diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
index 2fc4a0975..dcbeb3616 100644
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -16,7 +16,6 @@ on: permissions: contents: read - id-token: write concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml
index 0acdedf85..22a4a8289 100644
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -79,7 +79,12 @@ jobs: - name: build-and-push-kata-payload for ${{ inputs.arch }} id: build-and-push-kata-payload + env: + REGISTRY: ${{ inputs.registry }} + REPO: ${{ inputs.repo }} + TAG: ${{ inputs.tag }} run: | ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ - "$(pwd)"/kata-static.tar.xz \ - ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }} + "$(pwd)/kata-static.tar.xz" \ + "${REGISTRY}/${REPO}" \ + "${TAG}"
diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml
index 8c09fa635..88af72c9f 100644
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -57,6 +57,8 @@ jobs: - name: build-and-push-kata-deploy-ci-amd64 id: build-and-push-kata-deploy-ci-amd64 + env: + TARGET_ARCH: ${{ inputs.target-arch }} run: | # We need to do such trick here as the format of the $GITHUB_REF # is "refs/tags/"
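Review bot: Removing `id-token: write` from the workflow-level `permissions:` block leaves only `contents: read`, but the hunk does not show whether any job in this workflow, or a reusable workflow it calls, still requests an OIDC token; a caller that does will now fail at token minting rather than at review time. If one does, grant `id-token: write` in that job's own `permissions:` block rather than restoring it at workflow level, which is the narrowest scope. Workflow-level permissions are the default for every job that does not declare its own, so this also caps the `GITHUB_TOKEN` of jobs that never needed the OIDC grant.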
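Review bot: Nothing records why `inputs.registry`, `inputs.repo` and `inputs.tag` are now read from `env:` instead of being written as `${{ inputs.* }}` inside `run:`, so a later edit could quietly reinstate the inline form and reopen the shell-injection path this commit closes (an `${{ }}` expression is substituted into the script text before bash parses it). A one-line comment above the new `env:` block would protect the fix, e.g. `# Pass inputs through env rather than ${{ }} in run:, so their contents are never parsed by the shell`. The same comment belongs above the `TARGET_ARCH` env additions in release-amd64.yaml, release-arm64.yaml, release-ppc64le.yaml and release-s390x.yaml, which apply the same pattern. As a minor style point, those four files still write the first argument as `"$(pwd)"/kata-static.tar.xz` while this hunk changes it to `"$(pwd)/kata-static.tar.xz"`; both are safe since the suffix has no shell metacharacters, but the quoting could be made uniform.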
@@ -70,8 +72,8 @@ jobs: for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" done
diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml
index af68a3549..aa8176a58 100644
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -57,6 +57,8 @@ jobs: - name: build-and-push-kata-deploy-ci-arm64 id: build-and-push-kata-deploy-ci-arm64 + env: + TARGET_ARCH: ${{ inputs.target-arch }} run: | # We need to do such trick here as the format of the $GITHUB_REF # is "refs/tags/"
@@ -70,8 +72,8 @@ jobs: for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" done
diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml
index e01dc9dbc..a179273b6 100644
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -57,6 +57,8 @@ jobs: - name: build-and-push-kata-deploy-ci-ppc64le id: build-and-push-kata-deploy-ci-ppc64le + env: + TARGET_ARCH: ${{ inputs.target-arch }} run: | # We need to do such trick here as the format of the $GITHUB_REF # is "refs/tags/"
@@ -70,8 +72,8 @@ jobs: for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" done
diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml
index 0a184f108..4477bba40 100644
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -61,6 +61,8 @@ jobs: - name: build-and-push-kata-deploy-ci-s390x id: build-and-push-kata-deploy-ci-s390x + env: + TARGET_ARCH: ${{ inputs.target-arch }} run: | # We need to do such trick here as the format of the $GITHUB_REF # is "refs/tags/"
@@ -74,8 +76,8 @@ jobs: for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" done
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8f385a7f6..c0723c819 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -251,9 +251,12 @@ jobs: GH_TOKEN: ${{ github.token }} - name: Login to the OCI registries + env: + QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }} + GITHUB_ACTOR: ${{ github.actor }} run: | - echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${{ vars.QUAY_DEPLOYER_USERNAME }}" --password-stdin - echo "${{ github.token }}" | helm registry login ghcr.io --username $ --password-stdin + echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin + echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin - name: Push helm chart to the OCI registries run: |
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index b16158930..a260a2286 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -4,7 +4,6 @@ on: push: branches: ["main"] pull_request: - paths: [".github/workflows/**"] permissions: contents: read
diff --git a/tools/testing/gatekeeper/required-tests.yaml b/tools/testing/gatekeeper/required-tests.yaml
index 3fc88816f..f8d508bff 100644
--- a/tools/testing/gatekeeper/required-tests.yaml
+++ b/tools/testing/gatekeeper/required-tests.yaml
@@ -6,7 +6,7 @@ required_tests: - Shellcheck required / shellcheck-required # TODO: cargo-deny-runner.yaml not yet treated as conditional - Cargo Crates Check Runner / cargo-deny-runner - + - GHA security analysis / zizmor required_regexps: # Always required regexps
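Review bot: The two new `echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}"` and `echo "${{ github.token }}"` lines still substitute a credential straight into the script text, so the secret's characters are parsed by bash: a password containing `"`, `$` or a backtick would break the command or be expanded instead of being passed verbatim. The commit moves the username and actor into `env:` but leaves the two secrets inline; routing them through `env:` as well, and emitting them with `printf '%s'` (which also sidesteps `echo`'s option and escape handling and sends no trailing newline), makes the step robust to any secret value. `GITHUB_ACTOR` is already one of the default environment variables GitHub sets for every step, so the new `GITHUB_ACTOR: ${{ github.actor }}` entry duplicates it and can be dropped. The indentation below is constructed to the usual step layout; align it with the file.
```yaml
      - name: Login to the OCI registries
        env:
          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
          GH_TOKEN: ${{ github.token }}
        run: |
          printf '%s' "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
          printf '%s' "${GH_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
```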
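Review bot: With `paths: [".github/workflows/**"]` removed, the `pull_request` trigger now fires for every PR, but nothing in the file says why, and the filter is the obvious thing for someone to put back to save CI time. If the reason is the gatekeeper change in this same commit (zizmor becoming a required test, which a path-filtered check would leave permanently pending on PRs that touch no workflow file), a comment on the trigger such as `# No paths filter: zizmor is a required check, so it must report on every PR` captures that. A bare `pull_request:` with no value is a valid trigger, so no other edit is needed once the filter is gone.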