.io/invocation/
-common:remote_cache --bes_backend=grpcs://remote.buildbuddy.io
-common:remote_cache --remote_cache=grpcs://remote.buildbuddy.io
-common:remote_cache --remote_timeout=3600
-common:remote_cache --experimental_remote_build_event_upload=minimal
-common:remote_cache --nolegacy_important_outputs
-common:remote_cache_readonly --noremote_upload_local_results # Uploads logs & artifacts without writing to cache
-
 common:build_barn_rbe_ubuntu_22_04 --remote_timeout=3600
 common:build_barn_rbe_ubuntu_22_04 --remote_executor=grpc://frontend.buildbarn:8980 # this maps to the kubernetes internal buildbarn/frontend service
 common:build_barn_rbe_ubuntu_22_04 --extra_execution_platforms=//bazel/rbe:ubuntu-act-22-04-platform

.bazelversion

@@ -1 +1 @@
-7.0.0
+7.6.0

.github/actions/artifact_delete/action.yml

@@ -0,0 +1,17 @@
+name: Delete artifact
+description: Delete an artifact by name
+
+inputs:
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  workflowID:
+    description: 'The ID of the workflow.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Delete artifact
+      shell: bash
+      run: ./.github/actions/artifact_delete/delete_artifact.sh ${{ inputs.workflowID }} ${{ inputs.name }}

.github/actions/artifact_delete/delete_artifact.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# get_artifact_id retrieves the artifact id of
+# an artifact that was generated by a workflow.
+# $1 should be the workflow run id. $2 should be the artifact name.
+function get_artifact_id {
+  artifact_id="$(gh api \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    --paginate \
+    "/repos/edgelesssys/constellation/actions/runs/$1/artifacts" --jq ".artifacts |= map(select(.name==\"$2\")) | .artifacts[0].id" || exit 1)"
+  echo "$artifact_id" | tr -d "\n"
+}
+
+# delete_artifact_by_id deletes an artifact by its artifact id.
+# $1 should be the id of the artifact.
+function delete_artifact_by_id {
+  gh api \
+    --method DELETE \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/edgelesssys/constellation/actions/artifacts/$1" || exit 1
+}
+
+workflow_id="$1"
+artifact_name="$2"
+
+if [[ -z $workflow_id ]] || [[ -z $artifact_name ]]; then
+  echo "Usage: delete_artifact.sh <WORKFLOW_ID> <ARTIFACT_NAME>"
+  exit 1
+fi
+
+echo "[*] retrieving artifact ID"
+artifact_id="$(get_artifact_id "$workflow_id" "$artifact_name")"
+
+echo "[*] deleting artifact with ID $artifact_id"
+delete_artifact_by_id "$artifact_id"

.github/actions/artifact_download/action.yml

@@ -16,11 +16,11 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install unzip
+    - name: Install 7zip
       uses: ./.github/actions/setup_bazel_nix
       with:
         nixTools: |
-          unzip
+          _7zz
 
     - name: Create temporary directory
       id: tempdir
@@ -28,7 +28,7 @@ runs:
       run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
 
     - name: Download the artifact
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: ${{ inputs.name }}
         path: ${{ steps.tempdir.outputs.directory }}
@@ -37,4 +37,4 @@ runs:
       shell: bash
       run: |
         mkdir -p ${{ inputs.path }}
-        unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
+        7zz x -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z

.github/actions/artifact_upload/action.yml

@@ -14,15 +14,19 @@ inputs:
   encryptionSecret:
     description: 'The secret to use for encrypting the files.'
     required: true
+  overwrite:
+    description: 'Overwrite an artifact with the same name.'
+    default: false
+    required: false
 
 runs:
   using: "composite"
   steps:
-    - name: Install zip
+    - name: Install 7zip
       uses: ./.github/actions/setup_bazel_nix
       with:
         nixTools: |
-          zip
+          _7zz
 
     - name: Create temporary directory
       id: tempdir
@@ -32,11 +36,10 @@ runs:
     - name: Create archive
       shell: bash
       run: |
+        set -euo pipefail
         shopt -s extglob
-
         paths="${{ inputs.path }}"
         paths=${paths%$'\n'} # Remove trailing newline
-
         # Check if any file matches the given pattern(s).
         something_exists=false
         for pattern in ${paths}
@@ -57,15 +60,19 @@ runs:
 
         for target in ${paths}
         do
-          pushd "$(dirname "${target}")" || exit 1
-          zip -e -P '${{ inputs.encryptionSecret }}' -r "${{ steps.tempdir.outputs.directory }}/archive.zip" "$(basename "${target}")"
-          popd || exit 1
+          if compgen -G "${target}" > /dev/null
+          then
+            pushd "$(dirname "${target}")"
+            7zz a -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
+            popd
+          fi
         done
 
     - name: Upload archive as artifact
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ inputs.name }}
-        path: ${{ steps.tempdir.outputs.directory }}/archive.zip
+        path: ${{ steps.tempdir.outputs.directory }}/archive.7z
         retention-days: ${{ inputs.retention-days }}
         if-no-files-found: ignore
+        overwrite: ${{ inputs.overwrite }}

.github/actions/build_cli/action.yml

@@ -79,7 +79,7 @@ runs:
     # once it has the functionality
     - name: Install Cosign
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
     - name: Install Rekor
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''

.github/actions/build_micro_service/action.yml

@@ -42,7 +42,7 @@ runs:
 
     - name: Docker metadata
       id: meta
-      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
       with:
         images: |
           ghcr.io/${{ github.repository }}/${{ inputs.name }}
@@ -62,7 +62,7 @@ runs:
 
     - name: Build and push container image
       id: build-micro-service
-      uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
       with:
         context: .
         file: ${{ inputs.dockerfile }}

.github/actions/cdbg_deploy/action.yml

@@ -40,8 +40,15 @@ runs:
       if: inputs.cloudProvider == 'azure'
       shell: bash
       run: |
-        UAMI=$(yq eval ".provider.azure.userAssignedIdentity | upcase" constellation-conf.yaml)
-        PRINCIPAL_ID=$(az identity list | yq ".[] | select(.id | test(\"(?i)$UAMI\"; \"g\")) | .principalId")
+        UAMI=$(yq eval ".provider.azure.userAssignedIdentity" constellation-conf.yaml)
+        PRINCIPAL_ID=$(az identity show --ids "$UAMI" | yq ".principalId")
+        if [ -z "$PRINCIPAL_ID" ]; then
+          echo "::error::PRINCIPAL_ID for \"$UAMI\" not found"
+          echo "::group::Available identities"
+          az identity list | yq ".[].id"
+          echo "::endgroup::"
+          exit 1
+        fi
         az role assignment create --role "Key Vault Secrets User" \
           --assignee "$PRINCIPAL_ID" \
           --scope /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/e2e-test-creds/providers/Microsoft.KeyVault/vaults/opensearch-creds
@@ -54,7 +61,7 @@ runs:
 
     - name: Login to AWS (IAM service principal)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1
@@ -73,7 +80,7 @@ runs:
 
     - name: Login to AWS (Cluster service principal)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1
@@ -84,6 +91,11 @@ runs:
       shell: bash
       run: |
         echo "::group::cdbg deploy"
+        on_error() {
+          echo "::error::cdbg deploy failed"
+        }
+        trap on_error ERR
+        
         chmod +x $GITHUB_WORKSPACE/build/cdbg
         cdbg deploy \
           --bootstrapper "${{ github.workspace }}/build/bootstrapper" \

.github/actions/check_measurements_reproducibility/action.yml

@@ -0,0 +1,64 @@
+name: Check measurements reproducibility
+description: Check if the measurements of a given release are reproducible.
+
+inputs:
+  version:
+    type: string
+    description: The version of the measurements that are downloaded from the CDN.
+    required: true
+  ref:
+    type: string
+    description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ inputs.ref }}
+        path: ./release
+
+    - name: Set up bazel
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        useCache: "false"
+        nixTools: |
+          systemdUkify
+          jq
+          jd-diff-patch
+          moreutils
+
+    - name: Allow unrestricted user namespaces
+      shell: bash
+      run: |
+        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+
+    - name: Build images
+      id: build-images
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Build required binaries
+        pushd release
+        bazel build //image/system:stable
+        echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
+        popd
+
+    - name: Download measurements
+      shell: bash
+      run: |
+        curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json
+
+    - name: Cleanup release measurements and generate our own
+      shell: bash
+      run: |
+        ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
+
+    - name: Compare measurements
+      shell: bash
+      run: |
+        ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}"

.github/actions/check_measurements_reproducibility/compare_measurements.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# no -e since we need to collect errors later
+# no -u since it interferes with checking associative arrays
+set -o pipefail
+shopt -s extglob
+
+declare -A errors
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  echo "Their measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_their-measurements.json
+  echo "Own measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_own-measurements.json
+
+  diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)"
+  if [[ -n $diff ]]; then
+    errors["$attestationVariant"]="$diff"
+  fi
+done
+
+for attestationVariant in "${!errors[@]}"; do
+  echo "Failed to reproduce measurements for $attestationVariant:"
+  echo "${errors["$attestationVariant"]}" | ts "  "
+done
+
+if [[ ${#errors[@]} -ne 0 ]]; then
+  exit 1
+fi

.github/actions/check_measurements_reproducibility/create_measurements.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+shopt -s extglob
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  csp="$(echo "$dirname" | cut -d_ -f1)"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  # This jq filter selects the measurements for the correct CSP and attestation variant
+  # and then removes all `warnOnly: true` measurements.
+  jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
+    '
+      .list.[]
+      | select(
+        .attestationVariant == $attestation_variant
+        and (.csp | ascii_downcase) == $csp
+      )
+      | .measurements
+      | to_entries
+      | map(select(.value.warnOnly | not))
+      | from_entries
+      | del(.[] .warnOnly)
+  ' \
+    measurements.json > "$attestationVariant"_their-measurements.json
+
+  bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json
+done

.github/actions/constellation_create/action.yml

@@ -192,6 +192,13 @@ runs:
       run: |
         echo "flag=--force" | tee -a $GITHUB_OUTPUT
 
+    - name: Set conformance flag
+      id: set-conformance-flag
+      if: inputs.test == 'sonobuoy conformance'
+      shell: bash
+      run: |
+        echo "flag=--conformance" | tee -a $GITHUB_OUTPUT
+
     - name: Constellation apply (Terraform)
       id: constellation-apply-terraform
       if: inputs.clusterCreation == 'terraform'
@@ -204,7 +211,7 @@ runs:
       if: inputs.clusterCreation != 'terraform'
       shell: bash
       run: |
-        constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }}
+        constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }} ${{ steps.set-conformance-flag.outputs.flag }}
 
     - name: Get kubeconfig
       id: get-kubeconfig
@@ -217,31 +224,9 @@ runs:
       env:
         KUBECONFIG: "${{ steps.get-kubeconfig.outputs.KUBECONFIG }}"
         JOINTIMEOUT: "1200" # 20 minutes timeout for all nodes to join
-      run: |
-        echo "::group::Wait for nodes"
-        NODES_COUNT=$((${{ inputs.controlNodesCount }} + ${{ inputs.workerNodesCount }}))
-        JOINWAIT=0
-        until [[ "$(kubectl get nodes -o json | jq '.items | length')" == "${NODES_COUNT}" ]] || [[ $JOINWAIT -gt $JOINTIMEOUT ]];
-        do
-            echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined.. waiting.."
-            JOINWAIT=$((JOINWAIT+30))
-            sleep 30
-        done
-        if [[ $JOINWAIT -gt $JOINTIMEOUT ]]; then
-            kubectl get nodes -o wide
-            echo "::error::Timed out waiting for nodes to join"
-            echo "::endgroup::"
-            exit 1
-        fi
-        echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined"
-        if ! kubectl wait --for=condition=ready --all nodes --timeout=20m; then
-          kubectl get pods -n kube-system
-          kubectl get events -n kube-system
-          echo "::error::kubectl wait timed out before all nodes became ready"
-          echo "::endgroup::"
-          exit 1
-        fi
-        echo "::endgroup::"
+        CONTROL_NODES_COUNT: "${{ inputs.controlNodesCount }}"
+        WORKER_NODES_COUNT: "${{ inputs.workerNodesCount }}"
+      run: ./.github/actions/constellation_create/wait-for-nodes.sh
 
     - name: Download boot logs
       if: always()
@@ -272,9 +257,9 @@ runs:
       continue-on-error: true
       uses: ./.github/actions/artifact_upload
       with:
-        name: serial-logs-${{ inputs.artifactNameSuffix }}
-        path: >
-          !(terraform).log
+        name: debug-logs-${{ inputs.artifactNameSuffix }}
+        path: |
+          *.log
         encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Prepare terraform state folders
@@ -283,9 +268,12 @@ runs:
       run: |
         mkdir to-zip
         cp -r constellation-terraform to-zip
-        cp -r constellation-iam-terraform to-zip
-        rm to-zip/constellation-terraform/plan.zip
-        rm -rf to-zip/constellation-terraform/.terraform to-zip/constellation-iam-terraform/.terraform
+        # constellation-iam-terraform is optional
+        if [ -d constellation-iam-terraform ]; then
+          cp -r constellation-iam-terraform to-zip
+        fi
+        rm -f to-zip/constellation-terraform/plan.zip
+        rm -rf to-zip/*/.terraform
 
     - name: Upload terraform state
       if: always()

.github/actions/constellation_create/wait-for-nodes.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# We don't want to abort the script if there's a transient error in kubectl.
+set +e
+set -uo pipefail
+
+NODES_COUNT=$((CONTROL_NODES_COUNT + WORKER_NODES_COUNT))
+JOINWAIT=0
+
+# Reports how many nodes are registered and fulfill condition=ready.
+num_nodes_ready() {
+  kubectl get nodes -o json |
+    jq '.items | map(select(.status.conditions[] | .type == "Ready" and .status == "True")) | length'
+}
+
+# Reports how many API server pods are ready.
+num_apiservers_ready() {
+  kubectl get pods -n kube-system -l component=kube-apiserver -o json |
+    jq '.items | map(select(.status.conditions[] | .type == "Ready" and .status == "True")) | length'
+}
+
+# Prints node joining progress.
+report_join_progress() {
+  echo -n "nodes_joined=$(kubectl get nodes -o json | jq '.items | length')/${NODES_COUNT} "
+  echo -n "nodes_ready=$(num_nodes_ready)/${NODES_COUNT} "
+  echo "api_servers_ready=$(num_apiservers_ready)/${CONTROL_NODES_COUNT} ..."
+}
+
+# Indicates by exit code whether the cluster is ready, i.e. all nodes and API servers are ready.
+cluster_ready() {
+  [[ "$(num_nodes_ready)" == "${NODES_COUNT}" && "$(num_apiservers_ready)" == "${CONTROL_NODES_COUNT}" ]]
+}
+
+echo "::group::Wait for nodes"
+until cluster_ready || [[ ${JOINWAIT} -gt ${JOINTIMEOUT} ]]; do
+  report_join_progress
+  JOINWAIT=$((JOINWAIT + 30))
+  sleep 30
+done
+report_join_progress
+if [[ ${JOINWAIT} -gt ${JOINTIMEOUT} ]]; then
+  set -x
+  kubectl get nodes -o wide
+  kubectl get pods -n kube-system -o wide
+  kubectl get events -n kube-system
+  set +x
+  echo "::error::timeout reached before all nodes became ready"
+  echo "::endgroup::"
+  exit 1
+fi
+echo "::endgroup::"

.github/actions/constellation_destroy/action.yml

@@ -24,6 +24,7 @@ runs:
     - name: Delete persistent volumes
       if: inputs.kubeconfig != ''
       shell: bash
+      continue-on-error: true
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
         PV_DELETION_TIMEOUT: "120" # 2 minutes timeout for pv deletion
@@ -34,6 +35,14 @@ runs:
         # Scrap namespaces that contain PVCs
         for namespace in `kubectl get namespace --no-headers=true -o custom-columns=":metadata.name"`; do
           if [[ `kubectl get pvc -n $namespace --no-headers=true -o custom-columns=":metadata.name" | wc -l` -gt 0 ]]; then
+            if [[ "${namespace}" == "default" ]]; then
+              kubectl delete all --all --namespace "default" --wait
+              continue
+            fi
+            if [[ "${namespace}" == "kube-system" ]]; then
+              kubectl delete pvc --all --namespace "kube-system" --wait
+              continue
+            fi
             kubectl delete namespace $namespace --wait
           fi
         done
@@ -58,7 +67,7 @@ runs:
 
     - name: Login to AWS (Cluster role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1

.github/actions/constellation_iam_create/action.yml

@@ -14,6 +14,10 @@ inputs:
   namePrefix:
     description: "Name prefix to use for resources."
     required: true
+  additionalTags:
+    description: "Additional resource tags that will be written into the constellation configuration."
+    default: ""
+    required: false
   #
   # AWS specific inputs
   #
@@ -23,6 +27,9 @@ inputs:
   #
   # Azure specific inputs
   #
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureRegion:
     description: "Azure region to deploy Constellation in."
     required: false
@@ -35,6 +42,15 @@ inputs:
   gcpZone:
     description: "The GCP zone to deploy Constellation in."
     required: false
+  #
+  # STACKIT specific inputs
+  #
+  stackitZone:
+    description: "The STACKIT zone to deploy Constellation in."
+    required: false
+  stackitProjectID:
+    description: "The STACKIT project ID to deploy Constellation in."
+    required: false
 
 runs:
   using: "composite"
@@ -48,8 +64,14 @@ runs:
           kubernetesFlag="--kubernetes=${{ inputs.kubernetesVersion }}"
         fi
 
+        # TODO(v2.17): Remove this fallback and always use --tags flag
+        tagsFlag=""
+        if constellation config generate --help | grep -q -- --tags; then
+          tagsFlag="--tags=\"${{ inputs.additionalTags }}\""
+        fi
+
         echo "flag=--update-config" | tee -a "$GITHUB_OUTPUT"
-        constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag} --attestation ${{ inputs.attestationVariant }}
+        constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag} --attestation ${{ inputs.attestationVariant }} ${tagsFlag}
 
     - name: Constellation iam create aws
       shell: bash
@@ -66,14 +88,21 @@ runs:
       shell: bash
       if: inputs.cloudProvider == 'azure'
       run: |
+        extraFlags=""
+
+        if [[ $(constellation iam create azure --help | grep -c -- --subscriptionID) -ne 0 ]]; then
+          extraFlags="--subscriptionID=${{ inputs.azureSubscriptionID }}"
+        fi
+
         constellation iam create azure \
           --region="${{ inputs.azureRegion }}" \
           --resourceGroup="${{ inputs.namePrefix }}-rg" \
           --servicePrincipal="${{ inputs.namePrefix }}-sp" \
           --update-config \
           --tf-log=DEBUG \
-          --yes
+          --yes ${extraFlags}
 
+    # TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix
     - name: Constellation iam create gcp
       shell: bash
       if: inputs.cloudProvider == 'gcp'
@@ -85,3 +114,13 @@ runs:
           --update-config \
           --tf-log=DEBUG \
           --yes
+
+    - name: Set STACKIT-specific configuration
+      shell: bash
+      if: inputs.cloudProvider == 'stackit'
+      env:
+        STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }}
+      run: |
+        yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml
+        yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
+        yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml

.github/actions/constellation_iam_destroy/action.yml

@@ -23,7 +23,7 @@ runs:
 
     - name: Login to AWS (IAM role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1

.github/actions/container_registry_login/action.yml

@@ -17,7 +17,7 @@ runs:
   steps:
     - name: Use docker for logging in
       if: runner.os != 'macOS'
-      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
       with:
         registry: ${{ inputs.registry }}
         username: ${{ inputs.username }}

.github/actions/container_sbom/action.yml

@@ -19,7 +19,7 @@ runs:
   steps:
     - name: Install Cosign
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
     - name: Download Syft & Grype
       uses: ./.github/actions/install_syft_grype

.github/actions/deploy_logcollection/action.yml

@@ -67,7 +67,7 @@ runs:
     # Make sure that helm is installed
     # This is not always the case, e.g. on MacOS runners
     - name: Install Helm
-      uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f # v4.0.0
+      uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
       with:
         version: v3.9.0
 

.github/actions/download_release_binaries/action.yml

@@ -5,51 +5,51 @@ runs:
   using: "composite"
   steps:
     - name: Download CLI binaries darwin-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-darwin-amd64
 
     - name: Download CLI binaries darwin-arm64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-darwin-arm64
 
     - name: Download CLI binaries linux-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-linux-amd64
 
     - name: Download CLI binaries linux-arm64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-linux-arm64
 
     - name: Download CLI binaries windows-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-windows-amd64
 
     - name: Download Terraform module
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-module
 
     - name: Download Terraform provider binary darwin-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-darwin-amd64
 
     - name: Download Terraform provider binary darwin-arm64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-darwin-arm64
 
     - name: Download Terraform provider binary linux-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-linux-amd64
 
     - name: Download Terraform provider binary linux-arm64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-linux-arm64

.github/actions/e2e_attestationconfigapi/action.yml

@@ -2,12 +2,9 @@ name: E2E Attestationconfig API Test
 description: "Test the attestationconfig CLI is functional."
 
 inputs:
-  csp:
-    description: "Cloud provider to run tests against"
-    default: "azure"
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
-    required: true
+  attestationVariant:
+    description: "attestation variant to run tests against"
+    default: "azure-sev-snp"
   cosignPrivateKey:
     description: "Cosign private key"
     required: true
@@ -20,12 +17,9 @@ runs:
   steps:
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
-      with:
-        useCache: "true"
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
 
     - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
         aws-region: eu-west-1
@@ -36,4 +30,4 @@ runs:
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
       run: |
-        bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.csp }}
+        bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.attestationVariant }}

.github/actions/e2e_autoscaling/action.yml

@@ -82,7 +82,30 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
         worker_count=${{ steps.worker_count.outputs.worker_count }}
-        kubectl create -n default deployment nginx --image=nginx --replicas $(( 110 * (worker_count + 1) + 55 ))
+
+        cat <<EOF | kubectl apply -f -
+        kind: Deployment
+        apiVersion: apps/v1
+        metadata:
+          name: nginx
+          namespace: default
+        spec:
+          replicas: $(( 110 * (worker_count + 1) + 55 ))
+          strategy:
+            rollingUpdate:
+              maxUnavailable: 0 # Ensure "kubectl wait" actually waits for all pods to be ready
+          selector:
+            matchLabels:
+              app: nginx
+          template:
+            metadata:
+              labels:
+                app: nginx
+            spec:
+              containers:
+              - name: nginx
+                image: nginx
+        EOF
 
     - name: Wait for autoscaling and check result
       shell: bash

.github/actions/e2e_benchmark/action.yml

@@ -5,7 +5,6 @@ inputs:
   cloudProvider:
     description: "Which cloud provider to use."
     required: true
-  # TODO: Create different report depending on the attestation variant
   attestationVariant:
     description: "Which attestation variant to use."
     required: true
@@ -33,9 +32,9 @@ runs:
 
   steps:
     - name: Setup python
-      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
-        python-version: "3.10"
+        python-version: "3.13"
 
     - name: Install kubestr
       shell: bash
@@ -49,25 +48,25 @@ runs:
         install kubestr /usr/local/bin
 
     - name: Checkout k8s-bench-suite
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
         repository: "edgelesssys/k8s-bench-suite"
         ref: 67c64c854841165b778979375444da1c02e02210
         path: k8s-bench-suite
 
-
-    - name: Run FIO benchmark without caching in Azure
-      if: inputs.cloudProvider == 'azure'
+    - name: Run FIO benchmark
       shell: bash
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
+        if [[ "${{ inputs.cloudProvider }}" == "azure" ]]
+        then
         cat <<EOF | kubectl apply -f -
         apiVersion: storage.k8s.io/v1
         kind: StorageClass
         metadata:
-          name: encrypted-rwo-no-cache
+          name: fio-benchmark
         allowVolumeExpansion: true
         allowedTopologies: []
         mountOptions: []
@@ -78,34 +77,47 @@ runs:
         reclaimPolicy: Delete
         volumeBindingMode: Immediate
         EOF
-        mkdir -p out
-        kubestr fio -e "out/fio-constellation-${{ inputs.cloudProvider }}.json" -o json -s encrypted-rwo-no-cache -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
+        fi
 
-    - name: Run FIO benchmark
-      if: inputs.cloudProvider == 'gcp'
-      shell: bash
-      env:
-        KUBECONFIG: ${{ inputs.kubeconfig }}
-      run: |
+        if [[ "${{ inputs.cloudProvider }}" == "gcp" ]]
+        then
         cat <<EOF | kubectl apply -f -
         apiVersion: storage.k8s.io/v1
         kind: StorageClass
         metadata:
-          name: encrypted-balanced-rwo
+          name: fio-benchmark
         provisioner: gcp.csi.confidential.cloud
         volumeBindingMode: Immediate
         allowVolumeExpansion: true
         parameters:
           type: pd-balanced
         EOF
+        fi
+
+        if [[ "${{ inputs.cloudProvider }}" == "aws" ]]
+        then
+        cat <<EOF | kubectl apply -f -
+        apiVersion: storage.k8s.io/v1
+        kind: StorageClass
+        metadata:
+          name: fio-benchmark
+        parameters:
+          type: gp3
+        provisioner: aws.csi.confidential.cloud
+        allowVolumeExpansion: true
+        reclaimPolicy: Delete
+        volumeBindingMode: Immediate
+        EOF
+        fi
+
         mkdir -p out
-        kubestr fio -e "out/fio-constellation-${{ inputs.cloudProvider }}.json" -o json -s encrypted-balanced-rwo -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
+        kubestr fio -e "out/fio-constellation-${{ inputs.attestationVariant }}.json" -o json -s fio-benchmark -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
 
     - name: Upload raw FIO benchmark results
       if: (!env.ACT)
       uses: ./.github/actions/artifact_upload
       with:
-        path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
+        path: "out/fio-constellation-${{ inputs.attestationVariant }}.json"
         name: "fio-constellation-${{ inputs.artifactNameSuffix }}.json"
         encryptionSecret: ${{ inputs.encryptionSecret }}
 
@@ -115,19 +127,19 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
         TERM: xterm-256color
       run: |
-        workers="$(kubectl get nodes -o name | grep worker)"
+        workers="$(kubectl get nodes -o name -l '!node-role.kubernetes.io/control-plane')"
         echo -e "Found workers:\n$workers"
         server="$(echo "$workers" | tail +1 | head -1 | cut -d '/' -f2)"
         echo "Server: $server"
         client="$(echo "$workers" | tail +2 | head -1 | cut -d '/' -f2)"
         echo "Client: $client"
-        k8s-bench-suite/knb -f "out/knb-constellation-${{ inputs.cloudProvider }}.json" -o json --server-node "$server" --client-node "$client"
+        k8s-bench-suite/knb -f "out/knb-constellation-${{ inputs.attestationVariant }}.json" -o json --server-node "$server" --client-node "$client"
 
     - name: Upload raw knb benchmark results
       if: (!env.ACT)
       uses: ./.github/actions/artifact_upload
       with:
-        path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
+        path: "out/knb-constellation-${{ inputs.attestationVariant }}.json"
         name: "knb-constellation-${{ inputs.artifactNameSuffix }}.json"
         encryptionSecret: ${{ inputs.encryptionSecret }}
 
@@ -139,6 +151,7 @@ runs:
         # Working directory containing the previous results as JSON and to contain the graphs
         BDIR: benchmarks
         CSP: ${{ inputs.cloudProvider }}
+        ATTESTATION_VARIANT: ${{ inputs.attestationVariant }}
       run: |
         mkdir -p benchmarks
         python .github/actions/e2e_benchmark/evaluate/parse.py
@@ -148,12 +161,12 @@ runs:
       uses: ./.github/actions/artifact_upload
       with:
         path: >
-          benchmarks/constellation-${{ inputs.cloudProvider }}.json
+          benchmarks/constellation-${{ inputs.attestationVariant }}.json
         name: "benchmarks-${{ inputs.artifactNameSuffix }}"
         encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Assume AWS role to retrieve and update benchmarks in S3
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
         aws-region: us-east-2
@@ -166,12 +179,10 @@ runs:
 
     - name: Get previous benchmark records from S3
       shell: bash
-      env:
-        CSP: ${{ inputs.cloudProvider }}
       run: |
-        aws s3 cp --recursive ${S3_PATH} ./ --no-progress
-        if [[ -f constellation-${CSP}.json ]]; then
-          mv constellation-${CSP}.json benchmarks/constellation-${CSP}-previous.json
+        if aws s3 cp "${S3_PATH}/constellation-${{ inputs.attestationVariant }}.json" ./ --no-progress
+        then
+          mv "constellation-${{ inputs.attestationVariant }}.json" "benchmarks/constellation-${{ inputs.attestationVariant }}-previous.json"
         else
             echo "::warning::Couldn't retrieve previous benchmark records from s3"
         fi
@@ -180,15 +191,15 @@ runs:
       shell: bash
       env:
         # Paths to benchmark results as JSON of the previous run and the current run
-        PREV_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}-previous.json
-        CURR_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}.json
+        PREV_BENCH: benchmarks/constellation-${{ inputs.attestationVariant }}-previous.json
+        CURR_BENCH: benchmarks/constellation-${{ inputs.attestationVariant }}.json
       run: |
         if [[ -f "$PREV_BENCH" ]]; then
           # Fails if the results are outside the threshold range
           python .github/actions/e2e_benchmark/evaluate/compare.py >> $GITHUB_STEP_SUMMARY
         fi
 
-    - name: Upload benchmark results to opensearch
+    - name: Upload benchmark results to OpenSearch
       if: (!env.ACT)
       shell: bash
       env:
@@ -198,14 +209,12 @@ runs:
       run: |
         curl -XPOST \
             -u "${OPENSEARCH_USER}:${OPENSEARCH_PWD}" \
-            "${OPENSEARCH_DOMAIN}/benchmarks-${{ inputs.cloudProvider }}-$(date '+%Y')"/_doc \
-            --data-binary @benchmarks/constellation-${{ inputs.cloudProvider }}.json \
+            "${OPENSEARCH_DOMAIN}/benchmarks-${{ inputs.attestationVariant }}-$(date '+%Y')"/_doc \
+            --data-binary @benchmarks/constellation-${{ inputs.attestationVariant }}.json \
             -H 'Content-Type: application/json'
 
     - name: Update benchmark records in S3
       if: github.ref_name == 'main'
       shell: bash
-      env:
-        CSP: ${{ inputs.cloudProvider }}
       run: |
-        aws s3 cp benchmarks/constellation-${CSP}.json ${S3_PATH}/constellation-${CSP}.json
+        aws s3 cp benchmarks/constellation-${{ inputs.attestationVariant }}.json ${S3_PATH}/constellation-${{ inputs.attestationVariant }}.json

.github/actions/e2e_benchmark/evaluate/compare.py

@@ -94,18 +94,18 @@ class BenchmarkComparer:
             raise ValueError('Failed reading benchmark file: {e}'.format(e=e))
 
         try:
-            name = bench_curr['provider']
+            name = bench_curr['attestationVariant']
         except KeyError:
             raise ValueError(
-                'Current benchmark record file does not contain provider.')
+                'Current benchmark record file does not contain attestationVariant.')
         try:
-            prev_name = bench_prev['provider']
+            prev_name = bench_prev['attestationVariant']
         except KeyError:
             raise ValueError(
-                'Previous benchmark record file does not contain provider.')
+                'Previous benchmark record file does not contain attestationVariant.')
         if name != prev_name:
             raise ValueError(
-                'Cloud providers of previous and current benchmark data do not match.')
+                'Cloud attestationVariants of previous and current benchmark data do not match.')
 
         if 'fio' not in bench_prev.keys() or 'fio' not in bench_curr.keys():
             raise ValueError('Benchmarks do not both contain fio records.')

.github/actions/e2e_benchmark/evaluate/parse.py

@@ -7,7 +7,7 @@ from datetime import datetime
 from evaluators import fio, knb
 
 
-def configure() -> Tuple[str, str, str, str | None, str, str, str, str]:
+def configure() -> Tuple[str, str, str, str, str | None, str, str, str, str]:
     """Read the benchmark data paths.
 
     Expects ENV vars (required):
@@ -25,27 +25,29 @@ def configure() -> Tuple[str, str, str, str | None, str, str, str, str]:
     """
     base_path = os.environ.get('BENCH_RESULTS', None)
     csp = os.environ.get('CSP', None)
+    attestation_variant = os.environ.get('ATTESTATION_VARIANT', None)
     out_dir = os.environ.get('BDIR', None)
-    if not base_path or not csp or not out_dir:
+    if not base_path or not csp or not out_dir or not attestation_variant:
         raise TypeError(
-            'ENV variables BENCH_RESULTS, CSP, BDIR are required.')
+            'ENV variables BENCH_RESULTS, CSP, BDIR, ATTESTATION_VARIANT are required.')
 
     ext_provider_name = os.environ.get('EXT_NAME', None)
     commit_hash = os.environ.get('GITHUB_SHA', 'N/A')
     commit_ref = os.environ.get('GITHUB_REF_NAME', 'N/A')
     actor = os.environ.get('GITHUB_ACTOR', 'N/A')
     workflow = os.environ.get('GITHUB_WORKFLOW', 'N/A')
-    return base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow
+    return base_path, csp, attestation_variant, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow
 
 
 class BenchmarkParser:
-    def __init__(self, base_path, csp, out_dir, ext_provider_name=None, commit_hash="N/A", commit_ref="N/A", actor="N/A", workflow="N/A"):
+    def __init__(self, base_path, csp, attestation_variant, out_dir, ext_provider_name=None, commit_hash="N/A", commit_ref="N/A", actor="N/A", workflow="N/A"):
         self.base_path = base_path
         self.csp = csp
+        self.attestation_variant = attestation_variant
         self.out_dir = out_dir
         self.ext_provider_name = ext_provider_name
         if not self.ext_provider_name:
-            self.ext_provider_name = f'constellation-{csp}'
+            self.ext_provider_name = f'constellation-{attestation_variant}'
         self.commit_hash = commit_hash
         self.commit_ref = commit_ref
         self.actor = actor
@@ -88,6 +90,7 @@ class BenchmarkParser:
         },
             '@timestamp': str(timestamp),
             'provider': self.ext_provider_name,
+            'attestationVariant': self.attestation_variant,
             'fio': {},
             'knb': {}}
 
@@ -101,8 +104,8 @@ class BenchmarkParser:
 
 
 def main():
-    base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow = configure()
-    p = BenchmarkParser(base_path, csp, out_dir, ext_provider_name,
+    base_path, csp, attestation_variant, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow = configure()
+    p = BenchmarkParser(base_path, csp, attestation_variant, out_dir, ext_provider_name,
                         commit_hash, commit_ref, actor, workflow)
     p.parse()
 

.github/actions/e2e_benchmark/evaluate/requirements.txt

@@ -1,3 +1,3 @@
-numpy ==1.26.4
-matplotlib ==3.8.3
-Pillow ==10.2.0
+numpy ==2.2.4
+matplotlib ==3.10.1
+Pillow ==11.1.0

.github/actions/e2e_benchmark/fio.ini

@@ -7,7 +7,7 @@ size=10Gi
 time_based=1
 group_reporting
 thread
-cpus_allowed=1
+cpus_allowed=0
 
 
 [read_iops]

.github/actions/e2e_cleanup_timeframe/action.yml

@@ -0,0 +1,62 @@
+name: E2E cleanup over timeframe
+description: Clean up old terraform resources of E2E tests
+
+inputs:
+  ghToken:
+    description:  'The github token that is used with the github CLI.'
+    required: true
+  encryptionSecret:
+    description: 'The secret to use for decrypting the artifacts.'
+    required: true
+  azure_credentials:
+    description: "Credentials authorized to create Constellation on Azure."
+    required: true
+  openStackCloudsYaml:
+    description: "The contents of ~/.config/openstack/clouds.yaml"
+    required: false
+  stackitUat:
+    description: "The UAT for STACKIT"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Authenticate AWS
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
+        aws-region: eu-central-1
+
+    - name: Authenticate Azure
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azure_credentials }}
+
+    - name: Authenticate GCP
+      uses: ./.github/actions/login_gcp
+      with:
+        service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+    - name: Login to OpenStack
+      uses: ./.github/actions/login_openstack
+      with:
+        clouds_yaml: ${{ inputs.openStackCloudsYaml }}
+
+    - name: Login to STACKIT
+      uses: ./.github/actions/login_stackit
+      with:
+        serviceAccountToken: ${{ inputs.stackitUat }}
+
+    - name: Install tools
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          _7zz
+          terraform
+
+    - name: Run cleanup
+      run: ./.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.ghToken }}
+        ENCRYPTION_SECRET: ${{ inputs.encryptionSecret }}

.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date.
+function get_e2e_test_ids_on_date {
+  ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)"
+  echo "${ids}"
+}
+
+# download_tfstate_artifact downloads all artifacts matching the pattern terraform-state-* from a given workflow ID.
+function download_tfstate_artifact {
+  gh run download "$1" -p "terraform-state-*" -R edgelesssys/constellation > /dev/null
+}
+
+# delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder.
+function delete_resources {
+  if [[ -d "$1/constellation-terraform" ]]; then
+    cd "$1/constellation-terraform" || exit 1
+    terraform init > /dev/null || exit 1 # first, install plugins
+    terraform destroy -auto-approve || exit 1
+    cd ../../ || exit 1
+  fi
+}
+
+# delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder.
+function delete_iam_config {
+  if [[ -d "$1/constellation-iam-terraform" ]]; then
+    cd "$1/constellation-iam-terraform" || exit 1
+    terraform init > /dev/null || exit 1 # first, install plugins
+    terraform destroy -auto-approve || exit 1
+    cd ../../ || exit 1
+  fi
+}
+
+# check if the password for artifact decryption was given
+if [[ -z ${ENCRYPTION_SECRET} ]]; then
+  echo "ENCRYPTION_SECRET is not set. Please set an environment variable with that secret."
+  exit 1
+fi
+
+artifact_pwd=${ENCRYPTION_SECRET}
+
+shopt -s nullglob
+
+start_date=$(date "+%Y-%m-%d")
+end_date=$(date --date "-7 day" "+%Y-%m-%d")
+dates_to_clean=()
+
+# get all dates of the last week
+while [[ ${end_date} != "${start_date}" ]]; do
+  dates_to_clean+=("${end_date}")
+  end_date=$(date --date "${end_date} +1 day" "+%Y-%m-%d")
+done
+
+echo "[*] retrieving run IDs for cleanup"
+database_ids=()
+for d in "${dates_to_clean[@]}"; do
+  echo "    retrieving run IDs from $d"
+  mapfile -td " " tmp < <(get_e2e_test_ids_on_date "$d")
+  database_ids+=("${tmp[*]}")
+done
+
+# cleanup database_ids
+mapfile -t database_ids < <(echo "${database_ids[@]}")
+mapfile -td " " database_ids < <(echo "${database_ids[@]}")
+
+echo "[*] downloading terraform state artifacts"
+for id in "${database_ids[@]}"; do
+  if [[ ${id} == *[^[:space:]]* ]]; then
+    echo "    downloading from workflow ${id}"
+    download_tfstate_artifact "${id}"
+  fi
+done
+
+echo "[*] extracting artifacts"
+for directory in ./terraform-state-*; do
+  echo "    extracting ${directory}"
+
+  # extract and decrypt the artifact
+  7zz x -t7z -p"${artifact_pwd}" -o"${directory}" "${directory}/archive.7z" > /dev/null || exit 1
+done
+
+# create terraform caching directory
+mkdir "${HOME}/tf_plugin_cache"
+export TF_PLUGIN_CACHE_DIR="${HOME}/tf_plugin_cache"
+echo "[*] created terraform cache directory ${TF_PLUGIN_CACHE_DIR}"
+
+echo "[*] deleting resources"
+for directory in ./terraform-state-*; do
+  echo "    deleting resources in ${directory}"
+  delete_resources "${directory}"
+  echo "    deleting IAM configuration in ${directory}"
+  delete_iam_config "${directory}"
+  echo "    deleting directory ${directory}"
+  rm -rf "${directory}"
+done
+
+exit 0

.github/actions/e2e_emergency_ssh/action.yml

@@ -0,0 +1,68 @@
+name: Emergency ssh
+description: "Verify that an emergency ssh connection can be established."
+
+inputs:
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Test emergency ssh
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        set -euo pipefail
+
+        # Activate emergency ssh access to the cluster
+        pushd ./constellation-terraform
+        echo "emergency_ssh = true" >> terraform.tfvars
+        terraform apply -auto-approve
+        lb="$(terraform output -raw loadbalancer_address)"
+        popd
+
+        # write ssh config
+        cat > ssh_config <<EOF
+        Host $lb
+          ProxyJump none
+
+        Host *
+          StrictHostKeyChecking no
+          UserKnownHostsFile=/dev/null
+          IdentityFile ./access-key
+          PreferredAuthentications publickey
+          CertificateFile=constellation_cert.pub
+          User root
+          ProxyJump $lb
+        EOF
+
+        for i in {1..26}; do
+          if [[ "$i" -eq 26 ]]; then
+            echo "Port 22 never became reachable"
+            exit 1
+          fi
+          echo "Waiting until port 22 is reachable: $i/25"
+          if nc -z -w 25 "$lb" 22; then
+            break
+          fi
+        done
+
+        # generate and try keypair
+        ssh-keygen -t ecdsa -q -N "" -f ./access-key
+        constellation ssh --debug --key ./access-key.pub
+        internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
+        for ip in $internalIPs; do
+          for i in {1..26}; do
+            if [[ "$i" -eq 26 ]]; then
+              echo "Failed to connect to $ip over $lb"
+              exit 1
+            fi
+            echo "Trying connection to $ip over $lb: $i/25"
+            if ssh -F ssh_config -o BatchMode=yes $ip true; then
+              echo "Connected to $ip successfully"
+              break
+            fi
+          done
+        done

.github/actions/e2e_lb/action.yml

@@ -5,6 +5,9 @@ inputs:
   kubeconfig:
     description: "The kubeconfig of the cluster to test."
     required: true
+  cloudProvider:
+    description: "The CSP this test runs on. Some tests exercise functionality not supported everywhere."
+    required: false
 
 runs:
   using: "composite"
@@ -18,7 +21,25 @@ runs:
       run: |
         kubectl apply -f ns.yml
         kubectl apply -f lb.yml
-        bazel run //e2e/internal/lb:lb_test
+        bazel run --test_timeout=14400 //e2e/internal/lb:lb_test
+
+    - name: Test AWS Ingress
+      if: inputs.cloudProvider == 'aws'
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      working-directory: ./.github/actions/e2e_lb
+      run: |
+        kubectl apply -f aws-ingress.yml
+        kubectl wait -n lb-test ing/whoami --for=jsonpath='{.status.loadBalancer.ingress}' --timeout=5m
+        host=$(kubectl get -n lb-test ingress whoami -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+        for i in $(seq 30); do
+          curl --silent --fail --connect-timeout 5 --output /dev/null http://$host && exit 0
+          sleep 10
+        done
+        echo "::error::Ingress did not become ready in the alloted time."
+        kubectl describe ing -n lb-test
+        exit 1
 
     - name: Delete deployment
       if: always()
@@ -28,4 +49,5 @@ runs:
       working-directory: ./.github/actions/e2e_lb
       run: |
         kubectl delete -f lb.yml
+        kubectl delete --ignore-not-found -f aws-ingress.yml
         kubectl delete -f ns.yml --timeout=5m

.github/actions/e2e_lb/aws-ingress.yml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami-internal
+  namespace: lb-test
+spec:
+  selector:
+    app: whoami
+  ports:
+    - port: 80
+      targetPort: 80
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: lb-test
+  name: whoami
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: instance
+spec:
+  ingressClassName: alb
+  rules:
+    - http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: whoami-internal
+              port:
+                number: 80

.github/actions/e2e_malicious_join/action.yml

@@ -32,7 +32,7 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       working-directory: e2e/malicious-join
       run: |
-        bazel run //e2e/malicious-join:stamp_and_push
+        bazel run --test_timeout=14400 //e2e/malicious-join:stamp_and_push
         yq eval -i "(.spec.template.spec.containers[0].command) = \
           [ \"/malicious-join_bin\", \
           \"--js-endpoint=join-service.kube-system:9090\", \

.github/actions/e2e_mini/action.yml

@@ -11,8 +11,8 @@ inputs:
   azureTenantID:
     description: "Azure tenant to use for login with OIDC"
     required: true
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
+  azureIAMCredentials:
+    description: "Azure IAM credentials used for cleaning up resources"
     required: true
   registry:
     description: "Container registry to use"
@@ -25,15 +25,12 @@ runs:
   using: "composite"
   steps:
     - name: Install terraform
-      uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
         terraform_wrapper: false
 
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
-      with:
-        useCache: "true"
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
 
     - name: Log in to the Container registry
       uses: ./.github/actions/container_registry_login
@@ -44,9 +41,25 @@ runs:
 
     - name: MiniConstellation E2E
       shell: bash
+      id: e2e-test
       env:
         ARM_CLIENT_ID: ${{ inputs.azureClientID }}
         ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
         ARM_TENANT_ID: ${{ inputs.azureTenantID }}
       run: |
-        bazel run //e2e/miniconstellation:push_remote_test
+        bazel run --test_timeout=14400 //e2e/miniconstellation:push_remote_test
+
+    - name: Log in to azure
+      # only log in if e2e test failed or if the run was cancelled
+      if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureIAMCredentials }}
+
+    - name: Clean up after failure
+      shell: bash
+      # clean up if e2e test failed or if the run was cancelled
+      if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
+      run: |
+        echo "[*] Deleting resource group ${{ steps.e2e-test.outputs.rgname }}"
+        az group delete -y --resource-group "${{ steps.e2e-test.outputs.rgname }}"

.github/actions/e2e_s3proxy/action.yml

@@ -11,9 +11,6 @@ inputs:
   s3SecretKey:
     description: "Secret key for s3proxy"
     required: true
-  buildBuddyApiKey:
-    description: "BuildBuddy API key"
-    required: true
   githubToken:
     description: "GitHub token"
     required: true
@@ -23,9 +20,6 @@ runs:
   steps:
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
-      with:
-        useCache: "true"
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
 
     - name: Get pseudoversion
       id: pseudoversion

.github/actions/e2e_sonobuoy/action.yml

@@ -48,6 +48,12 @@ runs:
         sonobuoy results *_sonobuoy_*.tar.gz
         sonobuoy results *_sonobuoy_*.tar.gz --mode detailed | jq 'select(.status!="passed")' | jq 'select(.status!="skipped")' || true
 
+    - name: Cleanup sonobuoy deployment
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      shell: bash
+      run: sonobuoy delete --wait
+
     - name: Upload test results
       if: always() && !env.ACT
       uses: ./.github/actions/artifact_upload
@@ -64,7 +70,7 @@ runs:
 
     - name: Publish test results
       if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
-      uses: mikepenz/action-junit-report@5f47764eec0e1c1f19f40c8e60a5ba47e47015c5 # v4.1.0
+      uses: mikepenz/action-junit-report@cf701569b05ccdd861a76b8607a66d76f6fd4857 # v5.5.1
       with:
         report_paths: "**/junit_01.xml"
         fail_on_failure: true

.github/actions/e2e_test/action.yml

@@ -46,6 +46,9 @@ inputs:
     description: "AWS OpenSearch User to upload the benchmark results."
   awsOpenSearchPwd:
     description: "AWS OpenSearch Password to upload the benchmark results."
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureClusterCreateCredentials:
     description: "Azure credentials authorized to create a Constellation cluster."
     required: true
@@ -53,12 +56,10 @@ inputs:
     description: "Azure credentials authorized to create an IAM configuration."
     required: true
   test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
     required: true
   sonobuoyTestSuiteCmd:
     description: "The sonobuoy test suite to run."
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
   registry:
     description: "Container registry to use"
     required: true
@@ -90,8 +91,17 @@ inputs:
     description: "Set the force-flag on apply to ignore version mismatches."
     required: false
   encryptionSecret:
-    description: 'The secret to use for decrypting the artifact.'
+    description: "The secret to use for decrypting the artifact."
     required: true
+  openStackCloudsYaml:
+    description: "The contents of ~/.config/openstack/clouds.yaml"
+    required: false
+  stackitUat:
+    description: "The UAT for STACKIT"
+    required: false
+  stackitProjectID:
+    description: "The STACKIT project ID to deploy Constellation in."
+    required: false
 
 outputs:
   kubeconfig:
@@ -105,7 +115,7 @@ runs:
   using: "composite"
   steps:
     - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
       shell: bash
       run: |
         echo "::error::Invalid input for test field: ${{ inputs.test }}"
@@ -140,8 +150,7 @@ runs:
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
       with:
-        useCache: ${{ inputs.buildBuddyApiKey != '' }}
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
+        nixTools: terraform
 
     - name: Log in to the Container registry
       uses: ./.github/actions/container_registry_login
@@ -169,8 +178,6 @@ runs:
         echo "$(pwd)" >> $GITHUB_PATH
         export PATH="$PATH:$(pwd)"
         constellation version
-        # Do not spam license server from pipeline
-        sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
 
     - name: Build Terraform provider binary
       if: inputs.clusterCreation == 'terraform' && inputs.cliVersion == ''
@@ -220,7 +227,7 @@ runs:
 
     - name: Login to AWS (IAM role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1
@@ -233,12 +240,30 @@ runs:
       with:
         azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
 
+    - name: Login to OpenStack
+      if: inputs.cloudProvider == 'stackit'
+      uses: ./.github/actions/login_openstack
+      with:
+        clouds_yaml: ${{inputs.openStackCloudsYaml }}
+
+    - name: Login to STACKIT
+      if: inputs.cloudProvider == 'stackit'
+      uses: ./.github/actions/login_stackit
+      with:
+        serviceAccountToken: ${{ inputs.stackitUat }}
+
     - name: Create prefix
       id: create-prefix
       shell: bash
       run: |
         uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
         uuid=${uuid%%-*}
+
+        # GCP has a 6 character limit the additional uuid prefix since the full prefix length has a maximum of 24
+        if [[ ${{ inputs.cloudProvider }} == 'gcp' ]]; then
+          uuid=${uuid:0:6}
+        fi
+
         echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
         echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT
 
@@ -248,7 +273,7 @@ runs:
       with:
         attestationVariant: ${{ inputs.attestationVariant }}
 
-    - name: Create IAM configuration
+    - name: Create Constellation config and IAM
       id: constellation-iam-create
       uses: ./.github/actions/constellation_iam_create
       with:
@@ -256,10 +281,14 @@ runs:
         attestationVariant: ${{ inputs.attestationVariant }}
         namePrefix: ${{ steps.create-prefix.outputs.prefix }}
         awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
+        azureSubscriptionID: ${{ inputs.azureSubscriptionID }}
         azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region  }}
         gcpProjectID: ${{ inputs.gcpProject }}
         gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
+        stackitZone: ${{ inputs.regionZone || 'eu01-2' }}
+        stackitProjectID: ${{ inputs.stackitProjectID }}
         kubernetesVersion: ${{ inputs.kubernetesVersion }}
+        additionalTags: "workflow=${{ github.run_id }}"
 
     - name: Login to GCP (Cluster service account)
       if: inputs.cloudProvider == 'gcp'
@@ -269,7 +298,7 @@ runs:
 
     - name: Login to AWS (Cluster role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1
@@ -331,7 +360,7 @@ runs:
       if: (inputs.test == 'nop') || (inputs.test == 'upgrade')
       shell: bash
       run: |
-        echo "::warning::This test has a nop payload. It doesn't run any tests."
+        echo "This test has a nop payload. It doesn't run any tests."
         echo "Sleeping for 30 seconds to allow logs to propagate to the log collection service."
         sleep 30
 
@@ -354,6 +383,15 @@ runs:
         artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
         encryptionSecret: ${{ inputs.encryptionSecret }}
 
+    - name: Run sonobuoy conformance
+      if: inputs.test == 'sonobuoy conformance'
+      uses: ./.github/actions/e2e_sonobuoy
+      with:
+        sonobuoyTestSuiteCmd: "--plugin e2e --mode certified-conformance"
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+
     - name: Run autoscaling test
       if: inputs.test == 'autoscaling'
       uses: ./.github/actions/e2e_autoscaling
@@ -365,6 +403,7 @@ runs:
       uses: ./.github/actions/e2e_lb
       with:
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        cloudProvider: ${{ inputs.cloudProvider }}
 
     - name: Run Performance Benchmark
       if: inputs.test == 'perf-bench'
@@ -412,5 +451,10 @@ runs:
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         s3AccessKey: ${{ inputs.s3AccessKey }}
         s3SecretKey: ${{ inputs.s3SecretKey }}
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
         githubToken: ${{ inputs.githubToken }}
+    
+    - name: Run emergency ssh test
+      if: inputs.test == 'emergency ssh'
+      uses: ./.github/actions/e2e_emergency_ssh
+      with:
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}

.github/actions/e2e_verify/action.yml

@@ -66,45 +66,46 @@ runs:
           forwarderPID=$!
           sleep 5
 
-          if [[ ${{ inputs.attestationVariant }} == "azure-sev-snp" ]] || [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]]; then
-            echo "Extracting TCB versions for API update"
-            constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
-          else
-            constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
-          fi
+          case "${{ inputs.attestationVariant }}"
+          in
+            "azure-sev-snp"|"azure-tdx"|"aws-sev-snp"|"gcp-sev-snp")
+              echo "Extracting TCB versions for API update"
+              constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "attestation-report-${node}.json"
+              ;;
+            *)
+              constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
+              ;;
+          esac
 
           kill $forwarderPID
         done
 
     - name: Login to AWS
       if: github.ref_name == 'main'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
         aws-region: eu-central-1
 
     - name: Upload extracted TCBs
-      if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp')
+      if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'azure-tdx' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
       shell: bash
       env:
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
       run: |
-        if [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && constellation version | grep -q "v2.13."; then
-          echo "Skipping TCB upload for AWS on CLI v2.13"
-          exit 0
-        fi
+        reports=attestation-report-*.json
 
-        reports=(snp-report-*.json)
-        if [ -z ${#reports[@]} ]; then
-            exit 1
-        fi
-
-        attestationVariant=${{ inputs.attestationVariant }}
-        cloudProvider=${attestationVariant%%-*}
-
-        for file in "${reports[@]}"; do
-          path=$(realpath "${file}")
-          cat "${path}"
-          bazel run //internal/api/attestationconfigapi/cli -- upload "${cloudProvider}" snp-report "${path}"
+        # bazel run changes the working directory
+        # convert the relative paths to absolute paths to avoid issues
+        absolute_reports=""
+        for report in ${reports}; do
+          absolute_reports="${absolute_reports} $(realpath "${report}")"
         done
+
+        report=$(bazel run //internal/api/attestationconfigapi/cli -- compare ${{ inputs.attestationVariant }} ${absolute_reports})
+
+        path=$(realpath "${report}")
+        cat "${path}"
+
+        bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.attestationVariant }} attestation-report "${path}"

.github/actions/find_latest_image/action.yml

@@ -26,23 +26,25 @@ runs:
   steps:
     - name: Checkout head
       if: inputs.imageVersion == '' && inputs.git-ref == 'head'
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
     - name: Checkout ref
       if: inputs.imageVersion == '' && inputs.git-ref != 'head'
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ inputs.git-ref }}
 
     - name: Login to AWS
       if: inputs.imageVersion == ''
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
         aws-region: eu-central-1
 
+    - uses: ./.github/actions/setup_bazel_nix
+
     - name: Find latest image
       id: find-latest-image
       if: inputs.imageVersion == ''

.github/actions/gcpccm_vers_to_build/findvers.sh

@@ -82,4 +82,4 @@ for major in "${allMajorVersions[@]}"; do
 done
 
 # Print one elem per line | quote elems | create array | remove empty elems and print compact.
-printf '%s' "${versionsToBuild[@]}" | jq -R | jq -s | jq -c 'map(select(length > 0))'
+printf '%s\n' "${versionsToBuild[@]}" | jq -R | jq -s | jq -c 'map(select(length > 0))'

.github/actions/login_azure/action.yml

@@ -10,6 +10,6 @@ runs:
     # As described at:
     # https://github.com/Azure/login#configure-deployment-credentials
     - name: Login to Azure
-      uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
       with:
         creds: ${{ inputs.azure_credentials }}

.github/actions/login_gcp/action.yml

@@ -20,11 +20,11 @@ runs:
         echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
 
     - name: Authorize GCP access
-      uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
+      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
       with:
-        workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
+        workload_identity_provider: projects/1052692473304/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
         service_account: ${{ inputs.service_account }}
 
     # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
     - name: Set up Cloud SDK
-      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4

.github/actions/login_stackit/action.yml

@@ -0,0 +1,16 @@
+name: STACKIT login
+description: "Login to STACKIT"
+inputs:
+  serviceAccountToken:
+    description: "Credentials authorized to create Constellation on STACKIT."
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Login to STACKIT
+      env:
+        UAT: ${{ inputs.serviceAccountToken }}
+      shell: bash
+      run: |
+          mkdir -p ~/.stackit
+          echo "${UAT}" > ~/.stackit/credentials.json

.github/actions/notify_e2e_failure/action.yml

@@ -36,12 +36,6 @@ runs:
       shell: bash
       run: echo "CURRENT_DATE=$(date +'%Y-%m-%d %H:%M:%S')" >> $GITHUB_ENV
 
-    - name: Encode URI component
-      uses: Ablestor/encode-uri-component-action@790ea01bcf2d5ca4d0dbe8c15351a87b47f22f61 # v1.3
-      id: encode-uri-component
-      with:
-        string: ${{ inputs.test }}
-
     - name: Create body template
       id: body-template
       shell: bash
@@ -69,13 +63,15 @@ runs:
           fi
         }
 
+        e2eTestPayload=$(echo "${{ inputs.test }}" | jq -R -r @uri)
+
         q=$(echo "(filters:!(
           $(queryGen cloud.provider "${{ inputs.provider }}")
           $(queryGen metadata.github.ref-stream "${{ inputs.refStream }}")
           $(queryGen metadata.github.kubernetes-version "${{ inputs.kubernetesVersion }}")
           $(queryGen metadata.github.attestation-variant "${{ inputs.attestationVariant }}")
           $(queryGen metadata.github.cluster-creation "${{ inputs.clusterCreation }}")
-          $(queryGen metadata.github.e2e-test-payload "${{ steps.encode-uri-component.outputs.string }}")
+          $(queryGen metadata.github.e2e-test-payload "${e2eTestPayload}")
           (query:(match_phrase:(metadata.github.run-id:${{ github.run_id }})))
           ))" | tr -d "\t\n ")
 

.github/actions/notify_stackit/action.yml

@@ -0,0 +1,19 @@
+name: Notify STACKIT
+description: "Notify STACKIT about test failure"
+inputs:
+  slackToken:
+    description: "Slack access token."
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Notify STACKIT
+      env:
+        SLACK_TOKEN: ${{ inputs.slackToken }}
+      shell: bash
+      run: |
+          curl -X POST \
+            -H "Authorization: Bearer $SLACK_TOKEN" \
+            -H "Content-type: application/json; charset=utf-8" \
+            -d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \
+            https://slack.com/api/chat.postMessage

.github/actions/notify_teams/README.md

@@ -0,0 +1,27 @@
+# notify Teams action
+
+This action is used to send a message to our Teams channel in case of a failure in the CI/CD pipeline.
+The action will automatically choose an engineer to assign to the issue and tag them in the message.
+
+Engineers are identified by their GitHub username and bound to a Microsoft Teams ID in `.attachments[0].content.msteams.entities`.
+To add a new engineer, add a new entry to the entity list in the format:
+
+```json
+{
+  "type": "mention",
+  "text": "${github_username}",
+  "mentioned": {
+    "id": "${msteams_id}",
+    "name": "${name}"
+  }
+}
+```
+
+Where `${github_username}` is the GitHub username of the engineer, `${msteams_id}` is the Microsoft Teams ID of the engineer, and `${name}` is the name of the engineer.
+To find the Microsoft Teams ID use the following command:
+
+```bash
+az ad user show --id ${email} --query id
+```
+
+Where `${email}` is the email address of the engineer.

.github/actions/notify_teams/action.yml

@@ -25,7 +25,7 @@ runs:
       continue-on-error: true
       shell: bash
       run: |
-        cp .github/teams_payload_template.json teams_payload.json
+        cp .github/actions/notify_teams/teams_payload_template.json teams_payload.json
 
         # Add workflow name to the notification
         yq -oj -iP '.attachments[0].content.body[0].columns[1].items[0].text = "${{ inputs.title }}"' teams_payload.json

.github/actions/notify_teams/teams_payload_template.json

@@ -1,5 +1,5 @@
 {
-    "type": "message",
+    "type": "AdaptiveCard",
     "attachments": [
         {
             "contentType": "application/vnd.microsoft.card.adaptive",
@@ -61,10 +61,10 @@
                         },
                         {
                             "type": "mention",
-                            "text": "<at>malt3</at>",
+                            "text": "<at>burgerdev</at>",
                             "mentioned": {
-                                "id": "3012fe21-cff7-499d-88cf-48cf12f2e90c",
-                                "name": "Malte Poll"
+                                "id": "c9efc581-58ca-4da6-93ce-79f69f89deeb",
+                                "name": "Markus Rudy"
                             }
                         }
                     ]

.github/actions/pick_assignee/action.yml

@@ -15,8 +15,6 @@ runs:
       run: |
         possibleAssignees=(
           "elchead"
-          "malt3"
-          "3u13r"
           "daniel-weisse"
           "msanft"
           "burgerdev"

.github/actions/publish_helmchart/action.yml

@@ -13,7 +13,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: edgelesssys/helm
         ref: main
@@ -29,7 +29,7 @@ runs:
         echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
 
     - name: Create pull request
-      uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
       with:
         path: helm
         branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"

.github/actions/select_image/action.yml

@@ -3,22 +3,22 @@ description: Resolve string presets and shortpaths to shortpaths only
 
 inputs:
   osImage:
-    description: "Shortpath or main-debug or release-stable"
+    description: "Shortpath, main-debug, main-nightly, or release-stable"
     required: true
 
 outputs:
   osImage:
-    description: "Shortpath of for input string, original input if that was already a shortpath"
+    description: "Shortpath of input string, original input if that was already a shortpath"
     value: ${{ steps.set-output.outputs.osImage }}
   isDebugImage:
-    description: "Input represents a debug image or not"
+    description: "Input is a debug image or not"
     value: ${{ steps.set-output.outputs.isDebugImage }}
 
 runs:
   using: "composite"
   steps:
     - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
         aws-region: eu-central-1
@@ -27,7 +27,7 @@ runs:
       id: input-is-preset
       shell: bash
       run: |
-        if [[ "${{ inputs.osImage }}" == "ref/main/stream/debug/?" || "${{ inputs.osImage }}" == "ref/release/stream/stable/?" ]]; then
+        if [[ "${{ inputs.osImage }}" == "ref/main/stream/debug/?" || "${{ inputs.osImage }}" == "ref/main/stream/nightly/?" || "${{ inputs.osImage }}" == "ref/release/stream/stable/?" ]]; then
           echo "result=true" | tee -a "$GITHUB_OUTPUT"
         else
           echo "result=false" | tee -a "$GITHUB_OUTPUT"
@@ -43,6 +43,10 @@ runs:
         echo "ref=$(echo $REFSTREAM | cut -d/ -f2)" | tee -a "$GITHUB_OUTPUT"
         echo "stream=$(echo $REFSTREAM | cut -d/ -f4)" | tee -a "$GITHUB_OUTPUT"
 
+    - name: Setup Bazel & Nix
+      if: steps.input-is-preset.outputs.result == 'true'
+      uses: ./.github/actions/setup_bazel_nix
+
     - name: Find latest image
       if: steps.input-is-preset.outputs.result == 'true'
       id: find-latest-image

.github/actions/setup_bazel_nix/action.yml

@@ -3,12 +3,9 @@ description: Setup Bazel and Nix for CI builds and tests
 
 inputs:
   useCache:
-    description: "Cache Bazel artifacts. Use 'true' to enable with rw, 'readonly' to download, 'rbe' to enable with remote execution, 'log' to disable cache but upload logs, and 'false' to disable."
+    description: "Cache Bazel artifacts. Use 'rbe' to enable with remote execution, and 'false' to disable."
     default: "false"
     required: true
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
-    required: false
   rbePlatform:
     description: "RBE platform to use. If empty, RBE will not be used."
     required: false
@@ -25,12 +22,8 @@ runs:
       shell: bash
       run: |
         echo "::group::Check inputs"
-        if [[ "${{ inputs.useCache }}" != "true" && "${{ inputs.useCache }}" != "readonly" && "${{ inputs.useCache }}" != "rbe" && "${{ inputs.useCache }}" != "logs" && "${{ inputs.useCache }}" != "false" ]]; then
-          echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'true', 'readonly', or 'false'."
-          exit 1
-        fi
-        if [[ "${{ inputs.useCache }}" == "true" || "${{ inputs.useCache }}" == "readonly" || "${{ inputs.useCache }}" == "logs" ]] && [[ -z "${{ inputs.buildBuddyApiKey }}" ]]; then
-          echo "BuildBuddy API key is required when cache is enabled."
+        if [[ "${{ inputs.useCache }}" != "rbe" && "${{ inputs.useCache }}" != "false" ]]; then
+          echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'rbe', or 'false'."
           exit 1
         fi
         if [[ "${{ inputs.useCache }}" == "rbe" && -z "${{ inputs.rbePlatform }}" ]]; then
@@ -82,6 +75,7 @@ runs:
             echo "$RUNNER_ARCH not supported"
             exit 1
         fi
+        echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT"
         echo "::endgroup::"
 
     - name: Install current Bash on macOS
@@ -120,7 +114,9 @@ runs:
 
     - name: Install nix
       if: steps.check_inputs.outputs.nixPreinstalled == 'false'
-      uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+      uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31
+      with:
+        install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"
 
     - name: Set $USER if not set
       shell: bash
@@ -182,57 +178,6 @@ runs:
         EOF
         echo "::endgroup::"
 
-    - name: Configure Bazel (rw)
-      if: inputs.useCache == 'true' || inputs.useCache == 'readonly'
-      shell: bash
-      env:
-        BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
-        WORKSPACE: ${{ github.workspace }}
-      run: |
-        echo "::group::Configure Bazel"
-        cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
-        common --bes_results_url=https://app.buildbuddy.io/invocation/
-        common --bes_backend=grpcs://remote.buildbuddy.io
-        common --remote_cache=grpcs://remote.buildbuddy.io
-        common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
-        cquery --bes_results_url=
-        cquery --bes_backend=
-        cquery --remote_cache=
-        query --bes_results_url=
-        query --bes_backend=
-        query --remote_cache=
-        EOF
-        echo "::endgroup::"
-
-    - name: Configure Bazel (readonly)
-      if: inputs.useCache == 'readonly'
-      shell: bash
-      env:
-        WORKSPACE: ${{ github.workspace }}
-      run: |
-        echo "::group::Configure Bazel (readonly)"
-        echo "common --remote_upload_local_results=false" >> "${WORKSPACE}/.bazeloverwriterc"
-        echo "::endgroup::"
-
-    - name: Configure Bazel (logs)
-      if: inputs.useCache == 'logs'
-      shell: bash
-      env:
-        BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
-        WORKSPACE: ${{ github.workspace }}
-      run: |
-        echo "::group::Configure Bazel"
-        cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
-        common --bes_results_url=https://app.buildbuddy.io/invocation/
-        common --bes_backend=grpcs://remote.buildbuddy.io
-        common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
-        cquery --bes_results_url=
-        cquery --bes_backend=
-        query --bes_results_url=
-        query --bes_backend=
-        EOF
-        echo "::endgroup::"
-
     - name: Configure Bazel (rbe)
       if: inputs.useCache == 'rbe'
       shell: bash
@@ -247,24 +192,6 @@ runs:
         common --repo_env=GOPROXY=http://goproxy:3000
         EOF
         echo "::endgroup::"
-    - name: Configure Bazel (rbe logs)
-      if: inputs.useCache == 'rbe' && inputs.buildBuddyApiKey != ''
-      shell: bash
-      env:
-        BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
-        WORKSPACE: ${{ github.workspace }}
-      run: |
-        echo "::group::Configure Bazel"
-        cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
-        common --bes_results_url=https://app.buildbuddy.io/invocation/
-        common --bes_backend=grpcs://remote.buildbuddy.io
-        common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
-        cquery --bes_results_url=
-        cquery --bes_backend=
-        query --bes_results_url=
-        query --bes_backend=
-        EOF
-        echo "::endgroup::"
 
     - name: Disable disk cache on GitHub Actions runners
       if: startsWith(runner.name , 'GitHub Actions')
@@ -294,7 +221,7 @@ runs:
         { tools, repository, rev }:
         let
           repoFlake = builtins.getFlake ("github:" + repository + "/" + rev);
-          nixpkgs = repoFlake.inputs.nixpkgsUnstable;
+          nixpkgs = repoFlake.inputs.nixpkgs;
           pkgs = import nixpkgs { system = builtins.currentSystem; };
           toolPkgs = map (p: pkgs.${p}) tools;
         in

.github/actions/terraform_apply/action.yml

@@ -26,6 +26,12 @@ runs:
           "gcpSEVES")
             attestationVariant="gcp-sev-es"
             ;;
+          "gcpSEVSNP")
+            attestationVariant="gcp-sev-snp"
+            ;;
+          "qemuVTPM")
+            attestationVariant="qemu-vtpm"
+            ;;
           *)
             echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
             exit 1
@@ -41,7 +47,7 @@ runs:
             }
             random = {
               source  = "hashicorp/random"
-              version = "3.6.0"
+              version = "3.7.1"
             }
           }
         }
@@ -103,6 +109,16 @@ runs:
             project_id          = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
             service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
           }
+          openstack = {
+            cloud                      = "stackit"
+            clouds_yaml_path           = "~/.config/openstack/clouds.yaml"
+            floating_ip_pool_id        = "970ace5c-458f-484a-a660-0903bcfd91ad"
+            deploy_yawol_load_balancer = true
+            yawol_image_id             = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be"
+            yawol_flavor_id            = "3b11b27e-6c73-470d-b595-1d85b95a8cdf"
+            network_id                 = "$(yq '.infrastructure.networkID' constellation-state.yaml)"
+            subnet_id                  = "$(yq '.infrastructure.subnetID' constellation-state.yaml)"
+          }
           network_config = {
             ip_cidr_node    = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
             ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"

.github/actions/update_tfstate/action.yml

@@ -0,0 +1,64 @@
+name: Update TFState
+description: "Update the terraform state artifact. We use this to either delete an artifact if the e2e test was cleaned up successfully or to update the artifact with the latest terraform state."
+
+inputs:
+  name:
+    description: "The name of the artifact that contains the tfstate."
+    required: true
+  runID:
+    description: "The ID of your current run (github.run_id)."
+    required: true
+  encryptionSecret:
+    description: "The encryption secret for the artifacts."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Check if uploaded tfstate can be deleted
+      if: always()
+      shell: bash
+      run: |
+        if [[ ! -d constellation-terraform ]] && [[ ! -d constellation-iam-terraform ]]; then
+          echo "DELETE_TF_STATE=true" >> "$GITHUB_ENV"
+        else
+          echo "DELETE_TF_STATE=false" >> "$GITHUB_ENV"
+        fi
+
+    - name: Delete tfstate artifact if necessary
+      if: always() && env.DELETE_TF_STATE == 'true'
+      uses: ./.github/actions/artifact_delete
+      with:
+        name: ${{ inputs.name }}
+        workflowID: ${{ inputs.runID }}
+
+    - name: Prepare left over terraform state folders
+      if: always() && env.DELETE_TF_STATE == 'false'
+      shell: bash
+      run: |
+        rm -rf to-zip/*
+        mkdir -p to-zip
+
+        to_upload=""
+        if [[ -d constellation-terraform ]]; then
+          cp -r constellation-terraform to-zip
+          rm -f to-zip/constellation-terraform/plan.zip
+          rm -rf to-zip/constellation-terraform/.terraform
+          to_upload+="to-zip/constellation-terraform"
+        fi
+        if [[ -d constellation-iam-terraform ]]; then
+          cp -r constellation-iam-terraform to-zip
+          rm -rf to-zip/constellation-iam-terraform/.terraform
+          to_upload+=" to-zip/constellation-iam-terraform"
+        fi
+        echo "TO_UPLOAD=$to_upload" >> "$GITHUB_ENV"
+
+    - name: Update tfstate
+      if: always() && env.TO_UPLOAD != ''
+      uses: ./.github/actions/artifact_upload
+      with:
+        name: ${{ inputs.name }}
+        path: >
+          ${{ env.TO_UPLOAD }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+        overwrite: true

.github/actions/upload_terraform_module/action.yml

@@ -15,7 +15,7 @@ runs:
         zip -r terraform-module.zip terraform-module
 
     - name: Upload artifact
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: terraform-module
         path: terraform-module.zip
@@ -23,4 +23,4 @@ runs:
     - name: Cleanup Terraform module dir
       shell: bash
       run: |
-        rm -r terraform-module terraform-module.zip
+        rm -rf terraform-module terraform-module.zip

.github/actions/versionsapi/Dockerfile

@@ -1,21 +0,0 @@
-FROM golang:1.22.0@sha256:7b297d9abee021bab9046e492506b3c2da8a3722cbf301653186545ecc1e00bb as builder
-
-# Download project root dependencies
-WORKDIR /workspace
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-COPY . .
-
-# Build
-WORKDIR /workspace/internal/api/versionsapi/cli
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o versionsapi .
-
-FROM scratch as release
-
-COPY --from=builder /workspace/internal/api/versionsapi/cli/versionsapi .
-
-CMD ["/notIntendedToBeExecuted"]

.github/actions/versionsapi/action.yml

@@ -52,19 +52,12 @@ outputs:
 runs:
   using: composite
   steps:
-    - name: Get versionsapi binary
-      shell: bash
-      # TODO: This should probably be `bazel run`.
-      run: |
-        containerID=$(docker create "ghcr.io/edgelesssys/constellation/versionsapi-ci-cli:latest")
-        docker cp ${containerID}:/versionsapi .
-
     - name: Run versionsapi
       id: run
       shell: bash
       run: |
         out=$(
-          ./versionsapi \
+          bazel run //internal/api/versionsapi/cli:cli -- \
             ${{ inputs.command }} \
             ${{ inputs.ref != '' && format('--ref="{0}"', inputs.ref) || '' }} \
             ${{ inputs.stream != '' && format('--stream="{0}"', inputs.stream) || '' }} \

.github/workflows/assign_reviewer.yml

@@ -0,0 +1,36 @@
+name: Assign Reviewer
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+      - review_request_removed
+      - labeled
+
+permissions:
+  pull-requests: write
+
+jobs:
+  assign_reviewer:
+    runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'dependencies') && toJson(github.event.pull_request.requested_reviewers) == '[]' &&  github.event.pull_request.user.login == 'renovate[bot]'
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Pick assignee
+      id: pick-assignee
+      uses: ./.github/actions/pick_assignee
+    - name: Assign reviewer
+      env:
+        GH_TOKEN: ${{ github.token }}
+        PR: ${{ github.event.pull_request.number }}
+        ASSIGNEE: ${{ steps.pick-assignee.outputs.assignee }}
+      run: |
+        gh api \
+          --method POST \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          "/repos/edgelesssys/constellation/pulls/${PR}/requested_reviewers" \
+          -f "reviewers[]=${ASSIGNEE}"

.github/workflows/aws-snp-launchmeasurement.yml

@@ -8,26 +8,20 @@ on:
 
 jobs:
   run:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
         path: constellation
 
-    - name: Install necessary tools
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y python3 python3-pip
-        sudo python3 -m pip install --user --require-hashes -r constellation/.github/workflows/aws-snp-launchmeasurements-requirements.txt
-
     - name: Install Nix
-      uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+      uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31
 
     - name: Download Firmware release
       id: download-firmware
-      uses: robinraju/release-downloader@368754b9c6f47c345fcfbf42bcb577c2f0f5f395 # v1.9
+      uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
       with:
         repository: aws/uefi
         latest: true
@@ -50,7 +44,7 @@ jobs:
         echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
         popd || exit 1
 
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: virtee/sev-snp-measure-go.git
         ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8

.github/workflows/aws-snp-launchmeasurements-requirements.txt

@@ -1,106 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile --generate-hashes --output-file=aws-snp-launchmeasurements-requirements.txt input.txt
-#
-cffi==1.16.0 \
-    --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \
-    --hash=sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a \
-    --hash=sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417 \
-    --hash=sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab \
-    --hash=sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520 \
-    --hash=sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36 \
-    --hash=sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743 \
-    --hash=sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8 \
-    --hash=sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed \
-    --hash=sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684 \
-    --hash=sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56 \
-    --hash=sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324 \
-    --hash=sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d \
-    --hash=sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235 \
-    --hash=sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e \
-    --hash=sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088 \
-    --hash=sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000 \
-    --hash=sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7 \
-    --hash=sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e \
-    --hash=sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673 \
-    --hash=sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c \
-    --hash=sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe \
-    --hash=sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2 \
-    --hash=sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098 \
-    --hash=sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8 \
-    --hash=sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a \
-    --hash=sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0 \
-    --hash=sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b \
-    --hash=sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896 \
-    --hash=sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e \
-    --hash=sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9 \
-    --hash=sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2 \
-    --hash=sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b \
-    --hash=sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6 \
-    --hash=sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404 \
-    --hash=sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f \
-    --hash=sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0 \
-    --hash=sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4 \
-    --hash=sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc \
-    --hash=sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936 \
-    --hash=sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba \
-    --hash=sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872 \
-    --hash=sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb \
-    --hash=sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614 \
-    --hash=sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1 \
-    --hash=sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d \
-    --hash=sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969 \
-    --hash=sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b \
-    --hash=sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4 \
-    --hash=sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627 \
-    --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \
-    --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357
-    # via cryptography
-cryptography==42.0.4 \
-    --hash=sha256:01911714117642a3f1792c7f376db572aadadbafcd8d75bb527166009c9f1d1b \
-    --hash=sha256:0e89f7b84f421c56e7ff69f11c441ebda73b8a8e6488d322ef71746224c20fce \
-    --hash=sha256:12d341bd42cdb7d4937b0cabbdf2a94f949413ac4504904d0cdbdce4a22cbf88 \
-    --hash=sha256:15a1fb843c48b4a604663fa30af60818cd28f895572386e5f9b8a665874c26e7 \
-    --hash=sha256:1cdcdbd117681c88d717437ada72bdd5be9de117f96e3f4d50dab3f59fd9ab20 \
-    --hash=sha256:1df6fcbf60560d2113b5ed90f072dc0b108d64750d4cbd46a21ec882c7aefce9 \
-    --hash=sha256:3c6048f217533d89f2f8f4f0fe3044bf0b2090453b7b73d0b77db47b80af8dff \
-    --hash=sha256:3e970a2119507d0b104f0a8e281521ad28fc26f2820687b3436b8c9a5fcf20d1 \
-    --hash=sha256:44a64043f743485925d3bcac548d05df0f9bb445c5fcca6681889c7c3ab12764 \
-    --hash=sha256:4e36685cb634af55e0677d435d425043967ac2f3790ec652b2b88ad03b85c27b \
-    --hash=sha256:5f8907fcf57392cd917892ae83708761c6ff3c37a8e835d7246ff0ad251d9298 \
-    --hash=sha256:69b22ab6506a3fe483d67d1ed878e1602bdd5912a134e6202c1ec672233241c1 \
-    --hash=sha256:6bfadd884e7280df24d26f2186e4e07556a05d37393b0f220a840b083dc6a824 \
-    --hash=sha256:6d0fbe73728c44ca3a241eff9aefe6496ab2656d6e7a4ea2459865f2e8613257 \
-    --hash=sha256:6ffb03d419edcab93b4b19c22ee80c007fb2d708429cecebf1dd3258956a563a \
-    --hash=sha256:810bcf151caefc03e51a3d61e53335cd5c7316c0a105cc695f0959f2c638b129 \
-    --hash=sha256:831a4b37accef30cccd34fcb916a5d7b5be3cbbe27268a02832c3e450aea39cb \
-    --hash=sha256:887623fe0d70f48ab3f5e4dbf234986b1329a64c066d719432d0698522749929 \
-    --hash=sha256:a0298bdc6e98ca21382afe914c642620370ce0470a01e1bef6dd9b5354c36854 \
-    --hash=sha256:a1327f280c824ff7885bdeef8578f74690e9079267c1c8bd7dc5cc5aa065ae52 \
-    --hash=sha256:c1f25b252d2c87088abc8bbc4f1ecbf7c919e05508a7e8628e6875c40bc70923 \
-    --hash=sha256:c3a5cbc620e1e17009f30dd34cb0d85c987afd21c41a74352d1719be33380885 \
-    --hash=sha256:ce8613beaffc7c14f091497346ef117c1798c202b01153a8cc7b8e2ebaaf41c0 \
-    --hash=sha256:d2a27aca5597c8a71abbe10209184e1a8e91c1fd470b5070a2ea60cafec35bcd \
-    --hash=sha256:dad9c385ba8ee025bb0d856714f71d7840020fe176ae0229de618f14dae7a6e2 \
-    --hash=sha256:db4b65b02f59035037fde0998974d84244a64c3265bdef32a827ab9b63d61b18 \
-    --hash=sha256:e09469a2cec88fb7b078e16d4adec594414397e8879a4341c6ace96013463d5b \
-    --hash=sha256:e53dc41cda40b248ebc40b83b31516487f7db95ab8ceac1f042626bc43a2f992 \
-    --hash=sha256:f1e85a178384bf19e36779d91ff35c7617c885da487d689b05c1366f9933ad74 \
-    --hash=sha256:f47be41843200f7faec0683ad751e5ef11b9a56a220d57f300376cd8aba81660 \
-    --hash=sha256:fb0cef872d8193e487fc6bdb08559c3aa41b659a7d9be48b2e10747f47863925 \
-    --hash=sha256:ffc73996c4fca3d2b6c1c8c12bfd3ad00def8621da24f547626bf06441400449
-    # via sev-snp-measure
-pycparser==2.21 \
-    --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \
-    --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206
-    # via cffi
-sev-snp-measure==0.0.9 \
-    --hash=sha256:32ac67a0db6b639186116d8806a730aac4743584e6ca810c65e8fc57b875f87d \
-    --hash=sha256:a1796822e15430c2db7749d1da269819b8cec1330600bb5589ed0ed61400dc41
-    # via -r input.txt
-types-cryptography==3.3.23.2 \
-    --hash=sha256:09cc53f273dd4d8c29fa7ad11fefd9b734126d467960162397bc5e3e604dea75 \
-    --hash=sha256:b965d548f148f8e87f353ccf2b7bd92719fdf6c845ff7cedf2abb393a0643e4f
-    # via sev-snp-measure

.github/workflows/build-binaries.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: [arc-runner-set]
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
@@ -31,7 +31,6 @@ jobs:
         with:
           useCache: "rbe"
           rbePlatform: "ubuntu-22.04"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Build all
         shell: bash

.github/workflows/build-ccm-gcp.yml

@@ -13,30 +13,30 @@ on:
 
 jobs:
   find-ccm-versions:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       versions: ${{ steps.find-versions.outputs.versions }}
       latest: ${{ steps.find-latest.outputs.latest }}
     steps:
       - name: Checkout Constellation
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: "kubernetes/cloud-provider-gcp"
           path: "cloud-provider-gcp"
           fetch-depth: 0
 
       - name: Setup Go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22.0"
+          go-version: "1.24.2"
           cache: false
 
       - name: Install Crane
         run: |
-          go install github.com/google/go-containerregistry/cmd/crane@latest
+          go install github.com/google/go-containerregistry/cmd/crane@c195f151efe3369874c72662cd69ad43ee485128 # v0.20.2
 
       - name: Find versions
         id: find-versions
@@ -54,7 +54,7 @@ jobs:
   build-ccm-gcp:
     # matrix cannot handle empty lists
     if: needs.find-ccm-versions.outputs.versions != '[]'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
@@ -65,10 +65,10 @@ jobs:
         version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
     steps:
       - name: Checkout Constellation
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: "kubernetes/cloud-provider-gcp"
           path: "cloud-provider-gcp"
@@ -76,7 +76,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             ghcr.io/edgelesssys/cloud-provider-gcp
@@ -113,7 +113,7 @@ jobs:
 
       - name: Build and push container image
         id: build
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: ./cloud-provider-gcp
           push: ${{ github.ref_name == 'main' }}

.github/workflows/build-gcp-guest-agent.yml

@@ -10,7 +10,7 @@ env:
 
 jobs:
   build-gcp-guest-agent:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
@@ -69,7 +69,7 @@ jobs:
 
       - name: Checkout GoogleCloudPlatform/guest-agent
         if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: "GoogleCloudPlatform/guest-agent"
           ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@@ -77,7 +77,7 @@ jobs:
 
       - name: Checkout Constellation
         if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: "constellation"
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@@ -85,7 +85,7 @@ jobs:
       - name: Docker meta
         id: meta
         if: steps.needs-build.outputs.out == 'true'
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@@ -114,7 +114,7 @@ jobs:
       - name: Build and push container image
         if: steps.needs-build.outputs.out == 'true'
         id: build
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: ./guest-agent
           file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile

.github/workflows/build-libvirt-container.yml

@@ -13,18 +13,17 @@ on:
 
 jobs:
   build-container:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
         with:
-          useCache: "false"
           nixTools: |
             crane
             gzip

.github/workflows/build-logcollector-images.yml

@@ -13,14 +13,14 @@ on:
 
 jobs:
   build-logcollector-debugd-images:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
     steps:
       - name: Check out repository
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 

.github/workflows/build-os-image-scheduled.yml

@@ -4,15 +4,15 @@ on:
   workflow_dispatch:
   schedule:
     - cron: "0 21 * * 2" # At 21:00 on Tuesday.
-    - cron: "10 21 * * 2" # At 21:10 on Tuesday.
     - cron: "20 21 * * 2" # At 21:20 on Tuesday.
+    - cron: "40 21 * * 2" # At 21:40 on Tuesday.
     - cron: "0 21 * * 4" # At 21:00 on Thursday.
-    - cron: "10 21 * * 4" # At 21:10 on Thursday.
     - cron: "20 21 * * 4" # At 21:20 on Thursday.
+    - cron: "40 21 * * 4" # At 21:40 on Thursday.
 
 jobs:
   stream:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       stream: ${{ steps.stream.outputs.stream }}
     steps:
@@ -28,10 +28,10 @@ jobs:
             "0 21 * * 4" | "0 21 * * 2")
               echo "stream=debug" | tee -a "$GITHUB_OUTPUT"
               ;;
-            "10 21 * * 4" | "10 21 * * 2")
+            "20 21 * * 4" | "20 21 * * 2")
               echo "stream=console" | tee -a "$GITHUB_OUTPUT"
               ;;
-            "20 21 * * 4" | "20 21 * * 2")
+            "40 21 * * 4" | "40 21 * * 2")
               echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
               ;;
             *)
@@ -54,22 +54,20 @@ jobs:
 
   update-code:
     # On nightly stream only.
-    if: |
-      github.event_name == 'workflow_dispatch' ||
-      github.event.schedule == '20 21 * * 4' ||
-      github.event.schedule == '20 21 * * 2'
-    needs: build-image
-    runs-on: ubuntu-22.04
+    if: needs.stream.outputs.stream == 'nightly'
+    needs: ["build-image", "stream"]
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.head_ref }}
+          token: ${{ secrets.CI_COMMIT_PUSH_PR }}
 
       - name: Setup Go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22.0"
+          go-version: "1.24.2"
           cache: false
 
       - name: Determine version
@@ -99,7 +97,7 @@ jobs:
         run: rm -f internal/attestation/measurements/measurement-generator/generate
 
       - name: Create pull request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           branch: "image/automated/update-measurements-${{ github.run_number }}"
           base: main
@@ -111,6 +109,7 @@ jobs:
             It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation).
           commit-message: "image: update measurements and image version"
           committer: edgelessci <edgelessci@users.noreply.github.com>
+          author: edgelessci <edgelessci@users.noreply.github.com>
           labels: no changelog
           # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
           token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
@@ -118,10 +117,10 @@ jobs:
   notify-failure:
     if: failure()
     needs: [ "stream", "build-image", "update-code" ]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.head_ref }}
 

.github/workflows/build-os-image.yml

@@ -47,7 +47,7 @@ on:
 jobs:
   build-settings:
     name: "Determine build settings"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       ref: ${{ steps.ref.outputs.ref }}
       stream: ${{ steps.stream.outputs.stream }}
@@ -59,7 +59,7 @@ jobs:
       cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -138,7 +138,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -147,7 +147,7 @@ jobs:
           useCache: "false"
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
           aws-region: eu-central-1
@@ -167,6 +167,12 @@ jobs:
         with:
           clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}
 
+      - name: Allow unrestricted user namespaces
+        shell: bash
+        run: |
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+          
       - name: Build and upload
         id: build
         shell: bash

.github/workflows/build-versionsapi-ci-image.yml

@@ -1,32 +0,0 @@
-name: Build and upload versionsapi CI image
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths:
-      - "internal/api/versionsapi/**"
-      - ".github/workflows/build-versionsapi-ci-image.yml"
-      - ".github/actions/versionsapi/**"
-      - "go.mod"
-
-jobs:
-  build-versionsapi-ci-cli:
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Check out repository
-        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
-      - name: Build and upload container image
-        uses: ./.github/actions/build_micro_service
-        with:
-          name: versionsapi-ci-cli
-          dockerfile: .github/actions/versionsapi/Dockerfile
-          githubToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/check-links.yml

@@ -17,15 +17,15 @@ on:
 
 jobs:
   linkChecker:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@c053181aa0c3d17606addfe97a9075a32723548a # v1.9.3
+        uses: lycheeverse/lychee-action@1d97d84f0bc547f7b25f4c2170d87d810dc2fb2c # v2.4.0
         with:
           args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
           fail: true

.github/workflows/check-measurements-reproducibility.yml

@@ -0,0 +1,25 @@
+name: Check measurements reproducibility
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        type: string
+        description: The version of the measurements that are downloaded from the CDN.
+        required: true
+      ref:
+        type: string
+        description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+        required: true
+
+jobs:
+  check-reproducibility:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        
+      - name: Check reproducibility
+        uses: ./.github/actions/check_measurements_reproducibility
+        with:
+          version: ${{ github.event.inputs.version }}
+          ref: ${{ github.event.inputs.ref }}

.github/workflows/codeql.yml

@@ -17,7 +17,7 @@ on:
 jobs:
   codeql:
     name: CodeQL
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       # Force CodeQL to run the extraction on the files compiled by our custom
       # build command, as opposed to letting the autobuilder figure it out.
@@ -34,17 +34,17 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Go environment
         if: matrix.language == 'go'
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22.0"
+          go-version: "1.24.2"
           cache: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
+        uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           languages: ${{ matrix.language }}
 
@@ -63,6 +63,6 @@ jobs:
           echo "::endgroup::"
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
+        uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/docs-vale.yml

@@ -13,15 +13,20 @@ on:
 
 jobs:
   vale:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
+      # Work around https://github.com/errata-ai/vale-action/issues/128.
+      - run: |
+          venv="$HOME/.local/share/venv"
+          python3 -m venv "$venv"
+          echo "$venv/bin" >> "$GITHUB_PATH"
       - name: Vale
-        uses: errata-ai/vale-action@3f7188c866bcb3259339a09f517d7c4a8838303c # tag=reviewdog
+        uses: errata-ai/vale-action@2690bc95f0ed3cb5220492575af09c51b04fbea9 # tag=reviewdog
         with:
           files: docs/docs
           fail_on_error: true
+          version: 3.9.3

.github/workflows/draft-release.yml

@@ -50,7 +50,7 @@ on:
 
 jobs:
   build-cli:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -72,7 +72,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -92,8 +92,8 @@ jobs:
           cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 
       - name: Upload CLI as artifact (unix)
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        if : ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os != 'windows' }}
         with:
           name: constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
@@ -101,8 +101,8 @@ jobs:
             build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
 
       - name: Upload CLI as artifact (windows)
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        if : ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os == 'windows' }}
         with:
           name: constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
@@ -110,7 +110,7 @@ jobs:
             build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig
 
   build-terraform-provider:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -133,7 +133,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -149,27 +149,27 @@ jobs:
           targetArch: ${{ matrix.arch }}
 
       - name: Upload Terraform Provider Binary as artifact (unix)
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        if : ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os != 'windows' }}
         with:
           name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
             build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
 
       - name: Upload Terraform Provider Binary as artifact (windows)
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        if : ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os == 'windows' }}
         with:
           name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
             build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
 
   upload-terraform-module:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -177,7 +177,7 @@ jobs:
         uses: ./.github/actions/upload_terraform_module
 
   push-containers:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: inputs.pushContainers
     permissions:
       actions: read
@@ -187,7 +187,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -208,7 +208,7 @@ jobs:
         run: bazel run //bazel/release:push
 
   provenance-subjects:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - build-cli
       - signed-sbom
@@ -219,7 +219,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -227,7 +227,7 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
@@ -252,16 +252,16 @@ jobs:
           echo provenance-subjects="${HASHESB64}" >> "$GITHUB_OUTPUT"
 
   signed-sbom:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
       - name: Download Syft & Grype
         uses: ./.github/actions/install_syft_grype
@@ -296,13 +296,13 @@ jobs:
           COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 
       - name: Upload Constellation CLI SBOM
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: constellation.spdx.sbom
           path: constellation.spdx.sbom
 
       - name: Upload Constellation CLI SBOM's signature
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: constellation.spdx.sbom.sig
           path: constellation.spdx.sbom.sig
@@ -316,14 +316,14 @@ jobs:
       - provenance-subjects
     # This must not be pinned to digest. See:
     # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
 
   provenance-verify:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
-      SLSA_VERIFIER_VERSION: "2.0.1"
+      SLSA_VERIFIER_VERSION: "2.7.0"
     needs:
       - build-cli
       - provenance
@@ -332,7 +332,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -340,14 +340,12 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
       - name: Download provenance
-        # Need to use the same major version as slsa-github-generator to find uploaded artifacts
-        # https://github.com/slsa-framework/slsa-github-generator/issues/3068
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
 
@@ -397,7 +395,7 @@ jobs:
   release:
     permissions:
       contents: write
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - build-cli
       - provenance
@@ -407,7 +405,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -420,19 +418,17 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
       - name: Download Constellation CLI SBOM's signature
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom.sig
 
       - name: Download Constellation provenance
-        # Need to use the same major version as slsa-github-generator to find uploaded artifacts
-        # https://github.com/slsa-framework/slsa-github-generator/issues/3068
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
 
@@ -476,7 +472,7 @@ jobs:
       - name: Create release with artifacts
         id: create-release
         # GitHub endorsed release project. See: https://github.com/actions/create-release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         with:
           draft: true
           generate_release_notes: true
@@ -491,7 +487,7 @@ jobs:
             terraform-module.zip
 
       - name: Create Terraform provider release with artifcats
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         with:
           draft: true
           generate_release_notes: false

.github/workflows/e2e-attestationconfigapi.yml

@@ -10,11 +10,6 @@ on:
       - "internal/api/**"
       - ".github/workflows/e2e-attestationconfigapi.yml"
       - "go.mod"
-  pull_request:
-    paths:
-      - "internal/api/**"
-      - ".github/workflows/e2e-attestationconfigapi.yml"
-      - "go.mod"
 
 jobs:
   e2e-api:
@@ -22,8 +17,8 @@ jobs:
       fail-fast: false
       max-parallel: 1
       matrix:
-        csp: ["azure", "aws"]
-    runs-on: ubuntu-22.04
+        attestationVariant: ["azure-sev-snp", "azure-tdx", "aws-sev-snp", "gcp-sev-snp"]
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -31,7 +26,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # Don't trigger in forks, use head on pull requests, use default otherwise.
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}
@@ -39,7 +34,6 @@ jobs:
       - name: Run Attestationconfig API E2E
         uses: ./.github/actions/e2e_attestationconfigapi
         with:
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           cosignPrivateKey: ${{ secrets.COSIGN_DEV_PRIVATE_KEY }}
           cosignPassword: ${{ secrets.COSIGN_DEV_PASSWORD }}
-          csp: ${{ matrix.csp }}
+          attestationVariant: ${{ matrix.attestationVariant }}

.github/workflows/e2e-cleanup-weekly.yml

@@ -0,0 +1,26 @@
+name: e2e weekly cleanup
+
+on:
+  schedule:
+    - cron: "0 0 * * 0" # At 00:00 every Sunday UTC
+  workflow_dispatch:
+
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Cleanup
+        uses: ./.github/actions/e2e_cleanup_timeframe
+        with:
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+          azure_credentials: ${{ secrets.AZURE_E2E_DESTROY_CREDENTIALS }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}

.github/workflows/e2e-mini.yml

@@ -20,7 +20,7 @@ on:
 
 jobs:
   e2e-mini:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     environment: e2e
     permissions:
       id-token: write
@@ -29,12 +29,12 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}
 
       - name: Azure login OIDC
-        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -46,6 +46,6 @@ jobs:
           azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
           githubToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/e2e-test-daily.yml

@@ -12,7 +12,7 @@ jobs:
       matrix:
         refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
     name: Find latest image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -21,7 +21,7 @@ jobs:
       image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
@@ -45,20 +45,21 @@ jobs:
       fail-fast: false
       max-parallel: 5
       matrix:
-        kubernetesVersion: ["1.28"] # should be default
-        attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
+        kubernetesVersion: ["1.30"] # This should correspond to the current default k8s minor.
+        attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
         refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
         test: ["sonobuoy quick"]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       checks: write
       contents: read
       packages: write
+      actions: write
     needs: [find-latest-image]
     steps:
       - name: Check out repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@@ -89,7 +90,7 @@ jobs:
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           kubernetesVersion: ${{ matrix.kubernetesVersion }}
           test: ${{ matrix.test }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -121,6 +122,16 @@ jobs:
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
       - name: Notify about failure
         if: |
           failure() &&
@@ -139,7 +150,7 @@ jobs:
 
   e2e-mini:
     name: Run miniconstellation E2E test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     environment: e2e
     permissions:
       id-token: write
@@ -148,12 +159,12 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Azure login OIDC
-        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -165,7 +176,7 @@ jobs:
           azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
           githubToken: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/e2e-test-internal-lb.yml

@@ -11,19 +11,20 @@ on:
         description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp-sev-es"
+          - "aws-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
-          - "aws-sev-snp"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
       runner:
         description: "Architecture of the runner that executes the CLI"
         type: choice
         options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "macos-latest"
+        default: "ubuntu-24.04"
       test:
         description: "The test to run."
         type: choice
@@ -40,7 +41,6 @@ on:
         required: true
       kubernetesVersion:
         description: "Kubernetes version to create the cluster from."
-        default: "1.28"
         required: true
       cliVersion:
         description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."

.github/workflows/e2e-test-marketplace-image.yml

@@ -11,19 +11,20 @@ on:
         description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp-sev-es"
+          - "aws-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
-          - "aws-sev-snp"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
       runner:
         description: "Architecture of the runner that executes the CLI"
         type: choice
         options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "macos-latest"
+        default: "ubuntu-24.04"
       test:
         description: "The test to run."
         type: choice
@@ -40,7 +41,6 @@ on:
         required: true
       kubernetesVersion:
         description: "Kubernetes version to create the cluster from."
-        default: "1.28"
         required: true
       cliVersion:
         description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."

.github/workflows/e2e-test-provider-example.yml

@@ -31,6 +31,7 @@ on:
           - "azure-sev-snp"
           - "azure-tdx"
           - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
   workflow_call:
@@ -62,7 +63,7 @@ on:
 
 jobs:
   provider-example-test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -70,7 +71,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -83,14 +84,6 @@ jobs:
           ref: main
           stream: nightly
 
-      - name: Create resource prefix
-        id: create-prefix
-        shell: bash
-        run: |
-          run_id=${{ github.run_id }}
-          last_three="${run_id: -3}"
-          echo "prefix=e2e-${last_three}" | tee -a "$GITHUB_OUTPUT"
-
       - name: Determine cloudprovider from attestation variant
         id: determine
         shell: bash
@@ -120,10 +113,18 @@ jobs:
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
         with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           nixTools: terraform
 
+      - name: Create prefix
+        id: create-prefix
+        shell: bash
+        run: |
+          uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
+          uuid="${uuid%%-*}"
+          uuid="${uuid: -3}" # Final resource name must be no longer than 10 characters on AWS
+          echo "uuid=${uuid}" | tee -a "${GITHUB_OUTPUT}"
+          echo "prefix=e2e-${uuid}" | tee -a "${GITHUB_OUTPUT}"
+
       - name: Build Constellation provider and CLI # CLI is needed for the upgrade assert and container push is needed for the microservice upgrade
         working-directory: ${{ github.workspace }}
         id: build
@@ -153,7 +154,7 @@ jobs:
 
       - name: Login to AWS (IAM + Cluster role)
         if: steps.determine.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
           aws-region: eu-central-1
@@ -263,11 +264,21 @@ jobs:
         run: |
           region=$(echo ${{ inputs.regionZone || 'europe-west3-b' }} | rev | cut -c 3- | rev)
 
+          case "${{ inputs.attestationVariant }}" in
+            "gcp-sev-snp")
+              cc_tech="SEV_SNP"
+              ;;
+            *)
+              cc_tech="SEV"
+              ;;
+          esac
+
           cat >> _override.tf <<EOF
           locals {
             project_id         = "constellation-e2e"
             region = "${region}"
             zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
+            cc_technology = "${cc_tech}"
           }
           EOF
           cat _override.tf
@@ -295,6 +306,19 @@ jobs:
           cat >> _override.tf <<EOF
           locals {
             instance_type = "Standard_DC4es_v5"
+            subscription_id = "$(az account show --query id --output tsv)"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create Azure SEV-SNP Terraform overrides
+        if: inputs.attestationVariant == 'azure-sev-snp'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          cat >> _override.tf <<EOF
+          locals {
+            subscription_id = "$(az account show --query id --output tsv)"
           }
           EOF
           cat _override.tf
@@ -310,14 +334,15 @@ jobs:
         working-directory: ${{ github.workspace }}/cluster
         shell: bash
         run: |
+          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
           terraform init
           if [[ "${{ inputs.attestationVariant }}" == "azure-sev-snp" ]]; then
-            terraform apply -target module.azure_iam -auto-approve
-            terraform apply -target module.azure_infrastructure -auto-approve
+            timeout 1h terraform apply -target module.azure_iam -auto-approve
+            timeout 1h terraform apply -target module.azure_infrastructure -auto-approve
             ${{ github.workspace }}/build/constellation maa-patch "$(terraform output -raw maa_url)"
-            terraform apply -target constellation_cluster.azure_example -auto-approve
+            timeout 1h terraform apply -target constellation_cluster.azure_example -auto-approve
           else
-            terraform apply -auto-approve
+            timeout 1h terraform apply -auto-approve
           fi
 
       - name: Cleanup Terraform Cluster on failure
@@ -328,7 +353,7 @@ jobs:
         shell: bash
         run: |
           terraform init
-          terraform destroy -auto-approve
+          terraform destroy -auto-approve -lock=false
 
       - name: Add Provider to local Terraform registry # needed if release version was used before
         if: inputs.providerVersion != ''
@@ -382,7 +407,7 @@ jobs:
         shell: bash
         run: |
           terraform init --upgrade
-          terraform apply -auto-approve
+          timeout 1h terraform apply -auto-approve
 
       - name: Assert upgrade successful
         working-directory: ${{ github.workspace }}/cluster
@@ -390,7 +415,7 @@ jobs:
           IMAGE: ${{ inputs.toImage && inputs.toImage || steps.find-latest-image.outputs.image }}
           KUBERNETES: ${{ inputs.toKubernetes }}
           MICROSERVICES: ${{ steps.build.outputs.build_version }}
-          WORKERNODES:  1
+          WORKERNODES: 1
           CONTROLNODES: 1
         run: |
           terraform output -raw kubeconfig > constellation-admin.conf
@@ -441,20 +466,20 @@ jobs:
             yq e '.nodeGroups.control_plane_default.zone = "eu-central-1a"' -i constellation-conf.yaml
             yq e '.nodeGroups.worker_default.zone = "eu-central-1a"' -i constellation-conf.yaml
           fi
-          KUBECONFIG=${{ github.workspace }}/cluster/constellation-admin.conf bazel run //e2e/provider-upgrade:provider-upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --cli "${{ github.workspace }}/build/constellation" "$IMAGE_FLAG" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"
+          KUBECONFIG=${{ github.workspace }}/cluster/constellation-admin.conf bazel run --test_timeout=14400 //e2e/provider-upgrade:provider-upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --cli "${{ github.workspace }}/build/constellation" "$IMAGE_FLAG" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"
 
       - name: Destroy Terraform Cluster
-      # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
+        # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
         if: always() && steps.apply_terraform.outcome != 'skipped'
         working-directory: ${{ github.workspace }}/cluster
         shell: bash
         run: |
           terraform init
-          terraform destroy -auto-approve
+          terraform destroy -auto-approve -lock=false
 
       - name: Notify about failure
         if: |
-          failure() &&
+          (failure() || cancelled()) &&
           github.ref == 'refs/heads/main' &&
           github.event_name == 'schedule'
         continue-on-error: true

.github/workflows/e2e-test-release.yml

@@ -47,197 +47,256 @@ jobs:
           # sonobuoy full test on all k8s versions
           - test: "sonobuoy full"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
-            clusterCreation: "cli"
-
-
-          - test: "sonobuoy full"
-            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
-            clusterCreation: "cli"
-          - test: "sonobuoy full"
-            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
-            clusterCreation: "cli"
-          - test: "sonobuoy full"
-            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
-            clusterCreation: "cli"
-          - test: "sonobuoy full"
-            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.28"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           - test: "sonobuoy full"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.27"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.27"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.27"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.27"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # verify test on latest k8s version
           - test: "verify"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "verify"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "verify"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "verify"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "verify"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # recover test on latest k8s version
           - test: "recover"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "recover"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "recover"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "recover"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "recover"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # lb test on latest k8s version
           - test: "lb"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "lb"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "lb"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "lb"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "lb"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # autoscaling test on latest k8s version
           - test: "autoscaling"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "autoscaling"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "autoscaling"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "autoscaling"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "autoscaling"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
-          # perf-bench test on latest k8s version, not supported on AWS
+          # perf-bench test on latest k8s version
           - test: "perf-bench"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
           - test: "perf-bench"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # s3proxy test on latest k8s version
           - test: "s3proxy"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
-            runner: "ubuntu-22.04"
+            kubernetes-version: "v1.30"
+            runner: "ubuntu-24.04"
             clusterCreation: "cli"
 
           # malicious join test on latest k8s version
           - test: "malicious join"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
+            runner: "ubuntu-24.04"
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+            runner: "ubuntu-24.04"
           - test: "malicious join"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
+            runner: "ubuntu-24.04"
           - test: "malicious join"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
+            runner: "ubuntu-24.04"
           - test: "malicious join"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
+            runner: "ubuntu-24.04"
 
           #
           # Tests on macOS runner
@@ -246,12 +305,12 @@ jobs:
           # TODO(3u13r): Update verify test to work on MacOS runners
           # - test: "verify"
           #  attestationVariant: "azure-sev-snp"
-          #  kubernetes-version: "v1.29"
-          #  runner: "macos-12"
+          #  kubernetes-version: "v1.30"
+          #  runner: "macos-latest"
           - test: "recover"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
-            runner: "macos-12"
+            kubernetes-version: "v1.30"
+            runner: "macos-latest"
             clusterCreation: "cli"
     runs-on: ${{ matrix.runner }}
     permissions:
@@ -259,6 +318,7 @@ jobs:
       checks: write
       contents: read
       packages: write
+      actions: write
     steps:
       - name: Install the basics tools (macOS)
         if: runner.os == 'macOS'
@@ -266,7 +326,7 @@ jobs:
         run: brew install coreutils kubectl bash
 
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ inputs.ref || github.head_ref }}
@@ -282,7 +342,7 @@ jobs:
 
       - name: Set up gcloud CLI (macOS)
         if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
       - name: Run E2E test
         id: e2e_test
@@ -304,7 +364,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -334,13 +394,23 @@ jobs:
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
   e2e-upgrade:
     strategy:
       fail-fast: false
       max-parallel: 1
       matrix:
-        fromVersion: ["v2.15.1"]
-        attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
+        fromVersion: ["v2.22.0"]
+        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
     name: Run upgrade tests
     secrets: inherit
     permissions:
@@ -348,6 +418,7 @@ jobs:
       contents: read
       checks: write
       packages: write
+      actions: write
     uses: ./.github/workflows/e2e-upgrade.yml
     with:
       fromVersion: ${{ matrix.fromVersion }}

.github/workflows/e2e-test-stackit.yml

@@ -0,0 +1,153 @@
+name: e2e test STACKIT
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *" # Every day at midnight.
+
+jobs:
+  find-latest-image:
+    name: Find latest image
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
+    outputs:
+      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Select relevant image
+        id: select-image-action
+        uses: ./.github/actions/select_image
+        with:
+          osImage: "ref/release/stream/stable/?"
+
+      - name: Relabel output
+        id: relabel-output
+        shell: bash
+        run: |
+          ref=$(echo 'ref/release/stream/stable/?' | cut -d/ -f2)
+          stream=$(echo 'ref/release/stream/stable/?' | cut -d/ -f4)
+
+          echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT"
+
+  e2e-stackit:
+    strategy:
+      fail-fast: false
+      max-parallel: 6
+      matrix:
+        kubernetesVersion: [ "1.29", "1.30", "1.31" ]
+        clusterCreation: [ "cli", "terraform" ]
+        test: [ "sonobuoy quick" ]
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+      packages: write
+      actions: write
+    needs: [find-latest-image]
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          nixTools: terraform
+
+      - name: Run E2E test
+        id: e2e_test
+        uses: ./.github/actions/e2e_test
+        with:
+          workerNodesCount: "1"
+          controlNodesCount: "1"
+          cloudProvider: stackit
+          attestationVariant: qemu-vtpm
+          osImage: ${{ needs.find-latest-image.outputs.image-release-stable }}
+          isDebugImage: false
+          cliVersion: ${{ needs.find-latest-image.outputs.image-release-stable || '' }}
+          kubernetesVersion: ${{ matrix.kubernetesVersion }}
+          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
+          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
+          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
+          gcpProject: constellation-e2e
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+          test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
+          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          fetchMeasurements: false
+          clusterCreation: ${{ matrix.clusterCreation }}
+          s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
+          s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
+          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
+
+      - name: Always terminate cluster
+        if: always()
+        uses: ./.github/actions/constellation_destroy
+        with:
+          kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
+          clusterCreation: ${{ matrix.clusterCreation }}
+          cloudProvider: stackit
+          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Always delete IAM configuration
+        if: always()
+        uses: ./.github/actions/constellation_iam_destroy
+        with:
+          cloudProvider: stackit
+          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Notify about failure
+        if: |
+          failure() &&
+          github.ref == 'refs/heads/main' &&
+          github.event_name == 'schedule'
+        continue-on-error: true
+        uses: ./.github/actions/notify_e2e_failure
+        with:
+          projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
+          refStream: "ref/release/stream/stable/?"
+          test: ${{ matrix.test }}
+          kubernetesVersion: ${{ matrix.kubernetesVersion }}
+          provider: stackit
+          attestationVariant: qemu-vtpm
+          clusterCreation: ${{ matrix.clusterCreation }}
+
+      - name: Notify STACKIT
+        if: |
+          failure() &&
+          github.ref == 'refs/heads/main' &&
+          github.event_name == 'schedule'
+        continue-on-error: true
+        uses: ./.github/actions/notify_stackit
+        with:
+          slackToken: ${{ secrets.SLACK_TOKEN }}

.github/workflows/e2e-test-terraform-provider.yml

@@ -11,19 +11,20 @@ on:
         description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp-sev-es"
+          - "aws-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
-          - "aws-sev-snp"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
       runner:
         description: "Architecture of the runner that executes the CLI"
         type: choice
         options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "macos-latest"
+        default: "ubuntu-24.04"
       test:
         description: "The test to run."
         type: choice
@@ -40,7 +41,6 @@ on:
         required: true
       kubernetesVersion:
         description: "Kubernetes version to create the cluster from."
-        default: "1.28"
         required: true
       releaseVersion:
         description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref."

.github/workflows/e2e-test-weekly.yml

@@ -10,9 +10,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
+        refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
     name: Find latest image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -22,7 +22,7 @@ jobs:
       image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
@@ -51,184 +51,261 @@ jobs:
           # Tests on main-debug refStream
           #
 
+          # Emergency SSH test on latest k8s version
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+
           # Sonobuoy full test on latest k8s version
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "sonobuoy full"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+
+          # Sonobuoy conformance test
+          - test: "sonobuoy conformance"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           # Sonobuoy quick test on all but the latest k8s versions
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.27"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
             clusterCreation: "cli"
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.27"
+            kubernetes-version: "v1.29"
             clusterCreation: "cli"
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.27"
+            kubernetes-version: "v1.29"
             clusterCreation: "cli"
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.27"
+            kubernetes-version: "v1.29"
             clusterCreation: "cli"
 
-
           # verify test on latest k8s version
           - test: "verify"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "verify"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
             clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "verify"
             attestationVariant: "aws-sev-snp"
             refStream: "ref/main/stream/debug/?"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           # recover test on latest k8s version
           - test: "recover"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "recover"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "recover"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "recover"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "recover"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           # lb test on latest k8s version
           - test: "lb"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "lb"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "lb"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "lb"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "lb"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           # autoscaling test on latest k8s version
           - test: "autoscaling"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "autoscaling"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "autoscaling"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "autoscaling"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "autoscaling"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
-          # perf-bench test on latest k8s version, not supported on AWS
+          # perf-bench test on latest k8s version
           - test: "perf-bench"
-            refStream: "ref/main/stream/debug/?"
+            refStream: "ref/main/stream/nightly/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "perf-bench"
-            refStream: "ref/main/stream/debug/?"
-            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "perf-bench"
+            refStream: "ref/main/stream/nightly/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
-          # TODO: check what needs to be done for perf-bench on Azure TDX
-          #- test: "perf-bench"
-          #  refStream: "ref/main/stream/debug/?"
-          #  attestationVariant: "azure-tdx"
-          #  kubernetes-version: "v1.29"
-          #  clusterCreation: "cli"
 
           # s3proxy test on latest k8s version
           - test: "s3proxy"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
           #
@@ -239,34 +316,40 @@ jobs:
           - test: "verify"
             refStream: "ref/release/stream/stable/?"
             attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "verify"
+            refStream: "ref/release/stream/stable/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/release/stream/stable/?"
             attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/release/stream/stable/?"
             attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/release/stream/stable/?"
             attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.30"
             clusterCreation: "cli"
 
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       checks: write
       contents: read
       packages: write
+      actions: write
     needs: [find-latest-image]
     steps:
       - name: Check out repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@@ -288,7 +371,7 @@ jobs:
           controlNodesCount: "3"
           cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
           attestationVariant: ${{ matrix.attestationVariant }}
-          osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
+          osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || matrix.refStream == 'ref/main/stream/nightly/?' && needs.find-latest-image.outputs.image-main-nightly || needs.find-latest-image.outputs.image-main-debug }}
           isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
           cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
           kubernetesVersion: ${{ matrix.kubernetes-version }}
@@ -300,7 +383,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -332,6 +415,16 @@ jobs:
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
       - name: Notify about failure
         if: |
           failure() &&
@@ -353,8 +446,8 @@ jobs:
       fail-fast: false
       max-parallel: 1
       matrix:
-        fromVersion: ["v2.15.1"]
-        attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
+        fromVersion: ["v2.22.0"]
+        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
     name: Run upgrade tests
     secrets: inherit
     permissions:
@@ -362,6 +455,7 @@ jobs:
       checks: write
       contents: read
       packages: write
+      actions: write
     uses: ./.github/workflows/e2e-upgrade.yml
     with:
       fromVersion: ${{ matrix.fromVersion }}
@@ -371,7 +465,7 @@ jobs:
 
   e2e-mini:
     name: Run miniconstellation E2E test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     environment: e2e
     permissions:
       id-token: write
@@ -380,12 +474,12 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Azure login OIDC
-        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -397,7 +491,7 @@ jobs:
           azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
           azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
           githubToken: ${{ secrets.GITHUB_TOKEN }}
 
@@ -420,6 +514,7 @@ jobs:
       id-token: write
       contents: read
       packages: write
+      checks: write
     secrets: inherit
     uses: ./.github/workflows/e2e-windows.yml
     with:
@@ -430,7 +525,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
+        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
     permissions:
       id-token: write
       contents: read

.github/workflows/e2e-test.yml

@@ -12,24 +12,27 @@ on:
         type: choice
         options:
           - "gcp-sev-es"
+          - "gcp-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
           - "aws-sev-snp"
+          - "stackit-qemu-vtpm"
         default: "azure-sev-snp"
         required: true
       runner:
         description: "Architecture of the runner that executes the CLI"
         type: choice
         options:
-          - "ubuntu-22.04"
-          - "macos-12"
-        default: "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "macos-latest"
+        default: "ubuntu-24.04"
       test:
-        description: "The test to run."
+        description: "The test to run. The conformance test is only supported for clusterCreation=cli."
         type: choice
         options:
           - "sonobuoy quick"
           - "sonobuoy full"
+          - "sonobuoy conformance"
           - "autoscaling"
           - "lb"
           - "perf-bench"
@@ -37,11 +40,12 @@ on:
           - "recover"
           - "malicious join"
           - "s3proxy"
+          - "emergency ssh"
           - "nop"
         required: true
       kubernetesVersion:
         description: "Kubernetes version to create the cluster from."
-        default: "1.28"
+        default: "1.30"
         required: true
       cliVersion:
         description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@@ -81,7 +85,7 @@ on:
         type: string
         required: true
       test:
-        description: "The test to run."
+        description: "The test to run. The conformance test is only supported for clusterCreation=cli."
         type: string
         required: true
       kubernetesVersion:
@@ -127,7 +131,7 @@ on:
 jobs:
   generate-input-parameters:
     name: Generate input parameters
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -135,6 +139,7 @@ jobs:
       workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
       controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
       cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+      attestationVariant: ${{ steps.split-attestationVariant.outputs.attestationVariant }}
     steps:
       - name: Split nodeCount
         id: split-nodeCount
@@ -159,11 +164,17 @@ jobs:
           attestationVariant="${{ inputs.attestationVariant }}"
           cloudProvider="${attestationVariant%%-*}"
 
+          # special case for STACKIT, as there's no special attestation variant for it
+          if [[ "${cloudProvider}" == "stackit" ]]; then
+            attestationVariant="qemu-vtpm"
+          fi
+
+          echo "attestationVariant=${attestationVariant}" | tee -a "$GITHUB_OUTPUT"
           echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
 
   find-latest-image:
     name: Select image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -173,13 +184,13 @@ jobs:
     steps:
       - name: Checkout head
         if: inputs.git-ref == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Checkout ref
         if: inputs.git-ref != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.git-ref }}
 
@@ -199,6 +210,7 @@ jobs:
       checks: write
       contents: read
       packages: write
+      actions: write
     needs: [find-latest-image, generate-input-parameters]
     if: always() && !cancelled()
     steps:
@@ -209,19 +221,19 @@ jobs:
 
       - name: Checkout head
         if: inputs.git-ref == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Checkout ref
         if: inputs.git-ref != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.git-ref }}
 
       - name: Set up gcloud CLI (macOS)
         if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
       - name: Run manual E2E test
         id: e2e_test
@@ -230,7 +242,7 @@ jobs:
           workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
           controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
           cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
-          attestationVariant: ${{ inputs.attestationVariant }}
+          attestationVariant: ${{ needs.generate-input-parameters.outputs.attestationVariant }}
           machineType: ${{ inputs.machineType }}
           regionZone: ${{ inputs.regionZone }}
           gcpProject: constellation-e2e
@@ -244,7 +256,7 @@ jobs:
           osImage: ${{ needs.find-latest-image.outputs.image }}
           cliVersion: ${{ inputs.cliVersion }}
           isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -259,6 +271,9 @@ jobs:
           marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
           force: ${{ inputs.force }}
           encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
+          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
 
       - name: Always terminate cluster
         if: always()
@@ -277,3 +292,13 @@ jobs:
           cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}

.github/workflows/e2e-upgrade.yml

@@ -7,10 +7,11 @@ on:
         description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp-sev-es"
+          - "aws-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
-          - "aws-sev-snp"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
       nodeCount:
@@ -21,6 +22,10 @@ on:
         description: CLI version to create a new cluster with. This has to be a released version, e.g., 'v2.1.3'.
         type: string
         required: true
+      fromKubernetes:
+        description: Kubernetes version for the origin cluster, empty for origin target's default version.
+        type: string
+        required: false
       gitRef:
         description: Ref to build upgrading CLI on, empty for HEAD.
         type: string
@@ -31,11 +36,11 @@ on:
         type: string
         required: false
       toKubernetes:
-        description: Kubernetes version to target for the upgrade, empty for target's default version.
+        description: Kubernetes version to target for the upgrade, empty for upgrade target's default version.
         type: string
         required: false
       toMicroservices:
-        description: Microservice version to target for the upgrade, empty for target's default version.
+        description: Microservice version to target for the upgrade, empty for upgrade target's default version.
         type: string
         required: false
       simulatedTargetVersion:
@@ -59,6 +64,10 @@ on:
         description: CLI version to create a new cluster with. This has to be a released version, e.g., 'v2.1.3'.
         type: string
         required: true
+      fromKubernetes:
+        description: Kubernetes version for the origin cluster, empty for origin target's default version.
+        type: string
+        required: false
       gitRef:
         description: Ref to build upgrading CLI on.
         type: string
@@ -89,7 +98,7 @@ on:
 jobs:
   generate-input-parameters:
     name: Generate input parameters
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -123,63 +132,9 @@ jobs:
 
           echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
 
-  build-target-cli:
-    name: Build upgrade target version CLI
-    runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
-      checks: write
-      contents: read
-      packages: write
-    steps:
-      - name: Checkout
-        if: inputs.gitRef == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
-      - name: Checkout ref
-        if: inputs.gitRef != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-          ref: ${{ inputs.gitRef }}
-
-      - name: Setup Bazel & Nix
-        uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
-
-      - name: Log in to the Container registry
-        uses: ./.github/actions/container_registry_login
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Simulate patch upgrade
-        if: inputs.simulatedTargetVersion != ''
-        run: |
-          echo ${{ inputs.simulatedTargetVersion }} > version.txt
-
-      - name: Build CLI
-        uses: ./.github/actions/build_cli
-        with:
-          enterpriseCLI: true
-          outputPath: "build/constellation"
-          push: true
-
-      - name: Upload CLI binary
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        with:
-          name: constellation-upgrade-${{ inputs.attestationVariant }}
-          path: build/constellation
-
   create-cluster:
     name: Create upgrade origin version cluster
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       checks: write
@@ -188,25 +143,23 @@ jobs:
     needs: [generate-input-parameters]
     outputs:
       kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
+      e2e-name-prefix: ${{ steps.e2e_test.outputs.namePrefix }}
     steps:
       - name: Checkout
         if: inputs.gitRef == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Checkout ref
         if: inputs.gitRef != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ inputs.gitRef }}
 
       - uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Create cluster with 'fromVersion' CLI.
         id: e2e_test
@@ -219,12 +172,13 @@ jobs:
           osImage: ${{ inputs.fromVersion }}
           isDebugImage: "false"
           cliVersion: ${{ inputs.fromVersion }}
+          kubernetesVersion: ${{ inputs.fromKubernetes }}
           regionZone: ${{ inputs.regionZone }}
           gcpProject: constellation-e2e
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: "upgrade"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
@@ -266,7 +220,7 @@ jobs:
 
   e2e-upgrade:
     name: Run upgrade test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       checks: write
@@ -274,31 +228,53 @@ jobs:
       packages: write
     needs:
       - generate-input-parameters
-      - build-target-cli
       - create-cluster
     steps:
       - name: Checkout
         if: inputs.gitRef == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Checkout ref
         if: inputs.gitRef != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ inputs.gitRef }}
 
       - name: Setup Bazel & Nix
         uses: ./.github/actions/setup_bazel_nix
+
+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
         with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # applying the version manipulation here so that the upgrade test tool is also on the simulated target version
+      - name: Simulate patch upgrade
+        if: inputs.simulatedTargetVersion != ''
+        run: |
+          echo ${{ inputs.simulatedTargetVersion }} > version.txt
+
+      - name: Build CLI
+        uses: ./.github/actions/build_cli
+        with:
+          enterpriseCLI: true
+          outputPath: "build/constellation"
+          push: true
+
+      - name: Upload CLI binary # is needed for the cleanup step
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: constellation-upgrade-${{ inputs.attestationVariant }}
+          path: build/constellation
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
           aws-region: eu-central-1
@@ -320,7 +296,7 @@ jobs:
 
       - name: Login to AWS (IAM role)
         if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
           aws-region: eu-central-1
@@ -333,11 +309,6 @@ jobs:
         with:
           azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 
-      - name: Download CLI
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
-        with:
-          name: constellation-upgrade-${{ inputs.attestationVariant }}
-          path: build
 
       - name: Download Working Directory (Pre-test)
         uses: ./.github/actions/artifact_download
@@ -376,7 +347,7 @@ jobs:
 
       - name: Login to AWS (Cluster role)
         if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
           aws-region: eu-central-1
@@ -395,21 +366,16 @@ jobs:
           IMAGE: ${{ inputs.toImage && inputs.toImage || steps.find-image.outputs.output }}
           KUBERNETES: ${{ inputs.toKubernetes }}
           MICROSERVICES: ${{ inputs.toMicroservices }}
-          WORKERNODES:  ${{ needs.generate-input-parameters.outputs.workerNodes }}
+          WORKERNODES: ${{ needs.generate-input-parameters.outputs.workerNodes }}
           CONTROLNODES: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
         run: |
           echo "Image target: $IMAGE"
           echo "K8s target: $KUBERNETES"
           echo "Microservice target: $MICROSERVICES"
 
-          if [[ -n ${MICROSERVICES} ]]; then
-            MICROSERVICES_FLAG="--target-microservices=$MICROSERVICES"
-          fi
-          if [[ -n ${KUBERNETES} ]]; then
-            KUBERNETES_FLAG="--target-kubernetes=$KUBERNETES"
-          fi
-
-          bazel run //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"
+          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
+          CLI=$(realpath ./build/constellation)
+          bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" --target-kubernetes "$KUBERNETES" --target-microservices "$MICROSERVICES" --cli "$CLI"
 
       - name: Remove Terraform plugin cache
         if: always()
@@ -433,31 +399,32 @@ jobs:
 
   clean-up:
     name: Clean up resources
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       checks: write
       contents: read
       packages: write
+      actions: write
     if: always()
     needs: [generate-input-parameters, create-cluster, e2e-upgrade]
     steps:
       - name: Checkout
         if: inputs.gitRef == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Checkout ref
         if: inputs.gitRef != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ inputs.gitRef }}
 
       - name: Download CLI
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation-upgrade-${{ inputs.attestationVariant }}
           path: build
@@ -503,6 +470,17 @@ jobs:
             constellation-version.yaml
           encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
+      - name: Prepare terraform state artifact upload
+        if: always()
+        shell: bash
+        run: |
+          mkdir -p to-zip
+          cp -r constellation-terraform to-zip
+          rm -f to-zip/constellation-terraform/plan.zip
+          rm -rf to-zip/constellation-terraform/.terraform
+          cp -r constellation-iam-terraform to-zip
+          rm -rf to-zip/constellation-iam-terraform/.terraform
+
       - name: Always terminate cluster
         if: always()
         uses: ./.github/actions/constellation_destroy
@@ -521,6 +499,16 @@ jobs:
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ needs.create-cluster.outputs.e2e-name-prefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
       - name: Notify about failure
         if: |
           always() &&

.github/workflows/e2e-windows.yml

@@ -13,18 +13,27 @@ on:
 jobs:
   build-cli:
     name: Build Windows CLI
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+      packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
+
+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
         with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build CLI
         uses: ./.github/actions/build_cli
@@ -32,33 +41,35 @@ jobs:
           targetOS: "windows"
           targetArch: "amd64"
           enterpriseCLI: true
+          outputPath: "build/constellation"
+          push: true
 
       - name: Upload CLI artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          path: "bazel-bin/cli/cli_enterprise_windows_amd64"
+          path: build/constellation.exe
           name: "constell-exe"
 
   e2e-test:
     name: E2E Test Windows
-    runs-on: windows-2022
+    runs-on: windows-2025
     needs: build-cli
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Download CLI artifact
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: "constell-exe"
 
       - name: Check CLI version
         shell: pwsh
         run: |
-          Move-Item -Path .\cli_enterprise_windows_amd64 -Destination .\constellation.exe
           .\constellation.exe version
+          Add-Content -Path $env:windir\System32\drivers\etc\hosts -Value "`n127.0.0.1`tlicense.confidential.cloud" -Force
 
       - name: Login to Azure (IAM service principal)
         uses: ./.github/actions/login_azure
@@ -66,10 +77,14 @@ jobs:
           azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 
       - name: Create IAM configuration
+        id: iam-create
         shell: pwsh
         run: |
-          .\constellation.exe config generate azure
-          .\constellation.exe iam create azure --region=westus --resourceGroup=e2eWindoewsRG --servicePrincipal=e2eWindoewsSP --update-config --debug -y
+          $uid = Get-Random -Minimum 1000 -Maximum 9999
+          $rgName = "e2e-win-${{ github.run_id }}-${{ github.run_attempt }}-$uid"
+          "rgName=$($rgName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+          .\constellation.exe config generate azure -t "workflow=${{ github.run_id }}"
+          .\constellation.exe iam create azure --subscriptionID=${{ secrets.AZURE_SUBSCRIPTION_ID }} --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
 
       - name: Login to Azure (Cluster service principal)
         uses: ./.github/actions/login_azure
@@ -95,24 +110,31 @@ jobs:
               Write-Host "Retry ${retryCount}: Checking node status..."
 
               $nodesOutput = & kubectl get nodes --kubeconfig "$PWD\constellation-admin.conf"
+              $status = $?
 
-              $lines = $nodesOutput -split "`r?`n" | Select-Object -Skip 1
+              $nodesOutput
 
-              $allNodesReady = $true
+              if ($status) {
+                  $lines = $nodesOutput -split "`r?`n" | Select-Object -Skip 1
 
-              foreach ($line in $lines) {
-                  $columns = $line -split '\s+' | Where-Object { $_ -ne '' }
+                  if ($lines.count -eq 4) {
+                      $allNodesReady = $true
 
-                  $nodeName = $columns[0]
-                  $status = $columns[1]
+                      foreach ($line in $lines) {
+                          $columns = $line -split '\s+' | Where-Object { $_ -ne '' }
 
-                  if ($status -ne "Ready") {
-                      Write-Host "Node $nodeName is not ready!"
-                      $allNodesReady = $false
+                          $nodeName = $columns[0]
+                          $status = $columns[1]
+
+                          if ($status -ne "Ready") {
+                              Write-Host "Node $nodeName is not ready!"
+                              $allNodesReady = $false
+                          }
+                      }
                   }
               }
 
-              if (-not $allNodesReady) {
+              if (-not $allNodesReady -and $retryCount -lt $maxRetries) {
                   Write-Host "Retrying in $retryIntervalSeconds seconds..."
                   Start-Sleep -Seconds $retryIntervalSeconds
               }
@@ -127,6 +149,7 @@ jobs:
           }
 
       - name: Terminate cluster
+        id: terminate-cluster
         if: always()
         shell: pwsh
         run: |
@@ -139,14 +162,23 @@ jobs:
           azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 
       - name: Delete IAM configuration
+        id: delete-iam
         if: always()
         shell: pwsh
         run: |
           .\constellation.exe iam destroy --debug -y
 
+      - name: Clean up after failure
+        # run on a cleanup failure or if cancelled
+        if: (failure() && (steps.terminate-cluster.conclusion == 'failure' || steps.delete-iam.conclusion == 'failure')) || cancelled()
+        shell: pwsh
+        run: |
+          az group delete --name ${{ steps.iam-create.outputs.rgName }}-rg --yes
+          az group delete --name ${{ steps.iam-create.outputs.rgName }}-rg-identity --yes
+
   notify-failure:
     name: Notify about failure
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: e2e-test
     if: |
       failure() &&
@@ -154,15 +186,12 @@ jobs:
       inputs.scheduled
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Notify about failure
         continue-on-error: true

.github/workflows/on-release.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   complete-release-branch-transaction:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: write
@@ -26,7 +26,7 @@ jobs:
       WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # fetch all history
 
@@ -44,12 +44,12 @@ jobs:
           git push origin "${WORKING_BRANCH}":"${RELEASE_BRANCH}"
 
   update:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Override latest
         if: github.event.inputs.latest == 'true'
@@ -117,13 +117,13 @@ jobs:
         add-image-version-to-versionsapi,
         add-cli-version-to-versionsapi,
       ]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Remove temporary branch
         run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
@@ -131,20 +131,18 @@ jobs:
   mirror-gcp-mpi:
     name: "Mirror GCP Marketplace Image"
     needs: [add-image-version-to-versionsapi]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "false"
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
           aws-region: eu-central-1
@@ -162,7 +160,7 @@ jobs:
         shell: bash
         run: |
           aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
-          FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json)
+          FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-snp") | .reference' info.json)
           IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
           echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT"
 

.github/workflows/purge-main.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   find-version:
     name: Delete version from main ref
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       version: ${{ steps.find.outputs.version }}
     permissions:
@@ -18,12 +18,12 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.head_ref }}
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
           aws-region: eu-central-1
@@ -47,6 +47,8 @@ jobs:
               ;;
           esac
 
+      - uses: ./.github/actions/setup_bazel_nix
+
       - name: List versions
         id: list
         uses: ./.github/actions/versionsapi

.github/workflows/release-publish.yml

@@ -0,0 +1,79 @@
+name: 'Release: on-publish'
+
+on:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Semantic version tag of the release (vX.Y.Z).'
+        required: true
+
+jobs:
+  post-release-actions:
+    runs-on: ubuntu-24.04
+    permissions:
+      issues: write
+    env:
+      FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Mark milestone as complete
+        run: |
+          milestones=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/edgelesssys/constellation/milestones)
+
+          current_milestone=$(echo "${milestones}" | jq -r ".[] | select(.title == \"${FULL_VERSION}\")")
+          echo "current milestone: ${current_milestone}"
+          if [[ -z "${current_milestone}" ]]; then
+            echo "milestone ${FULL_VERSION} does not exist, nothing to do..."
+            exit 0
+          fi
+
+          current_milestone_state=$(echo "${current_milestone}" | jq -r '.state')
+          echo "current milestone state: ${current_milestone_state}"
+          if [[ "${current_milestone_state}" != "open" ]]; then
+            echo "milestone ${FULL_VERSION} is already closed, nothing to do..."
+            exit 0
+          fi
+
+          milestone_number=$(echo "${current_milestone}" | jq -r '.number')
+          echo "milestone number: ${milestone_number}"
+          if [[ -z "${milestone_number}" ]]; then
+            echo "failed parsing milestone number"
+            exit 1
+          fi
+
+          gh api \
+            --method PATCH \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/edgelesssys/constellation/milestones/${milestone_number}" \
+            -f state=closed
+
+      - name: Create next milestone
+        run: |
+          WITHOUT_V=${FULL_VERSION#v}
+          PART_MAJOR=${WITHOUT_V%%.*}
+          PART_MINOR=${WITHOUT_V#*.}
+          PART_MINOR=${PART_MINOR%%.*}
+          NEXT_MINOR=v${PART_MAJOR}.$((PART_MINOR + 1)).0
+
+          gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/edgelesssys/constellation/milestones |
+            jq -r '.[].title' | \
+            grep -xqF "${NEXT_MINOR}" && exit 0
+
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/edgelesssys/constellation/milestones \
+            -f title="${NEXT_MINOR}" \
+            -f state='open' \
+            -f "due_on=$(date -d '2 months' +'%Y-%m-%dT00:00:00Z')"

.github/workflows/release.yml

@@ -19,7 +19,7 @@ concurrency:
 jobs:
   verify-inputs:
     name: Verify inputs
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       FULL_VERSION: ${{ inputs.version }}
     outputs:
@@ -33,7 +33,7 @@ jobs:
       RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
       WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Working branch
         run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
@@ -72,10 +72,9 @@ jobs:
             echo "WORKING_BRANCH=${WORKING_BRANCH}"
           } | tee -a "$GITHUB_OUTPUT"
 
-  docs:
-    name: Create docs release (from main)
-    runs-on: ubuntu-22.04
-    if: inputs.kind == 'minor'
+  update-main-branch:
+    name: Update main branch with release changes
+    runs-on: ubuntu-24.04
     needs: verify-inputs
     permissions:
       contents: write
@@ -85,36 +84,61 @@ jobs:
       MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
       BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: main
 
+      - name: Configure git
+        run: |
+          git config --global user.name "edgelessci"
+          git config --global user.email "edgelessci@users.noreply.github.com"
+
       - name: Create docs release
+        if: inputs.kind == 'minor'
         working-directory: docs
         run: |
-          npm install
+          npm ci
           npm run docusaurus docs:version "${MAJOR_MINOR}"
+          git add .
+          git commit -am "docs: release ${MAJOR_MINOR}"
+          # Clean up auxiliary files, so next steps run on a clean tree
+          git clean -fdx :/
+
+      - name: Update version.txt
+        if: inputs.kind == 'minor'
+        run: |
+          pre_release_version="v${{ needs.verify-inputs.outputs.PART_MAJOR }}.$((${{ needs.verify-inputs.outputs.PART_MINOR }} + 1)).0-pre"
+          echo "${pre_release_version}" > version.txt
+          git add version.txt
+          git commit -m "chore: update version.txt to ${pre_release_version}"
+
+      - name: Update CI for new version
+        run: |
+          sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-release.yml
+          sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml
 
       - name: Create docs pull request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           branch: ${{ env.BRANCH }}
           base: main
-          title: "docs: add release ${{ env.VERSION }}"
+          title: "Post ${{ env.VERSION }} release updates to main"
           body: |
             :robot: *This is an automated PR.* :robot:
 
             The PR is triggered as part of the automated release process of version ${{ env.VERSION }}.
-            It releases a new version of the documentation.
-          commit-message: "docs: add release ${{ env.VERSION }}"
+          commit-message: "chore: update CI for ${{ env.VERSION }}"
           committer: edgelessci <edgelessci@users.noreply.github.com>
+          author: edgelessci <edgelessci@users.noreply.github.com>
           labels: no changelog
+          assignees: ${{ github.actor }}
+          reviewers: ${{ github.actor }}
           # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
           token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
 
   check-working-branch:
     name: Check temporary working branch
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: verify-inputs
     permissions:
       contents: write
@@ -123,7 +147,7 @@ jobs:
       WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
 
@@ -152,7 +176,7 @@ jobs:
   update-versions:
     name: Update container image versions
     needs: [verify-inputs, check-working-branch]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
       packages: read
@@ -161,7 +185,7 @@ jobs:
       WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
 
@@ -181,7 +205,7 @@ jobs:
           yq eval -i ".version = \"$WITHOUT_V\"" s3proxy/deploy/s3proxy/Chart.yaml
           yq eval -i ".image = \"ghcr.io/edgelesssys/constellation/s3proxy:$VERSION\"" s3proxy/deploy/s3proxy/values.yaml
 
-          git add s3proxy/deploy/s3proxy/Chart.yaml
+          git add s3proxy/deploy/s3proxy/Chart.yaml s3proxy/deploy/s3proxy/values.yaml
 
       - name: Commit
         run: |
@@ -215,25 +239,36 @@ jobs:
       stream: "stable"
       ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
 
+  check-measurements-reproducibility:
+    name: Check measurements reproducibility
+    needs: [verify-inputs, os-image]
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check reproducibility
+        uses: ./.github/actions/check_measurements_reproducibility
+        with:
+          version: ${{ inputs.version }}
+          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
+
   update-hardcoded-measurements:
     name: Update hardcoded measurements (in the CLI)
     needs: [verify-inputs, os-image]
     permissions:
       contents: write
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       VERSION: ${{ inputs.version }}
       WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
 
       - name: Setup Go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22.0"
+          go-version: "1.24.2"
           cache: true
 
       - name: Build generateMeasurements tool
@@ -250,8 +285,12 @@ jobs:
         run: |
           git config --global user.name "edgelessci"
           git config --global user.email "edgelessci@users.noreply.github.com"
-          git commit -m "attestation: hardcode measurements for ${VERSION}"
-          git push
+          if git diff-index --quiet HEAD --; then
+            echo "No changes to commit"
+          else
+            git commit -m "attestation: hardcode measurements for ${VERSION}"
+            git push
+          fi
 
   draft-release:
     name: Draft release (CLI)
@@ -278,6 +317,7 @@ jobs:
       packages: write
       id-token: write
       contents: read
+      actions: write
     secrets: inherit
     with:
       ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

.github/workflows/reproducible-builds.yml

@@ -1,8 +1,9 @@
 # Verify that Constellation builds are reproducible.
 #
-# The build-* jobs' matrix has two dimensions: a list of targets to build and
-# a list of runners to build on. The produced binaries and OS images are
-# expected to be bit-for-bit identical, regardless of the chosen build runner.
+# The build-* jobs' matrix has three dimensions: a list of targets to build, a
+# list of runners to build on and a method of installing dependencies. The
+# produced binaries and OS images are expected to be bit-for-bit identical,
+# without any dependencies on the runtime setup details.
 #
 # The compare-* jobs only have the target dimension. They obtain the built
 # targets from all runners and check that there are no diffs between them.
@@ -12,6 +13,9 @@ on:
   workflow_dispatch:
   schedule:
     - cron: "45 06 * * 1" # Every Monday at 6:45am
+  pull_request:
+    paths:
+      - .github/workflows/reproducible-builds.yml
 
 jobs:
   build-binaries:
@@ -24,22 +28,39 @@ jobs:
             - "cli_enterprise_linux_amd64"
             - "cli_enterprise_linux_arm64"
             - "cli_enterprise_windows_amd64"
-          runner: ["ubuntu-22.04", "ubuntu-20.04"]
+          runner:
+            - "ubuntu-24.04"
+            - "ubuntu-22.04"
+          deps:
+            - conventional
+            - eccentric
     env:
         bazel_target: "//cli:${{ matrix.target }}"
-        binary: "${{ matrix.target }}-${{ matrix.runner }}"
+        binary: "${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
     runs-on: ${{ matrix.runner }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
-      - name: Setup bazel
+      - name: Setup dependencies
         uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "logs"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+        if: matrix.deps == 'conventional'
+
+      - name: Setup dependencies (eccentric)
+        if: matrix.deps == 'eccentric'
+        run: |
+          bazelVersion=$(cat .bazelversion)
+          mkdir -p "$HOME/.local/bin"
+          curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$bazelVersion/bazel-$bazelVersion-linux-x86_64"
+          chmod a+x "$HOME/.local/bin/bazel"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+          curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v3.2.1/nix-installer-x86_64-linux # renovate:github-release
+          nixVersion=$(cat .nixversion)
+          chmod a+x "$HOME/.local/bin/nix-installer"
+          "$HOME/.local/bin/nix-installer" install --no-confirm --nix-package-url "https://releases.nixos.org/nix/nix-$nixVersion/nix-$nixVersion-x86_64-linux.tar.xz"
 
       - name: Build
         shell: bash
@@ -60,15 +81,15 @@ jobs:
         run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
 
       - name: Upload binary artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
+          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
           path: "${{ env.binary }}"
 
       - name: Upload hash artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
+          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
           path: "${{ env.binary }}.sha256"
 
   build-osimages:
@@ -80,22 +101,31 @@ jobs:
             - "aws_aws-nitro-tpm_console"
             - "qemu_qemu-vtpm_debug"
             - "gcp_gcp-sev-snp_nightly"
-          runner: ["ubuntu-22.04", "ubuntu-20.04"]
+          runner: ["ubuntu-24.04", "ubuntu-22.04"]
     env:
         bazel_target: "//image/system:${{ matrix.target }}"
         binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
     runs-on: ${{ matrix.runner }}
     steps:
+      - name: Remove security hardening features
+        if: matrix.runner == 'ubuntu-24.04'
+        shell: bash
+        run: |
+          # Taken from https://github.com/systemd/mkosi/blob/fcacc94b9f72d9b6b1f03779b0c6e07209ceb54b/action.yaml#L42-L57.
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+          # This command fails with a non-zero error code even though it unloads the apparmor profiles.
+          # https://gitlab.com/apparmor/apparmor/-/issues/403
+          sudo aa-teardown || true
+          sudo apt-get remove -y apparmor
+
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "logs"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Build
         shell: bash
@@ -116,13 +146,13 @@ jobs:
         run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
 
       - name: Upload binary artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
           path: "${{ env.binary }}"
 
       - name: Upload hash artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
           path: "${{ env.binary }}.sha256"
@@ -138,14 +168,14 @@ jobs:
             - "cli_enterprise_linux_amd64"
             - "cli_enterprise_linux_arm64"
             - "cli_enterprise_windows_amd64"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Download binaries
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           pattern: "binaries-${{ matrix.target }}-*"
           merge-multiple: true
@@ -172,14 +202,14 @@ jobs:
               - "aws_aws-nitro-tpm_console"
               - "qemu_qemu-vtpm_debug"
               - "gcp_gcp-sev-snp_nightly"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Download os images
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           pattern: "osimages-${{ matrix.target }}-*"
           merge-multiple: true

.github/workflows/scorecard.yml

@@ -9,7 +9,7 @@ on:
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
@@ -18,25 +18,25 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
       - name: Upload artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           sarif_file: results.sarif

.github/workflows/sync-terraform-docs.yml

@@ -18,14 +18,14 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout constellation repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
           fetch-depth: 0
           path: constellation
 
       - name: Checkout terraform-provider-constellation repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: edgelesssys/terraform-provider-constellation
           ref: main
@@ -40,7 +40,7 @@ jobs:
 
       - name: Create pull request
         id: create-pull-request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           path: terraform-provider-constellation
           branch: "feat/docs/update"

.github/workflows/test-integration.yml

@@ -20,20 +20,17 @@ on:
 
 jobs:
   integration-test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       CTEST_OUTPUT_ON_FAILURE: True
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix
-        with:
-          useCache: "true"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Integration Tests
         env:

.github/workflows/test-operator-codegen.yml

@@ -18,17 +18,17 @@ on:
 jobs:
   govulncheck:
     name: check-codegen
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Setup Go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22.0"
+          go-version: "1.24.2"
           cache: true
 
       - name: Run code generation

.github/workflows/test-tfsec.yml

@@ -17,13 +17,13 @@ on:
 jobs:
   tfsec:
     name: tfsec
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 

.github/workflows/test-tidy.yml

@@ -17,7 +17,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
           # No token available for forks, so we can't push changes
@@ -34,11 +34,10 @@ jobs:
         with:
           useCache: "rbe"
           rbePlatform: "ubuntu-22.04"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Assume AWS role to upload Bazel dependencies to S3
         if: startsWith(github.head_ref, 'renovate/')
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
           aws-region: eu-central-1
@@ -52,7 +51,9 @@ jobs:
 
       - name: Run Bazel tidy
         shell: bash
-        run: bazel run //:tidy
+        run: |
+          bazel run //:tidy
+          bazel mod deps --lockfile_mode=update
 
       - name: Check if untidy
         id: untidy
@@ -97,10 +98,11 @@ jobs:
             exit 0
           fi
 
+          # Use quadruple backticks to escape triple backticks in diff'ed files.
           cat << EOF >> "${GITHUB_STEP_SUMMARY}"
-          \`\`\`diff
+          \`\`\`\`diff
           ${diff}
-          \`\`\`
+          \`\`\`\`
           EOF
 
           if [[ "${{ steps.untidy.outputs.untidy }}" == "true" ]] &&

.github/workflows/test-unittest.yml

@@ -30,7 +30,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
           fetch-depth: 0
@@ -40,7 +40,6 @@ jobs:
         with:
           useCache: "rbe"
           rbePlatform: "ubuntu-22.04"
-          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
 
       - name: Install AWS cli
         run: |
@@ -50,7 +49,7 @@ jobs:
           rm -rf awscliv2.zip aws
 
       - name: Login to AWS (IAM role)
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage
           aws-region: eu-central-1
@@ -70,7 +69,7 @@ jobs:
 
       - name: Comment coverage
         if: steps.coverage.outputs.uploadable == 'true' && github.event_name == 'pull_request'
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
         with:
           header: coverage
           path: coverage_diff.md