Commit Graph

115 Commits

Author SHA1 Message Date
marvelshan
516d62d717 ci: add Firecracker testing (k8s with blockfile snapshotter)
Firecracker currently has no testing CI, only build CI. Add fc
hypervisor to the test matrices for stability, CRI containerd,
nerdctl, and Kubernetes tests.

For the Kubernetes test matrix, configure the blockfile snapshotter
instead of devmapper as devmapper requires 10G+ loop devices which
is too space costly. The blockfile snapshotter uses a 500MB ext4
scratch file. Firecracker requires shared_fs=none in the kata
configuration when using block-based rootfs; this is set by the
_configure_fc_shared_fs helper which searches all three possible
FC config paths and warns if none is found.

The other test matrices (stability, CRI containerd, nerdctl) run
FC with the default overlayfs snapshotter, which validates basic
FC functionality (boot, agent, container lifecycle) without
requiring snapshotter pre-configuration in those workflows.

Refactor configure_snapshotter to extract the shared containerd
configuration flow (config path resolution, tomlq install/uninstall,
arch mapping, config update, service restart) into a reusable
_configure_containerd_snapshotter helper so that adding new
snapshotters does not require duplicating the entire function.

Related #7996, #7872

Signed-off-by: marvelshan <reborn7875@gmail.com>
2026-06-08 09:15:44 +02:00
Hyounggyu Choi
3175bf683e GHA: Remove secret CI_HKD_PATH from workflows
As the boot-image-se builds a fake image, the secret
CI_HKD_PATH is not necessary anymore.
Remove it from the workflows.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2026-05-29 11:35:40 +02:00
Fabiano Fidêncio
3d43259463 Merge pull request #12974 from fidencio/topic/ci-tdx-nightly-run-with-runtime-rs
ci: tdx: Remove ITA key usage and run qemu-tdx-runtime-rs on nightly
2026-05-04 19:04:03 +02:00
Fabiano Fidêncio
8655d87892 ci: nvidia: Disable NVRC trace logging on nightly runs
On nightly CI, run the NVIDIA GPU tests without setting nvrc.log=trace.
This gives us end-to-end test coverage that more closely matches how
users would actually run Kata Containers with NVIDIA GPUs, since trace
logging is not enabled by default in production.

NVRC trace logging remains enabled for PR runs, where the extra
verbosity is useful for debugging failures.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-03 18:13:07 +02:00
Fabiano Fidêncio
8c3c7aa871 ci: Drop ITA_KEY usage from CI workflows
The ITA_KEY secret was conditionally passed to TDX jobs for Intel
Trust Authority attestation, but it is no longer needed. Remove it
from all workflow files and the test helper export.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-03 18:05:51 +02:00
Fabiano Fidêncio
ef15324b04 Revert "ci: Only run arm64 k8s tests on nightly builds"
This reverts commit c5b159c556, as now we
have 3 runners plugged into the CI.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-29 07:38:12 +02:00
Aurélien Bombo
e4fbddb91a ci: rename cloud-hypervisor to clh-runtime-rs
This aligns on qemu-runtime-rs and makes more sense.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-04-28 10:58:01 -05:00
stevenhorsman
d5411e00f6 workflows: Fix version on pinned action
docker/build-push-action@bcafcacb16
seemed to be given the wrong version in the comment, so
update this to be correct

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-28 13:10:36 +01:00
stevenhorsman
af4ced32f4 workflows: Add concurrency limits
It is good practice to add concurrency limits to automatically
cancel jobs that have been superceded and potentially stop
race conditions if we try and get artifacts by workflows and job id
rather than run id.

See https://docs.zizmor.sh/audits/#concurrency-limits

Assisted-by: IBM Bob

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-28 13:10:36 +01:00
Fabiano Fidêncio
c5b159c556 ci: Only run arm64 k8s tests on nightly builds
The arm64 k8s tests are expensive and consume self-hosted runner
resources. Restrict both run-k8s-tests-on-arm64 and
run-kata-coco-tests-on-arm64 to nightly CI runs by gating on
inputs.pr-number == 'nightly'.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 09:38:13 +02:00
Fabiano Fidêncio
e0d98fafe3 ci: remove disabled run-cri-containerd-tests-arm64 job
This job in ci.yaml has been unconditionally disabled (if: false)
with no tracking issue or path to re-enablement.

Made-with: Cursor
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-23 08:46:12 +02:00
Fabiano Fidêncio
35e48fdfd1 ci: run qemu-coco-dev-runtime-rs tests on arm64
Add qemu-coco-dev-runtime-rs to the arm64 k8s test matrix so that the
CoCo non-TEE configuration is exercised on aarch64 runners.

Also enable auto-generated policy for qemu-coco-dev on aarch64 (matching
the existing x86_64 behavior) and register the new job as a required
gatekeeper check.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
2026-04-18 00:48:13 +02:00
Fabiano Fidêncio
c087eb92ec ci: Update GitHub Actions to Node.js 24 compatible versions
Node.js 20 is deprecated on GitHub Actions runners and will be
forced to Node.js 24 starting June 2nd, 2026. Update all affected
actions to versions that natively support Node.js 24:

- actions/upload-artifact: v4.6.2 -> v6.0.0
- actions/download-artifact: v4.3.0 -> v7.0.0
- docker/build-push-action: v5.4.0 -> v7.0.0
- docker/login-action: v3.4.0 -> v4.1.0
- docker/setup-buildx-action: v3.10.0 -> v4.0.0
- docker/setup-qemu-action: v3.6.0 -> v4.0.0
- geekyeggo/delete-artifact: v5.1.0 -> v6.0.0
- azure/login: v2.3.0 -> v3.0.0
- azure/setup-kubectl: v4.0.1 -> v5.0.0
- nick-fields/retry: v3.0.2 -> v4.0.0

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
2026-04-14 15:48:45 +02:00
Fabiano Fidêncio
4c567a9c05 ci: Reduce TEE test scope for PR runs
TEE hardware (TDX, SEV-SNP) is very limited in CI. Running the full
test suite on every PR consumes these resources unnecessarily, since
most tests exercises what is already exercised by the -coco-dev CIs.

Introduce a `tee-test-scope` workflow input (small/full) and a new
`baremetal-small-tee` K8S_TEST_HOST_TYPE that runs only the 12 tests
that are TEE-relevant: attestation tests (encrypted/authenticated/
signed image pull, confidential attestation) plus policy and trusted
ephemeral data storage tests.

PR runs default to "small" (12 tests), nightly runs use "full" (59
tests), and manual dispatch offers a dropdown to choose.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
2026-04-13 20:26:46 +02:00
stevenhorsman
b3179bdd8e workflows: Update actions/checkout version
Update the action to resolve the following warning in GHA:
> Node.js 20 actions are deprecated. The following actions are running
> on Node.js 20 and may not work as expected:
> actions/checkout@11bd71901b.
> Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-03-30 10:45:28 +01:00
Aurélien Bombo
aae54f704c ci: Stop deploying the CSI driver
The design moved away from CSI driver so stop deploying that.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-03-09 14:52:17 -05:00
Fabiano Fidêncio
fa3c3eb2ce ci: Add autogenerated policy tests on k0s, k3s, rke2 and microk8s
These tests run only on nightly and when triggering the dev CI manually.
They cover both nydus snapshotter with guest-pull and experimental-force-guest-pull,
using qemu-coco-dev and qemu-coco-dev-runtime-rs, and are included in the
run-kata-coco-tests workflow behind the extensive-matrix-autogenerated-policy flag.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-03-03 12:55:10 +01:00
Fabiano Fidêncio
1fa3475e36 tests: k8s: rely more on free runners
We were running most of the k8s integration tests on AKS. The ones that
don't actually depend on AKS's environment now run on normal
ubuntu-24.04 GitHub runners instead: we bring up a kubeadm cluster
there, test with both containerd lts and active, and skip attestation
tests since those runtimes don't need them. AKS is left only for the
jobs that do depend on it.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-21 08:44:47 +01:00
Fabiano Fidêncio
d7aa793dde Revert "ci: Run a nightly job using the kata-deploy rust"
This reverts commit 6130d7330f, as we're
officially swithcing to the rust version of kata-deploy.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-01-19 14:07:49 +01:00
Fabiano Fidêncio
6130d7330f ci: Run a nightly job using the kata-deploy rust
Let's shamelessly duplicate the nightly job to have at least nightly
runs using the rust implementation of kata-deploy.

The reason for doing that is to be pragmatic, as pragmatic as possible,
and avoid switching away of the scripts before 3.24.0 release, while
still testing both ways till the switch happens.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 09:57:02 +01:00
Fabiano Fidêncio
830d15d4c8 tests: Adapt to using kata-tools
Instead of relying and the fully bloated kata tarball.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-16 12:55:07 +01:00
Fabiano Fidêncio
46c7d6c9f8 ci: arm64-non-k8s: temporarily skip the tests
The runner is down for a few weeks. I may end up bringing in my personal
runner, but I'm not confident I can easily do this before the holidays,
thus I'm skipping the tests for now.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-11 12:14:32 +01:00
Manuel Huber
3427b5c00e ci: nvidia: Install kata-artifacts
In preparation for Kata agent security policy testing, installing
Kata tools to provide genpolicy.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-01 17:59:19 +00:00
Amulyam24
43a004444a ci: re-enable IBM runners for ppc64le and s390x
This PR re-enables the IBM runners for ppc64le/s390x build jobs and s390x static checks.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-11-26 16:20:01 +05:30
stevenhorsman
ba56a2c372 workflows: Switch to ubuntu-22.04-arm runner
As the arm 22.04 runner isn't working at the moment, let's test the
24.04 version to see if that is better.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-12 15:37:09 +00:00
Fabiano Fidêncio
6d3c20bc45 riscv: Introduce its own nightly tests
By doing this, the ones interested on RISC-V support can still have a
ood visibility of its state, without the extra noise in our CI.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-12 09:46:17 +01:00
Fabiano Fidêncio
1dfbb14093 tests: Stop testing on stratovirt
Stratovirt has been failing for a considerable amount of time, with no
sign of someone watching it and being actively working on a fix.

With this we also stop building and shipping stratovirt as part of our
release as we cannot test it.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-04 10:22:46 +01:00
Fabiano Fidêncio
e30e2b5f45 tests: k8s: Remove tests running on GitHub provided runner
We have 2 tests running on GitHub provided runners:
* devmapper
* CRI-O

- devmapper situation

For devmapper, we're currently testing devmapper with s390x as part of
one of its jobs.

More than that, this test has been failing here due to a lack of space
in the machine for quite some time, and no-action was taken to bring it
back either via GARM or some other way.

With that said, let's rely on the s390x CI to test devmapper and avoid
one extra failure on our CI by removing this one.

- cri-o situation

CRI-O is being tested with a fixed version of kubernetes that's already
reached its EOL, and a CRI-O version that matches that k8s version.

There has been attempts to raise issues, and also to provide a PR that
does at least part of the work ... leaving the debugging part for the
maintainers of the CI. However, there was no action on those from the
maintainers.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-30 11:46:59 +01:00
Hyounggyu Choi
7d2fe5e187 revert: Enable new ibm runners for s390x
This partially reverts 8dcd91c for the s390x because the
CI jobs are currently blocking the release. The new runners
will be re-introduced once they are stable and no longer
impact critical paths.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-10-28 11:11:51 +01:00
Amulyam24
9876cbffd6 github: migrate k8s job to a different runner on ppc64le
Migrate the k8s job to a different runner and use a long running cluster
instead of creating the cluster on every run.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-10-24 18:20:11 +05:30
Zvonko Kaiser
0b11190fcf gpu: Add Arm64 kernel signing
Adopt working amd64 workflow to arm64

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-22 21:05:32 +02:00
stevenhorsman
8dcd91cf5f ci: Enable new ibm runners
We have some scalable s390x and ppc runners, so
start to use them for build and test, to improve
the throughput of our CI

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-10-10 09:42:06 +01:00
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
stevenhorsman
f79e453313 workflows: Tighten up workflow permissions
Since the previous tightening a few workflow updates have
gone in and the zizmor job isn't flagging them as issues,
so address this to remove potential attack vectors

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Zvonko Kaiser
fbb0e7f2f2 gpu: Add secrets passthrough to the workflow
We need to pass-through the secrets in all the needed workflows
ci, ci-on-push, ci-nightly, ci-devel

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:51:01 +00:00
Zvonko Kaiser
7669f1fbd1 gpu: Add NVIDIA GPU test block for amd64
Once we have the amd64 artifacts we can run some arm64 k8s tests.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
97d7575d41 gpu: Disable metrics tests
We are not running the metrics tests anyway for now
lets make room to run the GPU tests.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:58 +00:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
stevenhorsman
73d7b4f258 workflows: Add fail-fast: false to cri-containerd tests
At the moment if any of the tests in the matric fails
then the rest of the jobs are cancelled, so we have to
re-run everything. Add `fail-fast: false` to stop this
behaviour.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 14:20:16 +01:00
Seunguk Shin
4f9b7e4d4f ci: Enable cri-containerd-tests for arm64
This change enables cri-containerd-test for arm64.

Signed-off-by: Seunguk Shin <seunguk.shin@arm.com>
Reviewed-by: Nick Connolly <nick.connolly@arm.com>
2025-06-16 15:12:17 +01:00
Steve Horsman
64c95cb996 Merge pull request #11389 from kata-containers/checkout-persist-credentials-false
workflows: Set persist-credentials: false on checkout
2025-06-16 09:58:22 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
Aurélien Bombo
9dd3807467 ci: Use OIDC to log into Azure
This completely eliminates the Azure secret from the repo, following the below
guidance:

https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure

The federated identity is scoped to the `ci` environment, meaning:

 * I had to specify this environment in some YAMLs. I don't believe there's any
   downside to this.
 * As previously, the CI works seamlessly both from PRs and in the manual
   workflow.

I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem
to be used anymore, and it contains a reference to the secret.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-06 15:26:10 -05:00
stevenhorsman
66ef1c1198 workflows: Replace secrets: inherit
Having secrets unconditionally being inherited is
bad practice, so update the workflows to only pass
through the minimal secrets that are needed

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:56:46 +01:00
stevenhorsman
586d9adfe5 workflow: add packages: write to csi-driver publish
This one was missed in the earlier PR

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-29 15:57:07 +01:00
stevenhorsman
c34416f53a workflows: Add explicit permissions where needed
We have a number of jobs that either need,or nest workflows
that need gh permissions, such as for pushing to ghcr,
or doing attest build provenance. This means they need write
permissions on things like `packages`, `id-token` and `attestations`,
so we need to set these permissions at the job-level
(along with `contents: read`), so they are not restricted by our
safe defaults.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-28 19:34:28 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
Jakob Naucke
1c3b1f5adb ci: Extend basic s390x tests
Currently, s390x only tests cri-containerd. Partially converge to the
feature set of basic-ci-amd64:

- containerd-sandboxapi
- containerd-stability
- docker

with the appropriate hypervisors.
Do not run tests currently skipped on amd64, as well as

- agent-ctl, which we don't package for s390x
- nerdctl, does not package the `full` image for s390x
- nydus, does not package for s390x

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Co-authored-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-04-22 21:34:02 +02:00
stevenhorsman
e6cca9da6d ci: Remove metric jobs
The metrics runner is broken, so skip the metrics
jobs to stop the CI being stuck waiting.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-08 17:55:07 +01:00
Ruoqing He
96e43fbee5 ci: Enable build-kata-static-tarball-riscv64.yaml
Previously we introduced `build-kata-static-tarball-riscv64.yaml`,
enable that workflow in `ci.yaml`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-04-01 16:35:14 +08:00