Commit Graph

29 Commits

Author SHA1 Message Date
Amulyam24
9876cbffd6 github: migrate k8s job to a different runner on ppc64le
Migrate the k8s job to a different runner and use a long running cluster
instead of creating the cluster on every run.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-10-24 18:20:11 +05:30
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Fabiano Fidêncio
ad240a39e6 kata-deploy: tools: tests: Use zstd instead of xz
Although the compress ratio is not as optimal as using xz, it's way
faster to compress / uncompress, and it's "good enough".

This change is not small, but it's still self-contained, and has to get
in at once, in order to help bisects in the future.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-21 19:53:55 +02:00
Aurélien Bombo
bb2a427a8a security: ci: fix template injection
This fixes a Zizmor error where some variables are vulnerable to template
injection.

https://github.com/kata-containers/kata-containers/security/code-scanning/67

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-26 12:29:11 -05:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
stevenhorsman
9adf989555 workflows: Fix permissions
Add extra permissions for reusable workflow calls
that need them later on

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 08:44:18 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
stevenhorsman
66ef1c1198 workflows: Replace secrets: inherit
Having secrets unconditionally being inherited is
bad practice, so update the workflows to only pass
through the minimal secrets that are needed

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:56:46 +01:00
stevenhorsman
89d038d2b4 workflows: Switch QUAY_DEPLOYER_USERNAME to var
QUAY_DEPLOYER_USERNAME isn't sensitive, so update the secret for a var to simplify the workflows

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:49:14 +01:00
stevenhorsman
6c6e16eef3 workflows: Remove docker hub registry publishing
As docker hub has rate limiting issues, inside mirror
quay.io to ghcr.io instead

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-05 11:46:51 +01:00
stevenhorsman
c34416f53a workflows: Add explicit permissions where needed
We have a number of jobs that either need,or nest workflows
that need gh permissions, such as for pushing to ghcr,
or doing attest build provenance. This means they need write
permissions on things like `packages`, `id-token` and `attestations`,
so we need to set these permissions at the job-level
(along with `contents: read`), so they are not restricted by our
safe defaults.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-28 19:34:28 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-19 13:52:49 -05:00
Amulyam24
becb760e32 gha: use runner hooks instead of pre/post scripts for ppc64le runners
This PR makes changes to remove steps to run scripts for
preparing and cleaning the runner and instead use runner
hooks env variables to manage them.

Fixes: #9934
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-03-14 17:12:54 +05:30
stevenhorsman
9b6fce9e96 workflows: Add more ppc64le timeouts
Unsurprisingly now we've got passed the containerd test
hangs on the ppc64le, we are hitting others  in the "Prepare the
self-hosted runner" stage, so add timeouts to all of them
to avoid CI blockages.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-20 17:31:24 +00:00
stevenhorsman
c2ba15c111 workflows: linting: Fix shellcheck SC2206
>  Quote to prevent word splitting/globbing

Double quote variables expanded in an array

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
007514154c workflows: linting: Fix shellcheck SC2068
> Double quote array expansions to avoid re-splitting elements

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
935327b5aa workflows: linting: Fix shellcheck SC2046
> Quote this to prevent word splitting.

Quote around subshell

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
9113606d45 workflows: linting: Fix shellcheck SC2086
> Double quote to prevent globbing and word splitting.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
f271983aeb gha: release: Set inherit secrets on tarball builds
Now we have updated the release builds to push
artefacts to
our registry for the release, so we can cache the images, we need to
set `secrets: inherit` for all architecture's tarball builds
so that we can log into quay.io and ghcr in those steps

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-20 14:19:17 +01:00
stevenhorsman
d93156d84d gha: release: Push artifacts to registry on release
For other projects (e.g. CoCo projects) being able to
access the released versions of components is helpful,
so push these during the release process

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-15 16:55:55 +01:00
Greg Kurz
424a5e243f gha: Bump to actions/[down|up]load-artifact@v4 (all the rest)
`Node.js 19` is deprecated. Bump to a new version based on `Node.js 20`.

This fixes all remaining sites.

Fixes #9245

Signed-off-by: Greg Kurz <groug@kaod.org>
2024-04-05 18:36:51 +02:00
Greg Kurz
0a43d26c94 gha: Bump to docker/login-action@v3
`Node.js 19` is deprecated. Bump to a new version based on `Node.js 20`.

Fixes #9245

Signed-off-by: Greg Kurz <groug@kaod.org>
2024-04-05 18:36:50 +02:00
stevenhorsman
0ab8e61a64 release: Remove release type from arch release
Now we don't have minor and major releases and
we are now generating a new version
in the release workflow, we can
tidy up the arch specific releases workflows to remove
the extra required inputs

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-03-18 12:27:57 +00:00
Amulyam24
3f4b24be8b gha: ensure that self hosted runner is prepared before running the workflow
This PR ensures that the self hosted runner is prepared by taking
necesary actions before running the workflow. The script prepare_runner.sh
checks the following:
1. Ensure that containerd/docker is up and running
2. Make sure that the repository workspace is cleaned up and has no conflicts
3. Remove/cleanup any leftover files from the previous runs

Fixes: #9262

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2024-03-13 14:20:10 +05:30
Fabiano Fidêncio
658fb6972b release: Ensure the release-type is passed to workflows
We need to ensure the release type is passed down to workflows,
otherwise we'll fail to get the correct release version for tagging the
daemonset images.

Fixes: #9064 - part III

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-03-07 12:02:51 +00:00
Fabiano Fidêncio
757f958943 release: Adjust tags used to publish our deamonset
We need to adjust the tags as when this workflow ends up being called
from the release side, we'll receive "refs/tags/main"  as the
GITHUB_REF, and in that case we must use the release version.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-02-28 12:34:51 +01:00
Amulyam24
ae2c0c5696 github: add workflows for building and publishing kata artifacts on ppc64le
Adds workflows for building kata static tarball and releasing it.

Fixes: #8458

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2023-11-24 15:53:38 +05:30