From 8c3c7aa87189e66fa88b697cd0f569ed970f4eaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Sun, 3 May 2026 18:04:19 +0200
Subject: [PATCH 1/2] ci: Drop ITA_KEY usage from CI workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ITA_KEY secret was conditionally passed to TDX jobs for Intel Trust Authority attestation, but it is no longer needed. Remove it from all workflow files and the test helper export.
Signed-off-by: Fabiano FidĂȘncio
---
 .github/workflows/ci-devel.yaml | 1 -
 .github/workflows/ci-nightly.yaml | 1 -
 .github/workflows/ci-on-push.yaml | 1 -
 .github/workflows/ci.yaml | 3 ---
 .github/workflows/run-kata-coco-tests.yaml | 9 +--------
 tests/integration/kubernetes/gha-run.sh | 1 -
 6 files changed, 1 insertion(+), 15 deletions(-)
diff --git a/.github/workflows/ci-devel.yaml b/.github/workflows/ci-devel.yaml
index 5379c8ccd1..fbe42fdd62 100644
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -39,7 +39,6 @@ jobs:
 AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
 AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
- ITA_KEY: ${{ secrets.ITA_KEY }}
 QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
 KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
diff --git a/.github/workflows/ci-nightly.yaml b/.github/workflows/ci-nightly.yaml
index 72a2df154e..798c677cc6 100644
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -30,7 +30,6 @@ jobs:
 AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
 AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
- ITA_KEY: ${{ secrets.ITA_KEY }}
 QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
 KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
index e9ca81a0b4..8adb591b3b 100644
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -48,7 +48,6 @@ jobs:
 AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
 AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
- ITA_KEY: ${{ secrets.ITA_KEY }}
 QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
 KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 64aa1a71f8..0cb50777f8 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -39,8 +39,6 @@ on:
 required: true
 CI_HKD_PATH:
 required: true
- ITA_KEY:
- required: true
 QUAY_DEPLOYER_PASSWORD:
 required: true
 NGC_API_KEY:
@@ -338,7 +336,6 @@ jobs:
 AZ_APPID: ${{ secrets.AZ_APPID }}
 AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
 AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- ITA_KEY: ${{ secrets.ITA_KEY }}
 run-k8s-tests-on-zvsi:
 if: ${{ inputs.skip-test != 'yes' }}
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml
index 12dc297741..4fdf1cd909 100644
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -41,8 +41,6 @@ on:
 required: true
 AZ_SUBSCRIPTION_ID:
 required: true
- ITA_KEY:
- required: true
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-coco
@@ -81,7 +79,6 @@ jobs:
 PULL_TYPE: "guest-pull"
 AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
 AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
- GH_ITA_KEY: ${{ secrets.ITA_KEY }}
 AUTO_GENERATE_POLICY: "yes"
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -116,8 +113,6 @@ jobs:
 - name: Deploy CoCo KBS
 timeout-minutes: 10
 run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- env:
- ITA_KEY: ${{ env.KATA_HYPERVISOR == 'qemu-tdx' && env.GH_ITA_KEY || '' }}
 - name: Install `kbs-client`
 timeout-minutes: 10
@@ -139,9 +134,7 @@ jobs:
 - name: Delete CoCo KBS
 if: always()
 timeout-minutes: 10
- run: |
- [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
- bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+ run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
 # Generate jobs for testing CoCo on non-TEE environments
 run-k8s-tests-coco-nontee:
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 80c1b7374f..5da1196983 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -30,7 +30,6 @@ export KBS="${KBS:-false}"
 export KBS_INGRESS="${KBS_INGRESS:-}"
 export KUBERNETES="${KUBERNETES:-}"
 export SNAPSHOTTER="${SNAPSHOTTER:-}"
-export ITA_KEY="${ITA_KEY:-}"
 export HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}"
 export NO_PROXY="${NO_PROXY:-${no_proxy:-}}"
 export PULL_TYPE="${PULL_TYPE:-default}"
From 51d5f2ea7bb7c8aef44f04d63644420f6795e2fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Sun, 3 May 2026 18:05:17 +0200
Subject: [PATCH 2/2] ci: Run runtime-rs tests for TDX on nightly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As we're in the process to stabilise runtime-rs for the coming 4.0.0 release, we better start running as many tests as possible with that. The TDX runtime-rs job is gated to nightly runs only (pr-number == "nightly") since we only have a single TDX machine and cannot afford to run both qemu-tdx and qemu-tdx-runtime-rs on every PR.
Signed-off-by: Fabiano FidĂȘncio
---
 .github/workflows/run-kata-coco-tests.yaml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml
index 4fdf1cd909..3d730520b2 100644
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -57,6 +57,8 @@ jobs:
 include:
 - runner: tdx
 vmm: qemu-tdx
+ - runner: tdx
+ vmm: qemu-tdx-runtime-rs
 - runner: sev-snp
 vmm: qemu-snp
 - runner: sev-snp
@@ -81,58 +83,71 @@ jobs: AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AUTO_GENERATE_POLICY: "yes" steps: + - name: Skip non-nightly TDX runtime-rs + if: ${{ matrix.vmm == 'qemu-tdx-runtime-rs' && inputs.pr-number != 'nightly' }} + run: echo "SKIP_JOB=true" >> "${GITHUB_ENV}" + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + if: ${{ env.SKIP_JOB != 'true' }} with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 persist-credentials: false - name: Rebase atop of the latest target branch + if: ${{ env.SKIP_JOB != 'true' }} run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-kata-tools-tarball + if: ${{ env.SKIP_JOB != 'true' }} uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-tools-artifacts - name: Install kata-tools + if: ${{ env.SKIP_JOB != 'true' }} run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts - name: Deploy Kata + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 20 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata - name: Uninstall previous `kbs-client` + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client - name: Deploy CoCo KBS + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs - name: Install `kbs-client` + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client - name: Run tests + if: ${{ env.SKIP_JOB != 'true' }} timeout-minutes: 100 run: bash tests/integration/kubernetes/gha-run.sh run-tests - name: Report tests - if: always() + if: ${{ always() && env.SKIP_JOB != 'true' }} run: bash tests/integration/kubernetes/gha-run.sh report-tests - name: 
Delete kata-deploy - if: always() + if: ${{ always() && env.SKIP_JOB != 'true' }} timeout-minutes: 15 run: bash tests/integration/kubernetes/gha-run.sh cleanup - name: Delete CoCo KBS - if: always() + if: ${{ always() && env.SKIP_JOB != 'true' }} timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
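Review bot: The `SKIP_JOB` gate added at the top of `steps:` only takes effect after the job has started, so on every non-nightly run the `qemu-tdx-runtime-rs` matrix leg is still scheduled, has to be picked up by a runner (the job header with `runs-on` is outside this hunk, but the matrix entry uses `runner: tdx`), and then finishes green without having run a single test. A passing check for a TEE configuration that was never exercised is easy to read as coverage, and the leg still queues on the one TDX machine the commit message wants to protect. Because the `matrix` context is not available in a job-level `if`, consider generating the `include` list from an expression on `inputs.pr-number`, or moving this leg into its own job with `if: ${{ inputs.pr-number == 'nightly' }}`, so it shows as skipped. If the step-level gate stays, put a comment above the first step such as `# Every step in this job must carry env.SKIP_JOB != 'true' (nightly-only matrix leg)`, since any step added later without the condition will run on the skipped leg.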