name: Determine OS image upload variables description: "Determine parameters used for image upload to various CSPs." inputs: csp: description: "Cloud Service Provider" required: true uploadVariant: description: "Upload variant" required: true basePath: description: "Base path to the image build directory" required: true ref: description: "Branch of the image to be built (or '-' for releases)" required: true stream: description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)" required: true imageVersion: description: "Semantic version including patch e.g. v.. or pseudo version" required: false imageType: description: "Type of image to build" required: true debug: description: "Build debug image" required: false default: "false" outputs: awsRegion: description: "Primary AWS region" value: ${{ steps.aws.outputs.region }} awsReplicationRegions: description: "AWS regions to replicate the image to" value: ${{ steps.aws.outputs.replicationRegions }} awsBucket: description: "AWS S3 bucket to upload the image to" value: ${{ steps.aws.outputs.bucket }} awsEfivarsPath: description: "AWS efivars path" value: ${{ steps.aws.outputs.efivarsPath }} awsImagePath: description: "AWS image path" value: ${{ steps.aws.outputs.imagePath }} awsJsonOutput: description: "AWS ami json output path" value: ${{ steps.aws.outputs.jsonOutput }} awsImageFilename: description: "AWS raw image filename" value: ${{ steps.aws.outputs.imageFilename }} awsImageName: description: "AWS image name" value: ${{ steps.aws.outputs.imageName }} awsPublish: description: "Should AWS AMI be published" value: ${{ steps.aws.outputs.publish }} azureResourceGroupName: description: "Azure resource group name" value: ${{ steps.azure.outputs.resourceGroupName }} azureRegion: description: "Primary Azure region" value: ${{ steps.azure.outputs.region }} azureReplicationRegions: description: "Azure regions to replicate the image to" value: ${{ steps.azure.outputs.replicationRegions }} azureVmgsRegion: description: "Azure VMGS region (AWS S3 bucket region where VMGS blob is stored)" value: ${{ steps.azure.outputs.vmgsRegion }} azureSku: description: "Azure SIG SKU" value: ${{ steps.azure.outputs.sku }} azurePublisher: description: "Azure SIG publisher" value: ${{ steps.azure.outputs.publisher }} azureRawImagePath: description: "Azure raw image path" value: ${{ steps.azure.outputs.rawImagePath }} azureImagePath: description: "Azure image path" value: ${{ steps.azure.outputs.imagePath }} azureJsonOutput: description: "Azure image json output path" value: ${{ steps.azure.outputs.jsonOutput }} azureSecurityType: description: "Azure security type" value: ${{ steps.azure.outputs.securityType }} azureDiskName: description: "Azure disk name" value: ${{ steps.azure.outputs.diskName }} azureImageDefinition: description: "Azure image definition" value: ${{ steps.azure.outputs.imageDefinition }} azureImageOffer: description: "Azure image offer" value: ${{ steps.azure.outputs.imageOffer }} azureImageVersion: description: "Azure image version" value: ${{ steps.azure.outputs.imageVersion }} azureGalleryName: description: "Azure gallery name" value: ${{ steps.azure.outputs.galleryName }} azureVmgsPath: description: "Azure VMGS path" value: ${{ steps.azure.outputs.vmgsPath }} gcpProject: description: "GCP project" value: ${{ steps.gcp.outputs.project }} gcpBucket: description: "GCP bucket" value: ${{ steps.gcp.outputs.bucket }} gcpRegion: description: "GCP region" value: ${{ steps.gcp.outputs.region }} gcpRawImagePath: description: "GCP raw image path" value: ${{ steps.gcp.outputs.rawImagePath }} gcpImagePath: description: "GCP image path" value: ${{ steps.gcp.outputs.imagePath }} gcpJsonOutput: description: "GCP image json output path" value: ${{ steps.gcp.outputs.jsonOutput }} gcpImageName: description: "GCP image name" value: ${{ steps.gcp.outputs.imageName }} gcpImageFilename: description: "GCP image filename" value: ${{ steps.gcp.outputs.imageFilename }} gcpImageFamily: description: "GCP image family" value: ${{ steps.gcp.outputs.imageFamily }} openStackJsonOutput: description: "OpenStack image json output path" value: ${{ steps.openstack.outputs.jsonOutput }} openStackBucket: description: "OpenStack S3 bucket" value: ${{ steps.openstack.outputs.bucket }} openStackBaseUrl: description: "OpenStack raw image base URL" value: ${{ steps.openstack.outputs.baseUrl }} openStackImagePath: description: "OpenStack image path" value: ${{ steps.openstack.outputs.imagePath }} qemuJsonOutput: description: "QEMU image json output path" value: ${{ steps.qemu.outputs.jsonOutput }} qemuBucket: description: "QEMU S3 bucket" value: ${{ steps.qemu.outputs.bucket }} qemuBaseUrl: description: "QEMU raw image base URL" value: ${{ steps.qemu.outputs.baseUrl }} qemuImagePath: description: "QEMU image path" value: ${{ steps.qemu.outputs.imagePath }} runs: using: "composite" steps: - name: Determine version id: version uses: ./.github/actions/pseudo_version - name: Configure AWS input variables id: aws if: inputs.csp == 'aws' shell: bash env: basePath: ${{ inputs.basePath }} ref: ${{ inputs.ref }} stream: ${{ inputs.stream }} imageVersion: ${{ inputs.imageVersion }} imageType: ${{ inputs.imageType }} timestamp: ${{ steps.version.outputs.timestamp }} semver: ${{ steps.version.outputs.semanticVersion }} run: | echo "region=eu-central-1" >> $GITHUB_OUTPUT echo "replicationRegions=us-east-2 ap-south-1" >> $GITHUB_OUTPUT echo "bucket=constellation-images" >> $GITHUB_OUTPUT echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~37/efivars.bin" >> $GITHUB_OUTPUT echo "imagePath=${basePath}/mkosi.output.aws/fedora~37/image.raw" >> $GITHUB_OUTPUT echo "jsonOutput=${basePath}/mkosi.output.aws/fedora~37/image-upload.json" >> $GITHUB_OUTPUT echo "imageFilename=image-$(date +%s).raw" >> $GITHUB_OUTPUT if [[ "${stream}" = "stable" ]] then echo "imageName=constellation-${imageVersion}" >> $GITHUB_OUTPUT echo "publish=true" >> $GITHUB_OUTPUT else echo "imageName=constellation-${ref}-${stream}-${semver}-${timestamp}" >> $GITHUB_OUTPUT echo "publish=false" >> $GITHUB_OUTPUT fi # gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character # image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character # image version has to be semantic version in the form .. . uint may not be larger than 2,147,483,647 - name: Configure Azure input variables id: azure if: inputs.csp == 'azure' shell: bash env: basePath: ${{ inputs.basePath }} ref: ${{ inputs.ref }} stream: ${{ inputs.stream }} imageVersion: ${{ inputs.imageVersion }} imageType: ${{ inputs.imageType }} timestamp: ${{ steps.version.outputs.timestamp }} semver: ${{ steps.version.outputs.semanticVersion }} pseudover: ${{ steps.version.outputs.pseudoVersion }} branchName: ${{ steps.version.outputs.branchName }} uploadVariant: ${{ inputs.uploadVariant }} run: | echo "resourceGroupName=constellation-images" >> $GITHUB_OUTPUT echo "region=northeurope" >> $GITHUB_OUTPUT echo "vmgsRegion=eu-central-1" >> $GITHUB_OUTPUT echo "replicationRegions=northeurope eastus westeurope westus" >> $GITHUB_OUTPUT echo "sku=constellation" >> $GITHUB_OUTPUT echo "publisher=edgelesssys" >> $GITHUB_OUTPUT echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~37/image.raw" >> $GITHUB_OUTPUT echo "imagePath=${basePath}/mkosi.output.azure/fedora~37/image.vhd" >> $GITHUB_OUTPUT echo "jsonOutput=${basePath}/mkosi.output.azure/fedora~37/image-upload${uploadVariant}.json" >> $GITHUB_OUTPUT # TODO: set default security type to "ConfidentialVM" once replication is possible securityType=${{ inputs.uploadVariant }} if [[ -z "${securityType}" ]]; then securityType=ConfidentialVMSupported fi echo "securityType=${securityType}" >> $GITHUB_OUTPUT echo "diskName=constellation-${stream}-${timestamp}-${securityType,,}" >> $GITHUB_OUTPUT if [[ "${stream}" = "stable" ]] then echo "imageDefinition=constellation" >> $GITHUB_OUTPUT echo "imageOffer=constellation" >> $GITHUB_OUTPUT echo "imageVersion=${imageVersion:1}" >> $GITHUB_OUTPUT galleryName=Constellation elif [[ "${imageType}" = "debug" && ( "${ref}" = "-" || "${ref}" = "main" ) ]] then echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT echo "imageOffer=${semver}" >> $GITHUB_OUTPUT echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT galleryName=Constellation_Debug else echo "imageDefinition=${ref}-${stream}" >> $GITHUB_OUTPUT echo "imageOffer=${ref}-${stream}" >> $GITHUB_OUTPUT echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT galleryName=Constellation_Testing fi # TODO: enable VMGS upload for ConfidentialVM images once replication is possible if [[ "${securityType}" == "ConfidentialVMSupported" ]]; then echo "galleryName=${galleryName}_CVM" >> $GITHUB_OUTPUT echo "vmgsPath=" >> $GITHUB_OUTPUT else echo "galleryName=${galleryName}" >> $GITHUB_OUTPUT echo "vmgsPath=${basePath}/pki/${securityType}.vmgs" >> $GITHUB_OUTPUT fi # image family and image name may include lowercase alphanumeric characters and dashes. # Must not end or begin with a dash - name: Configure GCP input variables id: gcp if: inputs.csp == 'gcp' shell: bash env: basePath: ${{ inputs.basePath }} ref: ${{ inputs.ref }} stream: ${{ inputs.stream }} imageVersion: ${{ inputs.imageVersion }} imageType: ${{ inputs.imageType }} timestamp: ${{ steps.version.outputs.timestamp }} semver: ${{ steps.version.outputs.semanticVersion }} run: | echo "project=constellation-images" >> $GITHUB_OUTPUT echo "bucket=constellation-images" >> $GITHUB_OUTPUT echo "region=europe-west3" >> $GITHUB_OUTPUT echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~37/image.raw" >> $GITHUB_OUTPUT echo "imagePath=${basePath}/mkosi.output.gcp/fedora~37/image.tar.gz" >> $GITHUB_OUTPUT echo "jsonOutput=${basePath}/mkosi.output.gcp/fedora~37/image-upload.json" >> $GITHUB_OUTPUT echo "imageName=${imageVersion//./-}-${stream}" >> $GITHUB_OUTPUT echo "imageFilename=${imageVersion//./-}-${stream}.tar.gz" >> $GITHUB_OUTPUT if [[ "${stream}" = "stable" ]] then echo "imageFamily=constellation" >> $GITHUB_OUTPUT else echo "imageFamily=constellation-${ref::45}" >> $GITHUB_OUTPUT fi - name: Configure OpenStack input variables id: openstack if: inputs.csp == 'openstack' shell: bash env: basePath: ${{ inputs.basePath }} run: | echo "bucket=cdn-constellation-backend" >> $GITHUB_OUTPUT echo "baseUrl=https://cdn.confidential.cloud" >> $GITHUB_OUTPUT echo "imagePath=${basePath}/mkosi.output.openstack/fedora~37/image.raw" >> $GITHUB_OUTPUT echo "jsonOutput=${basePath}/mkosi.output.openstack/fedora~37/image-upload.json" >> $GITHUB_OUTPUT - name: Configure QEMU input variables id: qemu if: inputs.csp == 'qemu' shell: bash env: basePath: ${{ inputs.basePath }} run: | echo "bucket=cdn-constellation-backend" >> $GITHUB_OUTPUT echo "baseUrl=https://cdn.confidential.cloud" >> $GITHUB_OUTPUT echo "imagePath=${basePath}/mkosi.output.qemu/fedora~37/image.raw" >> $GITHUB_OUTPUT echo "jsonOutput=${basePath}/mkosi.output.qemu/fedora~37/image-upload.json" >> $GITHUB_OUTPUT