Commit Graph

37 Commits

Author SHA1 Message Date
Fabiano Fidêncio
1f5ed27b99 release: tag per-arch images with the release version
The per-arch kata-deploy/kata-monitor build jobs derived their image tag
from $GITHUB_REF, which only resolves to the release version when the
release workflow is dispatched from main. The multi-arch manifest step,
however, always publishes using the release version, so dispatching the
release workflow from any other branch tagged the per-arch images with
the branch name and the manifest step failed with "<image>: not found".

Always tag the per-arch images with the release version so the build and
manifest steps stay in sync regardless of the dispatch branch. This also
subsumes the earlier "drop latest" tweak in these per-arch workflows.
2026-06-13 14:15:30 +02:00
Fabiano Fidêncio
a843844ccb ci: release: never move the "latest" image tag (testing)
Drop the "latest" tag from every release step that could publish it:
the per-arch kata-deploy images, the multi-arch kata-deploy manifest, and
the kata-monitor images/manifest. This guarantees a release run from this
branch can never move the "latest" tag of any published image while we test
the rest of the pipeline.
2026-06-13 12:52:30 +02:00
Fabiano Fidêncio
9a0acc6c4c kata-deploy: ship individual component tarballs; drop merged tarball
Update the Dockerfile to copy each kata-static-<name>.tar.zst directly
into the image alongside shim-components.json, replacing the old
artifact-extractor stage that unpacked a single merged tarball.

Update the publish-kata-deploy-payload and release CI workflows to
download individual per-component artifacts instead of waiting for a
merged tarball, and simplify kata-deploy-build-and-upload-payload.sh
accordingly.  The kata-deploy image build is no longer blocked on the
merge step.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-20 20:52:36 +02:00
stevenhorsman
9715a7cca2 release: fix release workflow concurrency deadlock
Architecture-specific release workflows were using the same concurrency
group when called from release.yaml, causing GitHub Actions to detect
a deadlock and cancel the builds.

Fix by appending architecture suffix to each workflow's concurrency
group, allowing parallel execution without conflicts.

Assisted-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-02 20:13:17 +01:00
stevenhorsman
af4ced32f4 workflows: Add concurrency limits
It is good practice to add concurrency limits to automatically
cancel jobs that have been superceded and potentially stop
race conditions if we try and get artifacts by workflows and job id
rather than run id.

See https://docs.zizmor.sh/audits/#concurrency-limits

Assisted-by: IBM Bob

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-28 13:10:36 +01:00
Fabiano Fidêncio
c087eb92ec ci: Update GitHub Actions to Node.js 24 compatible versions
Node.js 20 is deprecated on GitHub Actions runners and will be
forced to Node.js 24 starting June 2nd, 2026. Update all affected
actions to versions that natively support Node.js 24:

- actions/upload-artifact: v4.6.2 -> v6.0.0
- actions/download-artifact: v4.3.0 -> v7.0.0
- docker/build-push-action: v5.4.0 -> v7.0.0
- docker/login-action: v3.4.0 -> v4.1.0
- docker/setup-buildx-action: v3.10.0 -> v4.0.0
- docker/setup-qemu-action: v3.6.0 -> v4.0.0
- geekyeggo/delete-artifact: v5.1.0 -> v6.0.0
- azure/login: v2.3.0 -> v3.0.0
- azure/setup-kubectl: v4.0.1 -> v5.0.0
- nick-fields/retry: v3.0.2 -> v4.0.0

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
2026-04-14 15:48:45 +02:00
stevenhorsman
b3179bdd8e workflows: Update actions/checkout version
Update the action to resolve the following warning in GHA:
> Node.js 20 actions are deprecated. The following actions are running
> on Node.js 20 and may not work as expected:
> actions/checkout@11bd71901b.
> Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-03-30 10:45:28 +01:00
Amulyam24
43a004444a ci: re-enable IBM runners for ppc64le and s390x
This PR re-enables the IBM runners for ppc64le/s390x build jobs and s390x static checks.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-11-26 16:20:01 +05:30
Amulyam24
9876cbffd6 github: migrate k8s job to a different runner on ppc64le
Migrate the k8s job to a different runner and use a long running cluster
instead of creating the cluster on every run.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-10-24 18:20:11 +05:30
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Fabiano Fidêncio
ad240a39e6 kata-deploy: tools: tests: Use zstd instead of xz
Although the compress ratio is not as optimal as using xz, it's way
faster to compress / uncompress, and it's "good enough".

This change is not small, but it's still self-contained, and has to get
in at once, in order to help bisects in the future.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-21 19:53:55 +02:00
Aurélien Bombo
bb2a427a8a security: ci: fix template injection
This fixes a Zizmor error where some variables are vulnerable to template
injection.

https://github.com/kata-containers/kata-containers/security/code-scanning/67

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-26 12:29:11 -05:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
stevenhorsman
9adf989555 workflows: Fix permissions
Add extra permissions for reusable workflow calls
that need them later on

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 08:44:18 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
stevenhorsman
66ef1c1198 workflows: Replace secrets: inherit
Having secrets unconditionally being inherited is
bad practice, so update the workflows to only pass
through the minimal secrets that are needed

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:56:46 +01:00
stevenhorsman
89d038d2b4 workflows: Switch QUAY_DEPLOYER_USERNAME to var
QUAY_DEPLOYER_USERNAME isn't sensitive, so update the secret for a var to simplify the workflows

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:49:14 +01:00
stevenhorsman
6c6e16eef3 workflows: Remove docker hub registry publishing
As docker hub has rate limiting issues, inside mirror
quay.io to ghcr.io instead

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-05 11:46:51 +01:00
stevenhorsman
c34416f53a workflows: Add explicit permissions where needed
We have a number of jobs that either need,or nest workflows
that need gh permissions, such as for pushing to ghcr,
or doing attest build provenance. This means they need write
permissions on things like `packages`, `id-token` and `attestations`,
so we need to set these permissions at the job-level
(along with `contents: read`), so they are not restricted by our
safe defaults.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-28 19:34:28 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-19 13:52:49 -05:00
Amulyam24
becb760e32 gha: use runner hooks instead of pre/post scripts for ppc64le runners
This PR makes changes to remove steps to run scripts for
preparing and cleaning the runner and instead use runner
hooks env variables to manage them.

Fixes: #9934
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-03-14 17:12:54 +05:30
stevenhorsman
9b6fce9e96 workflows: Add more ppc64le timeouts
Unsurprisingly now we've got passed the containerd test
hangs on the ppc64le, we are hitting others  in the "Prepare the
self-hosted runner" stage, so add timeouts to all of them
to avoid CI blockages.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-20 17:31:24 +00:00
stevenhorsman
c2ba15c111 workflows: linting: Fix shellcheck SC2206
>  Quote to prevent word splitting/globbing

Double quote variables expanded in an array

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
007514154c workflows: linting: Fix shellcheck SC2068
> Double quote array expansions to avoid re-splitting elements

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
935327b5aa workflows: linting: Fix shellcheck SC2046
> Quote this to prevent word splitting.

Quote around subshell

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
9113606d45 workflows: linting: Fix shellcheck SC2086
> Double quote to prevent globbing and word splitting.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
f271983aeb gha: release: Set inherit secrets on tarball builds
Now we have updated the release builds to push
artefacts to
our registry for the release, so we can cache the images, we need to
set `secrets: inherit` for all architecture's tarball builds
so that we can log into quay.io and ghcr in those steps

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-20 14:19:17 +01:00
stevenhorsman
d93156d84d gha: release: Push artifacts to registry on release
For other projects (e.g. CoCo projects) being able to
access the released versions of components is helpful,
so push these during the release process

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-15 16:55:55 +01:00
Greg Kurz
424a5e243f gha: Bump to actions/[down|up]load-artifact@v4 (all the rest)
`Node.js 19` is deprecated. Bump to a new version based on `Node.js 20`.

This fixes all remaining sites.

Fixes #9245

Signed-off-by: Greg Kurz <groug@kaod.org>
2024-04-05 18:36:51 +02:00
Greg Kurz
0a43d26c94 gha: Bump to docker/login-action@v3
`Node.js 19` is deprecated. Bump to a new version based on `Node.js 20`.

Fixes #9245

Signed-off-by: Greg Kurz <groug@kaod.org>
2024-04-05 18:36:50 +02:00
stevenhorsman
0ab8e61a64 release: Remove release type from arch release
Now we don't have minor and major releases and
we are now generating a new version
in the release workflow, we can
tidy up the arch specific releases workflows to remove
the extra required inputs

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-03-18 12:27:57 +00:00
Amulyam24
3f4b24be8b gha: ensure that self hosted runner is prepared before running the workflow
This PR ensures that the self hosted runner is prepared by taking
necesary actions before running the workflow. The script prepare_runner.sh
checks the following:
1. Ensure that containerd/docker is up and running
2. Make sure that the repository workspace is cleaned up and has no conflicts
3. Remove/cleanup any leftover files from the previous runs

Fixes: #9262

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2024-03-13 14:20:10 +05:30
Fabiano Fidêncio
658fb6972b release: Ensure the release-type is passed to workflows
We need to ensure the release type is passed down to workflows,
otherwise we'll fail to get the correct release version for tagging the
daemonset images.

Fixes: #9064 - part III

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-03-07 12:02:51 +00:00
Fabiano Fidêncio
757f958943 release: Adjust tags used to publish our deamonset
We need to adjust the tags as when this workflow ends up being called
from the release side, we'll receive "refs/tags/main"  as the
GITHUB_REF, and in that case we must use the release version.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-02-28 12:34:51 +01:00
Amulyam24
ae2c0c5696 github: add workflows for building and publishing kata artifacts on ppc64le
Adds workflows for building kata static tarball and releasing it.

Fixes: #8458

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2023-11-24 15:53:38 +05:30