image: update locked rpms (#3742)

Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>

.bazelignore

@@ -0,0 +1,2 @@
+.direnv
+build

.bazelrc

@@ -1,54 +1,56 @@
-# share bazel cache between checkouts of the same project
-# and keep old build caches around for longer
-build --disk_cache=~/.cache/shared_bazel_action_cache
-build --repository_cache=~/.cache/shared_bazel_repository_cache
-
-# better caching / reproducibility
-build --incompatible_strict_action_env=true
-build --experimental_output_directory_naming_scheme=diff_against_baseline
-
-# disable automatic toolchain detection for C/C++
-build --incompatible_enable_cc_toolchain_resolution
-build --action_env BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
+# Import bazelrc presets
+import %workspace%/bazel/bazelrc/bazel7.bazelrc
+import %workspace%/bazel/bazelrc/convenience.bazelrc
+import %workspace%/bazel/bazelrc/correctness.bazelrc
+import %workspace%/bazel/bazelrc/debug.bazelrc
+import %workspace%/bazel/bazelrc/performance.bazelrc
+import %workspace%/bazel/bazelrc/cc.bazelrc
 
 # inject version information into binaries
-build --stamp --workspace_status_command=tools/workspace_status.sh
+common --stamp --workspace_status_command=tools/workspace_status.sh
 
 # strip binaries for better reproducibility
-build --strip=always
+common --strip=always
 
 # set build mode to opt by default (better reproducibility and performance)
-build --compilation_mode=opt
+common --compilation_mode=opt
 
 # use pure go implementation of netdns
-build --define=gotags=netgo
+common --define=gotags=netgo
 
 # enable tpm simulator for tests
 test --//bazel/settings:tpm_simulator
 
-# disable test caching (rerun all test cases even if they passed before)
-test --cache_test_results=no
+# set registry flag alias
+build --flag_alias=container_prefix=//bazel/settings:container_prefix
 
-# bazel config for debug builds
-build:debug --compilation_mode=dbg --strip=never
+# set cli edition flag alias
+build --flag_alias=cli_edition=//bazel/settings:cli_edition
+
+# disable integration tests by default
+test --test_tag_filters=-integration
+# enable all tests (including integration)
+test:integration --test_tag_filters= --@io_bazel_rules_go//go/config:tags=integration
+# enable only integration tests
+test:integration-only --test_tag_filters=+integration --@io_bazel_rules_go//go/config:tags=integration,enterprise
 
 # bazel configs to explicitly target a platform
-build:host --platforms @local_config_platform//:host
-build:linux_amd64 --platforms @zig_sdk//libc_aware/platform:linux_amd64_gnu.2.34
-build:linux_arm64 --platforms @zig_sdk//libc_aware/platform:linux_arm64_gnu.2.34
-build:linux_amd64_static --platforms @zig_sdk//libc_aware/platform:linux_amd64_musl
-build:linux_arm64_static --platforms @zig_sdk//libc_aware/platform:linux_arm64_musl
+common:host --platforms @local_config_platform//:host
+common:linux_amd64 --platforms @zig_sdk//libc_aware/platform:linux_amd64_gnu.2.23
+common:linux_arm64 --platforms @zig_sdk//libc_aware/platform:linux_arm64_gnu.2.23
+common:linux_amd64_static --platforms @zig_sdk//libc_aware/platform:linux_amd64_musl
+common:linux_arm64_static --platforms @zig_sdk//libc_aware/platform:linux_arm64_musl
+
+# bazel configs to explicitly target NixOS
+common --host_platform=@io_tweag_rules_nixpkgs//nixpkgs/platforms:host
+common --crosstool_top=@local_config_cc//:toolchain
 
 # bazel config to explicitly disable stamping (hide version information at build time)
-build:nostamp --nostamp --workspace_status_command=
+common:nostamp --nostamp --workspace_status_command=
 
-# bazel config to use remote cache
-build:remote_cache --bes_results_url=https://app.buildbuddy.io/invocation/
-build:remote_cache --bes_backend=grpcs://remote.buildbuddy.io
-build:remote_cache --remote_cache=grpcs://remote.buildbuddy.io
-build:remote_cache --remote_timeout=3600
-build:remote_cache --experimental_remote_build_event_upload=minimal
-build:remote_cache --experimental_remote_cache_compression
-build:remote_cache_readonly --noremote_upload_local_results # Uploads logs & artifacts without writing to cache
+common:build_barn_rbe_ubuntu_22_04 --remote_timeout=3600
+common:build_barn_rbe_ubuntu_22_04 --remote_executor=grpc://frontend.buildbarn:8980 # this maps to the kubernetes internal buildbarn/frontend service
+common:build_barn_rbe_ubuntu_22_04 --extra_execution_platforms=//bazel/rbe:ubuntu-act-22-04-platform
+common:build_barn_rbe_ubuntu_22_04 --shell_executable=/bin/bash
 
-try-import .bazeloverwriterc
+try-import %workspace%/.bazeloverwriterc

.bazelversion

@@ -1 +1 @@
-6.1.0
+7.4.1

.envrc

@@ -0,0 +1 @@
+use flake

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,33 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
-assignees: ''
-
----
-
-### Issue description
-<!-- A clear and concise description of what the issue is -->
-
-
-### To reproduce
-Steps to reproduce the behavior:
-
-1.
-2.
-3.
-
-
-### Environment
-
-- `constellation version`:
-- `constellation-conf.yaml`
-  - (make sure to remove sensitive information, e.g., `yq e 'del(.provider.*.project)' constellation-conf.yaml`)
-- VM type used to run Constellation.
-
-### Expected behavior
-<!-- A clear and concise description of what you expected to happen -->
-
-### Additional info / screenshot
-<!-- Any additional information or context -->

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,25 @@
+name: Bug report
+description: File a bug report to help us improve
+labels: ["bug", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    attributes:
+      label: Issue description
+      description: A concise description of what you're experiencing.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Steps to reproduce the behavior
+  - type: textarea
+    attributes:
+      label: Version
+      description: Output of `constellation version`
+  - type: textarea
+    attributes:
+      label: Constellation Config
+      description: Make sure to remove sensitive information, e.g., `yq e 'del(.provider.*.project)' constellation-conf.yaml`.

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: true
 contact_links:
-  - name: Confidential Computing Discord
-    url: https://discord.com/invite/rH8QTH56JN
-    about: Join the Confidential Computing community!
+  - name: Having trouble or questions?
+    url: https://github.com/edgelesssys/constellation/discussions/new?category=q-a
+    about: Open a discussion instead! We will be happy to help you.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,17 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: ''
-assignees: ''
-
----
-
-### Use case
-<!-- A clear and concise description of what the problem is. -->
-
-### Describe your solution
-<!-- A clear and concise description of what you want to happen. -->
-
-### Additional context
-<!-- Add any other context or screenshots about the feature request here. -->

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,18 @@
+name: Feature request
+description: Suggest an idea for this project
+body:
+  - type: textarea
+    attributes:
+      label: Use case
+      description: A concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe your solution
+      description: In case you have an idea how to implement this feature.
+  - type: checkboxes
+    attributes:
+      label: Would you be willing to implement this feature?
+      options:
+        - label: Yes, I could contribute this feature.

.github/ISSUE_TEMPLATE/question.md

@@ -1,14 +0,0 @@
----
-name: Question
-about: Get help or more information on a topic
-title: ''
-labels: question
-assignees: ''
-
----
-
-<!--
-Ask your question here.
-Make sure you've checked the docs at https://docs.edgeless.systems/constellation
-You can also search within the existing issues at https://github.com/edgelesssys/constellation/issues
--->

.github/actionlint.yaml

@@ -1,3 +1,10 @@
 self-hosted-runner:
   # Labels of self-hosted runner in array of string
-  labels: [azure-cvm]
+  labels:
+    [
+      azure-cvm,
+      arc-runner-set,
+      bazel-cached,
+      bazel-nocache,
+      ubuntu-latest-8-cores,
+    ]

.github/actions/artifact_delete/action.yml

@@ -0,0 +1,17 @@
+name: Delete artifact
+description: Delete an artifact by name
+
+inputs:
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  workflowID:
+    description: 'The ID of the workflow.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Delete artifact
+      shell: bash
+      run: ./.github/actions/artifact_delete/delete_artifact.sh ${{ inputs.workflowID }} ${{ inputs.name }}

.github/actions/artifact_delete/delete_artifact.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# get_artifact_id retrieves the artifact id of
+# an artifact that was generated by a workflow.
+# $1 should be the workflow run id. $2 should be the artifact name.
+function get_artifact_id {
+  artifact_id="$(gh api \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    --paginate \
+    "/repos/edgelesssys/constellation/actions/runs/$1/artifacts" --jq ".artifacts |= map(select(.name==\"$2\")) | .artifacts[0].id" || exit 1)"
+  echo "$artifact_id" | tr -d "\n"
+}
+
+# delete_artifact_by_id deletes an artifact by its artifact id.
+# $1 should be the id of the artifact.
+function delete_artifact_by_id {
+  gh api \
+    --method DELETE \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/edgelesssys/constellation/actions/artifacts/$1" || exit 1
+}
+
+workflow_id="$1"
+artifact_name="$2"
+
+if [[ -z $workflow_id ]] || [[ -z $artifact_name ]]; then
+  echo "Usage: delete_artifact.sh <WORKFLOW_ID> <ARTIFACT_NAME>"
+  exit 1
+fi
+
+echo "[*] retrieving artifact ID"
+artifact_id="$(get_artifact_id "$workflow_id" "$artifact_name")"
+
+echo "[*] deleting artifact with ID $artifact_id"
+delete_artifact_by_id "$artifact_id"

.github/actions/artifact_download/action.yml

@@ -0,0 +1,40 @@
+name: Download artifact
+description: Download and decrypt an artifact.
+
+inputs:
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  path:
+    description: 'Download to a specified path.'
+    required: false
+    default: ./
+  encryptionSecret:
+    description: 'The secret to use for decrypting the artifact.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install 7zip
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          _7zz
+
+    - name: Create temporary directory
+      id: tempdir
+      shell: bash
+      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
+
+    - name: Download the artifact
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ steps.tempdir.outputs.directory }}
+
+    - name: Decrypt and unzip archive
+      shell: bash
+      run: |
+        mkdir -p ${{ inputs.path }}
+        7zz x -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z

.github/actions/artifact_upload/action.yml

@@ -0,0 +1,78 @@
+name: Upload artifact
+description: Upload an encrypted zip archive as a github artifact.
+
+inputs:
+  path:
+    description: 'The path(s) that should be uploaded. Paths may contain globs. Only the final component of a path is uploaded.'
+    required: true
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  retention-days:
+    description: 'How long the artifact should be retained for.'
+    default: 60
+  encryptionSecret:
+    description: 'The secret to use for encrypting the files.'
+    required: true
+  overwrite:
+    description: 'Overwrite an artifact with the same name.'
+    default: false
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install 7zip
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          _7zz
+
+    - name: Create temporary directory
+      id: tempdir
+      shell: bash
+      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
+
+    - name: Create archive
+      shell: bash
+      run: |
+        set -euo pipefail
+        shopt -s extglob
+        paths="${{ inputs.path }}"
+        paths=${paths%$'\n'} # Remove trailing newline
+        # Check if any file matches the given pattern(s).
+        something_exists=false
+        for pattern in ${paths}
+        do
+          if compgen -G "${pattern}" > /dev/null; then
+            something_exists=true
+          fi
+        done
+
+        # Create an archive if files exist.
+        # Don't create an archive file if no files are found
+        # and warn.
+        if ! ${something_exists}
+        then
+          echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
+          exit 0
+        fi
+
+        for target in ${paths}
+        do
+          if compgen -G "${target}" > /dev/null
+          then
+            pushd "$(dirname "${target}")"
+            7zz a -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
+            popd
+          fi
+        done
+
+    - name: Upload archive as artifact
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ steps.tempdir.outputs.directory }}/archive.7z
+        retention-days: ${{ inputs.retention-days }}
+        if-no-files-found: ignore
+        overwrite: ${{ inputs.overwrite }}

.github/actions/azure_snp_reporter/action.yaml

@@ -1,12 +0,0 @@
-name: Azure SNP Reporter
-description: "Get SNP MAA statement from Azure."
-inputs:
-  outputPath:
-    description: "Path to put signed JWT into."
-    required: true
-runs:
-  using: "composite" # some azure SNP-enabled machine.
-  steps:
-    - name: Fetch report
-      shell: bash
-      run: docker run --rm --privileged -v/sys/kernel/security:/sys/kernel/security ghcr.io/edgelesssys/constellation/azure-snp-reporter | tail -n 1 > ${{ inputs.outputPath }}

.github/actions/build_apko/action.yml

@@ -1,111 +0,0 @@
-name: Build container base images using apko
-description: Build one or multiple apko base images based on supplied .yaml files
-
-inputs:
-  apkoConfig:
-    description: "Path to the apko .yaml config file. If left empty, all images will be built."
-    required: false
-  apkoArch:
-    description: "Use this image architecture"
-    required: false
-    default: amd64
-  containerTags:
-    description: "Tags for the resulting container image, space separated"
-    required: true
-  registry:
-    description: "Container registry to use"
-    default: "ghcr.io"
-    required: true
-  githubToken:
-    description: "GitHub authorization token"
-    required: true
-  cosignPublicKey:
-    description: "Cosign public key"
-    required: false
-    default: ""
-  cosignPrivateKey:
-    description: "Cosign private key"
-    required: false
-    default: ""
-  cosignPassword:
-    description: "Password for Cosign private key"
-    required: false
-    default: ""
-
-# Linux runner only (docker required)
-runs:
-  using: composite
-  steps:
-    - name: Install deps
-      shell: bash
-      run: |
-        echo "::group::Install dependencies"
-        sudo apt-get update
-        sudo apt-get install -y zip
-        echo "::endgroup::"
-
-    - name: Log in to the Container registry
-      id: docker-login
-      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
-      with:
-        registry: ${{ inputs.registry }}
-        username: ${{ github.actor }}
-        password: ${{ inputs.githubToken }}
-
-    - name: Install Cosign
-      if: |
-        inputs.cosignPublicKey != '' &&
-        inputs.cosignPrivateKey != '' &&
-        inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
-
-    - name: Download apk repository
-      shell: bash
-      env:
-        DOCKER_BUILDKIT: "1"
-      run: |
-        docker build -o ./apko -f hack/package-hasher/Containerfile.apk.downloader ./apko
-
-    - name: Build apko images and sign them
-      shell: bash
-      working-directory: apko
-      env:
-        COSIGN_EXPERIMENTAL: "true"
-        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
-        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
-        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
-        APKO_CONFIG: ${{ inputs.apkoConfig }}
-        APKO_ARCH: ${{ inputs.apkoArch }}
-        CONTAINER_TAGS: ${{ inputs.containerTags }}
-        REGISTRY: ${{ inputs.registry }}
-      run: ../.github/actions/build_apko/build_and_sign.sh
-
-    - name: Sign sboms
-      if: |
-        inputs.cosignPublicKey != '' &&
-        inputs.cosignPrivateKey != '' &&
-        inputs.cosignPassword != ''
-      shell: bash
-      working-directory: apko
-      env:
-        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
-        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
-        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
-      run: |
-        for dir in sboms/*; do
-          for file in $dir/*; do
-            cosign sign-blob \
-              --key env://COSIGN_PRIVATE_KEY \
-              $file \
-              -y \
-              > $file.sig
-          done
-        done
-
-        zip -r sboms.zip sboms
-
-    - name: Upload SBOMs
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-      with:
-        name: sboms
-        path: apko/sboms.zip

.github/actions/build_apko/build_and_sign.sh

@@ -1,68 +0,0 @@
-#!/usr/bin/env bash
-
-set -exuo pipefail
-shopt -s inherit_errexit
-
-# buildImage <apko_config_path>
-buildImage() {
-  local imageConfig=$1
-
-  echo "Building image for ${imageConfig}"
-
-  local imageName
-  imageName=$(basename "${imageConfig}" | cut -d. -f1)
-  local registryPath
-  registryPath="${REGISTRY}/edgelesssys/apko-${imageName}"
-  local outTar
-  outTar="${imageName}.tar"
-
-  mkdir -p "sboms/${imageName}"
-
-  # build the image
-  docker run \
-    -v "${PWD}":/work \
-    cgr.dev/chainguard/apko@sha256:8952f4f3ce58052b7df5e46f230f7192b42b220d3e46c8b06178cc25fd700846 \
-    build \
-    "${imageConfig}" \
-    --build-arch "${APKO_ARCH}" \
-    --sbom \
-    "${registryPath}" \
-    "${outTar}"
-
-  docker load < "${outTar}"
-
-  for tag in ${CONTAINER_TAGS}; do
-    tagSanitized=${tag//\//-}
-
-    docker image tag "${registryPath}" "${registryPath}:${tagSanitized}"
-    docker push "${registryPath}:${tagSanitized}"
-
-    imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
-
-    # write full image as Markdown code block to step summary
-    cat << EOF >> "${GITHUB_STEP_SUMMARY}"
-\`\`\`
-${imageDigest%%@*}:${tagSanitized}@${imageDigest##*@}
-\`\`\`
-EOF
-  done
-
-  # cosign the container and push to registry
-  cosign sign \
-    --key env://COSIGN_PRIVATE_KEY \
-    "${imageDigest}" \
-    -y
-
-  # move sboms to folder
-  mv sbom-*.* "sboms/${imageName}/"
-}
-
-if [[ -n ${APKO_CONFIG} ]]; then
-  buildImage "${APKO_CONFIG}"
-  exit 0
-fi
-
-echo "Building all images in image"
-for imageConfig in ./*.yaml; do
-  buildImage "${imageConfig}"
-done

.github/actions/build_bootstrapper/action.yml

@@ -18,7 +18,7 @@ runs:
       run: |
         echo "::group::Build the bootstrapper"
         mkdir -p "$(dirname "${OUTPUT_PATH}")"
-        label=//bootstrapper/cmd/bootstrapper:bootstrapper_linux_amd64
+        label=//bootstrapper/cmd/bootstrapper:bootstrapper_patched
         bazel build "${label}"
         repository_root=$(git rev-parse --show-toplevel)
         out_rel=$(bazel cquery --output=files "${label}")

.github/actions/build_cdbg/action.yml

@@ -21,13 +21,13 @@ runs:
     - name: Build cdbg
       shell: bash
       env:
-        GOOS: ${{ inputs.targetOS }}
-        GOARCH: ${{ inputs.targetArch }}
+        TARGET_GOOS: ${{ inputs.targetOS }}
+        TARGET_GOARCH: ${{ inputs.targetArch }}
         OUTPUT_PATH: ${{ inputs.outputPath }}
       run: |
         echo "::group::Build cdbg"
         mkdir -p "$(dirname "${OUTPUT_PATH}")"
-        label="//debugd/cmd/cdbg:cdbg_${GOOS}_${GOARCH}"
+        label="//debugd/cmd/cdbg:cdbg_${TARGET_GOOS}_${TARGET_GOARCH}"
         bazel build "${label}"
         repository_root=$(git rev-parse --show-toplevel)
         out_rel=$(bazel cquery --output=files "${label}")

.github/actions/build_cli/action.yml

@@ -5,7 +5,7 @@ description: |
   when run on v* tag.
 inputs:
   targetOS:
-    description: "Build CLI for this OS. [linux, darwin]"
+    description: "Build CLI for this OS. [linux, darwin, windows]"
     required: true
     default: "linux"
   targetArch:
@@ -31,6 +31,10 @@ inputs:
   outputPath:
     description: "Output path of the binary"
     required: false
+  push:
+    description: "Push container images"
+    required: false
+    default: false
 runs:
   using: "composite"
   steps:
@@ -43,9 +47,9 @@ runs:
     - name: Build CLI
       shell: bash
       env:
-        GOOS: ${{ inputs.targetOS }}
-        GOARCH: ${{ inputs.targetArch }}
-        OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
+        TARGET_GOOS: ${{ inputs.targetOS }}
+        TARGET_GOARCH: ${{ inputs.targetArch }}
+        OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}${{ inputs.targetOS == 'windows' && '.exe' || '' }}
       run: |
         echo "::group::Build CLI"
         mkdir -p "$(dirname "${OUTPUT_PATH}")"
@@ -55,22 +59,27 @@ runs:
         else
           cli_variant=oss
         fi
-        label="//cli:cli_${cli_variant}_${GOOS}_${GOARCH}"
+        label="//cli:cli_${cli_variant}_${TARGET_GOOS}_${TARGET_GOARCH}"
         bazel build "${label}"
         repository_root=$(git rev-parse --show-toplevel)
         out_rel=$(bazel cquery --output=files "${label}")
         out_loc="$(realpath "${repository_root}/${out_rel}")"
         cp "${out_loc}" "${OUTPUT_PATH}"
         chmod +w "${OUTPUT_PATH}"
-        echo "$(dirname "${OUTPUT_PATH}")" >> $GITHUB_PATH
-        export PATH="$PATH:$(dirname "${OUTPUT_PATH}")"
+        export PATH="$PATH:$(realpath $(dirname "${OUTPUT_PATH}"))"
+        echo "$(realpath $(dirname "${OUTPUT_PATH}"))" >> $GITHUB_PATH
         echo "::endgroup::"
 
-    # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
+    - name: Upload container images
+      if: inputs.push == 'true'
+      shell: bash
+      run: bazel run //bazel/release:push
+
+    # TODO(3u13r): Replace with https://github.com/sigstore/sigstore-installer/tree/initial
     # once it has the functionality
     - name: Install Cosign
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
     - name: Install Rekor
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
@@ -91,11 +100,11 @@ runs:
         COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
-        OUTPUT_PATH: ${{ github.workspace }}/${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
+        OUTPUT_PATH: ${{ github.workspace }}/${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}${{ inputs.targetOS == 'windows' && '.exe' || '' }}
       run: |
         echo "$COSIGN_PUBLIC_KEY" > cosign.pub
         # Enabling experimental mode also publishes signature to Rekor
-        COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig"
+        COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig"
         # Verify - As documentation & check
         # Local Signature (input: artifact, key, signature)
         cosign verify-blob --key cosign.pub --signature "${OUTPUT_PATH}.sig" "${OUTPUT_PATH}"

.github/actions/build_debugd/action.yml

@@ -1,28 +0,0 @@
-name: Build debugd
-description: Build the Constellation debugd binary
-
-inputs:
-  outputPath:
-    description: "Output path of the binary"
-    default: "./build/debugd"
-    required: true
-
-# Linux runner only (homedir trick does not work on macOS, required for private runner)
-runs:
-  using: "composite"
-  steps:
-    - name: Build debugd
-      shell: bash
-      env:
-        OUTPUT_PATH: ${{ inputs.outputPath }}
-      run: |
-        echo "::group::Build debugd"
-        mkdir -p "$(dirname "${OUTPUT_PATH}")"
-        label=//debugd/cmd/debugd:debugd_linux_amd64
-        bazel build "${label}"
-        repository_root=$(git rev-parse --show-toplevel)
-        out_rel=$(bazel cquery --output=files "${label}")
-        out_loc="$(realpath "${repository_root}/${out_rel}")"
-        cp "${out_loc}" "${OUTPUT_PATH}"
-        chmod +w "${OUTPUT_PATH}"
-        echo "::endgroup::"

.github/actions/build_disk_mapper/action.yml

@@ -1,28 +0,0 @@
-name: Build disk-mapper
-description: Build the Constellation disk-mapper binary
-
-inputs:
-  outputPath:
-    description: "Output path of the binary"
-    default: "./build/disk-mapper"
-    required: true
-
-# Linux runner only (Docker required)
-runs:
-  using: "composite"
-  steps:
-    - name: Build the disk-mapper
-      shell: bash
-      env:
-        OUTPUT_PATH: ${{ inputs.outputPath }}
-      run: |
-        echo "::group::Build the disk-mapper"
-        mkdir -p "$(dirname "${OUTPUT_PATH}")"
-        label="//disk-mapper/cmd:disk-mapper_linux_amd64"
-        bazel build "${label}"
-        repository_root=$(git rev-parse --show-toplevel)
-        out_rel=$(bazel cquery --output=files "${label}")
-        out_loc="$(realpath "${repository_root}/${out_rel}")"
-        cp "${out_loc}" "${OUTPUT_PATH}"
-        chmod +w "${OUTPUT_PATH}"
-        echo "::endgroup::"

.github/actions/build_ko/action.yml

@@ -1,115 +0,0 @@
-name: Build micro service using Ko
-description: Build and upload a go micro service using ko
-inputs:
-  name:
-    description: "Name of the micro-service"
-    required: true
-  registry:
-    description: "Name of the registry to use"
-    required: false
-    default: "ghcr.io"
-  koConfig:
-    description: "Path to the .ko.yaml config file"
-    required: false
-    default: ".ko.yaml"
-  koTarget:
-    description: "Go package to build with ko"
-    required: true
-  pushTag:
-    description: "Use this image tag"
-    required: true
-  githubToken:
-    description: "GitHub authorization token"
-    required: true
-  generateKoSBOM:
-    description: "Generate unsigned ko SBOM"
-    required: false
-    default: "false"
-
-outputs:
-  container_full:
-    description: "Full container reference"
-    value: ${{ steps.build.container_full }}
-  container_image:
-    description: "Container image"
-    value: ${{ steps.build.outputs.container_image }}
-  container_tag:
-    description: "Container tag"
-    value: ${{ steps.build.container_tag }}
-
-# Linux runner only
-runs:
-  using: "composite"
-  steps:
-    - name: Determine pseudo version
-      if: ${{ !inputs.pushTag}}
-      id: pseudo-version
-      uses: ./.github/actions/pseudo_version
-
-    - name: Setup Go environment
-      uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
-      with:
-        go-version: "1.20.2"
-        cache: true
-
-    - name: Set up ko
-      uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
-      with:
-        ko-version: "v0.12.0"
-
-    - name: Build and upload ko container image
-      id: build
-      shell: bash
-      env:
-        KO_USER: ${{ github.actor }}
-        KO_CONFIG_PATH: ${{ inputs.koConfig }}
-        KO_PASSWORD: ${{ inputs.githubToken }}
-        KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/constellation/${{ inputs.name }}
-      run: |
-        tags=""
-        sbom=""
-
-        if [[ "$(git branch --show-current)" == "${{ github.event.repository.default_branch }}" ]]; then
-          tags="latest"
-        else
-          tags="${{ github.sha }}"
-        fi
-
-        if [[ -n "${{ inputs.pushTag }}" ]]; then
-          if [[ -n "${tags}" ]]; then
-            tags="${tags},${{ inputs.pushTag }}"
-          else
-            tags="${{ inputs.pushTag }}"
-          fi
-        fi
-
-        if [[ -n "${{ steps.pseudo-version.outputs.version }}" ]]; then
-          if [[ -n "${tags}" ]]; then
-            tags="${tags},${{ steps.pseudo-version.outputs.version }}"
-          else
-            tags="${{ steps.pseudo-version.outputs.version }}"
-          fi
-        fi
-
-        if [[ "${{ inputs.generateKoSBOM }}" == "false" ]]; then
-          sbom="--sbom=none"
-        fi
-
-        echo "Building container image with tags: ${tags}"
-        container_full=$(ko build ${{ inputs.koTarget }} --bare --tags "${tags}" ${sbom})
-        container_image=$(echo $container_full | cut -d@ -f1)
-        container_sha256=$(echo $container_full | cut -d: -f2)
-
-        cat <<EOF > container_data_ko.json
-        {
-          "container_full": "${container_full}",
-          "container_image": "${container_image}",
-          "container_sha256": "${container_sha256}"
-        }
-        EOF
-
-    - name: Upload Container Data # since github censors hashes that may share data with secrets, we need to upload the data as an artifact
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-      with:
-        name: container_data_ko
-        path: container_data_ko.json

.github/actions/build_measurement_reader/action.yml

@@ -1,28 +0,0 @@
-name: Build measurement-reader
-description: Build the Constellation measurement-reader binary
-
-inputs:
-  outputPath:
-    description: "Output path of the binary"
-    default: "./build/measurement-reader"
-    required: true
-
-# Linux runner only (Docker required)
-runs:
-  using: "composite"
-  steps:
-    - name: Build the measurement-reader
-      shell: bash
-      env:
-        OUTPUT_PATH: ${{ inputs.outputPath }}
-      run: |
-        echo "::group::Build the measurement-reader"
-        mkdir -p "$(dirname "${OUTPUT_PATH}")"
-        label="//measurement-reader/cmd:measurement-reader_linux_amd64"
-        bazel build "${label}"
-        repository_root=$(git rev-parse --show-toplevel)
-        out_rel=$(bazel cquery --output=files "${label}")
-        out_loc="$(realpath "${repository_root}/${out_rel}")"
-        cp "${out_loc}" "${OUTPUT_PATH}"
-        chmod +w "${OUTPUT_PATH}"
-        echo "::endgroup::"

.github/actions/build_micro_service/action.yml

@@ -42,7 +42,7 @@ runs:
 
     - name: Docker metadata
       id: meta
-      uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
       with:
         images: |
           ghcr.io/${{ github.repository }}/${{ inputs.name }}
@@ -54,7 +54,7 @@ runs:
 
     - name: Log in to the Container registry
       id: docker-login
-      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+      uses: ./.github/actions/container_registry_login
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
@@ -62,7 +62,7 @@ runs:
 
     - name: Build and push container image
       id: build-micro-service
-      uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
       with:
         context: .
         file: ${{ inputs.dockerfile }}

.github/actions/build_micro_service_ko/action.yml

@@ -1,68 +0,0 @@
-name: Build micro service (KO)
-description: Build and upload a container image for a Constellation micro-service
-inputs:
-  name:
-    description: "Name of the micro-service"
-    required: true
-  koConfig:
-    description: "Path to the .ko.yaml config file"
-    default: ".ko.yaml"
-    required: false
-  koTarget:
-    description: "Go package to build with ko"
-    required: true
-  pushTag:
-    description: "Use this image tag"
-    required: false
-  githubToken:
-    description: "GitHub authorization token"
-    required: true
-  generateKoSBOM:
-    description: "Generate unsigned ko SBOM"
-    required: false
-    default: "false"
-  cosignPublicKey:
-    description: "Cosign public key"
-    required: true
-  cosignPrivateKey:
-    description: "Cosign private key"
-    required: true
-  cosignPassword:
-    description: "Password for Cosign private key"
-    required: false
-
-# Linux runner only
-runs:
-  using: "composite"
-  steps:
-    - name: Build and upload container image
-      id: build-and-upload
-      uses: ./.github/actions/build_ko
-      with:
-        name: ${{ inputs.name }}
-        koConfig: ${{ inputs.koConfig }}
-        koTarget: ${{ inputs.koTarget }}
-        pushTag: ${{ inputs.pushTag }}
-        githubToken: ${{ inputs.GITHUB_TOKEN }}
-
-    - name: Download ko Container Data
-      id: download_container_data
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-      with:
-        name: container_data_ko
-        path: CONTAINER_DATA_KO
-
-    - name: Set container url to Github Env
-      shell: bash
-      run: |
-        container_full=$(jq -r .container_full < container_data_ko.json)
-        echo CONTAINER_FULL=$container_full >> $GITHUB_ENV
-
-    - name: Generate SBOM
-      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false'
-      uses: ./.github/actions/container_sbom
-      with:
-        containerReference: ${{ env.CONTAINER_FULL }}
-        cosignPublicKey: ${{ inputs.cosignPublicKey }}
-        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
-        cosignPassword: ${{ inputs.cosignPassword }}

.github/actions/build_operator/action.yml

@@ -1,137 +0,0 @@
-name: Build operator
-description: Build and upload a container image for a Constellation operator
-inputs:
-  name:
-    description: "Name of the operator"
-    required: true
-  sourceDir:
-    description: "Path to the operators source directory"
-    required: true
-  pushTag:
-    description: "Use this image tag"
-    required: false
-  githubToken:
-    description: "GitHub authorization token"
-    required: true
-  cosignPublicKey:
-    description: "Cosign public key"
-    required: false
-  cosignPrivateKey:
-    description: "Cosign private key"
-    required: false
-  cosignPassword:
-    description: "Password for Cosign private key"
-    required: false
-
-# Linux runner only (Docker required)
-runs:
-  using: "composite"
-  steps:
-    - name: Determine pseudo version
-      id: pseudo-version
-      uses: ./.github/actions/pseudo_version
-
-    - name: Install operator-sdk
-      uses: ./.github/actions/install_operator_sdk
-      with:
-        version: v1.22.2
-
-    - name: Log in to the Container registry
-      id: docker-login
-      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ inputs.githubToken }}
-
-    - name: Docker metadata
-      id: meta
-      uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
-      with:
-        images: |
-          ghcr.io/${{ github.repository }}/${{ inputs.name }}
-        tags: |
-          type=raw,value=latest,enable={{is_default_branch}}
-          type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }}
-          type=raw,value=${{ steps.pseudo-version.outputs.version }},enable=${{ '' != steps.pseudo-version.outputs.version }}
-          type=ref,event=branch
-
-    - name: Build and push container image
-      id: build-image
-      uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
-      with:
-        context: .
-        file: ${{ inputs.sourceDir }}/Dockerfile
-        push: true
-        tags: ${{ steps.meta.outputs.tags }}
-
-    - name: Generate SBOM
-      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: ./.github/actions/container_sbom
-      with:
-        containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-image.outputs.digest }}
-        cosignPublicKey: ${{ inputs.cosignPublicKey }}
-        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
-        cosignPassword: ${{ inputs.cosignPassword }}
-
-    - name: Bundle for pseudo version
-      if: steps.pseudo-version.outputs.version != '' && inputs.pushTag == ''
-      shell: bash
-      working-directory: ${{ inputs.sourceDir }}
-      env:
-        VERSION: ${{ steps.pseudo-version.outputs.version }}
-      run: make bundle VERSION=${VERSION#v}
-
-    - name: Bundle for semantic version
-      if: inputs.pushTag != ''
-      shell: bash
-      working-directory: ${{ inputs.sourceDir }}
-      env:
-        VERSION: ${{ inputs.pushTag }}
-      run: make bundle VERSION=${VERSION#v}
-
-    - name: Docker metadata for bundle
-      id: bundle-meta
-      uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
-      with:
-        images: |
-          ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle
-        tags: |
-          type=raw,value=latest,enable={{is_default_branch}}
-          type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }}
-          type=raw,value=${{ steps.pseudo-version.outputs.version }},enable=${{ '' != steps.pseudo-version.outputs.version }}
-          type=ref,event=branch
-
-    - name: Build and push bundle image
-      id: build-image-bundle
-      uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
-      with:
-        context: ${{ inputs.sourceDir }}
-        file: ${{ inputs.sourceDir }}/bundle.Dockerfile
-        push: true
-        tags: ${{ steps.bundle-meta.outputs.tags }}
-
-    - name: Generate Bundle SBOM
-      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: ./.github/actions/container_sbom
-      with:
-        containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle@${{ steps.build-image-bundle.outputs.digest }}
-        cosignPublicKey: ${{ inputs.cosignPublicKey }}
-        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
-        cosignPassword: ${{ inputs.cosignPassword }}
-
-    - name: Build and push catalog for pseudo versions
-      if: steps.pseudo-version.outputs.version != '' && inputs.pushTag == ''
-      shell: bash
-      working-directory: ${{ inputs.sourceDir }}
-      env:
-        VERSION: ${{ steps.pseudo-version.outputs.version }}
-      run: make VERSION=${VERSION#v} catalog-build catalog-push
-
-    - name: Build and push catalog for releases
-      if: inputs.pushTag != ''
-      shell: bash
-      working-directory: ${{ inputs.sourceDir }}
-      env:
-        VERSION: ${{ inputs.pushTag }}
-      run: make VERSION=${VERSION#v} catalog-build catalog-push

.github/actions/build_tf_provider/action.yml

@@ -0,0 +1,43 @@
+name: Build Terraform provider
+description: |
+  Builds Terraform provider binaries cross platform.
+inputs:
+  targetOS:
+    description: "Build for this OS. [linux, darwin, windows]"
+    required: true
+    default: "linux"
+  targetArch:
+    description: "Build for this architecture. [amd64, arm64]"
+    required: true
+    default: "amd64"
+  outputPath:
+    description: "Output path of the binary"
+    required: false
+runs:
+  using: "composite"
+  steps:
+    # https://github.blog/2022-04-12-git-security-vulnerability-announced/
+    - name: Mark repository safe
+      shell: bash
+      run: |
+        git config --global --add safe.directory /__w/constellation/constellation
+
+    - name: Build Binaries
+      shell: bash
+      env:
+        TARGET_GOOS: ${{ inputs.targetOS }}
+        TARGET_GOARCH: ${{ inputs.targetArch }}
+        OUTPUT_PATH: ${{ inputs.outputPath || format('./build/terraform-provider-constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}${{ inputs.targetOS == 'windows' && '.exe' || '' }}
+      run: |
+        echo "::group::Build Terraform provider"
+        mkdir -p "$(dirname "${OUTPUT_PATH}")"
+        label="//terraform-provider-constellation:tf_provider_${TARGET_GOOS}_${TARGET_GOARCH}"
+        bazel build "${label}"
+        repository_root=$(git rev-parse --show-toplevel)
+        out_rel=$(bazel cquery --output=files "${label}")
+        out_loc="$(realpath "${repository_root}/${out_rel}")"
+        cp "${out_loc}" "${OUTPUT_PATH}"
+        chmod +w "${OUTPUT_PATH}"
+        export PATH="$PATH:$(realpath $(dirname "${OUTPUT_PATH}"))"
+        echo "$(realpath $(dirname "${OUTPUT_PATH}"))" >> $GITHUB_PATH
+        echo "::endgroup::"

.github/actions/cdbg_deploy/action.yml

@@ -0,0 +1,120 @@
+name: Cdbg deploy
+description: Deploy the Constellation Bootstrapper to the cluster via the debugd.
+
+inputs:
+  test:
+    description: "The e2e test payload."
+    required: true
+  azureClusterCreateCredentials:
+    description: "Azure credentials authorized to create a Constellation cluster."
+    required: true
+  azureIAMCreateCredentials:
+    description: "Azure credentials authorized to create an IAM configuration."
+    required: true
+  cloudProvider:
+    description: "The cloud provider to use."
+    required: true
+  attestationVariant:
+    description: "Attestation variant of the cluster."
+    required: false
+  kubernetesVersion:
+    description: "Kubernetes version to create the cluster from."
+    required: true
+  refStream:
+    description: "The refStream of the image the test runs on."
+    required: true
+  clusterCreation:
+    description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
+    default: "cli"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Login to Azure (IAM service principal)
+      if: inputs.cloudProvider == 'azure'
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
+
+    - name: Add Azure Keyvault access role
+      if: inputs.cloudProvider == 'azure'
+      shell: bash
+      run: |
+        UAMI=$(yq eval ".provider.azure.userAssignedIdentity" constellation-conf.yaml)
+        PRINCIPAL_ID=$(az identity show --ids "$UAMI" | yq ".principalId")
+        if [ -z "$PRINCIPAL_ID" ]; then
+          echo "::error::PRINCIPAL_ID for \"$UAMI\" not found"
+          echo "::group::Available identities"
+          az identity list | yq ".[].id"
+          echo "::endgroup::"
+          exit 1
+        fi
+        az role assignment create --role "Key Vault Secrets User" \
+          --assignee "$PRINCIPAL_ID" \
+          --scope /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/e2e-test-creds/providers/Microsoft.KeyVault/vaults/opensearch-creds
+
+    - name: Login to Azure (Cluster service principal)
+      if: inputs.cloudProvider == 'azure'
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureClusterCreateCredentials }}
+
+    - name: Login to AWS (IAM service principal)
+      if: inputs.cloudProvider == 'aws'
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
+        aws-region: eu-central-1
+        # extend token expiry to 6 hours to ensure constellation can terminate
+        role-duration-seconds: 21600
+
+    - name: Add AWS Secrets Manager access role
+      if: inputs.cloudProvider == 'aws'
+      shell: bash
+      run: |
+        INSTANCE_PROFILE=$(yq eval ".provider.aws.iamProfileControlPlane" constellation-conf.yaml)
+        ROLE_NAME=$(aws iam get-instance-profile --instance-profile-name "$INSTANCE_PROFILE" | yq ".InstanceProfile.Roles[0].RoleName")
+        aws iam attach-role-policy \
+          --role-name "$ROLE_NAME" \
+          --policy-arn arn:aws:iam::795746500882:policy/GitHubActionsOSCredAccess
+
+    - name: Login to AWS (Cluster service principal)
+      if: inputs.cloudProvider == 'aws'
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
+        aws-region: eu-central-1
+        # extend token expiry to 6 hours to ensure constellation can terminate
+        role-duration-seconds: 21600
+
+    - name: Cdbg deploy
+      shell: bash
+      run: |
+        echo "::group::cdbg deploy"
+        on_error() {
+          echo "::error::cdbg deploy failed"
+        }
+        trap on_error ERR
+        
+        chmod +x $GITHUB_WORKSPACE/build/cdbg
+        cdbg deploy \
+          --bootstrapper "${{ github.workspace }}/build/bootstrapper" \
+          --upgrade-agent "${{ github.workspace }}/build/upgrade-agent" \
+          --info logcollect=true \
+          --info logcollect.github.actor="${{ github.triggering_actor }}" \
+          --info logcollect.github.workflow="${{ github.workflow }}" \
+          --info logcollect.github.run-id="${{ github.run_id }}" \
+          --info logcollect.github.run-attempt="${{ github.run_attempt }}" \
+          --info logcollect.github.ref-name="${{ github.ref_name }}" \
+          --info logcollect.github.sha="${{ github.sha }}" \
+          --info logcollect.github.runner-os="${{ runner.os }}" \
+          --info logcollect.github.e2e-test-payload="${{ inputs.test }}" \
+          --info logcollect.github.is-debug-cluster=false \
+          --info logcollect.github.ref-stream="${{ inputs.refStream }}" \
+          --info logcollect.github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
+          --info logcollect.github.cluster-creation="${{ inputs.clusterCreation }}" \
+          --info logcollect.github.attestation-variant="${{ inputs.attestationVariant }}" \
+          --info logcollect.deployment-type="debugd" \
+          --verbosity=-1 \
+          --force
+        echo "::endgroup::"

.github/actions/check_measurements_reproducibility/action.yml

@@ -0,0 +1,58 @@
+name: Check measurements reproducibility
+description: Check if the measurements of a given release are reproducible.
+
+inputs:
+  version:
+    type: string
+    description: The version of the measurements that are downloaded from the CDN.
+    required: true
+  ref:
+    type: string
+    description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ inputs.ref }}
+        path: ./release
+
+    - name: Set up bazel
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        useCache: "false"
+        nixTools: |
+          systemdUkify
+          jq
+          jd-diff-patch
+          moreutils
+
+    - name: Build images
+      id: build-images
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Build required binaries
+        pushd release
+        bazel build //image/system:stable
+        echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
+        popd
+
+    - name: Download measurements
+      shell: bash
+      run: |
+        curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json
+    
+    - name: Cleanup release measurements and generate our own
+      shell: bash
+      run: |
+        ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
+        
+    - name: Compare measurements
+      shell: bash
+      run: |
+        ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}"

.github/actions/check_measurements_reproducibility/compare_measurements.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# no -e since we need to collect errors later
+# no -u since it interferes with checking associative arrays
+set -o pipefail
+shopt -s extglob
+
+declare -A errors
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  echo "Their measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_their-measurements.json
+  echo "Own measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_own-measurements.json
+
+  diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)"
+  if [[ -n $diff ]]; then
+    errors["$attestationVariant"]="$diff"
+  fi
+done
+
+for attestationVariant in "${!errors[@]}"; do
+  echo "Failed to reproduce measurements for $attestationVariant:"
+  echo "${errors["$attestationVariant"]}" | ts "  "
+done
+
+if [[ ${#errors[@]} -ne 0 ]]; then
+  exit 1
+fi

.github/actions/check_measurements_reproducibility/create_measurements.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+shopt -s extglob
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  csp="$(echo "$dirname" | cut -d_ -f1)"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  # This jq filter selects the measurements for the correct CSP and attestation variant
+  # and then removes all `warnOnly: true` measurements.
+  jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
+    '
+      .list.[]
+      | select(
+        .attestationVariant == $attestation_variant
+        and (.csp | ascii_downcase) == $csp
+      )
+      | .measurements
+      | to_entries
+      | map(select(.value.warnOnly | not))
+      | from_entries
+      | del(.[] .warnOnly)
+  ' \
+    measurements.json > "$attestationVariant"_their-measurements.json
+
+  bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json
+done

.github/actions/constellation_create/action.yml

@@ -1,5 +1,5 @@
 name: Constellation create
-description: Create a new Constellation cluster using latest OS image.
+description: Create a new Constellation cluster using the latest OS image.
 
 inputs:
   workerNodesCount:
@@ -9,11 +9,17 @@ inputs:
     description: "Number of control-plane nodes to spawn."
     required: true
   cloudProvider:
-    description: "Either 'gcp' or 'azure'."
+    description: "Either 'gcp', 'aws' or 'azure'."
+    required: true
+  attestationVariant:
+    description: "Attestation variant to use."
     required: true
   machineType:
     description: "Machine type of VM to spawn."
     required: false
+  cliVersion:
+    description: "Version of the CLI"
+    required: true
   osImage:
     description: "OS image to use."
     required: true
@@ -23,50 +29,47 @@ inputs:
   kubernetesVersion:
     description: "Kubernetes version to create the cluster from."
     required: false
-  keepMeasurements:
+  artifactNameSuffix:
+    description: "Suffix for artifact naming."
+    required: true
+  fetchMeasurements:
     default: "false"
-    description: "Keep measurements embedded in the CLI."
-  existingConfig:
-    default: "false"
-    description: "Use existing config file."
-  #
-  # GCP specific inputs
-  #
-  gcpProject:
-    description: "The GCP project to deploy Constellation in."
+    description: "Update measurements via the 'constellation config fetch-measurements' command."
+  azureSNPEnforcementPolicy:
     required: false
-  gcpClusterServiceAccountKey:
-    description: "The GCP Service account to use inside the created Constellation cluster."
+    description: "Azure SNP enforcement policy."
+  test:
+    description: "The e2e test payload."
+    required: true
+  azureClusterCreateCredentials:
+    description: "Azure credentials authorized to create a Constellation cluster."
+    required: true
+  azureIAMCreateCredentials:
+    description: "Azure credentials authorized to create an IAM configuration."
+    required: true
+  refStream:
+    description: "Reference and stream of the image in use"
     required: false
-  #
-  # Azure specific inputs
-  #
-  azureSubscription:
-    description: "The Azure subscription ID to deploy Constellation in."
+  internalLoadBalancer:
+    description: "Whether to use an internal load balancer for the control plane"
     required: false
-  azureTenant:
-    description: "The Azure tenant ID to deploy Constellation in."
+  clusterCreation:
+    description: "How to create infrastructure for the e2e test. One of [cli, terraform]."
+    default: "cli"
+  marketplaceImageVersion:
+    description: "Marketplace OS image version. Used instead of osImage."
     required: false
-  azureClientID:
-    description: "The Azure client ID of the application registration created for Constellation."
-    required: false
-  azureClientSecret:
-    description: "The Azure client secret value of the used secret."
-    required: false
-  azureUserAssignedIdentity:
-    description: "The Azure user assigned identity to use for Constellation."
-    required: false
-  azureResourceGroup:
-    description: "The Azure resource group to use for Constellation cluster"
+  force:
+    description: "Set the force-flag on apply to ignore version mismatches."
     required: false
+  encryptionSecret:
+    description: "The secret to use for encrypting the artifact."
+    required: true
 
 outputs:
   kubeconfig:
     description: "The kubeconfig for the cluster."
-    value: ${{ steps.constellation-init.outputs.KUBECONFIG }}
-  masterSecret:
-    description: "The master-secret for the cluster."
-    value: ${{ steps.constellation-init.outputs.MASTERSECRET }}
+    value: ${{ steps.get-kubeconfig.outputs.KUBECONFIG }}
   osImageUsed:
     description: "The OS image used in the cluster."
     value: ${{ steps.setImage.outputs.image }}
@@ -74,65 +77,21 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Constellation config generate
+    - name: Set constellation name
       shell: bash
-      if: inputs.existingConfig != 'true'
       run: |
-        if [[ -n "${{ inputs.kubernetesVersion }}" ]]; then
-          constellation config generate ${{ inputs.cloudProvider }} --kubernetes="${{ inputs.kubernetesVersion }}" --debug
-        else
-          constellation config generate ${{ inputs.cloudProvider }} --debug
-        fi
-
         yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml
 
-        yq eval -i \
-          "(.provider | select(. | has(\"azure\")).azure.subscription) = \"${{ inputs.azureSubscription }}\" |
-            (.provider | select(. | has(\"azure\")).azure.tenant) = \"${{ inputs.azureTenant }}\" |
-            (.provider | select(. | has(\"azure\")).azure.location) = \"West US\" |
-            (.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"${{ inputs.azureUserAssignedIdentity }}\" |
-            (.provider | select(. | has(\"azure\")).azure.resourceGroup) = \"${{ inputs.azureResourceGroup }}\" |
-            (.provider | select(. | has(\"azure\")).azure.appClientID) = \"${{ inputs.azureClientID }}\" |
-            (.provider | select(. | has(\"azure\")).azure.clientSecretValue) = \"${{ inputs.azureClientSecret }}\"" \
-          constellation-conf.yaml
-
-        yq eval -i \
-          "(.provider | select(. | has(\"gcp\")).gcp.project) = \"${{ inputs.gcpProject }}\" |
-            (.provider | select(. | has(\"gcp\")).gcp.region) = \"europe-west3\" |
-            (.provider | select(. | has(\"gcp\")).gcp.zone) = \"europe-west3-b\" |
-            (.provider | select(. | has(\"gcp\")).gcp.serviceAccountKeyPath) = \"serviceAccountKey.json\"" \
-          constellation-conf.yaml
-
-        yq eval -i \
-          "(.provider | select(. | has(\"aws\")).aws.region) = \"eu-central-1\" |
-            (.provider | select(. | has(\"aws\")).aws.zone) = \"eu-central-1c\" |
-            (.provider | select(. | has(\"aws\")).aws.iamProfileControlPlane) = \"e2e_test_control_plane_instance_profile\" |
-            (.provider | select(. | has(\"aws\")).aws.iamProfileWorkerNodes) = \"e2e_test_worker_node_instance_profile\"" \
-          constellation-conf.yaml
-
-        if [[ -n "${{ inputs.kubernetesVersion }}" ]]; then
-          yq eval -i "(.kubernetesVersion) = \"${{ inputs.kubernetesVersion }}\"" constellation-conf.yaml
-        fi
-
-    - name: Remove embedded measurements
-      if: inputs.keepMeasurements == 'false'
+    - name: Set Azure SNP enforcement policy
+      if: inputs.azureSNPEnforcementPolicy != ''
       shell: bash
       run: |
-        yq eval -i \
-          "(.provider | select(. | has(\"aws\")).aws.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-          constellation-conf.yaml
-
-        yq eval -i \
-          "(.provider | select(. | has(\"azure\")).azure.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-          constellation-conf.yaml
-
-        yq eval -i \
-          "(.provider | select(. | has(\"gcp\")).gcp.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}"\
-          constellation-conf.yaml
-
-        yq eval -i \
-          "(.provider | select(. | has(\"qemu\")).qemu.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-          constellation-conf.yaml
+        if [[ ${{ inputs.attestationVariant }} != 'azure-sev-snp' ]]; then
+          echo "SNP enforcement policy is only supported for Azure"
+          exit 1
+        fi
+        yq eval -i "(.attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy) \
+          = \"${{ inputs.azureSNPEnforcementPolicy }}\"" constellation-conf.yaml
 
     - name: Set image
       id: setImage
@@ -150,21 +109,44 @@ runs:
         yq eval -i "(.image) = \"${imageInput}\"" constellation-conf.yaml
         echo "image=${imageInput}" | tee -a "$GITHUB_OUTPUT"
 
+    - name: Set marketplace image flag (AWS)
+      if: inputs.marketplaceImageVersion != '' && inputs.cloudProvider == 'aws'
+      shell: bash
+      run: |
+        yq eval -i "(.provider.aws.useMarketplaceImage) = true" constellation-conf.yaml
+        yq eval -i "(.image) = \"${{ inputs.marketplaceImageVersion }}\"" constellation-conf.yaml
+
+    - name: Set marketplace image flag (Azure)
+      if: inputs.marketplaceImageVersion != '' && inputs.cloudProvider == 'azure'
+      shell: bash
+      run: |
+        yq eval -i "(.provider.azure.useMarketplaceImage) = true" constellation-conf.yaml
+        yq eval -i "(.image) = \"${{ inputs.marketplaceImageVersion }}\"" constellation-conf.yaml
+
+    - name: Set marketplace image flag (GCP)
+      if: inputs.marketplaceImageVersion != '' && inputs.cloudProvider == 'gcp'
+      shell: bash
+      run: |
+        yq eval -i "(.provider.gcp.useMarketplaceImage) = true" constellation-conf.yaml
+        yq eval -i "(.image) = \"${{ inputs.marketplaceImageVersion }}\"" constellation-conf.yaml
+
+    - name: Update measurements for non-stable images
+      if: inputs.fetchMeasurements
+      shell: bash
+      run: |
+        constellation config fetch-measurements --debug --insecure
+
     - name: Set instanceType
       if: inputs.machineType && inputs.machineType != 'default'
       shell: bash
       run: |
-        yq eval -i "(.provider | select(. | has(\"azure\")).azure.instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml
-        yq eval -i "(.provider | select(. | has(\"gcp\")).gcp.instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml
-        yq eval -i "(.provider | select(. | has(\"aws\")).aws.instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml
+        yq eval -i "(.nodeGroups[] | .instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml
 
-    - name: Create serviceAccountKey.json
-      if: inputs.cloudProvider == 'gcp' && !inputs.existingConfig # Skip if using existing config. serviceAccountKey.json is already present in that case.
+    - name: Set node count
       shell: bash
-      env:
-        GCP_CLUSTER_SERVICE_ACCOUNT_KEY: ${{ inputs.gcpClusterServiceAccountKey }}
       run: |
-        echo "$GCP_CLUSTER_SERVICE_ACCOUNT_KEY" > serviceAccountKey.json
+        yq eval -i "(.nodeGroups[] | select(.role == \"control-plane\") | .initialCount) = ${{ inputs.controlNodesCount }}" constellation-conf.yaml
+        yq eval -i "(.nodeGroups[] | select(.role == \"worker\") | .initialCount) = ${{ inputs.workerNodesCount }}" constellation-conf.yaml
 
     - name: Enable debugCluster flag
       if: inputs.isDebugImage == 'true'
@@ -172,74 +154,79 @@ runs:
       run: |
         yq eval -i '(.debugCluster) = true' constellation-conf.yaml
 
-    # Uses --force flag since the CLI currently does not have a pre-release version and is always on the latest released version.
-    # However, many of our pipelines work on prerelease images. Thus the used images are newer than the CLI's version.
-    # This makes the version validation in the CLI fail.
-    - name: Constellation create
+    - name: Enable internalLoadBalancer flag
+      if: inputs.internalLoadBalancer == 'true'
+      shell: bash
+      run: |
+        yq eval -i '(.internalLoadBalancer) = true' constellation-conf.yaml
+
+    - name: Show Cluster Configuration
       shell: bash
       run: |
         echo "Creating cluster using config:"
         cat constellation-conf.yaml
         sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true
-        constellation create -c ${{ inputs.controlNodesCount }} -w ${{ inputs.workerNodesCount }} -y --force --debug
+
+    - name: Constellation create (CLI)
+      shell: bash
+      run: |
+        constellation apply --skip-phases=init,attestationconfig,certsans,helm,image,k8s -y --debug --tf-log=DEBUG
 
     - name: Cdbg deploy
       if: inputs.isDebugImage == 'true'
+      uses: ./.github/actions/cdbg_deploy
+      with:
+        cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
+        test: ${{ inputs.test }}
+        azureClusterCreateCredentials: ${{ inputs.azureClusterCreateCredentials }}
+        azureIAMCreateCredentials: ${{ inputs.azureIAMCreateCredentials }}
+        refStream: ${{ inputs.refStream }}
+        kubernetesVersion: ${{ inputs.kubernetesVersion }}
+        clusterCreation: ${{ inputs.clusterCreation }}
+
+    - name: Set force flag
+      id: set-force-flag
+      if: inputs.force == 'true'
       shell: bash
       run: |
-        echo "::group::cdbg deploy"
-        chmod +x $GITHUB_WORKSPACE/build/cdbg
-        cdbg deploy \
-          --bootstrapper "${{ github.workspace }}/build/bootstrapper" \
-          --upgrade-agent "${{ github.workspace }}/build/upgrade-agent" \
-          --info logcollect=true \
-          --info logcollect.github.actor="${{ github.triggering_actor }}" \
-          --info logcollect.github.workflow="${{ github.workflow }}" \
-          --info logcollect.github.run-id="${{ github.run_id }}" \
-          --info logcollect.github.run-attempt="${{ github.run_attempt }}" \
-          --info logcollect.github.ref-name="${{ github.ref_name }}" \
-          --info logcollect.github.sha="${{ github.sha }}" \
-          --info logcollect.github.runner-os="${{ runner.os }}" \
-          --force
-        echo "::endgroup::"
+        echo "flag=--force" | tee -a $GITHUB_OUTPUT
 
-    - name: Constellation init
-      id: constellation-init
+    - name: Set conformance flag
+      id: set-conformance-flag
+      if: inputs.test == 'sonobuoy conformance'
       shell: bash
       run: |
-        constellation init --force --debug
-        echo "KUBECONFIG=$(pwd)/constellation-admin.conf" >> $GITHUB_OUTPUT
-        echo "MASTERSECRET=$(pwd)/constellation-mastersecret.json" >> $GITHUB_OUTPUT
+        echo "flag=--conformance" | tee -a $GITHUB_OUTPUT
+
+    - name: Constellation apply (Terraform)
+      id: constellation-apply-terraform
+      if: inputs.clusterCreation == 'terraform'
+      uses: ./.github/actions/terraform_apply
+      with:
+        cloudProvider: ${{ inputs.cloudProvider }}
+
+    - name: Constellation apply
+      id: constellation-apply-cli
+      if: inputs.clusterCreation != 'terraform'
+      shell: bash
+      run: |
+        constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }} ${{ steps.set-conformance-flag.outputs.flag }}
+
+    - name: Get kubeconfig
+      id: get-kubeconfig
+      shell: bash
+      run: |
+        echo "KUBECONFIG=$(pwd)/constellation-admin.conf" | tee -a $GITHUB_OUTPUT
 
-    # TODO(nirusu): Temporarily increase kubectl wait timeout here - might be related to all the Cilium / cert-manager issues?
     - name: Wait for nodes to join and become ready
       shell: bash
       env:
-        KUBECONFIG: "${{ steps.constellation-init.outputs.KUBECONFIG }}"
+        KUBECONFIG: "${{ steps.get-kubeconfig.outputs.KUBECONFIG }}"
         JOINTIMEOUT: "1200" # 20 minutes timeout for all nodes to join
-      run: |
-        echo "::group::Wait for nodes"
-        NODES_COUNT=$((${{ inputs.controlNodesCount }} + ${{ inputs.workerNodesCount }}))
-        JOINWAIT=0
-        until [[ "$(kubectl get nodes -o json | jq '.items | length')" == "${NODES_COUNT}" ]] || [[ $JOINWAIT -gt $JOINTIMEOUT ]];
-        do
-            echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined.. waiting.."
-            JOINWAIT=$((JOINWAIT+30))
-            sleep 30
-        done
-        if [[ $JOINWAIT -gt $JOINTIMEOUT ]]; then
-            echo "Timed out waiting for nodes to join"
-            exit 1
-        fi
-        echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined"
-        if ! kubectl wait --for=condition=ready --all nodes --timeout=20m; then
-          kubectl get pods -n kube-system
-          kubectl get events -n kube-system
-          echo "::error::kubectl wait timed out before all nodes became ready"
-          echo "::endgroup::"
-          exit 1
-        fi
-        echo "::endgroup::"
+        CONTROL_NODES_COUNT: "${{ inputs.controlNodesCount }}"
+        WORKER_NODES_COUNT: "${{ inputs.workerNodesCount }}"
+      run: ./.github/actions/constellation_create/wait-for-nodes.sh
 
     - name: Download boot logs
       if: always()
@@ -249,23 +236,51 @@ runs:
         CSP: ${{ inputs.cloudProvider }}
       run: |
         echo "::group::Download boot logs"
+        CONSTELL_UID=$(yq '.infrastructure.uid' constellation-state.yaml)
         case $CSP in
           azure)
             AZURE_RESOURCE_GROUP=$(yq eval ".provider.azure.resourceGroup" constellation-conf.yaml)
             ./.github/actions/constellation_create/az-logs.sh ${AZURE_RESOURCE_GROUP}
             ;;
           gcp)
-            ./.github/actions/constellation_create/gcp-logs.sh
+            GCP_ZONE=$(yq eval ".provider.gcp.zone" constellation-conf.yaml)
+            ./.github/actions/constellation_create/gcp-logs.sh ${GCP_ZONE} ${CONSTELL_UID}
             ;;
           aws)
-            ./.github/actions/constellation_create/aws-logs.sh eu-central-1
+            ./.github/actions/constellation_create/aws-logs.sh us-east-2 ${CONSTELL_UID}
             ;;
         esac
         echo "::endgroup::"
 
     - name: Upload boot logs
       if: always() && !env.ACT
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      continue-on-error: true
+      uses: ./.github/actions/artifact_upload
       with:
-        name: serial-logs-${{ inputs.cloudProvider }}
-        path: "*.log"
+        name: debug-logs-${{ inputs.artifactNameSuffix }}
+        path: |
+          *.log
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+
+    - name: Prepare terraform state folders
+      if: always()
+      shell: bash
+      run: |
+        mkdir to-zip
+        cp -r constellation-terraform to-zip
+        # constellation-iam-terraform is optional
+        if [ -d constellation-iam-terraform ]; then
+          cp -r constellation-iam-terraform to-zip
+        fi
+        rm -f to-zip/constellation-terraform/plan.zip
+        rm -rf to-zip/*/.terraform
+
+    - name: Upload terraform state
+      if: always()
+      uses: ./.github/actions/artifact_upload
+      with:
+        name: terraform-state-${{ inputs.artifactNameSuffix }}
+        path: >
+          to-zip/constellation-terraform
+          to-zip/constellation-iam-terraform
+        encryptionSecret: ${{ inputs.encryptionSecret }}

.github/actions/constellation_create/aws-logs.sh

@@ -6,53 +6,39 @@ set -euo pipefail
 shopt -s inherit_errexit
 
 echo "Using AWS region: ${1}"
-
-pushd constellation-terraform
-controlAutoscalingGroup=$(
-  terraform show -json |
-    jq -r .'values.root_module.child_modules[] |
-        select(.address == "module.instance_group_control_plane") |
-        .resources[0].values.name'
-)
-workerAutoscalingGroup=$(
-  terraform show -json |
-    jq -r .'values.root_module.child_modules[] |
-        select(.address == "module.instance_group_worker_nodes") |
-        .resources[0].values.name'
-)
-popd
+echo "Using Constellation UID: ${2}"
 
 controlInstances=$(
-  aws autoscaling describe-auto-scaling-groups \
+  aws ec2 describe-instances \
+    --filters "Name=tag:constellation-uid,Values=${2}" "Name=tag:constellation-role,Values=control-plane" \
     --region "${1}" \
     --no-paginate \
-    --output json \
-    --auto-scaling-group-names "${controlAutoscalingGroup}" |
-    jq -r '.AutoScalingGroups[0].Instances[].InstanceId'
+    --output json |
+    yq eval '.Reservations[].Instances[].InstanceId' -
 )
 workerInstances=$(
-  aws autoscaling describe-auto-scaling-groups \
+  aws ec2 describe-instances \
+    --filters "Name=tag:constellation-uid,Values=${2}" "Name=tag:constellation-role,Values=worker" \
     --region "${1}" \
     --no-paginate \
-    --output json \
-    --auto-scaling-group-names "${workerAutoscalingGroup}" |
-    jq -r '.AutoScalingGroups[0].Instances[].InstanceId'
+    --output json |
+    yq eval '.Reservations[].Instances[].InstanceId' -
 )
 
-echo "Fetching logs from control planes: ${controlInstances}"
+for flag in "" "--latest"; do
+  echo "Fetching ${flag} logs from control planes"
+  for instance in ${controlInstances}; do
+    printf "Fetching for %s\n" "${instance}"
+    aws ec2 get-console-output "${flag}" --region "${1}" --instance-id "${instance}" |
+      jq -r .'Output' |
+      tail -n +2 > "control-plane-${instance}${flag}.log"
+  done
 
-for instance in ${controlInstances}; do
-  printf "Fetching for %s\n" "${instance}"
-  aws ec2 get-console-output --region "${1}" --instance-id "${instance}" |
-    jq -r .'Output' |
-    tail -n +2 > control-plane-"${instance}".log
-done
-
-echo "Fetching logs from worker nodes: ${workerInstances}"
-
-for instance in ${workerInstances}; do
-  printf "Fetching for %s\n" "${instance}"
-  aws ec2 get-console-output --region "${1}" --instance-id "${instance}" |
-    jq -r .'Output' |
-    tail -n +2 > worker-"${instance}".log
+  echo "Fetching ${flag} logs from worker nodes"
+  for instance in ${workerInstances}; do
+    printf "Fetching for %s\n" "${instance}"
+    aws ec2 get-console-output "${flag}" --region "${1}" --instance-id "${instance}" |
+      jq -r .'Output' |
+      tail -n +2 > "worker-${instance}${flag}.log"
+  done
 done

.github/actions/constellation_create/az-logs.sh

@@ -7,8 +7,8 @@ printf "Fetching logs of instances in resource group %s\n" "${1}"
 
 # get list of all scale sets
 scalesetsjson=$(az vmss list --resource-group "${1}" -o json)
-scalesetslist=$(echo "${scalesetsjson}" | jq -r '.[] | .name')
-subscription=$(az account show | jq -r .id)
+scalesetslist=$(echo "${scalesetsjson}" | yq eval '.[] | .name' -)
+subscription=$(az account show | yq eval .id -)
 
 printf "Checking scalesets %s\n" "${scalesetslist}"
 
@@ -18,7 +18,7 @@ for scaleset in ${scalesetslist}; do
       --resource-group "${1}" \
       --name "${scaleset}" \
       -o json |
-      jq -r '.[] | .instanceId'
+      yq eval '.[] | .instanceId' -
   )
   printf "Checking instance IDs %s\n" "${instanceids}"
   for instanceid in ${instanceids}; do
@@ -26,7 +26,7 @@ for scaleset in ${scalesetslist}; do
       az rest \
         --method post \
         --url https://management.azure.com/subscriptions/"${subscription}"/resourceGroups/"${1}"/providers/Microsoft.Compute/virtualMachineScaleSets/"${scaleset}"/virtualmachines/"${instanceid}"/retrieveBootDiagnosticsData?api-version=2022-03-01 |
-        jq '.serialConsoleLogBlobUri' -r
+        yq eval '.serialConsoleLogBlobUri' -
     )
     sleep 4
     curl -fsSL -o "./${scaleset}-${instanceid}.log" "${bloburi}"

.github/actions/constellation_create/gcp-logs.sh

@@ -3,49 +3,19 @@
 set -euo pipefail
 shopt -s inherit_errexit
 
-pushd constellation-terraform
-controlInstanceGroup=$(
-  terraform show -json |
-    jq -r .'values.root_module.child_modules[] |
-    select(.address == "module.instance_group_control_plane") |
-    .resources[0].values.base_instance_name'
-)
-workerInstanceGroup=$(
-  terraform show -json |
-    jq -r .'values.root_module.child_modules[] |
-    select(.address == "module.instance_group_worker") |
-     .resources[0].values.base_instance_name'
-)
-zone=$(
-  terraform show -json |
-    jq -r .'values.root_module.child_modules[] |
-    select(.address == "module.instance_group_control_plane") |
-     .resources[0].values.zone'
-)
-popd
+echo "Using Zone: ${1}"
+echo "Using Constellation UID: ${2}"
 
-controlInstances=$(
-  gcloud compute instance-groups managed list-instances "${controlInstanceGroup##*/}" \
-    --zone "${zone}" \
-    --format=json |
-    jq -r '.[] | .instance'
+allInstances=$(
+  gcloud compute instances list \
+    --filter="labels.constellation-uid=${2}" \
+    --format=json | yq eval '.[] | .name' -
 )
-workerInstances=$(
-  gcloud compute instance-groups managed list-instances "${workerInstanceGroup##*/}" \
-    --zone "${zone}" \
-    --format=json |
-    jq -r '.[] | .instance'
-)
-
-allInstances="${controlInstances} ${workerInstances}"
-
-printf "Fetching logs for %s and %s\n" "${controlInstances}" "${workerInstances}"
 
 for instance in ${allInstances}; do
-  shortName=${instance##*/}
-  printf "Fetching for %s\n" "${shortName}"
+  printf "Fetching for %s\n" "${instance}"
   gcloud compute instances get-serial-port-output "${instance}" \
     --port 1 \
     --start 0 \
-    --zone "${zone}" > "${shortName}".log
+    --zone "${1}" > "${instance}".log
 done

.github/actions/constellation_create/wait-for-nodes.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# We don't want to abort the script if there's a transient error in kubectl.
+set +e
+set -uo pipefail
+
+NODES_COUNT=$((CONTROL_NODES_COUNT + WORKER_NODES_COUNT))
+JOINWAIT=0
+
+# Reports how many nodes are registered and fulfill condition=ready.
+num_nodes_ready() {
+  kubectl get nodes -o json |
+    jq '.items | map(select(.status.conditions[] | .type == "Ready" and .status == "True")) | length'
+}
+
+# Reports how many API server pods are ready.
+num_apiservers_ready() {
+  kubectl get pods -n kube-system -l component=kube-apiserver -o json |
+    jq '.items | map(select(.status.conditions[] | .type == "Ready" and .status == "True")) | length'
+}
+
+# Prints node joining progress.
+report_join_progress() {
+  echo -n "nodes_joined=$(kubectl get nodes -o json | jq '.items | length')/${NODES_COUNT} "
+  echo -n "nodes_ready=$(num_nodes_ready)/${NODES_COUNT} "
+  echo "api_servers_ready=$(num_apiservers_ready)/${CONTROL_NODES_COUNT} ..."
+}
+
+# Indicates by exit code whether the cluster is ready, i.e. all nodes and API servers are ready.
+cluster_ready() {
+  [[ "$(num_nodes_ready)" == "${NODES_COUNT}" && "$(num_apiservers_ready)" == "${CONTROL_NODES_COUNT}" ]]
+}
+
+echo "::group::Wait for nodes"
+until cluster_ready || [[ ${JOINWAIT} -gt ${JOINTIMEOUT} ]]; do
+  report_join_progress
+  JOINWAIT=$((JOINWAIT + 30))
+  sleep 30
+done
+report_join_progress
+if [[ ${JOINWAIT} -gt ${JOINTIMEOUT} ]]; then
+  set -x
+  kubectl get nodes -o wide
+  kubectl get pods -n kube-system -o wide
+  kubectl get events -n kube-system
+  set +x
+  echo "::error::timeout reached before all nodes became ready"
+  echo "::endgroup::"
+  exit 1
+fi
+echo "::endgroup::"

.github/actions/constellation_destroy/action.yml

@@ -5,14 +5,26 @@ inputs:
   kubeconfig:
     description: "The kubeconfig for the cluster."
     required: true
+  clusterCreation:
+    description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
+    default: "cli"
+  gcpClusterDeleteServiceAccount:
+    description: "Service account with permissions to delete a Constellation cluster on GCP."
+    required: true
+  azureClusterDeleteCredentials:
+    description: "Azure credentials authorized to delete a Constellation cluster."
+    required: true
+  cloudProvider:
+    description: "Either 'aws', 'azure' or 'gcp'."
+    required: true
 
 runs:
   using: "composite"
   steps:
     - name: Delete persistent volumes
       if: inputs.kubeconfig != ''
-      continue-on-error: true
       shell: bash
+      continue-on-error: true
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
         PV_DELETION_TIMEOUT: "120" # 2 minutes timeout for pv deletion
@@ -23,6 +35,14 @@ runs:
         # Scrap namespaces that contain PVCs
         for namespace in `kubectl get namespace --no-headers=true -o custom-columns=":metadata.name"`; do
           if [[ `kubectl get pvc -n $namespace --no-headers=true -o custom-columns=":metadata.name" | wc -l` -gt 0 ]]; then
+            if [[ "${namespace}" == "default" ]]; then
+              kubectl delete all --all --namespace "default" --wait
+              continue
+            fi
+            if [[ "${namespace}" == "kube-system" ]]; then
+              kubectl delete pvc --all --namespace "kube-system" --wait
+              continue
+            fi
             kubectl delete namespace $namespace --wait
           fi
         done
@@ -39,6 +59,28 @@ runs:
         fi
         echo "::endgroup::"
 
+    - name: Login to GCP (Cluster service account)
+      if: inputs.cloudProvider == 'gcp'
+      uses: ./.github/actions/login_gcp
+      with:
+        service_account: ${{ inputs.gcpClusterDeleteServiceAccount }}
+
+    - name: Login to AWS (Cluster role)
+      if: inputs.cloudProvider == 'aws'
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
+        aws-region: eu-central-1
+        # extend token expiry to 6 hours to ensure constellation can terminate
+        role-duration-seconds: 21600
+
+    - name: Login to Azure (Cluster service principal)
+      if: inputs.cloudProvider == 'azure'
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureClusterDeleteCredentials }}
+
     - name: Constellation terminate
       shell: bash
-      run: constellation terminate --yes
+      run: |
+        constellation terminate --yes --tf-log=DEBUG

.github/actions/constellation_iam_create/action.yml

@@ -3,29 +3,36 @@ description: Create IAM configuration for a Constellation cluster.
 
 inputs:
   cloudProvider:
-      description: "Either 'aws', 'azure' or 'gcp'."
-      required: true
+    description: "Either 'aws', 'azure' or 'gcp'."
+    required: true
+  attestationVariant:
+    description: "The attestation variant to use."
+    required: true
+  kubernetesVersion:
+    description: "Kubernetes version to create the cluster from."
+    required: false
+  namePrefix:
+    description: "Name prefix to use for resources."
+    required: true
+  additionalTags:
+    description: "Additional resource tags that will be written into the constellation configuration."
+    default: ""
+    required: false
   #
   # AWS specific inputs
   #
   awsZone:
     description: "AWS zone to deploy Constellation in."
     required: false
-  awsPrefix:
-    description: "name prefix to use for the AWS resources."
-    required: false
   #
   # Azure specific inputs
   #
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureRegion:
     description: "Azure region to deploy Constellation in."
     required: false
-  azureResourceGroup:
-    description: "Name of the Azure resource group being created."
-    required: false
-  azureServicePrincipal:
-    description: "Name of the Azure service principal being created."
-    required: false
   #
   # GCP specific inputs
   #
@@ -35,49 +42,85 @@ inputs:
   gcpZone:
     description: "The GCP zone to deploy Constellation in."
     required: false
-  gcpServiceAccountID:
-    description: "ID of the GCP service account being created."
+  #
+  # STACKIT specific inputs
+  #
+  stackitZone:
+    description: "The STACKIT zone to deploy Constellation in."
+    required: false
+  stackitProjectID:
+    description: "The STACKIT project ID to deploy Constellation in."
     required: false
-
-outputs:
-  existingConfig:
-    description: "Whether a configuration file has been created to be used in the next step."
-    value: ${{ steps.setExistingConfig.outputs.existingConfig }}
 
 runs:
   using: "composite"
   steps:
+    - name: Generate config
+      id: generate-config
+      shell: bash
+      run: |
+        kubernetesFlag=""
+        if [[ ! -z "${{ inputs.kubernetesVersion }}" ]]; then
+          kubernetesFlag="--kubernetes=${{ inputs.kubernetesVersion }}"
+        fi
+
+        # TODO(v2.17): Remove this fallback and always use --tags flag
+        tagsFlag=""
+        if constellation config generate --help | grep -q -- --tags; then
+          tagsFlag="--tags=\"${{ inputs.additionalTags }}\""
+        fi
+
+        echo "flag=--update-config" | tee -a "$GITHUB_OUTPUT"
+        constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag} --attestation ${{ inputs.attestationVariant }} ${tagsFlag}
+
     - name: Constellation iam create aws
       shell: bash
       if: inputs.cloudProvider == 'aws'
       run: |
         constellation iam create aws \
-          --zone=${{ inputs.awsZone }} \
-          --prefix=${{ inputs.awsPrefix }} \
-          --generate-config --yes
+          --zone="${{ inputs.awsZone }}" \
+          --prefix="${{ inputs.namePrefix }}" \
+          --update-config \
+          --tf-log=DEBUG \
+          --yes
 
     - name: Constellation iam create azure
       shell: bash
       if: inputs.cloudProvider == 'azure'
       run: |
-        constellation iam create azure \
-          --region=${{ inputs.azureRegion }} \
-          --resourceGroup=${{ inputs.azureResourceGroup }} \
-          --servicePrincipal=${{ inputs.azureServicePrincipal }} \
-          --generate-config --yes
+        extraFlags=""
 
+        if [[ $(constellation iam create azure --help | grep -c -- --subscriptionID) -ne 0 ]]; then
+          extraFlags="--subscriptionID=${{ inputs.azureSubscriptionID }}"
+        fi
+
+        constellation iam create azure \
+          --region="${{ inputs.azureRegion }}" \
+          --resourceGroup="${{ inputs.namePrefix }}-rg" \
+          --servicePrincipal="${{ inputs.namePrefix }}-sp" \
+          --update-config \
+          --tf-log=DEBUG \
+          --yes ${extraFlags}
+
+    # TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix
     - name: Constellation iam create gcp
       shell: bash
       if: inputs.cloudProvider == 'gcp'
       run: |
         constellation iam create gcp \
-          --projectID=${{ inputs.gcpProjectID }} \
-          --zone=${{ inputs.gcpZone }} \
-          --serviceAccountID=${{ inputs.gcpServiceAccountID }} \
-          --generate-config --yes
+          --projectID="${{ inputs.gcpProjectID }}" \
+          --zone="${{ inputs.gcpZone }}" \
+          --serviceAccountID="${{ inputs.namePrefix }}-sa" \
+          --update-config \
+          --tf-log=DEBUG \
+          --yes
 
-    - name: Set existing config
-      id: setExistingConfig
+    - name: Set STACKIT-specific configuration
       shell: bash
+      if: inputs.cloudProvider == 'stackit'
+      env:
+        STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }}
       run: |
-        echo "existingConfig=true" >> $GITHUB_OUTPUT
+        yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml
+        yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
+        yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml

.github/actions/constellation_iam_destroy/action.yml

@@ -1,10 +1,42 @@
 name: Delete IAM configuration
 description: Delete previously created IAM configuration.
 
+inputs:
+  cloudProvider:
+    description: "Either 'aws', 'azure' or 'gcp'."
+    required: true
+  gcpServiceAccount:
+    description: "GCP service account to use for authentication."
+    required: false
+  azureCredentials:
+    description: "Azure service principal to use for authentication."
+    required: false
+
 runs:
   using: "composite"
   steps:
+    - name: Login to GCP (IAM service account)
+      if: inputs.cloudProvider == 'gcp'
+      uses: ./.github/actions/login_gcp
+      with:
+        service_account: ${{ inputs.gcpServiceAccount }}
+
+    - name: Login to AWS (IAM role)
+      if: inputs.cloudProvider == 'aws'
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
+        aws-region: eu-central-1
+        # extend token expiry to 6 hours to ensure constellation can terminate
+        role-duration-seconds: 21600
+
+    - name: Login to Azure (IAM service principal)
+      if: inputs.cloudProvider == 'azure'
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureCredentials }}
+
     - name: Delete IAM configuration
       shell: bash
       run: |
-        constellation iam destroy --yes
+        constellation iam destroy --yes --tf-log=DEBUG

.github/actions/constellation_iam_upgrade/action.yml

@@ -0,0 +1,9 @@
+name: Constellation IAM upgrade
+description: Upgrade IAM configuration for a Constellation cluster.
+runs:
+  using: "composite"
+  steps:
+    - name: Constellation iam upgrade aws
+      shell: bash
+      run: |
+        constellation iam upgrade apply --yes --debug

.github/actions/container_registry_login/action.yml

@@ -0,0 +1,35 @@
+name: Create container registry login credentials file
+description: Delete previously created IAM configuration.
+
+inputs:
+  registry:
+    description: "Container registry to use"
+    required: true
+  username:
+    description: "Username used for authentication."
+    required: true
+  password:
+    description: "Password used for authentication."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Use docker for logging in
+      if: runner.os != 'macOS'
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+
+    - name: Manually create docker config.json
+      if: runner.os == 'macOS'
+      shell: bash
+      env:
+        REGISTRY: ${{ inputs.registry }}
+        USERNAME: ${{ inputs.username }}
+        PASSWORD: ${{ inputs.password }}
+      run: |
+        mkdir -p ~/.docker
+        echo "{\"auths\":{\"${REGISTRY}\":{\"username\":\"${USERNAME}\",\"password\":\"${PASSWORD}\"}}}"  | tee ~/.docker/config.json

.github/actions/container_sbom/action.yml

@@ -19,7 +19,7 @@ runs:
   steps:
     - name: Install Cosign
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
     - name: Download Syft & Grype
       uses: ./.github/actions/install_syft_grype
@@ -27,7 +27,6 @@ runs:
     - name: Generate SBOM
       shell: bash
       env:
-        # COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404
         COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
@@ -37,7 +36,7 @@ runs:
         syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json
         cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type "https://cyclonedx.org/bom" > container-image.att.json
         cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
-        # TODO: type should be auto-discovered after issue is resolved:
+        # TODO(3u13r): type should be auto-discovered after issue is resolved:
         # https://github.com/sigstore/cosign/issues/2264
         cosign verify-attestation ${{ inputs.containerReference }} --type "https://cyclonedx.org/bom" --key env://COSIGN_PUBLIC_KEY
         grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none

.github/actions/deploy_logcollection/action.yml

@@ -0,0 +1,96 @@
+name: Log Collection Deployment
+description: Deploy log collection functionality to the cluster.
+
+inputs:
+  logstash-port:
+    description: "The port of the logstash service."
+    default: "5045"
+  kubeconfig:
+    description: "The kubeconfig of the cluster to deploy to."
+    required: true
+  opensearchUser:
+    description: "The username of the opensearch cluster."
+    required: true
+  opensearchPwd:
+    description: "The password of the opensearch cluster."
+    required: true
+  test:
+    description: "The e2e test payload."
+    required: true
+  provider:
+    description: "The CSP of the cluster."
+    required: true
+  attestationVariant:
+    description: "Attestation variant of the cluster."
+    required: false
+  isDebugImage:
+    description: "Whether the cluster is a debug cluster / uses a debug image."
+    required: true
+  refStream:
+    description: "Reference and stream of the image in use"
+    required: false
+  kubernetesVersion:
+    description: "Kubernetes version of the cluster"
+    required: false
+  clusterCreation:
+    description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
+    default: "cli"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Template Logcollection Helm Values
+      id: template
+      shell: bash
+      run: |
+        bazel run //hack/logcollector template -- \
+         --dir $(realpath .) \
+         --username ${{ inputs.opensearchUser }} \
+         --password ${{ inputs.opensearchPwd }} \
+         --port ${{ inputs.logstash-port }} \
+         --fields github.actor="${{ github.triggering_actor }}" \
+         --fields github.workflow="${{ github.workflow }}" \
+         --fields github.run-id="${{ github.run_id }}" \
+         --fields github.run-attempt="${{ github.run_attempt }}" \
+         --fields github.ref-name="${{ github.ref_name }}" \
+         --fields github.sha="${{ github.sha }}" \
+         --fields github.runner-os="${{ runner.os }}" \
+         --fields github.e2e-test-payload="${{ inputs.test }}" \
+         --fields github.is-debug-cluster="${{ inputs.isDebugImage }}" \
+         --fields github.e2e-test-provider="${{ inputs.provider }}" \
+         --fields github.ref-stream="${{ inputs.refStream }}" \
+         --fields github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
+         --fields github.cluster-creation="${{ inputs.clusterCreation }}" \
+         --fields github.attestation-variant="${{ inputs.attestationVariant }}" \
+         --fields deployment-type="k8s"
+
+    # Make sure that helm is installed
+    # This is not always the case, e.g. on MacOS runners
+    - name: Install Helm
+      uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+      with:
+        version: v3.9.0
+
+    - name: Deploy Logstash
+      id: deploy-logstash
+      shell: bash
+      working-directory: ./logstash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        helm repo add elastic https://helm.elastic.co
+        helm repo update
+        helm install logstash elastic/logstash \
+          --wait --timeout=1200s --values values.yml
+
+    - name: Deploy Filebeat
+      id: deploy-filebeat
+      shell: bash
+      working-directory: ./filebeat
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        helm repo add elastic https://helm.elastic.co
+        helm repo update
+        helm install filebeat elastic/filebeat \
+          --wait --timeout=1200s --values values.yml

.github/actions/download_release_binaries/action.yml

@@ -0,0 +1,55 @@
+name: Download release binaries
+description: "Downloads all binaries created by a different job (and therefore not available in this job) in the release pipeline."
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download CLI binaries darwin-amd64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: constellation-darwin-amd64
+
+    - name: Download CLI binaries darwin-arm64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: constellation-darwin-arm64
+
+    - name: Download CLI binaries linux-amd64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: constellation-linux-amd64
+
+    - name: Download CLI binaries linux-arm64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: constellation-linux-arm64
+
+    - name: Download CLI binaries windows-amd64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: constellation-windows-amd64
+
+    - name: Download Terraform module
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: terraform-module
+
+    - name: Download Terraform provider binary darwin-amd64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: terraform-provider-constellation-darwin-amd64
+
+    - name: Download Terraform provider binary darwin-arm64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: terraform-provider-constellation-darwin-arm64
+
+    - name: Download Terraform provider binary linux-amd64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: terraform-provider-constellation-linux-amd64
+
+    - name: Download Terraform provider binary linux-arm64
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: terraform-provider-constellation-linux-arm64

.github/actions/e2e_attestationconfigapi/action.yml

@@ -0,0 +1,33 @@
+name: E2E Attestationconfig API Test
+description: "Test the attestationconfig CLI is functional."
+
+inputs:
+  attestationVariant:
+    description: "attestation variant to run tests against"
+    default: "azure-sev-snp"
+  cosignPrivateKey:
+    description: "Cosign private key"
+    required: true
+  cosignPassword:
+    description: "Password for Cosign private key"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup bazel
+      uses: ./.github/actions/setup_bazel_nix
+
+    - name: Login to AWS
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
+        aws-region: eu-west-1
+
+    - name: Run attestationconfig API E2E
+      shell: bash
+      env:
+        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
+        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
+      run: |
+        bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.attestationVariant }}

.github/actions/e2e_autoscaling/action.yml

@@ -18,7 +18,7 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
         worker_count=$(kubectl get nodes -o json --selector='!node-role.kubernetes.io/control-plane' | jq '.items | length')
-        echo "worker_count=${worker_count}" >> $GITHUB_OUTPUT
+        echo "worker_count=${worker_count}" | tee -a "$GITHUB_OUTPUT"
         echo "The cluster currently has ${worker_count} nodes."
 
     # The following step identifies the name of the worker scaling group. As the scaling group is
@@ -43,7 +43,7 @@ runs:
             exit 1
         fi
         worker_group=$(kubectl get scalinggroups -o json | jq -r '.items[].metadata.name | select(contains("worker"))')
-        echo "worker_name=${worker_group}" >> $GITHUB_OUTPUT
+        echo "worker_name=${worker_group}" | tee -a "$GITHUB_OUTPUT"
         echo "The name of your worker scaling group is '${worker_group}'."
 
     - name: Patch autoscaling to true
@@ -64,7 +64,7 @@ runs:
         worker_group=${{ steps.worker_name.outputs.worker_name }}
         worker_count=${{ steps.worker_count.outputs.worker_count }}
         worker_target=$((worker_count + 2))
-        echo "worker_target=${worker_target}" >> $GITHUB_OUTPUT
+        echo "worker_target=${worker_target}" | tee -a "$GITHUB_OUTPUT"
         kubectl patch scalinggroups ${worker_group} --patch '{"spec":{"max": '${worker_target}'}}' --type='merge'
         kubectl get scalinggroup ${worker_group} -o jsonpath='{.spec}' | jq
 
@@ -82,14 +82,37 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
         worker_count=${{ steps.worker_count.outputs.worker_count }}
-        kubectl create -n default deployment nginx --image=nginx --replicas $(( 110 * (worker_count + 1) + 55 ))
+
+        cat <<EOF | kubectl apply -f -
+        kind: Deployment
+        apiVersion: apps/v1
+        metadata:
+          name: nginx
+          namespace: default
+        spec:
+          replicas: $(( 110 * (worker_count + 1) + 55 ))
+          strategy:
+            rollingUpdate:
+              maxUnavailable: 0 # Ensure "kubectl wait" actually waits for all pods to be ready
+          selector:
+            matchLabels:
+              app: nginx
+          template:
+            metadata:
+              labels:
+                app: nginx
+            spec:
+              containers:
+              - name: nginx
+                image: nginx
+        EOF
 
     - name: Wait for autoscaling and check result
       shell: bash
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
-        kubectl wait deployment nginx --for condition=available --timeout=15m
+        kubectl wait deployment nginx --for condition=available --timeout=25m
         worker_count=$(kubectl get nodes -o json --selector='!node-role.kubernetes.io/control-plane' | jq '.items | length')
         if [[ $(( "${{ steps.scaling_limit.outputs.worker_target }}" )) -ne $(( "${worker_count}" )) ]]; then
           echo "::error::Expected worker count ${{ steps.scaling_limit.outputs.worker_target }}, but was ${worker_count}"

.github/actions/e2e_benchmark/.gitignore

@@ -0,0 +1,2 @@
+benchmarks/
+out/

.github/actions/e2e_benchmark/README.md

@@ -41,18 +41,19 @@ Example table:
 
 </details>
 
-### Drawing Performance Charts
-The action also draws graphs as used in the [Constellation docs](https://docs.edgeless.systems/constellation/next/overview/performance). The graphs compare the performance of Constellation to the performance of managed Kubernetes clusters.
-
-Graphs are created with every run of the benchmarking action. The action attaches them to the `benchmark` artifact of the workflow run.
-
 ## Updating Stored Records
 
 ### Managed Kubernetes
 One must manually update the stored benchmark records of managed Kubernetes:
 
 ### AKS
-Follow the [Azure documentation](https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-portal?tabs=azure-cli) to create an AKS cluster of desired benchmarking settings (region, instance types). If comparing against Constellation clusters with CVM instances, make sure to select the matching CVM instance type on Azure as well.
+Follow the [Azure documentation](https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-portal?tabs=azure-cli) to create an AKS cluster of desired benchmarking settings (region, instance types). If comparing against Constellation clusters with CVM instances, make sure to select the instance type on AKS as well.
+
+For example:
+```bash
+az aks create -g moritz-constellation -n benchmark --node-count 2 -s Standard_DC4as_v5
+az aks get-credentials -g moritz-constellation -n benchmark
+```
 
 Once the cluster is ready, set up managing access via `kubectl` and take the benchmark:
 ```bash
@@ -63,42 +64,72 @@ install knb /usr/local/bin
 cd ..
 
 # Setup kubestr
-HOSTOS="$(go env GOOS)"
+case "$(go env GOOS)" in "darwin") HOSTOS="MacOS";; *) HOSTOS="$(go env GOOS)";; esac
 HOSTARCH="$(go env GOARCH)"
+KUBESTR_VER=0.4.37
 curl -fsSLO https://github.com/kastenhq/kubestr/releases/download/v${KUBESTR_VER}/kubestr_${KUBESTR_VER}_${HOSTOS}_${HOSTARCH}.tar.gz
 tar -xzf kubestr_${KUBESTR_VER}_${HOSTOS}_${HOSTARCH}.tar.gz
 install kubestr /usr/local/bin
 
+# Clone Constellation
+git clone https://github.com/edgelesssys/constellation.git
+
+# Create storage class without cloud caching
+cat <<EOF | kubectl apply -f -
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: default-no-cache
+allowVolumeExpansion: true
+allowedTopologies: []
+mountOptions: []
+parameters:
+  skuname: StandardSSD_LRS
+  cachingMode: None
+provisioner: disk.csi.azure.com
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer
+EOF
 
 # Run kubestr
 mkdir -p out
-kubestr fio -e "out/fio-constellation-aks.json" -o json -s encrypted-rwo -z 400Gi
+kubestr fio -e "out/fio-AKS.json" -o json -s default -z 400Gi -f constellation/.github/actions/e2e_benchmark/fio.ini
 
 # Run knb
-workers=$(kubectl get nodes | grep worker)
-server=$(echo $workers | head -1 | tail -1 |cut -d ' ' -f1|tr '\n' ' ')
-client=$(echo $workers | head -2 | tail -1 |cut -d ' ' -f1|tr '\n' ' ')
-knb -f "out/knb-constellation-aks.json" -o json --server-node $server --client-node $client
+workers="$(kubectl get nodes | grep nodepool)"
+server="$(echo $workers | head -1 | tail -1 |cut -d ' ' -f1|tr '\n' ' ')"
+client="$(echo $workers | head -2 | tail -1 |cut -d ' ' -f1|tr '\n' ' ')"
+knb -f "out/knb-AKS.json" -o json --server-node $server --client-node $client
 
 
 # Benchmarks done, do processing.
 
 # Parse
-git clone https://github.com/edgelesssys/constellation.git
 mkdir -p benchmarks
-BDIR=benchmarks
-EXT_NAME=AKS
-KBENCH_RESULTS=out/
+export BDIR=benchmarks
+export CSP=azure
+export EXT_NAME=AKS
+export BENCH_RESULTS=out/
 
 python constellation/.github/actions/e2e_benchmark/evaluate/parse.py
 
 # Upload result to S3
-S3_PATH=s3://edgeless-artifact-store/constellation/benchmarks
+S3_PATH=s3://edgeless-artifact-store/constellation/benchmarks/<version>
 aws s3 cp benchmarks/AKS.json ${S3_PATH}/AKS.json
 ```
 
 ### GKE
-Create a GKE cluster of desired benchmarking settings (region, instance types). If comparing against Constellation clusters with CVM instances, make sure to select the matching CVM instance type on GCP and enable **confidential** VMs as well.
+Create a GKE cluster of desired benchmarking settings (region, instance types). If comparing against Constellation clusters with CVM instances, make sure to select the matching instance type on GKE.
+For example:
+
+```bash
+gcloud container clusters create benchmark \
+    --zone europe-west3-b \
+    --node-locations europe-west3-b \
+    --machine-type n2d-standard-4 \
+    --num-nodes 2
+gcloud container clusters get-credentials benchmark --region europe-west3-b
+```
 
 Once the cluster is ready, set up managing access via `kubectl` and take the benchmark:
 ```bash
@@ -109,36 +140,52 @@ install knb /usr/local/bin
 cd ..
 
 # Setup kubestr
-HOSTOS="$(go env GOOS)"
+case "$(go env GOOS)" in "darwin") HOSTOS="MacOS";; *) HOSTOS="$(go env GOOS)";; esac
 HOSTARCH="$(go env GOARCH)"
+KUBESTR_VER=0.4.37
 curl -fsSLO https://github.com/kastenhq/kubestr/releases/download/v${KUBESTR_VER}/kubestr_${KUBESTR_VER}_${HOSTOS}_${HOSTARCH}.tar.gz
 tar -xzf kubestr_${KUBESTR_VER}_${HOSTOS}_${HOSTARCH}.tar.gz
 install kubestr /usr/local/bin
 
+# Clone Constellation
+git clone https://github.com/edgelesssys/constellation.git
+
 # Run kubestr
 mkdir -p out
-kubestr fio -e "out/fio-constellation-gke.json" -o json -s encrypted-rwo -z 400Gi
+kubestr fio -e "out/fio-GKE.json" -o json -s standard-rwo -z 400Gi -f constellation/.github/actions/e2e_benchmark/fio.ini
 
 # Run knb
-workers=$(kubectl get nodes | grep worker)
-server=$(echo $workers | head -1 | tail -1 |cut -d ' ' -f1|tr '\n' ' ')
-client=$(echo $workers | head -2 | tail -1 |cut -d ' ' -f1|tr '\n' ' ')
-knb -f "out/knb-constellation-gke.json" -o json --server-node $server --client-node $client
+workers="$(kubectl get nodes | grep default-pool)"
+server="$(echo $workers | head -1 | tail -1 |cut -d ' ' -f1|tr '\n' ' ')"
+client="$(echo $workers | head -2 | tail -1 |cut -d ' ' -f1|tr '\n' ' ')"
+knb -f "out/knb-GKE.json" -o json --server-node "$server" --client-node "$client"
 
 
 # Parse
-git clone https://github.com/edgelesssys/constellation.git
 mkdir -p benchmarks
-BDIR=benchmarks
-EXT_NAME=GKE
-KBENCH_RESULTS=out/
+export BDIR=benchmarks
+export CSP=gcp
+export EXT_NAME=GKE
+export BENCH_RESULTS=out/
 
 python constellation/.github/actions/e2e_benchmark/evaluate/parse.py
 
 # Upload result to S3
-S3_PATH=s3://edgeless-artifact-store/constellation/benchmarks
+S3_PATH=s3://edgeless-artifact-store/constellation/benchmarks/<version>
 aws s3 cp benchmarks/GKE.json ${S3_PATH}/GKE.json
 ```
 
 ### Constellation
 The action updates the stored Constellation records for the selected cloud provider when running on the main branch.
+
+## Drawing Performance Charts
+The action also contains the code to draw graphs as used in the [Constellation docs](https://docs.edgeless.systems/constellation/next/overview/performance).
+The graphs compare the performance of Constellation to the performance of managed Kubernetes clusters.
+It expects the results of `[AKS.json, GKE.json, constellation-azure.json, constellation-gcp.json]` to be present in the `BDIR` folder.
+
+Graphs can thne be created from using the `graphs.py` script:
+
+```bash
+BDIR=benchmarks
+python ./graph.py
+```

.github/actions/e2e_benchmark/action.yml

@@ -5,6 +5,9 @@ inputs:
   cloudProvider:
     description: "Which cloud provider to use."
     required: true
+  attestationVariant:
+    description: "Which attestation variant to use."
+    required: true
   kubeconfig:
     description: "The kubeconfig of the cluster to test."
     required: true
@@ -17,13 +20,19 @@ inputs:
   awsOpenSearchPwd:
     description: "AWS OpenSearch Password to upload the results."
     required: false
+  artifactNameSuffix:
+    description: "Suffix for artifact naming."
+    required: true
+  encryptionSecret:
+    description: 'The secret to use for encrypting the artifact.'
+    required: true
 
 runs:
   using: "composite"
 
   steps:
     - name: Setup python
-      uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: "3.10"
 
@@ -39,11 +48,11 @@ runs:
         install kubestr /usr/local/bin
 
     - name: Checkout k8s-bench-suite
-      uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
-        repository: "InfraBuilder/k8s-bench-suite"
-        ref: 1698974913b7b18ad54cf5860838029c295c77b1
+        repository: "edgelesssys/k8s-bench-suite"
+        ref: 67c64c854841165b778979375444da1c02e02210
         path: k8s-bench-suite
 
     - name: Run FIO benchmark
@@ -51,15 +60,66 @@ runs:
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
+        if [[ "${{ inputs.cloudProvider }}" == "azure" ]]
+        then
+        cat <<EOF | kubectl apply -f -
+        apiVersion: storage.k8s.io/v1
+        kind: StorageClass
+        metadata:
+          name: fio-benchmark
+        allowVolumeExpansion: true
+        allowedTopologies: []
+        mountOptions: []
+        parameters:
+          skuname: StandardSSD_LRS
+          cachingMode: None
+        provisioner: azuredisk.csi.confidential.cloud
+        reclaimPolicy: Delete
+        volumeBindingMode: Immediate
+        EOF
+        fi
+
+        if [[ "${{ inputs.cloudProvider }}" == "gcp" ]]
+        then
+        cat <<EOF | kubectl apply -f -
+        apiVersion: storage.k8s.io/v1
+        kind: StorageClass
+        metadata:
+          name: fio-benchmark
+        provisioner: gcp.csi.confidential.cloud
+        volumeBindingMode: Immediate
+        allowVolumeExpansion: true
+        parameters:
+          type: pd-balanced
+        EOF
+        fi
+
+        if [[ "${{ inputs.cloudProvider }}" == "aws" ]]
+        then
+        cat <<EOF | kubectl apply -f -
+        apiVersion: storage.k8s.io/v1
+        kind: StorageClass
+        metadata:
+          name: fio-benchmark
+        parameters:
+          type: gp3
+        provisioner: aws.csi.confidential.cloud
+        allowVolumeExpansion: true
+        reclaimPolicy: Delete
+        volumeBindingMode: Immediate
+        EOF
+        fi
+
         mkdir -p out
-        kubestr fio -e "out/fio-constellation-${{ inputs.cloudProvider }}.json" -o json -s encrypted-rwo -z 400Gi
+        kubestr fio -e "out/fio-constellation-${{ inputs.attestationVariant }}.json" -o json -s fio-benchmark -z 400Gi -f .github/actions/e2e_benchmark/fio.ini
 
     - name: Upload raw FIO benchmark results
       if: (!env.ACT)
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      uses: ./.github/actions/artifact_upload
       with:
-        path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
-        name: "fio-constellation-${{ inputs.cloudProvider }}.json"
+        path: "out/fio-constellation-${{ inputs.attestationVariant }}.json"
+        name: "fio-constellation-${{ inputs.artifactNameSuffix }}.json"
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Run knb benchmark
       shell: bash
@@ -67,23 +127,46 @@ runs:
         KUBECONFIG: ${{ inputs.kubeconfig }}
         TERM: xterm-256color
       run: |
-        workers="$(kubectl get nodes -o name | grep worker)"
+        workers="$(kubectl get nodes -o name -l '!node-role.kubernetes.io/control-plane')"
         echo -e "Found workers:\n$workers"
         server="$(echo "$workers" | tail +1 | head -1 | cut -d '/' -f2)"
         echo "Server: $server"
         client="$(echo "$workers" | tail +2 | head -1 | cut -d '/' -f2)"
         echo "Client: $client"
-        k8s-bench-suite/knb -f "out/knb-constellation-${{ inputs.cloudProvider }}.json" -o json --server-node "$server" --client-node "$client"
+        k8s-bench-suite/knb -f "out/knb-constellation-${{ inputs.attestationVariant }}.json" -o json --server-node "$server" --client-node "$client"
 
     - name: Upload raw knb benchmark results
       if: (!env.ACT)
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      uses: ./.github/actions/artifact_upload
       with:
-        path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
-        name: "knb-constellation-${{ inputs.cloudProvider }}.json"
+        path: "out/knb-constellation-${{ inputs.attestationVariant }}.json"
+        name: "knb-constellation-${{ inputs.artifactNameSuffix }}.json"
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+
+    - name: Parse results, create diagrams and post the progression summary
+      shell: bash
+      env:
+        # Original result directory
+        BENCH_RESULTS: out/
+        # Working directory containing the previous results as JSON and to contain the graphs
+        BDIR: benchmarks
+        CSP: ${{ inputs.cloudProvider }}
+        ATTESTATION_VARIANT: ${{ inputs.attestationVariant }}
+      run: |
+        mkdir -p benchmarks
+        python .github/actions/e2e_benchmark/evaluate/parse.py
+
+    - name: Upload benchmark results to action run
+      if: (!env.ACT)
+      uses: ./.github/actions/artifact_upload
+      with:
+        path: >
+          benchmarks/constellation-${{ inputs.attestationVariant }}.json
+        name: "benchmarks-${{ inputs.artifactNameSuffix }}"
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Assume AWS role to retrieve and update benchmarks in S3
-      uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
         aws-region: us-east-2
@@ -96,46 +179,27 @@ runs:
 
     - name: Get previous benchmark records from S3
       shell: bash
-      env:
-        CSP: ${{ inputs.cloudProvider }}
       run: |
-        mkdir -p benchmarks
-        aws s3 cp --recursive ${S3_PATH} benchmarks --no-progress
-        if [[ -f benchmarks/constellation-${CSP}.json ]]; then
-          mv benchmarks/constellation-${CSP}.json benchmarks/constellation-${CSP}-previous.json
+        if aws s3 cp "${S3_PATH}/constellation-${{ inputs.attestationVariant }}.json" ./ --no-progress
+        then
+          mv "constellation-${{ inputs.attestationVariant }}.json" "benchmarks/constellation-${{ inputs.attestationVariant }}-previous.json"
         else
             echo "::warning::Couldn't retrieve previous benchmark records from s3"
         fi
 
-    - name: Parse results, create diagrams and post the progression summary
+    - name: Compare results
       shell: bash
       env:
-        # Original result directory
-        BENCH_RESULTS: out/
-        # Working directory containing the previous results as JSON and to contain the graphs
-        BDIR: benchmarks
         # Paths to benchmark results as JSON of the previous run and the current run
-        PREV_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}-previous.json
-        CURR_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}.json
-        CSP: ${{ inputs.cloudProvider }}
+        PREV_BENCH: benchmarks/constellation-${{ inputs.attestationVariant }}-previous.json
+        CURR_BENCH: benchmarks/constellation-${{ inputs.attestationVariant }}.json
       run: |
-        python .github/actions/e2e_benchmark/evaluate/parse.py
-        export BENCHMARK_SUCCESS=true
         if [[ -f "$PREV_BENCH" ]]; then
-          # Sets $BENCHMARK_SUCCESS=false if delta is bigger than defined in compare.py
+          # Fails if the results are outside the threshold range
           python .github/actions/e2e_benchmark/evaluate/compare.py >> $GITHUB_STEP_SUMMARY
         fi
-        echo BENCHMARK_SUCCESS=$BENCHMARK_SUCCESS >> $GITHUB_ENV
 
-    - name: Upload benchmark results to action run
-      if: (!env.ACT)
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-      with:
-        path: |
-          benchmarks/constellation-${{ inputs.cloudProvider }}.json
-        name: "benchmarks"
-
-    - name: Upload benchmark results to opensearch
+    - name: Upload benchmark results to OpenSearch
       if: (!env.ACT)
       shell: bash
       env:
@@ -145,24 +209,12 @@ runs:
       run: |
         curl -XPOST \
             -u "${OPENSEARCH_USER}:${OPENSEARCH_PWD}" \
-            "${OPENSEARCH_DOMAIN}/benchmarks-${{ inputs.cloudProvider }}-$(date '+%Y')"/_doc \
-            --data-binary @benchmarks/constellation-${{ inputs.cloudProvider }}.json \
+            "${OPENSEARCH_DOMAIN}/benchmarks-${{ inputs.attestationVariant }}-$(date '+%Y')"/_doc \
+            --data-binary @benchmarks/constellation-${{ inputs.attestationVariant }}.json \
             -H 'Content-Type: application/json'
 
     - name: Update benchmark records in S3
       if: github.ref_name == 'main'
       shell: bash
-      env:
-        CSP: ${{ inputs.cloudProvider }}
       run: |
-        aws s3 cp benchmarks/constellation-${CSP}.json ${S3_PATH}/constellation-${CSP}.json
-
-    - name: Check performance comparison result
-      shell: bash
-      run: |
-        if [[ $BENCHMARK_SUCCESS == true ]] ; then
-          echo "Benchmark successful, all metrics in the expected range."
-        else
-          echo "::error::Benchmark failed, some metrics are outside of the expected range."
-          exit 1
-        fi
+        aws s3 cp benchmarks/constellation-${{ inputs.attestationVariant }}.json ${S3_PATH}/constellation-${{ inputs.attestationVariant }}.json

.github/actions/e2e_benchmark/evaluate/.gitignore

@@ -0,0 +1,4 @@
+__pycache__
+benchmarks/
+results/
+out/

.github/actions/e2e_benchmark/evaluate/compare.py

@@ -40,12 +40,15 @@ API_UNIT_STR = "ms"
 
 # List of allowed deviation
 ALLOWED_RATIO_DELTA = {
-    'iops': 0.7,
-    'bw_kbytes': 0.7,
-    'tcp_bw_mbit': 0.7,
-    'udp_bw_mbit': 0.7,
+    'iops': 0.8,
+    'bw_kbytes': 0.8,
+    'tcp_bw_mbit': 0.8,
+    'udp_bw_mbit': 0.8,
 }
 
+# Track failed comparison status
+failed = False
+
 
 def is_bigger_better(bench_suite: str) -> bool:
     return bench_suite in BIGGER_BETTER
@@ -91,18 +94,18 @@ class BenchmarkComparer:
             raise ValueError('Failed reading benchmark file: {e}'.format(e=e))
 
         try:
-            name = bench_curr['provider']
+            name = bench_curr['attestationVariant']
         except KeyError:
             raise ValueError(
-                'Current benchmark record file does not contain provider.')
+                'Current benchmark record file does not contain attestationVariant.')
         try:
-            prev_name = bench_prev['provider']
+            prev_name = bench_prev['attestationVariant']
         except KeyError:
             raise ValueError(
-                'Previous benchmark record file does not contain provider.')
+                'Previous benchmark record file does not contain attestationVariant.')
         if name != prev_name:
             raise ValueError(
-                'Cloud providers of previous and current benchmark data do not match.')
+                'Cloud attestationVariants of previous and current benchmark data do not match.')
 
         if 'fio' not in bench_prev.keys() or 'fio' not in bench_curr.keys():
             raise ValueError('Benchmarks do not both contain fio records.')
@@ -171,7 +174,8 @@ class BenchmarkComparer:
 
 
 def set_failed() -> None:
-    os.environ['COMPARISON_SUCCESS'] = str(False)
+    global failed
+    failed = True
 
 
 def main():
@@ -179,6 +183,8 @@ def main():
     c = BenchmarkComparer(path_prev, path_curr)
     output = c.compare()
     print(output)
+    if failed:
+        exit(1)
 
 
 if __name__ == '__main__':

.github/actions/e2e_benchmark/evaluate/graph.py

@@ -0,0 +1,250 @@
+"""Generate graphs comparing K-Bench benchmarks across cloud providers and Constellation."""
+import json
+import os
+import tempfile
+from collections import defaultdict
+from pathlib import Path
+from urllib import request
+
+import numpy as np
+from matplotlib import pyplot as plt
+from matplotlib import font_manager as fm
+
+SUBJECTS_AZURE = ['constellation-azure', 'AKS']
+SUBJECTS_GCP = ['constellation-gcp', 'GKE']
+
+LEGEND_NAMES_AZURE = ['Constellation', 'AKS']
+LEGEND_NAMES_GCP = ['Constellation', 'GKE']
+
+
+BAR_COLORS = ['#90FF99', '#929292', '#8B04DD', '#000000']
+
+FONT_URL = "https://github.com/google/fonts/raw/main/apache/roboto/static/Roboto-Regular.ttf"
+FONT_NAME = "Roboto-Regular.ttf"
+FONT_SIZE = 13
+
+# Some lookup dictionaries for x axis
+fio_iops_unit = 'IOPS'
+fio_bw_unit = 'MiB/s'
+
+net_unit = 'Mbit/s'
+
+
+def configure() -> str:
+    """Read the benchmark data paths.
+
+    Expects ENV vars (required):
+    - BDIR=benchmarks
+
+    Raises TypeError if at least one of them is missing.
+
+    Returns: out_dir
+    """
+    out_dir = os.environ.get('BDIR', None)
+    if not out_dir:
+        raise TypeError(
+            'ENV variables BDIR is required.')
+    return out_dir
+
+
+def bar_chart(data, title='', unit='', x_label=''):
+    #     """Draws a bar chart with multiple bars per data point.
+
+    #     Args:
+    #         data (dict[str, list]): Benchmark data dictionary: subject -> lists of value points
+    #         title (str, optional): The title for the chart. Defaults to "".
+    #         suffix (str, optional): The suffix for values e.g. "MiB/s". Defaults to "".
+    #         x_label (str, optional): The label for the x-axis. Defaults to "".
+    #     Returns:
+    #         fig (matplotlib.pyplot.figure): The pyplot figure
+    #     """
+
+    # Create plot and set configs
+    plt.rcdefaults()
+    plt.rc('font', family=FONT_NAME, size=FONT_SIZE)
+    fig, ax = plt.subplots(figsize=(10, 5))
+
+    # Calculate y positions
+    y_pos = np.arange(len(data))
+
+    bars = ax.barh(y_pos, data.values(), align='center', color=BAR_COLORS)
+
+    # Axis formatting
+    ax.spines['top'].set_visible(False)
+    ax.spines['right'].set_visible(False)
+    ax.spines['left'].set_visible(False)
+    ax.spines['bottom'].set_color('#DDDDDD')
+    ax.tick_params(bottom=False, left=False)
+    ax.set_axisbelow(True)
+    ax.xaxis.grid(True, color='#EEEEEE')
+    ax.yaxis.grid(False)
+
+    # Bar annotations
+    for bar in bars:
+        ax.text(
+            1.03*bar.get_width(),
+            bar.get_y() + bar.get_height() / 2,
+            f'{bar.get_width():.0f}',
+            verticalalignment='center',
+        )
+
+    # Set labels and titles
+    ax.set_yticks(y_pos, labels=data.keys())
+    ax.invert_yaxis()  # labels read top-to-bottom
+    ax.set_xlabel(x_label, fontdict={"fontsize": 12})
+    if unit != '':
+        unit = f"({unit})"
+    ax.set_title(f'{title} {unit}', fontdict={
+                 "fontsize": 20, 'weight': 'bold'})
+
+    plt.tight_layout()
+    # plt.show()
+    return fig
+
+
+def main():
+    """ Download and setup fonts"""
+    path = Path(tempfile.mkdtemp())
+    font_path = path / FONT_NAME
+    request.urlretrieve(FONT_URL, font_path)
+
+    font = fm.FontEntry(fname=str(font_path), name=FONT_NAME)
+    fm.fontManager.ttflist.append(font)
+
+    """Read the files and create diagrams."""
+    out_dir = configure()
+    combined_results = defaultdict(dict)
+
+    for test in SUBJECTS_AZURE+SUBJECTS_GCP:
+        # Read the previous results
+        read_path = os.path.join(
+            out_dir, '{subject}.json'.format(subject=test))
+        try:
+            with open(read_path, 'r') as res_file:
+                combined_results[test].update(json.load(res_file))
+        except OSError as e:
+            raise ValueError(
+                'Failed reading {subject} benchmark records: {e}'.format(subject=test, e=e))
+
+    # Network charts
+    # P2P TCP + UDP Azure
+    net_data = {}
+    for s, l in zip(SUBJECTS_AZURE, LEGEND_NAMES_AZURE):
+        net_data[l+" - TCP"] = int(combined_results[s]
+                                   ['knb']['pod2pod']['tcp_bw_mbit'])
+    for s, l in zip(SUBJECTS_AZURE, LEGEND_NAMES_AZURE):
+        net_data[l+" - UDP"] = int(combined_results[s]
+                                   ['knb']['pod2pod']['udp_bw_mbit'])
+    bar_chart(data=net_data,
+              title='K8S CNI Benchmark - Pod to Pod - Azure - Bandwidth',
+              unit=net_unit,
+              x_label=f"Bandwidth in {net_unit} - Higher is better")
+    save_name = os.path.join(out_dir, 'benchmark_net_p2p_azure.png')
+    plt.savefig(save_name)
+
+    # P2P TCP + UDP GCP
+    net_data = {}
+    for s, l in zip(SUBJECTS_GCP, LEGEND_NAMES_GCP):
+        net_data[l+" - TCP"] = int(combined_results[s]
+                                   ['knb']['pod2pod']['tcp_bw_mbit'])
+    for s, l in zip(SUBJECTS_GCP, LEGEND_NAMES_GCP):
+        net_data[l+" - UDP"] = int(combined_results[s]
+                                   ['knb']['pod2pod']['udp_bw_mbit'])
+    bar_chart(data=net_data,
+              title='K8S CNI Benchmark - Pod to Pod - GCP - Bandwidth',
+              unit=net_unit,
+              x_label=f"Bandwidth in {net_unit} - Higher is better")
+    save_name = os.path.join(out_dir, 'benchmark_net_p2p_gcp.png')
+    plt.savefig(save_name)
+
+    # P2SVC TCP + UDP Azure
+    net_data = {}
+    for s, l in zip(SUBJECTS_AZURE, LEGEND_NAMES_AZURE):
+        net_data[l+" - TCP"] = int(combined_results[s]
+                                   ['knb']['pod2svc']['tcp_bw_mbit'])
+    for s, l in zip(SUBJECTS_AZURE, LEGEND_NAMES_AZURE):
+        net_data[l+" - UDP"] = int(combined_results[s]
+                                   ['knb']['pod2svc']['udp_bw_mbit'])
+    bar_chart(data=net_data,
+              title='K8S CNI Benchmark - Pod to Service - Azure - Bandwidth',
+              unit=net_unit,
+              x_label=f"Bandwidth in {net_unit} - Higher is better")
+    save_name = os.path.join(out_dir, 'benchmark_net_p2svc_azure.png')
+    plt.savefig(save_name)
+
+    # P2P TCP + UDP GCP
+    net_data = {}
+    for s, l in zip(SUBJECTS_GCP, LEGEND_NAMES_GCP):
+        net_data[l+" - TCP"] = int(combined_results[s]
+                                   ['knb']['pod2svc']['tcp_bw_mbit'])
+    for s, l in zip(SUBJECTS_GCP, LEGEND_NAMES_GCP):
+        net_data[l+" - UDP"] = int(combined_results[s]
+                                   ['knb']['pod2svc']['udp_bw_mbit'])
+    bar_chart(data=net_data,
+              title='K8S CNI Benchmark - Pod to Service - GCP - Bandwidth',
+              unit=net_unit,
+              x_label=f"Bandwidth in {net_unit} - Higher is better")
+    save_name = os.path.join(out_dir, 'benchmark_net_p2svc_gcp.png')
+    plt.savefig(save_name)
+
+    # FIO charts
+
+    # IOPS on Azure
+    fio_data = {}
+    for s, l in zip(SUBJECTS_AZURE, LEGEND_NAMES_AZURE):
+        fio_data[l+" - Read"] = int(combined_results[s]
+                                    ['fio']['read_iops']['iops'])
+    for s, l in zip(SUBJECTS_AZURE, LEGEND_NAMES_AZURE):
+        fio_data[l+" - Write"] = int(combined_results[s]
+                                     ['fio']['write_iops']['iops'])
+    bar_chart(data=fio_data,
+              title='FIO Benchmark - Azure - IOPS',
+              x_label=f"{fio_iops_unit} - Higher is better")
+    save_name = os.path.join(out_dir, 'benchmark_fio_azure_iops.png')
+    plt.savefig(save_name)
+
+    # IOPS on GCP
+    fio_data = {}
+    for s, l in zip(SUBJECTS_GCP, LEGEND_NAMES_GCP):
+        fio_data[l+" - Read"] = int(combined_results[s]
+                                    ['fio']['read_iops']['iops'])
+    for s, l in zip(SUBJECTS_GCP, LEGEND_NAMES_GCP):
+        fio_data[l+" - Write"] = int(combined_results[s]
+                                     ['fio']['write_iops']['iops'])
+    bar_chart(data=fio_data,
+              title='FIO Benchmark - GCP - IOPS',
+              x_label=f"{fio_iops_unit} - Higher is better")
+    save_name = os.path.join(out_dir, 'benchmark_fio_gcp_iops.png')
+    plt.savefig(save_name)
+
+    # Bandwidth on Azure
+    fio_data = {}
+    for s, l in zip(SUBJECTS_AZURE, LEGEND_NAMES_AZURE):
+        fio_data[l+" - Read"] = int(combined_results[s]
+                                    ['fio']['read_bw']['bw_kbytes'] / 1024)
+    for s, l in zip(SUBJECTS_AZURE, LEGEND_NAMES_AZURE):
+        fio_data[l+" - Write"] = int(combined_results[s]
+                                     ['fio']['write_bw']['bw_kbytes'] / 1024)
+    bar_chart(data=fio_data,
+              title='FIO Benchmark - Azure - Bandwidth',
+              x_label=f"Bandwidth in {fio_bw_unit} - Higher is better")
+    save_name = os.path.join(out_dir, 'benchmark_fio_azure_bw.png')
+    plt.savefig(save_name)
+
+    # Bandwidth on GCP
+    fio_data = {}
+    for s, l in zip(SUBJECTS_GCP, LEGEND_NAMES_GCP):
+        fio_data[l+" - Read"] = int(combined_results[s]
+                                    ['fio']['read_bw']['bw_kbytes'] / 1024)
+    for s, l in zip(SUBJECTS_GCP, LEGEND_NAMES_GCP):
+        fio_data[l+" - Write"] = int(combined_results[s]
+                                     ['fio']['write_bw']['bw_kbytes'] / 1024)
+    bar_chart(data=fio_data,
+              title='FIO Benchmark - GCP - Bandwidth',
+              x_label=f"Bandwidth in {fio_bw_unit} - Higher is better")
+    save_name = os.path.join(out_dir, 'benchmark_fio_gcp_bw.png')
+    plt.savefig(save_name)
+
+
+if __name__ == '__main__':
+    main()

.github/actions/e2e_benchmark/evaluate/parse.py

@@ -7,7 +7,7 @@ from datetime import datetime
 from evaluators import fio, knb
 
 
-def configure() -> Tuple[str, str, str, str | None, str, str, str, str]:
+def configure() -> Tuple[str, str, str, str, str | None, str, str, str, str]:
     """Read the benchmark data paths.
 
     Expects ENV vars (required):
@@ -25,32 +25,34 @@ def configure() -> Tuple[str, str, str, str | None, str, str, str, str]:
     """
     base_path = os.environ.get('BENCH_RESULTS', None)
     csp = os.environ.get('CSP', None)
+    attestation_variant = os.environ.get('ATTESTATION_VARIANT', None)
     out_dir = os.environ.get('BDIR', None)
-    if not base_path or not csp or not out_dir:
+    if not base_path or not csp or not out_dir or not attestation_variant:
         raise TypeError(
-            'ENV variables BENCH_RESULTS, CSP, BDIR are required.')
+            'ENV variables BENCH_RESULTS, CSP, BDIR, ATTESTATION_VARIANT are required.')
 
     ext_provider_name = os.environ.get('EXT_NAME', None)
     commit_hash = os.environ.get('GITHUB_SHA', 'N/A')
     commit_ref = os.environ.get('GITHUB_REF_NAME', 'N/A')
     actor = os.environ.get('GITHUB_ACTOR', 'N/A')
     workflow = os.environ.get('GITHUB_WORKFLOW', 'N/A')
-    return base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow
+    return base_path, csp, attestation_variant, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow
+
 
 class BenchmarkParser:
-    def __init__(self, base_path, csp, out_dir, ext_provider_name=None, commit_hash="N/A", commit_ref="N/A", actor="N/A", workflow="N/A"):
+    def __init__(self, base_path, csp, attestation_variant, out_dir, ext_provider_name=None, commit_hash="N/A", commit_ref="N/A", actor="N/A", workflow="N/A"):
         self.base_path = base_path
-        self.csp= csp
+        self.csp = csp
+        self.attestation_variant = attestation_variant
         self.out_dir = out_dir
         self.ext_provider_name = ext_provider_name
         if not self.ext_provider_name:
-            self.ext_provider_name = f'constellation-{csp}'
+            self.ext_provider_name = f'constellation-{attestation_variant}'
         self.commit_hash = commit_hash
         self.commit_ref = commit_ref
         self.actor = actor
         self.workflow = workflow
 
-
     def parse(self) -> None:
         """Read and parse the K-Bench tests.
 
@@ -81,15 +83,16 @@ class BenchmarkParser:
         timestamp = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
 
         combined_results = {'metadata': {
-                                'github.sha': self.commit_hash,
-                                'github.ref-name': self.commit_ref,
-                                'github.actor': self.actor,
-                                'github.workflow': self.workflow,
-                            },
-                            '@timestamp': str(timestamp),
-                            'provider': self.ext_provider_name,
-                            'fio': {}, 
-                            'knb': {}}
+            'github.sha': self.commit_hash,
+            'github.ref-name': self.commit_ref,
+            'github.actor': self.actor,
+            'github.workflow': self.workflow,
+        },
+            '@timestamp': str(timestamp),
+            'provider': self.ext_provider_name,
+            'attestationVariant': self.attestation_variant,
+            'fio': {},
+            'knb': {}}
 
         combined_results['knb'].update(knb_results)
         combined_results['fio'].update(fio_results)
@@ -101,9 +104,11 @@ class BenchmarkParser:
 
 
 def main():
-    base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow = configure()
-    p = BenchmarkParser(base_path, csp, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow)
+    base_path, csp, attestation_variant, out_dir, ext_provider_name, commit_hash, commit_ref, actor, workflow = configure()
+    p = BenchmarkParser(base_path, csp, attestation_variant, out_dir, ext_provider_name,
+                        commit_hash, commit_ref, actor, workflow)
     p.parse()
 
+
 if __name__ == '__main__':
     main()

.github/actions/e2e_benchmark/evaluate/requirements.txt

@@ -0,0 +1,3 @@
+numpy ==2.2.4
+matplotlib ==3.10.1
+Pillow ==11.1.0

.github/actions/e2e_benchmark/fio.ini

@@ -0,0 +1,36 @@
+[global]
+direct=1
+ioengine=libaio
+runtime=60s
+ramp_time=10s
+size=10Gi
+time_based=1
+group_reporting
+thread
+cpus_allowed=0
+
+
+[read_iops]
+stonewall
+readwrite=randread
+bs=4k
+iodepth=128
+
+[write_iops]
+stonewall
+readwrite=randwrite
+bs=4k
+iodepth=128
+
+[read_bw]
+stonewall
+readwrite=randread
+bs=1024k
+iodepth=128
+
+
+[write_bw]
+stonewall
+readwrite=randwrite
+bs=1024k
+iodepth=128

.github/actions/e2e_cleanup_timeframe/action.yml

@@ -0,0 +1,62 @@
+name: E2E cleanup over timeframe
+description: Clean up old terraform resources of E2E tests
+
+inputs:
+  ghToken:
+    description:  'The github token that is used with the github CLI.'
+    required: true
+  encryptionSecret:
+    description: 'The secret to use for decrypting the artifacts.'
+    required: true
+  azure_credentials:
+    description: "Credentials authorized to create Constellation on Azure."
+    required: true
+  openStackCloudsYaml:
+    description: "The contents of ~/.config/openstack/clouds.yaml"
+    required: false
+  stackitUat:
+    description: "The UAT for STACKIT"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Authenticate AWS
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
+        aws-region: eu-central-1
+
+    - name: Authenticate Azure
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azure_credentials }}
+
+    - name: Authenticate GCP
+      uses: ./.github/actions/login_gcp
+      with:
+        service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+    - name: Login to OpenStack
+      uses: ./.github/actions/login_openstack
+      with:
+        clouds_yaml: ${{ inputs.openStackCloudsYaml }}
+
+    - name: Login to STACKIT
+      uses: ./.github/actions/login_stackit
+      with:
+        serviceAccountToken: ${{ inputs.stackitUat }}
+
+    - name: Install tools
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          _7zz
+          terraform
+
+    - name: Run cleanup
+      run: ./.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.ghToken }}
+        ENCRYPTION_SECRET: ${{ inputs.encryptionSecret }}

.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date.
+function get_e2e_test_ids_on_date {
+  ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)"
+  echo "${ids}"
+}
+
+# download_tfstate_artifact downloads all artifacts matching the pattern terraform-state-* from a given workflow ID.
+function download_tfstate_artifact {
+  gh run download "$1" -p "terraform-state-*" -R edgelesssys/constellation > /dev/null
+}
+
+# delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder.
+function delete_resources {
+  if [[ -d "$1/constellation-terraform" ]]; then
+    cd "$1/constellation-terraform" || exit 1
+    terraform init > /dev/null || exit 1 # first, install plugins
+    terraform destroy -auto-approve || exit 1
+    cd ../../ || exit 1
+  fi
+}
+
+# delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder.
+function delete_iam_config {
+  if [[ -d "$1/constellation-iam-terraform" ]]; then
+    cd "$1/constellation-iam-terraform" || exit 1
+    terraform init > /dev/null || exit 1 # first, install plugins
+    terraform destroy -auto-approve || exit 1
+    cd ../../ || exit 1
+  fi
+}
+
+# check if the password for artifact decryption was given
+if [[ -z ${ENCRYPTION_SECRET} ]]; then
+  echo "ENCRYPTION_SECRET is not set. Please set an environment variable with that secret."
+  exit 1
+fi
+
+artifact_pwd=${ENCRYPTION_SECRET}
+
+shopt -s nullglob
+
+start_date=$(date "+%Y-%m-%d")
+end_date=$(date --date "-7 day" "+%Y-%m-%d")
+dates_to_clean=()
+
+# get all dates of the last week
+while [[ ${end_date} != "${start_date}" ]]; do
+  dates_to_clean+=("${end_date}")
+  end_date=$(date --date "${end_date} +1 day" "+%Y-%m-%d")
+done
+
+echo "[*] retrieving run IDs for cleanup"
+database_ids=()
+for d in "${dates_to_clean[@]}"; do
+  echo "    retrieving run IDs from $d"
+  mapfile -td " " tmp < <(get_e2e_test_ids_on_date "$d")
+  database_ids+=("${tmp[*]}")
+done
+
+# cleanup database_ids
+mapfile -t database_ids < <(echo "${database_ids[@]}")
+mapfile -td " " database_ids < <(echo "${database_ids[@]}")
+
+echo "[*] downloading terraform state artifacts"
+for id in "${database_ids[@]}"; do
+  if [[ ${id} == *[^[:space:]]* ]]; then
+    echo "    downloading from workflow ${id}"
+    download_tfstate_artifact "${id}"
+  fi
+done
+
+echo "[*] extracting artifacts"
+for directory in ./terraform-state-*; do
+  echo "    extracting ${directory}"
+
+  # extract and decrypt the artifact
+  7zz x -t7z -p"${artifact_pwd}" -o"${directory}" "${directory}/archive.7z" > /dev/null || exit 1
+done
+
+# create terraform caching directory
+mkdir "${HOME}/tf_plugin_cache"
+export TF_PLUGIN_CACHE_DIR="${HOME}/tf_plugin_cache"
+echo "[*] created terraform cache directory ${TF_PLUGIN_CACHE_DIR}"
+
+echo "[*] deleting resources"
+for directory in ./terraform-state-*; do
+  echo "    deleting resources in ${directory}"
+  delete_resources "${directory}"
+  echo "    deleting IAM configuration in ${directory}"
+  delete_iam_config "${directory}"
+  echo "    deleting directory ${directory}"
+  rm -rf "${directory}"
+done
+
+exit 0

.github/actions/e2e_emergency_ssh/action.yml

@@ -0,0 +1,68 @@
+name: Emergency ssh
+description: "Verify that an emergency ssh connection can be established."
+
+inputs:
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Test emergency ssh
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        set -euo pipefail
+
+        # Activate emergency ssh access to the cluster
+        pushd ./constellation-terraform
+        echo "emergency_ssh = true" >> terraform.tfvars
+        terraform apply -auto-approve
+        lb="$(terraform output -raw loadbalancer_address)"
+        popd
+
+        # write ssh config
+        cat > ssh_config <<EOF
+        Host $lb
+          ProxyJump none
+
+        Host *
+          StrictHostKeyChecking no
+          UserKnownHostsFile=/dev/null
+          IdentityFile ./access-key
+          PreferredAuthentications publickey
+          CertificateFile=constellation_cert.pub
+          User root
+          ProxyJump $lb
+        EOF
+
+        for i in {1..26}; do
+          if [[ "$i" -eq 26 ]]; then
+            echo "Port 22 never became reachable"
+            exit 1
+          fi
+          echo "Waiting until port 22 is reachable: $i/25"
+          if nc -z -w 25 "$lb" 22; then
+            break
+          fi
+        done
+
+        # generate and try keypair
+        ssh-keygen -t ecdsa -q -N "" -f ./access-key
+        constellation ssh --debug --key ./access-key.pub
+        internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
+        for ip in $internalIPs; do
+          for i in {1..26}; do
+            if [[ "$i" -eq 26 ]]; then
+              echo "Failed to connect to $ip over $lb"
+              exit 1
+            fi
+            echo "Trying connection to $ip over $lb: $i/25"
+            if ssh -F ssh_config -o BatchMode=yes $ip true; then
+              echo "Connected to $ip successfully"
+              break
+            fi
+          done
+        done

.github/actions/e2e_lb/action.yml

@@ -5,6 +5,9 @@ inputs:
   kubeconfig:
     description: "The kubeconfig of the cluster to test."
     required: true
+  cloudProvider:
+    description: "The CSP this test runs on. Some tests exercise functionality not supported everywhere."
+    required: false
 
 runs:
   using: "composite"
@@ -18,7 +21,25 @@ runs:
       run: |
         kubectl apply -f ns.yml
         kubectl apply -f lb.yml
-        go test -timeout=3h ../../../e2e/internal/lb/lb_test.go -v
+        bazel run --test_timeout=14400 //e2e/internal/lb:lb_test
+
+    - name: Test AWS Ingress
+      if: inputs.cloudProvider == 'aws'
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      working-directory: ./.github/actions/e2e_lb
+      run: |
+        kubectl apply -f aws-ingress.yml
+        kubectl wait -n lb-test ing/whoami --for=jsonpath='{.status.loadBalancer.ingress}' --timeout=5m
+        host=$(kubectl get -n lb-test ingress whoami -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+        for i in $(seq 30); do
+          curl --silent --fail --connect-timeout 5 --output /dev/null http://$host && exit 0
+          sleep 10
+        done
+        echo "::error::Ingress did not become ready in the alloted time."
+        kubectl describe ing -n lb-test
+        exit 1
 
     - name: Delete deployment
       if: always()
@@ -28,4 +49,5 @@ runs:
       working-directory: ./.github/actions/e2e_lb
       run: |
         kubectl delete -f lb.yml
+        kubectl delete --ignore-not-found -f aws-ingress.yml
         kubectl delete -f ns.yml --timeout=5m

.github/actions/e2e_lb/aws-ingress.yml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami-internal
+  namespace: lb-test
+spec:
+  selector:
+    app: whoami
+  ports:
+    - port: 80
+      targetPort: 80
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: lb-test
+  name: whoami
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: instance
+spec:
+  ingressClassName: alb
+  rules:
+    - http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: whoami-internal
+              port:
+                number: 80

.github/actions/e2e_lb/lb.yml

@@ -3,6 +3,8 @@ kind: Service
 metadata:
   name: whoami
   namespace: lb-test
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
 spec:
   selector:
     app: whoami

.github/actions/e2e_malicious_join/action.yml

@@ -0,0 +1,52 @@
+name: Malicious join
+description: "Verify that a malicious node cannot join a Constellation cluster."
+
+inputs:
+  cloudProvider:
+    description: "The cloud provider the test runs on."
+    required: true
+  attestationVariant:
+    description: "The attestation variant used in the cluster."
+    required: true
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Log in to the Container registry
+      id: docker-login
+      uses: ./.github/actions/container_registry_login
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.githubToken }}
+
+    - name: Run malicious join
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      working-directory: e2e/malicious-join
+      run: |
+        bazel run --test_timeout=14400 //e2e/malicious-join:stamp_and_push
+        yq eval -i "(.spec.template.spec.containers[0].command) = \
+          [ \"/malicious-join_bin\", \
+          \"--js-endpoint=join-service.kube-system:9090\", \
+          \"--csp=${{ inputs.cloudProvider }}\", \
+          \"--variant=${{ inputs.attestationVariant }}\" ]" stamped_job.yaml
+
+        kubectl create ns malicious-join
+        kubectl apply -n malicious-join -f stamped_job.yaml
+        kubectl wait -n malicious-join --for=condition=complete --timeout=10m job/malicious-join
+        kubectl logs -n malicious-join job/malicious-join | tail -n 1 | jq '.'
+        ALL_TESTS_PASSED=$(kubectl logs -n malicious-join job/malicious-join | tail -n 1 | jq -r '.result.allPassed')
+        if [[ "$ALL_TESTS_PASSED" != "true" ]]; then
+          kubectl logs -n malicious-join job/malicious-join
+          kubectl logs -n kube-system svc/join-service
+          exit 1
+        fi
+        kubectl delete ns malicious-join

.github/actions/e2e_mini/action.yml

@@ -11,29 +11,55 @@ inputs:
   azureTenantID:
     description: "Azure tenant to use for login with OIDC"
     required: true
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
+  azureIAMCredentials:
+    description: "Azure IAM credentials used for cleaning up resources"
+    required: true
+  registry:
+    description: "Container registry to use"
+    required: true
+  githubToken:
+    description: "GitHub authorization token"
     required: true
 
 runs:
   using: "composite"
   steps:
     - name: Install terraform
-      uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
         terraform_wrapper: false
 
     - name: Setup bazel
-      uses: ./.github/actions/setup_bazel
+      uses: ./.github/actions/setup_bazel_nix
+
+    - name: Log in to the Container registry
+      uses: ./.github/actions/container_registry_login
       with:
-        useCache: "true"
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
+        registry: ${{ inputs.registry }}
+        username: ${{ github.actor }}
+        password: ${{ inputs.githubToken }}
 
     - name: MiniConstellation E2E
       shell: bash
+      id: e2e-test
       env:
         ARM_CLIENT_ID: ${{ inputs.azureClientID }}
         ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
         ARM_TENANT_ID: ${{ inputs.azureTenantID }}
       run: |
-        bazelisk run //e2e/miniconstellation:remote_test
+        bazel run --test_timeout=14400 //e2e/miniconstellation:push_remote_test
+
+    - name: Log in to azure
+      # only log in if e2e test failed or if the run was cancelled
+      if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureIAMCredentials }}
+
+    - name: Clean up after failure
+      shell: bash
+      # clean up if e2e test failed or if the run was cancelled
+      if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
+      run: |
+        echo "[*] Deleting resource group ${{ steps.e2e-test.outputs.rgname }}"
+        az group delete -y --resource-group "${{ steps.e2e-test.outputs.rgname }}"

.github/actions/e2e_recover/action.yml

@@ -8,31 +8,36 @@ inputs:
   kubeconfig:
     description: "The kubeconfig for the cluster."
     required: true
-  masterSecret:
-    description: "The master-secret for the cluster."
-    required: true
 
 runs:
   using: "composite"
   steps:
     - name: Restart worker node
       shell: bash
-      run: |
-        WORKER_NODE=$(kubectl get nodes --selector='!node-role.kubernetes.io/control-plane' -o json | jq '.items[0].metadata.name' -r)
-        kubectl debug node/$WORKER_NODE --image=ubuntu -- bash -c "echo reboot > reboot.sh && chroot /host < reboot.sh"
-        kubectl wait --for=condition=Ready=false --timeout=10m node/$WORKER_NODE
-        kubectl wait --for=condition=Ready=true --timeout=10m --all nodes
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        WORKER_NODE=$(kubectl get nodes --selector='!node-role.kubernetes.io/control-plane' -o json | jq '.items[0].metadata.name' -r)
+
+        echo "Disabling the join-service and waiting for the node to be unresponsive"
+        kubectl patch daemonset -n kube-system join-service -p '{"spec":{"template":{"spec":{"nodeSelector":{"some-tag":""}}}}}'
+        kubectl debug node/$WORKER_NODE --image=ubuntu -- bash -c "echo reboot > reboot.sh && chroot /host < reboot.sh"
+        kubectl wait --for=condition=Ready=Unknown --timeout=10m node/$WORKER_NODE
+
+        echo "Re-enabling the join-service and waiting for the node to be back up"
+        kubectl patch daemonset -n kube-system join-service --type=json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/some-tag"}]'
+        kubectl wait --for=condition=Ready=true --timeout=10m --all nodes
+
     - name: Restart all control plane nodes
       shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
         CONTROL_PLANE_NODES=$(kubectl get nodes --selector='node-role.kubernetes.io/control-plane' -o json | jq '.items[].metadata.name' -r)
         for CONTROL_PLANE_NODE in ${CONTROL_PLANE_NODES}; do
           kubectl debug node/$CONTROL_PLANE_NODE --image=ubuntu -- bash -c "echo reboot > reboot.sh && chroot /host < reboot.sh"
         done
-      env:
-        KUBECONFIG: ${{ inputs.kubeconfig }}
+
     - name: Constellation recover
       shell: bash
       run: |
@@ -40,12 +45,12 @@ runs:
         start_time=$(date +%s)
         recovered=0
         while true; do
-            output=$(constellation recover --master-secret=${{ inputs.masterSecret }} --force)
+            output=$(constellation recover)
             if echo "$output" | grep -q "Pushed recovery key."; then
                 echo "$output"
                 i=$(echo "$output" | grep -o "Pushed recovery key." | wc -l | sed 's/ //g')
                 recovered=$((recovered+i))
-                if [[ $recovered -eq ${{ inputs.controlNodesCount }} ]]; then
+                if [[ $recovered -gt ${{ inputs.controlNodesCount }}/2 ]]; then
                     break
                 fi
             fi
@@ -56,11 +61,14 @@ runs:
                 exit 1
             fi
 
-            echo "Did not recover all nodes yet, retrying in 5 seconds [$recovered/${{ inputs.controlNodesCount }}]"
+            echo "Did not recover a quorum (>${{inputs.controlNodesCount}}/2) of control-plane nodes yet, retrying in 5 seconds [$recovered/${{ inputs.controlNodesCount }}]"
             sleep 5
         done
+
     - name: Wait for control plane to get back up
       shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
       run: |
         timeout=600
         start_time=$(date +%s)
@@ -80,5 +88,3 @@ runs:
           echo "Cannot reach control plane, retrying in 10 seconds"
           sleep 10
         done
-      env:
-        KUBECONFIG: ${{ inputs.kubeconfig }}

.github/actions/e2e_s3proxy/action.yml

@@ -0,0 +1,65 @@
+name: E2E Test s3proxy
+description: "Test the s3proxy."
+
+inputs:
+  kubeconfig:
+    description: "Kubeconfig to access target cluster"
+    required: true
+  s3AccessKey:
+    description: "Access key for s3proxy"
+    required: true
+  s3SecretKey:
+    description: "Secret key for s3proxy"
+    required: true
+  githubToken:
+    description: "GitHub token"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup bazel
+      uses: ./.github/actions/setup_bazel_nix
+
+    - name: Get pseudoversion
+      id: pseudoversion
+      shell: bash
+      run: |
+        bazel build //bazel/settings:tag
+        echo pseudoversion=$(cat ./bazel-bin/bazel/settings/_tag.tags.txt) | tee -a "$GITHUB_OUTPUT"
+
+    - name: Log in to the Container registry
+      uses: ./.github/actions/container_registry_login
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.githubToken }}
+
+    - name: Build and push s3proxy image
+      id: s3proxybuild
+      shell: bash
+      run: |
+        bazel run //bazel/release:s3proxy_push
+        bazel build //bazel/release:s3proxy_tag.txt
+        tagpath=$(bazel cquery --output=files //bazel/release:s3proxy_tag.txt)
+        echo s3proxyImage=$(cat "${tagpath}") | tee -a "$GITHUB_OUTPUT"
+
+    - name: Setup s3proxy
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+        S3_PROXY_IMAGE: ${{ steps.s3proxybuild.outputs.s3proxyImage }}
+        AWS_ACCESS_KEY_ID: ${{ inputs.s3AccessKey }}
+        AWS_SECRET_ACCESS_KEY: ${{ inputs.s3SecretKey }}
+      run: |
+        helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" --set image="$S3_PROXY_IMAGE" --set allowMultipart=true s3proxy/deploy/s3proxy
+
+    - name: Run mint
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+        ACCESS_KEY: ${{ inputs.s3AccessKey }}
+        SECRET_KEY: ${{ inputs.s3SecretKey }}
+        IMAGE: "ghcr.io/edgelesssys/mint:v2.0.0@sha256:cf82f029ca77fd4ade4fb36f19945f44e58b1d03c1acb930d95ae7ec75a25c22" # renovate:mint-fork
+      run: |
+        ./s3proxy/e2e/deploy.sh "$IMAGE"

.github/actions/e2e_sonobuoy/action.yml

@@ -2,14 +2,18 @@ name: sonobuoy
 description: "Execute the e2e test framework sonobuoy."
 
 inputs:
-  cloudProvider:
-    description: "CSP name necessary for artifact naming."
+  artifactNameSuffix:
+    description: "Suffix for artifact naming."
     required: true
   sonobuoyTestSuiteCmd:
     description: "Which tests should be run?"
+    required: true
   kubeconfig:
     description: "The kubeconfig of the cluster to test."
     required: true
+  encryptionSecret:
+    description: 'The secret to use for encrypting the artifact.'
+    required: true
 
 runs:
   using: "composite"
@@ -17,7 +21,7 @@ runs:
     - name: Install sonobuoy
       shell: bash
       env:
-        SONOBUOY_VER: "0.56.16"
+        SONOBUOY_VER: "0.57.1"
       run: |
         HOSTOS="$(go env GOOS)"
         HOSTARCH="$(go env GOARCH)"
@@ -39,14 +43,24 @@ runs:
       shell: bash
       env:
         KUBECONFIG: ${{ inputs.kubeconfig }}
-      run: sonobuoy retrieve --kubeconfig constellation-admin.conf
+      run: |
+        sonobuoy retrieve --kubeconfig constellation-admin.conf
+        sonobuoy results *_sonobuoy_*.tar.gz
+        sonobuoy results *_sonobuoy_*.tar.gz --mode detailed | jq 'select(.status!="passed")' | jq 'select(.status!="skipped")' || true
+
+    - name: Cleanup sonobuoy deployment
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      shell: bash
+      run: sonobuoy delete --wait
 
     - name: Upload test results
       if: always() && !env.ACT
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      uses: ./.github/actions/artifact_upload
       with:
-        name: "sonobuoy_logs_${{ inputs.cloudProvider}}.tar.gz"
+        name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz"
         path: "*_sonobuoy_*.tar.gz"
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     # Only works on "sonobuoy full" tests (e2e plugin)
     - name: Extract test results
@@ -56,7 +70,7 @@ runs:
 
     - name: Publish test results
       if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
-      uses: mikepenz/action-junit-report@959aefb7f095e717eb407fe917238d61ca323ff3 # v3.7.6
+      uses: mikepenz/action-junit-report@97744eca465b8df9e6e33271cb155003f85327f1 # v5.5.0
       with:
         report_paths: "**/junit_01.xml"
         fail_on_failure: true

.github/actions/e2e_test/action.yml

@@ -4,90 +4,118 @@ description: "This test does the infrastructure management and runs the e2e test
 inputs:
   workerNodesCount:
     description: "Number of worker nodes to spawn."
-    required: false
     default: "2"
   controlNodesCount:
     description: "Number of control-plane nodes to spawn."
-    required: false
     default: "3"
   cloudProvider:
     description: "Which cloud provider to use."
     required: true
+  attestationVariant:
+    description: "Which attestation variant to use."
+    required: true
   machineType:
     description: "VM machine type. Make sure it matches selected cloud provider!"
-    required: false
   osImage:
     description: "OS image to run."
     required: true
   isDebugImage:
     description: "Is OS img a debug img?"
-    default: "true"
     required: true
   cliVersion:
     description: "Version of a released CLI to download, e.g. 'v2.3.0', leave empty to build it."
-    required: false
   kubernetesVersion:
     description: "Kubernetes version to create the cluster from."
+  refStream:
+    description: "RefStream of the image"
+  regionZone:
+    description: "Region or zone to use for resource creation"
     required: false
-  keepMeasurements:
-    default: "false"
-    description: "Keep measurements embedded in the CLI."
   gcpProject:
     description: "The GCP project to deploy Constellation in."
-    required: false
-  gcp_service_account:
-    description: "Service account with permissions to create Constellation on GCP."
-    required: false
-  gcpClusterServiceAccountKey:
-    description: "Service account to use inside the created Constellation cluster on GCP."
-    required: false
+    required: true
+  gcpIAMCreateServiceAccount:
+    description: "Service account with permissions to create IAM configuration on GCP."
+    required: true
+  gcpClusterCreateServiceAccount:
+    description: "Service account with permissions to create a Constellation cluster on GCP."
+    required: true
   awsOpenSearchDomain:
     description: "AWS OpenSearch Endpoint Domain to upload the benchmark results."
-    required: false
   awsOpenSearchUsers:
     description: "AWS OpenSearch User to upload the benchmark results."
-    required: false
   awsOpenSearchPwd:
     description: "AWS OpenSearch Password to upload the benchmark results."
-    required: false
-  azureSubscription:
-    description: "The Azure subscription ID to deploy Constellation in."
-    required: false
-  azureTenant:
-    description: "The Azure tenant ID to deploy Constellation in."
-    required: false
-  azureClientID:
-    description: "The client ID of the application registration created for Constellation in Azure."
-    required: false
-  azureClientSecret:
-    description: "The client secret value of the used secret"
-    required: false
-  azureUserAssignedIdentity:
-    description: "The Azure user assigned identity to use for Constellation."
-    required: false
-  azureResourceGroup:
-    description: "The resource group to use"
-    required: false
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
+  azureClusterCreateCredentials:
+    description: "Azure credentials authorized to create a Constellation cluster."
+    required: true
+  azureIAMCreateCredentials:
+    description: "Azure credentials authorized to create an IAM configuration."
+    required: true
   test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, nop, iamcreate]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
     required: true
   sonobuoyTestSuiteCmd:
     description: "The sonobuoy test suite to run."
-    required: false
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
+  registry:
+    description: "Container registry to use"
     required: true
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+  cosignPassword:
+    description: "The password for the cosign private key. Used for uploading to the config API"
+  cosignPrivateKey:
+    description: "The cosign private key. Used for uploading to the config API"
+  fetchMeasurements:
+    description: "Update measurements via the 'constellation config fetch-measurements' command."
+    default: "false"
+  azureSNPEnforcementPolicy:
+    description: "Enable security policy for the cluster."
+  internalLoadBalancer:
+    description: "Enable internal load balancer for the cluster."
+  clusterCreation:
+    description: "How to create infrastructure for the e2e test. One of [cli,, terraform]."
+    default: "cli"
+  s3AccessKey:
+    description: "Access key for s3proxy"
+  s3SecretKey:
+    description: "Secret key for s3proxy"
+  marketplaceImageVersion:
+    description: "Marketplace OS image version. Used instead of osImage."
+    required: false
+  force:
+    description: "Set the force-flag on apply to ignore version mismatches."
+    required: false
+  encryptionSecret:
+    description: "The secret to use for decrypting the artifact."
+    required: true
+  openStackCloudsYaml:
+    description: "The contents of ~/.config/openstack/clouds.yaml"
+    required: false
+  stackitUat:
+    description: "The UAT for STACKIT"
+    required: false
+  stackitProjectID:
+    description: "The STACKIT project ID to deploy Constellation in."
+    required: false
 
 outputs:
   kubeconfig:
     description: "The kubeconfig for the cluster."
     value: ${{ steps.constellation-create.outputs.kubeconfig }}
+  namePrefix:
+    description: "The name prefix of the cloud resources used in the e2e test."
+    value: ${{ steps.create-prefix.outputs.prefix }}
 
 runs:
   using: "composite"
   steps:
     - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "nop", "iamcreate"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
       shell: bash
       run: |
         echo "::error::Invalid input for test field: ${{ inputs.test }}"
@@ -103,18 +131,33 @@ runs:
           exit 1
         fi
 
+    - name: Validate verify input
+      if: inputs.test == 'verify'
+      shell: bash
+      run: |
+        if [[ "${{ inputs.cosignPassword }}" == '' || "${{ inputs.cosignPrivateKey }}" == '' ]]; then
+          echo "::error::e2e test verify requires cosignPassword and cosignPrivateKey to be set."
+          exit 1
+        fi
+
     - name: Determine build target
       id: determine-build-target
       shell: bash
       run: |
-        echo "hostOS=$(go env GOOS)" >> $GITHUB_OUTPUT
-        echo "hostArch=$(go env GOARCH)" >> $GITHUB_OUTPUT
+        echo "hostOS=$(go env GOOS)" | tee -a "$GITHUB_OUTPUT"
+        echo "hostArch=$(go env GOARCH)" | tee -a "$GITHUB_OUTPUT"
 
     - name: Setup bazel
-      uses: ./.github/actions/setup_bazel
+      uses: ./.github/actions/setup_bazel_nix
       with:
-        useCache: "true"
-        buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
+        nixTools: terraform
+
+    - name: Log in to the Container registry
+      uses: ./.github/actions/container_registry_login
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ github.actor }}
+        password: ${{ inputs.githubToken }}
 
     - name: Build CLI
       if: inputs.cliVersion == ''
@@ -122,8 +165,9 @@ runs:
       with:
         targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
         targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
-        enterpriseCLI: ${{ inputs.keepMeasurements }}
+        enterpriseCLI: true
         outputPath: "build/constellation"
+        push: ${{ inputs.cliVersion == '' }}
 
     - name: Download CLI
       if: inputs.cliVersion != ''
@@ -134,8 +178,28 @@ runs:
         echo "$(pwd)" >> $GITHUB_PATH
         export PATH="$PATH:$(pwd)"
         constellation version
-        # Do not spam license server from pipeline
-        sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
+
+    - name: Build Terraform provider binary
+      if: inputs.clusterCreation == 'terraform' && inputs.cliVersion == ''
+      uses: ./.github/actions/build_tf_provider
+      with:
+        targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
+        targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
+        outputPath: "build/terraform-provider-constellation"
+
+    - name: Move Terraform provider binary
+      if: inputs.clusterCreation == 'terraform' && inputs.cliVersion == ''
+      shell: bash
+      run: |
+        bazel build //bazel/settings:tag
+
+        repository_root=$(git rev-parse --show-toplevel)
+        out_rel=$(bazel cquery --output=files //bazel/settings:tag)
+        build_version=$(cat "$(realpath "${repository_root}/${out_rel}")")
+
+        terraform_provider_dir="${HOME}/.terraform.d/plugins/registry.terraform.io/edgelesssys/constellation/${build_version#v}/${{ steps.determine-build-target.outputs.hostOS }}_${{ steps.determine-build-target.outputs.hostArch }}/"
+        mkdir -p "${terraform_provider_dir}"
+        mv build/terraform-provider-constellation "${terraform_provider_dir}/terraform-provider-constellation_${build_version}"
 
     - name: Build the bootstrapper
       id: build-bootstrapper
@@ -155,66 +219,150 @@ runs:
         targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
         targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
 
-    - name: Login to GCP
+    - name: Login to GCP (IAM service account)
       if: inputs.cloudProvider == 'gcp'
       uses: ./.github/actions/login_gcp
       with:
-        service_account: ${{ inputs.gcp_service_account }}
+        service_account: ${{ inputs.gcpIAMCreateServiceAccount }}
 
-    - name: Login to AWS
+    - name: Login to AWS (IAM role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
-        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2E
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1
         # extend token expiry to 6 hours to ensure constellation can terminate
         role-duration-seconds: 21600
 
-    - name: Create IAM configuration
+    - name: Login to Azure (IAM service principal)
+      if: inputs.cloudProvider == 'azure'
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
+
+    - name: Login to OpenStack
+      if: inputs.cloudProvider == 'stackit'
+      uses: ./.github/actions/login_openstack
+      with:
+        clouds_yaml: ${{inputs.openStackCloudsYaml }}
+
+    - name: Login to STACKIT
+      if: inputs.cloudProvider == 'stackit'
+      uses: ./.github/actions/login_stackit
+      with:
+        serviceAccountToken: ${{ inputs.stackitUat }}
+
+    - name: Create prefix
+      id: create-prefix
+      shell: bash
+      run: |
+        uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
+        uuid=${uuid%%-*}
+
+        # GCP has a 6 character limit the additional uuid prefix since the full prefix length has a maximum of 24
+        if [[ ${{ inputs.cloudProvider }} == 'gcp' ]]; then
+          uuid=${uuid:0:6}
+        fi
+
+        echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
+        echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT
+
+    - name: Pick a random Azure region
+      id: pick-az-region
+      uses: ./.github/actions/pick_azure_region
+      with:
+        attestationVariant: ${{ inputs.attestationVariant }}
+
+    - name: Create Constellation config and IAM
       id: constellation-iam-create
-      if: inputs.test == 'iamcreate' && inputs.cloudProvider != 'azure' # skip for Azure, as the SP / MI does not have the required permissions
       uses: ./.github/actions/constellation_iam_create
       with:
         cloudProvider: ${{ inputs.cloudProvider }}
-        awsZone: eu-central-1c
-        awsPrefix: e2e_${{ github.run_id }}_${{ github.run_attempt }}
-        azureRegion: northeurope
-        azureResourceGroup: e2e_${{ github.run_id }}_${{ github.run_attempt }}_rg
-        azureServicePrincipal: e2e_${{ github.run_id }}_${{ github.run_attempt }}_sp
+        attestationVariant: ${{ inputs.attestationVariant }}
+        namePrefix: ${{ steps.create-prefix.outputs.prefix }}
+        awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
+        azureSubscriptionID: ${{ inputs.azureSubscriptionID }}
+        azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region  }}
         gcpProjectID: ${{ inputs.gcpProject }}
-        gcpZone: europe-west3-b
-        gcpServiceAccountID: e2e-${{ github.run_id }}-${{ github.run_attempt }}-sa
+        gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
+        stackitZone: ${{ inputs.regionZone || 'eu01-2' }}
+        stackitProjectID: ${{ inputs.stackitProjectID }}
+        kubernetesVersion: ${{ inputs.kubernetesVersion }}
+        additionalTags: "workflow=${{ github.run_id }}"
+
+    - name: Login to GCP (Cluster service account)
+      if: inputs.cloudProvider == 'gcp'
+      uses: ./.github/actions/login_gcp
+      with:
+        service_account: ${{ inputs.gcpClusterCreateServiceAccount }}
+
+    - name: Login to AWS (Cluster role)
+      if: inputs.cloudProvider == 'aws'
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
+        aws-region: eu-central-1
+        # extend token expiry to 6 hours to ensure constellation can terminate
+        role-duration-seconds: 21600
+
+    - name: Login to Azure (Cluster service principal)
+      if: inputs.cloudProvider == 'azure'
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureClusterCreateCredentials }}
 
     - name: Create cluster
       id: constellation-create
       uses: ./.github/actions/constellation_create
       with:
         cloudProvider: ${{ inputs.cloudProvider }}
-        gcpProject: ${{ inputs.gcpProject }}
-        gcpClusterServiceAccountKey: ${{ inputs.gcpClusterServiceAccountKey }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         workerNodesCount: ${{ inputs.workerNodesCount }}
         controlNodesCount: ${{ inputs.controlNodesCount }}
         machineType: ${{ inputs.machineType }}
         osImage: ${{ inputs.osImage }}
         isDebugImage: ${{ inputs.isDebugImage }}
+        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        fetchMeasurements: ${{ inputs.fetchMeasurements }}
+        cliVersion: ${{ inputs.cliVersion }}
+        azureSNPEnforcementPolicy: ${{ inputs.azureSNPEnforcementPolicy }}
+        azureIAMCreateCredentials: ${{ inputs.azureIAMCreateCredentials }}
+        azureClusterCreateCredentials: ${{ inputs.azureClusterCreateCredentials }}
         kubernetesVersion: ${{ inputs.kubernetesVersion }}
-        keepMeasurements: ${{ inputs.keepMeasurements }}
-        azureSubscription: ${{ inputs.azureSubscription }}
-        azureTenant: ${{ inputs.azureTenant }}
-        azureClientID: ${{ inputs.azureClientID }}
-        azureClientSecret: ${{ inputs.azureClientSecret }}
-        azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}
-        azureResourceGroup: ${{ inputs.azureResourceGroup }}
-        existingConfig: ${{ steps.constellation-iam-create.outputs.existingConfig }}
+        refStream: ${{ inputs.refStream }}
+        internalLoadBalancer: ${{ inputs.internalLoadBalancer }}
+        test: ${{ inputs.test }}
+        clusterCreation: ${{ inputs.clusterCreation }}
+        marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
+        force: ${{ inputs.force }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+
+    - name: Deploy log- and metrics-collection (Kubernetes)
+      id: deploy-logcollection
+      if: inputs.isDebugImage == 'false'
+      uses: ./.github/actions/deploy_logcollection
+      with:
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        opensearchUser: ${{ inputs.awsOpenSearchUsers }}
+        opensearchPwd: ${{ inputs.awsOpenSearchPwd }}
+        test: ${{ inputs.test }}
+        provider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
+        isDebugImage: ${{ inputs.isDebugImage }}
+        kubernetesVersion: ${{ inputs.kubernetesVersion }}
+        refStream: ${{ inputs.refStream }}
+        clusterCreation: ${{ inputs.clusterCreation }}
 
     #
     # Test payloads
     #
-
     - name: Nop test payload
-      if: inputs.test == 'nop'
+      if: (inputs.test == 'nop') || (inputs.test == 'upgrade')
       shell: bash
-      run: echo "::warning::This test has a nop payload. It doesn't run any tests."
+      run: |
+        echo "This test has a nop payload. It doesn't run any tests."
+        echo "Sleeping for 30 seconds to allow logs to propagate to the log collection service."
+        sleep 30
 
     - name: Run sonobuoy quick test
       if: inputs.test == 'sonobuoy quick'
@@ -222,16 +370,27 @@ runs:
       with:
         sonobuoyTestSuiteCmd: "--mode quick"
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
-        cloudProvider: ${{ inputs.cloudProvider }}
+        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Run sonobuoy full test
       if: inputs.test == 'sonobuoy full'
       uses: ./.github/actions/e2e_sonobuoy
       with:
-        # TODO: Remove E2E_SKIP once AB#2174 is resolved
-        sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
+        # TODO(3u13r): Remove E2E_SKIP once AB#2174 is resolved
+        sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol|Services should serve endpoints on same port and different protocols" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/102cd62a4091f80a795189f64ccc20738f931ef0/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/102cd62a4091f80a795189f64ccc20738f931ef0/cis-benchmarks/kube-bench-master-plugin.yaml'
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
-        cloudProvider: ${{ inputs.cloudProvider }}
+        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+
+    - name: Run sonobuoy conformance
+      if: inputs.test == 'sonobuoy conformance'
+      uses: ./.github/actions/e2e_sonobuoy
+      with:
+        sonobuoyTestSuiteCmd: "--plugin e2e --mode certified-conformance"
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Run autoscaling test
       if: inputs.test == 'autoscaling'
@@ -244,23 +403,30 @@ runs:
       uses: ./.github/actions/e2e_lb
       with:
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        cloudProvider: ${{ inputs.cloudProvider }}
 
     - name: Run Performance Benchmark
       if: inputs.test == 'perf-bench'
       uses: ./.github/actions/e2e_benchmark
       with:
         cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
         awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
         awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
 
     - name: Run constellation verify test
       if: inputs.test == 'verify'
       uses: ./.github/actions/e2e_verify
       with:
-        cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
         osImage: ${{ steps.constellation-create.outputs.osImageUsed }}
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        cosignPassword: ${{ inputs.cosignPassword }}
+        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
 
     - name: Run recover test
       if: inputs.test == 'recover'
@@ -268,4 +434,27 @@ runs:
       with:
         controlNodesCount: ${{ inputs.controlNodesCount }}
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
-        masterSecret: ${{ steps.constellation-create.outputs.masterSecret }}
+
+    - name: Run malicious join test
+      if: inputs.test == 'malicious join'
+      uses: ./.github/actions/e2e_malicious_join
+      with:
+        cloudProvider: ${{ inputs.cloudProvider }}
+        attestationVariant: ${{ inputs.attestationVariant }}
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        githubToken: ${{ inputs.githubToken }}
+
+    - name: Run s3proxy e2e test
+      if: inputs.test == 's3proxy'
+      uses: ./.github/actions/e2e_s3proxy
+      with:
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        s3AccessKey: ${{ inputs.s3AccessKey }}
+        s3SecretKey: ${{ inputs.s3SecretKey }}
+        githubToken: ${{ inputs.githubToken }}
+    
+    - name: Run emergency ssh test
+      if: inputs.test == 'emergency ssh'
+      uses: ./.github/actions/e2e_emergency_ssh
+      with:
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}

.github/actions/e2e_test/teams-payload.json

@@ -1,24 +0,0 @@
-{
-    "@type": "MessageCard",
-    "@context": "http://schema.org/extensions",
-    "themeColor": "FF5733",
-    "summary": "E2E Job Failed",
-    "sections": [{
-        "activityTitle": "E2E Job Failed",
-        "activitySubtitle": "${TEAMS_JOB_NAME}",
-        "activityImage": "https://miro.medium.com/max/552/1*G7s61tFPaLI9JRxWYpRNLw.png",
-        "facts": [{
-            "name": "Status",
-            "value": "Error"
-        }],
-        "markdown": true
-    }],
-    "potentialAction": [{
-        "@type": "OpenUri",
-        "name": "Go To Failed Action",
-        "targets": [{
-            "os": "default",
-            "uri": "https://github.com/edgelesssys/constellation/actions/runs/${TEAMS_RUN_ID}"
-        }]
-    }]
-}

.github/actions/e2e_verify/action.yml

@@ -5,39 +5,107 @@ inputs:
   osImage:
     description: "The OS image used in the cluster."
     required: true
-  cloudProvider:
-    description: "The cloud provider used in the cluster."
+  attestationVariant:
+    description: "The attestation variant used in the cluster."
     required: true
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+  cosignPassword:
+    required: true
+    description: "The password for the cosign private key."
+  cosignPrivateKey:
+    required: true
+    description: "The cosign private key."
 
 runs:
   using: "composite"
   steps:
-    - name: Clear current measurements
-      shell: bash
-      run: |
-        yq -i 'del(.provider.${{ inputs.cloudProvider }}.measurements)' constellation-conf.yaml
-
     - name: Expand version path
       id: expand-version
       uses: ./.github/actions/shortname
       with:
         shortname: ${{ inputs.osImage }}
 
-    - name: Fetch & write measurements
+    - name: Constellation fetch measurements
       shell: bash
       run: |
-        ref=${{ steps.expand-version.outputs.ref }}
-        stream=${{ steps.expand-version.outputs.stream }}
-        version=${{ steps.expand-version.outputs.version }}
-        verPath="ref/${ref}/stream/${stream}/${version}"
-        MEASUREMENTS=$(curl -fsSL https://cdn.confidential.cloud/constellation/v1/${verPath}/image/csp/${{ inputs.cloudProvider }}/measurements.json | jq '.measurements' -r)
-        for key in $(echo $MEASUREMENTS | jq 'keys[]' -r); do
-            echo Updating $key to $(echo $MEASUREMENTS | jq ".\"$key\"" -r)
-            yq -i ".provider.${{ inputs.cloudProvider }}.measurements.[$key] = $(echo $MEASUREMENTS | jq ".\"$key\"")" constellation-conf.yaml
-        done
-        yq -i '.provider.${{ inputs.cloudProvider }}.measurements |= array_to_map' constellation-conf.yaml
-        cat constellation-conf.yaml
+        if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]]
+        then
+          constellation config fetch-measurements --insecure
+        else
+          constellation config fetch-measurements
+        fi
 
     - name: Constellation verify
       shell: bash
-      run: constellation verify --cluster-id $(jq -r ".clusterID" constellation-id.json) --force
+      run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml)
+
+    - name: Verify all nodes
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml)
+        nodes=$(kubectl get nodes -o json | jq -r ".items[].metadata.name")
+
+        for node in $nodes ; do
+          verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system | grep "verification-service" | cut -d' ' -f1)
+
+          mapfile -t verificationPod <<< "$verificationPod"
+
+          if [[ ${#verificationPod[@]} -ne 1 ]]; then
+            echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}"
+            exit 1
+          fi
+
+          echo "Verifying pod ${verificationPod} on node ${node}"
+
+          kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m
+          kubectl port-forward -n kube-system "pods/${verificationPod}"  9090:9090 &
+          forwarderPID=$!
+          sleep 5
+
+          case "${{ inputs.attestationVariant }}"
+          in
+            "azure-sev-snp"|"azure-tdx"|"aws-sev-snp"|"gcp-sev-snp")
+              echo "Extracting TCB versions for API update"
+              constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "attestation-report-${node}.json"
+              ;;
+            *)
+              constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
+              ;;
+          esac
+
+          kill $forwarderPID
+        done
+
+    - name: Login to AWS
+      if: github.ref_name == 'main'
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
+        aws-region: eu-central-1
+
+    - name: Upload extracted TCBs
+      if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'azure-tdx' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
+      shell: bash
+      env:
+        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
+        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
+      run: |
+        reports=attestation-report-*.json
+
+        # bazel run changes the working directory
+        # convert the relative paths to absolute paths to avoid issues
+        absolute_reports=""
+        for report in ${reports}; do
+          absolute_reports="${absolute_reports} $(realpath "${report}")"
+        done
+
+        report=$(bazel run //internal/api/attestationconfigapi/cli -- compare ${{ inputs.attestationVariant }} ${absolute_reports})
+
+        path=$(realpath "${report}")
+        cat "${path}"
+
+        bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.attestationVariant }} attestation-report "${path}"

.github/actions/find_latest_image/action.yml

@@ -0,0 +1,78 @@
+name: Find latest image
+description: 'Find the latest image reference for a given ref/stream.'
+
+inputs:
+  git-ref:
+    description: 'Git ref to checkout.'
+  imageVersion:
+    description: 'Image version to use. If set, no image will be searched for and the specified image will be returned.'
+  ref:
+    description: 'The ref the image was built on. (e.g. "main")'
+    default: 'main'
+  stream:
+    description: 'The publication stream of the image. (e.g. "debug")'
+    default: 'debug'
+
+outputs:
+  image:
+    description: "Image reference to be used in the cluster."
+    value: ${{ steps.find-latest-image.outputs.output }}${{ steps.use-given-image.outputs.output }}
+  isDebugImage:
+    description: "Whether the image is a debug image."
+    value: ${{ steps.isDebugImage.outputs.isDebugImage }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout head
+      if: inputs.imageVersion == '' && inputs.git-ref == 'head'
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+    - name: Checkout ref
+      if: inputs.imageVersion == '' && inputs.git-ref != 'head'
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ inputs.git-ref }}
+
+    - name: Login to AWS
+      if: inputs.imageVersion == ''
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
+        aws-region: eu-central-1
+
+    - uses: ./.github/actions/setup_bazel_nix
+
+    - name: Find latest image
+      id: find-latest-image
+      if: inputs.imageVersion == ''
+      uses: ./.github/actions/versionsapi
+      with:
+        command: latest
+        ref: ${{ inputs.ref }}
+        stream: ${{ inputs.stream }}
+
+    - name: Use given image
+      id: use-given-image
+      if: inputs.imageVersion != ''
+      shell: bash
+      run: |
+        echo "output=${{ inputs.imageVersion }}" | tee -a "$GITHUB_OUTPUT"
+
+    - name: Is debug image?
+      id: isDebugImage
+      shell: bash
+      run: |
+        case "${{ inputs.imageVersion }}" in
+          "")
+            echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT"
+            ;;
+          *"/stream/debug/"*)
+            echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT"
+            ;;
+          *)
+            echo "isDebugImage=false" | tee -a "$GITHUB_OUTPUT"
+            ;;
+        esac

.github/actions/gcpccm_vers_to_build/action.yml

@@ -0,0 +1,24 @@
+name: Find GCP CCM versions that need to be build
+description: Find GCP CCM versions that need to be build
+
+inputs:
+  path:
+    description: "Path to the GCP CCM repository"
+    required: true
+
+outputs:
+  versions:
+    description: "Versions that need to be build"
+    value: ${{ steps.find-versions.outputs.versions }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Find versions that need to be build
+      id: find-versions
+      shell: bash
+      run: |
+        script=$(realpath .github/actions/gcpccm_vers_to_build/findvers.sh)
+        pushd "${{ inputs.path }}"
+        versions=$(${script})
+        echo "versions=${versions}" | tee -a "$GITHUB_OUTPUT"

.github/actions/gcpccm_vers_to_build/findvers.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+function info() {
+  echo "$@" 1>&2
+}
+
+function error() {
+  echo "::err::$*"
+  exit 1
+}
+
+allCCMVersions=$(git tag | grep ccm || test $? = 1)
+if [[ -z ${allCCMVersions} ]]; then
+  error "No CCM tags found in git"
+fi
+
+allMajorVersions=()
+
+for ver in ${allCCMVersions}; do
+  major=${ver#ccm/v} # remove "ccm/v" prefix
+  major=${major%%.*} # remove everything after the first dot
+
+  if [[ ${major} -eq 0 ]]; then
+    continue # skip major version 0
+  fi
+
+  # Check if this major version is already in the list.
+  for existingMajor in "${allMajorVersions[@]}"; do
+    if [[ ${existingMajor} -eq ${major} ]]; then
+      continue 2
+    fi
+  done
+
+  info "Found major version ${major}"
+  allMajorVersions+=("${major}")
+done
+
+if [[ ${#allMajorVersions[@]} -eq 0 ]]; then
+  error "No major versions found in CCM tags"
+fi
+
+existingContainerVersions=$(crane ls "ghcr.io/edgelesssys/cloud-provider-gcp")
+if [[ -z ${existingContainerVersions} ]]; then
+  info "No existing container versions found"
+fi
+
+versionsToBuild=()
+
+for major in "${allMajorVersions[@]}"; do
+  # Get the latest released version with this major version.
+  latest=$(echo "${allCCMVersions[@]}" | grep "${major}" | sort -V | tail -n 1)
+  latest=${latest#ccm/} # remove "ccm/" prefix, keep v
+  if [[ -z ${latest} ]]; then
+    error "Could not determine latest version with major ${major}"
+  fi
+  info "Latest ${major} version is ${latest}"
+
+  # Find the latest version with this major version.
+  majorVerRegexp="v${major}.[0-9]+.[0-9]+"
+  allExistingWithMajor=$(grep -E "${majorVerRegexp}" <<< "${existingContainerVersions}" || test $? = 1)
+  latestExistingWithMinor=$(echo "${allExistingWithMajor}" | sort -V | tail -n 1)
+
+  # If there is no existing version with this major version, build the latest released version.
+  if [[ -z ${latestExistingWithMinor} ]]; then
+    info "No existing version with major ${major}, adding ${latest} to versionsToBuild"
+    versionsToBuild+=("${latest}")
+    continue
+  fi
+  info "Latest existing version with major ${major} is ${latestExistingWithMinor}"
+
+  newerVer=$(echo -e "${latest}\n${latestExistingWithMinor}" | sort -V | tail -n 1)
+  if [[ ${newerVer} == "${latestExistingWithMinor}" ]]; then
+    info "Existing version ${latestExistingWithMinor} is up to date, skipping"
+    continue
+  fi
+
+  info "Newer version ${latest} is available, existing version is ${latestExistingWithMinor}."
+  info "Adding ${latest} to versionsToBuild"
+  versionsToBuild+=("${latest}")
+done
+
+# Print one elem per line | quote elems | create array | remove empty elems and print compact.
+printf '%s\n' "${versionsToBuild[@]}" | jq -R | jq -s | jq -c 'map(select(length > 0))'

.github/actions/gh_create_issue/action.yml

@@ -0,0 +1,64 @@
+name: Create a GitHub issue
+description: "Create an issue on GitHub, and optionally add it to a project board."
+
+inputs:
+  title:
+    description: "The title of the issue."
+    required: true
+  owner:
+    description: "The owner of the repository to create the issue in."
+    required: false
+    default: ${{ github.repository_owner }}
+  repo:
+    description: "The repository to create the issue in."
+    required: false
+    default: ${{ github.repository }}
+  token:
+    description: "The GitHub token to use to authenticate."
+    required: false
+    default: ${{ github.token }}
+  body:
+    description: "The body of the issue."
+    required: false
+  body-file:
+    description: "The absolute path to a file containing the body of the issue."
+    required: false
+  assignee:
+    description: "The GitHub username to assign the issue to."
+    required: false
+  label:
+    description: "A comma-separated list of labels to add to the issue."
+    required: false
+  milestone:
+    description: "The milestone to add the issue to."
+    required: false
+  project:
+    description: "Number of the project to add the issue to."
+    required: false
+  template:
+    description: "The template to use for the issue."
+    required: false
+  fields:
+    description: "A YAML or JSON object containing the fields to use for the issue."
+    required: false
+
+outputs:
+  issue-url:
+    description: "The URL of the created issue."
+    value: ${{ steps.run.outputs.issue-url }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Run create_issue.sh
+      id: run
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+      run: |
+        set -x
+        cat << EOF | tee inputs.json
+        ${{ toJSON(inputs) }}
+        EOF
+        out=$(./.github/actions/gh_create_issue/create_issue.sh inputs.json)
+        echo "issue-url=${out}" | tee -a "$GITHUB_OUTPUT"

.github/actions/gh_create_issue/create_issue.sh

@@ -0,0 +1,254 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+function debug() {
+  echo "DEBUG: $*" >&2
+}
+
+function warn() {
+  echo "WARN: $*" >&2
+}
+
+function inputs() {
+  name="${1}"
+  local val
+  val=$(jq -r ".\"${name}\"" "${inputFile}")
+  if [[ ${val} == "null" ]]; then
+    warn "Input ${name} not found in ${inputFile}"
+    return
+  fi
+  echo "${val}"
+}
+
+function flagsFromInput() {
+  flagNames=("${@}")
+  for name in "${flagNames[@]}"; do
+    val=$(inputs "${name}")
+    if [[ -n ${val} ]]; then
+      echo "--${name}=${val}"
+    fi
+  done
+}
+
+function createIssue() {
+  flags=(
+    "assignee"
+    "body"
+    "body-file"
+    "label"
+    "milestone"
+    "project"
+    "template"
+    "title"
+  )
+  readarray -t flags <<< "$(flagsFromInput "${flags[@]}")"
+  flags+=("--repo=$(inputs owner)/$(inputs repo)")
+  debug gh issue create "${flags[@]}"
+  gh issue create "${flags[@]}"
+}
+
+function listProjects() {
+  flags=(
+    "owner"
+  )
+  readarray -t flags <<< "$(flagsFromInput "${flags[@]}")"
+  flags+=("--format=json")
+  debug gh project list "${flags[@]}"
+  gh project list "${flags[@]}" >> projects.json
+}
+
+function findProjectID() {
+  project=$(inputs "project")
+  out="$(
+    jq -r \
+      --arg project "${project}" \
+      '.projects[]
+        | select(.title == $project)
+        | .id' \
+      projects.json
+  )"
+  debug "Project ID: ${out}"
+  echo "${out}"
+}
+
+function findProjectNo() {
+  project=$(inputs "project")
+  out="$(
+    jq -r \
+      --arg project "${project}" \
+      '.projects[]
+        | select(.title == $project)
+        | .number' \
+      projects.json
+  )"
+  debug "Project Number: ${out}"
+  echo "${out}"
+}
+
+function listItems() {
+  local projectNo="${1}"
+  flags=(
+    "owner"
+  )
+  readarray -t flags <<< "$(flagsFromInput "${flags[@]}")"
+  flags+=("--limit=1000")
+  flags+=("--format=json")
+  debug gh project item-list "${flags[@]}" "${projectNo}"
+  gh project item-list "${flags[@]}" "${projectNo}" >> issues.json
+}
+
+function findIssueItemID() {
+  local issueURL="${1}"
+  out="$(
+    jq -r \
+      --arg issueURL "${issueURL}" \
+      '.items[]
+        | select(.content.url == $issueURL)
+        | .id' \
+      issues.json
+  )"
+  debug "Issue Item ID: ${out}"
+  echo "${out}"
+}
+
+function listFields() {
+  local projectNo="${1}"
+  flags=(
+    "owner"
+  )
+  readarray -t flags <<< "$(flagsFromInput "${flags[@]}")"
+  flags+=("--limit=1000")
+  flags+=("--format=json")
+  debug gh project field-list "${flags[@]}" "${projectNo}"
+  gh project field-list "${flags[@]}" "${projectNo}" >> fields.json
+}
+
+function findFieldID() {
+  local fieldName="${1}"
+  out="$(
+    jq -r \
+      --arg fieldName "${fieldName}" \
+      '.fields[]
+        | select(.name == $fieldName)
+        | .id' \
+      fields.json
+  )"
+  debug "Field ID of '${fieldName}': ${out}"
+  echo "${out}"
+}
+
+function findSelectFieldID() {
+  local fieldName="${1}"
+  local fieldValue="${2}"
+  out="$(
+    jq -r \
+      --arg fieldName "${fieldName}" \
+      --arg fieldValue "${fieldValue}" \
+      '.fields[]
+        | select(.name == $fieldName)
+        | .options[]
+        | select(.name == $fieldValue)
+        | .id' \
+      fields.json
+  )"
+  debug "Field ID of '${fieldName}': ${out}"
+  echo "${out}"
+}
+
+function findFieldType() {
+  local fieldName="${1}"
+  out="$(
+    jq -r \
+      --arg fieldName "${fieldName}" \
+      '.fields[]
+        | select(.name == $fieldName)
+        | .type' \
+      fields.json
+  )"
+  debug "Field type of '${fieldName}': ${out}"
+  echo "${out}"
+}
+
+function editItem() {
+  local projectID="${1}"
+  local itemID="${2}"
+  local id="${3}"
+  local value="${4}"
+
+  if [[ -z ${value} ]]; then
+    debug skipping empty value
+    return
+  fi
+
+  flags=(
+    "--project-id=${projectID}"
+    "--id=${itemID}"
+    "--field-id=${id}"
+    "--text=${value}"
+  )
+  debug gh project item-edit "${flags[@]}"
+  gh project item-edit "${flags[@]}" > /dev/null
+}
+
+function setFields() {
+  local projectID="${1}"
+  local itemID="${2}"
+
+  fieldsLen="$(jq -r '.fields' "${inputFile}" | yq 'length')"
+  debug "Number of fields in input: ${fieldsLen}"
+  for ((i = 0; i < fieldsLen; i++)); do
+    name="$(jq -r '.fields' "${inputFile}" |
+      yq "to_entries | .[${i}].key")"
+    value="$(jq -r '.fields' "${inputFile}" |
+      yq "to_entries | .[${i}].value")"
+    debug "Field ${i}: ${name} = ${value}"
+    type=$(findFieldType "${name}")
+
+    case "${type}" in
+    "ProjectV2Field")
+      id=$(findFieldID "${name}")
+      ;;
+    "ProjectV2SingleSelectField")
+      id=$(findSelectFieldID "${name}" "${value}")
+      ;;
+    *)
+      warn "Unknown field type: ${type}"
+      return 1
+      ;;
+    esac
+
+    editItem "${projectID}" "${itemID}" "${id}" "${value}"
+  done
+}
+
+function main() {
+  inputFile="$(realpath "${1}")"
+
+  workdir=$(mktemp -d)
+  pushd "${workdir}" > /dev/null
+  trap 'debug "not cleaning up, working directory at: ${workdir}"' ERR
+
+  issueURL=$(createIssue)
+  echo "${issueURL}"
+
+  project=$(inputs "project")
+  if [[ -z ${project} ]]; then
+    return
+  fi
+
+  listProjects
+  projectNo=$(findProjectNo)
+  projectID=$(findProjectID)
+
+  listItems "${projectNo}"
+  issueItemID=$(findIssueItemID "${issueURL}")
+  listFields "${projectNo}"
+
+  setFields "${projectID}" "${issueItemID}"
+
+  popd > /dev/null
+  rm -rf "${workdir}"
+}
+
+main "${@}"

.github/actions/install_docgen/action.yml

@@ -1,26 +0,0 @@
-name: Install Docgen
-description: |
-  Install Docgen
-runs:
-  using: "composite"
-  steps:
-    - name: Checkout talos
-      uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
-      with:
-        fetch-depth: 0
-        repository: "siderolabs/talos"
-        ref: "v1.3.1"
-        path: talos
-
-    # This is required to be able to build docgen
-    - name: Remove go.work
-      shell: bash
-      working-directory: talos
-      run: rm go.work*
-
-    - name: Install Docgen
-      shell: bash
-      working-directory: talos/hack/docgen
-      run: |
-        go build -o docgen .
-        mv docgen /usr/local/bin

.github/actions/install_operator_sdk/action.yml

@@ -1,24 +0,0 @@
-name: Install operator-sdk
-description: |
-  Installs the operator-sdk binary.
-inputs:
-  version:
-    description: "Version of the operator-sdk to install"
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Install operator-sdk
-      shell: bash
-      run: |
-        export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac)
-        export OS=$(uname | awk '{print tolower($0)}')
-        export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ inputs.version }}
-        curl -fsSLO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH}
-        gpg --keyserver keyserver.ubuntu.com --recv-keys 052996E2A20B5C7E
-        curl -fsSLO ${OPERATOR_SDK_DL_URL}/checksums.txt
-        curl -fsSLO ${OPERATOR_SDK_DL_URL}/checksums.txt.asc
-        gpg -u "Operator SDK (release) <cncf-operator-sdk@cncf.io>" --verify checksums.txt.asc
-        grep operator-sdk_${OS}_${ARCH} checksums.txt | sha256sum -c -
-        chmod +x operator-sdk_${OS}_${ARCH} && sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
-        rm checksums.txt checksums.txt.asc

.github/actions/login_azure/action.yml

@@ -10,6 +10,6 @@ runs:
     # As described at:
     # https://github.com/Azure/login#configure-deployment-credentials
     - name: Login to Azure
-      uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+      uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
       with:
         creds: ${{ inputs.azure_credentials }}

.github/actions/login_gcp/action.yml

@@ -7,14 +7,24 @@ inputs:
 runs:
   using: "composite"
   steps:
-    # As described at:
-    # https://github.com/google-github-actions/setup-gcloud#service-account-key-json
+    - name: Clean env to prevent warnings
+      shell: bash
+      run: |
+        echo "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=" >> "$GITHUB_ENV"
+        echo "GOOGLE_APPLICATION_CREDENTIALS=" >> "$GITHUB_ENV"
+        echo "GOOGLE_GHA_CREDS_PATH=" >> "$GITHUB_ENV"
+        echo "CLOUDSDK_CORE_PROJECT=" >> "$GITHUB_ENV"
+        echo "CLOUDSDK_PROJECT=" >> "$GITHUB_ENV"
+        echo "GCLOUD_PROJECT=" >> "$GITHUB_ENV"
+        echo "GCP_PROJECT=" >> "$GITHUB_ENV"
+        echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
+
     - name: Authorize GCP access
-      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0
+      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
       with:
-        workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
+        workload_identity_provider: projects/1052692473304/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
         service_account: ${{ inputs.service_account }}
 
     # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
     - name: Set up Cloud SDK
-      uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4

.github/actions/login_openstack/action.yml

@@ -0,0 +1,16 @@
+name: OpenStack login
+description: "Login to OpenStack"
+inputs:
+  clouds_yaml:
+    description: "Credentials authorized to create Constellation on OpenStack."
+    required: true
+runs:
+  using: "composite"
+  steps:
+   - name: Login to OpenStack
+     env:
+       CLOUDS_YAML: ${{ inputs.clouds_yaml }}
+     shell: bash
+     run: |
+        mkdir -p ~/.config/openstack
+        echo "${CLOUDS_YAML}" > ~/.config/openstack/clouds.yaml

.github/actions/login_stackit/action.yml

@@ -0,0 +1,16 @@
+name: STACKIT login
+description: "Login to STACKIT"
+inputs:
+  serviceAccountToken:
+    description: "Credentials authorized to create Constellation on STACKIT."
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Login to STACKIT
+      env:
+        UAT: ${{ inputs.serviceAccountToken }}
+      shell: bash
+      run: |
+          mkdir -p ~/.stackit
+          echo "${UAT}" > ~/.stackit/credentials.json

.github/actions/notify_e2e_failure/action.yml

@@ -0,0 +1,113 @@
+name: notify e2e failure
+description: "Post a failure message to project board and teams"
+
+inputs:
+  projectWriteToken:
+    description: "Token to write to the project board"
+    required: true
+  test:
+    description: "Test name"
+    required: true
+  provider:
+    description: "CSP"
+    required: true
+  attestationVariant:
+    description: "Attestation variant"
+    required: false
+  refStream:
+    description: "RefStream of the run"
+    required: false
+  kubernetesVersion:
+    description: "Kubernetes version"
+    required: false
+  clusterCreation:
+    description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Pick assignee
+      id: pick-assignee
+      uses: ./.github/actions/pick_assignee
+
+    - name: Get the current date
+      id: date
+      shell: bash
+      run: echo "CURRENT_DATE=$(date +'%Y-%m-%d %H:%M:%S')" >> $GITHUB_ENV
+
+    - name: Create body template
+      id: body-template
+      shell: bash
+      run: |
+        # TODO(katexochen): add job number when possible
+        jobURL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+
+        # OpenSearch instance details
+        instance=search-e2e-logs-y46renozy42lcojbvrt3qq7csm
+        region=eu-central-1
+
+        # UUID of index "logs-*"
+        a="(metadata:(indexPattern:'9004ee20-77cc-11ee-b137-27c60b9ad4a4',view:discover))"
+
+        # Default window: last 7 days
+        g='(time:(from:now-7d,to:now))'
+
+        # Query construction
+        # Omit empty fields since OpenSearch will otherwise only display results where the field is empty
+        queryGen() {
+          key=$1
+          val=$2
+          if [[ -n "${val}" ]];  then
+            printf "(query:(match_phrase:(%s:'%s')))," "${key}" "${val}"
+          fi
+        }
+
+        e2eTestPayload=$(echo "${{ inputs.test }}" | jq -R -r @uri)
+
+        q=$(echo "(filters:!(
+          $(queryGen cloud.provider "${{ inputs.provider }}")
+          $(queryGen metadata.github.ref-stream "${{ inputs.refStream }}")
+          $(queryGen metadata.github.kubernetes-version "${{ inputs.kubernetesVersion }}")
+          $(queryGen metadata.github.attestation-variant "${{ inputs.attestationVariant }}")
+          $(queryGen metadata.github.cluster-creation "${{ inputs.clusterCreation }}")
+          $(queryGen metadata.github.e2e-test-payload "${e2eTestPayload}")
+          (query:(match_phrase:(metadata.github.run-id:${{ github.run_id }})))
+          ))" | tr -d "\t\n ")
+
+        # URL construction
+        opensearchURL="https://${instance}.${region}.es.amazonaws.com/_dashboards/app/data-explorer/discover/#?_a=${a}&_q=${q}&_g=${g}"
+        cat << EOF > header.md
+
+        ## Metadata
+
+        * [Job URL](${jobURL})
+        * [OpenSearch URL](${opensearchURL})
+
+        EOF
+
+        cat header.md .github/failure_project_template.md > body.md
+        echo "BODY_PATH=$(pwd)/body.md" >> $GITHUB_ENV
+
+    - uses: ./.github/actions/gh_create_issue
+      id: gh_create_issue
+      with:
+        title: "${{ env.CURRENT_DATE }}"
+        body-file: ${{ env.BODY_PATH }}
+        repo: issues
+        label: "e2e failure"
+        assignee: ${{ steps.pick-assignee.outputs.assignee }}
+        project: Constellation bugs
+        fields: |
+          workflow: ${{ github.workflow }}
+          kubernetesVersion: ${{ inputs.kubernetesVersion }}
+          cloudProvider: ${{ inputs.provider }}
+          attestationVariant: ${{ inputs.attestationVariant }}
+          clusterCreation: ${{ inputs.clusterCreation }}
+          test: ${{ inputs.test }}
+          refStream: ${{ inputs.refStream }}
+        token: ${{ inputs.projectWriteToken }}
+
+    - name: Issue URL ${{ steps.gh_create_issue.outputs.issue-url }}
+      shell: bash
+      run: echo ${{ steps.gh_create_issue.outputs.issue-url }}

.github/actions/notify_stackit/action.yml

@@ -0,0 +1,19 @@
+name: Notify STACKIT
+description: "Notify STACKIT about test failure"
+inputs:
+  slackToken:
+    description: "Slack access token."
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Notify STACKIT
+      env:
+        SLACK_TOKEN: ${{ inputs.slackToken }}
+      shell: bash
+      run: |
+          curl -X POST \
+            -H "Authorization: Bearer $SLACK_TOKEN" \
+            -H "Content-type: application/json; charset=utf-8" \
+            -d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \
+            https://slack.com/api/chat.postMessage

.github/actions/notify_teams/README.md

@@ -0,0 +1,27 @@
+# notify Teams action
+
+This action is used to send a message to our Teams channel in case of a failure in the CI/CD pipeline.
+The action will automatically choose an engineer to assign to the issue and tag them in the message.
+
+Engineers are identified by their GitHub username and bound to a Microsoft Teams ID in `.attachments[0].content.msteams.entities`.
+To add a new engineer, add a new entry to the entity list in the format:
+
+```json
+{
+  "type": "mention",
+  "text": "${github_username}",
+  "mentioned": {
+    "id": "${msteams_id}",
+    "name": "${name}"
+  }
+}
+```
+
+Where `${github_username}` is the GitHub username of the engineer, `${msteams_id}` is the Microsoft Teams ID of the engineer, and `${name}` is the name of the engineer.
+To find the Microsoft Teams ID use the following command:
+
+```bash
+az ad user show --id ${email} --query id
+```
+
+Where `${email}` is the email address of the engineer.

.github/actions/notify_teams/action.yml

@@ -0,0 +1,52 @@
+name: notify teams
+description: "Post a message to Teams"
+
+inputs:
+  teamsWebhookURI:
+    description: "URI to send a message to the Teams channel"
+    required: true
+  title:
+    description: "Title of the Teams notification"
+    required: true
+  assignee:
+    description: "Assignee of the message"
+    required: true
+  additionalFields:
+    description: "Additional fields to add to the Teams message (JSON formatted)"
+    default: "[]"
+  additionalButtons:
+    description: "Additional Buttons to add to the Teams message (JSON formatted)"
+    default: "[]"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Notify Teams channel
+      continue-on-error: true
+      shell: bash
+      run: |
+        cp .github/actions/notify_teams/teams_payload_template.json teams_payload.json
+
+        # Add workflow name to the notification
+        yq -oj -iP '.attachments[0].content.body[0].columns[1].items[0].text = "${{ inputs.title }}"' teams_payload.json
+        yq -oj -iP '.attachments[0].content.body[0].columns[1].items[1].text = "${{ github.workflow }}"' teams_payload.json
+
+        # Add additional fields
+        yq -oj -iP '.attachments[0].content.body[0].columns[1].items[2].facts += ${{ inputs.additionalFields }} ' teams_payload.json
+
+        # Remove everyone but the assignee from the JSON payload so the final message only contains the assignee
+        filtered_entity=$(yq -oj '.attachments[0].content.msteams.entities[] | select(.text == "<at>${{ inputs.assignee }}</at>")' teams_payload.json)
+        yq -oj -iP '.attachments[0].content.msteams.entities = [ '"$filtered_entity"' ]' teams_payload.json
+        yq -oj -iP '.attachments[0].content.body[0].columns[1].items[2].facts += [ { "title": "Assignee", "value": "<at>${{ inputs.assignee }}</at>" } ]' teams_payload.json
+
+        # Add clickable button which links to the workflow triggering this notification
+        yq -oj -iP '.attachments[0].content.actions[0].url = "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"' teams_payload.json
+
+        # Add additional buttons
+        yq -oj -iP '.attachments[0].content.actions += ${{ inputs.additionalButtons }}' teams_payload.json
+
+        cat teams_payload.json
+        curl \
+          -H "Content-Type: application/json" \
+          -d @teams_payload.json \
+          "${{ inputs.teamsWebhookURI }}"

.github/actions/notify_teams/teams_payload_template.json

@@ -0,0 +1,131 @@
+{
+    "type": "AdaptiveCard",
+    "attachments": [
+        {
+            "contentType": "application/vnd.microsoft.card.adaptive",
+            "contentUrl": null,
+            "content": {
+                "type": "AdaptiveCard",
+                "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
+                "version": "1.2",
+                "msteams": {
+                    "width": "Full",
+                    "entities": [
+                        {
+                            "type": "mention",
+                            "text": "<at>elchead</at>",
+                            "mentioned": {
+                                "id": "3931943b-8d4b-4300-ac7e-bbb06c4da27f",
+                                "name": "Adrian Stobbe"
+                            }
+                        },
+                        {
+                            "type": "mention",
+                            "text": "<at>msanft</at>",
+                            "mentioned": {
+                                "id": "1359ea62-4415-423e-b808-9d9acb96def0",
+                                "name": "Moritz Sanft"
+                            }
+                        },
+                        {
+                            "type": "mention",
+                            "text": "<at>3u13r</at>",
+                            "mentioned": {
+                                "id": "26869b29-b0d6-48f8-a9ed-7a6374410a53",
+                                "name": "Leonard Cohnen"
+                            }
+                        },
+                        {
+                            "type": "mention",
+                            "text": "<at>daniel-weisse</at>",
+                            "mentioned": {
+                                "id": "759f3380-526e-4776-a620-cc713dce6177",
+                                "name": "Daniel Weisse"
+                            }
+                        },
+                        {
+                            "type": "mention",
+                            "text": "<at>katexochen</at>",
+                            "mentioned": {
+                                "id": "fcb7b554-33bb-47f7-8f0e-41b66aab4556",
+                                "name": "Paul Meyer"
+                            }
+                        },
+                        {
+                            "type": "mention",
+                            "text": "<at>derpsteb</at>",
+                            "mentioned": {
+                                "id": "a9a34611-9a38-4c00-a8a2-f87d94c2bf7d",
+                                "name": "Otto Bittner"
+                            }
+                        },
+                        {
+                            "type": "mention",
+                            "text": "<at>burgerdev</at>",
+                            "mentioned": {
+                                "id": "c9efc581-58ca-4da6-93ce-79f69f89deeb",
+                                "name": "Markus Rudy"
+                            }
+                        }
+                    ]
+                },
+                "body": [
+                    {
+                        "type": "ColumnSet",
+                        "columns": [
+                            {
+                                "type": "Column",
+                                "width": 1,
+                                "items": [
+                                    {
+                                        "type": "Image",
+                                        "url": "https://miro.medium.com/max/552/1*G7s61tFPaLI9JRxWYpRNLw.png",
+                                        "size": "large",
+                                        "horizontalAlignment": "center"
+                                    }
+                                ],
+                                "horizontalAlignment": "center",
+                                "verticalContentAlignment": "center"
+                            },
+                            {
+                                "type": "Column",
+                                "width": 2,
+                                "items": [
+                                    {
+                                        "type": "TextBlock",
+                                        "text": "Title",
+                                        "wrap": true,
+                                        "fontType": "Default",
+                                        "size": "large",
+                                        "weight": "bolder"
+                                    },
+                                    {
+                                        "type": "TextBlock",
+                                        "text": "Subtitle",
+                                        "wrap": true,
+                                        "size": "large",
+                                        "isSubtle": true,
+                                        "spacing": "Small"
+                                    },
+                                    {
+                                        "type": "FactSet",
+                                        "facts": [],
+                                        "spacing": "small"
+                                    }
+                                ]
+                            }
+                        ]
+                    }
+                ],
+                "actions": [
+                    {
+                        "type": "Action.OpenUrl",
+                        "title": "GitHub workflow run",
+                        "url": "",
+                        "style": "positive"
+                    }
+                ]
+            }
+        }
+    ]
+}

.github/actions/os_build_variables/action.yml

@@ -1,304 +0,0 @@
-name: Determine OS image upload variables
-description: "Determine parameters used for image upload to various CSPs."
-inputs:
-  csp:
-    description: "Cloud Service Provider"
-    required: true
-  uploadVariant:
-    description: "Upload variant"
-    required: true
-  basePath:
-    description: "Base path to the image build directory"
-    required: true
-  ref:
-    description: "Branch of the image to be built (or '-' for releases)"
-    required: true
-  stream:
-    description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
-    required: true
-  imageVersion:
-    description: "Semantic version including patch e.g. v<major>.<minor>.<patch> or pseudo version"
-    required: false
-  imageType:
-    description: "Type of image to build"
-    required: true
-  debug:
-    description: "Build debug image"
-    required: false
-    default: "false"
-outputs:
-  awsRegion:
-    description: "Primary AWS region"
-    value: ${{ steps.aws.outputs.region }}
-  awsReplicationRegions:
-    description: "AWS regions to replicate the image to"
-    value: ${{ steps.aws.outputs.replicationRegions }}
-  awsBucket:
-    description: "AWS S3 bucket to upload the image to"
-    value: ${{ steps.aws.outputs.bucket }}
-  awsEfivarsPath:
-    description: "AWS efivars path"
-    value: ${{ steps.aws.outputs.efivarsPath }}
-  awsImagePath:
-    description: "AWS image path"
-    value: ${{ steps.aws.outputs.imagePath }}
-  awsJsonOutput:
-    description: "AWS ami json output path"
-    value: ${{ steps.aws.outputs.jsonOutput }}
-  awsImageFilename:
-    description: "AWS raw image filename"
-    value: ${{ steps.aws.outputs.imageFilename }}
-  awsImageName:
-    description: "AWS image name"
-    value: ${{ steps.aws.outputs.imageName }}
-  awsPublish:
-    description: "Should AWS AMI be published"
-    value: ${{ steps.aws.outputs.publish }}
-  azureResourceGroupName:
-    description: "Azure resource group name"
-    value: ${{ steps.azure.outputs.resourceGroupName }}
-  azureRegion:
-    description: "Primary Azure region"
-    value: ${{ steps.azure.outputs.region }}
-  azureReplicationRegions:
-    description: "Azure regions to replicate the image to"
-    value: ${{ steps.azure.outputs.replicationRegions }}
-  azureVmgsRegion:
-    description: "Azure VMGS region (AWS S3 bucket region where VMGS blob is stored)"
-    value: ${{ steps.azure.outputs.vmgsRegion }}
-  azureSku:
-    description: "Azure SIG SKU"
-    value: ${{ steps.azure.outputs.sku }}
-  azurePublisher:
-    description: "Azure SIG publisher"
-    value: ${{ steps.azure.outputs.publisher }}
-  azureRawImagePath:
-    description: "Azure raw image path"
-    value: ${{ steps.azure.outputs.rawImagePath }}
-  azureImagePath:
-    description: "Azure image path"
-    value: ${{ steps.azure.outputs.imagePath }}
-  azureJsonOutput:
-    description: "Azure image json output path"
-    value: ${{ steps.azure.outputs.jsonOutput }}
-  azureSecurityType:
-    description: "Azure security type"
-    value: ${{ steps.azure.outputs.securityType }}
-  azureDiskName:
-    description: "Azure disk name"
-    value: ${{ steps.azure.outputs.diskName }}
-  azureImageDefinition:
-    description: "Azure image definition"
-    value: ${{ steps.azure.outputs.imageDefinition }}
-  azureImageOffer:
-    description: "Azure image offer"
-    value: ${{ steps.azure.outputs.imageOffer }}
-  azureImageVersion:
-    description: "Azure image version"
-    value: ${{ steps.azure.outputs.imageVersion }}
-  azureGalleryName:
-    description: "Azure gallery name"
-    value: ${{ steps.azure.outputs.galleryName }}
-  azureVmgsPath:
-    description: "Azure VMGS path"
-    value: ${{ steps.azure.outputs.vmgsPath }}
-  gcpProject:
-    description: "GCP project"
-    value: ${{ steps.gcp.outputs.project }}
-  gcpBucket:
-    description: "GCP bucket"
-    value: ${{ steps.gcp.outputs.bucket }}
-  gcpRegion:
-    description: "GCP region"
-    value: ${{ steps.gcp.outputs.region }}
-  gcpRawImagePath:
-    description: "GCP raw image path"
-    value: ${{ steps.gcp.outputs.rawImagePath }}
-  gcpImagePath:
-    description: "GCP image path"
-    value: ${{ steps.gcp.outputs.imagePath }}
-  gcpJsonOutput:
-    description: "GCP image json output path"
-    value: ${{ steps.gcp.outputs.jsonOutput }}
-  gcpImageName:
-    description: "GCP image name"
-    value: ${{ steps.gcp.outputs.imageName }}
-  gcpImageFilename:
-    description: "GCP image filename"
-    value: ${{ steps.gcp.outputs.imageFilename }}
-  gcpImageFamily:
-    description: "GCP image family"
-    value: ${{ steps.gcp.outputs.imageFamily }}
-  openStackJsonOutput:
-    description: "OpenStack image json output path"
-    value: ${{ steps.openstack.outputs.jsonOutput }}
-  openStackBucket:
-    description: "OpenStack S3 bucket"
-    value: ${{ steps.openstack.outputs.bucket }}
-  openStackBaseUrl:
-    description: "OpenStack raw image base URL"
-    value: ${{ steps.openstack.outputs.baseUrl }}
-  openStackImagePath:
-    description: "OpenStack image path"
-    value: ${{ steps.openstack.outputs.imagePath }}
-  qemuJsonOutput:
-    description: "QEMU image json output path"
-    value: ${{ steps.qemu.outputs.jsonOutput }}
-  qemuBucket:
-    description: "QEMU S3 bucket"
-    value: ${{ steps.qemu.outputs.bucket }}
-  qemuBaseUrl:
-    description: "QEMU raw image base URL"
-    value: ${{ steps.qemu.outputs.baseUrl }}
-  qemuImagePath:
-    description: "QEMU image path"
-    value: ${{ steps.qemu.outputs.imagePath }}
-
-runs:
-  using: "composite"
-  steps:
-    - name: Determine version
-      id: version
-      uses: ./.github/actions/pseudo_version
-
-    - name: Configure AWS input variables
-      id: aws
-      if: inputs.csp == 'aws'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-        ref: ${{ inputs.ref }}
-        stream: ${{ inputs.stream }}
-        imageVersion: ${{ inputs.imageVersion }}
-        imageType: ${{ inputs.imageType }}
-        timestamp: ${{ steps.version.outputs.timestamp }}
-        semver: ${{ steps.version.outputs.semanticVersion }}
-      run: |
-        echo "region=eu-central-1" >> $GITHUB_OUTPUT
-        echo "replicationRegions=us-east-2 ap-south-1" >> $GITHUB_OUTPUT
-        echo "bucket=constellation-images" >> $GITHUB_OUTPUT
-        echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~37/efivars.bin" >> $GITHUB_OUTPUT
-        echo "imagePath=${basePath}/mkosi.output.aws/fedora~37/image.raw" >> $GITHUB_OUTPUT
-        echo "jsonOutput=${basePath}/mkosi.output.aws/fedora~37/image-upload.json" >> $GITHUB_OUTPUT
-        echo "imageFilename=image-$(date +%s).raw" >> $GITHUB_OUTPUT
-        if [[ "${stream}" = "stable" ]]
-        then
-          echo "imageName=constellation-${imageVersion}" >> $GITHUB_OUTPUT
-          echo "publish=true" >> $GITHUB_OUTPUT
-        else
-          echo "imageName=constellation-${ref}-${stream}-${semver}-${timestamp}" >> $GITHUB_OUTPUT
-          echo "publish=false" >> $GITHUB_OUTPUT
-        fi
-
-    #    gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
-    #    image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
-    #    image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
-    - name: Configure Azure input variables
-      id: azure
-      if: inputs.csp == 'azure'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-        ref: ${{ inputs.ref }}
-        stream: ${{ inputs.stream }}
-        imageVersion: ${{ inputs.imageVersion }}
-        imageType: ${{ inputs.imageType }}
-        timestamp: ${{ steps.version.outputs.timestamp }}
-        semver: ${{ steps.version.outputs.semanticVersion }}
-        uploadVariant: ${{ inputs.uploadVariant }}
-      run: |
-        echo "resourceGroupName=constellation-images" >> $GITHUB_OUTPUT
-        echo "region=northeurope" >> $GITHUB_OUTPUT
-        echo "vmgsRegion=eu-central-1" >> $GITHUB_OUTPUT
-        echo "replicationRegions=northeurope eastus westeurope westus" >> $GITHUB_OUTPUT
-        echo "sku=constellation" >> $GITHUB_OUTPUT
-        echo "publisher=edgelesssys" >> $GITHUB_OUTPUT
-        echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~37/image.raw" >> $GITHUB_OUTPUT
-        echo "imagePath=${basePath}/mkosi.output.azure/fedora~37/image.vhd" >> $GITHUB_OUTPUT
-        echo "jsonOutput=${basePath}/mkosi.output.azure/fedora~37/image-upload${uploadVariant}.json" >> $GITHUB_OUTPUT
-        # TODO: set default security type to "ConfidentialVM" once replication is possible
-        securityType=${{ inputs.uploadVariant }}
-        if [[ -z "${securityType}" ]]; then
-          securityType=ConfidentialVMSupported
-        fi
-        echo "securityType=${securityType}" >> $GITHUB_OUTPUT
-        echo "diskName=constellation-${stream}-${timestamp}-${securityType,,}" >> $GITHUB_OUTPUT
-        if [[ "${stream}" = "stable" ]]
-        then
-          echo "imageDefinition=constellation" >> $GITHUB_OUTPUT
-          echo "imageOffer=constellation" >> $GITHUB_OUTPUT
-          echo "imageVersion=${imageVersion:1}" >> $GITHUB_OUTPUT
-          galleryName=Constellation
-        elif [[ "${imageType}" = "debug" && ( "${ref}" = "-" || "${ref}" = "main" ) ]]
-        then
-          echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT
-          echo "imageOffer=${semver}" >> $GITHUB_OUTPUT
-          echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
-          galleryName=Constellation_Debug
-        else
-          echo "imageDefinition=${ref}-${stream}" >> $GITHUB_OUTPUT
-          echo "imageOffer=${ref}-${stream}" >> $GITHUB_OUTPUT
-          echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
-          galleryName=Constellation_Testing
-        fi
-        # TODO: enable VMGS upload for ConfidentialVM images once replication is possible
-        if [[ "${securityType}" == "ConfidentialVMSupported" ]]; then
-          echo "galleryName=${galleryName}_CVM" >> $GITHUB_OUTPUT
-          echo "vmgsPath=" >> $GITHUB_OUTPUT
-        else
-          echo "galleryName=${galleryName}" >> $GITHUB_OUTPUT
-          echo "vmgsPath=${basePath}/pki/${securityType}.vmgs" >> $GITHUB_OUTPUT
-        fi
-
-    #    image family and image name may include lowercase alphanumeric characters and dashes.
-    #    Must not end or begin with a dash
-    - name: Configure GCP input variables
-      id: gcp
-      if: inputs.csp == 'gcp'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-        ref: ${{ inputs.ref }}
-        stream: ${{ inputs.stream }}
-        imageVersion: ${{ inputs.imageVersion }}
-        imageType: ${{ inputs.imageType }}
-        timestamp: ${{ steps.version.outputs.timestamp }}
-      run: |
-        echo "project=constellation-images" >> $GITHUB_OUTPUT
-        echo "bucket=constellation-images" >> $GITHUB_OUTPUT
-        echo "region=europe-west3" >> $GITHUB_OUTPUT
-        echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~37/image.raw" >> $GITHUB_OUTPUT
-        echo "imagePath=${basePath}/mkosi.output.gcp/fedora~37/image.tar.gz" >> $GITHUB_OUTPUT
-        echo "jsonOutput=${basePath}/mkosi.output.gcp/fedora~37/image-upload.json" >> $GITHUB_OUTPUT
-        echo "imageName=${imageVersion//./-}-${stream}" >> $GITHUB_OUTPUT
-        echo "imageFilename=${imageVersion//./-}-${stream}.tar.gz" >> $GITHUB_OUTPUT
-        if [[ "${stream}" = "stable" ]]
-        then
-          echo "imageFamily=constellation" >> $GITHUB_OUTPUT
-        else
-          echo "imageFamily=constellation-${ref::45}" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Configure OpenStack input variables
-      id: openstack
-      if: inputs.csp == 'openstack'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-      run: |
-        echo "bucket=cdn-constellation-backend" >> $GITHUB_OUTPUT
-        echo "baseUrl=https://cdn.confidential.cloud" >> $GITHUB_OUTPUT
-        echo "imagePath=${basePath}/mkosi.output.openstack/fedora~37/image.raw" >> $GITHUB_OUTPUT
-        echo "jsonOutput=${basePath}/mkosi.output.openstack/fedora~37/image-upload.json" >> $GITHUB_OUTPUT
-
-    - name: Configure QEMU input variables
-      id: qemu
-      if: inputs.csp == 'qemu'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-      run: |
-        echo "bucket=cdn-constellation-backend" >> $GITHUB_OUTPUT
-        echo "baseUrl=https://cdn.confidential.cloud" >> $GITHUB_OUTPUT
-        echo "imagePath=${basePath}/mkosi.output.qemu/fedora~37/image.raw" >> $GITHUB_OUTPUT
-        echo "jsonOutput=${basePath}/mkosi.output.qemu/fedora~37/image-upload.json" >> $GITHUB_OUTPUT

.github/actions/pick_assignee/action.yml

@@ -0,0 +1,23 @@
+name: Pick an assignee
+description: "Pick an assignee"
+
+outputs:
+  assignee:
+    description: "GitHub login of the assignee"
+    value: ${{ steps.pick-assignee.outputs.assignee }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Pick an assignee
+      id: pick-assignee
+      shell: bash
+      run: |
+        possibleAssignees=(
+          "elchead"
+          "daniel-weisse"
+          "msanft"
+          "burgerdev"
+        )
+        assignee=${possibleAssignees[$RANDOM % ${#possibleAssignees[@]}]}
+        echo "assignee=$assignee" | tee -a "$GITHUB_OUTPUT"

.github/actions/pick_azure_region/action.yml

@@ -0,0 +1,42 @@
+name: Pick an Azure region
+description: "Pick an Azure region"
+
+inputs:
+  attestationVariant:
+    description: "Attestation variant to use. Not all regions support all variants."
+    required: true
+
+outputs:
+  region:
+    description: "One of the supported Azure regions"
+    value: ${{ steps.pick-region.outputs.region }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Pick a region
+      id: pick-region
+      shell: bash
+      run: |
+        possibleRegionsSNP=(
+          "westus"
+          "eastus"
+          "northeurope"
+          "westeurope"
+          "southeastasia"
+        )
+        possibleRegionsTDX=(
+          "centralus"
+          "eastus2"
+          "northeurope"
+          "westeurope"
+        )
+
+        if [[ "${{ inputs.attestationVariant }}" == "azure-tdx" ]]; then
+          possibleRegions=("${possibleRegionsTDX[@]}")
+        else
+          possibleRegions=("${possibleRegionsSNP[@]}")
+        fi
+
+        region=${possibleRegions[$RANDOM % ${#possibleRegions[@]}]}
+        echo "region=$region" | tee -a "$GITHUB_OUTPUT"

.github/actions/pseudo_version/action.yml

@@ -2,39 +2,23 @@ name: Determine pseudo version
 description: "Determine go-like pseudo version to use as container image tag."
 
 outputs:
-  semanticVersion:
-    description: "Semantic version based on the current HEAD"
-    value: ${{ steps.pseudo-version.outputs.semanticVersion }}
   version:
     description: "Version based on branch name"
     value: ${{ steps.pseudo-version.outputs.version }}
-  timestamp:
-    description: "Commit timestamp based on the current HEAD"
-    value: ${{ steps.pseudo-version.outputs.timestamp }}
   branchName:
     description: "Branch name"
     value: ${{ steps.pseudo-version.outputs.branchName }}
 
-# Linux runner only (homedir trick does not work on macOS, required for private runner)
 runs:
   using: "composite"
   steps:
     - name: get version
       id: pseudo-version
       shell: bash
-      working-directory: hack/pseudo-version
+      env:
+        WORKSPACE_STATUS_TOOL: ${{ github.workspace }}/tools/workspace_status.sh
       run: |
-        homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)"
-        export GOCACHE=${homedir}/.cache/go-build
-        export GOPATH=${homedir}/go
-        export GOMODCACHE=${homedir}/.cache/go-mod
-        
-        version=$(go run .)
-        semanticVersion=$(go run . -semantic-version)
-        timestamp=$(go run . -print-timestamp)
-        branchName=$(go run . -print-branch)
-
-        echo "version=${version}" >> $GITHUB_OUTPUT
-        echo "semanticVersion=${semanticVersion}" >> $GITHUB_OUTPUT
-        echo "timestamp=${timestamp}" >> $GITHUB_OUTPUT
-        echo "branchName=${branchName}" >> $GITHUB_OUTPUT
+        version=$(${WORKSPACE_STATUS_TOOL} | grep STABLE_STAMP_VERSION | cut -d ' ' -f2)
+        branchName=$(git branch --show-current | tr '/' '-')
+        echo "version=v${version}" | tee -a "$GITHUB_OUTPUT"
+        echo "branchName=${branchName}" | tee -a "$GITHUB_OUTPUT"

.github/actions/publish_helmchart/action.yml

@@ -0,0 +1,46 @@
+name: Release Helm Chart
+description: "Creates a PR in edgelesssys/helm to publish a new Chart."
+
+inputs:
+  chartPath:
+    description: "Path to chart that should be published"
+    required: true
+  githubToken:
+    description: "GitHub token"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        repository: edgelesssys/helm
+        ref: main
+        path: helm
+
+    - name: Update s3proxy Chart version
+      id: update-chart-version
+      shell: bash
+      run: |
+        helm package ${{ inputs.chartPath }} --destination helm/stable
+        cd helm
+        helm repo index stable --url https://helm.edgeless.systems/stable
+        echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
+
+    - name: Create pull request
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+      with:
+        path: helm
+        branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"
+        base: main
+        title: "s3proxy: release version ${{ steps.update-chart-version.outputs.version }}"
+        body: |
+          :robot: *This is an automated PR.* :robot:
+
+          This PR is triggered as part of the Constellation [release pipeline](https://github.com/edgelesssys/constellation/actions/runs/${{ github.run_id }}).
+          It adds a new packaged chart to the repo's stable stream.
+        commit-message: "s3proxy: release version ${{ steps.update-chart-version.outputs.version }}"
+        committer: edgelessci <edgelessci@users.noreply.github.com>
+        # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
+        token: ${{ !github.event.pull_request.head.repo.fork && inputs.githubToken || '' }}

.github/actions/select_image/action.yml

@@ -3,22 +3,22 @@ description: Resolve string presets and shortpaths to shortpaths only
 
 inputs:
   osImage:
-    description: "Shortpath or main-debug or release-stable"
+    description: "Shortpath, main-debug, main-nightly, or release-stable"
     required: true
 
 outputs:
   osImage:
-    description: "Shortpath of for input string, original input if that was already a shortpath"
+    description: "Shortpath of input string, original input if that was already a shortpath"
     value: ${{ steps.set-output.outputs.osImage }}
   isDebugImage:
-    description: "Input represents a debug image or not"
+    description: "Input is a debug image or not"
     value: ${{ steps.set-output.outputs.isDebugImage }}
 
 runs:
   using: "composite"
   steps:
     - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
         aws-region: eu-central-1
@@ -27,10 +27,10 @@ runs:
       id: input-is-preset
       shell: bash
       run: |
-        if [[ "${{ inputs.osImage }}" == "ref/main/stream/debug/?" || "${{ inputs.osImage }}" == "ref/release/stream/stable/?" ]]; then
-          echo "result=true" >> "$GITHUB_OUTPUT"
+        if [[ "${{ inputs.osImage }}" == "ref/main/stream/debug/?" || "${{ inputs.osImage }}" == "ref/main/stream/nightly/?" || "${{ inputs.osImage }}" == "ref/release/stream/stable/?" ]]; then
+          echo "result=true" | tee -a "$GITHUB_OUTPUT"
         else
-          echo "result=false" >> "$GITHUB_OUTPUT"
+          echo "result=false" | tee -a "$GITHUB_OUTPUT"
         fi
 
     - name: Separate ref and stream from matrix
@@ -43,6 +43,9 @@ runs:
         echo "ref=$(echo $REFSTREAM | cut -d/ -f2)" | tee -a "$GITHUB_OUTPUT"
         echo "stream=$(echo $REFSTREAM | cut -d/ -f4)" | tee -a "$GITHUB_OUTPUT"
 
+    - name: Setup Bazel & Nix
+      if: steps.input-is-preset.outputs.result == 'true'
+      uses: ./.github/actions/setup_bazel_nix
 
     - name: Find latest image
       if: steps.input-is-preset.outputs.result == 'true'
@@ -64,16 +67,16 @@ runs:
           export IMAGE=${{ inputs.osImage }}
         fi
 
-        echo "osImage=$IMAGE" >> $GITHUB_OUTPUT
+        echo "osImage=$IMAGE" | tee -a "$GITHUB_OUTPUT"
         echo "Using image: $IMAGE"
 
         case "$IMAGE" in
           *"/stream/debug/"*)
-            echo "isDebugImage=true" >> "$GITHUB_OUTPUT"
+            echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT"
             echo "Image is debug image."
             ;;
           *)
-            echo "isDebugImage=false" >> "$GITHUB_OUTPUT"
+            echo "isDebugImage=false" | tee -a "$GITHUB_OUTPUT"
             echo "Image is not debug image."
             ;;
         esac

.github/actions/setup_bazel/action.yml

@@ -1,70 +0,0 @@
-name: Setup bazel
-description: Setup Bazel for CI builds and tests
-
-inputs:
-  useCache:
-    description: "Cache Bazel artifacts. Use 'true' to enable with rw, 'readonly' to download, and 'false' to disable."
-    default: "false"
-    required: true
-  buildBuddyApiKey:
-    description: "BuildBuddy API key for caching Bazel artifacts"
-    required: false
-
-runs:
-  using: "composite"
-  steps:
-    - name: Check inputs
-      shell: bash
-      run: |
-        echo "::group::Check inputs"
-        if [[ "${{ inputs.useCache }}" != "true" && "${{ inputs.useCache }}" != "readonly" && "${{ inputs.useCache }}" != "false" ]]; then
-          echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'true', 'readonly', or 'false'."
-          exit 1
-        fi
-        if [[ "${{ inputs.useCache }}" == "true" || "${{ inputs.useCache }}" == "readonly" ]] && [[ -z "${{ inputs.buildBuddyApiKey }}" ]]; then
-          echo "BuildBuddy API key is required when cache is enabled."
-          exit 1
-        fi
-        echo "::endgroup::"
-
-    - name: Bazel repository cache (Linux)
-      uses: actions/cache/restore@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-      if: runner.os == 'Linux' && (inputs.useCache == 'true' || inputs.useCache == 'readonly')
-      with:
-        path: |
-          ${{ github.workspace }}/tools/pseudo-version
-          /home/runner/.cache/bazel
-          /home/runner/.cache/shared_bazel_repository_cache
-          /home/runner/.cache/shared_bazel_action_cache
-          /tmp/bazel-zig-cc
-        key: bazel
-
-    - name: Configure Bazel
-      shell: bash
-      if: inputs.useCache == 'true' || inputs.useCache == 'readonly'
-      env:
-        BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
-      run: |
-        echo "::group::Configure Bazel"
-        cat <<EOF >> ~/.bazelrc
-        build --bes_results_url=https://app.buildbuddy.io/invocation/
-        build --bes_backend=grpcs://remote.buildbuddy.io
-        build --remote_cache=grpcs://remote.buildbuddy.io
-        build --remote_timeout=3600
-        build --experimental_remote_build_event_upload=minimal
-        build --experimental_remote_cache_compression
-        build --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
-        EOF
-        echo "::endgroup::"
-
-    - name: Configure Bazel (readonly)
-      shell: bash
-      if: inputs.useCache == 'readonly'
-      run: |
-        echo "::group::Configure Bazel (readonly)"
-        echo "build --remote_upload_local_results=false" >> ~/.bazelrc
-        echo "::endgroup::"
-
-    - name: Check bazel version
-      shell: bash
-      run: bazel version

.github/actions/setup_bazel_nix/action.yml

@@ -0,0 +1,250 @@
+name: Setup bazel and Nix
+description: Setup Bazel and Nix for CI builds and tests
+
+inputs:
+  useCache:
+    description: "Cache Bazel artifacts. Use 'rbe' to enable with remote execution, and 'false' to disable."
+    default: "false"
+    required: true
+  rbePlatform:
+    description: "RBE platform to use. If empty, RBE will not be used."
+    required: false
+  nixTools:
+    description: "Nix tools to install as list of strings separated by newlines. If empty, no tools will be installed."
+    default: ""
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Check inputs
+      id: check_inputs
+      shell: bash
+      run: |
+        echo "::group::Check inputs"
+        if [[ "${{ inputs.useCache }}" != "rbe" && "${{ inputs.useCache }}" != "false" ]]; then
+          echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'rbe', or 'false'."
+          exit 1
+        fi
+        if [[ "${{ inputs.useCache }}" == "rbe" && -z "${{ inputs.rbePlatform }}" ]]; then
+          echo "RBE platform is required when cache is enabled."
+          exit 1
+        fi
+        if [[ -n "${{inputs.rbePlatform}}" ]]; then
+        case "${{ inputs.rbePlatform }}" in
+          ubuntu-22.04)
+            echo "rbeConfig=build_barn_rbe_ubuntu_22_04" | tee -a "$GITHUB_OUTPUT"
+            ;;
+
+          *)
+            echo "Invalid value for 'rbePlatform' input: '${{ inputs.rbePlatform }}'. Must be 'ubuntu-22.04'."
+            exit 1
+            ;;
+        esac
+        fi
+        if command -v nix; then
+          echo "nixPreinstalled=true" | tee -a "$GITHUB_OUTPUT"
+        else
+          echo "nixPreinstalled=false" | tee -a "$GITHUB_OUTPUT"
+        fi
+        if command -v bazel; then
+          echo "bazelPreinstalled=true" | tee -a "$GITHUB_OUTPUT"
+        else
+          echo "bazelPreinstalled=false" | tee -a "$GITHUB_OUTPUT"
+        fi
+        if [[ -f /etc/NIXOS ]]; then
+          echo "nixOS=true" | tee -a "$GITHUB_OUTPUT"
+        else
+          echo "nixOS=false" | tee -a "$GITHUB_OUTPUT"
+        fi
+        if [[ "$RUNNER_OS" == "Linux" ]]; then
+          echo "os=linux" | tee -a "$GITHUB_OUTPUT"
+        elif [[ "$RUNNER_OS" == "Windows" ]]; then
+          echo "os=windows" | tee -a "$GITHUB_OUTPUT"
+         elif [[ "$RUNNER_OS" == "macOS" ]]; then
+          echo "os=darwin" | tee -a "$GITHUB_OUTPUT"
+        else
+            echo "$RUNNER_OS not supported"
+            exit 1
+        fi
+        if [[ "$RUNNER_ARCH" == "X64" ]]; then
+          echo "arch=amd64" | tee -a "$GITHUB_OUTPUT"
+        elif [[ "$RUNNER_ARCH" == "ARM64" ]]; then
+          echo "arch=arm64" | tee -a "$GITHUB_OUTPUT"
+        else
+            echo "$RUNNER_ARCH not supported"
+            exit 1
+        fi
+        echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT"
+        echo "::endgroup::"
+
+    - name: Install current Bash on macOS
+      shell: bash
+      if: runner.os == 'macOS'
+      run: brew install bash
+
+    - name: Prepare to install tools
+      shell: bash
+      run: |
+        echo "::group::Prepare to install nix and bazel"
+        requiredTools=( "curl" "xz" "unzip" "git" )
+        declare -A packageNamesUbuntu=( ["curl"]="curl" ["xz"]="xz-utils" ["unzip"]="unzip" ["git"]="git" )
+        missingTools=()
+        for tool in "${requiredTools[@]}"; do
+          if ! command -v "$tool"; then
+            echo "$tool not found, installing..."
+            missingTools+=("$tool")
+          else
+            echo "$tool found $(command -v "$tool")"
+          fi
+        done
+        missingPackagesUbuntu=()
+        for tool in "${missingTools[@]}"; do
+          echo "Ubuntu name for $tool is ${packageNamesUbuntu[$tool]}"
+          missingPackagesUbuntu+=("${packageNamesUbuntu[$tool]}")
+        done
+        if [[ "${#missingTools[@]}" -gt 0 ]]; then
+          echo "Installing missing tools ${missingTools[*]}..."
+          if [[ "$RUNNER_OS" == "Linux" ]]; then
+            sudo apt-get update || true
+            sudo apt-get install -y ${missingPackagesUbuntu[*]} || true
+          fi
+        fi
+        echo "::endgroup::"
+
+    - name: Install nix
+      if: steps.check_inputs.outputs.nixPreinstalled == 'false'
+      uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      with:
+        install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"
+
+    - name: Set $USER if not set
+      shell: bash
+      run: |
+        echo "::group::Set \$USER if not set"
+        if [[ -z "$USER" ]]; then
+          echo "USER=$(id -un)" | tee -a "$GITHUB_ENV"
+        fi
+        echo "::endgroup::"
+
+    - name: Install Bazelisk
+      if: steps.check_inputs.outputs.bazelPreinstalled == 'false' && steps.check_inputs.outputs.nixOS == 'false'
+      shell: bash
+      env:
+        OS: ${{ steps.check_inputs.outputs.os }}
+        ARCH: ${{ steps.check_inputs.outputs.arch }}
+      run: |
+        echo "::group::Install Bazelisk"
+        sudo mkdir -p /usr/local/bin
+        sudo chown -R "$USER" /usr/local/bin
+        curl -fsSLo /usr/local/bin/bazel "https://github.com/bazelbuild/bazelisk/releases/download/v1.18.0/bazelisk-${OS}-${ARCH}"
+        chmod +x /usr/local/bin/bazel
+        echo "::endgroup::"
+
+    - name: Free up space (Ubuntu)
+      shell: bash
+      if: startsWith(runner.name, 'GitHub Actions') && runner.os == 'Linux'
+      run: |
+        echo "::group::Free up space (Ubuntu)"
+        echo "Available storage (before):"
+        df -h
+
+        sudo apt-get update || true
+        sudo apt-get remove -y '^dotnet-.*' || true
+        sudo apt-get remove -y '^llvm-.*' || true
+        sudo apt-get remove -y 'php.*' || true
+        sudo apt-get remove -y '^mongodb-.*' || true
+        sudo apt-get remove -y '^mysql-.*' || true
+        sudo rm -rf /usr/share/dotnet
+        sudo rm -rf /usr/local/lib/android
+        sudo rm -rf /opt/ghc
+        sudo rm -rf /opt/hostedtoolcache/CodeQL
+        sudo docker image prune --all --force
+        sudo apt-get autoremove -y || true
+        sudo apt-get clean || true
+
+        echo "Available storage (after):"
+        df -h
+        echo "::endgroup::"
+
+    - name: Configure Bazel (general)
+      shell: bash
+      env:
+        WORKSPACE: ${{ github.workspace }}
+      run: |
+        echo "::group::Configure Bazel"
+        cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
+        import %workspace%/bazel/bazelrc/ci.bazelrc
+        EOF
+        echo "::endgroup::"
+
+    - name: Configure Bazel (rbe)
+      if: inputs.useCache == 'rbe'
+      shell: bash
+      env:
+        RBE_CONFIG: ${{ steps.check_inputs.outputs.rbeConfig }}
+        WORKSPACE: ${{ github.workspace }}
+      run: |
+        echo "::group::Configure Bazel"
+        cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
+        common --config=${RBE_CONFIG}
+        common --repository_cache=/repository_cache
+        common --repo_env=GOPROXY=http://goproxy:3000
+        EOF
+        echo "::endgroup::"
+
+    - name: Disable disk cache on GitHub Actions runners
+      if: startsWith(runner.name , 'GitHub Actions')
+      shell: bash
+      env:
+        WORKSPACE: ${{ github.workspace }}
+      run: |
+        echo "::group::Configure Bazel (disk cache)"
+        echo "common --disk_cache=" >> "${WORKSPACE}/.bazeloverwriterc"
+        echo "common --repository_cache=" >> "${WORKSPACE}/.bazeloverwriterc"
+        echo "::endgroup::"
+
+    - name: Install nix tools
+      if: inputs.nixTools != ''
+      shell: bash
+      env:
+        NIXPKGS_ALLOW_UNFREE: 1
+        tools: ${{ inputs.nixTools }}
+        repository: ${{ github.repository }}
+        gitSha: ${{ github.sha }}
+      run: |
+        echo "::group::Install nix tools"
+        toolsNixList=$(printf ' "%s"' ${tools[@]})
+        toolsNixList="[ ${toolsNixList} ]"
+        expressionFile=$(mktemp)
+        cat << "EOF" > "${expressionFile}"
+        { tools, repository, rev }:
+        let
+          repoFlake = builtins.getFlake ("github:" + repository + "/" + rev);
+          nixpkgs = repoFlake.inputs.nixpkgs;
+          pkgs = import nixpkgs { system = builtins.currentSystem; };
+          toolPkgs = map (p: pkgs.${p}) tools;
+        in
+        {
+          tools = pkgs.symlinkJoin { name = "tools"; paths = [ toolPkgs ]; };
+          pathVar = pkgs.lib.makeBinPath toolPkgs;
+        }
+        EOF
+        # ensure the store paths are created
+        nix-build \
+          --no-out-link \
+          --arg tools "${toolsNixList}" \
+          --argstr repository "${repository}" \
+          --argstr rev "${gitSha}" \
+          --attr tools \
+          "${expressionFile}"
+        # evaluate the path expression
+        # EXTRA_PATH=/nix/store/...:/nix/store/...:/nix/store/...
+        EXTRA_PATH=$(nix eval --raw --file "${expressionFile}" \
+          --arg tools "${toolsNixList}" \
+          --argstr repository "${repository}" \
+          --argstr rev "${gitSha}" \
+          pathVar)
+        echo "EXTRA_PATH=${EXTRA_PATH}"
+        echo "${EXTRA_PATH}" >> "${GITHUB_PATH}"
+        echo "::endgroup::"

.github/actions/setup_crane/action.yaml

@@ -1,17 +0,0 @@
-name: Setup crane
-description: "Install crane (go-containerregistry)."
-runs:
-  using: composite
-  steps:
-    - name: Install
-      shell: bash
-      env:
-        VERSION: "0.12.1"
-        OS: ${{ runner.os == 'Linux' && 'Linux' || 'Darwin' }}
-        ARCH: ${{ runner.arch == 'X64' && 'x86_64' || runner.arch == 'ARM64' && 'arm64' }}
-      run: |
-        echo "::group::Install crane"
-        curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
-        tar -xzf go-containerregistry.tar.gz
-        sudo mv krane gcrane crane /usr/local/bin/
-        echo "::endgroup::"

.github/actions/setup_linux/action.yml

@@ -1,57 +0,0 @@
-name: Setup Linux build environment
-description: "Setup a Linux Build environment (for self-hosted runners)"
-runs:
-  using: "composite"
-  steps:
-    - name: Setup custom apt repositories (azure-cli & yq)
-      shell: bash
-      run: |
-        sudo apt-get update
-        sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg -y
-        curl -fsSL https://packages.microsoft.com/keys/microsoft.asc |
-          gpg --dearmor |
-          sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
-        AZ_REPO=$(lsb_release -cs)
-        echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" |
-            sudo tee /etc/apt/sources.list.d/azure-cli.list
-        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CC86BB64
-        sudo add-apt-repository ppa:rmescandon/yq
-
-    - name: Update apt repository information
-      shell: bash
-      run: |
-        sudo apt-get update
-
-    - name: Install build-essential & CMake
-      shell: bash
-      run: |
-        sudo apt-get install \
-          build-essential cmake \
-          -y
-
-    - name: Install curl gpg
-      shell: bash
-      run: |
-        sudo apt-get install curl gpg -y
-
-    - name: Install yq jq
-      shell: bash
-      run: |
-        sudo apt-get install yq jq -y
-
-    - name: Install AWS CLI
-      shell: bash
-      run: |
-        sudo apt-get -y install awscli
-
-    - name: Install az CLI
-      shell: bash
-      run: |
-        sudo apt-get install azure-cli -y
-
-    - name: Set up gcloud CLI
-      uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0
-
-    - name: Set up Docker Buildx
-      id: docker-setup
-      uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

.github/actions/setup_mkosi/action.yaml

@@ -1,42 +0,0 @@
-name: Setup mkosi
-description: Install mkosi and all its dependencies
-inputs:
-  version:
-    description: "Version (commit hash) of mkosi to install."
-    required: true
-runs:
-  using: composite
-  steps:
-    - name: Dependencies
-      shell: bash
-      run: |
-        echo "::group::Dependencies"
-        echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
-        sudo apt-get update
-        sudo apt-get install --assume-yes --no-install-recommends \
-          dnf \
-          systemd-container \
-          qemu-system-x86 \
-          ovmf \
-          e2fsprogs \
-          squashfs-tools
-        echo "::endgroup::"
-
-    # Try to eliminate "Failed to dissect image: Connection timed out" errors from nspawn by compiling
-    # systemd-nspawn from v251 from source.
-    - name: Update systemd-nspawn
-      shell: bash
-      working-directory: ${{ github.action_path }}
-      run: |
-        echo "::group::Update systemd-nspawn"
-        sudo apt-get build-dep systemd
-        git clone https://github.com/systemd/systemd-stable --branch v251.2 --depth=1
-        meson systemd-stable/build systemd-stable
-        ninja -C systemd-stable/build systemd-nspawn
-        sudo ln -svf $PWD/systemd-stable/build/systemd-nspawn $(which systemd-nspawn)
-        systemd-nspawn --version
-        echo "::endgroup::"
-
-    - name: Install
-      shell: bash
-      run: sudo python3 -m pip install git+https://github.com/systemd/mkosi.git@${{ inputs.version }}

.github/actions/terraform_apply/action.yml

@@ -0,0 +1,176 @@
+name: Terraform provider apply
+description: "Create/Apply a Constellation cluster using the Terraform provider."
+
+inputs:
+  cloudProvider:
+    description: "The cloud provider the test runs on."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Create Terraform file
+      shell: bash
+      run: |
+        attestationVariant=""
+        case "$(yq '.attestation | keys | .[0]' constellation-conf.yaml)" in
+          "awsSEVSNP")
+            attestationVariant="aws-sev-snp"
+            ;;
+          "azureSEVSNP")
+            attestationVariant="azure-sev-snp"
+            ;;
+          "azureTDX")
+            attestationVariant="azure-tdx"
+            ;;
+          "gcpSEVES")
+            attestationVariant="gcp-sev-es"
+            ;;
+          "gcpSEVSNP")
+            attestationVariant="gcp-sev-snp"
+            ;;
+          "qemuVTPM")
+            attestationVariant="qemu-vtpm"
+            ;;
+          *)
+            echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
+            exit 1
+            ;;
+        esac
+
+        cat << EOF > main.tf
+        terraform {
+          required_providers {
+            constellation = {
+              source  = "edgelesssys/constellation"
+              version = "$(yq '.microserviceVersion' constellation-conf.yaml | sed 's/^v//')"
+            }
+            random = {
+              source  = "hashicorp/random"
+              version = "3.7.1"
+            }
+          }
+        }
+
+        resource "random_bytes" "master_secret" {
+          length = 32
+        }
+
+        resource "random_bytes" "master_secret_salt" {
+          length = 32
+        }
+
+        resource "random_bytes" "measurement_salt" {
+          length = 32
+        }
+
+        data "constellation_attestation" "con_attestation" {
+          csp                 = "${{ inputs.cloudProvider }}"
+          attestation_variant = "${attestationVariant}"
+          image               = data.constellation_image.con_image.image
+          maa_url             = "$(yq '.infrastructure.azure.attestationURL' constellation-state.yaml)"
+          insecure            = true
+        }
+
+        data "constellation_image" "con_image" {
+          version             = "$(yq '.image' constellation-conf.yaml)"
+          attestation_variant = "${attestationVariant}"
+          csp                 = "${{ inputs.cloudProvider }}"
+          region              = "$(yq '.provider.aws.region' constellation-conf.yaml)"
+        }
+
+        resource "constellation_cluster" "cluster" {
+          csp                                = "${{ inputs.cloudProvider }}"
+          constellation_microservice_version = "$(yq '.microserviceVersion' constellation-conf.yaml)"
+          name                               = "$(yq '.name' constellation-conf.yaml)"
+          uid                                = "$(yq '.infrastructure.uid' constellation-state.yaml)"
+          image                              = data.constellation_image.con_image.image
+          attestation                        = data.constellation_attestation.con_attestation.attestation
+          init_secret                        = "$(yq '.infrastructure.initSecret' constellation-state.yaml | xxd -r -p)"
+          master_secret                      = random_bytes.master_secret.hex
+          master_secret_salt                 = random_bytes.master_secret_salt.hex
+          measurement_salt                   = random_bytes.measurement_salt.hex
+          out_of_cluster_endpoint            = "$(yq '.infrastructure.clusterEndpoint' constellation-state.yaml)"
+          in_cluster_endpoint                = "$(yq '.infrastructure.inClusterEndpoint' constellation-state.yaml)"
+          kubernetes_version                 = "$(yq '.kubernetesVersion' constellation-conf.yaml)"
+          azure = {
+            count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "azure" ? 1 : 0
+            tenant_id                   = "$(yq '.provider.azure.tenant' constellation-conf.yaml)"
+            subscription_id             = "$(yq '.infrastructure.azure.subscriptionID' constellation-state.yaml)"
+            uami_client_id              = "$(yq '.infrastructure.azure.userAssignedIdentity' constellation-state.yaml)"
+            uami_resource_id            = "$(yq '.provider.azure.userAssignedIdentity' constellation-conf.yaml)"
+            location                    = "$(yq '.provider.azure.location' constellation-conf.yaml)"
+            resource_group              = "$(yq '.infrastructure.azure.resourceGroup' constellation-state.yaml)"
+            load_balancer_name          = "$(yq '.infrastructure.azure.loadBalancerName' constellation-state.yaml)"
+            network_security_group_name = "$(yq '.infrastructure.azure.networkSecurityGroupName' constellation-state.yaml)"
+          }
+          gcp = {
+            count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "gcp" ? 1 : 0
+            project_id          = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
+            service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
+          }
+          openstack = {
+            cloud                      = "stackit"
+            clouds_yaml_path           = "~/.config/openstack/clouds.yaml"
+            floating_ip_pool_id        = "970ace5c-458f-484a-a660-0903bcfd91ad"
+            deploy_yawol_load_balancer = true
+            yawol_image_id             = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be"
+            yawol_flavor_id            = "3b11b27e-6c73-470d-b595-1d85b95a8cdf"
+            network_id                 = "$(yq '.infrastructure.networkID' constellation-state.yaml)"
+            subnet_id                  = "$(yq '.infrastructure.subnetID' constellation-state.yaml)"
+          }
+          network_config = {
+            ip_cidr_node    = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
+            ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"
+            ip_cidr_pod     = "$(yq '.infrastructure.gcp.ipCidrPod' constellation-state.yaml)" # This is null for everything but GCP
+          }
+        }
+
+        output "master_secret" {
+          value = random_bytes.master_secret.base64
+          sensitive = true
+        }
+
+        output "master_secret_salt" {
+          value = random_bytes.master_secret_salt.base64
+          sensitive = true
+        }
+
+        output "measurement_salt" {
+          value = random_bytes.measurement_salt.hex
+          sensitive = true
+        }
+
+        output "cluster_id" {
+          value = constellation_cluster.cluster.cluster_id
+        }
+
+        output "owner_id" {
+          value = constellation_cluster.cluster.owner_id
+        }
+
+        output "kubeconfig" {
+          value = constellation_cluster.cluster.kubeconfig
+          sensitive = true
+        }
+        EOF
+
+    - name: Apply Terraform configuration
+      shell: bash
+      run: |
+        terraform init
+        terraform apply -auto-approve
+
+    - name: Write output
+      shell: bash
+      run: |
+        terraform output -raw kubeconfig > "$(pwd)/constellation-admin.conf"
+        yq -i ".clusterValues.measurementSalt = $(terraform output measurement_salt)" constellation-state.yaml
+        yq -i ".clusterValues.clusterID = $(terraform output cluster_id)" constellation-state.yaml
+        yq -i ".clusterValues.ownerID = $(terraform output owner_id)" constellation-state.yaml
+        cat << EOF > constellation-mastersecret.json
+        {
+          "key": "$(terraform output -raw master_secret)",
+          "salt": "$(terraform output -raw master_secret_salt)"
+        }
+        EOF

.github/actions/update_tfstate/action.yml

@@ -0,0 +1,64 @@
+name: Update TFState
+description: "Update the terraform state artifact. We use this to either delete an artifact if the e2e test was cleaned up successfully or to update the artifact with the latest terraform state."
+
+inputs:
+  name:
+    description: "The name of the artifact that contains the tfstate."
+    required: true
+  runID:
+    description: "The ID of your current run (github.run_id)."
+    required: true
+  encryptionSecret:
+    description: "The encryption secret for the artifacts."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Check if uploaded tfstate can be deleted
+      if: always()
+      shell: bash
+      run: |
+        if [[ ! -d constellation-terraform ]] && [[ ! -d constellation-iam-terraform ]]; then
+          echo "DELETE_TF_STATE=true" >> "$GITHUB_ENV"
+        else
+          echo "DELETE_TF_STATE=false" >> "$GITHUB_ENV"
+        fi
+
+    - name: Delete tfstate artifact if necessary
+      if: always() && env.DELETE_TF_STATE == 'true'
+      uses: ./.github/actions/artifact_delete
+      with:
+        name: ${{ inputs.name }}
+        workflowID: ${{ inputs.runID }}
+
+    - name: Prepare left over terraform state folders
+      if: always() && env.DELETE_TF_STATE == 'false'
+      shell: bash
+      run: |
+        rm -rf to-zip/*
+        mkdir -p to-zip
+
+        to_upload=""
+        if [[ -d constellation-terraform ]]; then
+          cp -r constellation-terraform to-zip
+          rm -f to-zip/constellation-terraform/plan.zip
+          rm -rf to-zip/constellation-terraform/.terraform
+          to_upload+="to-zip/constellation-terraform"
+        fi
+        if [[ -d constellation-iam-terraform ]]; then
+          cp -r constellation-iam-terraform to-zip
+          rm -rf to-zip/constellation-iam-terraform/.terraform
+          to_upload+=" to-zip/constellation-iam-terraform"
+        fi
+        echo "TO_UPLOAD=$to_upload" >> "$GITHUB_ENV"
+
+    - name: Update tfstate
+      if: always() && env.TO_UPLOAD != ''
+      uses: ./.github/actions/artifact_upload
+      with:
+        name: ${{ inputs.name }}
+        path: >
+          ${{ env.TO_UPLOAD }}
+        encryptionSecret: ${{ inputs.encryptionSecret }}
+        overwrite: true