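# Publishes the OS image and CLI versions of a release to the versions API
# and mirrors the GCP marketplace image. Triggered by `release: published`
# or by manual dispatch with an explicit tag; the two triggers are folded
# into one value by concatenating `release.tag_name` and `inputs.tag`
# (only one of them is populated per run).
#
# Values that originate outside the workflow file (the release tag, the
# dispatch input, and data read from the versions API / CDN) are handed to
# `run:` scripts through `env:` instead of `${{ }}` interpolation, so they
# are never expanded as shell syntax.
name: Make updated OS images available on release

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: "Semantic version tag of the release (vX.Y.Z)."
        required: true
      latest:
        description: "Whether to update the latest tag."
        type: boolean
        default: false

jobs:
  # Promotes the temporary working branch (tmp/<tag>) to the release
  # branch (release/<major.minor>).
  complete-release-branch-transaction:
    runs-on: ubuntu-22.04
    permissions:
      id-token: write
      contents: write
    env:
      # Exactly one of the two expressions is non-empty, depending on the trigger.
      FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
    outputs:
      RELEASE_BRANCH: ${{ env.RELEASE_BRANCH }}
      WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
    steps:
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
        with:
          fetch-depth: 0 # fetch all history

      # NOTE(review): FULL_VERSION is used as a branch name without being
      # checked against the vX.Y.Z form the input description promises.
      - name: Determine branch names
        run: |
          RELEASE_BRANCH="release/${FULL_VERSION%.*}"
          WORKING_BRANCH="tmp/${FULL_VERSION}"
          echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV"
          echo "WORKING_BRANCH=${WORKING_BRANCH}" | tee -a "$GITHUB_ENV"

      - name: Create or update release branch
        run: |
          git fetch
          git checkout "${WORKING_BRANCH}" # ensure branch exists locally
          git push origin "${WORKING_BRANCH}":"${RELEASE_BRANCH}"

  # Decides whether this release is also marked "latest": either forced by
  # the dispatch input, or because it is the repository's latest GitHub release.
  update:
    runs-on: ubuntu-22.04
    # The job only checks out the repo and reads release metadata; restrict
    # the token to read scope.
    permissions:
      contents: read
    outputs:
      # The two steps below have complementary `if` conditions, so only one
      # of these expressions contributes a value.
      latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
    steps:
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5

      - name: Override latest
        if: github.event.inputs.latest == 'true'
        id: input-passthrough
        run: echo "latest=true" | tee -a "$GITHUB_OUTPUT"

      - name: Check if should mark latest
        if: github.event.inputs.latest != 'true'
        id: check-last-release
        env:
          REPO: edgelesssys/constellation
          GH_TOKEN: ${{ github.token }}
          # Handed over via env so the tag is never expanded inside the script.
          CURRENT_TAG: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
        run: |
          latest_release_tag=$(
            gh api \
              -H "Accept: application/vnd.github+json" \
              "/repos/${REPO}/releases/latest" \
            | jq -r '.tag_name'
          )

          current_tag="${CURRENT_TAG}"
          echo "Latest release tag: ${latest_release_tag}"
          echo "Current tag: ${current_tag}"

          if [[ "${latest_release_tag}" == "${current_tag}" ]]; then
            echo "latest=true" | tee -a "$GITHUB_OUTPUT"
          else
            echo "latest=false" | tee -a "$GITHUB_OUTPUT"
          fi

  add-image-version-to-versionsapi:
    needs: [update]
    name: "Add image version to versionsapi"
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      add_release: true
      stream: stable
      version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
      kind: image
      add_latest: ${{ needs.update.outputs.latest == 'true' }}

  add-cli-version-to-versionsapi:
    needs: [update, add-image-version-to-versionsapi] # run workflow calls after each other
    name: "Add CLI version to versionsapi"
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      add_release: true
      stream: stable
      version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
      kind: cli
      add_latest: ${{ needs.update.outputs.latest == 'true' }}

  # Deletes tmp/<tag> once the release branch and both versions API entries exist.
  remove-temporary-branch:
    needs:
      - complete-release-branch-transaction
      - add-image-version-to-versionsapi
      - add-cli-version-to-versionsapi
    runs-on: ubuntu-22.04
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5

      - name: Remove temporary branch
        env:
          # Job output derived from the release tag; passed via env, not interpolated.
          WORKING_BRANCH: ${{ needs.complete-release-branch-transaction.outputs.WORKING_BRANCH }}
        run: git push origin --delete "${WORKING_BRANCH}"

  # Copies the gcp-sev-es image of the latest stable version into the public
  # marketplace project.
  mirror-gcp-mpi:
    name: "Mirror GCP Marketplace Image"
    needs: [add-image-version-to-versionsapi]
    runs-on: ubuntu-22.04
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5

      - uses: ./.github/actions/setup_bazel_nix

      - name: Login to AWS
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1

      # NOTE(review): this queries the latest stable version rather than the
      # tag this run was triggered for; the two presumably coincide only when
      # the release is marked latest — confirm that is intended.
      - name: Fetch latest release version
        id: fetch-version
        uses: ./.github/actions/versionsapi
        with:
          command: latest
          stream: stable
          ref: "-"

      - name: Fetch GCP image reference
        id: fetch-reference
        shell: bash
        env:
          # Output of the versionsapi action; passed via env, not interpolated.
          VERSION: ${{ steps.fetch-version.outputs.output }}
        run: |
          # TODO(msanft): Implement marketplace images for GCP SEV-SNP
          aws s3 cp "s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${VERSION}/image/info.json" .
          FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json)
          IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
          echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT"

      - name: Login to GCP
        uses: ./.github/actions/login_gcp
        with:
          service_account: "mp-image-uploader@edgeless-systems-public.iam.gserviceaccount.com"

      - name: Mirror
        shell: bash
        env:
          # Derived from info.json fetched from the CDN; passed via env, not interpolated.
          IMAGE_REFERENCE: ${{ steps.fetch-reference.outputs.reference }}
        run: |
          gcloud --project=edgeless-systems-public compute images create "${IMAGE_REFERENCE}" \
            --source-image="${IMAGE_REFERENCE}" \
            --source-image-project=constellation-images \
            --licenses=projects/edgeless-systems-public/global/licenses/cloud-marketplace-c3d24830a0502e29-df1ebeb69c0ba664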