Commit Graph

55 Commits

Author SHA1 Message Date
Fabiano Fidêncio
620d641458 ci: rename kata-deploy publish jobs
These jobs build and push the kata-deploy OCI image, so call them
publish-kata-deploy-image-* instead of *-payload-*, matching the
kata-monitor image jobs and making the workflow easier to read.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-06-09 14:33:30 +02:00
Fabiano Fidêncio
0d6234e7be ci: share kata image publishing workflows
Unify kata-deploy and kata-monitor image publishing behind a single
reusable workflow, and rename workflow files to generic kata-images
names.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
2026-06-09 14:33:30 +02:00
Greg Kurz
8a49ecb159 Merge pull request #13097 from BbolroC/fix-shim-components-for-s390x
ci: Refactor boot-image-se build and update shim components
2026-06-01 11:43:42 +02:00
Zvonko Kaiser
7f906ec95d build: add kata-deploy-publish target
Mirror the CI payload publish flow in local builds, including image and
helm chart publishing, while reusing the same chart upload helper in
payload-after-push to avoid duplicated chart packaging logic.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2026-05-29 16:22:12 +02:00
Hyounggyu Choi
3175bf683e GHA: Remove secret CI_HKD_PATH from workflows
As the boot-image-se builds a fake image, the secret
CI_HKD_PATH is not necessary anymore.
Remove it from the workflows.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2026-05-29 11:35:40 +02:00
Fabiano Fidêncio
c087eb92ec ci: Update GitHub Actions to Node.js 24 compatible versions
Node.js 20 is deprecated on GitHub Actions runners and will be
forced to Node.js 24 starting June 2nd, 2026. Update all affected
actions to versions that natively support Node.js 24:

- actions/upload-artifact: v4.6.2 -> v6.0.0
- actions/download-artifact: v4.3.0 -> v7.0.0
- docker/build-push-action: v5.4.0 -> v7.0.0
- docker/login-action: v3.4.0 -> v4.1.0
- docker/setup-buildx-action: v3.10.0 -> v4.0.0
- docker/setup-qemu-action: v3.6.0 -> v4.0.0
- geekyeggo/delete-artifact: v5.1.0 -> v6.0.0
- azure/login: v2.3.0 -> v3.0.0
- azure/setup-kubectl: v4.0.1 -> v5.0.0
- nick-fields/retry: v3.0.2 -> v4.0.0

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
2026-04-14 15:48:45 +02:00
stevenhorsman
b3179bdd8e workflows: Update actions/checkout version
Update the action to resolve the following warning in GHA:
> Node.js 20 actions are deprecated. The following actions are running
> on Node.js 20 and may not work as expected:
> actions/checkout@11bd71901b.
> Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-03-30 10:45:28 +01:00
Fabiano Fidêncio
d7aa793dde Revert "ci: Run a nightly job using the kata-deploy rust"
This reverts commit 6130d7330f, as we're
officially swithcing to the rust version of kata-deploy.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-01-19 14:07:49 +01:00
Amulyam24
859313d904 ci: move the job payload after push to an alternate runner for ppc64le
To unlock the release, move the job to publish kata payload after push to an alternate runner(IBM owned) for ppc64le.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2026-01-16 11:14:42 +05:30
Fabiano Fidêncio
6130d7330f ci: Run a nightly job using the kata-deploy rust
Let's shamelessly duplicate the nightly job to have at least nightly
runs using the rust implementation of kata-deploy.

The reason for doing that is to be pragmatic, as pragmatic as possible,
and avoid switching away of the scripts before 3.24.0 release, while
still testing both ways till the switch happens.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 09:57:02 +01:00
stevenhorsman
ba56a2c372 workflows: Switch to ubuntu-22.04-arm runner
As the arm 22.04 runner isn't working at the moment, let's test the
24.04 version to see if that is better.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-12 15:37:09 +00:00
Fabiano Fidêncio
157b2c32ce scripts: release: Run helm dependencies update
Otherwise we'll face issues like:
```
Error: found in Chart.yaml, but missing in charts/ directory: node-feature-discovery
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-01 17:54:58 +01:00
Amulyam24
9876cbffd6 github: migrate k8s job to a different runner on ppc64le
Migrate the k8s job to a different runner and use a long running cluster
instead of creating the cluster on every run.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-10-24 18:20:11 +05:30
Fabiano Fidêncio
ebc1d64096 actions: Push a 0.0.0-dev chart package to the registries
This will help immensely projects consuming the kata-deploy helm chart
to use configuration options added during the development cycle that are
waiting for a release to be out ... allowing very early tests of the
stack.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-24 11:44:27 +02:00
Zvonko Kaiser
0b11190fcf gpu: Add Arm64 kernel signing
Adopt working amd64 workflow to arm64

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-22 21:05:32 +02:00
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Zvonko Kaiser
fbb0e7f2f2 gpu: Add secrets passthrough to the workflow
We need to pass-through the secrets in all the needed workflows
ci, ci-on-push, ci-nightly, ci-devel

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:51:01 +00:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
stevenhorsman
66ef1c1198 workflows: Replace secrets: inherit
Having secrets unconditionally being inherited is
bad practice, so update the workflows to only pass
through the minimal secrets that are needed

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:56:46 +01:00
stevenhorsman
89d038d2b4 workflows: Switch QUAY_DEPLOYER_USERNAME to var
QUAY_DEPLOYER_USERNAME isn't sensitive, so update the secret for a var to simplify the workflows

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:49:14 +01:00
stevenhorsman
c34416f53a workflows: Add explicit permissions where needed
We have a number of jobs that either need,or nest workflows
that need gh permissions, such as for pushing to ghcr,
or doing attest build provenance. This means they need write
permissions on things like `packages`, `id-token` and `attestations`,
so we need to set these permissions at the job-level
(along with `contents: read`), so they are not restricted by our
safe defaults.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-28 19:34:28 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
stevenhorsman
3ff602c1e8 workflows: Add explicit permissions for attestation
We have a number of jobs that nest the build-static-tarball
workflows later on. Due to these doing attest build provenance,
and pushing to ghcr.io, t hey need write permissions on
`packages`, `id-token` and `attestations`, so we need to set
these permissions on the top-level jobs (along with `contents: read`),
so they are not blocked.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-28 12:56:52 +01:00
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-19 13:52:49 -05:00
stevenhorsman
23434791f2 workflows: Refactor publish workflows
Replace the four different publish workflows with
a single one that take input parameters of the arch
and runner, so reduce the amount of duplicated code
and try and avoid the
```
too many workflows are referenced, total: 21, limit: 20
```
error
2025-02-25 10:49:09 +00:00
Aurélien Bombo
de98e467b4 ci: Use ubuntu-22.04 instead of ubuntu-latest
22.04 is the default today:
23da668261/README.md

Being more specific will avoid unexpected errors when Github updates the
default.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-08-27 16:44:39 +00:00
Fabiano Fidêncio
388b5b0e58 Revert "ci: Temporarily remove arm64 builds"
This reverts commit e9710332e7, as there
are now 2 arm64-builders (to be expanded to 4 really soon).

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-08-02 13:53:50 +02:00
Fabiano Fidêncio
e9710332e7 ci: Temporarily remove arm64 builds
It's been a reasonable time that we're not able to even build arm64
artefacts.

For now I am removing the builds as it doesn't make sense to keep
running failing builds, and those can be re-enabled once we have arm64
machines plugged in that can be used for building the stuff, and
maintainers for those machines.

The `arm-jetson-xavier-nx-01` is also being removed from the runners.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-08-01 13:30:47 +02:00
Greg Kurz
0a43d26c94 gha: Bump to docker/login-action@v3
`Node.js 19` is deprecated. Bump to a new version based on `Node.js 20`.

Fixes #9245

Signed-off-by: Greg Kurz <groug@kaod.org>
2024-04-05 18:36:50 +02:00
Fabiano Fidêncio
8faab965a7 gh: Fix payload-after-push tags
We now expect the arch specific images to be tagged as
kata-containers-latest-${arch}.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-03-07 12:02:51 +00:00
Fabiano Fidêncio
c9dfe49152 gha: payload: Fix env var declarations
This was introduced by a45988766c, but
didn't follow the correct format for the env declaration.

Fixes: #9064 - part II

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-02-29 10:52:49 +01:00
Fabiano Fidêncio
1c3a769822 gha: payload: Don't use concurrency for this job
We want all payloads to be built and published, regardless if there's a
new PR merged.

This will help people to easily trace / debug issues.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-02-29 10:52:45 +01:00
Fabiano Fidêncio
02af62b66c gha: payload: Stop generating payloads for the stable branches
We've decided to not maintain stable branches anymore, thus we can only
trigger this workflow for the `main` branch.

For more details, please, see:
https://github.com/kata-containers/kata-containers/issues/9064

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-02-29 10:42:25 +01:00
Fabiano Fidêncio
a45988766c release: Add _publish_multiarch_manifest()
This function, as it names says, will be used to publish multiarch
manifests for the Kata Containers CI and Kata Containers releases.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-02-27 08:34:01 +01:00
Amulyam24
ae2c0c5696 github: add workflows for building and publishing kata artifacts on ppc64le
Adds workflows for building kata static tarball and releasing it.

Fixes: #8458

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2023-11-24 15:53:38 +05:30
Fabiano Fidêncio
c5cfad7023 actions: Move all the checkout actions to v4
It's been released for a while now, and we need to keep consistency
between what we used.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-10-23 14:01:53 +02:00
Fabiano Fidêncio
0c95697cc4 ci: Trigger payload-after-push on workflow_dispatch
This will allow us to easily test failures and fixes on that workflows.

Fixes: #8031

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-09-21 09:24:13 +02:00
Fabiano Fidêncio
f811b064ca ci: use github.ref_name instead of $GITHUB_REF_NAME
As, regardless of what's mentioned in the documentation, it seems that
$GITHUB_REF_NAME is passed down as a literal string.

Fixes: #7414

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-09-11 22:14:55 +02:00
Fabiano Fidêncio
6d795c089e ci: Add more target-branch related fixes
The ones for the payload-after-push.yamland ci-nightly.yaml are not that
much important right now, but they're needed for when we start running
those on stable branches as well.

The other ones were missed during
bd24afcf73.

Fixes: #7414

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-09-11 20:42:57 +02:00
Fabiano Fidêncio
fbc2a91ab5 gha: Cancel previous jobs if a PR is updated
Let's make sure we cancel previous runs, mainly as we have some of those
that take a lot of time to run, whenever the PR is updated.

This is based on the following stack overflow suggestion:
https://stackoverflow.com/questions/66335225/how-to-cancel-previous-runs-in-the-pr-when-you-push-new-commitsupdate-the-curre

This is very much needed as we don't want to wait for a long time to
have access to a runner because of other runners are still being used
performing a task that's meaningless due to the PR update.

Fixes: #7298

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-07-11 14:37:10 +02:00
Fabiano Fidêncio
0c1cbd01d8 gha: ci: after-push: Use github.sha to get the last commit reference
As we need to pass down the commit sha to the jobs that will be
triggered from the `push` event, we must be careful on what exactly
we're using there.

At first we were using ${{ github.ref }}, but this turns out to be the
**branch name**, rather than the commit hash.  In order to actually get
the commit hash, Let's use ${{ github.sha }} instead.

Fixes: #7247

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-07-10 09:39:33 +02:00
Fabiano Fidêncio
86904909aa gha: ci: Avoid using env also in the ci-nightly and payload-after-push
The latter workflow is breaking as it doesn't recognise ${GITHUB_REF},
the former would most likely break as well, but it didn't get triggered
yet.

The error we're facing is:
```
Determining the checkout info
  /usr/bin/git branch --list --remote origin/${GITHUB_REF}
  /usr/bin/git tag --list ${GITHUB_REF}
  Error: A branch or tag with the name '${GITHUB_REF}' could not be found
```

Fixes: #7247

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-07-07 14:46:30 +02:00
Fabiano Fidêncio
11e3ccfa4d gha: ci: Avoid using env unless it's really needed
de83cd9de7 tried to solve an issue, but it
clearly seems that I'm using env wrongly, as what ended up being passed
as input was "$VAR", instead of the content of the VAR variable.

As we can simply avoid using those here, let's do it and save us a
headache.

Fixes: #7247

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-07-07 07:31:10 +02:00
Fabiano Fidêncio
de83cd9de7 gha: ci: Use $VAR instead of ${{ env.VAR }}
Otherwise we'll get the following error from the workflow:
```
The workflow is not valid. .github/workflows/ci-on-push.yaml (Line: 24,
Col: 20): Unrecognized named-value: 'env'. Located at position 1 within
expression: env.COMMIT_HASH .github/workflows/ci-on-push.yaml (Line: 25,
Col: 18): Unrecognized named-value: 'env'. Located at position 1 within
expression: env.PR_NUMBER
```

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-07-06 22:02:08 +02:00
Fabiano Fidêncio
cc3993d860 gha: Pass event specific info from the caller workflow
Let's ensure we're not relying, on any of the called workflows, on event
specific information.

Right now, the two information we've been relying on are:
* PR number, coming from github.event.pull_request.number
* Commit hash, coming from github.event.pull_request.head.sha

As we want to, in the future, add nightly jobs, which will be triggered
by a different event (thus, having different fields populated), we
should ensure that those are not used unless it's in the "top action"
that's trigerred by the event.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-07-06 11:23:17 +02:00
Fabiano Fidêncio
cfd8f4ff76 gha: payload-after-push: Pass secrets down
The "build-assets-${arch}" jobs need to have access to the secrets in
order to log into the container registry in the cases where
"push-to-registry", which is used to push the builder containers to
quay.io, is set to "yes".

Now that "build-assets-${arch}" pass the secrets down, we need to log
into the container registry in the "build-kata-static-tarball-${arch}"
files, in case "push-to-registry" is set to "yes".

Fixes: #6899

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-05-19 15:00:06 +02:00
Fabiano Fidêncio
2550d4462d gha: build-kata-static-tarball: Only push to registry after merge
56331bd7bc oversaw the fact that we
mistakenly tried to push the build containers to the registry for a PR,
rather than doing so only when the code is merged.

As the workflow is now shared between different actions, let's introduce
an input variable to specify which are the cases we actually need to
perform a push to the registry.

Fixes: #6592

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-04-05 13:57:26 +02:00
Fabiano Fidêncio
41026f003e gha: payload-after-push: Pass registry / repo as inputs
We made registry / repo mandatory, but we only adapted that to the amd64
job.  Let's fix it now and make sure this is also passed to the arm64
and s390x jobs.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-04-05 12:54:44 +02:00