name: Make updated OS images available on release on: release: types: [published] workflow_dispatch: inputs: tag: description: "Semantic version tag of the release (vX.Y.Z)." required: true latest: description: "Whether to update the latest tag." type: boolean default: false jobs: complete-release-branch-transaction: runs-on: ubuntu-22.04 permissions: id-token: write contents: write env: FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }} outputs: RELEASE_BRANCH: ${{ env.RELEASE_BRANCH }} WORKING_BRANCH: ${{ env.WORKING_BRANCH }} steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 # fetch all history - name: Determine branch names run: | RELEASE_BRANCH="release/${FULL_VERSION%.*}" WORKING_BRANCH="tmp/${FULL_VERSION}" echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV" echo "WORKING_BRANCH=${WORKING_BRANCH}" | tee -a "$GITHUB_ENV" - name: Create or update release branch run: | git fetch git checkout "${WORKING_BRANCH}" # ensure branch exists locally git push origin "${WORKING_BRANCH}":"${RELEASE_BRANCH}" update: runs-on: ubuntu-22.04 outputs: latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }} steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Override latest if: github.event.inputs.latest == 'true' id: input-passthrough run: echo "latest=true" | tee -a "$GITHUB_OUTPUT" - name: Check if should mark latest if: github.event.inputs.latest != 'true' id: check-last-release env: REPO: edgelesssys/constellation GH_TOKEN: ${{ github.token }} run: | latest_release_tag=$( gh api \ -H "Accept: application/vnd.github+json" \ "/repos/${REPO}/releases/latest" \ | jq -r '.tag_name' ) current_tag=${{ github.event.release.tag_name }}${{ github.event.inputs.tag }} echo "Latest release tag: ${latest_release_tag}" echo "Current tag: ${current_tag}" if [[ "${latest_release_tag}" == "${current_tag}" ]]; then echo "latest=true" | tee -a "$GITHUB_OUTPUT" else echo "latest=false" | tee -a "$GITHUB_OUTPUT" fi add-image-version-to-versionsapi: needs: [update] name: "Add image version to versionsapi" permissions: contents: read id-token: write uses: ./.github/workflows/versionsapi.yml with: command: add add_release: true stream: stable version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }} kind: image add_latest: ${{ needs.update.outputs.latest == 'true' }} add-cli-version-to-versionsapi: needs: [update, add-image-version-to-versionsapi] # run workflow calls after each other name: "Add CLI version to versionsapi" permissions: contents: read id-token: write uses: ./.github/workflows/versionsapi.yml with: command: add add_release: true stream: stable version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }} kind: cli add_latest: ${{ needs.update.outputs.latest == 'true' }} remove-temporary-branch: needs: [ complete-release-branch-transaction, add-image-version-to-versionsapi, add-cli-version-to-versionsapi, ] runs-on: ubuntu-22.04 permissions: id-token: write contents: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Remove temporary branch run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}" mirror-gcp-mpi: name: "Mirror GCP Marketplace Image" needs: [add-image-version-to-versionsapi] runs-on: ubuntu-22.04 permissions: id-token: write contents: read steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/setup_bazel_nix with: useCache: "false" - name: Login to AWS uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Fetch latest release version id: fetch-version uses: ./.github/actions/versionsapi with: command: latest stream: stable ref: "-" - name: Fetch GCP image reference id: fetch-reference shell: bash run: | # TODO(msanft): Implement marketplace images for GCP SEV-SNP aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json . FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json) IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5) echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT" - name: Login to GCP uses: ./.github/actions/login_gcp with: service_account: "mp-image-uploader@edgeless-systems-public.iam.gserviceaccount.com" - name: Mirror shell: bash run: | gcloud --project=edgeless-systems-public compute images create ${{ steps.fetch-reference.outputs.reference }} \ --source-image=${{ steps.fetch-reference.outputs.reference }} \ --source-image-project=constellation-images \ --licenses=projects/edgeless-systems-public/global/licenses/cloud-marketplace-c3d24830a0502e29-df1ebeb69c0ba664