mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-04-05 13:35:59 -04:00
Compare commits
263 Commits
Author | SHA1 | Date | |
---|---|---|---|
![]() |
819ec9a22c | ||
![]() |
e5d22ebcaf | ||
![]() |
0926b82a65 | ||
![]() |
d742243cdc | ||
![]() |
ae50f8b500 | ||
![]() |
ba0865706e | ||
![]() |
1079fba200 | ||
![]() |
fa21c55f5d | ||
![]() |
88ca92509c | ||
![]() |
b52639d2b8 | ||
![]() |
ebc962ad68 | ||
![]() |
5ab11ab996 | ||
![]() |
c4d8fe3741 | ||
![]() |
700eb60614 | ||
![]() |
810c8448d9 | ||
![]() |
3e6777c3e5 | ||
![]() |
7b550bbf09 | ||
![]() |
accfd4e041 | ||
![]() |
67efbd43a5 | ||
![]() |
4dab6759bb | ||
![]() |
5a1b7b7944 | ||
![]() |
be146cdb22 | ||
![]() |
f5cd6a9d0b | ||
![]() |
18e67e7deb | ||
![]() |
66815a4a47 | ||
![]() |
83e08e3e37 | ||
![]() |
3cc930fa97 | ||
![]() |
c7369fa2a7 | ||
![]() |
ec46c97d4c | ||
![]() |
4a9d265579 | ||
![]() |
906e93b95c | ||
![]() |
41396b21e5 | ||
![]() |
ddff16badb | ||
![]() |
53c3d12feb | ||
![]() |
e001a8ec8f | ||
![]() |
be9f78cdc7 | ||
![]() |
3ccc7910aa | ||
![]() |
f4840de69e | ||
![]() |
b42f9dfb4f | ||
![]() |
b0a22270f8 | ||
![]() |
a67818f447 | ||
![]() |
0de14a2e60 | ||
![]() |
f64dc96e7a | ||
![]() |
7f52752cbd | ||
![]() |
dbb7c5b0fd | ||
![]() |
cf2e83c723 | ||
![]() |
df06022e9e | ||
![]() |
eb9dc01425 | ||
![]() |
368b52a4dd | ||
![]() |
b08bfd327d | ||
![]() |
fa8b0bab79 | ||
![]() |
e5d1aab7d8 | ||
![]() |
39bca12491 | ||
![]() |
4b9b101378 | ||
![]() |
a491cac57a | ||
![]() |
a1e24742a9 | ||
![]() |
b4b6df2676 | ||
![]() |
f56693c139 | ||
![]() |
f66c03e0c8 | ||
![]() |
ddbcda848b | ||
![]() |
fab1c8e149 | ||
![]() |
494eb265c6 | ||
![]() |
810a6ecac5 | ||
![]() |
08f740d5db | ||
![]() |
84075ca052 | ||
![]() |
7fdece4d6c | ||
![]() |
6225d910de | ||
![]() |
44d20385d2 | ||
![]() |
c5b9208472 | ||
![]() |
ca6cc22beb | ||
![]() |
60663ebe75 | ||
![]() |
60604fdc5e | ||
![]() |
e95c60c3fc | ||
![]() |
10e39c4d7c | ||
![]() |
9e1578aca1 | ||
![]() |
0ccaa00026 | ||
![]() |
473b04abd5 | ||
![]() |
fb609b23b0 | ||
![]() |
d97e60fea5 | ||
![]() |
144d5e9d06 | ||
![]() |
a65176ee06 | ||
![]() |
159e60d8bb | ||
![]() |
148cb1e150 | ||
![]() |
99a81cd246 | ||
![]() |
f8a95de174 | ||
![]() |
758191ad42 | ||
![]() |
28ae7de4ea | ||
![]() |
d208251df1 | ||
![]() |
0abd06053c | ||
![]() |
b204b3c59b | ||
![]() |
df2383ab09 | ||
![]() |
28e92b9732 | ||
![]() |
1551f8884e | ||
![]() |
c39ecc8a82 | ||
![]() |
571c81cfd5 | ||
![]() |
4d79ce2773 | ||
![]() |
cb77e7bb0d | ||
![]() |
3fa29a5ee8 | ||
![]() |
f81c357f51 | ||
![]() |
6d42d9b40e | ||
![]() |
f41c7619e1 | ||
![]() |
f1e30863c1 | ||
![]() |
245700ee54 | ||
![]() |
76b642baf9 | ||
![]() |
ad364f2089 | ||
![]() |
681a341b8f | ||
![]() |
0e4f3a0716 | ||
![]() |
706d1dff15 | ||
![]() |
e6048e093b | ||
![]() |
1faf2dd1b8 | ||
![]() |
bb994d5a01 | ||
![]() |
7242a1eb74 | ||
![]() |
8da08bec8d | ||
![]() |
8e8c44e35a | ||
![]() |
148b82e32c | ||
![]() |
e44adf85d4 | ||
![]() |
3af498fbfe | ||
![]() |
bda3d802dc | ||
![]() |
808631f530 | ||
![]() |
3f702ecda9 | ||
![]() |
12cfd7006b | ||
![]() |
caa80783eb | ||
![]() |
501d1779ed | ||
![]() |
bea2f33efc | ||
![]() |
92d7fc5385 | ||
![]() |
e9a6513346 | ||
![]() |
ebbe61727c | ||
![]() |
44e898e187 | ||
![]() |
f048ebb8e8 | ||
![]() |
f789b8efc7 | ||
![]() |
c6db8bd46b | ||
![]() |
2216098a9b | ||
![]() |
679edd79d4 | ||
![]() |
22d093cc6f | ||
![]() |
53e937522f | ||
![]() |
40754753a2 | ||
![]() |
56b061e84b | ||
![]() |
576add30d1 | ||
![]() |
c24e149b12 | ||
![]() |
3a898e9cff | ||
![]() |
b996a4cbae | ||
![]() |
9a969548e4 | ||
![]() |
cef2436065 | ||
![]() |
188e51bba1 | ||
![]() |
4cffde5036 | ||
![]() |
405d0c6154 | ||
![]() |
1459ab96fe | ||
![]() |
6ba47d5634 | ||
![]() |
0272e7dd15 | ||
![]() |
99c8a1eb11 | ||
![]() |
e3f29ecf4d | ||
![]() |
f10376fd44 | ||
![]() |
e8771e2dab | ||
![]() |
d9ab8c76e0 | ||
![]() |
126dbd69d9 | ||
![]() |
0d2bedbca3 | ||
![]() |
2fad395bb5 | ||
![]() |
2ba6b66cee | ||
![]() |
9f59990c7d | ||
![]() |
91ffc68189 | ||
![]() |
094f5e87a6 | ||
![]() |
40e25c3046 | ||
![]() |
88f26bc161 | ||
![]() |
7dd743b69e | ||
![]() |
19e54a0174 | ||
![]() |
44612b1d93 | ||
![]() |
3d9d386538 | ||
![]() |
fcf778e73c | ||
![]() |
c467ff603b | ||
![]() |
50ab77e37a | ||
![]() |
ba0b2521ab | ||
![]() |
abe54a2f7a | ||
![]() |
4b4afffee7 | ||
![]() |
1b050a636f | ||
![]() |
8496b4ce46 | ||
![]() |
2da6c7d911 | ||
![]() |
2da0ed6da0 | ||
![]() |
1495a7f6dd | ||
![]() |
7d0aca054b | ||
![]() |
be1deb7d4b | ||
![]() |
37e21b2ff0 | ||
![]() |
54878ddc56 | ||
![]() |
7a7b6b3655 | ||
![]() |
eb08fe1025 | ||
![]() |
2596d7c1c2 | ||
![]() |
64b395dba8 | ||
![]() |
59b9d54c44 | ||
![]() |
23354f23a5 | ||
![]() |
cdb3e461bb | ||
![]() |
d346848aac | ||
![]() |
469cae4658 | ||
![]() |
d7728fe3ba | ||
![]() |
36f8c6d540 | ||
![]() |
4bf607529b | ||
![]() |
224e6e397c | ||
![]() |
ab2782a2a2 | ||
![]() |
b03e671a62 | ||
![]() |
0aa44a8221 | ||
![]() |
a1da8aa70c | ||
![]() |
fc0b3cc4a2 | ||
![]() |
af4b15c365 | ||
![]() |
53ae065329 | ||
![]() |
b652baa9c2 | ||
![]() |
6bad8b9839 | ||
![]() |
5b1e3627c9 | ||
![]() |
ed573c46d6 | ||
![]() |
6ebfa28e6d | ||
![]() |
283ea08437 | ||
![]() |
d8e9ed4f93 | ||
![]() |
2c318905a6 | ||
![]() |
17bfce7c11 | ||
![]() |
5977f0f5b1 | ||
![]() |
b99bd53066 | ||
![]() |
8f3d6c42f2 | ||
![]() |
6dbb8ac56a | ||
![]() |
b99413a7cc | ||
![]() |
6d7f687609 | ||
![]() |
900fb3f88b | ||
![]() |
247df63d68 | ||
![]() |
143f683852 | ||
![]() |
52372ae808 | ||
![]() |
fbdf1db053 | ||
![]() |
871be80877 | ||
![]() |
b2e99af86c | ||
![]() |
f06830ec1a | ||
![]() |
4d65c7811b | ||
![]() |
4026752e89 | ||
![]() |
775ba22ab2 | ||
![]() |
521ff0d14c | ||
![]() |
d874b5b5f4 | ||
![]() |
173ef26f70 | ||
![]() |
3b23d080d7 | ||
![]() |
e0c95a34bb | ||
![]() |
7cde5220c5 | ||
![]() |
98cabeebd5 | ||
![]() |
26da32ed95 | ||
![]() |
1c5fe3fe24 | ||
![]() |
36024f20ae | ||
![]() |
a8434a2415 | ||
![]() |
d95a1de17f | ||
![]() |
000a7627fc | ||
![]() |
887b9c5fae | ||
![]() |
273ec733fb | ||
![]() |
f2b919a563 | ||
![]() |
e39d90ac1e | ||
![]() |
960499a937 | ||
![]() |
54058eed2a | ||
![]() |
aa7d47ed5f | ||
![]() |
7458d0e892 | ||
![]() |
bff8bce88f | ||
![]() |
9124691743 | ||
![]() |
7dc38d9ff0 | ||
![]() |
4b7cd84eaf | ||
![]() |
132218ac1e | ||
![]() |
46fcbb5ee8 | ||
![]() |
53caa86cb8 | ||
![]() |
1ed1a627b3 | ||
![]() |
2cd5b05b51 | ||
![]() |
cbd8cc6976 | ||
![]() |
7977746785 | ||
![]() |
96ac7124e3 | ||
![]() |
0997ce2b98 | ||
![]() |
44b2a758dd |
@ -1 +1 @@
|
||||
7.3.2
|
||||
7.4.1
|
||||
|
2
.github/actions/artifact_download/action.yml
vendored
2
.github/actions/artifact_download/action.yml
vendored
@ -28,7 +28,7 @@ runs:
|
||||
run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Download the artifact
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: ${{ inputs.name }}
|
||||
path: ${{ steps.tempdir.outputs.directory }}
|
||||
|
2
.github/actions/artifact_upload/action.yml
vendored
2
.github/actions/artifact_upload/action.yml
vendored
@ -69,7 +69,7 @@ runs:
|
||||
done
|
||||
|
||||
- name: Upload archive as artifact
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: ${{ inputs.name }}
|
||||
path: ${{ steps.tempdir.outputs.directory }}/archive.7z
|
||||
|
2
.github/actions/build_cli/action.yml
vendored
2
.github/actions/build_cli/action.yml
vendored
@ -79,7 +79,7 @@ runs:
|
||||
# once it has the functionality
|
||||
- name: Install Cosign
|
||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
|
||||
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
|
||||
|
||||
- name: Install Rekor
|
||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
||||
|
@ -42,7 +42,7 @@ runs:
|
||||
|
||||
- name: Docker metadata
|
||||
id: meta
|
||||
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
|
||||
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
|
||||
with:
|
||||
images: |
|
||||
ghcr.io/${{ github.repository }}/${{ inputs.name }}
|
||||
@ -62,7 +62,7 @@ runs:
|
||||
|
||||
- name: Build and push container image
|
||||
id: build-micro-service
|
||||
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
|
||||
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
|
||||
with:
|
||||
context: .
|
||||
file: ${{ inputs.dockerfile }}
|
||||
|
4
.github/actions/cdbg_deploy/action.yml
vendored
4
.github/actions/cdbg_deploy/action.yml
vendored
@ -61,7 +61,7 @@ runs:
|
||||
|
||||
- name: Login to AWS (IAM service principal)
|
||||
if: inputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
|
||||
aws-region: eu-central-1
|
||||
@ -80,7 +80,7 @@ runs:
|
||||
|
||||
- name: Login to AWS (Cluster service principal)
|
||||
if: inputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
|
||||
aws-region: eu-central-1
|
||||
|
58
.github/actions/check_measurements_reproducibility/action.yml
vendored
Normal file
58
.github/actions/check_measurements_reproducibility/action.yml
vendored
Normal file
@ -0,0 +1,58 @@
|
||||
name: Check measurements reproducibility
|
||||
description: Check if the measurements of a given release are reproducible.
|
||||
|
||||
inputs:
|
||||
version:
|
||||
type: string
|
||||
description: The version of the measurements that are downloaded from the CDN.
|
||||
required: true
|
||||
ref:
|
||||
type: string
|
||||
description: The git ref to check out. You probably want this to be the tag of the release you are testing.
|
||||
required: true
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref }}
|
||||
path: ./release
|
||||
|
||||
- name: Set up bazel
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
with:
|
||||
useCache: "false"
|
||||
nixTools: |
|
||||
systemdUkify
|
||||
jq
|
||||
jd-diff-patch
|
||||
moreutils
|
||||
|
||||
- name: Build images
|
||||
id: build-images
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# Build required binaries
|
||||
pushd release
|
||||
bazel build //image/system:stable
|
||||
echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
|
||||
popd
|
||||
|
||||
- name: Download measurements
|
||||
shell: bash
|
||||
run: |
|
||||
curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json
|
||||
|
||||
- name: Cleanup release measurements and generate our own
|
||||
shell: bash
|
||||
run: |
|
||||
${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
|
||||
|
||||
- name: Compare measurements
|
||||
shell: bash
|
||||
run: |
|
||||
${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
|
31
.github/actions/check_measurements_reproducibility/compare_measurements.sh
vendored
Executable file
31
.github/actions/check_measurements_reproducibility/compare_measurements.sh
vendored
Executable file
@ -0,0 +1,31 @@
|
||||
#!/usr/bin/env bash
|
||||
# no -e since we need to collect errors later
|
||||
# no -u since it interferes with checking associative arrays
|
||||
set -o pipefail
|
||||
shopt -s extglob
|
||||
|
||||
declare -A errors
|
||||
|
||||
for directory in "$1"/system/!(mkosi_wrapper.sh); do
|
||||
dirname="$(basename "$directory")"
|
||||
attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
|
||||
|
||||
echo "Their measurements for $attestationVariant:"
|
||||
ts " " < "$attestationVariant"_their-measurements.json
|
||||
echo "Own measurements for $attestationVariant:"
|
||||
ts " " < "$attestationVariant"_own-measurements.json
|
||||
|
||||
diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)"
|
||||
if [[ -n $diff ]]; then
|
||||
errors["$attestationVariant"]="$diff"
|
||||
fi
|
||||
done
|
||||
|
||||
for attestationVariant in "${!errors[@]}"; do
|
||||
echo "Failed to reproduce measurements for $attestationVariant:"
|
||||
echo "${errors["$attestationVariant"]}" | ts " "
|
||||
done
|
||||
|
||||
if [[ ${#errors[@]} -ne 0 ]]; then
|
||||
exit 1
|
||||
fi
|
28
.github/actions/check_measurements_reproducibility/create_measurements.sh
vendored
Executable file
28
.github/actions/check_measurements_reproducibility/create_measurements.sh
vendored
Executable file
@ -0,0 +1,28 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
shopt -s extglob
|
||||
|
||||
for directory in "$1"/system/!(mkosi_wrapper.sh); do
|
||||
dirname="$(basename "$directory")"
|
||||
csp="$(echo "$dirname" | cut -d_ -f1)"
|
||||
attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
|
||||
|
||||
# This jq filter selects the measurements for the correct CSP and attestation variant
|
||||
# and then removes all `warnOnly: true` measurements.
|
||||
jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
|
||||
'
|
||||
.list.[]
|
||||
| select(
|
||||
.attestationVariant == $attestation_variant
|
||||
and (.csp | ascii_downcase) == $csp
|
||||
)
|
||||
| .measurements
|
||||
| to_entries
|
||||
| map(select(.value.warnOnly | not))
|
||||
| from_entries
|
||||
| del(.[] .warnOnly)
|
||||
' \
|
||||
measurements.json > "$attestationVariant"_their-measurements.json
|
||||
|
||||
bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json
|
||||
done
|
13
.github/actions/constellation_create/action.yml
vendored
13
.github/actions/constellation_create/action.yml
vendored
@ -257,9 +257,9 @@ runs:
|
||||
continue-on-error: true
|
||||
uses: ./.github/actions/artifact_upload
|
||||
with:
|
||||
name: serial-logs-${{ inputs.artifactNameSuffix }}
|
||||
path: >
|
||||
!(terraform).log
|
||||
name: debug-logs-${{ inputs.artifactNameSuffix }}
|
||||
path: |
|
||||
*.log
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Prepare terraform state folders
|
||||
@ -268,9 +268,12 @@ runs:
|
||||
run: |
|
||||
mkdir to-zip
|
||||
cp -r constellation-terraform to-zip
|
||||
cp -r constellation-iam-terraform to-zip
|
||||
# constellation-iam-terraform is optional
|
||||
if [ -d constellation-iam-terraform ]; then
|
||||
cp -r constellation-iam-terraform to-zip
|
||||
fi
|
||||
rm -f to-zip/constellation-terraform/plan.zip
|
||||
rm -rf to-zip/constellation-terraform/.terraform to-zip/constellation-iam-terraform/.terraform
|
||||
rm -rf to-zip/*/.terraform
|
||||
|
||||
- name: Upload terraform state
|
||||
if: always()
|
||||
|
@ -67,7 +67,7 @@ runs:
|
||||
|
||||
- name: Login to AWS (Cluster role)
|
||||
if: inputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
|
||||
aws-region: eu-central-1
|
||||
|
@ -42,6 +42,15 @@ inputs:
|
||||
gcpZone:
|
||||
description: "The GCP zone to deploy Constellation in."
|
||||
required: false
|
||||
#
|
||||
# STACKIT specific inputs
|
||||
#
|
||||
stackitZone:
|
||||
description: "The STACKIT zone to deploy Constellation in."
|
||||
required: false
|
||||
stackitProjectID:
|
||||
description: "The STACKIT project ID to deploy Constellation in."
|
||||
required: false
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
@ -93,6 +102,7 @@ runs:
|
||||
--tf-log=DEBUG \
|
||||
--yes ${extraFlags}
|
||||
|
||||
# TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix
|
||||
- name: Constellation iam create gcp
|
||||
shell: bash
|
||||
if: inputs.cloudProvider == 'gcp'
|
||||
@ -104,3 +114,13 @@ runs:
|
||||
--update-config \
|
||||
--tf-log=DEBUG \
|
||||
--yes
|
||||
|
||||
- name: Set STACKIT-specific configuration
|
||||
shell: bash
|
||||
if: inputs.cloudProvider == 'stackit'
|
||||
env:
|
||||
STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }}
|
||||
run: |
|
||||
yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml
|
||||
yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
|
||||
yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
|
||||
|
@ -23,7 +23,7 @@ runs:
|
||||
|
||||
- name: Login to AWS (IAM role)
|
||||
if: inputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
|
||||
aws-region: eu-central-1
|
||||
|
@ -17,7 +17,7 @@ runs:
|
||||
steps:
|
||||
- name: Use docker for logging in
|
||||
if: runner.os != 'macOS'
|
||||
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
||||
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
||||
with:
|
||||
registry: ${{ inputs.registry }}
|
||||
username: ${{ inputs.username }}
|
||||
|
2
.github/actions/container_sbom/action.yml
vendored
2
.github/actions/container_sbom/action.yml
vendored
@ -19,7 +19,7 @@ runs:
|
||||
steps:
|
||||
- name: Install Cosign
|
||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
|
||||
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
|
||||
|
||||
- name: Download Syft & Grype
|
||||
uses: ./.github/actions/install_syft_grype
|
||||
|
@ -67,7 +67,7 @@ runs:
|
||||
# Make sure that helm is installed
|
||||
# This is not always the case, e.g. on MacOS runners
|
||||
- name: Install Helm
|
||||
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
||||
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
|
||||
with:
|
||||
version: v3.9.0
|
||||
|
||||
|
@ -5,51 +5,51 @@ runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Download CLI binaries darwin-amd64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation-darwin-amd64
|
||||
|
||||
- name: Download CLI binaries darwin-arm64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation-darwin-arm64
|
||||
|
||||
- name: Download CLI binaries linux-amd64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation-linux-amd64
|
||||
|
||||
- name: Download CLI binaries linux-arm64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation-linux-arm64
|
||||
|
||||
- name: Download CLI binaries windows-amd64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation-windows-amd64
|
||||
|
||||
- name: Download Terraform module
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: terraform-module
|
||||
|
||||
- name: Download Terraform provider binary darwin-amd64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: terraform-provider-constellation-darwin-amd64
|
||||
|
||||
- name: Download Terraform provider binary darwin-arm64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: terraform-provider-constellation-darwin-arm64
|
||||
|
||||
- name: Download Terraform provider binary linux-amd64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: terraform-provider-constellation-linux-amd64
|
||||
|
||||
- name: Download Terraform provider binary linux-arm64
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: terraform-provider-constellation-linux-arm64
|
||||
|
@ -19,7 +19,7 @@ runs:
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
|
||||
aws-region: eu-west-1
|
||||
|
25
.github/actions/e2e_autoscaling/action.yml
vendored
25
.github/actions/e2e_autoscaling/action.yml
vendored
@ -82,7 +82,30 @@ runs:
|
||||
KUBECONFIG: ${{ inputs.kubeconfig }}
|
||||
run: |
|
||||
worker_count=${{ steps.worker_count.outputs.worker_count }}
|
||||
kubectl create -n default deployment nginx --image=nginx --replicas $(( 110 * (worker_count + 1) + 55 ))
|
||||
|
||||
cat <<EOF | kubectl apply -f -
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: nginx
|
||||
namespace: default
|
||||
spec:
|
||||
replicas: $(( 110 * (worker_count + 1) + 55 ))
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxUnavailable: 0 # Ensure "kubectl wait" actually waits for all pods to be ready
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
EOF
|
||||
|
||||
- name: Wait for autoscaling and check result
|
||||
shell: bash
|
||||
|
6
.github/actions/e2e_benchmark/action.yml
vendored
6
.github/actions/e2e_benchmark/action.yml
vendored
@ -32,7 +32,7 @@ runs:
|
||||
|
||||
steps:
|
||||
- name: Setup python
|
||||
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
|
||||
uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
|
||||
with:
|
||||
python-version: "3.10"
|
||||
|
||||
@ -48,7 +48,7 @@ runs:
|
||||
install kubestr /usr/local/bin
|
||||
|
||||
- name: Checkout k8s-bench-suite
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
repository: "edgelesssys/k8s-bench-suite"
|
||||
@ -166,7 +166,7 @@ runs:
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Assume AWS role to retrieve and update benchmarks in S3
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
|
||||
aws-region: us-east-2
|
||||
|
@ -1,3 +1,3 @@
|
||||
numpy ==1.26.4
|
||||
matplotlib ==3.8.3
|
||||
Pillow ==10.3.0
|
||||
numpy ==2.2.4
|
||||
matplotlib ==3.10.1
|
||||
Pillow ==11.1.0
|
18
.github/actions/e2e_cleanup_timeframe/action.yml
vendored
18
.github/actions/e2e_cleanup_timeframe/action.yml
vendored
@ -11,12 +11,18 @@ inputs:
|
||||
azure_credentials:
|
||||
description: "Credentials authorized to create Constellation on Azure."
|
||||
required: true
|
||||
openStackCloudsYaml:
|
||||
description: "The contents of ~/.config/openstack/clouds.yaml"
|
||||
required: false
|
||||
stackitUat:
|
||||
description: "The UAT for STACKIT"
|
||||
required: false
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Authenticate AWS
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
|
||||
aws-region: eu-central-1
|
||||
@ -31,6 +37,16 @@ runs:
|
||||
with:
|
||||
service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"
|
||||
|
||||
- name: Login to OpenStack
|
||||
uses: ./.github/actions/login_openstack
|
||||
with:
|
||||
clouds_yaml: ${{ inputs.openStackCloudsYaml }}
|
||||
|
||||
- name: Login to STACKIT
|
||||
uses: ./.github/actions/login_stackit
|
||||
with:
|
||||
serviceAccountToken: ${{ inputs.stackitUat }}
|
||||
|
||||
- name: Install tools
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
with:
|
||||
|
68
.github/actions/e2e_emergency_ssh/action.yml
vendored
Normal file
68
.github/actions/e2e_emergency_ssh/action.yml
vendored
Normal file
@ -0,0 +1,68 @@
|
||||
name: Emergency ssh
|
||||
description: "Verify that an emergency ssh connection can be established."
|
||||
|
||||
inputs:
|
||||
kubeconfig:
|
||||
description: "The kubeconfig file for the cluster."
|
||||
required: true
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Test emergency ssh
|
||||
shell: bash
|
||||
env:
|
||||
KUBECONFIG: ${{ inputs.kubeconfig }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# Activate emergency ssh access to the cluster
|
||||
pushd ./constellation-terraform
|
||||
echo "emergency_ssh = true" >> terraform.tfvars
|
||||
terraform apply -auto-approve
|
||||
lb="$(terraform output -raw loadbalancer_address)"
|
||||
popd
|
||||
|
||||
# write ssh config
|
||||
cat > ssh_config <<EOF
|
||||
Host $lb
|
||||
ProxyJump none
|
||||
|
||||
Host *
|
||||
StrictHostKeyChecking no
|
||||
UserKnownHostsFile=/dev/null
|
||||
IdentityFile ./access-key
|
||||
PreferredAuthentications publickey
|
||||
CertificateFile=constellation_cert.pub
|
||||
User root
|
||||
ProxyJump $lb
|
||||
EOF
|
||||
|
||||
for i in {1..26}; do
|
||||
if [[ "$i" -eq 26 ]]; then
|
||||
echo "Port 22 never became reachable"
|
||||
exit 1
|
||||
fi
|
||||
echo "Waiting until port 22 is reachable: $i/25"
|
||||
if nc -z -w 25 "$lb" 22; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
# generate and try keypair
|
||||
ssh-keygen -t ecdsa -q -N "" -f ./access-key
|
||||
constellation ssh --debug --key ./access-key.pub
|
||||
internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
|
||||
for ip in $internalIPs; do
|
||||
for i in {1..26}; do
|
||||
if [[ "$i" -eq 26 ]]; then
|
||||
echo "Failed to connect to $ip over $lb"
|
||||
exit 1
|
||||
fi
|
||||
echo "Trying connection to $ip over $lb: $i/25"
|
||||
if ssh -F ssh_config -o BatchMode=yes $ip true; then
|
||||
echo "Connected to $ip successfully"
|
||||
break
|
||||
fi
|
||||
done
|
||||
done
|
2
.github/actions/e2e_mini/action.yml
vendored
2
.github/actions/e2e_mini/action.yml
vendored
@ -25,7 +25,7 @@ runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Install terraform
|
||||
uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
|
||||
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
|
||||
with:
|
||||
terraform_wrapper: false
|
||||
|
||||
|
2
.github/actions/e2e_sonobuoy/action.yml
vendored
2
.github/actions/e2e_sonobuoy/action.yml
vendored
@ -70,7 +70,7 @@ runs:
|
||||
|
||||
- name: Publish test results
|
||||
if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
|
||||
uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
|
||||
uses: mikepenz/action-junit-report@97744eca465b8df9e6e33271cb155003f85327f1 # v5.5.0
|
||||
with:
|
||||
report_paths: "**/junit_01.xml"
|
||||
fail_on_failure: true
|
||||
|
47
.github/actions/e2e_test/action.yml
vendored
47
.github/actions/e2e_test/action.yml
vendored
@ -56,7 +56,7 @@ inputs:
|
||||
description: "Azure credentials authorized to create an IAM configuration."
|
||||
required: true
|
||||
test:
|
||||
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
|
||||
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
|
||||
required: true
|
||||
sonobuoyTestSuiteCmd:
|
||||
description: "The sonobuoy test suite to run."
|
||||
@ -93,6 +93,15 @@ inputs:
|
||||
encryptionSecret:
|
||||
description: "The secret to use for decrypting the artifact."
|
||||
required: true
|
||||
openStackCloudsYaml:
|
||||
description: "The contents of ~/.config/openstack/clouds.yaml"
|
||||
required: false
|
||||
stackitUat:
|
||||
description: "The UAT for STACKIT"
|
||||
required: false
|
||||
stackitProjectID:
|
||||
description: "The STACKIT project ID to deploy Constellation in."
|
||||
required: false
|
||||
|
||||
outputs:
|
||||
kubeconfig:
|
||||
@ -106,7 +115,7 @@ runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Check input
|
||||
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
|
||||
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
|
||||
shell: bash
|
||||
run: |
|
||||
echo "::error::Invalid input for test field: ${{ inputs.test }}"
|
||||
@ -140,6 +149,8 @@ runs:
|
||||
|
||||
- name: Setup bazel
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
with:
|
||||
nixTools: terraform
|
||||
|
||||
- name: Log in to the Container registry
|
||||
uses: ./.github/actions/container_registry_login
|
||||
@ -216,7 +227,7 @@ runs:
|
||||
|
||||
- name: Login to AWS (IAM role)
|
||||
if: inputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
|
||||
aws-region: eu-central-1
|
||||
@ -229,12 +240,30 @@ runs:
|
||||
with:
|
||||
azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
|
||||
|
||||
- name: Login to OpenStack
|
||||
if: inputs.cloudProvider == 'stackit'
|
||||
uses: ./.github/actions/login_openstack
|
||||
with:
|
||||
clouds_yaml: ${{inputs.openStackCloudsYaml }}
|
||||
|
||||
- name: Login to STACKIT
|
||||
if: inputs.cloudProvider == 'stackit'
|
||||
uses: ./.github/actions/login_stackit
|
||||
with:
|
||||
serviceAccountToken: ${{ inputs.stackitUat }}
|
||||
|
||||
- name: Create prefix
|
||||
id: create-prefix
|
||||
shell: bash
|
||||
run: |
|
||||
uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
|
||||
uuid=${uuid%%-*}
|
||||
|
||||
# GCP has a 6 character limit the additional uuid prefix since the full prefix length has a maximum of 24
|
||||
if [[ ${{ inputs.cloudProvider }} == 'gcp' ]]; then
|
||||
uuid=${uuid:0:6}
|
||||
fi
|
||||
|
||||
echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
|
||||
echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT
|
||||
|
||||
@ -244,7 +273,7 @@ runs:
|
||||
with:
|
||||
attestationVariant: ${{ inputs.attestationVariant }}
|
||||
|
||||
- name: Create IAM configuration
|
||||
- name: Create Constellation config and IAM
|
||||
id: constellation-iam-create
|
||||
uses: ./.github/actions/constellation_iam_create
|
||||
with:
|
||||
@ -256,6 +285,8 @@ runs:
|
||||
azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region }}
|
||||
gcpProjectID: ${{ inputs.gcpProject }}
|
||||
gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
|
||||
stackitZone: ${{ inputs.regionZone || 'eu01-2' }}
|
||||
stackitProjectID: ${{ inputs.stackitProjectID }}
|
||||
kubernetesVersion: ${{ inputs.kubernetesVersion }}
|
||||
additionalTags: "workflow=${{ github.run_id }}"
|
||||
|
||||
@ -267,7 +298,7 @@ runs:
|
||||
|
||||
- name: Login to AWS (Cluster role)
|
||||
if: inputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
|
||||
aws-region: eu-central-1
|
||||
@ -421,3 +452,9 @@ runs:
|
||||
s3AccessKey: ${{ inputs.s3AccessKey }}
|
||||
s3SecretKey: ${{ inputs.s3SecretKey }}
|
||||
githubToken: ${{ inputs.githubToken }}
|
||||
|
||||
- name: Run emergency ssh test
|
||||
if: inputs.test == 'emergency ssh'
|
||||
uses: ./.github/actions/e2e_emergency_ssh
|
||||
with:
|
||||
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
||||
|
2
.github/actions/e2e_verify/action.yml
vendored
2
.github/actions/e2e_verify/action.yml
vendored
@ -82,7 +82,7 @@ runs:
|
||||
|
||||
- name: Login to AWS
|
||||
if: github.ref_name == 'main'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
||||
aws-region: eu-central-1
|
||||
|
6
.github/actions/find_latest_image/action.yml
vendored
6
.github/actions/find_latest_image/action.yml
vendored
@ -26,19 +26,19 @@ runs:
|
||||
steps:
|
||||
- name: Checkout head
|
||||
if: inputs.imageVersion == '' && inputs.git-ref == 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Checkout ref
|
||||
if: inputs.imageVersion == '' && inputs.git-ref != 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.git-ref }}
|
||||
|
||||
- name: Login to AWS
|
||||
if: inputs.imageVersion == ''
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
|
||||
aws-region: eu-central-1
|
||||
|
2
.github/actions/login_azure/action.yml
vendored
2
.github/actions/login_azure/action.yml
vendored
@ -10,6 +10,6 @@ runs:
|
||||
# As described at:
|
||||
# https://github.com/Azure/login#configure-deployment-credentials
|
||||
- name: Login to Azure
|
||||
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
|
||||
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
|
||||
with:
|
||||
creds: ${{ inputs.azure_credentials }}
|
||||
|
6
.github/actions/login_gcp/action.yml
vendored
6
.github/actions/login_gcp/action.yml
vendored
@ -20,11 +20,11 @@ runs:
|
||||
echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Authorize GCP access
|
||||
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
|
||||
uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
|
||||
with:
|
||||
workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
|
||||
workload_identity_provider: projects/1052692473304/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
|
||||
service_account: ${{ inputs.service_account }}
|
||||
|
||||
# Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
|
||||
- name: Set up Cloud SDK
|
||||
uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
|
||||
uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
|
||||
|
16
.github/actions/login_stackit/action.yml
vendored
Normal file
16
.github/actions/login_stackit/action.yml
vendored
Normal file
@ -0,0 +1,16 @@
|
||||
name: STACKIT login
|
||||
description: "Login to STACKIT"
|
||||
inputs:
|
||||
serviceAccountToken:
|
||||
description: "Credentials authorized to create Constellation on STACKIT."
|
||||
required: true
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Login to STACKIT
|
||||
env:
|
||||
UAT: ${{ inputs.serviceAccountToken }}
|
||||
shell: bash
|
||||
run: |
|
||||
mkdir -p ~/.stackit
|
||||
echo "${UAT}" > ~/.stackit/credentials.json
|
19
.github/actions/notify_stackit/action.yml
vendored
Normal file
19
.github/actions/notify_stackit/action.yml
vendored
Normal file
@ -0,0 +1,19 @@
|
||||
name: Notify STACKIT
|
||||
description: "Notify STACKIT about test failure"
|
||||
inputs:
|
||||
slackToken:
|
||||
description: "Slack access token."
|
||||
required: true
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Notify STACKIT
|
||||
env:
|
||||
SLACK_TOKEN: ${{ inputs.slackToken }}
|
||||
shell: bash
|
||||
run: |
|
||||
curl -X POST \
|
||||
-H "Authorization: Bearer $SLACK_TOKEN" \
|
||||
-H "Content-type: application/json; charset=utf-8" \
|
||||
-d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \
|
||||
https://slack.com/api/chat.postMessage
|
4
.github/actions/publish_helmchart/action.yml
vendored
4
.github/actions/publish_helmchart/action.yml
vendored
@ -13,7 +13,7 @@ runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
repository: edgelesssys/helm
|
||||
ref: main
|
||||
@ -29,7 +29,7 @@ runs:
|
||||
echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
|
||||
|
||||
- name: Create pull request
|
||||
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
|
||||
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
|
||||
with:
|
||||
path: helm
|
||||
branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"
|
||||
|
2
.github/actions/select_image/action.yml
vendored
2
.github/actions/select_image/action.yml
vendored
@ -18,7 +18,7 @@ runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
|
||||
aws-region: eu-central-1
|
||||
|
5
.github/actions/setup_bazel_nix/action.yml
vendored
5
.github/actions/setup_bazel_nix/action.yml
vendored
@ -75,6 +75,7 @@ runs:
|
||||
echo "$RUNNER_ARCH not supported"
|
||||
exit 1
|
||||
fi
|
||||
echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Install current Bash on macOS
|
||||
@ -114,6 +115,8 @@ runs:
|
||||
- name: Install nix
|
||||
if: steps.check_inputs.outputs.nixPreinstalled == 'false'
|
||||
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
|
||||
with:
|
||||
install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"
|
||||
|
||||
- name: Set $USER if not set
|
||||
shell: bash
|
||||
@ -218,7 +221,7 @@ runs:
|
||||
{ tools, repository, rev }:
|
||||
let
|
||||
repoFlake = builtins.getFlake ("github:" + repository + "/" + rev);
|
||||
nixpkgs = repoFlake.inputs.nixpkgsUnstable;
|
||||
nixpkgs = repoFlake.inputs.nixpkgs;
|
||||
pkgs = import nixpkgs { system = builtins.currentSystem; };
|
||||
toolPkgs = map (p: pkgs.${p}) tools;
|
||||
in
|
||||
|
15
.github/actions/terraform_apply/action.yml
vendored
15
.github/actions/terraform_apply/action.yml
vendored
@ -29,6 +29,9 @@ runs:
|
||||
"gcpSEVSNP")
|
||||
attestationVariant="gcp-sev-snp"
|
||||
;;
|
||||
"qemuVTPM")
|
||||
attestationVariant="qemu-vtpm"
|
||||
;;
|
||||
*)
|
||||
echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
|
||||
exit 1
|
||||
@ -44,7 +47,7 @@ runs:
|
||||
}
|
||||
random = {
|
||||
source = "hashicorp/random"
|
||||
version = "3.6.2"
|
||||
version = "3.7.1"
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -106,6 +109,16 @@ runs:
|
||||
project_id = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
|
||||
service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
|
||||
}
|
||||
openstack = {
|
||||
cloud = "stackit"
|
||||
clouds_yaml_path = "~/.config/openstack/clouds.yaml"
|
||||
floating_ip_pool_id = "970ace5c-458f-484a-a660-0903bcfd91ad"
|
||||
deploy_yawol_load_balancer = true
|
||||
yawol_image_id = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be"
|
||||
yawol_flavor_id = "3b11b27e-6c73-470d-b595-1d85b95a8cdf"
|
||||
network_id = "$(yq '.infrastructure.networkID' constellation-state.yaml)"
|
||||
subnet_id = "$(yq '.infrastructure.subnetID' constellation-state.yaml)"
|
||||
}
|
||||
network_config = {
|
||||
ip_cidr_node = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
|
||||
ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"
|
||||
|
@ -15,7 +15,7 @@ runs:
|
||||
zip -r terraform-module.zip terraform-module
|
||||
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: terraform-module
|
||||
path: terraform-module.zip
|
||||
|
2
.github/workflows/assign_reviewer.yml
vendored
2
.github/workflows/assign_reviewer.yml
vendored
@ -18,7 +18,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
if: contains(github.event.pull_request.labels.*.name, 'dependencies') && toJson(github.event.pull_request.requested_reviewers) == '[]' && github.event.pull_request.user.login == 'renovate[bot]'
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Pick assignee
|
||||
id: pick-assignee
|
||||
uses: ./.github/actions/pick_assignee
|
||||
|
@ -11,7 +11,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
path: constellation
|
||||
@ -21,7 +21,7 @@ jobs:
|
||||
|
||||
- name: Download Firmware release
|
||||
id: download-firmware
|
||||
uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
|
||||
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
|
||||
with:
|
||||
repository: aws/uefi
|
||||
latest: true
|
||||
@ -44,7 +44,7 @@ jobs:
|
||||
echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
|
||||
popd || exit 1
|
||||
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
repository: virtee/sev-snp-measure-go.git
|
||||
ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8
|
||||
|
2
.github/workflows/build-binaries.yml
vendored
2
.github/workflows/build-binaries.yml
vendored
@ -22,7 +22,7 @@ jobs:
|
||||
runs-on: [arc-runner-set]
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
|
18
.github/workflows/build-ccm-gcp.yml
vendored
18
.github/workflows/build-ccm-gcp.yml
vendored
@ -19,24 +19,24 @@ jobs:
|
||||
latest: ${{ steps.find-latest.outputs.latest }}
|
||||
steps:
|
||||
- name: Checkout Constellation
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Checkout kubernetes/cloud-provider-gcp
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
repository: "kubernetes/cloud-provider-gcp"
|
||||
path: "cloud-provider-gcp"
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
||||
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
|
||||
with:
|
||||
go-version: "1.23.2"
|
||||
go-version: "1.24.1"
|
||||
cache: false
|
||||
|
||||
- name: Install Crane
|
||||
run: |
|
||||
go install github.com/google/go-containerregistry/cmd/crane@latest
|
||||
go install github.com/google/go-containerregistry/cmd/crane@c195f151efe3369874c72662cd69ad43ee485128 # v0.20.2
|
||||
|
||||
- name: Find versions
|
||||
id: find-versions
|
||||
@ -65,10 +65,10 @@ jobs:
|
||||
version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
|
||||
steps:
|
||||
- name: Checkout Constellation
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Checkout kubernetes/cloud-provider-gcp
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
repository: "kubernetes/cloud-provider-gcp"
|
||||
path: "cloud-provider-gcp"
|
||||
@ -76,7 +76,7 @@ jobs:
|
||||
|
||||
- name: Docker meta
|
||||
id: meta
|
||||
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
|
||||
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
|
||||
with:
|
||||
images: |
|
||||
ghcr.io/edgelesssys/cloud-provider-gcp
|
||||
@ -113,7 +113,7 @@ jobs:
|
||||
|
||||
- name: Build and push container image
|
||||
id: build
|
||||
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
|
||||
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
|
||||
with:
|
||||
context: ./cloud-provider-gcp
|
||||
push: ${{ github.ref_name == 'main' }}
|
||||
|
8
.github/workflows/build-gcp-guest-agent.yml
vendored
8
.github/workflows/build-gcp-guest-agent.yml
vendored
@ -69,7 +69,7 @@ jobs:
|
||||
|
||||
- name: Checkout GoogleCloudPlatform/guest-agent
|
||||
if: steps.needs-build.outputs.out == 'true'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
repository: "GoogleCloudPlatform/guest-agent"
|
||||
ref: refs/tags/${{ steps.latest-release.outputs.latest }}
|
||||
@ -77,7 +77,7 @@ jobs:
|
||||
|
||||
- name: Checkout Constellation
|
||||
if: steps.needs-build.outputs.out == 'true'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
path: "constellation"
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
@ -85,7 +85,7 @@ jobs:
|
||||
- name: Docker meta
|
||||
id: meta
|
||||
if: steps.needs-build.outputs.out == 'true'
|
||||
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
|
||||
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
|
||||
with:
|
||||
images: |
|
||||
${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
|
||||
@ -114,7 +114,7 @@ jobs:
|
||||
- name: Build and push container image
|
||||
if: steps.needs-build.outputs.out == 'true'
|
||||
id: build
|
||||
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
|
||||
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
|
||||
with:
|
||||
context: ./guest-agent
|
||||
file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile
|
||||
|
@ -19,7 +19,7 @@ jobs:
|
||||
packages: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Setup bazel
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
|
@ -20,7 +20,7 @@ jobs:
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
|
10
.github/workflows/build-os-image-scheduled.yml
vendored
10
.github/workflows/build-os-image-scheduled.yml
vendored
@ -59,15 +59,15 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
token: ${{ secrets.CI_COMMIT_PUSH_PR }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
||||
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
|
||||
with:
|
||||
go-version: "1.23.2"
|
||||
go-version: "1.24.1"
|
||||
cache: false
|
||||
|
||||
- name: Determine version
|
||||
@ -97,7 +97,7 @@ jobs:
|
||||
run: rm -f internal/attestation/measurements/measurement-generator/generate
|
||||
|
||||
- name: Create pull request
|
||||
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
|
||||
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
|
||||
with:
|
||||
branch: "image/automated/update-measurements-${{ github.run_number }}"
|
||||
base: main
|
||||
@ -120,7 +120,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
|
12
.github/workflows/build-os-image.yml
vendored
12
.github/workflows/build-os-image.yml
vendored
@ -59,7 +59,7 @@ jobs:
|
||||
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -138,7 +138,7 @@ jobs:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -147,7 +147,7 @@ jobs:
|
||||
useCache: "false"
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
||||
aws-region: eu-central-1
|
||||
@ -167,6 +167,12 @@ jobs:
|
||||
with:
|
||||
clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}
|
||||
|
||||
- name: Allow unrestricted user namespaces
|
||||
shell: bash
|
||||
run: |
|
||||
sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
|
||||
sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
|
||||
|
||||
- name: Build and upload
|
||||
id: build
|
||||
shell: bash
|
||||
|
4
.github/workflows/check-links.yml
vendored
4
.github/workflows/check-links.yml
vendored
@ -20,12 +20,12 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Link Checker
|
||||
uses: lycheeverse/lychee-action@7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67 # v2.0.0
|
||||
uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0
|
||||
with:
|
||||
args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
|
||||
fail: true
|
||||
|
25
.github/workflows/check-measurements-reproducibility.yml
vendored
Normal file
25
.github/workflows/check-measurements-reproducibility.yml
vendored
Normal file
@ -0,0 +1,25 @@
|
||||
name: Check measurements reproducibility
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
version:
|
||||
type: string
|
||||
description: The version of the measurements that are downloaded from the CDN.
|
||||
required: true
|
||||
ref:
|
||||
type: string
|
||||
description: The git ref to check out. You probably want this to be the tag of the release you are testing.
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
check-reproducibility:
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Check reproducibility
|
||||
uses: ./.github/actions/check_measurements_reproducibility
|
||||
with:
|
||||
version: ${{ github.event.inputs.version }}
|
||||
ref: ${{ github.event.inputs.ref }}
|
10
.github/workflows/codeql.yml
vendored
10
.github/workflows/codeql.yml
vendored
@ -34,17 +34,17 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Setup Go environment
|
||||
if: matrix.language == 'go'
|
||||
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
||||
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
|
||||
with:
|
||||
go-version: "1.23.2"
|
||||
go-version: "1.24.1"
|
||||
cache: false
|
||||
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
|
||||
uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
|
||||
@ -63,6 +63,6 @@ jobs:
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
|
||||
uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
|
||||
with:
|
||||
category: "/language:${{ matrix.language }}"
|
||||
|
5
.github/workflows/docs-vale.yml
vendored
5
.github/workflows/docs-vale.yml
vendored
@ -16,7 +16,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
# Work around https://github.com/errata-ai/vale-action/issues/128.
|
||||
@ -25,7 +25,8 @@ jobs:
|
||||
python3 -m venv "$venv"
|
||||
echo "$venv/bin" >> "$GITHUB_PATH"
|
||||
- name: Vale
|
||||
uses: errata-ai/vale-action@91ac403e8d26f5aa1b3feaa86ca63065936a85b6 # tag=reviewdog
|
||||
uses: errata-ai/vale-action@2690bc95f0ed3cb5220492575af09c51b04fbea9 # tag=reviewdog
|
||||
with:
|
||||
files: docs/docs
|
||||
fail_on_error: true
|
||||
version: 3.9.3
|
||||
|
58
.github/workflows/draft-release.yml
vendored
58
.github/workflows/draft-release.yml
vendored
@ -72,7 +72,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -92,8 +92,8 @@ jobs:
|
||||
cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
||||
|
||||
- name: Upload CLI as artifact (unix)
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
if : ${{ matrix.os != 'windows' }}
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
if: ${{ matrix.os != 'windows' }}
|
||||
with:
|
||||
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
|
||||
path: |
|
||||
@ -101,8 +101,8 @@ jobs:
|
||||
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
|
||||
|
||||
- name: Upload CLI as artifact (windows)
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
if : ${{ matrix.os == 'windows' }}
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
if: ${{ matrix.os == 'windows' }}
|
||||
with:
|
||||
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
|
||||
path: |
|
||||
@ -133,7 +133,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -149,16 +149,16 @@ jobs:
|
||||
targetArch: ${{ matrix.arch }}
|
||||
|
||||
- name: Upload Terraform Provider Binary as artifact (unix)
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
if : ${{ matrix.os != 'windows' }}
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
if: ${{ matrix.os != 'windows' }}
|
||||
with:
|
||||
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
|
||||
path: |
|
||||
build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
|
||||
|
||||
- name: Upload Terraform Provider Binary as artifact (windows)
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
if : ${{ matrix.os == 'windows' }}
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
if: ${{ matrix.os == 'windows' }}
|
||||
with:
|
||||
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
|
||||
path: |
|
||||
@ -169,7 +169,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -187,7 +187,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -219,7 +219,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -227,7 +227,7 @@ jobs:
|
||||
uses: ./.github/actions/download_release_binaries
|
||||
|
||||
- name: Download CLI SBOM
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
|
||||
@ -256,12 +256,12 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
|
||||
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
|
||||
|
||||
- name: Download Syft & Grype
|
||||
uses: ./.github/actions/install_syft_grype
|
||||
@ -296,13 +296,13 @@ jobs:
|
||||
COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
||||
|
||||
- name: Upload Constellation CLI SBOM
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
path: constellation.spdx.sbom
|
||||
|
||||
- name: Upload Constellation CLI SBOM's signature
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: constellation.spdx.sbom.sig
|
||||
path: constellation.spdx.sbom.sig
|
||||
@ -316,14 +316,14 @@ jobs:
|
||||
- provenance-subjects
|
||||
# This must not be pinned to digest. See:
|
||||
# https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
|
||||
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
|
||||
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
|
||||
with:
|
||||
base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
|
||||
|
||||
provenance-verify:
|
||||
runs-on: ubuntu-24.04
|
||||
env:
|
||||
SLSA_VERIFIER_VERSION: "2.5.1"
|
||||
SLSA_VERIFIER_VERSION: "2.7.0"
|
||||
needs:
|
||||
- build-cli
|
||||
- provenance
|
||||
@ -332,7 +332,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -340,12 +340,12 @@ jobs:
|
||||
uses: ./.github/actions/download_release_binaries
|
||||
|
||||
- name: Download CLI SBOM
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
|
||||
- name: Download provenance
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||
|
||||
@ -405,7 +405,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -418,17 +418,17 @@ jobs:
|
||||
uses: ./.github/actions/download_release_binaries
|
||||
|
||||
- name: Download CLI SBOM
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
|
||||
- name: Download Constellation CLI SBOM's signature
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation.spdx.sbom.sig
|
||||
|
||||
- name: Download Constellation provenance
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||
|
||||
@ -472,7 +472,7 @@ jobs:
|
||||
- name: Create release with artifacts
|
||||
id: create-release
|
||||
# GitHub endorsed release project. See: https://github.com/actions/create-release
|
||||
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
|
||||
uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
|
||||
with:
|
||||
draft: true
|
||||
generate_release_notes: true
|
||||
@ -487,7 +487,7 @@ jobs:
|
||||
terraform-module.zip
|
||||
|
||||
- name: Create Terraform provider release with artifcats
|
||||
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
|
||||
uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
|
||||
with:
|
||||
draft: true
|
||||
generate_release_notes: false
|
||||
|
@ -26,7 +26,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
# Don't trigger in forks, use head on pull requests, use default otherwise.
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}
|
||||
|
6
.github/workflows/e2e-cleanup-weekly.yml
vendored
6
.github/workflows/e2e-cleanup-weekly.yml
vendored
@ -4,7 +4,7 @@ on:
|
||||
schedule:
|
||||
- cron: "0 0 * * 0" # At 00:00 every Sunday UTC
|
||||
workflow_dispatch:
|
||||
|
||||
|
||||
|
||||
jobs:
|
||||
cleanup:
|
||||
@ -14,7 +14,7 @@ jobs:
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Cleanup
|
||||
uses: ./.github/actions/e2e_cleanup_timeframe
|
||||
@ -22,3 +22,5 @@ jobs:
|
||||
ghToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
azure_credentials: ${{ secrets.AZURE_E2E_DESTROY_CREDENTIALS }}
|
||||
openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
|
||||
stackitUat: ${{ secrets.STACKIT_CI_UAT }}
|
||||
|
4
.github/workflows/e2e-mini.yml
vendored
4
.github/workflows/e2e-mini.yml
vendored
@ -29,12 +29,12 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}
|
||||
|
||||
- name: Azure login OIDC
|
||||
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
|
||||
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
|
10
.github/workflows/e2e-test-daily.yml
vendored
10
.github/workflows/e2e-test-daily.yml
vendored
@ -21,7 +21,7 @@ jobs:
|
||||
image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
@ -45,7 +45,7 @@ jobs:
|
||||
fail-fast: false
|
||||
max-parallel: 5
|
||||
matrix:
|
||||
kubernetesVersion: ["1.28"] # should be default
|
||||
kubernetesVersion: ["1.30"] # This should correspond to the current default k8s minor.
|
||||
attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
|
||||
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
|
||||
test: ["sonobuoy quick"]
|
||||
@ -59,7 +59,7 @@ jobs:
|
||||
needs: [find-latest-image]
|
||||
steps:
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
@ -159,12 +159,12 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Azure login OIDC
|
||||
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
|
||||
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
|
3
.github/workflows/e2e-test-internal-lb.yml
vendored
3
.github/workflows/e2e-test-internal-lb.yml
vendored
@ -23,7 +23,7 @@ on:
|
||||
type: choice
|
||||
options:
|
||||
- "ubuntu-24.04"
|
||||
- "macos-12"
|
||||
- "macos-latest"
|
||||
default: "ubuntu-24.04"
|
||||
test:
|
||||
description: "The test to run."
|
||||
@ -41,7 +41,6 @@ on:
|
||||
required: true
|
||||
kubernetesVersion:
|
||||
description: "Kubernetes version to create the cluster from."
|
||||
default: "1.28"
|
||||
required: true
|
||||
cliVersion:
|
||||
description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
|
||||
|
@ -23,7 +23,7 @@ on:
|
||||
type: choice
|
||||
options:
|
||||
- "ubuntu-24.04"
|
||||
- "macos-12"
|
||||
- "macos-latest"
|
||||
default: "ubuntu-24.04"
|
||||
test:
|
||||
description: "The test to run."
|
||||
@ -41,7 +41,6 @@ on:
|
||||
required: true
|
||||
kubernetesVersion:
|
||||
description: "Kubernetes version to create the cluster from."
|
||||
default: "1.28"
|
||||
required: true
|
||||
cliVersion:
|
||||
description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
|
||||
|
20
.github/workflows/e2e-test-provider-example.yml
vendored
20
.github/workflows/e2e-test-provider-example.yml
vendored
@ -71,7 +71,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
@ -154,7 +154,7 @@ jobs:
|
||||
|
||||
- name: Login to AWS (IAM + Cluster role)
|
||||
if: steps.determine.outputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
|
||||
aws-region: eu-central-1
|
||||
@ -337,12 +337,12 @@ jobs:
|
||||
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
|
||||
terraform init
|
||||
if [[ "${{ inputs.attestationVariant }}" == "azure-sev-snp" ]]; then
|
||||
terraform apply -target module.azure_iam -auto-approve
|
||||
terraform apply -target module.azure_infrastructure -auto-approve
|
||||
timeout 1h terraform apply -target module.azure_iam -auto-approve
|
||||
timeout 1h terraform apply -target module.azure_infrastructure -auto-approve
|
||||
${{ github.workspace }}/build/constellation maa-patch "$(terraform output -raw maa_url)"
|
||||
terraform apply -target constellation_cluster.azure_example -auto-approve
|
||||
timeout 1h terraform apply -target constellation_cluster.azure_example -auto-approve
|
||||
else
|
||||
terraform apply -auto-approve
|
||||
timeout 1h terraform apply -auto-approve
|
||||
fi
|
||||
|
||||
- name: Cleanup Terraform Cluster on failure
|
||||
@ -353,7 +353,7 @@ jobs:
|
||||
shell: bash
|
||||
run: |
|
||||
terraform init
|
||||
terraform destroy -auto-approve
|
||||
terraform destroy -auto-approve -lock=false
|
||||
|
||||
- name: Add Provider to local Terraform registry # needed if release version was used before
|
||||
if: inputs.providerVersion != ''
|
||||
@ -407,7 +407,7 @@ jobs:
|
||||
shell: bash
|
||||
run: |
|
||||
terraform init --upgrade
|
||||
terraform apply -auto-approve
|
||||
timeout 1h terraform apply -auto-approve
|
||||
|
||||
- name: Assert upgrade successful
|
||||
working-directory: ${{ github.workspace }}/cluster
|
||||
@ -475,11 +475,11 @@ jobs:
|
||||
shell: bash
|
||||
run: |
|
||||
terraform init
|
||||
terraform destroy -auto-approve
|
||||
terraform destroy -auto-approve -lock=false
|
||||
|
||||
- name: Notify about failure
|
||||
if: |
|
||||
failure() &&
|
||||
(failure() || cancelled()) &&
|
||||
github.ref == 'refs/heads/main' &&
|
||||
github.event_name == 'schedule'
|
||||
continue-on-error: true
|
||||
|
30
.github/workflows/e2e-test-release.yml
vendored
30
.github/workflows/e2e-test-release.yml
vendored
@ -73,53 +73,53 @@ jobs:
|
||||
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "gcp-sev-es"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "gcp-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "azure-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "azure-tdx"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "aws-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "gcp-sev-es"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "gcp-sev-snp"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "azure-sev-snp"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "azure-tdx"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy full"
|
||||
attestationVariant: "aws-sev-snp"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
runner: "ubuntu-24.04"
|
||||
clusterCreation: "cli"
|
||||
|
||||
@ -306,11 +306,11 @@ jobs:
|
||||
# - test: "verify"
|
||||
# attestationVariant: "azure-sev-snp"
|
||||
# kubernetes-version: "v1.30"
|
||||
# runner: "macos-12"
|
||||
# runner: "macos-latest"
|
||||
- test: "recover"
|
||||
attestationVariant: "gcp-sev-es"
|
||||
kubernetes-version: "v1.30"
|
||||
runner: "macos-12"
|
||||
runner: "macos-latest"
|
||||
clusterCreation: "cli"
|
||||
runs-on: ${{ matrix.runner }}
|
||||
permissions:
|
||||
@ -326,7 +326,7 @@ jobs:
|
||||
run: brew install coreutils kubectl bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
@ -342,7 +342,7 @@ jobs:
|
||||
|
||||
- name: Set up gcloud CLI (macOS)
|
||||
if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
|
||||
uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
|
||||
uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
|
||||
|
||||
- name: Run E2E test
|
||||
id: e2e_test
|
||||
@ -409,7 +409,7 @@ jobs:
|
||||
fail-fast: false
|
||||
max-parallel: 1
|
||||
matrix:
|
||||
fromVersion: ["v2.18.0"]
|
||||
fromVersion: ["v2.22.0"]
|
||||
attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
|
||||
name: Run upgrade tests
|
||||
secrets: inherit
|
||||
|
153
.github/workflows/e2e-test-stackit.yml
vendored
Normal file
153
.github/workflows/e2e-test-stackit.yml
vendored
Normal file
@ -0,0 +1,153 @@
|
||||
name: e2e test STACKIT
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
- cron: "0 0 * * *" # Every day at midnight.
|
||||
|
||||
jobs:
|
||||
find-latest-image:
|
||||
name: Find latest image
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: read
|
||||
outputs:
|
||||
image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Select relevant image
|
||||
id: select-image-action
|
||||
uses: ./.github/actions/select_image
|
||||
with:
|
||||
osImage: "ref/release/stream/stable/?"
|
||||
|
||||
- name: Relabel output
|
||||
id: relabel-output
|
||||
shell: bash
|
||||
run: |
|
||||
ref=$(echo 'ref/release/stream/stable/?' | cut -d/ -f2)
|
||||
stream=$(echo 'ref/release/stream/stable/?' | cut -d/ -f4)
|
||||
|
||||
echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT"
|
||||
|
||||
e2e-stackit:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
max-parallel: 6
|
||||
matrix:
|
||||
kubernetesVersion: [ "1.29", "1.30", "1.31" ]
|
||||
clusterCreation: [ "cli", "terraform" ]
|
||||
test: [ "sonobuoy quick" ]
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
id-token: write
|
||||
checks: write
|
||||
contents: read
|
||||
packages: write
|
||||
actions: write
|
||||
needs: [find-latest-image]
|
||||
steps:
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Setup bazel
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
with:
|
||||
nixTools: terraform
|
||||
|
||||
- name: Run E2E test
|
||||
id: e2e_test
|
||||
uses: ./.github/actions/e2e_test
|
||||
with:
|
||||
workerNodesCount: "1"
|
||||
controlNodesCount: "1"
|
||||
cloudProvider: stackit
|
||||
attestationVariant: qemu-vtpm
|
||||
osImage: ${{ needs.find-latest-image.outputs.image-release-stable }}
|
||||
isDebugImage: false
|
||||
cliVersion: ${{ needs.find-latest-image.outputs.image-release-stable || '' }}
|
||||
kubernetesVersion: ${{ matrix.kubernetesVersion }}
|
||||
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
|
||||
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
|
||||
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
|
||||
gcpProject: constellation-e2e
|
||||
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
|
||||
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
|
||||
test: ${{ matrix.test }}
|
||||
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
|
||||
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
|
||||
registry: ghcr.io
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
|
||||
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
||||
fetchMeasurements: false
|
||||
clusterCreation: ${{ matrix.clusterCreation }}
|
||||
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
|
||||
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
|
||||
stackitUat: ${{ secrets.STACKIT_CI_UAT }}
|
||||
stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
|
||||
|
||||
- name: Always terminate cluster
|
||||
if: always()
|
||||
uses: ./.github/actions/constellation_destroy
|
||||
with:
|
||||
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
|
||||
clusterCreation: ${{ matrix.clusterCreation }}
|
||||
cloudProvider: stackit
|
||||
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
|
||||
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
|
||||
|
||||
- name: Always delete IAM configuration
|
||||
if: always()
|
||||
uses: ./.github/actions/constellation_iam_destroy
|
||||
with:
|
||||
cloudProvider: stackit
|
||||
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
|
||||
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
|
||||
|
||||
- name: Update tfstate
|
||||
if: always()
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
uses: ./.github/actions/update_tfstate
|
||||
with:
|
||||
name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
|
||||
runID: ${{ github.run_id }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Notify about failure
|
||||
if: |
|
||||
failure() &&
|
||||
github.ref == 'refs/heads/main' &&
|
||||
github.event_name == 'schedule'
|
||||
continue-on-error: true
|
||||
uses: ./.github/actions/notify_e2e_failure
|
||||
with:
|
||||
projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
|
||||
refStream: "ref/release/stream/stable/?"
|
||||
test: ${{ matrix.test }}
|
||||
kubernetesVersion: ${{ matrix.kubernetesVersion }}
|
||||
provider: stackit
|
||||
attestationVariant: qemu-vtpm
|
||||
clusterCreation: ${{ matrix.clusterCreation }}
|
||||
|
||||
- name: Notify STACKIT
|
||||
if: |
|
||||
failure() &&
|
||||
github.ref == 'refs/heads/main' &&
|
||||
github.event_name == 'schedule'
|
||||
continue-on-error: true
|
||||
uses: ./.github/actions/notify_stackit
|
||||
with:
|
||||
slackToken: ${{ secrets.SLACK_TOKEN }}
|
@ -23,7 +23,7 @@ on:
|
||||
type: choice
|
||||
options:
|
||||
- "ubuntu-24.04"
|
||||
- "macos-12"
|
||||
- "macos-latest"
|
||||
default: "ubuntu-24.04"
|
||||
test:
|
||||
description: "The test to run."
|
||||
@ -41,7 +41,6 @@ on:
|
||||
required: true
|
||||
kubernetesVersion:
|
||||
description: "Kubernetes version to create the cluster from."
|
||||
default: "1.28"
|
||||
required: true
|
||||
releaseVersion:
|
||||
description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref."
|
||||
|
70
.github/workflows/e2e-test-weekly.yml
vendored
70
.github/workflows/e2e-test-weekly.yml
vendored
@ -10,7 +10,7 @@ jobs:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
|
||||
refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
|
||||
name: Find latest image
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
@ -22,7 +22,7 @@ jobs:
|
||||
image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
@ -51,6 +51,33 @@ jobs:
|
||||
# Tests on main-debug refStream
|
||||
#
|
||||
|
||||
# Emergency SSH test on latest k8s version
|
||||
- test: "emergency ssh"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "gcp-sev-es"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "emergency ssh"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "gcp-sev-snp"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "emergency ssh"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "azure-sev-snp"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "emergency ssh"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "azure-tdx"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "emergency ssh"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "aws-sev-snp"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
|
||||
# Sonobuoy full test on latest k8s version
|
||||
- test: "sonobuoy full"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
@ -89,56 +116,55 @@ jobs:
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "gcp-sev-es"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "gcp-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "azure-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "azure-tdx"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "aws-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "gcp-sev-es"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "gcp-sev-snp"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "azure-sev-snp"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "azure-tdx"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
clusterCreation: "cli"
|
||||
- test: "sonobuoy quick"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
attestationVariant: "aws-sev-snp"
|
||||
kubernetes-version: "v1.28"
|
||||
kubernetes-version: "v1.29"
|
||||
clusterCreation: "cli"
|
||||
|
||||
|
||||
# verify test on latest k8s version
|
||||
- test: "verify"
|
||||
refStream: "ref/main/stream/debug/?"
|
||||
@ -290,27 +316,27 @@ jobs:
|
||||
- test: "verify"
|
||||
refStream: "ref/release/stream/stable/?"
|
||||
attestationVariant: "gcp-sev-es"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "verify"
|
||||
refStream: "ref/release/stream/stable/?"
|
||||
attestationVariant: "gcp-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "verify"
|
||||
refStream: "ref/release/stream/stable/?"
|
||||
attestationVariant: "azure-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "verify"
|
||||
refStream: "ref/release/stream/stable/?"
|
||||
attestationVariant: "azure-tdx"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
- test: "verify"
|
||||
refStream: "ref/release/stream/stable/?"
|
||||
attestationVariant: "aws-sev-snp"
|
||||
kubernetes-version: "v1.29"
|
||||
kubernetes-version: "v1.30"
|
||||
clusterCreation: "cli"
|
||||
|
||||
runs-on: ubuntu-24.04
|
||||
@ -323,7 +349,7 @@ jobs:
|
||||
needs: [find-latest-image]
|
||||
steps:
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
@ -420,7 +446,7 @@ jobs:
|
||||
fail-fast: false
|
||||
max-parallel: 1
|
||||
matrix:
|
||||
fromVersion: ["v2.18.0"]
|
||||
fromVersion: ["v2.22.0"]
|
||||
attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
|
||||
name: Run upgrade tests
|
||||
secrets: inherit
|
||||
@ -448,12 +474,12 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Azure login OIDC
|
||||
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
|
||||
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
|
28
.github/workflows/e2e-test.yml
vendored
28
.github/workflows/e2e-test.yml
vendored
@ -16,6 +16,7 @@ on:
|
||||
- "azure-sev-snp"
|
||||
- "azure-tdx"
|
||||
- "aws-sev-snp"
|
||||
- "stackit-qemu-vtpm"
|
||||
default: "azure-sev-snp"
|
||||
required: true
|
||||
runner:
|
||||
@ -23,7 +24,7 @@ on:
|
||||
type: choice
|
||||
options:
|
||||
- "ubuntu-24.04"
|
||||
- "macos-12"
|
||||
- "macos-latest"
|
||||
default: "ubuntu-24.04"
|
||||
test:
|
||||
description: "The test to run. The conformance test is only supported for clusterCreation=cli."
|
||||
@ -39,11 +40,12 @@ on:
|
||||
- "recover"
|
||||
- "malicious join"
|
||||
- "s3proxy"
|
||||
- "emergency ssh"
|
||||
- "nop"
|
||||
required: true
|
||||
kubernetesVersion:
|
||||
description: "Kubernetes version to create the cluster from."
|
||||
default: "1.29"
|
||||
default: "1.30"
|
||||
required: true
|
||||
cliVersion:
|
||||
description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
|
||||
@ -137,6 +139,7 @@ jobs:
|
||||
workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
|
||||
controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
|
||||
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
|
||||
attestationVariant: ${{ steps.split-attestationVariant.outputs.attestationVariant }}
|
||||
steps:
|
||||
- name: Split nodeCount
|
||||
id: split-nodeCount
|
||||
@ -161,6 +164,12 @@ jobs:
|
||||
attestationVariant="${{ inputs.attestationVariant }}"
|
||||
cloudProvider="${attestationVariant%%-*}"
|
||||
|
||||
# special case for STACKIT, as there's no special attestation variant for it
|
||||
if [[ "${cloudProvider}" == "stackit" ]]; then
|
||||
attestationVariant="qemu-vtpm"
|
||||
fi
|
||||
|
||||
echo "attestationVariant=${attestationVariant}" | tee -a "$GITHUB_OUTPUT"
|
||||
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
|
||||
|
||||
find-latest-image:
|
||||
@ -175,13 +184,13 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout head
|
||||
if: inputs.git-ref == 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Checkout ref
|
||||
if: inputs.git-ref != 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.git-ref }}
|
||||
|
||||
@ -212,19 +221,19 @@ jobs:
|
||||
|
||||
- name: Checkout head
|
||||
if: inputs.git-ref == 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Checkout ref
|
||||
if: inputs.git-ref != 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ inputs.git-ref }}
|
||||
|
||||
- name: Set up gcloud CLI (macOS)
|
||||
if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'
|
||||
uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
|
||||
uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
|
||||
|
||||
- name: Run manual E2E test
|
||||
id: e2e_test
|
||||
@ -233,7 +242,7 @@ jobs:
|
||||
workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
|
||||
controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
|
||||
cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
|
||||
attestationVariant: ${{ inputs.attestationVariant }}
|
||||
attestationVariant: ${{ needs.generate-input-parameters.outputs.attestationVariant }}
|
||||
machineType: ${{ inputs.machineType }}
|
||||
regionZone: ${{ inputs.regionZone }}
|
||||
gcpProject: constellation-e2e
|
||||
@ -262,6 +271,9 @@ jobs:
|
||||
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
|
||||
force: ${{ inputs.force }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
|
||||
stackitUat: ${{ secrets.STACKIT_CI_UAT }}
|
||||
stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
|
||||
|
||||
- name: Always terminate cluster
|
||||
if: always()
|
||||
|
113
.github/workflows/e2e-upgrade.yml
vendored
113
.github/workflows/e2e-upgrade.yml
vendored
@ -132,57 +132,6 @@ jobs:
|
||||
|
||||
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
|
||||
|
||||
build-target-cli:
|
||||
name: Build upgrade target version CLI
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
id-token: write
|
||||
checks: write
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
if: inputs.gitRef == 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Checkout ref
|
||||
if: inputs.gitRef != 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ inputs.gitRef }}
|
||||
|
||||
- name: Setup Bazel & Nix
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
|
||||
- name: Log in to the Container registry
|
||||
uses: ./.github/actions/container_registry_login
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Simulate patch upgrade
|
||||
if: inputs.simulatedTargetVersion != ''
|
||||
run: |
|
||||
echo ${{ inputs.simulatedTargetVersion }} > version.txt
|
||||
|
||||
- name: Build CLI
|
||||
uses: ./.github/actions/build_cli
|
||||
with:
|
||||
enterpriseCLI: true
|
||||
outputPath: "build/constellation"
|
||||
push: true
|
||||
|
||||
- name: Upload CLI binary
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
with:
|
||||
name: constellation-upgrade-${{ inputs.attestationVariant }}
|
||||
path: build/constellation
|
||||
|
||||
create-cluster:
|
||||
name: Create upgrade origin version cluster
|
||||
runs-on: ubuntu-24.04
|
||||
@ -198,14 +147,14 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
if: inputs.gitRef == 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Checkout ref
|
||||
if: inputs.gitRef != 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ inputs.gitRef }}
|
||||
@ -279,19 +228,18 @@ jobs:
|
||||
packages: write
|
||||
needs:
|
||||
- generate-input-parameters
|
||||
- build-target-cli
|
||||
- create-cluster
|
||||
steps:
|
||||
- name: Checkout
|
||||
if: inputs.gitRef == 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Checkout ref
|
||||
if: inputs.gitRef != 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ inputs.gitRef }}
|
||||
@ -299,8 +247,34 @@ jobs:
|
||||
- name: Setup Bazel & Nix
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
|
||||
- name: Log in to the Container registry
|
||||
uses: ./.github/actions/container_registry_login
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# applying the version manipulation here so that the upgrade test tool is also on the simulated target version
|
||||
- name: Simulate patch upgrade
|
||||
if: inputs.simulatedTargetVersion != ''
|
||||
run: |
|
||||
echo ${{ inputs.simulatedTargetVersion }} > version.txt
|
||||
|
||||
- name: Build CLI
|
||||
uses: ./.github/actions/build_cli
|
||||
with:
|
||||
enterpriseCLI: true
|
||||
outputPath: "build/constellation"
|
||||
push: true
|
||||
|
||||
- name: Upload CLI binary # is needed for the cleanup step
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: constellation-upgrade-${{ inputs.attestationVariant }}
|
||||
path: build/constellation
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
|
||||
aws-region: eu-central-1
|
||||
@ -322,7 +296,7 @@ jobs:
|
||||
|
||||
- name: Login to AWS (IAM role)
|
||||
if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
|
||||
aws-region: eu-central-1
|
||||
@ -335,11 +309,6 @@ jobs:
|
||||
with:
|
||||
azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
|
||||
|
||||
- name: Download CLI
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
with:
|
||||
name: constellation-upgrade-${{ inputs.attestationVariant }}
|
||||
path: build
|
||||
|
||||
- name: Download Working Directory (Pre-test)
|
||||
uses: ./.github/actions/artifact_download
|
||||
@ -378,7 +347,7 @@ jobs:
|
||||
|
||||
- name: Login to AWS (Cluster role)
|
||||
if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
|
||||
aws-region: eu-central-1
|
||||
@ -404,15 +373,9 @@ jobs:
|
||||
echo "K8s target: $KUBERNETES"
|
||||
echo "Microservice target: $MICROSERVICES"
|
||||
|
||||
if [[ -n ${MICROSERVICES} ]]; then
|
||||
MICROSERVICES_FLAG="--target-microservices=$MICROSERVICES"
|
||||
fi
|
||||
if [[ -n ${KUBERNETES} ]]; then
|
||||
KUBERNETES_FLAG="--target-kubernetes=$KUBERNETES"
|
||||
fi
|
||||
|
||||
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
|
||||
bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"
|
||||
CLI=$(realpath ./build/constellation)
|
||||
bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" --target-kubernetes "$KUBERNETES" --target-microservices "$MICROSERVICES" --cli "$CLI"
|
||||
|
||||
- name: Remove Terraform plugin cache
|
||||
if: always()
|
||||
@ -448,20 +411,20 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
if: inputs.gitRef == 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Checkout ref
|
||||
if: inputs.gitRef != 'head'
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ inputs.gitRef }}
|
||||
|
||||
- name: Download CLI
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: constellation-upgrade-${{ inputs.attestationVariant }}
|
||||
path: build
|
||||
|
10
.github/workflows/e2e-windows.yml
vendored
10
.github/workflows/e2e-windows.yml
vendored
@ -21,7 +21,7 @@ jobs:
|
||||
packages: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
@ -45,7 +45,7 @@ jobs:
|
||||
push: true
|
||||
|
||||
- name: Upload CLI artifact
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
path: build/constellation.exe
|
||||
name: "constell-exe"
|
||||
@ -56,12 +56,12 @@ jobs:
|
||||
needs: build-cli
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Download CLI artifact
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
name: "constell-exe"
|
||||
|
||||
@ -186,7 +186,7 @@ jobs:
|
||||
inputs.scheduled
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
|
10
.github/workflows/on-release.yml
vendored
10
.github/workflows/on-release.yml
vendored
@ -26,7 +26,7 @@ jobs:
|
||||
WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0 # fetch all history
|
||||
|
||||
@ -49,7 +49,7 @@ jobs:
|
||||
latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Override latest
|
||||
if: github.event.inputs.latest == 'true'
|
||||
@ -123,7 +123,7 @@ jobs:
|
||||
contents: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Remove temporary branch
|
||||
run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
|
||||
@ -137,12 +137,12 @@ jobs:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- uses: ./.github/actions/setup_bazel_nix
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
||||
aws-region: eu-central-1
|
||||
|
4
.github/workflows/purge-main.yml
vendored
4
.github/workflows/purge-main.yml
vendored
@ -18,12 +18,12 @@ jobs:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
|
||||
aws-region: eu-central-1
|
||||
|
79
.github/workflows/release-publish.yml
vendored
Normal file
79
.github/workflows/release-publish.yml
vendored
Normal file
@ -0,0 +1,79 @@
|
||||
name: 'Release: on-publish'
|
||||
|
||||
on:
|
||||
release:
|
||||
types:
|
||||
- published
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
tag:
|
||||
description: 'Semantic version tag of the release (vX.Y.Z).'
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
post-release-actions:
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
issues: write
|
||||
env:
|
||||
FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
steps:
|
||||
- name: Mark milestone as complete
|
||||
run: |
|
||||
milestones=$(gh api \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
/repos/edgelesssys/constellation/milestones)
|
||||
|
||||
current_milestone=$(echo "${milestones}" | jq -r ".[] | select(.title == \"${FULL_VERSION}\")")
|
||||
echo "current milestone: ${current_milestone}"
|
||||
if [[ -z "${current_milestone}" ]]; then
|
||||
echo "milestone ${FULL_VERSION} does not exist, nothing to do..."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
current_milestone_state=$(echo "${current_milestone}" | jq -r '.state')
|
||||
echo "current milestone state: ${current_milestone_state}"
|
||||
if [[ "${current_milestone_state}" != "open" ]]; then
|
||||
echo "milestone ${FULL_VERSION} is already closed, nothing to do..."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
milestone_number=$(echo "${current_milestone}" | jq -r '.number')
|
||||
echo "milestone number: ${milestone_number}"
|
||||
if [[ -z "${milestone_number}" ]]; then
|
||||
echo "failed parsing milestone number"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
gh api \
|
||||
--method PATCH \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
"/repos/edgelesssys/constellation/milestones/${milestone_number}" \
|
||||
-f state=closed
|
||||
|
||||
- name: Create next milestone
|
||||
run: |
|
||||
WITHOUT_V=${FULL_VERSION#v}
|
||||
PART_MAJOR=${WITHOUT_V%%.*}
|
||||
PART_MINOR=${WITHOUT_V#*.}
|
||||
PART_MINOR=${PART_MINOR%%.*}
|
||||
NEXT_MINOR=v${PART_MAJOR}.$((PART_MINOR + 1)).0
|
||||
|
||||
gh api \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
/repos/edgelesssys/constellation/milestones |
|
||||
jq -r '.[].title' | \
|
||||
grep -xqF "${NEXT_MINOR}" && exit 0
|
||||
|
||||
gh api \
|
||||
--method POST \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
/repos/edgelesssys/constellation/milestones \
|
||||
-f title="${NEXT_MINOR}" \
|
||||
-f state='open' \
|
||||
-f "due_on=$(date -d '2 months' +'%Y-%m-%dT00:00:00Z')"
|
65
.github/workflows/release.yml
vendored
65
.github/workflows/release.yml
vendored
@ -33,7 +33,7 @@ jobs:
|
||||
RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
|
||||
WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Working branch
|
||||
run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
|
||||
@ -72,10 +72,9 @@ jobs:
|
||||
echo "WORKING_BRANCH=${WORKING_BRANCH}"
|
||||
} | tee -a "$GITHUB_OUTPUT"
|
||||
|
||||
docs:
|
||||
name: Create docs release (from main)
|
||||
update-main-branch:
|
||||
name: Update main branch with release changes
|
||||
runs-on: ubuntu-24.04
|
||||
if: inputs.kind == 'minor'
|
||||
needs: verify-inputs
|
||||
permissions:
|
||||
contents: write
|
||||
@ -85,30 +84,55 @@ jobs:
|
||||
MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
|
||||
BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: main
|
||||
|
||||
- name: Configure git
|
||||
run: |
|
||||
git config --global user.name "edgelessci"
|
||||
git config --global user.email "edgelessci@users.noreply.github.com"
|
||||
|
||||
- name: Create docs release
|
||||
if: inputs.kind == 'minor'
|
||||
working-directory: docs
|
||||
run: |
|
||||
npm install
|
||||
npm ci
|
||||
npm run docusaurus docs:version "${MAJOR_MINOR}"
|
||||
git add .
|
||||
git commit -am "docs: release ${MAJOR_MINOR}"
|
||||
# Clean up auxiliary files, so next steps run on a clean tree
|
||||
git clean -fdx :/
|
||||
|
||||
- name: Update version.txt
|
||||
if: inputs.kind == 'minor'
|
||||
run: |
|
||||
pre_release_version="v${{ needs.verify-inputs.outputs.PART_MAJOR }}.$((${{ needs.verify-inputs.outputs.PART_MINOR }} + 1)).0-pre"
|
||||
echo "${pre_release_version}" > version.txt
|
||||
git add version.txt
|
||||
git commit -m "chore: update version.txt to ${pre_release_version}"
|
||||
|
||||
- name: Update CI for new version
|
||||
run: |
|
||||
sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-release.yml
|
||||
sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml
|
||||
|
||||
- name: Create docs pull request
|
||||
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
|
||||
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
|
||||
with:
|
||||
branch: ${{ env.BRANCH }}
|
||||
base: main
|
||||
title: "docs: add release ${{ env.VERSION }}"
|
||||
title: "Post ${{ env.VERSION }} release updates to main"
|
||||
body: |
|
||||
:robot: *This is an automated PR.* :robot:
|
||||
|
||||
The PR is triggered as part of the automated release process of version ${{ env.VERSION }}.
|
||||
It releases a new version of the documentation.
|
||||
commit-message: "docs: add release ${{ env.VERSION }}"
|
||||
commit-message: "chore: update CI for ${{ env.VERSION }}"
|
||||
committer: edgelessci <edgelessci@users.noreply.github.com>
|
||||
author: edgelessci <edgelessci@users.noreply.github.com>
|
||||
labels: no changelog
|
||||
assignees: ${{ github.actor }}
|
||||
reviewers: ${{ github.actor }}
|
||||
# We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
|
||||
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
|
||||
|
||||
@ -123,7 +147,7 @@ jobs:
|
||||
WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
||||
|
||||
@ -161,7 +185,7 @@ jobs:
|
||||
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
||||
|
||||
@ -215,6 +239,17 @@ jobs:
|
||||
stream: "stable"
|
||||
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
||||
|
||||
check-measurements-reproducibility:
|
||||
name: Check measurements reproducibility
|
||||
needs: [verify-inputs, os-image]
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Check reproducibility
|
||||
uses: ./.github/actions/check_measurements_reproducibility
|
||||
with:
|
||||
version: ${{ inputs.version }}
|
||||
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
||||
|
||||
update-hardcoded-measurements:
|
||||
name: Update hardcoded measurements (in the CLI)
|
||||
needs: [verify-inputs, os-image]
|
||||
@ -226,14 +261,14 @@ jobs:
|
||||
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
||||
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
|
||||
with:
|
||||
go-version: "1.23.2"
|
||||
go-version: "1.24.1"
|
||||
cache: true
|
||||
|
||||
- name: Build generateMeasurements tool
|
||||
|
74
.github/workflows/reproducible-builds.yml
vendored
74
.github/workflows/reproducible-builds.yml
vendored
@ -1,8 +1,9 @@
|
||||
# Verify that Constellation builds are reproducible.
|
||||
#
|
||||
# The build-* jobs' matrix has two dimensions: a list of targets to build and
|
||||
# a list of runners to build on. The produced binaries and OS images are
|
||||
# expected to be bit-for-bit identical, regardless of the chosen build runner.
|
||||
# The build-* jobs' matrix has three dimensions: a list of targets to build, a
|
||||
# list of runners to build on and a method of installing dependencies. The
|
||||
# produced binaries and OS images are expected to be bit-for-bit identical,
|
||||
# without any dependencies on the runtime setup details.
|
||||
#
|
||||
# The compare-* jobs only have the target dimension. They obtain the built
|
||||
# targets from all runners and check that there are no diffs between them.
|
||||
@ -12,6 +13,9 @@ on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
- cron: "45 06 * * 1" # Every Monday at 6:45am
|
||||
pull_request:
|
||||
paths:
|
||||
- .github/workflows/reproducible-builds.yml
|
||||
|
||||
jobs:
|
||||
build-binaries:
|
||||
@ -24,19 +28,39 @@ jobs:
|
||||
- "cli_enterprise_linux_amd64"
|
||||
- "cli_enterprise_linux_arm64"
|
||||
- "cli_enterprise_windows_amd64"
|
||||
runner: ["ubuntu-22.04", "ubuntu-20.04"]
|
||||
runner:
|
||||
- "ubuntu-24.04"
|
||||
- "ubuntu-22.04"
|
||||
deps:
|
||||
- conventional
|
||||
- eccentric
|
||||
env:
|
||||
bazel_target: "//cli:${{ matrix.target }}"
|
||||
binary: "${{ matrix.target }}-${{ matrix.runner }}"
|
||||
binary: "${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
|
||||
runs-on: ${{ matrix.runner }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Setup bazel
|
||||
- name: Setup dependencies
|
||||
uses: ./.github/actions/setup_bazel_nix
|
||||
if: matrix.deps == 'conventional'
|
||||
|
||||
- name: Setup dependencies (eccentric)
|
||||
if: matrix.deps == 'eccentric'
|
||||
run: |
|
||||
bazelVersion=$(cat .bazelversion)
|
||||
mkdir -p "$HOME/.local/bin"
|
||||
curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$bazelVersion/bazel-$bazelVersion-linux-x86_64"
|
||||
chmod a+x "$HOME/.local/bin/bazel"
|
||||
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
|
||||
|
||||
curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v3.2.1/nix-installer-x86_64-linux # renovate:github-release
|
||||
nixVersion=$(cat .nixversion)
|
||||
chmod a+x "$HOME/.local/bin/nix-installer"
|
||||
"$HOME/.local/bin/nix-installer" install --no-confirm --nix-package-url "https://releases.nixos.org/nix/nix-$nixVersion/nix-$nixVersion-x86_64-linux.tar.xz"
|
||||
|
||||
- name: Build
|
||||
shell: bash
|
||||
@ -57,15 +81,15 @@ jobs:
|
||||
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
|
||||
|
||||
- name: Upload binary artifact
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
|
||||
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
|
||||
path: "${{ env.binary }}"
|
||||
|
||||
- name: Upload hash artifact
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
|
||||
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
|
||||
path: "${{ env.binary }}.sha256"
|
||||
|
||||
build-osimages:
|
||||
@ -77,14 +101,26 @@ jobs:
|
||||
- "aws_aws-nitro-tpm_console"
|
||||
- "qemu_qemu-vtpm_debug"
|
||||
- "gcp_gcp-sev-snp_nightly"
|
||||
runner: ["ubuntu-22.04", "ubuntu-20.04"]
|
||||
runner: ["ubuntu-24.04", "ubuntu-22.04"]
|
||||
env:
|
||||
bazel_target: "//image/system:${{ matrix.target }}"
|
||||
binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
|
||||
runs-on: ${{ matrix.runner }}
|
||||
steps:
|
||||
- name: Remove security hardening features
|
||||
if: matrix.runner == 'ubuntu-24.04'
|
||||
shell: bash
|
||||
run: |
|
||||
# Taken from https://github.com/systemd/mkosi/blob/fcacc94b9f72d9b6b1f03779b0c6e07209ceb54b/action.yaml#L42-L57.
|
||||
sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
|
||||
sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
|
||||
# This command fails with a non-zero error code even though it unloads the apparmor profiles.
|
||||
# https://gitlab.com/apparmor/apparmor/-/issues/403
|
||||
sudo aa-teardown || true
|
||||
sudo apt-get remove -y apparmor
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
@ -110,13 +146,13 @@ jobs:
|
||||
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
|
||||
|
||||
- name: Upload binary artifact
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
|
||||
path: "${{ env.binary }}"
|
||||
|
||||
- name: Upload hash artifact
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
|
||||
path: "${{ env.binary }}.sha256"
|
||||
@ -134,12 +170,12 @@ jobs:
|
||||
- "cli_enterprise_windows_amd64"
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Download binaries
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
pattern: "binaries-${{ matrix.target }}-*"
|
||||
merge-multiple: true
|
||||
@ -168,12 +204,12 @@ jobs:
|
||||
- "gcp_gcp-sev-snp_nightly"
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Download os images
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
||||
with:
|
||||
pattern: "osimages-${{ matrix.target }}-*"
|
||||
merge-multiple: true
|
||||
|
8
.github/workflows/scorecard.yml
vendored
8
.github/workflows/scorecard.yml
vendored
@ -18,25 +18,25 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: Run analysis
|
||||
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
|
||||
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
publish_results: true
|
||||
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
|
||||
- name: Upload to code-scanning
|
||||
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
|
||||
uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
6
.github/workflows/sync-terraform-docs.yml
vendored
6
.github/workflows/sync-terraform-docs.yml
vendored
@ -18,14 +18,14 @@ jobs:
|
||||
pull-requests: write
|
||||
steps:
|
||||
- name: Checkout constellation repo
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
fetch-depth: 0
|
||||
path: constellation
|
||||
|
||||
- name: Checkout terraform-provider-constellation repo
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
repository: edgelesssys/terraform-provider-constellation
|
||||
ref: main
|
||||
@ -40,7 +40,7 @@ jobs:
|
||||
|
||||
- name: Create pull request
|
||||
id: create-pull-request
|
||||
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
|
||||
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
|
||||
with:
|
||||
path: terraform-provider-constellation
|
||||
branch: "feat/docs/update"
|
||||
|
2
.github/workflows/test-integration.yml
vendored
2
.github/workflows/test-integration.yml
vendored
@ -25,7 +25,7 @@ jobs:
|
||||
CTEST_OUTPUT_ON_FAILURE: True
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
|
6
.github/workflows/test-operator-codegen.yml
vendored
6
.github/workflows/test-operator-codegen.yml
vendored
@ -21,14 +21,14 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
||||
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
|
||||
with:
|
||||
go-version: "1.23.2"
|
||||
go-version: "1.24.1"
|
||||
cache: true
|
||||
|
||||
- name: Run code generation
|
||||
|
2
.github/workflows/test-tfsec.yml
vendored
2
.github/workflows/test-tfsec.yml
vendored
@ -23,7 +23,7 @@ jobs:
|
||||
pull-requests: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
|
4
.github/workflows/test-tidy.yml
vendored
4
.github/workflows/test-tidy.yml
vendored
@ -17,7 +17,7 @@ jobs:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
# No token available for forks, so we can't push changes
|
||||
@ -37,7 +37,7 @@ jobs:
|
||||
|
||||
- name: Assume AWS role to upload Bazel dependencies to S3
|
||||
if: startsWith(github.head_ref, 'renovate/')
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
|
||||
aws-region: eu-central-1
|
||||
|
6
.github/workflows/test-unittest.yml
vendored
6
.github/workflows/test-unittest.yml
vendored
@ -30,7 +30,7 @@ jobs:
|
||||
pull-requests: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
fetch-depth: 0
|
||||
@ -49,7 +49,7 @@ jobs:
|
||||
rm -rf awscliv2.zip aws
|
||||
|
||||
- name: Login to AWS (IAM role)
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage
|
||||
aws-region: eu-central-1
|
||||
@ -69,7 +69,7 @@ jobs:
|
||||
|
||||
- name: Comment coverage
|
||||
if: steps.coverage.outputs.uploadable == 'true' && github.event_name == 'pull_request'
|
||||
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
|
||||
uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
|
||||
with:
|
||||
header: coverage
|
||||
path: coverage_diff.md
|
||||
|
6
.github/workflows/update-rpms.yml
vendored
6
.github/workflows/update-rpms.yml
vendored
@ -13,12 +13,12 @@ jobs:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
token: ${{ secrets.CI_COMMIT_PUSH_PR }}
|
||||
|
||||
- name: Assume AWS role to upload Bazel dependencies to S3
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
|
||||
aws-region: eu-central-1
|
||||
@ -39,7 +39,7 @@ jobs:
|
||||
fi
|
||||
|
||||
- name: Create pull request
|
||||
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
|
||||
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
|
||||
with:
|
||||
branch: "image/automated/update-rpms-${{ github.run_number }}"
|
||||
base: main
|
||||
|
8
.github/workflows/versionsapi.yml
vendored
8
.github/workflows/versionsapi.yml
vendored
@ -115,7 +115,7 @@ jobs:
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
@ -149,21 +149,21 @@ jobs:
|
||||
|
||||
- name: Login to AWS without write access
|
||||
if: steps.check-rights.outputs.write == 'false'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
|
||||
aws-region: eu-central-1
|
||||
|
||||
- name: Login to AWS with write access
|
||||
if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
|
||||
aws-region: eu-central-1
|
||||
|
||||
- name: Login to AWS with write and image remove access
|
||||
if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
|
||||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
||||
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
|
||||
aws-region: eu-central-1
|
||||
|
@ -1,53 +1,65 @@
|
||||
version: "2"
|
||||
run:
|
||||
timeout: 10m
|
||||
build-tags:
|
||||
- integration
|
||||
- e2e
|
||||
modules-download-mode: readonly
|
||||
|
||||
output:
|
||||
formats:
|
||||
- format: tab
|
||||
tab:
|
||||
path: stdout
|
||||
sort-results: true
|
||||
|
||||
colors: false
|
||||
linters:
|
||||
enable:
|
||||
# Default linters
|
||||
- errcheck
|
||||
- gosimple
|
||||
- govet
|
||||
- ineffassign
|
||||
- staticcheck
|
||||
- typecheck
|
||||
- unused
|
||||
# Additional linters
|
||||
- bodyclose
|
||||
- copyloopvar
|
||||
- errname
|
||||
- exportloopref
|
||||
- godot
|
||||
- gofmt
|
||||
- gofumpt
|
||||
- misspell
|
||||
- noctx
|
||||
- revive
|
||||
- tenv
|
||||
- unconvert
|
||||
- unparam
|
||||
- usetesting
|
||||
settings:
|
||||
errcheck:
|
||||
exclude-functions:
|
||||
- (*go.uber.org/zap.Logger).Sync
|
||||
- (*google.golang.org/grpc.Server).Serve
|
||||
exclusions:
|
||||
generated: lax
|
||||
presets:
|
||||
- common-false-positives
|
||||
- legacy
|
||||
- std-error-handling
|
||||
paths:
|
||||
- 3rdparty/node-maintenance-operator
|
||||
rules:
|
||||
# TODO(burgerdev): these exclusions have been added to ease migration to v2 and should eventually be addressed.
|
||||
- linters: ["staticcheck"]
|
||||
text: "QF1008: could remove embedded field"
|
||||
- linters: ["staticcheck"]
|
||||
text: "QF1001: could apply De Morgan's law"
|
||||
- linters: ["staticcheck"]
|
||||
text: "ST1005: error strings should not be capitalized"
|
||||
- linters: ["revive"]
|
||||
text: "package-comments: package comment should be of the form"
|
||||
- linters: ["revive"]
|
||||
text: "package-comments: should have a package comment"
|
||||
- linters: ["staticcheck"]
|
||||
text: "QF1012: Use fmt.Fprintf"
|
||||
- linters: ["staticcheck"]
|
||||
text: "ST1019"
|
||||
|
||||
|
||||
issues:
|
||||
max-issues-per-linter: 0
|
||||
max-same-issues: 20
|
||||
exclude-dirs:
|
||||
- 3rdparty/node-maintenance-operator
|
||||
include:
|
||||
- EXC0012
|
||||
- EXC0014
|
||||
|
||||
linters-settings:
|
||||
errcheck:
|
||||
# List of functions to exclude from checking, where each entry is a single function to exclude.
|
||||
# See https://github.com/kisielk/errcheck#excluding-functions for details.
|
||||
exclude-functions:
|
||||
- (*go.uber.org/zap.Logger).Sync
|
||||
- (*google.golang.org/grpc.Server).Serve
|
||||
formatters:
|
||||
enable:
|
||||
- gofmt
|
||||
- gofumpt
|
||||
exclusions:
|
||||
generated: lax
|
||||
paths:
|
||||
- 3rdparty/node-maintenance-operator
|
||||
|
1
.nixversion
Normal file
1
.nixversion
Normal file
@ -0,0 +1 @@
|
||||
2.25.2
|
13
3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
vendored
Normal file
13
3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
vendored
Normal file
@ -0,0 +1,13 @@
|
||||
load("//bazel/sh:def.bzl", "sh_template")
|
||||
|
||||
sh_template(
|
||||
name = "pull_files",
|
||||
data = [
|
||||
"@com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy",
|
||||
],
|
||||
substitutions = {
|
||||
"@@POLICY_SRC@@": "$(rootpath @com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy)",
|
||||
},
|
||||
template = "pull_files.sh",
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
24
3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
vendored
Normal file
24
3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
vendored
Normal file
@ -0,0 +1,24 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
###### script header ######
|
||||
|
||||
lib=$(realpath @@BASE_LIB@@) || exit 1
|
||||
stat "${lib}" >> /dev/null || exit 1
|
||||
|
||||
# shellcheck source=../../../bazel/sh/lib.bash
|
||||
if ! source "${lib}"; then
|
||||
echo "Error: could not find import"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
controller_policy_source="@@POLICY_SRC@@"
|
||||
|
||||
###### script body ######
|
||||
|
||||
controller_policy_real_source=$(realpath "${controller_policy_source}")
|
||||
|
||||
cd "${BUILD_WORKSPACE_DIRECTORY}" # needs to be done after realpath
|
||||
|
||||
targetDir="terraform/infrastructure/iam/aws/alb_policy.json"
|
||||
|
||||
cp "${controller_policy_real_source}" "${targetDir}"
|
22
3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
vendored
Normal file
22
3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
vendored
Normal file
@ -0,0 +1,22 @@
|
||||
"""A module defining the source of the AWS load balancer controller."""
|
||||
|
||||
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
||||
|
||||
def aws_load_balancer_controller_deps():
|
||||
http_archive(
|
||||
name = "com_github_kubernetes_sigs_aws_load_balancer_controller",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
|
||||
"https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.12.0.tar.gz",
|
||||
],
|
||||
strip_prefix = "aws-load-balancer-controller-2.12.0",
|
||||
build_file_content = """
|
||||
filegroup(
|
||||
srcs = ["docs/install/iam_policy.json"],
|
||||
name = "lb_policy",
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
||||
""",
|
||||
type = "tar.gz",
|
||||
sha256 = "422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
|
||||
)
|
4
3rdparty/gcp-guest-agent/Dockerfile
vendored
4
3rdparty/gcp-guest-agent/Dockerfile
vendored
@ -1,4 +1,4 @@
|
||||
FROM ubuntu:22.04@sha256:58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe as build
|
||||
FROM ubuntu:24.04@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782 as build
|
||||
|
||||
# Install packages
|
||||
RUN apt-get update && apt-get install -y \
|
||||
@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
|
||||
git
|
||||
|
||||
# Install Go
|
||||
ARG GO_VER=1.22.3
|
||||
ARG GO_VER=1.23.6
|
||||
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
|
||||
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
|
||||
rm go${GO_VER}.linux-amd64.tar.gz
|
||||
|
26
MODULE.bazel
26
MODULE.bazel
@ -1,6 +1,6 @@
|
||||
module(name = "constellation")
|
||||
|
||||
bazel_dep(name = "aspect_bazel_lib", version = "2.9.2")
|
||||
bazel_dep(name = "aspect_bazel_lib", version = "2.14.0")
|
||||
|
||||
bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
|
||||
bazel_lib.yq()
|
||||
@ -8,21 +8,27 @@ use_repo(bazel_lib, "jq_toolchains")
|
||||
use_repo(bazel_lib, "yq_toolchains")
|
||||
|
||||
bazel_dep(name = "bazel_skylib", version = "1.7.1")
|
||||
bazel_dep(name = "gazelle", version = "0.39.1")
|
||||
bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.1")
|
||||
bazel_dep(name = "rules_cc", version = "0.0.13")
|
||||
bazel_dep(name = "rules_go", version = "0.50.1", repo_name = "io_bazel_rules_go")
|
||||
bazel_dep(name = "rules_pkg", version = "0.10.1")
|
||||
bazel_dep(name = "rules_proto", version = "6.0.2")
|
||||
bazel_dep(name = "rules_python", version = "0.36.0")
|
||||
bazel_dep(name = "gazelle", version = "0.42.0")
|
||||
bazel_dep(name = "hermetic_cc_toolchain", version = "3.2.0")
|
||||
bazel_dep(name = "rules_cc", version = "0.1.1")
|
||||
bazel_dep(name = "rules_go", version = "0.53.0", repo_name = "io_bazel_rules_go")
|
||||
bazel_dep(name = "rules_pkg", version = "1.1.0")
|
||||
bazel_dep(name = "rules_proto", version = "7.1.0")
|
||||
bazel_dep(name = "rules_python", version = "1.3.0")
|
||||
|
||||
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
|
||||
bazel_dep(name = "buildifier_prebuilt", version = "8.0.1", dev_dependency = True)
|
||||
|
||||
go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk")
|
||||
go_sdk.download(
|
||||
name = "go_sdk",
|
||||
patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
|
||||
version = "1.23.2",
|
||||
version = "1.23.6",
|
||||
)
|
||||
|
||||
python = use_extension("@rules_python//python/extensions:python.bzl", "python")
|
||||
python.toolchain(
|
||||
ignore_root_user_error = True,
|
||||
python_version = "3.11",
|
||||
)
|
||||
|
||||
# the use_repo rule needs to list all top-level go dependencies
|
||||
|
5398
MODULE.bazel.lock
generated
5398
MODULE.bazel.lock
generated
File diff suppressed because it is too large
Load Diff
@ -234,6 +234,10 @@ load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl"
|
||||
|
||||
node_maintainance_operator_deps()
|
||||
|
||||
load("//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:source.bzl", "aws_load_balancer_controller_deps")
|
||||
|
||||
aws_load_balancer_controller_deps()
|
||||
|
||||
# CI deps
|
||||
load("//bazel/toolchains:ci_deps.bzl", "ci_deps")
|
||||
|
||||
|
@ -62,6 +62,10 @@ build --remote_local_fallback
|
||||
# Docs: https://bazel.build/reference/command-line-reference#flag--grpc_keepalive_time
|
||||
build --grpc_keepalive_time=30s
|
||||
|
||||
# Use fallbacks in case proxy.golang.org is not reachable.
|
||||
# Docs: https://go.dev/ref/mod#goproxy-protocol
|
||||
common '--repo_env=GOPROXY=https://proxy.golang.org|https://goproxy.io|direct'
|
||||
|
||||
|
||||
######################################
|
||||
# Edgeless specific #
|
||||
|
@ -1,7 +1,7 @@
|
||||
load("@buildifier_prebuilt//:rules.bzl", "buildifier", "buildifier_test")
|
||||
load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun")
|
||||
load("@gazelle//:def.bzl", "gazelle")
|
||||
load("@io_bazel_rules_go//go/private/rules:go_bin_for_host.bzl", "go_bin_for_host")
|
||||
load("//bazel/ci:go_bin_for_host.bzl", "go_bin_for_host")
|
||||
load("//bazel/ci:proto_targets.bzl", "proto_targets")
|
||||
load("//bazel/sh:def.bzl", "noop_warn", "repo_command", "sh_template")
|
||||
|
||||
@ -514,16 +514,14 @@ multirun(
|
||||
)
|
||||
|
||||
multirun(
|
||||
name = "check",
|
||||
name = "parallel_checks",
|
||||
testonly = True,
|
||||
commands = [
|
||||
":gazelle_check",
|
||||
":buildifier_check",
|
||||
":golangci_lint",
|
||||
":terraform_check",
|
||||
":golicenses_check",
|
||||
":license_header_check",
|
||||
":govulncheck",
|
||||
":deps_mirror_check",
|
||||
":proto_targets_check",
|
||||
":unused_gh_actions",
|
||||
@ -542,11 +540,25 @@ multirun(
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
||||
|
||||
multirun(
|
||||
name = "check",
|
||||
testonly = True,
|
||||
commands = [
|
||||
":parallel_checks",
|
||||
":golangci_lint",
|
||||
":govulncheck",
|
||||
],
|
||||
jobs = 1, # execute sequentially to avoid running into memory issues on our CI runners
|
||||
stop_on_error = False,
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
||||
|
||||
multirun(
|
||||
name = "generate_files",
|
||||
commands = [
|
||||
":terraform_gen",
|
||||
"//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:pull_files",
|
||||
"//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:pull_files",
|
||||
":go_generate",
|
||||
":proto_generate",
|
||||
],
|
||||
|
29
bazel/ci/go_bin_for_host.bzl
Normal file
29
bazel/ci/go_bin_for_host.bzl
Normal file
@ -0,0 +1,29 @@
|
||||
"""
|
||||
Go toolchain for the host platformS
|
||||
Inspired by https://github.com/bazel-contrib/rules_go/blob/6e4fdcfeb1a333b54ab39ae3413d4ded46d8958d/go/private/rules/go_bin_for_host.bzl
|
||||
"""
|
||||
|
||||
load("@local_config_platform//:constraints.bzl", "HOST_CONSTRAINTS")
|
||||
|
||||
GO_TOOLCHAIN = "@io_bazel_rules_go//go:toolchain"
|
||||
|
||||
def _ensure_target_cfg(ctx):
|
||||
if "-exec" in ctx.bin_dir.path or "/host/" in ctx.bin_dir.path:
|
||||
fail("exec not found")
|
||||
|
||||
def _go_bin_for_host_impl(ctx):
|
||||
_ensure_target_cfg(ctx)
|
||||
sdk = ctx.toolchains[GO_TOOLCHAIN].sdk
|
||||
sdk_files = ctx.runfiles([sdk.go] + sdk.headers.to_list() + sdk.libs.to_list() + sdk.srcs.to_list() + sdk.tools.to_list())
|
||||
return [
|
||||
DefaultInfo(
|
||||
files = depset([sdk.go]),
|
||||
runfiles = sdk_files,
|
||||
),
|
||||
]
|
||||
|
||||
go_bin_for_host = rule(
|
||||
implementation = _go_bin_for_host_impl,
|
||||
toolchains = [GO_TOOLCHAIN],
|
||||
exec_compatible_with = HOST_CONSTRAINTS,
|
||||
)
|
@ -63,6 +63,8 @@ license_report() {
|
||||
|
||||
github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api) ;;
|
||||
|
||||
github.com/edgelesssys/go-tdx-qpl) ;;
|
||||
|
||||
*)
|
||||
not_allowed
|
||||
;;
|
||||
@ -71,8 +73,6 @@ license_report() {
|
||||
|
||||
Unknown)
|
||||
case ${pkg} in
|
||||
github.com/edgelesssys/go-tdx-qpl/*) ;;
|
||||
|
||||
*)
|
||||
not_allowed
|
||||
;;
|
||||
|
@ -27,11 +27,16 @@ submodules=$(${go} list -f '{{.Dir}}' -m)
|
||||
PATH=$(dirname "${go}"):${PATH}
|
||||
|
||||
check_module() {
|
||||
excluded_osvs=(
|
||||
"GO-2025-3521" # Kubernetes GitRepo Volume Inadvertent Local Repository Access
|
||||
"GO-2025-3547" # Kubernetes kube-apiserver Vulnerable to Race Condition
|
||||
)
|
||||
|
||||
# shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
|
||||
CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
|
||||
"${jq}" -sr '
|
||||
"${jq}" --argjson excluded "$(printf '"%s"\n' "${excluded_osvs[@]}" | jq -s)" -sr '
|
||||
(map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs |
|
||||
map(select( .finding and .finding.osv != "GO-2024-3166" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
|
||||
map(select( .finding and all($excluded[] != .finding.osv; .) ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
|
||||
group_by(.osv) |
|
||||
map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
|
||||
if length > 0 then halt_error(1) else .[] end'
|
||||
|
@ -46,7 +46,6 @@ excludeDirs=(
|
||||
excludeLockDirs=(
|
||||
"build"
|
||||
"terraform-provider-constellation"
|
||||
"terraform/legacy-module"
|
||||
)
|
||||
|
||||
excludeCheckDirs=(
|
||||
@ -143,6 +142,7 @@ check() {
|
||||
done
|
||||
echo "This may take 5-10 min..."
|
||||
for module in "${terraformLockModules[@]}"; do
|
||||
echo "Generating lock file for ${module}"
|
||||
${terraform} -chdir="${module}" init > /dev/null
|
||||
${terraform} -chdir="${module}" providers lock -platform=linux_arm64 > /dev/null
|
||||
${terraform} -chdir="${module}" providers lock -platform=linux_amd64 > /dev/null
|
||||
|
@ -5,17 +5,14 @@ based on https://github.com/bazelbuild/rules_go/issues/2111#issuecomment-1355927
|
||||
"""
|
||||
|
||||
load("@aspect_bazel_lib//lib:write_source_files.bzl", "write_source_files")
|
||||
load("@io_bazel_rules_go//go:def.bzl", "GoLibrary", "go_context")
|
||||
load("@io_bazel_rules_go//go:def.bzl", "GoInfo")
|
||||
load("@io_bazel_rules_go//proto:compiler.bzl", "GoProtoCompiler")
|
||||
|
||||
def _output_go_library_srcs_impl(ctx):
|
||||
go = go_context(ctx)
|
||||
|
||||
srcs_of_library = []
|
||||
importpath = ""
|
||||
for src in ctx.attr.deps:
|
||||
lib = src[GoLibrary]
|
||||
go_src = go.library_to_source(go, ctx.attr, lib, False)
|
||||
lib = src[GoInfo]
|
||||
if importpath and lib.importpath != importpath:
|
||||
fail(
|
||||
"importpath of all deps must match, got {} and {}",
|
||||
@ -23,7 +20,7 @@ def _output_go_library_srcs_impl(ctx):
|
||||
lib.importpath,
|
||||
)
|
||||
importpath = lib.importpath
|
||||
srcs_of_library.extend(go_src.srcs)
|
||||
srcs_of_library.extend(lib.srcs)
|
||||
|
||||
if len(srcs_of_library) != 1:
|
||||
fail("expected exactly one src for library, got {}", len(srcs_of_library))
|
||||
@ -54,7 +51,7 @@ output_go_library_srcs = rule(
|
||||
default = "@io_bazel_rules_go//proto:go_proto",
|
||||
),
|
||||
"deps": attr.label_list(
|
||||
providers = [GoLibrary],
|
||||
providers = [GoInfo],
|
||||
aspects = [],
|
||||
),
|
||||
"out": attr.output(
|
||||
|
@ -70,5 +70,5 @@ go_test(
|
||||
env = platform_container_sums_paths | platform_clis_paths,
|
||||
# keep
|
||||
x_defs = {"runsUnder": "bazel"},
|
||||
deps = ["@io_bazel_rules_go//go/runfiles:go_default_library"],
|
||||
deps = ["@io_bazel_rules_go//go/runfiles"],
|
||||
)
|
||||
|
@ -97,41 +97,41 @@ def _actionlint_deps():
|
||||
name = "com_github_rhysd_actionlint_linux_amd64",
|
||||
build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db",
|
||||
"https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_amd64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
|
||||
"https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_amd64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db",
|
||||
sha256 = "023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_rhysd_actionlint_linux_arm64",
|
||||
build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/5fd82142c39208bfdc51b929ff9bd84c38bcc10b4362ef2261a5d70d38e68e05",
|
||||
"https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_arm64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
|
||||
"https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_arm64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "5fd82142c39208bfdc51b929ff9bd84c38bcc10b4362ef2261a5d70d38e68e05",
|
||||
sha256 = "401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_rhysd_actionlint_darwin_amd64",
|
||||
build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/33e960b719c87ecc0c807cf4945fd4078980cd2e626b27ded0e9551c757fa8f6",
|
||||
"https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_darwin_amd64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5",
|
||||
"https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_amd64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "33e960b719c87ecc0c807cf4945fd4078980cd2e626b27ded0e9551c757fa8f6",
|
||||
sha256 = "28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_rhysd_actionlint_darwin_arm64",
|
||||
build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/b4e8dab8dda48eceff6afea67d0fe4a14b8d4ea7191cf233c1e1af8a62f37c24",
|
||||
"https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_darwin_arm64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
|
||||
"https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_arm64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "b4e8dab8dda48eceff6afea67d0fe4a14b8d4ea7191cf233c1e1af8a62f37c24",
|
||||
sha256 = "2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
|
||||
)
|
||||
|
||||
def _gofumpt_deps():
|
||||
@ -181,41 +181,41 @@ def _tfsec_deps():
|
||||
name = "com_github_aquasecurity_tfsec_linux_amd64",
|
||||
build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c",
|
||||
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_amd64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/f643c390e6eabdf4bd64e807ff63abfe977d4f027c0b535eefe7a5c9f391fc28",
|
||||
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_linux_amd64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c",
|
||||
sha256 = "f643c390e6eabdf4bd64e807ff63abfe977d4f027c0b535eefe7a5c9f391fc28",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_aquasecurity_tfsec_linux_arm64",
|
||||
build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52",
|
||||
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_arm64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/4aed1b122f817b684cc48da9cdc4b98b891808969441914570c089883c85ac50",
|
||||
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_linux_arm64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52",
|
||||
sha256 = "4aed1b122f817b684cc48da9cdc4b98b891808969441914570c089883c85ac50",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_aquasecurity_tfsec_darwin_amd64",
|
||||
build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001",
|
||||
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_amd64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/966c7656f797c120dceb56a208a50dbf6a363c30876662a28e1c65505afca10d",
|
||||
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_darwin_amd64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001",
|
||||
sha256 = "966c7656f797c120dceb56a208a50dbf6a363c30876662a28e1c65505afca10d",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_aquasecurity_tfsec_darwin_arm64",
|
||||
build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7",
|
||||
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_arm64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/a381580c81d3413bb3fe07aa91ab89e51c1bbbd33c848194a2b43e9be3729c16",
|
||||
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_darwin_arm64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7",
|
||||
sha256 = "a381580c81d3413bb3fe07aa91ab89e51c1bbbd33c848194a2b43e9be3729c16",
|
||||
)
|
||||
|
||||
def _golangci_lint_deps():
|
||||
@ -223,45 +223,45 @@ def _golangci_lint_deps():
|
||||
name = "com_github_golangci_golangci_lint_linux_amd64",
|
||||
build_file = "//bazel/toolchains:BUILD.golangci.bazel",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/77cb0af99379d9a21d5dc8c38364d060e864a01bd2f3e30b5e8cc550c3a54111",
|
||||
"https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-amd64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/89cc8a7810dc63b9a37900da03e37c3601caf46d42265d774e0f1a5d883d53e2",
|
||||
"https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-linux-amd64.tar.gz",
|
||||
],
|
||||
strip_prefix = "golangci-lint-1.61.0-linux-amd64",
|
||||
strip_prefix = "golangci-lint-2.0.2-linux-amd64",
|
||||
type = "tar.gz",
|
||||
sha256 = "77cb0af99379d9a21d5dc8c38364d060e864a01bd2f3e30b5e8cc550c3a54111",
|
||||
sha256 = "89cc8a7810dc63b9a37900da03e37c3601caf46d42265d774e0f1a5d883d53e2",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_golangci_golangci_lint_linux_arm64",
|
||||
build_file = "//bazel/toolchains:BUILD.golangci.bazel",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/af60ac05566d9351615cb31b4cc070185c25bf8cbd9b09c1873aa5ec6f3cc17e",
|
||||
"https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-arm64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/789d5b91219ac68c2336f77d41cd7e33a910420594780f455893f8453d09595b",
|
||||
"https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-linux-arm64.tar.gz",
|
||||
],
|
||||
strip_prefix = "golangci-lint-1.61.0-linux-arm64",
|
||||
strip_prefix = "golangci-lint-2.0.2-linux-arm64",
|
||||
type = "tar.gz",
|
||||
sha256 = "af60ac05566d9351615cb31b4cc070185c25bf8cbd9b09c1873aa5ec6f3cc17e",
|
||||
sha256 = "789d5b91219ac68c2336f77d41cd7e33a910420594780f455893f8453d09595b",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_golangci_golangci_lint_darwin_amd64",
|
||||
build_file = "//bazel/toolchains:BUILD.golangci.bazel",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/5c280ef3284f80c54fd90d73dc39ca276953949da1db03eb9dd0fbf868cc6e55",
|
||||
"https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-darwin-amd64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/a88cbdc86b483fe44e90bf2dcc3fec2af8c754116e6edf0aa6592cac5baa7a0e",
|
||||
"https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-darwin-amd64.tar.gz",
|
||||
],
|
||||
strip_prefix = "golangci-lint-1.61.0-darwin-amd64",
|
||||
strip_prefix = "golangci-lint-2.0.2-darwin-amd64",
|
||||
type = "tar.gz",
|
||||
sha256 = "5c280ef3284f80c54fd90d73dc39ca276953949da1db03eb9dd0fbf868cc6e55",
|
||||
sha256 = "a88cbdc86b483fe44e90bf2dcc3fec2af8c754116e6edf0aa6592cac5baa7a0e",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_golangci_golangci_lint_darwin_arm64",
|
||||
build_file = "//bazel/toolchains:BUILD.golangci.bazel",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/544334890701e4e04a6e574bc010bea8945205c08c44cced73745a6378012d36",
|
||||
"https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-darwin-arm64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/664550e7954f5f4451aae99b4f7382c1a47039c66f39ca605f5d9af1a0d32b49",
|
||||
"https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-darwin-arm64.tar.gz",
|
||||
],
|
||||
strip_prefix = "golangci-lint-1.61.0-darwin-arm64",
|
||||
strip_prefix = "golangci-lint-2.0.2-darwin-arm64",
|
||||
type = "tar.gz",
|
||||
sha256 = "544334890701e4e04a6e574bc010bea8945205c08c44cced73745a6378012d36",
|
||||
sha256 = "664550e7954f5f4451aae99b4f7382c1a47039c66f39ca605f5d9af1a0d32b49",
|
||||
)
|
||||
|
||||
def _buf_deps():
|
||||
@ -270,44 +270,44 @@ def _buf_deps():
|
||||
strip_prefix = "buf/bin",
|
||||
build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
|
||||
"https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-x86_64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/3cf4aa139b289e09f76f3b506d0f48b5d27bd4a58b510af6b976e6a0fb4a0953",
|
||||
"https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Linux-x86_64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
|
||||
sha256 = "3cf4aa139b289e09f76f3b506d0f48b5d27bd4a58b510af6b976e6a0fb4a0953",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_bufbuild_buf_linux_arm64",
|
||||
strip_prefix = "buf/bin",
|
||||
build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
|
||||
"https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-aarch64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/853f91722ab06e8e7d140b9693f6f6eafd4812636f193ab5dbae99ee1612f1b6",
|
||||
"https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Linux-aarch64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
|
||||
sha256 = "853f91722ab06e8e7d140b9693f6f6eafd4812636f193ab5dbae99ee1612f1b6",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_bufbuild_buf_darwin_amd64",
|
||||
strip_prefix = "buf/bin",
|
||||
build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
|
||||
"https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-x86_64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/ed5873b81f80d2aa95f4534b51c3a9e0d382d807902706b4aee7a61be5516461",
|
||||
"https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Darwin-x86_64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
|
||||
sha256 = "ed5873b81f80d2aa95f4534b51c3a9e0d382d807902706b4aee7a61be5516461",
|
||||
)
|
||||
http_archive(
|
||||
name = "com_github_bufbuild_buf_darwin_arm64",
|
||||
strip_prefix = "buf/bin",
|
||||
build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
|
||||
"https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-arm64.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/fc34097ddc95533b0d8065bdf9cf368c63f040ea9d96ffda4ab2805122fddbce",
|
||||
"https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Darwin-arm64.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
sha256 = "e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
|
||||
sha256 = "fc34097ddc95533b0d8065bdf9cf368c63f040ea9d96ffda4ab2805122fddbce",
|
||||
)
|
||||
|
||||
def _talos_docgen_deps():
|
||||
|
@ -7,7 +7,7 @@ load("@rules_oci//oci:pull.bzl", "oci_pull")
|
||||
def containter_image_deps():
|
||||
oci_pull(
|
||||
name = "distroless_static",
|
||||
digest = "sha256:69830f29ed7545c762777507426a412f97dad3d8d32bae3e74ad3fb6160917ea",
|
||||
digest = "sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9",
|
||||
image = "gcr.io/distroless/static",
|
||||
platforms = [
|
||||
"linux/amd64",
|
||||
@ -16,6 +16,6 @@ def containter_image_deps():
|
||||
)
|
||||
oci_pull(
|
||||
name = "libvirtd_base",
|
||||
digest = "sha256:99dbf3cf69b3f97cb0158bde152c9bc7c2a96458cf462527ee80b75754f572a7",
|
||||
digest = "sha256:48ba2401ea66490ca1997b9d3e72b4bef7557ffbcdb1c95651fb3308f32fda58",
|
||||
image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
|
||||
)
|
||||
|
@ -5,11 +5,11 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
||||
def nixpkgs_deps():
|
||||
http_archive(
|
||||
name = "io_tweag_rules_nixpkgs",
|
||||
sha256 = "f2c927815c18c088f02ff81caf9903f9c0b2596ac6e6bd40534bc299af9dc0d7",
|
||||
strip_prefix = "rules_nixpkgs-705ee3b26cf49e990cddbbe6f60510fa46d50904",
|
||||
sha256 = "30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
|
||||
strip_prefix = "rules_nixpkgs-0.13.0",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/f2c927815c18c088f02ff81caf9903f9c0b2596ac6e6bd40534bc299af9dc0d7",
|
||||
"https://github.com/tweag/rules_nixpkgs/archive/705ee3b26cf49e990cddbbe6f60510fa46d50904.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
|
||||
"https://github.com/tweag/rules_nixpkgs/releases/download/v0.13.0/rules_nixpkgs-0.13.0.tar.gz",
|
||||
],
|
||||
type = "tar.gz",
|
||||
)
|
||||
|
@ -7,14 +7,13 @@ def oci_deps():
|
||||
# Remove this override once https://github.com/bazel-contrib/rules_oci/issues/420 is fixed.
|
||||
http_archive(
|
||||
name = "rules_oci",
|
||||
strip_prefix = "rules_oci-2.0.1",
|
||||
strip_prefix = "rules_oci-2.2.5",
|
||||
type = "tar.gz",
|
||||
urls = [
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/f70f07f9d0d6c275d7ec7d3c7f236d9b552ba3205e8f37df9c1125031cf967cc",
|
||||
"https://github.com/bazel-contrib/rules_oci/releases/download/v2.0.1/rules_oci-v2.0.1.tar.gz",
|
||||
"https://cdn.confidential.cloud/constellation/cas/sha256/361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
|
||||
"https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.5/rules_oci-v2.2.5.tar.gz",
|
||||
],
|
||||
sha256 = "acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
|
||||
sha256 = "361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
|
||||
patches = ["//bazel/toolchains:0001-disable-Windows-support.patch"],
|
||||
patch_args = ["-p1"],
|
||||
)
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user