ci: Drop ITA_KEY usage from CI workflows

The ITA_KEY secret was conditionally passed to TDX jobs for Intel Trust Authority attestation, but it is no longer needed. Remove it from all workflow files and the test helper export. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-17 13:04:23 +00:00 · 2026-05-03 18:04:19 +02:00
parent 86e5975ad6
commit 8c3c7aa871
6 changed files with 1 additions and 15 deletions
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -39,7 +39,6 @@ jobs:
      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -30,7 +30,6 @@ jobs:
      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -48,7 +48,6 @@ jobs:
      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -39,8 +39,6 @@ on:
        required: true
      CI_HKD_PATH:
        required: true
-      ITA_KEY:
-        required: true
      QUAY_DEPLOYER_PASSWORD:
        required: true
      NGC_API_KEY:
@@ -338,7 +336,6 @@ jobs:
      AZ_APPID: ${{ secrets.AZ_APPID }}
      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}

  run-k8s-tests-on-zvsi:
    if: ${{ inputs.skip-test != 'yes' }}
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -41,8 +41,6 @@ on:
        required: true
      AZ_SUBSCRIPTION_ID:
        required: true
-      ITA_KEY:
-        required: true

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-coco
@@ -81,7 +79,6 @@ jobs:
      PULL_TYPE: "guest-pull"
      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      GH_ITA_KEY: ${{ secrets.ITA_KEY }}
      AUTO_GENERATE_POLICY: "yes"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -116,8 +113,6 @@ jobs:
      - name: Deploy CoCo KBS
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-        env:
-          ITA_KEY: ${{ env.KATA_HYPERVISOR == 'qemu-tdx' && env.GH_ITA_KEY || '' }}

      - name: Install `kbs-client`
        timeout-minutes: 10
@@ -139,9 +134,7 @@ jobs:
      - name: Delete CoCo KBS
        if: always()
        timeout-minutes: 10
-        run: |
-          [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
-          bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

  # Generate jobs for testing CoCo on non-TEE environments
  run-k8s-tests-coco-nontee: