Commit Graph

24 Commits

Author SHA1 Message Date
Fabiano Fidêncio
59883a2d99 actions: Remove unused USING_NFD
There's no reason to keep the env var / input as it's never been used
and now kata-deploy detects automatically whether NFD is deployed or
not.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-28 21:24:27 +01:00
Aurélien Bombo
b7f542443e ci: Always refresh OIDC token before cluster deletion
This forces OIDC token refresh even if the tests step failed, so that we
also have proper credentials to delete the cluster in that case.

I first noticed the original issue here:
https://github.com/kata-containers/kata-containers/actions/runs/18659064688/job/53215379040?pr=11950

Fixes: #11953

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-21 09:35:52 -05:00
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
Aurélien Bombo
f39517a18a ci: aks: Refresh OIDC token in case access token expired
It's possible that tests take a long time to run and hence that the access
token expires before we delete the cluster. In this case `az cli` will try
to refresh the access token using the OIDC token (which will have
definitely also expired because its lifetime is ~5 minutes).

To address this we refresh the OIDC token manually instead. Automatic
refresh isn't supported per Azure/azure-cli#28708.

Fixes: #11758

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-04 12:44:02 -05:00
stevenhorsman
f79e453313 workflows: Tighten up workflow permissions
Since the previous tightening a few workflow updates have
gone in and the zizmor job isn't flagging them as issues,
so address this to remove potential attack vectors

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Aurélien Bombo
96f1d95de5 gha: Remove unnecessary install-azure-cli step
az cli is already installed by the azure/login action.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-30 10:42:56 -05:00
Wainer dos Santos Moschetta
e4da3b84a3 workflows: adopting azure/setup-kubectl
There are workflows that rely on `az aks install-cli` to get kubectl
installed. There is a well-known problem on install-cli, related with
API usage rate limit, that has recently caused the command to fail
quite often.

This is replacing install-cli with the azure/setup-kubectl github
action which has no such as rate limit problem.

While here, removed the install_cli() function from gha-run-k8s-common.sh
so avoid developers using it by mistake in the future.

Fixes #11463
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2025-07-08 15:15:54 -03:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
Steve Horsman
64c95cb996 Merge pull request #11389 from kata-containers/checkout-persist-credentials-false
workflows: Set persist-credentials: false on checkout
2025-06-16 09:58:22 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
Aurélien Bombo
9dd3807467 ci: Use OIDC to log into Azure
This completely eliminates the Azure secret from the repo, following the below
guidance:

https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure

The federated identity is scoped to the `ci` environment, meaning:

 * I had to specify this environment in some YAMLs. I don't believe there's any
   downside to this.
 * As previously, the CI works seamlessly both from PRs and in the manual
   workflow.

I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem
to be used anymore, and it contains a reference to the secret.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-06 15:26:10 -05:00
stevenhorsman
66ef1c1198 workflows: Replace secrets: inherit
Having secrets unconditionally being inherited is
bad practice, so update the workflows to only pass
through the minimal secrets that are needed

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:56:46 +01:00
stevenhorsman
2eda21180a workflows: Switch AUTHENTICATED_IMAGE_USER to var
AUTHENTICATED_IMAGE_USER isn't sensitive, so
update the secret for a var to simplify the workflows

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:49:14 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-19 13:52:49 -05:00
Ruoqing He
373a388844 ci: Retry on failure of Create AKS cluster
The `Create AKS cluster` step in `run-k8s-tests-on-aks.yaml` is likely
to fail fail since we are trying to issue `PUT` to `aks` in a relatively
high frequency, while the `aks` end has it's limit on `bucket-size` and
`refill-rate`, documented here [1].

Use `nick-fields/retry@v3` to retry in 10 seconds after request fail,
based on observations that AKS were request 7, or 8 second delays
before retry as part of their 429 response

[1] https://learn.microsoft.com/en-us/azure/aks/quotas-skus-regions#throttling-limits-on-aks-resource-provider-apis

Fixes: #10772

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-22 13:24:51 +00:00
stevenhorsman
d4bd314d52 workflows: linting: Fix incorrect properties
These properties are currently invalid, so either
fix, or remove them

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
GabyCT
06fe459e52 Merge pull request #10508 from GabyCT/topic/installartsta
gha: Get artifacts when installing kata tools in stability workflow
2024-11-11 15:59:06 -06:00
Aurélien Bombo
19e972151f gha: Hardcode ubuntu-22.04 instead of latest
GHA is migrating ubuntu-latest to Ubuntu 24 so
let's hardcode the current 22.04 LTS.

https://github.blog/changelog/2024-11-05-notice-of-breaking-changes-for-github-actions/

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-11-08 11:00:15 -06:00
Gabriela Cervantes
4274198664 gha: Get artifacts when installing kata tools in stability workflow
This PR adds the get artifacts which are needed when installing kata
tools in stability workflow to avoid failures saying that artifacts
are missing.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-11-07 16:20:41 +00:00
Gabriela Cervantes
13e27331ef gha: Add install kata tools as part of the stability workflow
This PR adds the install kata tools step as part of the k8s stability workflow.
To avoid the failures saying that certain kata components are not installed it.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-11-06 20:07:06 +00:00
Gabriela Cervantes
c2aa288498 gha: Increase time to run Kata CoCo stability tests
This PR increases the time to run the Kata CoCo stability tests as
this tests are design to run for more than 2 hours.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-09-02 16:40:47 +00:00
Gabriela Cervantes
ca3d778479 gha: Add Kata CoCo Stability workflow
This PR adds the Kata CoCo Stability workflow that will setup the
environment to run the k8s tests on a non-tee environment.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-08-20 16:34:33 +00:00
Gabriela Cervantes
6ea34f13e1 gha: Add k8s stability Kata CoCo GHA workflow
This PR adds the k8s stability Kata CoCo GHA workflow to run weekly
the k8s stability tests.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-08-16 16:14:15 +00:00