diff --git a/.github/workflows/ci-devel.yaml b/.github/workflows/ci-devel.yaml index 5379c8ccd1..fbe42fdd62 100644 --- a/.github/workflows/ci-devel.yaml +++ b/.github/workflows/ci-devel.yaml @@ -39,7 +39,6 @@ jobs: AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} - ITA_KEY: ${{ secrets.ITA_KEY }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} NGC_API_KEY: ${{ secrets.NGC_API_KEY }} KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }} diff --git a/.github/workflows/ci-nightly.yaml b/.github/workflows/ci-nightly.yaml index 72a2df154e..798c677cc6 100644 --- a/.github/workflows/ci-nightly.yaml +++ b/.github/workflows/ci-nightly.yaml @@ -30,7 +30,6 @@ jobs: AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} - ITA_KEY: ${{ secrets.ITA_KEY }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} NGC_API_KEY: ${{ secrets.NGC_API_KEY }} KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }} diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml index e9ca81a0b4..8adb591b3b 100644 --- a/.github/workflows/ci-on-push.yaml +++ b/.github/workflows/ci-on-push.yaml @@ -48,7 +48,6 @@ jobs: AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} - ITA_KEY: ${{ secrets.ITA_KEY }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} NGC_API_KEY: ${{ secrets.NGC_API_KEY }} KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c40cc3523a..b039c07376 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -39,8 +39,6 @@ on: required: true CI_HKD_PATH: required: true - ITA_KEY: - required: true QUAY_DEPLOYER_PASSWORD: required: true NGC_API_KEY: 
@@ -339,7 +337,6 @@ jobs: AZ_APPID: ${{ secrets.AZ_APPID }} AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} - ITA_KEY: ${{ secrets.ITA_KEY }} run-k8s-tests-on-zvsi: if: ${{ inputs.skip-test != 'yes' }} diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml index 12dc297741..3d730520b2 100644 --- a/.github/workflows/run-kata-coco-tests.yaml +++ b/.github/workflows/run-kata-coco-tests.yaml @@ -41,8 +41,6 @@ on: required: true AZ_SUBSCRIPTION_ID: required: true - ITA_KEY: - required: true concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-coco @@ -59,6 +57,8 @@ jobs: include: - runner: tdx vmm: qemu-tdx + - runner: tdx + vmm: qemu-tdx-runtime-rs - runner: sev-snp vmm: qemu-snp - runner: sev-snp 
@@ -81,67 +81,75 @@ jobs: PULL_TYPE: "guest-pull" AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} - GH_ITA_KEY: ${{ secrets.ITA_KEY }} AUTO_GENERATE_POLICY: "yes" steps: + - name: Skip non-nightly TDX runtime-rs + if: ${{ matrix.vmm == 'qemu-tdx-runtime-rs' && inputs.pr-number != 'nightly' }} + run: echo "SKIP_JOB=true" >> "${GITHUB_ENV}" + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + if: ${{ env.SKIP_JOB != 'true' }} with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 persist-credentials: false - name: Rebase atop of the latest target branch + if: ${{ env.SKIP_JOB != 'true' }} run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-kata-tools-tarball + if: ${{ env.SKIP_JOB != 'true' }} uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-tools-artifacts - name: Install kata-tools + if: ${{ env.SKIP_JOB != 'true' }} run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts - name: Deploy Kata + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 20 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata - name: Uninstall previous `kbs-client` + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client - name: Deploy CoCo KBS + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs - env: - ITA_KEY: ${{ env.KATA_HYPERVISOR == 'qemu-tdx' && env.GH_ITA_KEY || '' }} - name: Install `kbs-client` + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client - name: Run tests + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 100 run: bash 
tests/integration/kubernetes/gha-run.sh run-tests - name: Report tests - if: always() + if: ${{ always() && env.SKIP_JOB != 'true' }} run: bash tests/integration/kubernetes/gha-run.sh report-tests - name: Delete kata-deploy - if: always() + if: ${{ always() && env.SKIP_JOB != 'true' }} timeout-minutes: 15 run: bash tests/integration/kubernetes/gha-run.sh cleanup - name: Delete CoCo KBS - if: always() + if: ${{ always() && env.SKIP_JOB != 'true' }} timeout-minutes: 10 - run: | - [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}" - bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs + run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs # Generate jobs for testing CoCo on non-TEE environments run-k8s-tests-coco-nontee: diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index 80c1b7374f..5da1196983 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh @@ -30,7 +30,6 @@ export KBS="${KBS:-false}" export KBS_INGRESS="${KBS_INGRESS:-}" export KUBERNETES="${KUBERNETES:-}" export SNAPSHOTTER="${SNAPSHOTTER:-}" -export ITA_KEY="${ITA_KEY:-}" export HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}" export NO_PROXY="${NO_PROXY:-${no_proxy:-}}" export PULL_TYPE="${PULL_TYPE:-default}"
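Review bot: A skipped `qemu-tdx-runtime-rs` leg finishes green: the new first step in the `@@ -81,67 +81,75 @@` hunk only sets `SKIP_JOB=true`, and every later step is individually gated on `env.SKIP_JOB != 'true'`, so a non-nightly run reports success without deploying or testing anything. A pass on this TDX leg therefore looks the same as a run that never executed, and the leg still queues on the `tdx` runner (matrix entry added in the `@@ -59,6 +57,8 @@` hunk) only to do nothing. Any step added later without the guard will run on the skipped leg. I would make the skip visible and document the contract: change the step to `run: echo "::notice::qemu-tdx-runtime-rs runs only on nightly, skipping" && echo "SKIP_JOB=true" >> "${GITHUB_ENV}"` and add above it `# Every step below must carry the SKIP_JOB guard; a skipped leg reports success.` The comparison `inputs.pr-number != 'nightly'` presumably relies on the nightly caller passing that literal value, which is not visible in this diff and is worth confirming.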