Compare commits


1 Commits

Author SHA1 Message Date
Aurélien Bombo
7c4baba87b Update README.md 2025-06-10 13:09:37 -05:00
2778 changed files with 113720 additions and 229240 deletions


@@ -1,37 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/streetsidesoftware/cspell/main/cspell.schema.json
version: "0.2"
language: en,en-GB
dictionaryDefinitions:
- name: kata-terms
path: ./tests/spellcheck/kata-dictionary.txt
addWords: true
dictionaries:
- en-GB
- en_US
- bash
- git
- golang
- k8s
- python
- rust
- companies
- mnemonics
- peopleNames
- softwareTerms
- networking-terms
- kata-terms
ignoreRegExpList:
- /@[a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38}/gi # Ignores github handles
# Ignore code blocks
- /^\s*`{3,}[\s\S]*?^\s*`{3,}/gm
- /`[^`\n]+`/g
ignorePaths:
- "**/vendor/**" # vendor files aren't owned by us
- "**/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/**" # Generated files
- "**/requirements.txt"
useGitignore: true


@@ -1,13 +0,0 @@
# Context for tools/packaging/kata-deploy/Dockerfile (build from repo root: -f tools/packaging/kata-deploy/Dockerfile .)
#
# The Dockerfile only needs: Cargo.toml, Cargo.lock, src/, tools/packaging/kata-deploy/,
# and versions.yaml. Exclude heavy or irrelevant trees to keep context small.
.git
.github
target
kata-artifacts
docs
tests
utils
tools/packaging/kata-deploy/local-build
tools/packaging/kata-deploy/binary/target


@@ -1,7 +0,0 @@
root = true
[*]
charset = utf-8
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true


@@ -1,30 +0,0 @@
{
"Verbose": false,
"Debug": false,
"IgnoreDefaults": false,
"SpacesAfterTabs": false,
"NoColor": false,
"Exclude": [
"src/runtime/vendor",
"src/tools/log-parser/vendor",
"tests/metrics/cmd/checkmetrics/vendor",
"tests/vendor",
"src/runtime/virtcontainers/pkg/cloud-hypervisor/client",
"\\.img$",
"\\.dtb$",
"\\.drawio$",
"\\.svg$",
"\\.patch$"
],
"AllowedContentTypes": [],
"PassedFiles": [],
"Disable": {
"EndOfLine": false,
"Indentation": false,
"IndentSize": false,
"InsertFinalNewline": false,
"TrimTrailingWhitespace": false,
"MaxLineLength": false,
"Charset": false
}
}


@@ -7,30 +7,20 @@
self-hosted-runner: self-hosted-runner:
# Labels of self-hosted runner that linter should ignore # Labels of self-hosted runner that linter should ignore
labels: labels:
- amd64-nvidia-a100
- amd64-nvidia-h100-snp
- arm64-k8s - arm64-k8s
- ubuntu-22.04-arm
- garm-ubuntu-2004 - garm-ubuntu-2004
- garm-ubuntu-2004-smaller - garm-ubuntu-2004-smaller
- garm-ubuntu-2204 - garm-ubuntu-2204
- garm-ubuntu-2304 - garm-ubuntu-2304
- garm-ubuntu-2304-smaller - garm-ubuntu-2304-smaller
- garm-ubuntu-2204-smaller - garm-ubuntu-2204-smaller
- ppc64le - k8s-ppc64le
- ppc64le-k8s
- ppc64le-small
- ubuntu-24.04-ppc64le
- ubuntu-24.04-s390x
- metrics - metrics
- ppc64le
- riscv-builder - riscv-builder
- sev
- sev-snp - sev-snp
- s390x - s390x
- s390x-large - s390x-large
- tdx - tdx
- ubuntu-24.04-arm
paths:
.github/workflows/**/*.{yml,yaml}:
ignore:
# We use if: false to "temporarily" skip jobs with issues
- 'constant expression "false" in condition'


@@ -14,10 +14,10 @@ runs:
using: "composite" using: "composite"
steps: steps:
- name: Install Rust - name: Install Rust
uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6 uses: actions-rs/toolchain@v1
with: with:
profile: minimal profile: minimal
toolchain: nightly toolchain: nightly
override: true override: true
- name: Cache - name: Cache
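Review bot: The right-hand column replaces the commit-pinned `actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6` with the floating tag `@v1`, so whatever that tag resolves to at run time executes inside the job with its token and cache. If the right-hand column is the side being merged (this page gives no `+`/`-` markers, so I am inferring from layout), keep the SHA pin: `uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6`. The composite action's header and the `Cache` step that follows are outside this hunk.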


@@ -12,34 +12,30 @@ updates:
- "/src/tools/agent-ctl" - "/src/tools/agent-ctl"
- "/src/tools/genpolicy" - "/src/tools/genpolicy"
- "/src/tools/kata-ctl" - "/src/tools/kata-ctl"
- "/src/tools/runk"
- "/src/tools/trace-forwarder" - "/src/tools/trace-forwarder"
schedule: schedule:
interval: "daily" interval: "daily"
cooldown:
default-days: 7
ignore: ignore:
# rust-vmm repos might cause incompatibilities on patch versions, so # rust-vmm repos might cause incompatibilities on patch versions, so
# lets handle them manually for now. # lets handle them manually for now.
- dependency-name: "event-manager" - dependency-name: "vhost"
- dependency-name: "kvm-bindings" - dependency-name: "vhost-user-backend"
- dependency-name: "kvm-ioctls"
- dependency-name: "linux-loader"
- dependency-name: "seccompiler"
- dependency-name: "vfio-bindings"
- dependency-name: "vfio-ioctls"
- dependency-name: "virtio-bindings" - dependency-name: "virtio-bindings"
- dependency-name: "virtio-queue" - dependency-name: "virtio-queue"
- dependency-name: "vm-fdt" - dependency-name: "virtio-vsock"
- dependency-name: "vm-memory" - dependency-name: "vm-memory"
- dependency-name: "vm-superio"
- dependency-name: "vmm-sys-util" - dependency-name: "vmm-sys-util"
# As we often have up to 8/9 components that need the same versions bumps # As we often have up to 8/9 components that need the same versions bumps
# create groups for common dependencies, so they can all go in a single PR # create groups for common dependencies, so they can all go in a single PR
# We can extend this as we see more frequent groups # We can extend this as we see more frequent groups
groups: groups:
aws-libcrypto: atty:
patterns: patterns:
- aws-lc-* - atty
bit-vec:
patterns:
- bit-vec
bumpalo: bumpalo:
patterns: patterns:
- bumpalo - bumpalo
@@ -67,12 +63,6 @@ updates:
rustix: rustix:
patterns: patterns:
- rustix - rustix
rustls-webpki:
patterns:
- rustls-webpki
slab:
patterns:
- slab
time: time:
patterns: patterns:
- time - time
@@ -90,12 +80,8 @@ updates:
- "src/tools/csi-kata-directvolume" - "src/tools/csi-kata-directvolume"
schedule: schedule:
interval: "daily" interval: "daily"
cooldown:
default-days: 7
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directory: "/" directory: "/"
schedule: schedule:
interval: "monthly" interval: "monthly"
cooldown:
default-days: 7
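Review bot: The `ignore` entries for the rust-vmm crates (`vm-memory`, `vmm-sys-util`, `virtio-queue`, and the rest in both columns) carry no `update-types` qualifier, and a Dependabot `ignore` without one also suppresses security-advisory PRs, not just version bumps, so a vulnerability in one of those crates would never surface from this config. The comment says they are handled manually; make that explicit and verifiable by noting what covers them, e.g. `# NOTE: ignore also silences Dependabot security alerts for these crates -- they are covered by the cargo-audit/cargo-deny CI job`, and confirm such a job actually exists (not visible on this page). The right-hand column additionally drops every `cooldown: default-days: 7` stanza; a short cooldown is a cheap defence against freshly published malicious or yanked releases, so confirm that removal is intended rather than a lost edit.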


@@ -9,7 +9,8 @@ on:
- labeled - labeled
- unlabeled - unlabeled
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -21,6 +22,7 @@ jobs:
name: WIP Check name: WIP Check
steps: steps:
- name: WIP Check - name: WIP Check
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755 # master (2021-06-10) uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755 # master (2021-06-10)
with: with:
labels: '["do-not-merge", "wip", "rfc"]' labels: '["do-not-merge", "wip", "rfc"]'
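Review bot: The right-hand column widens `permissions: {}` to `contents: read` and adds an `if:` that skips the WIP check whenever a `force-skip-ci` label is present, and nothing visible in this hunk reads repository contents, so the empty permission block is the tighter choice and should be kept unless a step is shown to need the token. The label bypass means anyone who can apply labels to the PR can turn off the `do-not-merge`/`wip`/`rfc` gate; if that is intended, document it next to the condition, e.g. `# force-skip-ci deliberately bypasses the WIP gate; only maintainers can apply labels`, and confirm in repository settings that label application really is restricted, since that cannot be verified from this hunk. Which column is the merged side is inferred from layout only.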


@@ -3,8 +3,16 @@ name: Lint GHA workflows
on: on:
workflow_dispatch: workflow_dispatch:
pull_request: pull_request:
types:
- opened
- edited
- reopened
- synchronize
paths:
- '.github/workflows/**'
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -12,16 +20,17 @@ concurrency:
jobs: jobs:
run-actionlint: run-actionlint:
name: run-actionlint env:
GH_TOKEN: ${{ github.token }}
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Install actionlint gh extension
run: gh extension install https://github.com/cschleiden/gh-actionlint
- name: Run actionlint - name: Run actionlint
uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518 # v2.1.1 run: gh actionlint
with:
version: '1.7.12'
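Review bot: `gh extension install https://github.com/cschleiden/gh-actionlint` in the right-hand column fetches and runs the extension's current default-branch HEAD on every run, with `GH_TOKEN` exported at job level so the unpinned third-party code sees the token, whereas the left-hand column pins `raven-actions/actionlint` to a SHA and a `version: '1.7.12'`. If the right-hand column is the side being merged, pin the extension and scope the token to the step that needs it: `run: gh extension install cschleiden/gh-actionlint --pin <full commit SHA>` with `env: GH_TOKEN: ${{ github.token }}` on that step only, and move `GH_TOKEN` out of the job-level `env`. The same column also checks out with `actions/checkout@v4` and drops `persist-credentials: false`; restore both the SHA pin and `persist-credentials: false` so the token is not written to `.git/config` for the lint steps.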


@@ -13,11 +13,53 @@ on:
type: string type: string
default: "" default: ""
permissions: {} permissions:
contents: read
jobs: jobs:
run-cri-containerd:
strategy:
# We can set this to true whenever we're 100% sure that
# the all the tests are not flaky, otherwise we'll fail
# all the tests due to a single flaky instance.
fail-fast: false
matrix:
containerd_version: ['lts', 'active']
vmm: ['clh', 'dragonball', 'qemu', 'stratovirt', 'cloud-hypervisor', 'qemu-runtime-rs']
runs-on: ubuntu-22.04
env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }}
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install dependencies
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/cri-containerd/gha-run.sh install-kata kata-artifacts
- name: Run cri-containerd tests
timeout-minutes: 10
run: bash tests/integration/cri-containerd/gha-run.sh run
run-containerd-sandboxapi: run-containerd-sandboxapi:
name: run-containerd-sandboxapi
strategy: strategy:
# We can set this to true whenever we're 100% sure that # We can set this to true whenever we're 100% sure that
# the all the tests are not flaky, otherwise we'll fail # the all the tests are not flaky, otherwise we'll fail
@@ -26,8 +68,6 @@ jobs:
matrix: matrix:
containerd_version: ['active'] containerd_version: ['active']
vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs'] vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs']
# TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
if: false
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
env: env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }} CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -35,11 +75,10 @@ jobs:
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "shim" SANDBOXER: "shim"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -47,30 +86,11 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install yq
run: |
./ci/install_yq.sh
env:
INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml
run: |
go_version="$(yq '.languages.golang.version' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Install dependencies - name: Install dependencies
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -83,12 +103,11 @@ jobs:
run: bash tests/integration/cri-containerd/gha-run.sh run run: bash tests/integration/cri-containerd/gha-run.sh run
run-containerd-stability: run-containerd-stability:
name: run-containerd-stability
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
containerd_version: ['lts', 'active'] containerd_version: ['lts', 'active']
vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'qemu-runtime-rs'] vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'stratovirt']
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
env: env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }} CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -96,11 +115,11 @@ jobs:
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "podsandbox" SANDBOXER: "podsandbox"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
@@ -109,11 +128,9 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: bash tests/stability/gha-run.sh install-dependencies run: bash tests/stability/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -126,7 +143,6 @@ jobs:
run: bash tests/stability/gha-run.sh run run: bash tests/stability/gha-run.sh run
run-nydus: run-nydus:
name: run-nydus
strategy: strategy:
# We can set this to true whenever we're 100% sure that # We can set this to true whenever we're 100% sure that
# the all the tests are not flaky, otherwise we'll fail # the all the tests are not flaky, otherwise we'll fail
@@ -134,18 +150,17 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
containerd_version: ['lts', 'active'] containerd_version: ['lts', 'active']
vmm: ['clh', 'qemu', 'dragonball', 'qemu-runtime-rs'] vmm: ['clh', 'qemu', 'dragonball', 'stratovirt']
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
env: env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }} CONTAINERD_VERSION: ${{ matrix.containerd_version }}
GOPATH: ${{ github.workspace }} GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -155,33 +170,55 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: bash tests/integration/nydus/gha-run.sh install-dependencies run: bash tests/integration/nydus/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata - name: Install kata
run: bash tests/integration/nydus/gha-run.sh install-kata kata-artifacts run: bash tests/integration/nydus/gha-run.sh install-kata kata-artifacts
- name: Install kata-tools
run: bash tests/integration/nydus/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Run nydus tests - name: Run nydus tests
timeout-minutes: 10 timeout-minutes: 10
run: bash tests/integration/nydus/gha-run.sh run run: bash tests/integration/nydus/gha-run.sh run
run-runk:
# Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
if: false
runs-on: ubuntu-22.04
env:
CONTAINERD_VERSION: lts
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install dependencies
run: bash tests/integration/runk/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/runk/gha-run.sh install-kata kata-artifacts
- name: Run runk tests
timeout-minutes: 10
run: bash tests/integration/runk/gha-run.sh run
run-tracing: run-tracing:
name: run-tracing
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -195,11 +232,10 @@ jobs:
env: env:
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -209,11 +245,9 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: bash tests/functional/tracing/gha-run.sh install-dependencies run: bash tests/functional/tracing/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -226,7 +260,6 @@ jobs:
run: bash tests/functional/tracing/gha-run.sh run run: bash tests/functional/tracing/gha-run.sh run
run-vfio: run-vfio:
name: run-vfio
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -242,11 +275,10 @@ jobs:
GOPATH: ${{ github.workspace }} GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -256,11 +288,9 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: bash tests/functional/vfio/gha-run.sh install-dependencies run: bash tests/functional/vfio/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -270,7 +300,6 @@ jobs:
run: bash tests/functional/vfio/gha-run.sh run run: bash tests/functional/vfio/gha-run.sh run
run-docker-tests: run-docker-tests:
name: run-docker-tests
strategy: strategy:
# We can set this to true whenever we're 100% sure that # We can set this to true whenever we're 100% sure that
# all the tests are not flaky, otherwise we'll fail them # all the tests are not flaky, otherwise we'll fail them
@@ -278,16 +307,18 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
vmm: vmm:
- clh
- qemu - qemu
- dragonball
- cloud-hypervisor
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
env: env:
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -297,11 +328,9 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: bash tests/integration/docker/gha-run.sh install-dependencies run: bash tests/integration/docker/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -314,7 +343,6 @@ jobs:
run: bash tests/integration/docker/gha-run.sh run run: bash tests/integration/docker/gha-run.sh run
run-nerdctl-tests: run-nerdctl-tests:
name: run-nerdctl-tests
strategy: strategy:
# We can set this to true whenever we're 100% sure that # We can set this to true whenever we're 100% sure that
# all the tests are not flaky, otherwise we'll fail them # all the tests are not flaky, otherwise we'll fail them
@@ -326,16 +354,14 @@ jobs:
- dragonball - dragonball
- qemu - qemu
- cloud-hypervisor - cloud-hypervisor
- qemu-runtime-rs
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
env: env:
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -346,11 +372,10 @@ jobs:
- name: Install dependencies - name: Install dependencies
env: env:
GITHUB_API_TOKEN: ${{ github.token }} GITHUB_API_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ github.token }}
run: bash tests/integration/nerdctl/gha-run.sh install-dependencies run: bash tests/integration/nerdctl/gha-run.sh install-dependencies
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -368,21 +393,21 @@ jobs:
continue-on-error: true continue-on-error: true
- name: Archive artifacts ${{ matrix.vmm }} - name: Archive artifacts ${{ matrix.vmm }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: nerdctl-tests-garm-${{ matrix.vmm }} name: nerdctl-tests-garm-${{ matrix.vmm }}
path: /tmp/artifacts path: /tmp/artifacts
retention-days: 1 retention-days: 1
run-kata-agent-apis: run-kata-agent-apis:
name: run-kata-agent-apis strategy:
fail-fast: false
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -392,25 +417,15 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: bash tests/functional/kata-agent-apis/gha-run.sh install-dependencies run: bash tests/functional/kata-agent-apis/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
- name: get-kata-tools-tarball - name: Install kata
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 run: bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata & kata-tools
run: |
bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
bash tests/functional/kata-agent-apis/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Run kata agent api tests with agent-ctl - name: Run kata agent api tests with agent-ctl
run: bash tests/functional/kata-agent-apis/gha-run.sh run run: bash tests/functional/kata-agent-apis/gha-run.sh run
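Review bot: Every `actions/checkout@v4` step in the right-hand column checks out `ref: ${{ inputs.commit-hash }}` with the default `persist-credentials: true`, and the very next step runs `./tests/git-helper.sh` from that checkout, so code selected by the caller's `commit-hash` input executes with the job token sitting in `.git/config`. Whether that input can ever be a PR head is decided by the calling workflow, which is not on this page; if it can, add `persist-credentials: false` under each checkout `with:` block as the left-hand column does, and pin `actions/checkout` to a full SHA. The newly added `run-runk` job is `if: false` yet carries the same unpinned, credential-persisting checkout; either fix it with the others or remove the dead job rather than leave a template that will be copied. Side assignment is inferred from the split layout, since this page shows no `+`/`-` markers.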


@@ -13,11 +13,52 @@ on:
type: string type: string
default: "" default: ""
permissions: {} permissions:
contents: read
jobs: jobs:
run-cri-containerd:
strategy:
# We can set this to true whenever we're 100% sure that
# the all the tests are not flaky, otherwise we'll fail
# all the tests due to a single flaky instance
fail-fast: false
matrix:
containerd_version: ['active']
vmm: ['qemu', 'qemu-runtime-rs']
runs-on: s390x-large
env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }}
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install dependencies
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/cri-containerd/gha-run.sh install-kata kata-artifacts
- name: Run cri-containerd tests
run: bash tests/integration/cri-containerd/gha-run.sh run
run-containerd-sandboxapi: run-containerd-sandboxapi:
name: run-containerd-sandboxapi
strategy: strategy:
# We can set this to true whenever we're 100% sure that # We can set this to true whenever we're 100% sure that
# the all the tests are not flaky, otherwise we'll fail # the all the tests are not flaky, otherwise we'll fail
@@ -26,8 +67,6 @@ jobs:
matrix: matrix:
containerd_version: ['active'] containerd_version: ['active']
vmm: ['qemu-runtime-rs'] vmm: ['qemu-runtime-rs']
# TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
if: false
runs-on: s390x-large runs-on: s390x-large
env: env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }} CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -35,11 +74,10 @@ jobs:
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "shim" SANDBOXER: "shim"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -47,30 +85,11 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install yq
run: |
./ci/install_yq.sh
env:
INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml
run: |
go_version="$(yq '.languages.golang.version' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Install dependencies - name: Install dependencies
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -83,7 +102,6 @@ jobs:
run: bash tests/integration/cri-containerd/gha-run.sh run run: bash tests/integration/cri-containerd/gha-run.sh run
run-containerd-stability: run-containerd-stability:
name: run-containerd-stability
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -96,11 +114,10 @@ jobs:
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "podsandbox" SANDBOXER: "podsandbox"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -112,7 +129,7 @@ jobs:
run: bash tests/stability/gha-run.sh install-dependencies run: bash tests/stability/gha-run.sh install-dependencies
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -125,7 +142,6 @@ jobs:
run: bash tests/stability/gha-run.sh run run: bash tests/stability/gha-run.sh run
run-docker-tests: run-docker-tests:
name: run-docker-tests
strategy: strategy:
# We can set this to true whenever we're 100% sure that # We can set this to true whenever we're 100% sure that
# all the tests are not flaky, otherwise we'll fail them # all the tests are not flaky, otherwise we'll fail them
@@ -137,11 +153,10 @@ jobs:
env: env:
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -153,7 +168,7 @@ jobs:
run: bash tests/integration/docker/gha-run.sh install-dependencies run: bash tests/integration/docker/gha-run.sh install-dependencies
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
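Review bot: The `run-cri-containerd` job added in the right-hand column ends with `run: bash tests/integration/cri-containerd/gha-run.sh run` and no `timeout-minutes`, unlike its amd64 counterpart which sets `timeout-minutes: 10`, so a hung test on the self-hosted `s390x-large` runner holds that runner until the 360-minute job default. Add `timeout-minutes: 10` to the step to match. As in the other columns on this page, every checkout here uses a floating `actions/checkout@v4` with `ref: ${{ inputs.commit-hash }}` and no `persist-credentials: false`; restore both the SHA pin and `persist-credentials: false` if this column is the side being merged (inferred from layout only).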


@@ -12,12 +12,12 @@ on:
required: true required: true
type: string type: string
permissions: {} permissions:
contents: read
name: Build checks preview riscv64 name: Build checks preview riscv64
jobs: jobs:
check: check:
name: check
runs-on: ${{ inputs.instance }} runs-on: ${{ inputs.instance }}
strategy: strategy:
fail-fast: false fail-fast: false
@@ -72,27 +72,20 @@ jobs:
sudo rm -f /tmp/kata_hybrid* # Sometime we got leftover from test_setup_hvsock_failed() sudo rm -f /tmp/kata_hybrid* # Sometime we got leftover from test_setup_hvsock_failed()
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Install yq - name: Install yq
run: | run: |
./ci/install_yq.sh ./ci/install_yq.sh
env: env:
INSTALL_IN_GOPATH: false INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml - name: Install golang
if: contains(matrix.component.needs, 'golang') if: contains(matrix.component.needs, 'golang')
run: | run: |
go_version="$(yq '.languages.golang.version' versions.yaml)" ./tests/install_go.sh -f -p
[ -n "$go_version" ] echo "/usr/local/go/bin" >> "$GITHUB_PATH"
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
if: contains(matrix.component.needs, 'golang')
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Setup rust - name: Setup rust
if: contains(matrix.component.needs, 'rust') if: contains(matrix.component.needs, 'rust')
run: | run: |
@@ -130,11 +123,9 @@ jobs:
echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV" echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
- name: Running `${{ matrix.command }}` for ${{ matrix.component.name }} - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
run: | run: |
cd "${COMPONENT_PATH}" cd ${{ matrix.component.path }}
${COMMAND} ${{ matrix.command }}
env: env:
COMMAND: ${{ matrix.command }}
COMPONENT_PATH: ${{ matrix.component.path }}
RUST_BACKTRACE: "1" RUST_BACKTRACE: "1"
RUST_LIB_BACKTRACE: "0" RUST_LIB_BACKTRACE: "0"
SKIP_GO_VERSION_CHECK: "1" SKIP_GO_VERSION_CHECK: "1"
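Review bot: The checkout step `uses: actions/checkout@v4` in the `@@ -72,27 +72,20 @@` hunk does not set `persist-credentials: false`, so the job's GITHUB_TOKEN is written into `.git/config` and is readable by every later `run:` step, including `./ci/install_yq.sh` and `./tests/install_go.sh -f -p`; add `persist-credentials: false` under that step's `with:`. The same column references the action by a mutable tag rather than a commit SHA, which lets a moved tag change what the job executes; pin it as `uses: actions/checkout@<full-sha> # v4.x`. Which column is the new side is inferred from the compare direction (the page carries no +/- markers), so confirm that before acting. The `check` job's matrix and remaining steps lie outside this hunk.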


@@ -5,19 +5,13 @@ on:
required: true required: true
type: string type: string
permissions: {} permissions:
contents: read
name: Build checks name: Build checks
jobs: jobs:
check: check:
name: check runs-on: ${{ inputs.instance }}
runs-on: >-
${{
( contains(inputs.instance, 's390x') && matrix.component.name == 'runtime' ) && 's390x' ||
( contains(inputs.instance, 'ppc64le') && (matrix.component.name == 'runtime' || matrix.component.name == 'agent') ) && 'ppc64le' ||
inputs.instance
}}
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -48,11 +42,6 @@ jobs:
path: src/runtime-rs path: src/runtime-rs
needs: needs:
- rust - rust
- name: libs
path: src/libs
needs:
- rust
- protobuf-compiler
- name: agent-ctl - name: agent-ctl
path: src/tools/agent-ctl path: src/tools/agent-ctl
needs: needs:
@@ -63,7 +52,6 @@ jobs:
path: src/tools/kata-ctl path: src/tools/kata-ctl
needs: needs:
- rust - rust
- protobuf-compiler
- name: trace-forwarder - name: trace-forwarder
path: src/tools/trace-forwarder path: src/tools/trace-forwarder
needs: needs:
@@ -73,8 +61,6 @@ jobs:
needs: needs:
- rust - rust
- protobuf-compiler - protobuf-compiler
instance:
- ${{ inputs.instance }}
steps: steps:
- name: Adjust a permission for repo - name: Adjust a permission for repo
@@ -84,29 +70,20 @@ jobs:
sudo rm -f /tmp/kata_hybrid* # Sometime we got leftover from test_setup_hvsock_failed() sudo rm -f /tmp/kata_hybrid* # Sometime we got leftover from test_setup_hvsock_failed()
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Install yq - name: Install yq
run: | run: |
./ci/install_yq.sh ./ci/install_yq.sh
env: env:
INSTALL_IN_GOPATH: false INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml - name: Install golang
if: contains(matrix.component.needs, 'golang') if: contains(matrix.component.needs, 'golang')
run: | run: |
go_version="$(yq '.languages.golang.version' versions.yaml)" ./tests/install_go.sh -f -p
[ -n "$go_version" ] echo "/usr/local/go/bin" >> "$GITHUB_PATH"
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
if: contains(matrix.component.needs, 'golang')
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
# Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
architecture: ${{ contains(inputs.instance, 'ppc64le') && 'ppc64le' || '' }}
- name: Setup rust - name: Setup rust
if: contains(matrix.component.needs, 'rust') if: contains(matrix.component.needs, 'rust')
run: | run: |
@@ -144,11 +121,9 @@ jobs:
echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV" echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
- name: Running `${{ matrix.command }}` for ${{ matrix.component.name }} - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
run: | run: |
cd "${COMPONENT_PATH}" cd ${{ matrix.component.path }}
eval "${COMMAND}" ${{ matrix.command }}
env: env:
COMMAND: ${{ matrix.command }}
COMPONENT_PATH: ${{ matrix.component.path }}
RUST_BACKTRACE: "1" RUST_BACKTRACE: "1"
RUST_LIB_BACKTRACE: "0" RUST_LIB_BACKTRACE: "0"
SKIP_GO_VERSION_CHECK: "1" SKIP_GO_VERSION_CHECK: "1"
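Review bot: The last step of the `@@ -144,11 +121,9 @@` hunk expands `${{ matrix.component.path }}` and `${{ matrix.command }}` directly inside `run:`, so the runner splices those values into the script before bash parses it and any quoting or shell metacharacters in a matrix entry become code rather than data. Route them through `env:` (`COMPONENT_PATH: ${{ matrix.component.path }}`, `COMMAND: ${{ matrix.command }}`) and reference them as `cd "${COMPONENT_PATH}"` and `eval "${COMMAND}"`. The matrix here is workflow-defined rather than attacker-supplied, so this is a hardening and style point rather than an exploitable injection. Which column is the new side is inferred from the compare direction, and the `check` job's matrix and earlier steps are outside this hunk.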


@@ -23,14 +23,12 @@ on:
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: false required: false
KBUILD_SIGN_PIN:
required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
name: build-asset
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
contents: read contents: read
@@ -41,23 +39,30 @@ jobs:
matrix: matrix:
asset: asset:
- agent - agent
- agent-ctl
- busybox - busybox
- cloud-hypervisor - cloud-hypervisor
- cloud-hypervisor-glibc - cloud-hypervisor-glibc
- coco-guest-components - coco-guest-components
- csi-kata-directvolume
- firecracker - firecracker
- genpolicy
- kata-ctl
- kata-manager
- kernel - kernel
- kernel-debug - kernel-confidential
- kernel-dragonball-experimental - kernel-dragonball-experimental
- kernel-nvidia-gpu - kernel-nvidia-gpu
- kernel-nvidia-gpu-confidential
- nydus - nydus
- ovmf - ovmf
- ovmf-sev - ovmf-sev
- ovmf-tdx
- pause-image - pause-image
- qemu - qemu
- qemu-snp-experimental - qemu-snp-experimental
- qemu-tdx-experimental - qemu-tdx-experimental
- stratovirt
- trace-forwarder
- virtiofsd - virtiofsd
stage: stage:
- ${{ inputs.stage }} - ${{ inputs.stage }}
@@ -75,11 +80,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -103,19 +107,16 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
- name: Parse OCI image name and digest - name: Parse OCI image name and digest
id: parse-oci-segments id: parse-oci-segments
if: ${{ env.PERFORM_ATTESTATION == 'yes' }} if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
env:
KATA_ASSET: ${{ matrix.asset }}
run: | run: |
oci_image="$(<"build/${KATA_ASSET}-oci-image")" oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT" echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT" echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
- uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4 - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
if: ${{ env.PERFORM_ATTESTATION == 'yes' }} if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with: with:
version: "1.2.0" version: "1.2.0"
@@ -128,7 +129,7 @@ jobs:
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 - uses: actions/attest-build-provenance@v1
if: ${{ env.PERFORM_ATTESTATION == 'yes' }} if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with: with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -136,24 +137,23 @@ jobs:
push-to-registry: true push-to-registry: true
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
- name: store-extratarballs-artifact ${{ matrix.asset }} - name: store-extratarballs-artifact ${{ matrix.asset }}
if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-amd64-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }} name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-modules.tar.zst path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
build-asset-rootfs: build-asset-rootfs:
name: build-asset-rootfs
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: build-asset needs: build-asset
permissions: permissions:
@@ -165,10 +165,10 @@ jobs:
- rootfs-image - rootfs-image
- rootfs-image-confidential - rootfs-image-confidential
- rootfs-image-mariner - rootfs-image-mariner
- rootfs-image-nvidia-gpu
- rootfs-image-nvidia-gpu-confidential
- rootfs-initrd - rootfs-initrd
- rootfs-initrd-confidential - rootfs-initrd-confidential
- rootfs-nvidia-gpu-initrd
- rootfs-nvidia-gpu-confidential-initrd
steps: steps:
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }} if: ${{ inputs.push-to-registry == 'yes' }}
@@ -178,11 +178,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -191,7 +190,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -214,19 +213,17 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts: remove-rootfs-binary-artifacts:
name: remove-rootfs-binary-artifacts
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: build-asset-rootfs needs: build-asset-rootfs
strategy: strategy:
@@ -234,7 +231,8 @@ jobs:
asset: asset:
- busybox - busybox
- coco-guest-components - coco-guest-components
- kernel-nvidia-gpu-modules - kernel-nvidia-gpu-headers
- kernel-nvidia-gpu-confidential-headers
- pause-image - pause-image
steps: steps:
- uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
@@ -243,7 +241,6 @@ jobs:
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts-for-release: remove-rootfs-binary-artifacts-for-release:
name: remove-rootfs-binary-artifacts-for-release
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: build-asset-rootfs needs: build-asset-rootfs
strategy: strategy:
@@ -257,7 +254,6 @@ jobs:
name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }} name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
build-asset-shim-v2: build-asset-shim-v2:
name: build-asset-shim-v2
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
permissions: permissions:
@@ -272,11 +268,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -285,7 +280,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -311,34 +306,31 @@ jobs:
MEASURED_ROOTFS: yes MEASURED_ROOTFS: yes
- name: store-artifact shim-v2 - name: store-artifact shim-v2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }} name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.zst path: kata-build/kata-static-shim-v2.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
create-kata-tarball: create-kata-tarball:
name: create-kata-tarball
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions: permissions:
contents: read contents: read
packages: write packages: write
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -346,132 +338,10 @@ jobs:
- name: merge-artifacts - name: merge-artifacts
run: | run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: Check kata tarball size (GitHub release asset limit)
run: |
# https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
GITHUB_ASSET_MAX_BYTES=2147483648
tarball_size=$(stat -c "%s" kata-static.tar.zst)
if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
exit 1
fi
echo "tarball size: ${tarball_size} bytes"
- name: store-artifacts - name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-static.tar.zst path: kata-static.tar.xz
retention-days: 15
if-no-files-found: error
build-tools-asset:
name: build-tools-asset
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
strategy:
matrix:
asset:
- agent-ctl
- genpolicy
- kata-ctl
- kata-manager
- trace-forwarder
stage:
- ${{ inputs.stage }}
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Build ${{ matrix.asset }}
id: build
run: |
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-tools-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-tools-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-tools-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
create-kata-tools-tarball:
name: create-kata-tools-tarball
runs-on: ubuntu-22.04
needs: [build-tools-asset]
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-tools-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
merge-multiple: true
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: Check kata-tools tarball size (GitHub release asset limit)
run: |
# https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
GITHUB_ASSET_MAX_BYTES=2147483648
tarball_size=$(stat -c "%s" kata-tools-static.tar.zst)
if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
exit 1
fi
echo "tarball size: ${tarball_size} bytes"
- name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-static.tar.zst
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
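Review bot: The provenance step `uses: actions/attest-build-provenance@v1` in the `@@ -128,7 +129,7 @@` hunk is referenced by a mutable major tag, yet it is the step that signs and pushes the attestation for the OCI image named by `steps.parse-oci-segments`; an upstream tag move would silently change the code producing that attestation. Pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4`, and do the same for the `checkout`, `upload-artifact` and `download-artifact` references in this file. The checkout steps in the same column also omit `persist-credentials: false`, so the token already handed to the build as `ARTEFACT_REGISTRY_PASSWORD` is additionally left in `.git/config` for the build scripts. Which column is the new side is inferred from the compare direction (no +/- markers survive), so confirm before acting; every job in this file has steps outside the hunks shown.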


@@ -23,15 +23,13 @@ on:
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: false required: false
KBUILD_SIGN_PIN:
required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
name: build-asset runs-on: ubuntu-22.04-arm
runs-on: ubuntu-24.04-arm
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -45,13 +43,12 @@ jobs:
- cloud-hypervisor - cloud-hypervisor
- firecracker - firecracker
- kernel - kernel
- kernel-debug
- kernel-dragonball-experimental - kernel-dragonball-experimental
- kernel-nvidia-gpu - kernel-nvidia-gpu
- kernel-cca-confidential
- nydus - nydus
- ovmf - ovmf
- qemu - qemu
- stratovirt
- virtiofsd - virtiofsd
env: env:
PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
@@ -64,11 +61,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -91,19 +87,16 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
- name: Parse OCI image name and digest - name: Parse OCI image name and digest
id: parse-oci-segments id: parse-oci-segments
if: ${{ env.PERFORM_ATTESTATION == 'yes' }} if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
env:
KATA_ASSET: ${{ matrix.asset }}
run: | run: |
oci_image="$(<"build/${KATA_ASSET}-oci-image")" oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT" echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT" echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
- uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4 - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
if: ${{ env.PERFORM_ATTESTATION == 'yes' }} if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with: with:
version: "1.2.0" version: "1.2.0"
@@ -116,7 +109,7 @@ jobs:
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 - uses: actions/attest-build-provenance@v1
if: ${{ env.PERFORM_ATTESTATION == 'yes' }} if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with: with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -124,25 +117,24 @@ jobs:
push-to-registry: true push-to-registry: true
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
- name: store-extratarballs-artifact ${{ matrix.asset }} - name: store-extratarballs-artifact ${{ matrix.asset }}
if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-arm64-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }} name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-modules.tar.zst path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
build-asset-rootfs: build-asset-rootfs:
name: build-asset-rootfs runs-on: ubuntu-22.04-arm
runs-on: ubuntu-24.04-arm
needs: build-asset needs: build-asset
permissions: permissions:
contents: read contents: read
@@ -151,8 +143,8 @@ jobs:
matrix: matrix:
asset: asset:
- rootfs-image - rootfs-image
- rootfs-image-nvidia-gpu
- rootfs-initrd - rootfs-initrd
- rootfs-nvidia-gpu-initrd
steps: steps:
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }} if: ${{ inputs.push-to-registry == 'yes' }}
@@ -162,11 +154,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -175,7 +166,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -197,26 +188,24 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts: remove-rootfs-binary-artifacts:
name: remove-rootfs-binary-artifacts runs-on: ubuntu-22.04-arm
runs-on: ubuntu-24.04-arm
needs: build-asset-rootfs needs: build-asset-rootfs
strategy: strategy:
matrix: matrix:
asset: asset:
- busybox - busybox
- kernel-nvidia-gpu-modules - kernel-nvidia-gpu-headers
steps: steps:
- uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
with: with:
@@ -224,8 +213,7 @@ jobs:
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts-for-release: remove-rootfs-binary-artifacts-for-release:
name: remove-rootfs-binary-artifacts-for-release runs-on: ubuntu-22.04-arm
runs-on: ubuntu-24.04-arm
needs: build-asset-rootfs needs: build-asset-rootfs
strategy: strategy:
matrix: matrix:
@@ -238,8 +226,7 @@ jobs:
name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }} name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
build-asset-shim-v2: build-asset-shim-v2:
name: build-asset-shim-v2 runs-on: ubuntu-22.04-arm
runs-on: ubuntu-24.04-arm
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
permissions: permissions:
contents: read contents: read
@@ -253,11 +240,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -266,7 +252,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -290,34 +276,31 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact shim-v2 - name: store-artifact shim-v2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }} name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.zst path: kata-build/kata-static-shim-v2.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
create-kata-tarball: create-kata-tarball:
name: create-kata-tarball runs-on: ubuntu-22.04-arm
runs-on: ubuntu-24.04-arm
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions: permissions:
contents: read contents: read
packages: write packages: write
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -325,22 +308,10 @@ jobs:
- name: merge-artifacts - name: merge-artifacts
run: | run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: Check kata tarball size (GitHub release asset limit)
run: |
# https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
GITHUB_ASSET_MAX_BYTES=2147483648
tarball_size=$(stat -c "%s" kata-static.tar.zst)
if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
exit 1
fi
echo "tarball size: ${tarball_size} bytes"
- name: store-artifacts - name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-static-tarball-arm64${{ inputs.tarball-suffix }} name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
path: kata-static.tar.zst path: kata-static.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error


@@ -24,15 +24,15 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
name: build-asset
permissions: permissions:
contents: read contents: read
packages: write packages: write
runs-on: ubuntu-24.04-ppc64le runs-on: ppc64le
strategy: strategy:
matrix: matrix:
asset: asset:
@@ -51,11 +51,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -80,16 +79,15 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 1 retention-days: 1
if-no-files-found: error if-no-files-found: error
build-asset-rootfs: build-asset-rootfs:
name: build-asset-rootfs runs-on: ppc64le
runs-on: ubuntu-24.04-ppc64le
needs: build-asset needs: build-asset
permissions: permissions:
contents: read contents: read
@@ -109,11 +107,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -122,7 +119,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -146,16 +143,15 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 1 retention-days: 1
if-no-files-found: error if-no-files-found: error
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts: remove-rootfs-binary-artifacts:
name: remove-rootfs-binary-artifacts
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: build-asset-rootfs needs: build-asset-rootfs
strategy: strategy:
@@ -169,8 +165,7 @@ jobs:
name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }} name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}
build-asset-shim-v2: build-asset-shim-v2:
name: build-asset-shim-v2 runs-on: ppc64le
runs-on: ubuntu-24.04-ppc64le
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
permissions: permissions:
contents: read contents: read
@@ -184,11 +179,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -197,7 +191,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -221,16 +215,15 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact shim-v2 - name: store-artifact shim-v2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }} name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.zst path: kata-build/kata-static-shim-v2.tar.xz
retention-days: 1 retention-days: 1
if-no-files-found: error if-no-files-found: error
create-kata-tarball: create-kata-tarball:
name: create-kata-tarball runs-on: ppc64le
runs-on: ubuntu-24.04-ppc64le
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions: permissions:
contents: read contents: read
@@ -240,19 +233,17 @@ jobs:
run: | run: |
sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE" sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -260,22 +251,10 @@ jobs:
- name: merge-artifacts - name: merge-artifacts
run: | run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: Check kata tarball size (GitHub release asset limit)
run: |
# https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
GITHUB_ASSET_MAX_BYTES=2147483648
tarball_size=$(stat -c "%s" kata-static.tar.zst)
if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
exit 1
fi
echo "tarball size: ${tarball_size} bytes"
- name: store-artifacts - name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }} name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
path: kata-static.tar.zst path: kata-static.tar.xz
retention-days: 1 retention-days: 1
if-no-files-found: error if-no-files-found: error
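Review bot: Every `actions/checkout@v4` step in this file (the build-asset, build-asset-rootfs, build-asset-shim-v2 and create-kata-tarball jobs) drops `persist-credentials: false`, so the job's GITHUB_TOKEN stays in `.git/config` for the rest of the job, including the rebase helper and the build scripts that run on the `ppc64le` runners (a custom label, presumably self-hosted); add `persist-credentials: false` under each checkout's `with:`. The same steps, plus upload-artifact and download-artifact, move from a full commit-SHA pin with a `# vX.Y.Z` comment to the mutable `@v4` tag, so what executes is whatever the tag points to at run time rather than a reviewed revision; pinning to the SHA keeps the workflow reproducible and auditable. Relatedly, the top-level `permissions: {}` becomes `contents: read`, which grants the token read access in any job that does not declare its own block — harmless here since every job declares one, but the empty default is the stricter baseline. The riscv64, s390x and cargo-deny sections below have the same unpinned-checkout and persist-credentials issues, the riscv64 job notably pinning `docker/login-action` by SHA while leaving checkout and upload-artifact on tags.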


@@ -20,12 +20,15 @@ on:
required: false required: false
type: string type: string
default: "" default: ""
secrets:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
name: build-asset
runs-on: riscv-builder runs-on: riscv-builder
permissions: permissions:
contents: read contents: read
@@ -38,11 +41,18 @@ jobs:
- kernel - kernel
- virtiofsd - virtiofsd
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -67,9 +77,9 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 3 retention-days: 15
if-no-files-found: error if-no-files-found: error
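Review bot: The new `secrets:` block declares `QUAY_DEPLOYER_PASSWORD` with `required: true`, yet its only consumer, the "Login to Kata Containers quay.io" step, is guarded by `if: ${{ inputs.push-to-registry == 'yes' }}`, so every caller must now supply the secret even when it never pushes. Either declare it `required: false` and keep the conditional login, or drop the condition and document that the secret is mandatory for this workflow. The login also leaves a registry credential in the docker config on `riscv-builder` after the step finishes; if that runner is shared between jobs, a final `docker logout quay.io` step with `if: always()` keeps it from lingering.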


@@ -27,12 +27,12 @@ on:
required: true required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
name: build-asset runs-on: s390x
runs-on: ubuntu-24.04-s390x
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -44,6 +44,7 @@ jobs:
- agent - agent
- coco-guest-components - coco-guest-components
- kernel - kernel
- kernel-confidential
- pause-image - pause-image
- qemu - qemu
- virtiofsd - virtiofsd
@@ -58,11 +59,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -90,10 +90,8 @@ jobs:
- name: Parse OCI image name and digest - name: Parse OCI image name and digest
id: parse-oci-segments id: parse-oci-segments
if: ${{ env.PERFORM_ATTESTATION == 'yes' }} if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
env:
ASSET: ${{ matrix.asset }}
run: | run: |
oci_image="$(<"build/${ASSET}-oci-image")" oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT" echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT" echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
@@ -105,7 +103,7 @@ jobs:
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 - uses: actions/attest-build-provenance@v1
if: ${{ env.PERFORM_ATTESTATION == 'yes' }} if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with: with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -113,15 +111,14 @@ jobs:
push-to-registry: true push-to-registry: true
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
build-asset-rootfs: build-asset-rootfs:
name: build-asset-rootfs
runs-on: s390x runs-on: s390x
needs: build-asset needs: build-asset
permissions: permissions:
@@ -143,11 +140,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -156,7 +152,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -181,24 +177,22 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
build-asset-boot-image-se: build-asset-boot-image-se:
name: build-asset-boot-image-se
runs-on: s390x runs-on: s390x
needs: [build-asset, build-asset-rootfs] needs: [build-asset, build-asset-rootfs]
permissions: permissions:
contents: read contents: read
packages: write packages: write
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
@@ -206,7 +200,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -230,16 +224,15 @@ jobs:
HKD_PATH: "host-key-document" HKD_PATH: "host-key-document"
- name: store-artifact boot-image-se - name: store-artifact boot-image-se
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-s390x${{ inputs.tarball-suffix }} name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
path: kata-build/kata-static-boot-image-se.tar.zst path: kata-build/kata-static-boot-image-se.tar.xz
retention-days: 1 retention-days: 1
if-no-files-found: error if-no-files-found: error
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts: remove-rootfs-binary-artifacts:
name: remove-rootfs-binary-artifacts
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: [build-asset-rootfs, build-asset-boot-image-se] needs: [build-asset-rootfs, build-asset-boot-image-se]
strategy: strategy:
@@ -255,8 +248,7 @@ jobs:
name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }} name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }}
build-asset-shim-v2: build-asset-shim-v2:
name: build-asset-shim-v2 runs-on: s390x
runs-on: ubuntu-24.04-s390x
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
permissions: permissions:
contents: read contents: read
@@ -270,11 +262,10 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -283,7 +274,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -309,16 +300,15 @@ jobs:
MEASURED_ROOTFS: no MEASURED_ROOTFS: no
- name: store-artifact shim-v2 - name: store-artifact shim-v2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }} name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.zst path: kata-build/kata-static-shim-v2.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
create-kata-tarball: create-kata-tarball:
name: create-kata-tarball runs-on: s390x
runs-on: ubuntu-24.04-s390x
needs: needs:
- build-asset - build-asset
- build-asset-rootfs - build-asset-rootfs
@@ -328,19 +318,17 @@ jobs:
contents: read contents: read
packages: write packages: write
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts - name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts
@@ -348,22 +336,10 @@ jobs:
- name: merge-artifacts - name: merge-artifacts
run: | run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: Check kata tarball size (GitHub release asset limit)
run: |
# https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
GITHUB_ASSET_MAX_BYTES=2147483648
tarball_size=$(stat -c "%s" kata-static.tar.zst)
if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
exit 1
fi
echo "tarball size: ${tarball_size} bytes"
- name: store-artifacts - name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-static.tar.zst path: kata-static.tar.xz
retention-days: 15 retention-days: 15
if-no-files-found: error if-no-files-found: error
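Review bot: In the "Parse OCI image name and digest" step the matrix value is interpolated directly into the shell script, `oci_image="$(<"build/${{ matrix.asset }}-oci-image")"`; the expression is expanded before bash parses the line, so any value containing quotes or `$(...)` would become shell syntax. `matrix.asset` comes from the static list in this file, so the exposure is low today, but routing it through `env:` (`ASSET: ${{ matrix.asset }}`, then `"build/${ASSET}-oci-image"`) keeps the script safe if the matrix is ever driven by a workflow input. The context line `MEASURED_ROOTFS: no` in the shim-v2 job is an unquoted YAML 1.1 boolean; writing it as `"no"` avoids a parser that follows 1.1 semantics turning it into `false`.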


@@ -1,75 +0,0 @@
name: Build kubectl multi-arch image
on:
schedule:
# Run every Sunday at 00:00 UTC
- cron: '0 0 * * 0'
workflow_dispatch:
# Allow manual triggering
push:
branches:
- main
paths:
- 'tools/packaging/kubectl/Dockerfile'
- '.github/workflows/build-kubectl-image.yaml'
permissions: {}
env:
REGISTRY: quay.io
IMAGE_NAME: kata-containers/kubectl
jobs:
build-and-push:
name: Build and push multi-arch image
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Login to Quay.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- name: Get kubectl version
id: kubectl-version
run: |
KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt)
echo "version=${KUBECTL_VERSION}" >> "$GITHUB_OUTPUT"
- name: Generate image metadata
id: meta
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=latest
type=raw,value={{date 'YYYYMMDD'}}
type=raw,value=${{ steps.kubectl-version.outputs.version }}
type=sha,prefix=
- name: Build and push multi-arch image
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
with:
context: tools/packaging/kubectl/
file: tools/packaging/kubectl/Dockerfile
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max


@@ -11,22 +11,23 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: {} permissions:
contents: read
jobs: jobs:
cargo-deny-runner: cargo-deny-runner:
name: cargo-deny-runner
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
with: uses: actions/checkout@v4
persist-credentials: false
- name: Generate Action - name: Generate Action
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: bash cargo-deny-generator.sh run: bash cargo-deny-generator.sh
working-directory: ./.github/cargo-deny-composite-action/ working-directory: ./.github/cargo-deny-composite-action/
env: env:
GOPATH: ${{ github.workspace }}/kata-containers GOPATH: ${{ github.workspace }}/kata-containers
- name: Run Action - name: Run Action
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: ./.github/cargo-deny-composite-action uses: ./.github/cargo-deny-composite-action
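Review bot: The same `force-skip-ci` label check, `if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}`, is repeated on all three steps of `cargo-deny-runner`; hoisting it to a job-level `if:` states the intent once and cannot drift when another step is added. As written, the job still runs and reports success with every step skipped when the label is present, which a job-level condition would make explicit in the run summary as a skipped job.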


@@ -1,15 +1,15 @@
name: Kata Containers CoCo Stability Tests Weekly name: Kata Containers CoCo Stability Tests Weekly
on: on:
# Note: This workload is not currently maintained, so skipping it's scheduled runs schedule:
# schedule: - cron: '0 0 * * 0'
# - cron: '0 0 * * 0'
workflow_dispatch: workflow_dispatch:
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: {} permissions:
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
@@ -30,4 +30,3 @@ jobs:
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}


@@ -2,7 +2,8 @@ name: Kata Containers CI (manually triggered)
on: on:
workflow_dispatch: workflow_dispatch:
permissions: {} permissions:
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
@@ -17,7 +18,6 @@ jobs:
pr-number: "dev" pr-number: "dev"
tag: ${{ github.sha }}-dev tag: ${{ github.sha }}-dev
target-branch: ${{ github.ref_name }} target-branch: ${{ github.ref_name }}
extensive-matrix-autogenerated-policy: "yes"
secrets: secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
@@ -27,8 +27,6 @@ jobs:
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }} ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-checks: build-checks:
uses: ./.github/workflows/build-checks.yaml uses: ./.github/workflows/build-checks.yaml


@@ -1,34 +0,0 @@
on:
schedule:
- cron: '0 5 * * *'
name: Nightly CI for RISC-V
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
build-kata-static-tarball-riscv:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
with:
tarball-suffix: -${{ github.sha }}
commit-hash: ${{ github.sha }}
target-branch: ${{ github.ref_name }}
build-checks-preview:
strategy:
fail-fast: false
matrix:
instance:
- "riscv-builder"
uses: ./.github/workflows/build-checks-preview-riscv64.yaml
with:
instance: ${{ matrix.instance }}


@@ -4,11 +4,11 @@ on:
name: Nightly CI for s390x name: Nightly CI for s390x
permissions: {} permissions:
contents: read
jobs: jobs:
check-internal-test-result: check-internal-test-result:
name: check-internal-test-result
runs-on: s390x runs-on: s390x
strategy: strategy:
fail-fast: false fail-fast: false
@@ -16,8 +16,7 @@ jobs:
test_title: test_title:
- kata-vfio-ap-e2e-tests - kata-vfio-ap-e2e-tests
- cc-vfio-ap-e2e-tests - cc-vfio-ap-e2e-tests
- cc-se-e2e-tests-go - cc-se-e2e-tests
- cc-se-e2e-tests-rs
steps: steps:
- name: Fetch a test result for {{ matrix.test_title }} - name: Fetch a test result for {{ matrix.test_title }}
run: | run: |
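Review bot: The step name `Fetch a test result for {{ matrix.test_title }}` is missing the leading `$`, so GitHub does not evaluate it as an expression and every matrix job renders with the literal braces instead of the test title; it should read `- name: Fetch a test result for ${{ matrix.test_title }}`. This line is unchanged by the change shown, but it is the only per-entry label these jobs get in the UI, and the `run:` body it labels continues outside the hunk. The right-hand `runs-on: s390x` is a bare self-hosted-runner label, which is acceptable for a scheduled nightly on a trusted branch but should not be reused by any workflow that a PR can drive.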


@@ -7,7 +7,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: {} permissions:
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
@@ -22,7 +23,6 @@ jobs:
pr-number: "nightly" pr-number: "nightly"
tag: ${{ github.sha }}-nightly tag: ${{ github.sha }}-nightly
target-branch: ${{ github.ref_name }} target-branch: ${{ github.ref_name }}
extensive-matrix-autogenerated-policy: "yes"
secrets: secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID: ${{ secrets.AZ_APPID }} AZ_APPID: ${{ secrets.AZ_APPID }}
@@ -31,5 +31,3 @@ jobs:
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }} ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}


@@ -1,8 +1,9 @@
name: Kata Containers CI name: Kata Containers CI
on: on:
pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332. pull_request_target:
branches: branches:
- 'main' - 'main'
- 'stable-*'
types: types:
# Adding 'labeled' to the list of activity types that trigger this event # Adding 'labeled' to the list of activity types that trigger this event
# (default: opened, synchronize, reopened) so that we can run this # (default: opened, synchronize, reopened) so that we can run this
@@ -13,7 +14,9 @@ on:
- reopened - reopened
- labeled - labeled
permissions: {} permissions:
contents: read
id-token: write
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -50,5 +53,3 @@ jobs:
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }} ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
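Review bot: Granting `id-token: write` at workflow level on a `pull_request_target` workflow hands OIDC token minting to every job in the run, not only the one that logs into Azure; keep `permissions: {}` at the top and put `id-token: write # Used for OIDC access to log into Azure` on that single job, as the left-hand side does. The right-hand side also drops the `# zizmor: ignore[dangerous-triggers]` annotation, which is the only place the use of `pull_request_target` is recorded as a reviewed decision; if the trigger stays, restore a comment pointing at the tracking issue. Removing `'stable-*'` from `branches:` means PRs against stable branches no longer run this CI at all, which looks unintended if backports are still accepted. The jobs and any label gate that decides whether fork code runs with these secrets are outside the hunk, so I can't confirm what actually executes with them.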


@@ -27,10 +27,9 @@ on:
required: true required: true
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
KBUILD_SIGN_PIN:
required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
@@ -44,8 +43,6 @@ jobs:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
secrets:
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
publish-kata-deploy-payload-amd64: publish-kata-deploy-payload-amd64:
needs: build-kata-static-tarball-amd64 needs: build-kata-static-tarball-amd64
@@ -66,18 +63,16 @@ jobs:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-and-publish-tee-confidential-unencrypted-image: build-and-publish-tee-confidential-unencrypted-image:
name: build-and-publish-tee-confidential-unencrypted-image
permissions: permissions:
contents: read contents: read
packages: write packages: write
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -123,6 +118,3 @@ jobs:
AZ_APPID: ${{ secrets.AZ_APPID }} AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
permissions:
contents: read
id-token: write
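Review bot: In `build-and-publish-tee-confidential-unencrypted-image`, the right-hand side checks out `ref: ${{ inputs.commit-hash }}` with `actions/checkout@v4` and no `persist-credentials: false`, in a job that holds `packages: write`; the default persists the GITHUB_TOKEN into `.git/config`, and the very next step runs `./tests/git-helper.sh` from that checked-out tree. Pin the action to a full SHA and add `persist-credentials: false` under `with:`, as the left-hand side does. Whether `commit-hash` can be a fork PR head depends on the caller, which is not visible here; if it can, this job executes PR-controlled scripts alongside a registry-publishing token and needs a maintainer-applied label gate upstream. The right-hand side also drops the job-level `permissions` block from the AKS job at the end of the hunk, so that job falls back to the workflow-level `contents: read`; if its reusable workflow logs into Azure via OIDC it will need `id-token: write` restored on the job.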


@@ -19,10 +19,6 @@ on:
required: false required: false
type: string type: string
default: no default: no
extensive-matrix-autogenerated-policy:
required: false
type: string
default: no
secrets: secrets:
AUTHENTICATED_IMAGE_PASSWORD: AUTHENTICATED_IMAGE_PASSWORD:
required: true required: true
@@ -39,12 +35,10 @@ on:
required: true required: true
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
NGC_API_KEY:
required: true
KBUILD_SIGN_PIN:
required: true
permissions: {} permissions:
contents: read
id-token: write
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
@@ -58,8 +52,6 @@ jobs:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
secrets:
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
publish-kata-deploy-payload-amd64: publish-kata-deploy-payload-amd64:
needs: build-kata-static-tarball-amd64 needs: build-kata-static-tarball-amd64
@@ -90,8 +82,6 @@ jobs:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
secrets:
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
publish-kata-deploy-payload-arm64: publish-kata-deploy-payload-arm64:
needs: build-kata-static-tarball-arm64 needs: build-kata-static-tarball-arm64
@@ -106,7 +96,7 @@ jobs:
tag: ${{ inputs.tag }}-arm64 tag: ${{ inputs.tag }}-arm64
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
runner: ubuntu-24.04-arm runner: ubuntu-22.04-arm
arch: arm64 arch: arm64
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -138,6 +128,20 @@ jobs:
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-kata-static-tarball-riscv64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
publish-kata-deploy-payload-s390x: publish-kata-deploy-payload-s390x:
needs: build-kata-static-tarball-s390x needs: build-kata-static-tarball-s390x
permissions: permissions:
@@ -151,7 +155,7 @@ jobs:
tag: ${{ inputs.tag }}-s390x tag: ${{ inputs.tag }}-s390x
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
runner: ubuntu-24.04-s390x runner: s390x
arch: s390x arch: s390x
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -169,24 +173,22 @@ jobs:
tag: ${{ inputs.tag }}-ppc64le tag: ${{ inputs.tag }}-ppc64le
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
runner: ubuntu-24.04-ppc64le runner: ppc64le
arch: ppc64le arch: ppc64le
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-and-publish-tee-confidential-unencrypted-image: build-and-publish-tee-confidential-unencrypted-image:
name: build-and-publish-tee-confidential-unencrypted-image
permissions: permissions:
contents: read contents: read
packages: write packages: write
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -216,6 +218,59 @@ jobs:
platforms: linux/amd64, linux/s390x platforms: linux/amd64, linux/s390x
file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
publish-csi-driver-amd64:
needs: build-kata-static-tarball-amd64
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
name: kata-static-tarball-amd64-${{ inputs.tag }}
path: kata-artifacts
- name: Install tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Copy binary into Docker context
run: |
# Copy to the location where the Dockerfile expects the binary.
mkdir -p src/tools/csi-kata-directvolume/bin/
cp /opt/kata/bin/csi-kata-directvolume src/tools/csi-kata-directvolume/bin/directvolplugin
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Login to Kata Containers ghcr.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker build and push
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
with:
tags: ghcr.io/kata-containers/csi-kata-directvolume:${{ inputs.pr-number }}
push: true
context: src/tools/csi-kata-directvolume/
platforms: linux/amd64
file: src/tools/csi-kata-directvolume/Dockerfile
run-kata-monitor-tests: run-kata-monitor-tests:
if: ${{ inputs.skip-test != 'yes' }} if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64 needs: build-kata-static-tarball-amd64
@@ -229,10 +284,6 @@ jobs:
if: ${{ inputs.skip-test != 'yes' }} if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-amd64 needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io registry: ghcr.io
@@ -246,14 +297,11 @@ jobs:
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
run-k8s-tests-on-free-runner: run-k8s-tests-on-amd64:
if: ${{ inputs.skip-test != 'yes' }} if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-amd64 needs: publish-kata-deploy-payload-amd64
permissions: uses: ./.github/workflows/run-k8s-tests-on-amd64.yaml
contents: read
uses: ./.github/workflows/run-k8s-tests-on-free-runner.yaml
with: with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64 tag: ${{ inputs.tag }}-amd64
@@ -273,31 +321,13 @@ jobs:
pr-number: ${{ inputs.pr-number }} pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
run-k8s-tests-on-nvidia-gpu:
if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
run-kata-coco-tests: run-kata-coco-tests:
if: ${{ inputs.skip-test != 'yes' }} if: ${{ inputs.skip-test != 'yes' }}
needs: needs:
- publish-kata-deploy-payload-amd64 - publish-kata-deploy-payload-amd64
- build-and-publish-tee-confidential-unencrypted-image - build-and-publish-tee-confidential-unencrypted-image
- publish-csi-driver-amd64
uses: ./.github/workflows/run-kata-coco-tests.yaml uses: ./.github/workflows/run-kata-coco-tests.yaml
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io registry: ghcr.io
@@ -306,7 +336,6 @@ jobs:
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }} pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
secrets: secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID: ${{ secrets.AZ_APPID }} AZ_APPID: ${{ secrets.AZ_APPID }}
@@ -352,6 +381,20 @@ jobs:
pr-number: ${{ inputs.pr-number }} pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
run-metrics-tests:
# Skip metrics tests whilst runner is broken
if: false
# if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64
uses: ./.github/workflows/run-metrics.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
run-basic-amd64-tests: run-basic-amd64-tests:
if: ${{ inputs.skip-test != 'yes' }} if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64 needs: build-kata-static-tarball-amd64
@@ -370,88 +413,11 @@ jobs:
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
run-cri-containerd-amd64:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: lts, vmm: clh },
{ containerd_version: lts, vmm: dragonball },
{ containerd_version: lts, vmm: qemu },
{ containerd_version: lts, vmm: cloud-hypervisor },
{ containerd_version: lts, vmm: qemu-runtime-rs },
{ containerd_version: active, vmm: clh },
{ containerd_version: active, vmm: dragonball },
{ containerd_version: active, vmm: qemu },
{ containerd_version: active, vmm: cloud-hypervisor },
{ containerd_version: active, vmm: qemu-runtime-rs },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ubuntu-22.04
arch: amd64
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
run-cri-containerd-s390x:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-s390x
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
{ containerd_version: active, vmm: qemu-runtime-rs },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: s390x-large
arch: s390x
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
run-cri-containerd-tests-ppc64le: run-cri-containerd-tests-ppc64le:
if: ${{ inputs.skip-test != 'yes' }} if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-ppc64le needs: build-kata-static-tarball-ppc64le
strategy: uses: ./.github/workflows/run-cri-containerd-tests-ppc64le.yaml
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }} commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
runner: ppc64le-small
arch: ppc64le
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
run-cri-containerd-tests-arm64:
if: false
needs: build-kata-static-tarball-arm64
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: arm64-non-k8s
arch: arm64
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
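Review bot: The new `publish-csi-driver-amd64` job checks out `ref: ${{ inputs.commit-hash }}` with unpinned `actions/checkout@v4` (and `actions/download-artifact@v4`) and no `persist-credentials: false`, then runs `./tests/git-helper.sh` and `tests/integration/kubernetes/gha-run.sh` from that tree while holding `packages: write` and a ghcr login made with `GITHUB_TOKEN`. Anything in the checked-out tree can therefore read the token from `.git/config` or simply push whatever it likes as `ghcr.io/kata-containers/csi-kata-directvolume:<pr-number>`; pin both actions to full SHAs like the sibling `docker/*` steps already are, and add `persist-credentials: false` under the checkout's `with:`. Whether `commit-hash` is a fork PR head is decided by the caller, outside this file; if it can be, the caller must gate this reusable workflow on a maintainer-applied label before any of these publish jobs run. Separately, the workflow-level `id-token: write` at the top of the file is broader than needed — only the jobs that log into Azure require it, and the left-hand side shows those jobs carrying it with an explanatory comment.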


@@ -4,21 +4,16 @@ on:
- cron: "0 0 * * *" - cron: "0 0 * * *"
workflow_dispatch: workflow_dispatch:
permissions: {} permissions:
contents: read
id-token: write
jobs: jobs:
cleanup-resources: cleanup-resources:
name: cleanup-resources
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: environment: ci
id-token: write # Used for OIDC access to log into Azure
environment:
name: ci
deployment: false
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Log into Azure - name: Log into Azure
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
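Review bot: `id-token: write` is granted at workflow level on the right-hand side, whereas only the `cleanup-resources` job's Azure login step needs it; set `permissions: {}` at the top and `id-token: write # Used for OIDC access to log into Azure` on the job. The checkout also loses its SHA pin and `persist-credentials: false`; since this workflow is `workflow_dispatch`-able, pin `actions/checkout` to a full SHA and keep the credential opt-out. The `azure/login` step and whatever runs with the resulting session continue outside the hunk.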


@@ -19,8 +19,8 @@ on:
schedule: schedule:
- cron: '45 0 * * 1' - cron: '45 0 * * 1'
permissions: {} permissions:
contents: read
jobs: jobs:
analyze: analyze:
@@ -60,9 +60,7 @@ jobs:
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
# Add any setup steps before running the `github/codeql-action/init` action. # Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node` # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -72,7 +70,7 @@ jobs:
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10 uses: github/codeql-action/init@v3
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }} build-mode: ${{ matrix.build-mode }}
@@ -95,6 +93,6 @@ jobs:
make -C src/runtime make -C src/runtime
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10 uses: github/codeql-action/analyze@v3
with: with:
category: "/language:${{matrix.language}}" category: "/language:${{matrix.language}}"
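Review bot: `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3` and `actions/checkout@v4` on the right-hand side are pinned to mutable major-version tags, and the checkout drops `persist-credentials: false`; a workflow that uploads code-scanning results (and so typically carries `security-events: write`, declared outside the hunk) should pin to full commit SHAs with a version comment, e.g. `uses: github/codeql-action/init@<full-sha> # v3.x.y`. The build steps between init and analyze are outside the hunk and unaffected by this point.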


@@ -6,7 +6,8 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -26,6 +27,7 @@ jobs:
name: Commit Message Check name: Commit Message Check
steps: steps:
- name: Get PR Commits - name: Get PR Commits
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
id: 'get-pr-commits' id: 'get-pr-commits'
uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0 uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
with: with:
@@ -41,18 +43,19 @@ jobs:
filter_out_pattern: '^Revert "|^Reapply "' filter_out_pattern: '^Revert "|^Reapply "'
- name: DCO Check - name: DCO Check
uses: tim-actions/dco@f2279e6e62d5a7d9115b0cb8e837b777b1b02e21 # v1.1.0 if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
with: with:
commits: ${{ steps.get-pr-commits.outputs.commits }} commits: ${{ steps.get-pr-commits.outputs.commits }}
- name: Commit Body Missing Check - name: Commit Body Missing Check
if: ${{ success() || failure() }} if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2 uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2
with: with:
commits: ${{ steps.get-pr-commits.outputs.commits }} commits: ${{ steps.get-pr-commits.outputs.commits }}
- name: Check Subject Line Length - name: Check Subject Line Length
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }} if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1 uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with: with:
commits: ${{ steps.get-pr-commits.outputs.commits }} commits: ${{ steps.get-pr-commits.outputs.commits }}
@@ -61,7 +64,7 @@ jobs:
post_error: ${{ env.error_msg }} post_error: ${{ env.error_msg }}
- name: Check Body Line Length - name: Check Body Line Length
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }} if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1 uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with: with:
commits: ${{ steps.get-pr-commits.outputs.commits }} commits: ${{ steps.get-pr-commits.outputs.commits }}
@@ -92,7 +95,7 @@ jobs:
post_error: ${{ env.error_msg }} post_error: ${{ env.error_msg }}
- name: Check Subsystem - name: Check Subsystem
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }} if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1 uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with: with:
commits: ${{ steps.get-pr-commits.outputs.commits }} commits: ${{ steps.get-pr-commits.outputs.commits }}
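Review bot: The DCO step on the right-hand side is pinned to `tim-actions/dco@2fd0504d…` annotated `# master (2020-04-28)`, i.e. an untagged commit rather than a release; the SHA pin itself is right, but point it at the tagged release (`# v1.1.0`, as the left-hand side does) so the comment, the pin and dependency-update tooling agree. The repeated `!contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() )` conditions would read more clearly as `!contains(...) && !cancelled()`, which is the same predicate. On GitHub, applying a label requires triage rights on the repository, so the `force-skip-ci` gate is not a bypass available to outside contributors; the trigger that would confirm this is above the hunk.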


@@ -6,7 +6,8 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -15,41 +16,13 @@ concurrency:
name: Darwin tests name: Darwin tests
jobs: jobs:
test: test:
name: test
runs-on: macos-latest runs-on: macos-latest
steps: steps:
- name: Install Protoc - name: Install Go
run: | uses: actions/setup-go@v5
f=$(mktemp) with:
curl -sSLo "$f" https://github.com/protocolbuffers/protobuf/releases/download/v28.2/protoc-28.2-osx-aarch_64.zip go-version: 1.23.7
mkdir -p "$HOME/.local"
unzip -d "$HOME/.local" "$f"
echo "$HOME/.local/bin" >> "${GITHUB_PATH}"
- name: Checkout code - name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install yq
run: |
./ci/install_yq.sh
env:
INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml
run: |
go_version="$(yq '.languages.golang.version' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Install Rust
run: ./tests/install_rust.sh
- name: Build utils - name: Build utils
run: ./ci/darwin-test.sh run: ./ci/darwin-test.sh
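Review bot: The right-hand side hard-codes `go-version: 1.23.7` in `actions/setup-go@v5`, while the left-hand side takes the Go version from `versions.yaml` (`yq '.languages.golang.version'`); a hard-coded value will silently drift from the toolchain the rest of the repository is built with. Read the version from `versions.yaml`, or at least mark the duplication with a comment such as `# keep in sync with .languages.golang.version in versions.yaml`, and pin `actions/setup-go` and `actions/checkout` to full SHAs with a version comment. The right-hand side also drops the Protoc and Rust installs, so `./ci/darwin-test.sh` (outside the hunk) must not depend on them or the job will fail at build time.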


@@ -1,46 +1,35 @@
on: on:
schedule: schedule:
- cron: '0 23 * * 0' - cron: '0 23 * * 0'
workflow_dispatch:
permissions: {} permissions:
contents: read
name: Docs URL Alive Check name: Docs URL Alive Check
jobs: jobs:
test: test:
name: test
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
# don't run this action on forks # don't run this action on forks
if: github.repository_owner == 'kata-containers' if: github.repository_owner == 'kata-containers'
env: env:
target_branch: ${{ github.base_ref }} target_branch: ${{ github.base_ref }}
steps: steps:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: 1.23.7
env:
GOPATH: ${{ github.workspace }}/kata-containers
- name: Set env - name: Set env
run: | run: |
echo "GOPATH=${GITHUB_WORKSPACE}" >> "$GITHUB_ENV" echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV"
echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Checkout code - name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false path: ./src/github.com/${{ github.repository }}
# docs url alive check
- name: Install yq
run: |
./ci/install_yq.sh
env:
INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml
run: |
go_version="$(yq '.languages.golang.version' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Docs URL Alive Check - name: Docs URL Alive Check
run: | run: |
make docs-url-alive-check cd "${GOPATH}/src/github.com/${{ github.repository }}" && make docs-url-alive-check
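Review bot: The right-hand side interpolates `${{ github.workspace }}` and `${{ github.repository }}` directly into `run:` shell text (`echo "GOPATH=${{ github.workspace }}"`, `cd "${GOPATH}/src/github.com/${{ github.repository }}"`); these two contexts are not attacker-controlled, but the pattern is exactly what expression-injection linters flag, and the same values are available as `$GITHUB_WORKSPACE` and `$GITHUB_REPOSITORY` with no templating at all. Use the environment variables, as the left-hand side does with `${GITHUB_WORKSPACE}`. The Go version is also hard-coded as `1.23.7` rather than read from `versions.yaml`, and `actions/setup-go@v5` / `actions/checkout@v4` are tag-pinned where the left-hand side pins to SHAs. `target_branch: ${{ github.base_ref }}` is shared by both sides, but `base_ref` is empty on `schedule` runs, so the `make` target presumably falls back to something else — worth confirming.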


@@ -1,53 +0,0 @@
name: Documentation
on:
push:
branches:
- main
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-24.04
name: Build docs
permissions:
contents: read
pages: write
id-token: write
steps:
- uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
persist-credentials: false
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: 3.x
- run: pip install -r docs/requirements.txt
- run: python3 -m mkdocs build --config-file ./mkdocs.yaml --site-dir site/
id: build
- uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
id: deployment
with:
path: site/
name: github-pages
deploy:
needs: build
runs-on: ubuntu-24.04
name: Deploy docs
permissions:
pages: write
id-token: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Deploy to GitHub Pages
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
id: deployment
with:
artifact_name: github-pages


@@ -1,29 +0,0 @@
name: EditorConfig checker
on:
pull_request:
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
editorconfig-checker:
name: editorconfig-checker
runs-on: ubuntu-24.04
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Set up editorconfig-checker
uses: editorconfig-checker/action-editorconfig-checker@4b6cd6190d435e7e084fb35e36a096e98506f7b9 # v2.1.0
with:
version: v3.6.1
- name: Run editorconfig-checker
run: editorconfig-checker


@@ -31,22 +31,21 @@ on:
skip_static: skip_static:
value: ${{ jobs.skipper.outputs.skip_static }} value: ${{ jobs.skipper.outputs.skip_static }}
permissions: {} permissions:
contents: read
jobs: jobs:
skipper: skipper:
name: skipper
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
outputs: outputs:
skip_build: ${{ steps.skipper.outputs.skip_build }} skip_build: ${{ steps.skipper.outputs.skip_build }}
skip_test: ${{ steps.skipper.outputs.skip_test }} skip_test: ${{ steps.skipper.outputs.skip_test }}
skip_static: ${{ steps.skipper.outputs.skip_static }} skip_static: ${{ steps.skipper.outputs.skip_static }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- id: skipper - id: skipper
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
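Review bot: The right-hand version of the checkout step, `- uses: actions/checkout@v4` with no `persist-credentials: false`, references a mutable tag and leaves the job's GITHUB_TOKEN persisted in `.git/config`, where the `skipper` step that follows can read it; the once-printed lines and the `@@ -31,22 +31,21 @@` counts suggest the right column is the new side, so this reads as a regression from the SHA-pinned `actions/checkout@de0fac2e…` on the left. The job appears to only inspect history (`fetch-depth: 0`) to compute the `skip_*` outputs, so it needs neither credential persistence nor a floating action version; `uses: actions/checkout@<commit-sha> # v4` plus `persist-credentials: false` under `with:` restores both with no behavioural change. The `skipper` step's `run:` body continues outside the hunk.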


@@ -5,16 +5,15 @@ name: Gatekeeper
# reporting the status. # reporting the status.
on: on:
pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332. pull_request_target:
types: types:
- opened - opened
- synchronize - synchronize
- reopened - reopened
- edited
- labeled - labeled
- unlabeled
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -22,7 +21,6 @@ concurrency:
jobs: jobs:
gatekeeper: gatekeeper:
name: gatekeeper
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
actions: read actions: read
@@ -30,11 +28,10 @@ jobs:
issues: read issues: read
pull-requests: read pull-requests: read
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- id: gatekeeper - id: gatekeeper
env: env:
TARGET_BRANCH: ${{ github.event.pull_request.base.ref }} TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
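Review bot: This job runs on `pull_request_target` and checks out `github.event.pull_request.head.sha`, i.e. the contributor's code, in the base repository's context; on the right-hand column (the new side, judging by the once-printed lines) that checkout is the floating `actions/checkout@v4` without `persist-credentials: false`, so the job's token is written into `.git/config` of a tree the PR author controls before the `gatekeeper` step runs. The job-level permissions are read-only, which bounds what a leaked token can do, but any script the `gatekeeper` step executes from that checkout can still read it and use those scopes. Pinning the action to a commit SHA and adding `persist-credentials: false` keeps the protective settings the left column has, and retaining the `# zizmor: ignore[dangerous-triggers] See #11332` marker keeps the deliberate use of the dangerous trigger visible to the linter. The `gatekeeper` step's `run:` body continues outside the hunk.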


@@ -1,65 +0,0 @@
on:
workflow_call:
name: Govulncheck
permissions: {}
jobs:
govulncheck:
name: govulncheck
runs-on: ubuntu-22.04
strategy:
matrix:
include:
- binary: "kata-runtime"
make_target: "runtime"
- binary: "containerd-shim-kata-v2"
make_target: "containerd-shim-v2"
- binary: "kata-monitor"
make_target: "monitor"
fail-fast: false
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
persist-credentials: false
- name: Install yq
run: |
./ci/install_yq.sh
env:
INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml
run: |
go_version="$(yq '.languages.golang.version' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Install govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
echo "${HOME}/go/bin" >> "${GITHUB_PATH}"
- name: Build runtime binaries
run: |
cd src/runtime
make "${MAKE_TARGET}"
env:
MAKE_TARGET: ${{ matrix.make_target }}
SKIP_GO_VERSION_CHECK: "1"
- name: Run govulncheck on ${{ matrix.binary }}
env:
BINARY: ${{ matrix.binary }}
run: |
cd src/runtime
bash ../../tests/govulncheck-runner.sh "./${BINARY}"


@@ -0,0 +1,39 @@
on:
pull_request:
types:
- opened
- edited
- reopened
- synchronize
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
kata-deploy-runtime-classes-check:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Ensure the split out runtime classes match the all-in-one file
run: |
pushd tools/packaging/kata-deploy/runtimeclasses/
echo "::group::Combine runtime classes"
for runtimeClass in $(find . -type f \( -name "*.yaml" -and -not -name "kata-runtimeClasses.yaml" \) | sort); do
echo "Adding ${runtimeClass} to the resultingRuntimeClasses.yaml"
cat "${runtimeClass}" >> resultingRuntimeClasses.yaml;
done
echo "::endgroup::"
echo "::group::Displaying the content of resultingRuntimeClasses.yaml"
cat resultingRuntimeClasses.yaml
echo "::endgroup::"
echo ""
echo "::group::Displaying the content of kata-runtimeClasses.yaml"
cat kata-runtimeClasses.yaml
echo "::endgroup::"
echo ""
diff resultingRuntimeClasses.yaml kata-runtimeClasses.yaml
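Review bot: The `uses: actions/checkout@v4` step in this new workflow references a mutable tag and leaves `persist-credentials` at its default, so the job's token is written to `.git/config` although the job only concatenates and diffs files; pin it to a commit SHA (`uses: actions/checkout@<sha> # v4`) and add `with: persist-credentials: false`, consistent with the top-level `permissions: contents: read` the file already sets. The concatenation order comes from `sort`, whose collation depends on the runner's locale, so `| LC_ALL=C sort` makes the result deterministic before it is compared against `kata-runtimeClasses.yaml`. The `$(find …)` word-splitting is harmless for the current `*.yaml` names but would break on a file name containing whitespace.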


@@ -1,45 +0,0 @@
# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
# in addition to a PR check which fails if new vulnerabilities are introduced.
#
# For more examples and options, including how to ignore specific vulnerabilities,
# see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner
on:
workflow_dispatch:
pull_request:
branches: [ "main" ]
schedule:
- cron: '0 1 * * 0'
push:
branches: [ "main" ]
permissions: {}
jobs:
scan-scheduled:
name: Scan of whole repo
permissions:
actions: read # # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
with:
scan-args: |-
-r
./
scan-pr:
name: Scan of just PR code
permissions:
actions: read # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
if: ${{ github.event_name == 'pull_request' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
with:
# Example of specifying custom arguments
scan-args: |-
-r
./


@@ -5,7 +5,8 @@ on:
- main - main
workflow_dispatch: workflow_dispatch:
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -24,7 +25,6 @@ jobs:
target-branch: ${{ github.ref_name }} target-branch: ${{ github.ref_name }}
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-assets-arm64: build-assets-arm64:
permissions: permissions:
@@ -39,7 +39,6 @@ jobs:
target-branch: ${{ github.ref_name }} target-branch: ${{ github.ref_name }}
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-assets-s390x: build-assets-s390x:
permissions: permissions:
@@ -97,7 +96,7 @@ jobs:
repo: kata-containers/kata-deploy-ci repo: kata-containers/kata-deploy-ci
tag: kata-containers-latest-arm64 tag: kata-containers-latest-arm64
target-branch: ${{ github.ref_name }} target-branch: ${{ github.ref_name }}
runner: ubuntu-24.04-arm runner: ubuntu-22.04-arm
arch: arm64 arch: arm64
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -131,13 +130,12 @@ jobs:
repo: kata-containers/kata-deploy-ci repo: kata-containers/kata-deploy-ci
tag: kata-containers-latest-ppc64le tag: kata-containers-latest-ppc64le
target-branch: ${{ github.ref_name }} target-branch: ${{ github.ref_name }}
runner: ubuntu-24.04-ppc64le runner: ppc64le
arch: ppc64le arch: ppc64le
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
publish-manifest: publish-manifest:
name: publish-manifest
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
contents: read contents: read
@@ -145,9 +143,7 @@ jobs:
needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le] needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -162,42 +158,3 @@ jobs:
env: env:
KATA_DEPLOY_IMAGE_TAGS: "kata-containers-latest" KATA_DEPLOY_IMAGE_TAGS: "kata-containers-latest"
KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy-ci" KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy-ci"
upload-helm-chart-tarball:
name: upload-helm-chart-tarball
needs: publish-manifest
runs-on: ubuntu-22.04
permissions:
packages: write # needed to push the helm chart to ghcr.io
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
id: install
- name: Login to the OCI registries
env:
QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
GITHUB_TOKEN: ${{ github.token }}
run: |
echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
- name: Push helm chart to the OCI registries
run: |
echo "Adjusting the Chart.yaml and values.yaml"
yq eval '.version = "0.0.0-dev" | .appVersion = "0.0.0-dev"' -i tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml
yq eval '.image.reference = "quay.io/kata-containers/kata-deploy-ci" | .image.tag = "kata-containers-latest"' -i tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
echo "Generating the chart package"
helm dependencies update tools/packaging/kata-deploy/helm-chart/kata-deploy
helm package tools/packaging/kata-deploy/helm-chart/kata-deploy
echo "Pushing the chart to the OCI registries"
helm push "kata-deploy-0.0.0-dev.tgz" oci://quay.io/kata-containers/kata-deploy-charts
helm push "kata-deploy-0.0.0-dev.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts
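Review bot: In the `publish-manifest` job the right-hand checkout is `actions/checkout@v4` with no `persist-credentials: false`, in the same job that then logs into quay.io with `QUAY_DEPLOYER_PASSWORD` and pushes the multi-arch manifest; the counts in `@@ -162,42 +158,3 @@` make the once-printed `upload-helm-chart-tarball` job a removal, so the right column is the new side and this is a regression from the SHA-pinned checkout on the left. A retargeted `v4` tag, or a script in the checked-out tree, would run with the persisted GITHUB_TOKEN and alongside the registry credentials in that job. The neighbouring `docker/login-action@74a5d1…` is already SHA-pinned, so `uses: actions/checkout@<commit-sha> # v4` with `persist-credentials: false` under `with:` is the consistent fix. The login step's `with:` block continues outside the hunk.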


@@ -34,39 +34,20 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: {} permissions:
contents: read
jobs: jobs:
kata-payload: kata-payload:
name: kata-payload
permissions: permissions:
contents: read contents: read
packages: write packages: write
runs-on: ${{ inputs.runner }} runs-on: ${{ inputs.runner }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -75,7 +56,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball for ${{ inputs.arch }} - name: get-kata-tarball for ${{ inputs.arch }}
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-${{ inputs.arch}}${{ inputs.tarball-suffix }} name: kata-static-tarball-${{ inputs.arch}}${{ inputs.tarball-suffix }}
@@ -97,12 +78,7 @@ jobs:
- name: build-and-push-kata-payload for ${{ inputs.arch }} - name: build-and-push-kata-payload for ${{ inputs.arch }}
id: build-and-push-kata-payload id: build-and-push-kata-payload
env:
REGISTRY: ${{ inputs.registry }}
REPO: ${{ inputs.repo }}
TAG: ${{ inputs.tag }}
run: | run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)/kata-static.tar.zst" \ "$(pwd)"/kata-static.tar.xz \
"${REGISTRY}/${REPO}" \ ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
"${TAG}"
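Review bot: The right-hand `run:` script interpolates `${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}` directly into the shell command, unquoted, so the inputs are expanded by the Actions template engine before bash sees them; any caller that passes attacker-influenced data (a branch or tag name, say) into these `workflow_call` inputs gets shell injection, and even benign values containing spaces are word-split. The callers visible elsewhere on this page pass literal strings, which makes this a latent rather than an active issue today. Move the three inputs into an `env:` mapping (`REGISTRY`, `REPO`, `TAG`) on the step and reference them quoted in the script, `"${REGISTRY}/${REPO}" "${TAG}"`, as the left column does; the same job's `actions/checkout@v4` is also unpinned and lacks `persist-credentials: false`.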


@@ -1,43 +0,0 @@
# Push gperf and busybox tarballs to the ORAS cache (ghcr.io) so that
# download-with-oras-cache.sh can pull them instead of hitting upstream.
# Runs when versions.yaml changes on main (e.g. after a PR merge) or manually.
name: CI | Push ORAS tarball cache
on:
push:
branches:
- main
paths:
- 'versions.yaml'
workflow_dispatch:
permissions: {}
jobs:
push-oras-cache:
name: push-oras-cache
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Install yq
run: ./ci/install_yq.sh
- name: Install ORAS
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
with:
version: "1.2.0"
- name: Populate ORAS tarball cache
run: ./tools/packaging/scripts/populate-oras-tarball-cache.sh all
env:
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REPOSITORY: kata-containers
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}


@@ -8,10 +8,9 @@ on:
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
KBUILD_SIGN_PIN:
required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
@@ -21,15 +20,8 @@ jobs:
stage: release stage: release
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
permissions:
contents: read
packages: write
id-token: write
attestations: write
kata-deploy: kata-deploy:
name: kata-deploy
needs: build-kata-static-tarball-amd64 needs: build-kata-static-tarball-amd64
permissions: permissions:
contents: read contents: read
@@ -50,18 +42,14 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64 name: kata-static-tarball-amd64
- name: build-and-push-kata-deploy-ci-amd64 - name: build-and-push-kata-deploy-ci-amd64
id: build-and-push-kata-deploy-ci-amd64 id: build-and-push-kata-deploy-ci-amd64
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: | run: |
# We need to do such trick here as the format of the $GITHUB_REF # We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>" # is "refs/tags/<tag>"
@@ -74,9 +62,9 @@ jobs:
fi fi
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}" "${tag}-${{ inputs.target-arch }}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}" "${tag}-${{ inputs.target-arch }}"
done done
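Review bot: `"${tag}-${{ inputs.target-arch }}"` in the right-hand `run:` block splices a workflow input into the script at template-expansion time rather than reading it as a shell variable; `release.yaml` on this page passes the literal `amd64`, so there is no injection path today, but the pattern is what static checkers such as zizmor flag, and the left column's `env: TARGET_ARCH: ${{ inputs.target-arch }}` with `"${tag}-${TARGET_ARCH}"` is the safe form to keep. The same job checks out with the floating `actions/checkout@v4`, without `persist-credentials: false`, before logging into ghcr.io and quay.io and pushing release images. The build job on the right also loses `id-token: write` and `attestations: write`; whether the called `build-kata-static-tarball-amd64` workflow needs them to mint OIDC tokens or write build attestations is not visible here and should be checked before a release runs.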


@@ -8,10 +8,9 @@ on:
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
KBUILD_SIGN_PIN:
required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-arm64: build-kata-static-tarball-arm64:
@@ -21,20 +20,13 @@ jobs:
stage: release stage: release
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
permissions:
contents: read
packages: write
id-token: write
attestations: write
kata-deploy: kata-deploy:
name: kata-deploy
needs: build-kata-static-tarball-arm64 needs: build-kata-static-tarball-arm64
permissions: permissions:
contents: read contents: read
packages: write packages: write
runs-on: ubuntu-24.04-arm runs-on: ubuntu-22.04-arm
steps: steps:
- name: Login to Kata Containers ghcr.io - name: Login to Kata Containers ghcr.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -50,18 +42,14 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-arm64 name: kata-static-tarball-arm64
- name: build-and-push-kata-deploy-ci-arm64 - name: build-and-push-kata-deploy-ci-arm64
id: build-and-push-kata-deploy-ci-arm64 id: build-and-push-kata-deploy-ci-arm64
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: | run: |
# We need to do such trick here as the format of the $GITHUB_REF # We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>" # is "refs/tags/<tag>"
@@ -74,9 +62,9 @@ jobs:
fi fi
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}" "${tag}-${{ inputs.target-arch }}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}" "${tag}-${{ inputs.target-arch }}"
done done
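Review bot: The `kata-deploy` job on the right-hand side checks out with the floating `actions/checkout@v4` and leaves `persist-credentials` at its default, after `docker/login-action` has already logged into ghcr.io and quay.io with `QUAY_DEPLOYER_PASSWORD`; a retargeted `v4` tag therefore runs with the persisted GITHUB_TOKEN, `packages: write`, and live registry sessions. Pin it (`uses: actions/checkout@<commit-sha> # v4`) and add `persist-credentials: false` under `with:`, matching the SHA-pinned `docker/login-action@74a5d1…` earlier in the job. The `"${tag}-${{ inputs.target-arch }}"` interpolation in the `run:` block should likewise go through an `env:` variable rather than template expansion.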


@@ -9,7 +9,8 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-ppc64le: build-kata-static-tarball-ppc64le:
@@ -19,19 +20,13 @@ jobs:
stage: release stage: release
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
permissions:
contents: read
packages: write
id-token: write
attestations: write
kata-deploy: kata-deploy:
name: kata-deploy
needs: build-kata-static-tarball-ppc64le needs: build-kata-static-tarball-ppc64le
permissions: permissions:
contents: read contents: read
packages: write packages: write
runs-on: ubuntu-24.04-ppc64le runs-on: ppc64le
steps: steps:
- name: Login to Kata Containers ghcr.io - name: Login to Kata Containers ghcr.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -47,18 +42,14 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-ppc64le name: kata-static-tarball-ppc64le
- name: build-and-push-kata-deploy-ci-ppc64le - name: build-and-push-kata-deploy-ci-ppc64le
id: build-and-push-kata-deploy-ci-ppc64le id: build-and-push-kata-deploy-ci-ppc64le
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: | run: |
# We need to do such trick here as the format of the $GITHUB_REF # We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>" # is "refs/tags/<tag>"
@@ -71,9 +62,9 @@ jobs:
fi fi
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}" "${tag}-${{ inputs.target-arch }}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}" "${tag}-${{ inputs.target-arch }}"
done done
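Review bot: `runs-on: ppc64le` is a bare label rather than a GitHub-hosted image name, which suggests a self-hosted runner (not verifiable here); on such a runner the unpinned `actions/checkout@v4` with default `persist-credentials` leaves the GITHUB_TOKEN in the workspace's `.git/config` after the job unless the runner is ephemeral or the workspace is wiped, and a retargeted `v4` tag would execute with `packages: write` and the ghcr.io/quay.io sessions established by the preceding `docker/login-action` steps. `persist-credentials: false` and a commit-SHA pin close both gaps at no behavioural cost; `docker/login-action` logs itself out in a post step by default, but nothing removes a persisted git token. The `"${tag}-${{ inputs.target-arch }}"` template interpolation in the `run:` block is the same pattern as in the sibling release workflows and is better read from an `env:` variable.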


@@ -11,7 +11,8 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: {} permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-s390x: build-kata-static-tarball-s390x:
@@ -22,20 +23,14 @@ jobs:
secrets: secrets:
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
permissions:
contents: read
packages: write
id-token: write
attestations: write
kata-deploy: kata-deploy:
name: kata-deploy
needs: build-kata-static-tarball-s390x needs: build-kata-static-tarball-s390x
permissions: permissions:
contents: read contents: read
packages: write packages: write
runs-on: ubuntu-24.04-s390x runs-on: s390x
steps: steps:
- name: Login to Kata Containers ghcr.io - name: Login to Kata Containers ghcr.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -51,18 +46,14 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }} username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-s390x name: kata-static-tarball-s390x
- name: build-and-push-kata-deploy-ci-s390x - name: build-and-push-kata-deploy-ci-s390x
id: build-and-push-kata-deploy-ci-s390x id: build-and-push-kata-deploy-ci-s390x
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: | run: |
# We need to do such trick here as the format of the $GITHUB_REF # We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>" # is "refs/tags/<tag>"
@@ -75,9 +66,9 @@ jobs:
fi fi
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}" "${tag}-${{ inputs.target-arch }}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}" "${tag}-${{ inputs.target-arch }}"
done done
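Review bot: As with the other per-arch release workflows, the right-hand `kata-deploy` job here uses the floating `actions/checkout@v4` without `persist-credentials: false` in a job that holds `packages: write`, logged-in ghcr.io/quay.io sessions, and, on a bare `s390x` runner label that likely denotes self-hosted hardware, a workspace that may outlive the job. Pinning to a commit SHA and disabling credential persistence (`uses: actions/checkout@<commit-sha> # v4`, `persist-credentials: false`) is the one-step fix. The `CI_HKD_PATH` secret forwarded to the build job and the dropped `id-token`/`attestations` permissions on that job are worth confirming against the called workflow, which is not on this page; the `"${tag}-${{ inputs.target-arch }}"` interpolation in `run:` should move to an `env:` variable.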


@@ -2,20 +2,17 @@ name: Release Kata Containers
on: on:
workflow_dispatch workflow_dispatch
permissions: {} permissions:
contents: read
jobs: jobs:
release: release:
name: release
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write # needed for the `gh release create` command
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Create a new release - name: Create a new release
run: | run: |
@@ -35,7 +32,6 @@ jobs:
target-arch: amd64 target-arch: amd64
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-and-push-assets-arm64: build-and-push-assets-arm64:
needs: release needs: release
@@ -49,7 +45,6 @@ jobs:
target-arch: arm64 target-arch: arm64
secrets: secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-and-push-assets-s390x: build-and-push-assets-s390x:
needs: release needs: release
@@ -70,8 +65,6 @@ jobs:
permissions: permissions:
contents: read contents: read
packages: write packages: write
id-token: write
attestations: write
uses: ./.github/workflows/release-ppc64le.yaml uses: ./.github/workflows/release-ppc64le.yaml
with: with:
target-arch: ppc64le target-arch: ppc64le
@@ -79,17 +72,11 @@ jobs:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
publish-multi-arch-images: publish-multi-arch-images:
name: publish-multi-arch-images
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le] needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
permissions:
contents: write # needed for the `gh release` commands
packages: write # needed to push the multi-arch manifest to ghcr.io
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Login to Kata Containers ghcr.io - name: Login to Kata Containers ghcr.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -117,24 +104,19 @@ jobs:
KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy ghcr.io/kata-containers/kata-deploy" KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy ghcr.io/kata-containers/kata-deploy"
upload-multi-arch-static-tarball: upload-multi-arch-static-tarball:
name: upload-multi-arch-static-tarball
needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le] needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
permissions:
contents: write # needed for the `gh release` commands
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set KATA_STATIC_TARBALL env var - name: Set KATA_STATIC_TARBALL env var
run: | run: |
tarball=$(pwd)/kata-static.tar.zst tarball=$(pwd)/kata-static.tar.xz
echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV" echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
- name: Download amd64 artifacts - name: Download amd64 artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64 name: kata-static-tarball-amd64
@@ -146,7 +128,7 @@ jobs:
ARCHITECTURE: amd64 ARCHITECTURE: amd64
- name: Download arm64 artifacts - name: Download arm64 artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-arm64 name: kata-static-tarball-arm64
@@ -158,7 +140,7 @@ jobs:
ARCHITECTURE: arm64 ARCHITECTURE: arm64
- name: Download s390x artifacts - name: Download s390x artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-s390x name: kata-static-tarball-s390x
@@ -170,7 +152,7 @@ jobs:
ARCHITECTURE: s390x ARCHITECTURE: s390x
- name: Download ppc64le artifacts - name: Download ppc64le artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-ppc64le name: kata-static-tarball-ppc64le
@@ -181,34 +163,12 @@ jobs:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
ARCHITECTURE: ppc64le ARCHITECTURE: ppc64le
- name: Set KATA_TOOLS_STATIC_TARBALL env var
run: |
tarball=$(pwd)/kata-tools-static.tar.zst
echo "KATA_TOOLS_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
- name: Download amd64 tools artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64
- name: Upload amd64 static tarball tools to GitHub
run: |
./tools/packaging/release/release.sh upload-kata-tools-static-tarball
env:
GH_TOKEN: ${{ github.token }}
ARCHITECTURE: amd64
upload-versions-yaml: upload-versions-yaml:
name: upload-versions-yaml
needs: release needs: release
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write # needed for the `gh release` commands
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Upload versions.yaml to GitHub - name: Upload versions.yaml to GitHub
run: | run: |
@@ -217,16 +177,11 @@ jobs:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
upload-cargo-vendored-tarball: upload-cargo-vendored-tarball:
name: upload-cargo-vendored-tarball
needs: release needs: release
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write # needed for the `gh release` commands
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Generate and upload vendored code tarball - name: Generate and upload vendored code tarball
run: | run: |
@@ -235,16 +190,11 @@ jobs:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
upload-libseccomp-tarball: upload-libseccomp-tarball:
name: upload-libseccomp-tarball
needs: release needs: release
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write # needed for the `gh release` commands
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Download libseccomp tarball and upload it to GitHub - name: Download libseccomp tarball and upload it to GitHub
run: | run: |
@@ -253,17 +203,11 @@ jobs:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
upload-helm-chart-tarball: upload-helm-chart-tarball:
name: upload-helm-chart-tarball
needs: release needs: release
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write # needed for the `gh release` commands
packages: write # needed to push the helm chart to ghcr.io
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install helm - name: Install helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
@@ -276,31 +220,22 @@ jobs:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
- name: Login to the OCI registries - name: Login to the OCI registries
env:
QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
GITHUB_TOKEN: ${{ github.token }}
run: | run: |
echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${{ vars.QUAY_DEPLOYER_USERNAME }}" --password-stdin
echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin echo "${{ github.token }}" | helm registry login ghcr.io --username "${{ github.actor }}" --password-stdin
- name: Push helm chart to the OCI registries - name: Push helm chart to the OCI registries
run: | run: |
release_version=$(./tools/packaging/release/release.sh release-version) release_version=$(./tools/packaging/release/release.sh release-version)
helm push "kata-deploy-${release_version}.tgz" oci://quay.io/kata-containers/kata-deploy-charts helm push "kata-deploy-${release_version}.tgz" oci://quay.io/kata-containers/kata-deploy-charts
helm push "kata-deploy-${release_version}.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts helm push "kata-deploy-${release-version}.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts
publish-release: publish-release:
name: publish-release
needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ] needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ]
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write # needed for the `gh release` commands
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Publish a release - name: Publish a release
run: | run: |


@@ -0,0 +1,61 @@
name: CI | Run cri-containerd tests on ppc64le
permissions:
contents: read
on:
workflow_call:
inputs:
tarball-suffix:
required: false
type: string
commit-hash:
required: false
type: string
target-branch:
required: false
type: string
default: ""
jobs:
run-cri-containerd:
strategy:
# We can set this to true whenever we're 100% sure that
# the all the tests are not flaky, otherwise we'll fail
# all the tests due to a single flaky instance
fail-fast: false
matrix:
containerd_version: ['active']
vmm: ['qemu']
runs-on: ppc64le
env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }}
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install dependencies
timeout-minutes: 15
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/cri-containerd/gha-run.sh install-kata kata-artifacts
- name: Run cri-containerd tests
run: bash tests/integration/cri-containerd/gha-run.sh run
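Review bot: The checkout and download steps reference `actions/checkout@v4` and `actions/download-artifact@v4` by mutable tag, so the job executes whatever those tags point to at run time rather than a reviewed commit; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4.x.y`. The checkout also checks out the caller-supplied `inputs.commit-hash` and then runs scripts from that tree with the default `persist-credentials: true`, which, when the caller passes a pull-request head, leaves the job token in `.git/config` for those scripts; nothing visible here pushes, so add `persist-credentials: false` under `with:`. The same two points apply to the `actions/checkout@v4`, `actions/download-artifact@v4` and `actions/upload-artifact@v4` references in the later kubernetes sections of this page (AKS, amd64, arm64, ppc64le, s390x and the CoCo stability workflow).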


@@ -1,92 +0,0 @@
name: CI | Run cri-containerd tests
permissions: {}
on:
workflow_call:
inputs:
tarball-suffix:
required: false
type: string
commit-hash:
required: false
type: string
target-branch:
required: false
type: string
default: ""
runner:
description: The runner to execute the workflow on.
required: true
type: string
arch:
description: The arch of the tarball.
required: true
type: string
containerd_version:
description: The version of containerd for testing.
required: true
type: string
vmm:
description: The kata hypervisor for testing.
required: true
type: string
jobs:
run-cri-containerd:
name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
runs-on: ${{ inputs.runner }}
env:
CONTAINERD_VERSION: ${{ inputs.containerd_version }}
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ inputs.vmm }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install yq
run: |
./ci/install_yq.sh
env:
INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml
run: |
go_version="$(yq '.languages.golang.version' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
# Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
architecture: ${{ inputs.arch == 'ppc64le' && 'ppc64le' || '' }}
- name: Install dependencies
timeout-minutes: 15
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball for ${{ inputs.arch }}
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-${{ inputs.arch }}${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/cri-containerd/gha-run.sh install-kata kata-artifacts
- name: Run cri-containerd tests for ${{ inputs.arch }}
timeout-minutes: 10
run: bash tests/integration/cri-containerd/gha-run.sh run


@@ -34,33 +34,44 @@ on:
required: true required: true
permissions: {} permissions:
contents: read
id-token: write
jobs: jobs:
run-k8s-tests: run-k8s-tests:
name: run-k8s-tests
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
host_os:
- ubuntu
vmm:
- clh
- dragonball
- qemu
- qemu-runtime-rs
- stratovirt
- cloud-hypervisor
instance-type:
- small
- normal
include: include:
- host_os: cbl-mariner - host_os: cbl-mariner
vmm: clh vmm: clh
instance-type: small instance-type: small
genpolicy-pull-method: oci-distribution genpolicy-pull-method: oci-distribution
auto-generate-policy: yes
- host_os: cbl-mariner - host_os: cbl-mariner
vmm: clh vmm: clh
instance-type: small instance-type: small
genpolicy-pull-method: containerd genpolicy-pull-method: containerd
auto-generate-policy: yes
- host_os: cbl-mariner - host_os: cbl-mariner
vmm: clh vmm: clh
instance-type: normal instance-type: normal
auto-generate-policy: yes
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: environment: ci
contents: read
id-token: write # Used for OIDC access to log into Azure
environment:
name: ci
deployment: false
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }} DOCKER_REPO: ${{ inputs.repo }}
@@ -69,15 +80,15 @@ jobs:
KATA_HOST_OS: ${{ matrix.host_os }} KATA_HOST_OS: ${{ matrix.host_os }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: "vanilla" KUBERNETES: "vanilla"
USING_NFD: "false"
K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }} K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }} GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
RUNS_ON_AKS: "true" AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -85,19 +96,17 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts path: kata-artifacts
- name: Install kata-tools - name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Download Azure CLI - name: Download Azure CLI
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1 run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
with:
version: 'latest'
- name: Log into the Azure account - name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -119,33 +128,19 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-bats run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl` - name: Install `kubectl`
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1 run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them - name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
- name: Deploy Kata - name: Deploy Kata
timeout-minutes: 20 timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
- name: Run tests - name: Run tests
timeout-minutes: 60 timeout-minutes: 60
run: bash tests/integration/kubernetes/gha-run.sh run-tests run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Refresh OIDC token in case access token expired
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster - name: Delete AKS cluster
if: always() if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-cluster run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
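Review bot: The three `include:` entries set `auto-generate-policy: yes`, and under YAML 1.1 rules `yes` is a boolean, so whether `AUTO_GENERATE_POLICY` reaches the scripts as `yes` or `true` depends on the loader; write the canonical `auto-generate-policy: true` (or quote `"yes"` if the script matches that literal) so the value is unambiguous. The workflow-level `permissions:` block now grants `id-token: write` to any job in this workflow, while only the Azure login step needs it; keeping that grant in a job-level `permissions:` on `run-k8s-tests` leaves everything else at `contents: read`. The `Delete AKS cluster` step runs after a 60-minute test step with no re-login in between, so if the Azure token from the earlier login has expired the cleanup fails and the cluster is left running; worth confirming the token lifetime or re-running `azure/login` before the deletion step.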


@@ -0,0 +1,112 @@
name: CI | Run kubernetes tests on amd64
on:
workflow_call:
inputs:
registry:
required: true
type: string
repo:
required: true
type: string
tag:
required: true
type: string
pr-number:
required: true
type: string
commit-hash:
required: false
type: string
target-branch:
required: false
type: string
default: ""
permissions:
contents: read
jobs:
run-k8s-tests-amd64:
strategy:
fail-fast: false
matrix:
vmm:
- clh #cloud-hypervisor
- dragonball
- fc #firecracker
- qemu
- cloud-hypervisor
container_runtime:
- containerd
snapshotter:
- devmapper
k8s:
- k3s
include:
- vmm: qemu
container_runtime: crio
snapshotter: ""
k8s: k0s
runs-on: ubuntu-22.04
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: ${{ matrix.k8s }}
KUBERNETES_EXTRA_PARAMS: ${{ matrix.container_runtime != 'crio' && '' || '--cri-socket remote:unix:///var/run/crio/crio.sock --kubelet-extra-args --cgroup-driver="systemd"' }}
SNAPSHOTTER: ${{ matrix.snapshotter }}
USING_NFD: "false"
K8S_TEST_HOST_TYPE: all
CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Configure CRI-O
if: matrix.container_runtime == 'crio'
run: bash tests/integration/kubernetes/gha-run.sh setup-crio
- name: Deploy ${{ matrix.k8s }}
run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
- name: Configure the ${{ matrix.snapshotter }} snapshotter
if: matrix.snapshotter != ''
run: bash tests/integration/kubernetes/gha-run.sh configure-snapshotter
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Run tests
timeout-minutes: 30
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Collect artifacts ${{ matrix.vmm }}
if: always()
run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
continue-on-error: true
- name: Archive artifacts ${{ matrix.vmm }}
uses: actions/upload-artifact@v4
with:
name: k8s-tests-${{ matrix.vmm }}-${{ matrix.snapshotter }}-${{ matrix.k8s }}-${{ inputs.tag }}
path: /tmp/artifacts
retention-days: 1
- name: Delete kata-deploy
if: always()
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh cleanup
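Review bot: `KUBERNETES_EXTRA_PARAMS` is computed as `${{ matrix.container_runtime != 'crio' && '' || '--cri-socket ...' }}`, and in GitHub expressions `a && '' || b` always yields `b` because the empty string is falsy, so the CRI-O socket and kubelet flags are also passed to the containerd/k3s matrix entries. Invert the condition so the non-empty branch sits on the `&&` side: `KUBERNETES_EXTRA_PARAMS: ${{ matrix.container_runtime == 'crio' && '--cri-socket remote:unix:///var/run/crio/crio.sock --kubelet-extra-args --cgroup-driver="systemd"' || '' }}`. A short comment above the line, e.g. `# non-empty branch must be on the && side: '' is falsy and would always fall through to ||`, would stop the next edit from reintroducing the trap.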


@@ -22,17 +22,16 @@ on:
type: string type: string
default: "" default: ""
permissions: {} permissions:
contents: read
jobs: jobs:
run-k8s-tests-on-arm64: run-k8s-tests-on-arm64:
name: run-k8s-tests-on-arm64
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
vmm: vmm:
- qemu - qemu
- qemu-runtime-rs
k8s: k8s:
- kubeadm - kubeadm
runs-on: arm64-k8s runs-on: arm64-k8s
@@ -43,14 +42,14 @@ jobs:
GH_PR_NUMBER: ${{ inputs.pr-number }} GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: ${{ matrix.k8s }} KUBERNETES: ${{ matrix.k8s }}
USING_NFD: "false"
K8S_TEST_HOST_TYPE: all K8S_TEST_HOST_TYPE: all
TARGET_ARCH: "aarch64" TARGET_ARCH: "aarch64"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -59,7 +58,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Deploy Kata - name: Deploy Kata
timeout-minutes: 20 timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
- name: Install `bats` - name: Install `bats`
@@ -69,17 +68,13 @@ jobs:
timeout-minutes: 30 timeout-minutes: 30
run: bash tests/integration/kubernetes/gha-run.sh run-tests run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Collect artifacts ${{ matrix.vmm }} - name: Collect artifacts ${{ matrix.vmm }}
if: always() if: always()
run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
continue-on-error: true continue-on-error: true
- name: Archive artifacts ${{ matrix.vmm }} - name: Archive artifacts ${{ matrix.vmm }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }} name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
path: /tmp/artifacts path: /tmp/artifacts
@@ -87,5 +82,5 @@ jobs:
- name: Delete kata-deploy - name: Delete kata-deploy
if: always() if: always()
timeout-minutes: 15 timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh cleanup run: bash tests/integration/kubernetes/gha-run.sh cleanup


@@ -1,126 +0,0 @@
# Run Kubernetes integration tests on free GitHub runners with a locally
# deployed cluster (kubeadm).
name: CI | Run kubernetes tests on free runner
on:
workflow_call:
inputs:
tarball-suffix:
required: false
type: string
registry:
required: true
type: string
repo:
required: true
type: string
tag:
required: true
type: string
pr-number:
required: true
type: string
commit-hash:
required: false
type: string
target-branch:
required: false
type: string
default: ""
permissions: {}
jobs:
run-k8s-tests:
name: run-k8s-tests
strategy:
fail-fast: false
matrix:
environment: [
{ vmm: clh, containerd_version: lts },
{ vmm: clh, containerd_version: active },
{ vmm: dragonball, containerd_version: lts },
{ vmm: dragonball, containerd_version: active },
{ vmm: qemu, containerd_version: lts },
{ vmm: qemu, containerd_version: active },
{ vmm: qemu-runtime-rs, containerd_version: lts },
{ vmm: qemu-runtime-rs, containerd_version: active },
{ vmm: cloud-hypervisor, containerd_version: lts },
{ vmm: cloud-hypervisor, containerd_version: active },
]
runs-on: ubuntu-24.04
permissions:
contents: read
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HOST_OS: ubuntu
KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
KUBERNETES: vanilla
K8S_TEST_HOST_TYPE: baremetal-no-attestation
CONTAINER_ENGINE: containerd
CONTAINER_ENGINE_VERSION: ${{ matrix.environment.containerd_version }}
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Deploy k8s (kubeadm)
run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Deploy Kata
timeout-minutes: 20
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
- name: Run tests
timeout-minutes: 60
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Delete kata-deploy
if: always()
timeout-minutes: 15
run: bash tests/integration/kubernetes/gha-run.sh cleanup


@@ -1,135 +0,0 @@
name: CI | Run NVIDIA GPU kubernetes tests on amd64
on:
workflow_call:
inputs:
tarball-suffix:
required: true
type: string
registry:
required: true
type: string
repo:
required: true
type: string
tag:
required: true
type: string
pr-number:
required: true
type: string
commit-hash:
required: false
type: string
target-branch:
required: false
type: string
default: ""
secrets:
NGC_API_KEY:
required: true
permissions: {}
jobs:
run-nvidia-gpu-tests-on-amd64:
name: run-${{ matrix.environment.name }}-tests-on-amd64
strategy:
fail-fast: false
matrix:
environment: [
{ name: nvidia-gpu, vmm: qemu-nvidia-gpu, runner: amd64-nvidia-a100, coco: false },
{ name: nvidia-gpu (runtime-rs), vmm: qemu-nvidia-gpu-runtime-rs, runner: amd64-nvidia-a100, coco: false },
{ name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp, coco: true },
{ name: nvidia-gpu-snp (runtime-rs), vmm: qemu-nvidia-gpu-snp-runtime-rs, runner: amd64-nvidia-h100-snp, coco: true },
]
runs-on: ${{ matrix.environment.runner }}
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
KUBERNETES: kubeadm
KBS: ${{ matrix.environment.coco && 'true' || 'false' }}
SNAPSHOTTER: ${{ matrix.environment.coco && 'nydus' || '' }}
USE_EXPERIMENTAL_SNAPSHOTTER_SETUP: ${{ matrix.environment.coco && 'true' || 'false' }}
K8S_TEST_HOST_TYPE: baremetal
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Uninstall previous `kbs-client`
if: matrix.environment.coco
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
- name: Deploy CoCo KBS
if: matrix.environment.coco
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
env:
NVIDIA_VERIFIER_MODE: remote
KBS_INGRESS: nodeport
- name: Install `kbs-client`
if: matrix.environment.coco
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Deploy Kata
timeout-minutes: 20
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Run tests ${{ matrix.environment.vmm }}
timeout-minutes: 60
run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
env:
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Collect artifacts ${{ matrix.environment.vmm }}
if: always()
run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
continue-on-error: true
- name: Archive artifacts ${{ matrix.environment.vmm }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: k8s-tests-${{ matrix.environment.vmm }}-kubeadm-${{ inputs.tag }}
path: /tmp/artifacts
retention-days: 1
- name: Delete kata-deploy
if: always()
timeout-minutes: 15
run: bash tests/integration/kubernetes/gha-run.sh cleanup
- name: Delete CoCo KBS
if: always() && matrix.environment.coco
timeout-minutes: 10
run: |
bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs


@@ -22,11 +22,11 @@ on:
type: string type: string
default: "" default: ""
permissions: {} permissions:
contents: read
jobs: jobs:
run-k8s-tests: run-k8s-tests:
name: run-k8s-tests
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -34,7 +34,7 @@ jobs:
- qemu - qemu
k8s: k8s:
- kubeadm - kubeadm
runs-on: ppc64le-k8s runs-on: k8s-ppc64le
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }} DOCKER_REPO: ${{ inputs.repo }}
@@ -43,13 +43,13 @@ jobs:
GOPATH: ${{ github.workspace }} GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: ${{ matrix.k8s }} KUBERNETES: ${{ matrix.k8s }}
USING_NFD: "false"
TARGET_ARCH: "ppc64le" TARGET_ARCH: "ppc64le"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -57,39 +57,24 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install yq - name: Install golang
run: | run: |
./ci/install_yq.sh ./tests/install_go.sh -f -p
env: echo "/usr/local/go/bin" >> "$GITHUB_PATH"
INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml - name: Prepare the runner for k8s cluster creation
run: | run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
go_version="$(yq '.languages.golang.version' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }} - name: Create k8s cluster using kubeadm
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 run: bash "${HOME}/scripts/k8s_cluster_create.sh"
with:
go-version: ${{ env.GO_VERSION }}
# Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
architecture: 'ppc64le'
- name: Prepare the runner for k8s test suite
run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"
- name: Check if cluster is healthy to run the tests
run: bash "${HOME}/scripts/k8s_cluster_check.sh"
- name: Deploy Kata - name: Deploy Kata
timeout-minutes: 20 timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-kubeadm run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-kubeadm
- name: Run tests - name: Run tests
timeout-minutes: 30 timeout-minutes: 30
run: bash tests/integration/kubernetes/gha-run.sh run-tests run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests - name: Delete cluster and post cleanup actions
if: always() run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
run: bash tests/integration/kubernetes/gha-run.sh report-tests
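Review bot: The final `Delete cluster and post cleanup actions` step has no `if: always()`, so when `Deploy Kata` or `Run tests` fails it is skipped and the kubeadm cluster with the Kata deployment stays on the persistent `k8s-ppc64le` runner until a later job's prepare step tears it down; add `if: always()` to that step so the job that dirtied the runner is the one that cleans it. The `Install golang` step appends `/usr/local/go/bin` to `GITHUB_PATH` unconditionally, which is only correct if `./tests/install_go.sh -f -p` always installs there; a comment such as `# install_go.sh -p is expected to install to /usr/local/go; expose its bin dir to later steps` would make the coupling explicit.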


@@ -25,11 +25,11 @@ on:
AUTHENTICATED_IMAGE_PASSWORD: AUTHENTICATED_IMAGE_PASSWORD:
required: true required: true
permissions: {} permissions:
contents: read
jobs: jobs:
run-k8s-tests: run-k8s-tests:
name: run-k8s-tests
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -46,9 +46,11 @@ jobs:
include: include:
- snapshotter: devmapper - snapshotter: devmapper
pull-type: default pull-type: default
using-nfd: true
deploy-cmd: configure-snapshotter deploy-cmd: configure-snapshotter
- snapshotter: nydus - snapshotter: nydus
pull-type: guest-pull pull-type: guest-pull
using-nfd: false
deploy-cmd: deploy-snapshotter deploy-cmd: deploy-snapshotter
exclude: exclude:
- snapshotter: overlayfs - snapshotter: overlayfs
@@ -74,15 +76,15 @@ jobs:
KUBERNETES: ${{ matrix.k8s }} KUBERNETES: ${{ matrix.k8s }}
PULL_TYPE: ${{ matrix.pull-type }} PULL_TYPE: ${{ matrix.pull-type }}
SNAPSHOTTER: ${{ matrix.snapshotter }} SNAPSHOTTER: ${{ matrix.snapshotter }}
USING_NFD: ${{ matrix.using-nfd }}
TARGET_ARCH: "s390x" TARGET_ARCH: "s390x"
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -103,13 +105,11 @@ jobs:
# qemu-runtime-rs only works with overlayfs # qemu-runtime-rs only works with overlayfs
# See: https://github.com/kata-containers/kata-containers/issues/10066 # See: https://github.com/kata-containers/kata-containers/issues/10066
- name: Configure the ${{ matrix.snapshotter }} snapshotter - name: Configure the ${{ matrix.snapshotter }} snapshotter
env: run: bash tests/integration/kubernetes/gha-run.sh ${{ matrix.deploy-cmd }}
DEPLOY_CMD: ${{ matrix.deploy-cmd }}
run: bash tests/integration/kubernetes/gha-run.sh "${DEPLOY_CMD}"
if: ${{ matrix.snapshotter != 'overlayfs' }} if: ${{ matrix.snapshotter != 'overlayfs' }}
- name: Deploy Kata - name: Deploy Kata
timeout-minutes: 20 timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-zvsi run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-zvsi
- name: Uninstall previous `kbs-client` - name: Uninstall previous `kbs-client`
@@ -131,18 +131,12 @@ jobs:
timeout-minutes: 60 timeout-minutes: 60
run: bash tests/integration/kubernetes/gha-run.sh run-tests run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Delete kata-deploy - name: Delete kata-deploy
if: always() if: always()
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh cleanup-zvsi run: bash tests/integration/kubernetes/gha-run.sh cleanup-zvsi
- name: Delete CoCo KBS - name: Delete CoCo KBS
if: always() if: always()
timeout-minutes: 10
run: | run: |
if [ "${KBS}" == "true" ]; then if [ "${KBS}" == "true" ]; then
bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
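Review bot: The `Configure the ... snapshotter` step now interpolates `${{ matrix.deploy-cmd }}` straight into the `run:` script; the matrix values here are literals from this file, so there is no injection path today, but the pattern breaks as soon as that value is sourced from an input or PR metadata, and the env-variable form keeps the argument quoted: add `DEPLOY_CMD: ${{ matrix.deploy-cmd }}` under a step-level `env:` and call `bash tests/integration/kubernetes/gha-run.sh "${DEPLOY_CMD}"`. The `Delete kata-deploy` and `Delete CoCo KBS` steps keep `if: always()` but have no `timeout-minutes`, so a hung cleanup on the zVSI runner holds the job until the default job timeout; a bounded `timeout-minutes: 10` on each keeps the runner recoverable.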


@@ -35,29 +35,24 @@ on:
AUTHENTICATED_IMAGE_PASSWORD: AUTHENTICATED_IMAGE_PASSWORD:
required: true required: true
permissions: {} permissions:
contents: read
id-token: write
jobs: jobs:
# Generate jobs for testing CoCo on non-TEE environments # Generate jobs for testing CoCo on non-TEE environments
run-stability-k8s-tests-coco-nontee: run-stability-k8s-tests-coco-nontee:
name: run-stability-k8s-tests-coco-nontee
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
vmm: vmm:
- qemu-coco-dev - qemu-coco-dev
- qemu-coco-dev-runtime-rs
snapshotter: snapshotter:
- nydus - nydus
pull-type: pull-type:
- guest-pull - guest-pull
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: environment: ci
id-token: write # Used for OIDC access to log into Azure
environment:
name: ci
deployment: false
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }} DOCKER_REPO: ${{ inputs.repo }}
@@ -73,12 +68,12 @@ jobs:
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
SNAPSHOTTER: ${{ matrix.snapshotter }} SNAPSHOTTER: ${{ matrix.snapshotter }}
USING_NFD: "false"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -86,14 +81,17 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts path: kata-artifacts
- name: Install kata-tools - name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Download Azure CLI
run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
- name: Log into the Azure account - name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -115,9 +113,7 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-bats run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl` - name: Install `kubectl`
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1 run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them - name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
@@ -142,18 +138,6 @@ jobs:
timeout-minutes: 300 timeout-minutes: 300
run: bash tests/stability/gha-stability-run.sh run-tests run: bash tests/stability/gha-stability-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Refresh OIDC token in case access token expired
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster - name: Delete AKS cluster
if: always() if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-cluster run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
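Review bot: The workflow-level `permissions:` block at the top of this section grants `id-token: write` to every job in the reusable workflow, while only the job that calls `azure/login` needs it; keep `permissions: {}` at the workflow level and declare `permissions: { contents: read, id-token: write }` on `run-stability-k8s-tests-coco-nontee` instead. The `actions/checkout@v4` step in the same job also lacks `persist-credentials: false`, so the GITHUB_TOKEN remains in `.git/config` for the rebase and test scripts that are executed from the checked-out `inputs.commit-hash`. `actions/checkout@v4` and `actions/download-artifact@v4` are mutable tag references while `azure/login` two steps later is pinned to a commit SHA, so the actions in one job are not held to the same supply-chain bar; pin all of them the same way. The same three patterns recur in every later section of this compare (the `permissions:` block, `uses: actions/checkout@v4`, `uses: actions/download-artifact@v4` and `uses: actions/upload-artifact@v4` lines of each workflow, including the new run-runk-tests.yaml).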


@@ -24,10 +24,6 @@ on:
required: false required: false
type: string type: string
default: "" default: ""
extensive-matrix-autogenerated-policy:
required: false
type: string
default: no
secrets: secrets:
AUTHENTICATED_IMAGE_PASSWORD: AUTHENTICATED_IMAGE_PASSWORD:
required: true required: true
@@ -40,22 +36,22 @@ on:
ITA_KEY: ITA_KEY:
required: true required: true
permissions: {} permissions:
contents: read
id-token: write
jobs: jobs:
run-k8s-tests-on-tee: run-k8s-tests-on-tdx:
name: run-k8s-tests-on-tee
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
include: vmm:
- runner: tdx - qemu-tdx
vmm: qemu-tdx snapshotter:
- runner: sev-snp - nydus
vmm: qemu-snp pull-type:
- runner: sev-snp - guest-pull
vmm: qemu-snp-runtime-rs runs-on: tdx
runs-on: ${{ matrix.runner }}
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }} DOCKER_REPO: ${{ inputs.repo }}
@@ -63,21 +59,21 @@ jobs:
GH_PR_NUMBER: ${{ inputs.pr-number }} GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: "vanilla" KUBERNETES: "vanilla"
USING_NFD: "true"
KBS: "true" KBS: "true"
K8S_TEST_HOST_TYPE: "baremetal" K8S_TEST_HOST_TYPE: "baremetal"
KBS_INGRESS: "nodeport" KBS_INGRESS: "nodeport"
SNAPSHOTTER: "nydus" SNAPSHOTTER: ${{ matrix.snapshotter }}
PULL_TYPE: "guest-pull" PULL_TYPE: ${{ matrix.pull-type }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
GH_ITA_KEY: ${{ secrets.ITA_KEY }} ITA_KEY: ${{ secrets.ITA_KEY }}
AUTO_GENERATE_POLICY: "yes" AUTO_GENERATE_POLICY: "yes"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -85,18 +81,13 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball - name: Deploy Snapshotter
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 timeout-minutes: 5
with: run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Deploy Kata - name: Deploy Kata
timeout-minutes: 20 timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
- name: Uninstall previous `kbs-client` - name: Uninstall previous `kbs-client`
timeout-minutes: 10 timeout-minutes: 10
@@ -105,289 +96,133 @@ jobs:
- name: Deploy CoCo KBS - name: Deploy CoCo KBS
timeout-minutes: 10 timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
env:
ITA_KEY: ${{ env.KATA_HYPERVISOR == 'qemu-tdx' && env.GH_ITA_KEY || '' }}
- name: Install `kbs-client` - name: Install `kbs-client`
timeout-minutes: 10 timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Deploy CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
- name: Run tests - name: Run tests
timeout-minutes: 100 timeout-minutes: 100
run: bash tests/integration/kubernetes/gha-run.sh run-tests run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Delete kata-deploy - name: Delete kata-deploy
if: always() if: always()
timeout-minutes: 15 run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
run: bash tests/integration/kubernetes/gha-run.sh cleanup
- name: Delete Snapshotter
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
- name: Delete CoCo KBS - name: Delete CoCo KBS
if: always() if: always()
timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
- name: Delete CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# AMD has deprecated SEV support on Kata and henceforth SNP will be the only feature supported for Kata Containers.
run-k8s-tests-sev-snp:
strategy:
fail-fast: false
matrix:
vmm:
- qemu-snp
snapshotter:
- nydus
pull-type:
- guest-pull
runs-on: sev-snp
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBECONFIG: /home/kata/.kube/config
KUBERNETES: "vanilla"
USING_NFD: "false"
KBS: "true"
KBS_INGRESS: "nodeport"
K8S_TEST_HOST_TYPE: "baremetal"
SNAPSHOTTER: ${{ matrix.snapshotter }}
PULL_TYPE: ${{ matrix.pull-type }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: | run: |
[[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}" ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Deploy Snapshotter
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
- name: Uninstall previous `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
- name: Deploy CoCo KBS
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Install `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Deploy CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
- name: Run tests
timeout-minutes: 50
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Delete kata-deploy
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
- name: Delete Snapshotter
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
- name: Delete CoCo KBS
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
- name: Delete CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# Generate jobs for testing CoCo on non-TEE environments # Generate jobs for testing CoCo on non-TEE environments
run-k8s-tests-coco-nontee: run-k8s-tests-coco-nontee:
name: run-k8s-tests-coco-nontee
strategy:
fail-fast: false
matrix:
environment: [
{ vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
{ vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
{ vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
]
runs-on: ubuntu-24.04
permissions:
contents: read
environment:
name: ci
deployment: false
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
# Some tests rely on that variable to run (or not)
KBS: "true"
# Set the KBS ingress handler (empty string disables handling)
KBS_INGRESS: "nodeport"
KUBERNETES: "vanilla"
PULL_TYPE: ${{ matrix.environment.pull_type }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
SNAPSHOTTER: ${{ matrix.environment.snapshotter }}
EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.pull_type == 'experimental-force-guest-pull' && matrix.environment.vmm || '' }}
AUTO_GENERATE_POLICY: "yes"
K8S_TEST_HOST_TYPE: "all"
CONTAINER_ENGINE: "containerd"
CONTAINER_ENGINE_VERSION: "active"
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Deploy kubernetes
timeout-minutes: 15
run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Deploy Kata
timeout-minutes: 20
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
env:
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.snapshotter == 'nydus' }}
- name: Deploy CoCo KBS
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Install `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Run tests
timeout-minutes: 80
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Delete kata-deploy
if: always()
timeout-minutes: 15
run: bash tests/integration/kubernetes/gha-run.sh cleanup
- name: Delete CoCo KBS
if: always()
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
# Extensive matrix: autogenerated policy tests (nydus + experimental-force-guest-pull) on k0s, k3s, rke2, microk8s with qemu-coco-dev / qemu-coco-dev-runtime-rs
run-k8s-tests-coco-nontee-extensive-matrix:
if: ${{ inputs.extensive-matrix-autogenerated-policy == 'yes' }}
name: run-k8s-tests-coco-nontee-extensive-matrix
strategy:
fail-fast: false
matrix:
environment: [
{ k8s: k0s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
{ k8s: k0s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
{ k8s: k0s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
{ k8s: k3s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
{ k8s: k3s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
{ k8s: k3s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
{ k8s: rke2, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
{ k8s: rke2, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
{ k8s: rke2, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
{ k8s: microk8s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
{ k8s: microk8s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
{ k8s: microk8s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
]
runs-on: ubuntu-24.04
permissions:
contents: read
environment:
name: ci
deployment: false
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
KBS: "true"
KBS_INGRESS: "nodeport"
KUBERNETES: ${{ matrix.environment.k8s }}
SNAPSHOTTER: ${{ matrix.environment.snapshotter }}
PULL_TYPE: ${{ matrix.environment.pull_type }}
EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.pull_type == 'experimental-force-guest-pull' && matrix.environment.vmm || '' }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AUTO_GENERATE_POLICY: "yes"
K8S_TEST_HOST_TYPE: "all"
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Deploy ${{ matrix.environment.k8s }}
timeout-minutes: 15
run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Deploy Kata
timeout-minutes: 20
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
env:
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.snapshotter == 'nydus' }}
- name: Deploy CoCo KBS
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Install `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Run tests
timeout-minutes: 80
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Delete kata-deploy
if: always()
timeout-minutes: 15
run: bash tests/integration/kubernetes/gha-run.sh cleanup
- name: Delete CoCo KBS
if: always()
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
# Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
run-k8s-tests-coco-nontee-with-erofs-snapshotter:
name: run-k8s-tests-coco-nontee-with-erofs-snapshotter
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
vmm: vmm:
- qemu-coco-dev - qemu-coco-dev
snapshotter: snapshotter:
- erofs - nydus
pull-type: pull-type:
- default - guest-pull
runs-on: ubuntu-24.04 runs-on: ubuntu-22.04
environment: environment: ci
name: ci
deployment: false
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }} DOCKER_REPO: ${{ inputs.repo }}
@@ -395,26 +230,26 @@ jobs:
GH_PR_NUMBER: ${{ inputs.pr-number }} GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
# Some tests rely on that variable to run (or not) # Some tests rely on that variable to run (or not)
KBS: "false" KBS: "true"
# Set the KBS ingress handler (empty string disables handling) # Set the KBS ingress handler (empty string disables handling)
KBS_INGRESS: "" KBS_INGRESS: "aks"
KUBERNETES: "vanilla" KUBERNETES: "vanilla"
CONTAINER_ENGINE: "containerd"
CONTAINER_ENGINE_VERSION: "active"
PULL_TYPE: ${{ matrix.pull-type }} PULL_TYPE: ${{ matrix.pull-type }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
SNAPSHOTTER: ${{ matrix.snapshotter }} SNAPSHOTTER: ${{ matrix.snapshotter }}
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: "true" # Caution: current ingress controller used to expose the KBS service
# requires much vCPUs, lefting only a few for the tests. Depending on the
# host type chose it will result on the creation of a cluster with
# insufficient resources.
K8S_TEST_HOST_TYPE: "all" K8S_TEST_HOST_TYPE: "all"
# We are skipping the auto generated policy tests for now, USING_NFD: "false"
# but those should be enabled as soon as we work on that. AUTO_GENERATE_POLICY: "yes"
AUTO_GENERATE_POLICY: "no"
GH_TOKEN: ${{ github.token }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -422,43 +257,62 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts path: kata-artifacts
- name: Install kata-tools - name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Remove unnecessary directories to free up space - name: Download Azure CLI
run: | run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Deploy kubernetes - name: Log into the Azure account
timeout-minutes: 15 uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s with:
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
with:
timeout_minutes: 15
max_attempts: 20
retry_on: error
retry_wait_seconds: 10
command: bash tests/integration/kubernetes/gha-run.sh create-cluster
- name: Install `bats` - name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
- name: Deploy Snapshotter
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
- name: Deploy Kata - name: Deploy Kata
timeout-minutes: 20 timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
- name: Deploy CoCo KBS
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Install `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Deploy CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
- name: Run tests - name: Run tests
timeout-minutes: 80 timeout-minutes: 80
@@ -468,7 +322,6 @@ jobs:
if: always() if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Delete kata-deploy - name: Delete AKS cluster
if: always() if: always()
timeout-minutes: 15 run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
run: bash tests/integration/kubernetes/gha-run.sh cleanup
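Review bot: `ITA_KEY: ${{ secrets.ITA_KEY }}` sits in the job-level `env:` of `run-k8s-tests-on-tdx`, and `AUTHENTICATED_IMAGE_PASSWORD` in the job-level `env:` of both that job and `run-k8s-tests-sev-snp`, so the secrets are exported to every step, including the rebase step that executes `./tests/git-helper.sh` from the checked-out `inputs.commit-hash` on the self-hosted `tdx` and `sev-snp` runners. Only `deploy-coco-kbs` appears to consume the ITA key, so scope it to that step: `- name: Deploy CoCo KBS` / `env:` / `ITA_KEY: ${{ secrets.ITA_KEY }}`. The registry credential can be narrowed the same way to the steps that actually pull authenticated images — presumably the deploy and `run-tests` steps, worth confirming against gha-run.sh. The `Delete Snapshotter` and `Delete CoCo KBS` cleanup steps in these two jobs carry no `timeout-minutes`, unlike their deploy counterparts, so a hung teardown holds the bare-metal runner until the job-level limit.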


@@ -29,11 +29,12 @@ on:
AZ_SUBSCRIPTION_ID: AZ_SUBSCRIPTION_ID:
required: true required: true
permissions: {} permissions:
contents: read
id-token: write
jobs: jobs:
run-kata-deploy-tests: run-kata-deploy-tests:
name: run-kata-deploy-tests
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -48,11 +49,7 @@ jobs:
- host_os: cbl-mariner - host_os: cbl-mariner
vmm: clh vmm: clh
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
environment: environment: ci
name: ci
deployment: false
permissions:
id-token: write # Used for OIDC access to log into Azure
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }} DOCKER_REPO: ${{ inputs.repo }}
@@ -61,12 +58,12 @@ jobs:
KATA_HOST_OS: ${{ matrix.host_os }} KATA_HOST_OS: ${{ matrix.host_os }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: "vanilla" KUBERNETES: "vanilla"
USING_NFD: "false"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -74,6 +71,9 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Download Azure CLI
run: bash tests/functional/kata-deploy/gha-run.sh install-azure-cli
- name: Log into the Azure account - name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with: with:
@@ -94,9 +94,7 @@ jobs:
run: bash tests/functional/kata-deploy/gha-run.sh install-bats run: bash tests/functional/kata-deploy/gha-run.sh install-bats
- name: Install `kubectl` - name: Install `kubectl`
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1 run: bash tests/functional/kata-deploy/gha-run.sh install-kubectl
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them - name: Download credentials for the Kubernetes CLI to use them
run: bash tests/functional/kata-deploy/gha-run.sh get-cluster-credentials run: bash tests/functional/kata-deploy/gha-run.sh get-cluster-credentials
@@ -104,18 +102,6 @@ jobs:
- name: Run tests - name: Run tests
run: bash tests/functional/kata-deploy/gha-run.sh run-tests run: bash tests/functional/kata-deploy/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Refresh OIDC token in case access token expired
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster - name: Delete AKS cluster
if: always() if: always()
run: bash tests/functional/kata-deploy/gha-run.sh delete-cluster run: bash tests/functional/kata-deploy/gha-run.sh delete-cluster
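Review bot: `Delete AKS cluster` at the end of `run-kata-deploy-tests` runs under `if: always()` but reuses the Azure session obtained by `azure/login` before the cluster creation and test steps; if the OIDC-derived access token has expired by the time cleanup runs, `delete-cluster` fails and the AKS cluster is left running. A second `azure/login` step with the same pinned SHA and the same `client-id`/`tenant-id`/`subscription-id` inputs, marked `if: always()` and placed immediately before `Delete AKS cluster`, closes that gap. The two preceding sections have the same shape: `azure/login`, then a 300-minute and an 80-minute `run-tests`, then `delete-cluster` with no re-login.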


@@ -22,11 +22,11 @@ on:
type: string type: string
default: "" default: ""
permissions: {} permissions:
contents: read
jobs: jobs:
run-kata-deploy-tests: run-kata-deploy-tests:
name: run-kata-deploy-tests
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -45,12 +45,12 @@ jobs:
GH_PR_NUMBER: ${{ inputs.pr-number }} GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: ${{ matrix.k8s }} KUBERNETES: ${{ matrix.k8s }}
USING_NFD: "false"
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -58,24 +58,6 @@ jobs:
env: env:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Deploy ${{ matrix.k8s }} - name: Deploy ${{ matrix.k8s }}
run: bash tests/functional/kata-deploy/gha-run.sh deploy-k8s run: bash tests/functional/kata-deploy/gha-run.sh deploy-k8s
@@ -84,7 +66,3 @@ jobs:
- name: Run tests - name: Run tests
run: bash tests/functional/kata-deploy/gha-run.sh run-tests run: bash tests/functional/kata-deploy/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/functional/kata-deploy/gha-run.sh report-tests


@@ -13,11 +13,11 @@ on:
type: string type: string
default: "" default: ""
permissions: {} permissions:
contents: read
jobs: jobs:
run-monitor: run-monitor:
name: run-monitor
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -40,11 +40,10 @@ jobs:
#CONTAINERD_VERSION: ${{ matrix.containerd_version }} #CONTAINERD_VERSION: ${{ matrix.containerd_version }}
KATA_HYPERVISOR: ${{ matrix.vmm }} KATA_HYPERVISOR: ${{ matrix.vmm }}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -54,11 +53,9 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: bash tests/functional/kata-monitor/gha-run.sh install-dependencies run: bash tests/functional/kata-monitor/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball - name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 uses: actions/download-artifact@v4
with: with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts path: kata-artifacts


@@ -22,11 +22,11 @@ on:
type: string type: string
default: "" default: ""
permissions: {} permissions:
contents: read
jobs: jobs:
run-metrics: run-metrics:
name: run-metrics
strategy: strategy:
# We can set this to true whenever we're 100% sure that # We can set this to true whenever we're 100% sure that
# the all the tests are not flaky, otherwise we'll fail # the all the tests are not flaky, otherwise we'll fail
@@ -44,13 +44,13 @@ jobs:
DOCKER_TAG: ${{ inputs.tag }} DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }} GH_PR_NUMBER: ${{ inputs.pr-number }}
K8S_TEST_HOST_TYPE: "baremetal" K8S_TEST_HOST_TYPE: "baremetal"
USING_NFD: "false"
KUBERNETES: kubeadm KUBERNETES: kubeadm
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.commit-hash }} ref: ${{ inputs.commit-hash }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch - name: Rebase atop of the latest target branch
run: | run: |
@@ -115,7 +115,7 @@ jobs:
run: bash tests/metrics/gha-run.sh make-tarball-results run: bash tests/metrics/gha-run.sh make-tarball-results
- name: archive metrics results ${{ matrix.vmm }} - name: archive metrics results ${{ matrix.vmm }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@v4
with: with:
name: metrics-artifacts-${{ matrix.vmm }} name: metrics-artifacts-${{ matrix.vmm }}
path: results-${{ matrix.vmm }}.tar.gz path: results-${{ matrix.vmm }}.tar.gz
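Review bot: The metrics job on the new side drops `persist-credentials: false` from its checkout and moves `actions/checkout` and `actions/upload-artifact` from commit-SHA pins to the mutable `@v4` tag; on a `baremetal` runner (`K8S_TEST_HOST_TYPE`) a persisted token outlives the job far more easily than on a hosted VM. Restore `persist-credentials: false` under `with:` and pin both actions to a full SHA, e.g. `uses: actions/upload-artifact@<full-sha> # v4.x`. The `GH_PR_NUMBER`/`DOCKER_TAG` inputs are passed through to scripts outside this hunk, so I cannot tell from here whether they are quoted safely; worth checking in `tests/metrics/gha-run.sh`.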

.github/workflows/run-runk-tests.yaml vendored Normal file

@@ -0,0 +1,51 @@
name: CI | Run runk tests
on:
workflow_call:
inputs:
tarball-suffix:
required: false
type: string
commit-hash:
required: false
type: string
target-branch:
required: false
type: string
default: ""
permissions:
contents: read
jobs:
run-runk:
# Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
if: false
runs-on: ubuntu-22.04
env:
CONTAINERD_VERSION: lts
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install dependencies
run: bash tests/integration/runk/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/runk/gha-run.sh install-kata kata-artifacts
- name: Run runk tests
run: bash tests/integration/runk/gha-run.sh run
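Review bot: The checkout step in this new file has no `persist-credentials: false`, and `actions/checkout@v4` and `actions/download-artifact@v4` are referenced by mutable tag rather than a commit SHA. The job is disabled by `if: false` (the comment says there are no maintainers), so nothing runs today, but re-enabling it is a one-line flip and the file should not carry the weaker pattern until then; add `persist-credentials: false` under the checkout `with:` and pin both actions. A comment next to the gate, `# TODO: re-pin actions and re-check permissions before re-enabling`, would make that precondition visible.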


@@ -1,60 +0,0 @@
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: Scorecard supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
push:
branches: [ "main" ]
workflow_dispatch:
permissions: {}
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
# `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
with:
sarif_file: results.sarif


@@ -10,7 +10,8 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -18,15 +19,15 @@ concurrency:
jobs: jobs:
shellcheck: shellcheck:
name: shellcheck
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- uses: actions/checkout@v4
- name: Run ShellCheck - name: Run ShellCheck
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0 uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
with: with:
ignore_paths: "**/vendor/**" ignore_paths: "**/vendor/**"
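Review bot: The bare `- uses: actions/checkout@v4` step that appears after the named "Checkout the code" step is redundant and, having no `with:` block, runs with the action defaults — `persist-credentials: true` and `fetch-depth: 1` — so it re-persists the job token in `.git/config` immediately after the first checkout. Remove that step, keep the `fetch-depth: 0` checkout, pin it to a commit SHA, and put `persist-credentials: false` back under its `with:`. `ludeeus/action-shellcheck` is pinned to a `master` SHA rather than a release tag; that is acceptable for supply-chain purposes but the trailing comment should say why a release was not used.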


@@ -11,7 +11,8 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -19,17 +20,16 @@ concurrency:
jobs: jobs:
shellcheck-required: shellcheck-required:
name: shellcheck-required
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- uses: actions/checkout@v4
- name: Run ShellCheck - name: Run ShellCheck
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0 uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
with: with:
severity: error severity: error
ignore_paths: "**/vendor/**" ignore_paths: "**/vendor/**"
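Review bot: Same duplicate-checkout problem as the sibling shellcheck workflow: the unnamed `- uses: actions/checkout@v4` step re-runs checkout with defaults (`persist-credentials: true`, `fetch-depth: 1`) after the named one already fetched full history, leaving the job token persisted for the ShellCheck step. Drop the second step and pin the first, e.g. `uses: actions/checkout@<full-sha> # v4.x` with `persist-credentials: false` under `with:`. Because this job is the `severity: error` required check, a compromised or drifting action here blocks or passes every PR, which is the main reason to prefer a SHA pin over `@v4`.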


@@ -1,30 +0,0 @@
name: Spelling check
on: ["pull_request"]
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
check-spelling:
name: check-spelling
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Check Spelling
uses: streetsidesoftware/cspell-action@9cd41bb518a24fefdafd9880cbab8f0ceba04d28 # 8.3.0
with:
files: |
**/*.md
**/*.rst
**/*.txt
incremental_files_only: true
config: ".cspell.yaml"


@@ -4,23 +4,16 @@ on:
- cron: '0 0 * * *' - cron: '0 0 * * *'
workflow_dispatch: workflow_dispatch:
permissions: {} permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
stale: stale:
name: stale
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
actions: write # Needed to manage caches for state persistence across runs
pull-requests: write # Needed to add/remove labels, post comments, or close PRs
steps: steps:
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 - uses: actions/stale@v9
with: with:
stale-pr-message: 'This PR has been opened without activity for 180 days. Please comment on the issue or it will be closed in 7 days.' stale-pr-message: 'This PR has been opened without with no activity for 180 days. Comment on the issue otherwise it will be closed in 7 days'
days-before-pr-stale: 180 days-before-pr-stale: 180
days-before-pr-close: 7 days-before-pr-close: 7
days-before-issue-stale: -1 days-before-issue-stale: -1
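Review bot: With the job-level `permissions` block gone and the workflow-level grant reduced to `contents: read`, the `actions/stale@v9` step no longer holds `pull-requests: write`, which it needs to add the stale label, post `stale-pr-message` and close PRs after `days-before-pr-close`; on a repository with restricted default token permissions the step will 403 or silently do nothing. Restore `pull-requests: write` (and `actions: write` only if cache-backed state persistence is wanted) on the `stale` job rather than at workflow level, and pin the action to a commit SHA. `days-before-issue-stale: -1` keeps issues untouched, so no `issues:` scope is required.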


@@ -1,42 +0,0 @@
name: 'Stale issues with activity before a fixed date'
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
inputs:
date:
description: "Date of stale cut-off. All issues not updated since this date will be marked as stale. Format: YYYY-MM-DD e.g. 2022-10-09"
default: "2022-10-09"
required: false
type: string
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
stale:
name: stale
runs-on: ubuntu-24.04
permissions:
actions: write # Needed to manage caches for state persistence across runs
issues: write # Needed to add/remove labels, post comments, or close issues
steps:
- name: Calculate the age to stale
run: |
echo AGE=$(( ( $(date +%s) - $(date -d "${DATE:-2022-10-09}" +%s) ) / 86400 )) >> "$GITHUB_ENV"
env:
DATE: ${{ inputs.date }}
- name: Run the stale action
uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
with:
stale-pr-message: 'This issue has had no activity since before ${DATE}. Please comment on the issue, or it will be closed in 30 days'
days-before-pr-stale: -1
days-before-pr-close: -1
days-before-issue-stale: ${AGE}
days-before-issue-close: 30
env:
DATE: ${{ inputs.date }}


@@ -6,7 +6,8 @@ on:
- reopened - reopened
- labeled # a workflow runs only when the 'ok-to-test' label is added - labeled # a workflow runs only when the 'ok-to-test' label is added
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -28,9 +29,21 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
instance: instance:
- "ubuntu-24.04-arm" - "ubuntu-22.04-arm"
- "ubuntu-24.04-s390x" - "s390x"
- "ubuntu-24.04-ppc64le" - "ppc64le"
uses: ./.github/workflows/build-checks.yaml uses: ./.github/workflows/build-checks.yaml
with: with:
instance: ${{ matrix.instance }} instance: ${{ matrix.instance }}
build-checks-preview:
needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
strategy:
fail-fast: false
matrix:
instance:
- "riscv-builder"
uses: ./.github/workflows/build-checks-preview-riscv64.yaml
with:
instance: ${{ matrix.instance }}
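Review bot: The added `build-checks-preview` job runs PR code on an instance labelled `riscv-builder`, which looks like a self-hosted runner, yet its only gate is `needs.skipper.outputs.skip_static != 'yes'`; the `ok-to-test` label mentioned in the trigger comment is not checked in this job, so it presumably lives in `skipper`, which is outside this hunk — worth confirming before merging. A comment on the job, `# riscv-builder is self-hosted: runs PR code only after a maintainer applies ok-to-test (enforced by skipper)`, would record that assumption. The other matrix now uses bare labels `s390x` and `ppc64le` instead of the `ubuntu-24.04-*` names; make sure those resolve to the intended runner pools and not to any runner that happens to carry the label.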


@@ -5,9 +5,9 @@ on:
- edited - edited
- reopened - reopened
- synchronize - synchronize
workflow_dispatch:
permissions: {} permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -22,16 +22,14 @@ jobs:
target-branch: ${{ github.event.pull_request.base.ref }} target-branch: ${{ github.event.pull_request.base.ref }}
check-kernel-config-version: check-kernel-config-version:
name: check-kernel-config-version
needs: skipper needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }} if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Ensure the kernel config version has been updated - name: Ensure the kernel config version has been updated
run: | run: |
kernel_dir="tools/packaging/kernel/" kernel_dir="tools/packaging/kernel/"
@@ -55,7 +53,6 @@ jobs:
instance: ubuntu-22.04 instance: ubuntu-22.04
build-checks-depending-on-kvm: build-checks-depending-on-kvm:
name: build-checks-depending-on-kvm
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: skipper needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }} if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
@@ -71,10 +68,9 @@ jobs:
component-path: src/dragonball component-path: src/dragonball
steps: steps:
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Install system deps - name: Install system deps
run: | run: |
sudo apt-get update && sudo apt-get install -y build-essential musl-tools sudo apt-get update && sudo apt-get install -y build-essential musl-tools
@@ -90,16 +86,13 @@ jobs:
- name: Running `${{ matrix.command }}` for ${{ matrix.component }} - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
run: | run: |
export PATH="$PATH:${HOME}/.cargo/bin" export PATH="$PATH:${HOME}/.cargo/bin"
cd "${COMPONENT_PATH}" cd ${{ matrix.component-path }}
eval "${COMMAND}" ${{ matrix.command }}
env: env:
COMMAND: ${{ matrix.command }}
COMPONENT_PATH: ${{ matrix.component-path }}
RUST_BACKTRACE: "1" RUST_BACKTRACE: "1"
RUST_LIB_BACKTRACE: "0" RUST_LIB_BACKTRACE: "0"
static-checks: static-checks:
name: static-checks
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: skipper needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }} if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
@@ -110,88 +103,27 @@ jobs:
- "make static-checks" - "make static-checks"
env: env:
GOPATH: ${{ github.workspace }} GOPATH: ${{ github.workspace }}
permissions:
contents: read # for checkout
packages: write # for push to ghcr.io
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
path: ./src/github.com/${{ github.repository }} path: ./src/github.com/${{ github.repository }}
- name: Install yq - name: Install yq
run: | run: |
cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" cd "${GOPATH}/src/github.com/${{ github.repository }}"
./ci/install_yq.sh ./ci/install_yq.sh
env: env:
INSTALL_IN_GOPATH: false INSTALL_IN_GOPATH: false
- name: Read properties from versions.yaml - name: Install golang
run: | run: |
cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" cd "${GOPATH}/src/github.com/${{ github.repository }}"
go_version="$(yq '.languages.golang.version' versions.yaml)" ./tests/install_go.sh -f -p
[ -n "$go_version" ] echo "/usr/local/go/bin" >> "$GITHUB_PATH"
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
- name: Setup Golang version ${{ env.GO_VERSION }}
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Install system dependencies - name: Install system dependencies
run: | run: |
sudo apt-get update && sudo apt-get -y install moreutils sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
- name: Install open-policy-agent
run: |
cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
./tests/install_opa.sh
- name: Install regorus
env:
ARTEFACT_REPOSITORY: "${{ github.repository }}"
ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
run: |
"${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
- name: Run check - name: Run check
env:
CMD: ${{ matrix.cmd }}
run: | run: |
export PATH="${PATH}:${GOPATH}/bin" export PATH="${PATH}:${GOPATH}/bin"
cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD} cd "${GOPATH}/src/github.com/${{ github.repository }}" && ${{ matrix.cmd }}
govulncheck:
needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
uses: ./.github/workflows/govulncheck.yaml
codegen:
name: codegen
runs-on: ubuntu-22.04
needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
permissions:
contents: read # for checkout
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: generate
run: make -C src/agent generate-protocols
- name: check for diff
run: |
diff=$(git diff)
if [[ -z "${diff}" ]]; then
echo "No diff detected."
exit 0
fi
cat << EOF >> "${GITHUB_STEP_SUMMARY}"
Run \`make -C src/agent generate-protocols\` to update protobuf bindings.
\`\`\`diff
${diff}
\`\`\`
EOF
echo "::error::Golang protobuf bindings need to be regenerated (see Github step summary for diff)."
exit 1
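Review bot: In the `build-checks-depending-on-kvm` hunk the new side interpolates `${{ matrix.component-path }}` and `${{ matrix.command }}` straight into the `run:` script, and the `static-checks` job does the same with `${{ github.repository }}` and `${{ matrix.cmd }}`; expressions are substituted before bash parses the script, so any value containing shell metacharacters is executed verbatim, which is the template-injection pattern GitHub's hardening guide warns about. The values are repository-controlled today, but the env-variable form costs nothing: `cd "${COMPONENT_PATH}"` and `eval "${COMMAND}"` with `COMMAND: ${{ matrix.command }}` and `COMPONENT_PATH: ${{ matrix.component-path }}` under `env:`, and `${GITHUB_REPOSITORY}` instead of `${{ github.repository }}`. The new side also installs Go via `./tests/install_go.sh -f -p` rather than `actions/setup-go` driven by `versions.yaml`; if that script downloads a toolchain, confirm it verifies a checksum, because the workflow no longer records which Go version it ran with. The `static-checks` job also loses its explicit `permissions:` block, which is fine only as long as nothing in `make static-checks` still pushes to ghcr.io.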


@@ -1,29 +0,0 @@
name: GHA security analysis
on:
pull_request:
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
zizmor:
name: zizmor
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1
with:
advanced-security: false
annotations: true
persona: auditor
version: v1.13.0

.github/zizmor.yml vendored

@@ -1,3 +0,0 @@
rules:
undocumented-permissions:
disable: true

.gitignore vendored

@@ -16,10 +16,3 @@ src/agent/protocols/src/*.rs
build build
src/tools/log-parser/kata-log-parser src/tools/log-parser/kata-log-parser
tools/packaging/static-build/agent/install_libseccomp.sh tools/packaging/static-build/agent/install_libseccomp.sh
.envrc
.direnv
**/.DS_Store
site/
opt/
tools/packaging/kernel/configs/**/.config
root_hash.txt


@@ -1,194 +0,0 @@
[workspace.package]
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"
rust-version = "1.88"
[workspace]
members = [
# libs
"src/libs/kata-sys-util",
"src/libs/kata-types",
"src/libs/logging",
"src/libs/mem-agent",
"src/libs/pod-resources-rs",
"src/libs/protocols",
"src/libs/runtime-spec",
"src/libs/safe-path",
"src/libs/shim-interface",
"src/libs/test-utils",
# kata-agent
"src/agent",
"src/agent/rustjail",
"src/agent/policy",
"src/agent/vsock-exporter",
# Dragonball
"src/dragonball",
"src/dragonball/dbs_acpi",
"src/dragonball/dbs_address_space",
"src/dragonball/dbs_allocator",
"src/dragonball/dbs_arch",
"src/dragonball/dbs_boot",
"src/dragonball/dbs_device",
"src/dragonball/dbs_interrupt",
"src/dragonball/dbs_legacy_devices",
"src/dragonball/dbs_pci",
"src/dragonball/dbs_tdx",
"src/dragonball/dbs_upcall",
"src/dragonball/dbs_utils",
"src/dragonball/dbs_virtio_devices",
# genpolicy
"src/tools/genpolicy",
# kata-deploy (Kubernetes installer binary)
"tools/packaging/kata-deploy/binary",
# runtime-rs
"src/runtime-rs",
"src/runtime-rs/crates/agent",
"src/runtime-rs/crates/hypervisor",
"src/runtime-rs/crates/persist",
"src/runtime-rs/crates/resource",
"src/runtime-rs/crates/runtimes",
"src/runtime-rs/crates/service",
"src/runtime-rs/crates/shim",
"src/runtime-rs/crates/shim-ctl",
"src/runtime-rs/tests/utils",
]
resolver = "2"
# TODO: Add all excluded crates to root workspace
exclude = [
"src/tools",
# We are cloning and building rust packages under
# "tools/packaging/kata-deploy/local-build/build" folder, which may mislead
# those packages to think they are part of the kata root workspace
"tools/packaging/kata-deploy/local-build/build",
]
[workspace.dependencies]
# Rust-VMM crates
event-manager = "0.4.0"
kvm-bindings = "0.14.0"
kvm-ioctls = "0.24.0"
linux-loader = "0.13.0"
seccompiler = "0.5.0"
vfio-bindings = "0.6.2"
vfio-ioctls = "0.6.0"
virtio-bindings = "0.2.0"
virtio-queue = "0.17.0"
vm-fdt = "0.3.0"
vm-memory = "=0.17.1"
vm-superio = "0.8.0"
vmm-sys-util = "0.15.0"
# Local dependencies from Dragonball Sandbox crates
dragonball = { path = "src/dragonball" }
dbs-acpi = { path = "src/dragonball/dbs_acpi" }
dbs-address-space = { path = "src/dragonball/dbs_address_space" }
dbs-allocator = { path = "src/dragonball/dbs_allocator" }
dbs-arch = { path = "src/dragonball/dbs_arch" }
dbs-boot = { path = "src/dragonball/dbs_boot" }
dbs-device = { path = "src/dragonball/dbs_device" }
dbs-interrupt = { path = "src/dragonball/dbs_interrupt" }
dbs-legacy-devices = { path = "src/dragonball/dbs_legacy_devices" }
dbs-pci = { path = "src/dragonball/dbs_pci" }
dbs-tdx = { path = "src/dragonball/dbs_tdx" }
dbs-upcall = { path = "src/dragonball/dbs_upcall" }
dbs-utils = { path = "src/dragonball/dbs_utils" }
dbs-virtio-devices = { path = "src/dragonball/dbs_virtio_devices" }
# Local dependencies from runtime-rs
agent = { path = "src/runtime-rs/crates/agent" }
hypervisor = { path = "src/runtime-rs/crates/hypervisor" }
persist = { path = "src/runtime-rs/crates/persist" }
resource = { path = "src/runtime-rs/crates/resource" }
runtimes = { path = "src/runtime-rs/crates/runtimes" }
service = { path = "src/runtime-rs/crates/service" }
tests_utils = { path = "src/runtime-rs/tests/utils" }
ch-config = { path = "src/runtime-rs/crates/hypervisor/ch-config" }
common = { path = "src/runtime-rs/crates/runtimes/common" }
linux_container = { path = "src/runtime-rs/crates/runtimes/linux_container" }
virt_container = { path = "src/runtime-rs/crates/runtimes/virt_container" }
wasm_container = { path = "src/runtime-rs/crates/runtimes/wasm_container" }
# Local dependencies from `src/lib`
kata-sys-util = { path = "src/libs/kata-sys-util" }
pod-resources-rs = { path = "src/libs/pod-resources-rs" }
kata-types = { path = "src/libs/kata-types", features = ["safe-path"] }
logging = { path = "src/libs/logging" }
mem-agent = { path = "src/libs/mem-agent" }
protocols = { path = "src/libs/protocols", features = ["async"] }
runtime-spec = { path = "src/libs/runtime-spec" }
safe-path = { path = "src/libs/safe-path" }
shim-interface = { path = "src/libs/shim-interface" }
test-utils = { path = "src/libs/test-utils" }
# Local dependencies from `src/agent`
kata-agent-policy = { path = "src/agent/policy" }
rustjail = { path = "src/agent/rustjail" }
vsock-exporter = { path = "src/agent/vsock-exporter" }
# Outside dependencies
actix-rt = "2.7.0"
anyhow = "1.0"
async-recursion = "0.3.2"
async-trait = "0.1.48"
capctl = "0.2.0"
cfg-if = "1.0.0"
cgroups = { package = "cgroups-rs", git = "https://github.com/kata-containers/cgroups-rs", rev = "v0.3.5" }
clap = { version = "4.5.40", features = ["derive"] }
const_format = "0.2.30"
containerd-shim = { version = "0.10.0", features = ["async"] }
containerd-shim-protos = { version = "0.10.0", features = ["async"] }
derivative = "2.2.0"
futures = "0.3.30"
go-flag = "0.1.0"
hyper = "0.14.20"
hyperlocal = "0.8.0"
ipnetwork = "0.17.0"
lazy_static = "1.4"
libc = "0.2.94"
log = "0.4.14"
netlink-packet-core = "0.7.0"
netlink-packet-route = "0.19.0"
netlink-sys = { version = "0.7.0", features = ["tokio_socket"] }
netns-rs = "0.1.0"
# Note: nix needs to stay sync'd with libs versions
nix = "0.26.4"
oci-spec = { version = "0.8.1", features = ["runtime"] }
opentelemetry = { version = "0.17.0", features = ["rt-tokio"] }
procfs = "0.12.0"
prometheus = { version = "0.14.0", features = ["process"] }
protobuf = "3.7.2"
rand = "0.8.4"
regex = "1.10.5"
rstest = "0.18.0"
rtnetlink = "0.14.0"
scan_fmt = "0.2.6"
scopeguard = "1.0.0"
serde = { version = "1.0.145", features = ["derive"] }
serde_json = "1.0.91"
serial_test = "0.10.0"
sha2 = "0.10.9"
slog = "2.5.2"
slog-scope = "4.4.0"
slog-stdlog = "4.0.0"
slog-term = "2.9.0"
strum = { version = "0.24.0", features = ["derive"] }
strum_macros = "0.26.2"
tempfile = "3.19.1"
thiserror = "1.0.26"
tokio = "1.46.1"
tokio-vsock = "0.3.4"
toml = "0.5.8"
tracing = "0.1.41"
tracing-opentelemetry = "0.18.0"
tracing-subscriber = "0.3.20"
ttrpc = "0.8.4"
url = "2.5.4"
which = "4.3.0"


@@ -18,6 +18,7 @@ TOOLS =
TOOLS += agent-ctl TOOLS += agent-ctl
TOOLS += kata-ctl TOOLS += kata-ctl
TOOLS += log-parser TOOLS += log-parser
TOOLS += runk
TOOLS += trace-forwarder TOOLS += trace-forwarder
STANDARD_TARGETS = build check clean install static-checks-build test vendor STANDARD_TARGETS = build check clean install static-checks-build test vendor
@@ -41,19 +42,13 @@ generate-protocols:
# Some static checks rely on generated source files of components. # Some static checks rely on generated source files of components.
static-checks: static-checks-build static-checks: static-checks-build
bash tests/static-checks.sh bash tests/static-checks.sh github.com/kata-containers/kata-containers
docs-url-alive-check: docs-url-alive-check:
bash ci/docs-url-alive-check.sh bash ci/docs-url-alive-check.sh
build-and-publish-kata-debug: build-and-publish-kata-debug:
bash tools/packaging/kata-debug/kata-debug-build-and-upload-payload.sh ${KATA_DEBUG_REGISTRY} ${KATA_DEBUG_TAG} bash tools/packaging/kata-debug/kata-debug-build-and-upload-payload.sh ${KATA_DEBUG_REGISTRY} ${KATA_DEBUG_TAG}
docs-build:
docker build -t kata-docs:latest -f ./docs/Dockerfile ./docs
docs-serve: docs-build
docker run --rm -p 8000:8000 -v ${PWD}:/docs:ro kata-docs:latest serve --config-file /docs/mkdocs.yaml -a 0.0.0.0:8000
.PHONY: \ .PHONY: \
all \ all \
@@ -61,6 +56,4 @@ docs-serve: docs-build
install-tarball \ install-tarball \
default \ default \
static-checks \ static-checks \
docs-url-alive-check \ docs-url-alive-check
docs-build \
docs-serve


@@ -1,7 +1,8 @@
foo
<img src="https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/kata/SVG/kata-1.svg" width="900"> <img src="https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/kata/SVG/kata-1.svg" width="900">
[![CI | Publish Kata Containers payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml) [![Kata Containers Nightly CI](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml) [![CI | Publish Kata Containers payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml) [![Kata Containers Nightly CI](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kata-containers/kata-containers/badge)](https://scorecard.dev/viewer/?uri=github.com/kata-containers/kata-containers)
# Kata Containers # Kata Containers
@@ -74,7 +75,7 @@ See the [official documentation](docs) including:
- [Developer guide](docs/Developer-Guide.md) - [Developer guide](docs/Developer-Guide.md)
- [Design documents](docs/design) - [Design documents](docs/design)
- [Architecture overview](docs/design/architecture) - [Architecture overview](docs/design/architecture)
- [Architecture 4.0 overview](docs/design/architecture_4.0/) - [Architecture 3.0 overview](docs/design/architecture_3.0/)
## Configuration ## Configuration
@@ -139,6 +140,7 @@ The table below lists the remaining parts of the project:
| [`agent-ctl`](src/tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. | | [`agent-ctl`](src/tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
| [`kata-ctl`](src/tools/kata-ctl) | utility | Tool that provides advanced commands and debug facilities. | | [`kata-ctl`](src/tools/kata-ctl) | utility | Tool that provides advanced commands and debug facilities. |
| [`trace-forwarder`](src/tools/trace-forwarder) | utility | Agent tracing helper. | | [`trace-forwarder`](src/tools/trace-forwarder) | utility | Agent tracing helper. |
| [`runk`](src/tools/runk) | utility | Standard OCI container runtime based on the agent. |
| [`ci`](.github/workflows) | CI | Continuous Integration configuration files and scripts. | | [`ci`](.github/workflows) | CI | Continuous Integration configuration files and scripts. |
| [`ocp-ci`](ci/openshift-ci/README.md) | CI | Continuous Integration configuration for the OpenShift pipelines. | | [`ocp-ci`](ci/openshift-ci/README.md) | CI | Continuous Integration configuration for the OpenShift pipelines. |
| [`katacontainers.io`](https://github.com/kata-containers/www.katacontainers.io) | Source for the [`katacontainers.io`](https://www.katacontainers.io) site. | | [`katacontainers.io`](https://github.com/kata-containers/www.katacontainers.io) | Source for the [`katacontainers.io`](https://www.katacontainers.io) site. |


@@ -1 +1 @@
3.28.0 3.17.0


@@ -306,7 +306,7 @@ tarball to the newly created VM that will be used for debugging purposes.
> [!NOTE] > [!NOTE]
> Those artifacts are only available (for 15 days) when all jobs are finished. > Those artifacts are only available (for 15 days) when all jobs are finished.
Once you have the `kata-static.tar.zst` in your VM, you can login to the VM with Once you have the `kata-static.tar.xz` in your VM, you can login to the VM with
`kcli ssh debug-nerdctl-pr8070`, go ahead and then clone your development branch `kcli ssh debug-nerdctl-pr8070`, go ahead and then clone your development branch
```bash ```bash
@@ -323,15 +323,15 @@ $ git config --global user.name "Your Name"
$ git rebase upstream/main $ git rebase upstream/main
``` ```
Now copy the `kata-static.tar.zst` into your `kata-containers/kata-artifacts` directory Now copy the `kata-static.tar.xz` into your `kata-containers/kata-artifacts` directory
```bash ```bash
$ mkdir kata-artifacts $ mkdir kata-artifacts
$ cp ../kata-static.tar.zst kata-artifacts/ $ cp ../kata-static.tar.xz kata-artifacts/
``` ```
> [!NOTE] > [!NOTE]
> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.zst` > If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.xz`
And finally run the tests following what's in the yaml file for the test you're And finally run the tests following what's in the yaml file for the test you're
debugging. debugging.
@@ -363,11 +363,11 @@ and have fun debugging and hacking!
Steps for debugging the Kubernetes tests are very similar to the ones for Steps for debugging the Kubernetes tests are very similar to the ones for
debugging non-Kubernetes tests, with the caveat that what you'll need, this debugging non-Kubernetes tests, with the caveat that what you'll need, this
time, is not the `kata-static.tar.zst` tarball, but rather a payload to be used time, is not the `kata-static.tar.xz` tarball, but rather a payload to be used
with kata-deploy. with kata-deploy.
In order to generate your own kata-deploy image you can generate your own In order to generate your own kata-deploy image you can generate your own
`kata-static.tar.zst` and then take advantage of the following script. Be aware `kata-static.tar.xz` and then take advantage of the following script. Be aware
that the image generated and uploaded must be accessible by the VM where you'll that the image generated and uploaded must be accessible by the VM where you'll
be performing your tests. be performing your tests.
@@ -378,7 +378,7 @@ that is used in the test" section. From there you can see exactly what you'll
have to use when deploying kata-deploy in your local cluster. have to use when deploying kata-deploy in your local cluster.
> [!NOTE] > [!NOTE]
> TODO: @wainersm TO FINISH THIS PART BASED ON HIS PR TO RUN A LOCAL CI > TODO: WAINER TO FINISH THIS PART BASED ON HIS PR TO RUN A LOCAL CI
## Adding new runners ## Adding new runners


@@ -8,7 +8,6 @@ set -e
cidir=$(dirname "$0") cidir=$(dirname "$0")
runtimedir=${cidir}/../src/runtime runtimedir=${cidir}/../src/runtime
genpolicydir=${cidir}/../src/tools/genpolicy
build_working_packages() { build_working_packages() {
# working packages: # working packages:
@@ -41,11 +40,3 @@ build_working_packages() {
} }
build_working_packages build_working_packages
build_genpolicy() {
echo "building genpolicy"
pushd "${genpolicydir}" &>/dev/null
make TRIPLE=aarch64-apple-darwin build
}
build_genpolicy


@@ -11,10 +11,6 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${script_dir}/../tests/common.bash" source "${script_dir}/../tests/common.bash"
# Path to the ORAS cache helper for downloading tarballs (sourced when needed)
# Use ORAS_CACHE_HELPER env var (set by build.sh in Docker) or fallback to repo path
oras_cache_helper="${ORAS_CACHE_HELPER:-${script_dir}/../tools/packaging/scripts/download-with-oras-cache.sh}"
# The following variables if set on the environment will change the behavior # The following variables if set on the environment will change the behavior
# of gperf and libseccomp configure scripts, that may lead this script to # of gperf and libseccomp configure scripts, that may lead this script to
# fail. So let's ensure they are unset here. # fail. So let's ensure they are unset here.
@@ -48,9 +44,6 @@ fi
gperf_tarball="gperf-${gperf_version}.tar.gz" gperf_tarball="gperf-${gperf_version}.tar.gz"
gperf_tarball_url="${gperf_url}/${gperf_tarball}" gperf_tarball_url="${gperf_url}/${gperf_tarball}"
# Use ORAS cache for gperf downloads (gperf upstream can be unreliable)
USE_ORAS_CACHE="${USE_ORAS_CACHE:-yes}"
# We need to build the libseccomp library from sources to create a static # We need to build the libseccomp library from sources to create a static
# library for the musl libc. # library for the musl libc.
# However, ppc64le, riscv64 and s390x have no musl targets in Rust. Hence, we do # However, ppc64le, riscv64 and s390x have no musl targets in Rust. Hence, we do
@@ -75,23 +68,7 @@ trap finish EXIT
build_and_install_gperf() { build_and_install_gperf() {
echo "Build and install gperf version ${gperf_version}" echo "Build and install gperf version ${gperf_version}"
mkdir -p "${gperf_install_dir}" mkdir -p "${gperf_install_dir}"
curl -sLO "${gperf_tarball_url}"
# Use ORAS cache if available and enabled
if [[ "${USE_ORAS_CACHE}" == "yes" ]] && [[ -f "${oras_cache_helper}" ]]; then
echo "Using ORAS cache for gperf download"
source "${oras_cache_helper}"
local cached_tarball
cached_tarball=$(download_component gperf "$(pwd)")
if [[ -f "${cached_tarball}" ]]; then
gperf_tarball="${cached_tarball}"
else
echo "ORAS cache download failed, falling back to direct download"
curl -sLO "${gperf_tarball_url}"
fi
else
curl -sLO "${gperf_tarball_url}"
fi
tar -xf "${gperf_tarball}" tar -xf "${gperf_tarball}"
pushd "gperf-${gperf_version}" pushd "gperf-${gperf_version}"
# Unset $CC for configure, we will always use native for gperf # Unset $CC for configure, we will always use native for gperf
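Review bot: `curl -sLO "${gperf_tarball_url}"` inside `build_and_install_gperf` runs without `-f`, so an HTTP error body from the upstream server is saved under the tarball name and only surfaces later as an unrelated `tar -xf` failure, and nothing verifies the archive before it is extracted and built. `curl -fsSLO "${gperf_tarball_url}"` makes the download itself fail, and comparing the file against a pinned digest before `tar -xf "${gperf_tarball}"`, e.g. `echo "${gperf_sha256}  ${gperf_tarball}" | sha256sum -c -` with a `gperf_sha256` value kept next to `gperf_version` (variable name constructed here), gives an integrity check that is independent of where the tarball came from. The body of `build_and_install_gperf` continues past this hunk.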


@@ -73,12 +73,12 @@ function install_yq() {
goarch=arm64 goarch=arm64
;; ;;
"arm64") "arm64")
# If we're on an apple silicon machine, just assign amd64. # If we're on an apple silicon machine, just assign amd64.
# The version of yq we use doesn't have a darwin arm build, # The version of yq we use doesn't have a darwin arm build,
# but Rosetta can come to the rescue here. # but Rosetta can come to the rescue here.
if [[ ${goos} == "Darwin" ]]; then if [[ ${goos} == "Darwin" ]]; then
goarch=amd64 goarch=amd64
else else
goarch=arm64 goarch=arm64
fi fi
;; ;;


@@ -37,23 +37,6 @@ oc adm policy add-scc-to-group anyuid system:authenticated system:serviceaccount
oc label --overwrite ns default pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/audit=baseline oc label --overwrite ns default pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/audit=baseline
``` ```
The e2e suite uses a combination of built-in (origin) and external tests. External
tests include Kubernetes upstream conformance tests from the `hyperkube` image.
To enable external tests, export a variable matching your cluster version:
```bash
export EXTENSIONS_PAYLOAD_OVERRIDE=$(oc get clusterversion version -o jsonpath='{.status.desired.image}')
# Optional: limit to hyperkube only (k8s conformance tests, avoids downloading all operator extensions)
export EXTENSION_BINARY_OVERRIDE_INCLUDE_TAGS="hyperkube"
```
Alternatively, skip external tests entirely (only OpenShift-specific tests from origin):
```bash
export OPENSHIFT_SKIP_EXTERNAL_TESTS=1
```
Now you should be ready to run the openshift-tests. Our CI only uses a subset Now you should be ready to run the openshift-tests. Our CI only uses a subset
of tests, to get the current ``TEST_SKIPS`` see of tests, to get the current ``TEST_SKIPS`` see
[the pipeline config](https://github.com/openshift/release/tree/master/ci-operator/config/kata-containers/kata-containers). [the pipeline config](https://github.com/openshift/release/tree/master/ci-operator/config/kata-containers/kata-containers).
@@ -115,7 +98,7 @@ Let's say the OCP pipeline passed running with
but failed running with but failed running with
``quay.io/kata-containers/kata-deploy-ci:kata-containers-9f512c016e75599a4a921bd84ea47559fe610057-amd64`` ``quay.io/kata-containers/kata-deploy-ci:kata-containers-9f512c016e75599a4a921bd84ea47559fe610057-amd64``
and you'd like to know which PR caused the regression. You can either run with and you'd like to know which PR caused the regression. You can either run with
all the 60 tags between or you can utilize the [`bisecter`](https://github.com/ldoktor/bisecter) all the 60 tags between or you can utilize the [bisecter](https://github.com/ldoktor/bisecter)
to optimize the number of steps in between. to optimize the number of steps in between.
Before running the bisection you need a reproducer script. Sample one called Before running the bisection you need a reproducer script. Sample one called


@@ -46,12 +46,16 @@ fi
[[ ${SELINUX_PERMISSIVE} == "yes" ]] && oc delete -f "${deployments_dir}/machineconfig_selinux.yaml.in" [[ ${SELINUX_PERMISSIVE} == "yes" ]] && oc delete -f "${deployments_dir}/machineconfig_selinux.yaml.in"
# Delete kata-containers # Delete kata-containers
helm uninstall kata-deploy --wait --namespace kube-system pushd "${katacontainers_repo_dir}/tools/packaging/kata-deploy" || { echo "Failed to push to ${katacontainers_repo_dir}/tools/packaging/kata-deploy"; exit 125; }
oc delete -f kata-deploy/base/kata-deploy.yaml
oc -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod oc -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod
oc apply -f kata-cleanup/base/kata-cleanup.yaml
echo "Wait for all related pods to be gone" echo "Wait for all related pods to be gone"
( repeats=1; for _ in $(seq 1 600); do ( repeats=1; for _ in $(seq 1 600); do
oc get pods -l name="kubelet-kata-cleanup" --no-headers=true -n kube-system 2>&1 | grep "No resources found" -q && ((repeats++)) || repeats=1 oc get pods -l name="kubelet-kata-cleanup" --no-headers=true -n kube-system 2>&1 | grep "No resources found" -q && ((repeats++)) || repeats=1
[[ "${repeats}" -gt 5 ]] && echo kata-cleanup finished && break [[ "${repeats}" -gt 5 ]] && echo kata-cleanup finished && break
sleep 1 sleep 1
done) || { echo "There are still some kata-cleanup related pods after 600 iterations"; oc get all -n kube-system; exit 1; } done) || { echo "There are still some kata-cleanup related pods after 600 iterations"; oc get all -n kube-system; exit 1; }
oc delete -f kata-cleanup/base/kata-cleanup.yaml
oc delete -f kata-rbac/base/kata-rbac.yaml
oc delete -f runtimeclasses/kata-runtimeClasses.yaml oc delete -f runtimeclasses/kata-runtimeClasses.yaml
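Review bot: The `pushd "${katacontainers_repo_dir}/tools/packaging/kata-deploy"` at the top of the hunk has no matching `popd` anywhere in the hunk, so if the script continues after `oc delete -f runtimeclasses/kata-runtimeClasses.yaml`, every later relative path resolves inside the kata-deploy directory rather than where the caller started; a `popd` after the last `oc delete`, or running the block in a subshell, keeps the working directory intact. The wait loop that follows `oc apply -f kata-cleanup/base/kata-cleanup.yaml` counts consecutive "No resources found" results starting immediately after the apply, so it appears able to declare `kata-cleanup finished` before the DaemonSet controller has created any `kubelet-kata-cleanup` pod if that takes more than about five seconds; requiring that at least one pod was observed before absences are counted would close that window. The enclosing script starts before this hunk.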


@@ -43,22 +43,19 @@ WORKAROUND_9206_CRIO=${WORKAROUND_9206_CRIO:-no}
# Leverage kata-deploy to install Kata Containers in the cluster. # Leverage kata-deploy to install Kata Containers in the cluster.
# #
apply_kata_deploy() { apply_kata_deploy() {
if ! command -v helm &>/dev/null; then local deploy_file="tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml"
echo "Helm not installed, installing in current location..." pushd "${katacontainers_repo_dir}" || die
PATH=".:${PATH}" sed -ri "s#(\s+image:) .*#\1 ${KATA_DEPLOY_IMAGE}#" "${deploy_file}"
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | HELM_INSTALL_DIR='.' bash -s -- --no-sudo
fi
info "Applying kata-deploy"
oc apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
oc label --overwrite ns kube-system pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/audit=baseline oc label --overwrite ns kube-system pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/audit=baseline
local version chart oc apply -f "${deploy_file}"
version='0.0.0-dev' oc -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
chart="oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy"
# Ensure any potential leftover is cleaned up ... and this secret usually is not in case of previous failures info "Adding the kata runtime classes"
oc delete secret sh.helm.release.v1.kata-deploy.v1 -n kube-system || true oc apply -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
popd || die
echo "Installing kata using helm ${chart} ${version} (sha printed in helm output)"
helm install kata-deploy --wait --namespace kube-system --set "image.reference=${KATA_DEPLOY_IMAGE%%:*},image.tag=${KATA_DEPLOY_IMAGE##*:}" "${chart}" --version "${version}"
} }
@@ -177,13 +174,13 @@ wait_for_app_pods_message() {
local namespace="$5" local namespace="$5"
[[ -z "${pod_count}" ]] && pod_count=1 [[ -z "${pod_count}" ]] && pod_count=1
[[ -z "${timeout}" ]] && timeout=60 [[ -z "${timeout}" ]] && timeout=60
[[ -n "${namespace}" ]] && namespace=("-n" "${namespace}") [[ -n "${namespace}" ]] && namespace=" -n ${namespace} "
local pod local pod
local pods local pods
local i local i
SECONDS=0 SECONDS=0
while :; do while :; do
mapfile -t pods < <(oc get pods -l app="${app}" --no-headers=true "${namespace[@]}" | awk '{print $1}') mapfile -t pods < <(oc get pods -l app="${app}" --no-headers=true "${namespace}" | awk '{print $1}')
[[ "${#pods}" -ge "${pod_count}" ]] && break [[ "${#pods}" -ge "${pod_count}" ]] && break
if [[ "${SECONDS}" -gt "${timeout}" ]]; then if [[ "${SECONDS}" -gt "${timeout}" ]]; then
printf "Unable to find ${pod_count} pods for '-l app=\"${app}\"' in ${SECONDS}s (%s)" "${pods[@]}" printf "Unable to find ${pod_count} pods for '-l app=\"${app}\"' in ${SECONDS}s (%s)" "${pods[@]}"
@@ -193,7 +190,7 @@ wait_for_app_pods_message() {
local log local log
for pod in "${pods[@]}"; do for pod in "${pods[@]}"; do
while :; do while :; do
log=$(oc logs "${namespace[@]}" "${pod}") log=$(oc logs "${namespace}" "${pod}")
echo "${log}" | grep "${message}" -q && echo "Found $(echo "${log}" | grep "${message}") in ${pod}'s log (${SECONDS})" && break; echo "${log}" | grep "${message}" -q && echo "Found $(echo "${log}" | grep "${message}") in ${pod}'s log (${SECONDS})" && break;
if [[ "${SECONDS}" -gt "${timeout}" ]]; then if [[ "${SECONDS}" -gt "${timeout}" ]]; then
echo -n "Message '${message}' not present in '${pod}' pod of the '-l app=\"${app}\"' " echo -n "Message '${message}' not present in '${pod}' pod of the '-l app=\"${app}\"' "
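Review bot: `namespace=" -n ${namespace} "` in `wait_for_app_pods_message`, combined with the quoted `"${namespace}"` in the `oc get pods` call and in `oc logs "${namespace}" "${pod}"` in the following hunk, hands oc one positional argument containing the spaces and the flag text instead of the `-n` flag and its value, so the namespace is never applied, and an empty `""` argument is passed when no namespace was given. Keeping the option as a word list fixes both call sites: `local -a ns_args=(); [[ -n "${namespace}" ]] && ns_args=("-n" "${namespace}")` and then `"${ns_args[@]}"` where `"${namespace}"` is used now, which expands to nothing when the array is empty. `wait_for_app_pods_message` starts before this hunk.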


@@ -12,48 +12,6 @@
SCRIPT_DIR=$(dirname "$0") SCRIPT_DIR=$(dirname "$0")
##################
# Helper functions
##################
# Sparse "git clone" supporting old git version
# $1 - origin
# $2 - revision
# $3- - sparse checkout paths
# Note: uses pushd to change into the clonned directory!
git_sparse_clone() {
local origin="$1"
local revision="$2"
shift 2
local sparse_paths=("$@")
local repo
repo=$(basename -s .git "${origin}")
git init "${repo}"
pushd "${repo}" || exit 1
git remote add origin "${origin}"
git fetch --depth 1 origin "${revision}"
git sparse-checkout init --cone
git sparse-checkout set "${sparse_paths[@]}"
git checkout FETCH_HEAD
}
#######################
# Install prerequisites
#######################
if ! command -v helm &>/dev/null; then
echo "Helm not installed, installing in current location..."
PATH="${PWD}:${PATH}"
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | HELM_INSTALL_DIR='.' bash -s -- --no-sudo
fi
if ! command -v yq &>/dev/null; then
echo "yq not installed, installing in current location..."
PATH="${PWD}:${PATH}"
curl -fsSL https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -o ./yq
chmod +x yq
fi
############################### ###############################
# Disable security to allow e2e # Disable security to allow e2e
############################### ###############################
@@ -98,6 +56,7 @@ AZURE_REGION=$(az group show --resource-group "${AZURE_RESOURCE_GROUP}" --query
# Create workload identity # Create workload identity
AZURE_WORKLOAD_IDENTITY_NAME="caa-${AZURE_CLIENT_ID}" AZURE_WORKLOAD_IDENTITY_NAME="caa-${AZURE_CLIENT_ID}"
az identity create --name "${AZURE_WORKLOAD_IDENTITY_NAME}" --resource-group "${AZURE_RESOURCE_GROUP}" --location "${AZURE_REGION}" az identity create --name "${AZURE_WORKLOAD_IDENTITY_NAME}" --resource-group "${AZURE_RESOURCE_GROUP}" --location "${AZURE_REGION}"
USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${AZURE_RESOURCE_GROUP}" --name "${AZURE_WORKLOAD_IDENTITY_NAME}" --query 'clientId' -otsv)"
############################# #############################
@@ -157,83 +116,118 @@ az network vnet subnet update \
for NODE_NAME in $(kubectl get nodes -o jsonpath='{.items[*].metadata.name}'); do [[ "${NODE_NAME}" =~ 'worker' ]] && kubectl label node "${NODE_NAME}" node.kubernetes.io/worker=; done for NODE_NAME in $(kubectl get nodes -o jsonpath='{.items[*].metadata.name}'); do [[ "${NODE_NAME}" =~ 'worker' ]] && kubectl label node "${NODE_NAME}" node.kubernetes.io/worker=; done
# CAA artifacts # CAA artifacts
if [[ -z "${CAA_TAG}" ]]; then CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor"
if [[ -n "${CAA_IMAGE}" ]]; then TAGS="$(curl https://quay.io/api/v1/repository/confidential-containers/cloud-api-adaptor/tag/?onlyActiveTags=true)"
echo "CAA_IMAGE (${CAA_IMAGE}) is set but CAA_TAG isn't, which is not supported. Please specify both or none" DIGEST=$(echo "${TAGS}" | jq -r '.tags[] | select(.name | contains("latest-amd64")) | .manifest_digest')
exit 1 CAA_TAG="$(echo "${TAGS}" | jq -r '.tags[] | select(.manifest_digest | contains("'"${DIGEST}"'")) | .name' | grep -v "latest")"
fi
TAGS="$(curl https://quay.io/api/v1/repository/confidential-containers/cloud-api-adaptor/tag/?onlyActiveTags=true)"
DIGEST=$(echo "${TAGS}" | jq -r '.tags[] | select(.name | contains("latest-amd64")) | .manifest_digest')
CAA_TAG="$(echo "${TAGS}" | jq -r '.tags[] | select(.manifest_digest | contains("'"${DIGEST}"'")) | .name' | grep -v "latest")"
fi
if [[ -z "${CAA_IMAGE}" ]]; then
CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor"
fi
# Get latest PP image # Get latest PP image
# SUCCESS_TIME=$(curl -s \
# You can list the CI images by: -H "Accept: application/vnd.github+json" \
# az sig image-version list-community --location "eastus" --public-gallery-name "cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85" --gallery-image-definition "podvm_image0" --output table "https://api.github.com/repos/confidential-containers/cloud-api-adaptor/actions/workflows/azure-nightly-build.yml/runs?status=success" \
# or the release images by: | jq -r '.workflow_runs[0].updated_at')
# az sig image-version list-community --location "eastus" --public-gallery-name "cococommunity-42d8482d-92cd-415b-b332-7648bd978eff" --gallery-image-definition "peerpod-podvm-fedora" --output table PP_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/$(date -u -jf "%Y-%m-%dT%H:%M:%SZ" "${SUCCESS_TIME}" "+%Y.%m.%d" 2>/dev/null || date -d "${SUCCESS_TIME}" +%Y.%m.%d)"
# or the release debug images by:
# az sig image-version list-community --location "eastus" --public-gallery-name "cococommunity-42d8482d-92cd-415b-b332-7648bd978eff" --gallery-image-definition "peerpod-podvm-fedora-debug" --output table
#
# Note there are other flavours of the released images, you can list them by:
# az sig image-definition list-community --location "eastus" --public-gallery-name "cococommunity-42d8482d-92cd-415b-b332-7648bd978eff" --output table
if [[ -z "${PP_IMAGE_ID}" ]]; then
SUCCESS_TIME=$(curl -s \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/confidential-containers/cloud-api-adaptor/actions/workflows/azure-nightly-build.yml/runs?status=success" \
| jq -r '.workflow_runs[0].updated_at')
PP_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/$(date -u -jf "%Y-%m-%dT%H:%M:%SZ" "${SUCCESS_TIME}" "+%Y.%m.%d" 2>/dev/null || date -d "${SUCCESS_TIME}" +%Y.%m.%d)"
fi
echo "AZURE_REGION=\"${AZURE_REGION}\"" echo "AZURE_REGION: \"${AZURE_REGION}\""
echo "PP_REGION=\"${PP_REGION}\"" echo "PP_REGION: \"${PP_REGION}\""
echo "AZURE_RESOURCE_GROUP=\"${AZURE_RESOURCE_GROUP}\"" echo "AZURE_RESOURCE_GROUP: \"${AZURE_RESOURCE_GROUP}\""
echo "PP_RESOURCE_GROUP=\"${PP_RESOURCE_GROUP}\"" echo "PP_RESOURCE_GROUP: \"${PP_RESOURCE_GROUP}\""
echo "PP_SUBNET_ID=\"${PP_SUBNET_ID}\"" echo "PP_SUBNET_ID: \"${PP_SUBNET_ID}\""
echo "CAA_IMAGE=\"${CAA_IMAGE}\"" echo "CAA_TAG: \"${CAA_TAG}\""
echo "CAA_TAG=\"${CAA_TAG}\"" echo "PP_IMAGE_ID: \"${PP_IMAGE_ID}\""
echo "PP_IMAGE_ID=\"${PP_IMAGE_ID}\""
# Install cert-manager (prerequisit)
helm install cert-manager oci://quay.io/jetstack/charts/cert-manager --namespace cert-manager --create-namespace --set crds.enabled=true
# Clone and configure caa # Clone and configure caa
git_sparse_clone "https://github.com/confidential-containers/cloud-api-adaptor.git" "${CAA_GIT_SHA:-main}" "src/cloud-api-adaptor/install/charts/" "src/peerpod-ctrl/chart" "src/webhook/chart" git clone --depth 1 --no-checkout https://github.com/confidential-containers/cloud-api-adaptor.git
echo "CAA_GIT_SHA=\"$(git rev-parse HEAD)\"" pushd cloud-api-adaptor
pushd src/cloud-api-adaptor/install/charts/peerpods git sparse-checkout init --cone
# Use the latest kata-deploy git sparse-checkout set src/cloud-api-adaptor/install/
yq -i '( .dependencies[] | select(.name == "kata-deploy") ) .version = "0.0.0-dev"' Chart.yaml git checkout
helm dependency update . echo "CAA_GIT_SHA: \"$(git rev-parse HEAD)\""
# Create secrets pushd src/cloud-api-adaptor
kubectl apply -f - << EOF cat <<EOF > install/overlays/azure/workload-identity.yaml
apiVersion: v1 apiVersion: apps/v1
kind: Namespace kind: DaemonSet
metadata: metadata:
name: confidential-containers-system name: cloud-api-adaptor-daemonset
labels: namespace: confidential-containers-system
app.kubernetes.io/managed-by: Helm spec:
annotations: template:
meta.helm.sh/release-name: peerpods metadata:
meta.helm.sh/release-namespace: confidential-containers-system labels:
azure.workload.identity/use: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloud-api-adaptor
namespace: confidential-containers-system
annotations:
azure.workload.identity/client-id: "${USER_ASSIGNED_CLIENT_ID}"
EOF EOF
kubectl create secret generic my-provider-creds \ PP_INSTANCE_SIZE="Standard_D2as_v5"
-n confidential-containers-system \ DISABLECVM="true"
--from-literal=AZURE_CLIENT_ID="$AZURE_CLIENT_ID" \ cat <<EOF > install/overlays/azure/kustomization.yaml
--from-literal=AZURE_CLIENT_SECRET="$AZURE_CLIENT_SECRET" \ apiVersion: kustomize.config.k8s.io/v1beta1
--from-literal=AZURE_TENANT_ID="$AZURE_TENANT_ID" kind: Kustomization
helm install peerpods . -f providers/azure.yaml --set secrets.mode=reference --set secrets.existingSecretName=my-provider-creds --set providerConfigs.azure.AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}" --set providerConfigs.azure.AZURE_REGION="${PP_REGION}" --set providerConfigs.azure.AZURE_INSTANCE_SIZE="Standard_D2as_v5" --set providerConfigs.azure.AZURE_RESOURCE_GROUP="${PP_RESOURCE_GROUP}" --set providerConfigs.azure.AZURE_SUBNET_ID="${PP_SUBNET_ID}" --set providerConfigs.azure.AZURE_IMAGE_ID="${PP_IMAGE_ID}" --set providerConfigs.azure.DISABLECVM="true" --set providerConfigs.azure.PEERPODS_LIMIT_PER_NODE="50" --set kata-deploy.snapshotter.setup= --dependency-update -n confidential-containers-system --create-namespace --wait bases:
popd # charts - ../../yamls
popd # git_sparse_clone CAA images:
- name: cloud-api-adaptor
newName: "${CAA_IMAGE}"
newTag: "${CAA_TAG}"
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- name: peer-pods-cm
namespace: confidential-containers-system
literals:
- CLOUD_PROVIDER="azure"
- AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}"
- AZURE_REGION="${PP_REGION}"
- AZURE_INSTANCE_SIZE="${PP_INSTANCE_SIZE}"
- AZURE_RESOURCE_GROUP="${PP_RESOURCE_GROUP}"
- AZURE_SUBNET_ID="${PP_SUBNET_ID}"
- AZURE_IMAGE_ID="${PP_IMAGE_ID}"
- DISABLECVM="${DISABLECVM}"
- PEERPODS_LIMIT_PER_NODE="50"
secretGenerator:
- name: peer-pods-secret
namespace: confidential-containers-system
envs:
- service-principal.env
- name: ssh-key-secret
namespace: confidential-containers-system
files:
- id_rsa.pub
patchesStrategicMerge:
- workload-identity.yaml
EOF
ssh-keygen -t rsa -f install/overlays/azure/id_rsa -N ''
echo "AZURE_CLIENT_ID=${AZURE_CLIENT_ID}" > install/overlays/azure/service-principal.env
echo "AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" >> install/overlays/azure/service-principal.env
echo "AZURE_TENANT_ID=${AZURE_TENANT_ID}" >> install/overlays/azure/service-principal.env
# Deploy Operator
git clone --depth 1 --no-checkout https://github.com/confidential-containers/operator
pushd operator
git sparse-checkout init --cone
git sparse-checkout set "config/"
git checkout
echo "OPERATOR_SHA: \"$(git rev-parse HEAD)\""
oc apply -k "config/release"
oc apply -k "config/samples/ccruntime/peer-pods"
popd
# Deploy CAA
kubectl apply -k "install/overlays/azure"
popd
popd
# Wait for runtimeclass # Wait for runtimeclass
SECONDS=0 SECONDS=0
( while [[ "${SECONDS}" -lt 360 ]]; do ( while [[ "${SECONDS}" -lt 360 ]]; do
kubectl get runtimeclass | grep -q kata-remote && exit 0 kubectl get runtimeclass | grep -q kata-remote && exit 0
done; exit 1 ) || { echo "kata-remote runtimeclass not initialized in 60s"; kubectl -n confidential-containers-system get all; echo; echo "kubectl -n confidential-containers-system describe all"; kubectl -n confidential-containers-system describe all; echo; echo CAA; kubectl -n confidential-containers-system logs daemonset.apps/cloud-api-adaptor-daemonset; echo pre-install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-pre-install-daemon; echo install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-daemon-install; exit 1; } done; exit 1 ) || { echo "kata-remote runtimeclass not initialized in 60s"; kubectl -n confidential-containers-system get all; echo; echo CAA; kubectl -n confidential-containers-system logs daemonset.apps/cloud-api-adaptor-daemonset; echo pre-install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-pre-install-daemon; echo install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-daemon-install; exit 1; }
################ ################
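Review bot: The three `echo ... install/overlays/azure/service-principal.env` lines before `# Deploy Operator` write the Azure client secret in plaintext into the cloned working tree, and `ssh-keygen -t rsa -f install/overlays/azure/id_rsa -N ''` leaves an unencrypted private key next to it; nothing in the hunk restricts their permissions or removes them after `kubectl apply -k "install/overlays/azure"`, so on a shared runner they outlive the job. Creating them under `umask 077` and registering an EXIT trap that removes both files by absolute path (the script changes directory several times, so relative paths in the trap would not be reliable) would bound the exposure. Separately, the `curl https://quay.io/api/v1/repository/...` call that feeds `TAGS` runs without `-fsS`, so an HTTP error body is piped into jq and yields an empty `CAA_TAG` that only surfaces when the kustomization is applied; `curl -fsS` fails at the source instead. The surrounding script starts before this hunk.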


@@ -1,18 +0,0 @@
# https://lukasgeiter.github.io/mkdocs-awesome-nav/
nav:
- Home: index.md
- Getting Started:
- prerequisites.md
- installation.md
- Configuration:
- helm-configuration.md
- runtime-configuration.md
- Platform Support:
- hypervisors.md
- Guides:
- Use Cases:
- NVIDIA GPU Passthrough: use-cases/NVIDIA-GPU-passthrough-and-Kata-QEMU.md
- NVIDIA vGPU: use-cases/NVIDIA-GPU-passthrough-and-Kata.md
- Intel Discrete GPU: use-cases/Intel-Discrete-GPU-passthrough-and-Kata.md
- Misc:
- Architecture: design/architecture/


@@ -83,4 +83,4 @@ files to the repository and create a pull request when you are ready.
If you have an idea for a blog post and would like to get feedback from the If you have an idea for a blog post and would like to get feedback from the
community about it or have any questions about the process, please reach out community about it or have any questions about the process, please reach out
on one of the community's [communication channels](https://katacontainers.io/community/). on one of the community's [communication channels](https://katacontainers.io/community/).


@@ -125,7 +125,7 @@ If you want to enable SELinux in Permissive mode, add `enforcing=0` to the kerne
Enable full debug as follows: Enable full debug as follows:
```bash ```bash
$ sudo sed -i -E 's/^(\s*enable_debug\s*=\s*)false/\1true/' /etc/kata-containers/configuration.toml $ sudo sed -i -e 's/^# *\(enable_debug\).*=.*$/\1 = true/g' /etc/kata-containers/configuration.toml
$ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.log=debug initcall_debug"/g' /etc/kata-containers/configuration.toml $ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.log=debug initcall_debug"/g' /etc/kata-containers/configuration.toml
``` ```
@@ -289,14 +289,14 @@ provided by your distribution.
As a prerequisite, you need to install Docker. Otherwise, you will not be As a prerequisite, you need to install Docker. Otherwise, you will not be
able to run the `rootfs.sh` script with `USE_DOCKER=true` as expected in able to run the `rootfs.sh` script with `USE_DOCKER=true` as expected in
the following example. Specifying the `OS_VERSION` is required when using `distro="ubuntu"`. the following example.
```bash ```bash
$ export distro="ubuntu" # example $ export distro="ubuntu" # example
$ export ROOTFS_DIR="$(realpath kata-containers/tools/osbuilder/rootfs-builder/rootfs)" $ export ROOTFS_DIR="$(realpath kata-containers/tools/osbuilder/rootfs-builder/rootfs)"
$ sudo rm -rf "${ROOTFS_DIR}" $ sudo rm -rf "${ROOTFS_DIR}"
$ pushd kata-containers/tools/osbuilder/rootfs-builder $ pushd kata-containers/tools/osbuilder/rootfs-builder
$ script -fec 'sudo -E USE_DOCKER=true OS_VERSION=noble ./rootfs.sh "${distro}"' $ script -fec 'sudo -E USE_DOCKER=true ./rootfs.sh "${distro}"'
$ popd $ popd
``` ```
@@ -450,7 +450,7 @@ You can build and install the guest kernel image as shown [here](../tools/packag
# Install a hypervisor # Install a hypervisor
When setting up Kata using a [packaged installation method](install/README.md#installing-on-a-linux-system), the When setting up Kata using a [packaged installation method](install/README.md#installing-on-a-linux-system), the
`QEMU` VMM is installed automatically. Cloud-Hypervisor, Firecracker and StratoVirt VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/helm-chart/README.md). `QEMU` VMM is installed automatically. Cloud-Hypervisor, Firecracker and StratoVirt VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/README.md).
You may choose to manually build your VMM/hypervisor. You may choose to manually build your VMM/hypervisor.
## Build a custom QEMU ## Build a custom QEMU
@@ -522,18 +522,10 @@ $ sudo kata-runtime check
If your system is *not* able to run Kata Containers, the previous command will error out and explain why. If your system is *not* able to run Kata Containers, the previous command will error out and explain why.
# Run Kata Containers with Containerd # Run Kata Containers with Containerd
Refer to the [How to use Kata Containers and Containerd](how-to/containerd-kata.md) how-to guide. Refer to the [How to use Kata Containers and Containerd](how-to/containerd-kata.md) how-to guide.
# Run Kata Containers with Kubernetes # Run Kata Containers with Kubernetes
Refer to the [Run Kata Containers with Kubernetes](how-to/run-kata-with-k8s.md) how-to guide.
- Containerd
Refer to the [How to use Kata Containers and Containerd with Kubernetes](how-to/how-to-use-k8s-with-containerd-and-kata.md) how-to guide.
- CRI-O
Refer to the [How to use Kata Containers and CRI-O with Kubernetes](how-to/how-to-use-k8s-with-crio-and-kata.md) how-to guide.
# Troubleshoot Kata Containers # Troubleshoot Kata Containers
@@ -738,7 +730,7 @@ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.debug_cons
##### Connecting to the debug console ##### Connecting to the debug console
Next, connect to the debug console. The VSOCK paths vary slightly between each Next, connect to the debug console. The VSOCKS paths vary slightly between each
VMM solution. VMM solution.
In case of cloud-hypervisor, connect to the `vsock` as shown: In case of cloud-hypervisor, connect to the `vsock` as shown:


@@ -1,11 +0,0 @@
# Copyright 2026 Kata Contributors
#
# SPDX-License-Identifier: Apache-2.0
#
FROM python:3.12-slim
WORKDIR /
COPY ./requirements.txt requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
ENTRYPOINT ["python3", "-m", "mkdocs"]


@@ -188,14 +188,15 @@ and compare them with standard tools (e.g. `diff(1)`).
# Spelling # Spelling
Since this project uses a number of terms not found in conventional Since this project uses a number of terms not found in conventional
dictionaries, we have a [kata-dictionary](../tests/spellcheck/kata-dictionary.txt) dictionaries, we have a
that contains some project specific terms we use. [spell checking tool](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-spelling)
that checks both dictionary words and the additional terms we use.
You can run the `cspell` checking tool on your document before raising a PR to ensure it Run the spell checking tool on your document before raising a PR to ensure it
is free of mistakes. is free of mistakes.
If your document introduces new terms, you need to update the custom If your document introduces new terms, you need to update the custom
dictionary to incorporate the new words. dictionary used by the spell checking tool to incorporate the new words.
# Names # Names


@@ -166,95 +166,19 @@ moment.
See [this issue](https://github.com/kata-containers/runtime/issues/2812) for more details. See [this issue](https://github.com/kata-containers/runtime/issues/2812) for more details.
[Another issue](https://github.com/kata-containers/kata-containers/issues/1728) focuses on the case of `emptyDir`. [Another issue](https://github.com/kata-containers/kata-containers/issues/1728) focuses on the case of `emptyDir`.
### Kubernetes [hostPath][k8s-hostpath] volumes ## Host resource sharing
In Kata, Kubernetes hostPath volumes can mount host directories and ### Privileged containers
regular files into the guest VM via filesystem sharing, if it is enabled
through the `shared_fs` [configuration][runtime-config] flag.
By default:
- Non-TEE environment: Filesystem sharing is used to mount host files.
- TEE environment: Filesystem sharing is disabled. Instead, host files
are copied into the guest VM when the container starts, and file
changes are *not* synchronized between the host and the guest.
In some cases, the behavior of hostPath volumes in Kata is further
different compared to `runc` containers:
**Mounting host block devices**: When a hostPath volume is of type
[`BlockDevice`][k8s-blockdevice], Kata hotplugs the host block device
into the guest and exposes it directly to the container.
**Mounting guest devices**: When the source path of a hostPath volume is
under `/dev` (or `/dev` itself), and the path corresponds to a
non-regular file (i.e., a device, directory, or any other special file)
or is not accessible by the Kata shim, the Kata agent bind mounts the
source path directly from the *guest* filesystem into the container.
[runtime-config]: /src/runtime/README.md#configuration
[k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
[k8s-blockdevice]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-volume-types
### Mounting `procfs` and `sysfs`
For security reasons, the following mounts are disallowed:
| Type | Source | Destination | Rationale |
|-------------------|-----------|----------------------------------|----------------|
| `bind` | `!= proc` | `/proc` | CVE-2019-16884 |
| `bind` | `*` | `/proc/*` (see exceptions below) | CVE-2019-16884 |
| `proc \|\| sysfs` | `*` | not a directory (e.g. symlink) | CVE-2019-19921 |
For bind mounts under /proc, these destinations are allowed:
* `/proc/cpuinfo`
* `/proc/diskstats`
* `/proc/meminfo`
* `/proc/stat`
* `/proc/swaps`
* `/proc/uptime`
* `/proc/loadavg`
* `/proc/net/dev`
## Privileged containers
Privileged support in Kata is essentially different from `runc` containers. Privileged support in Kata is essentially different from `runc` containers.
The container runs with elevated capabilities within the guest. The container runs with elevated capabilities within the guest and is granted
access to guest devices instead of the host devices.
This is also true with using `securityContext privileged=true` with Kubernetes. This is also true with using `securityContext privileged=true` with Kubernetes.
Importantly, the default behavior to pass the host devices to a The container may also be granted full access to a subset of host devices
privileged container is not supported in Kata Containers and needs to be (https://github.com/kata-containers/runtime/issues/1568).
disabled, see [Privileged Kata Containers](how-to/privileged.md).
## Guest pulled container images See [Privileged Kata Containers](how-to/privileged.md) for how to configure some of this behavior.
When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec.
If the ID values are omitted:
- Your workload might be executed with unexpected user/group ID values, because image layers
may be unavailable to containerd, so image config (including user/group) is not applied.
- If using policy or genpolicy, the generated policy may detect these unexpected values and
reject the creation of workload containers.
Set `securityContext` explicitly. Use **pod-level** `spec.securityContext` (for Pods) or
`spec.template.spec.securityContext` (for controllers like Deployments) and/or **container-level**
`spec.containers[].securityContext`. Include at least:
- `runAsUser` — primary user ID
- `runAsGroup` — primary group ID
- `fsGroup` — volume group ownership (often reflected as a supplemental group)
- `supplementalGroups` — list of additional group IDs (if needed)
Example:
```yaml
# Explicit user/group/supplementary groups to support nydus guest-pull
securityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: [1, 2, 3, 4, 6, 10, 11, 20, 26, 27]
```
# Appendices # Appendices


@@ -83,7 +83,3 @@ Documents that help to understand and contribute to Kata Containers.
If you have a suggestion for how we can improve the If you have a suggestion for how we can improve the
[website](https://katacontainers.io), please raise an issue (or a PR) on [website](https://katacontainers.io), please raise an issue (or a PR) on
[the repository that holds the source for the website](https://github.com/OpenStackweb/kata-netlify-refresh). [the repository that holds the source for the website](https://github.com/OpenStackweb/kata-netlify-refresh).
### Toolchain Guidance
* [Toolchain Guidance](./Toochain-Guidance.md)


@@ -1,69 +1,59 @@
# How to do a Kata Containers Release # How to do a Kata Containers Release
This document lists the tasks required to create a Kata Release. This document lists the tasks required to create a Kata Release.
## Requirements ## Requirements
- GitHub permissions to run workflows. - GitHub permissions to run workflows.
## Release Model ## Versioning
Kata Containers follows a rolling release model with monthly snapshots. The Kata Containers project uses [semantic versioning](http://semver.org/) for all releases.
New features, bug fixes, and improvements are continuously integrated into Semantic versions are comprised of three fields in the form:
`main`. Each month, a snapshot is tagged as a new `MINOR` release.
### Versioning ```
MAJOR.MINOR.PATCH
```
Releases use the `MAJOR.MINOR.PATCH` scheme. Monthly snapshots increment When `MINOR` increases, the new release adds **new features** but *without changing the existing behavior*.
`MINOR`; `PATCH` is typically `0`. Major releases are rare (years apart) and
signal significant architectural changes that may require updates to container
managers (Containerd, CRI-O) or other infrastructure. Breaking changes in
`MINOR` releases are avoided where possible, but may occasionally occur as
features are deprecated or removed.
### No Stable Branches When `MAJOR` increases, the new release adds **new features, bug fixes, or
both** and which **changes the behavior from the previous release** (incompatible with previous releases).
The Kata Containers project does not maintain stable branches (see A major release will also likely require a change of the container manager version used,
[#9064](https://github.com/kata-containers/kata-containers/issues/9064)). -for example Containerd or CRI-O. Please refer to the release notes for further details.
Bug fixes land on `main` and ship in the next monthly snapshot rather than
being backported. Downstream projects that need extended support or compliance **Important** : the Kata Containers project doesn't have stable branches (see
certifications should select a monthly snapshot as their stable base and manage [this issue](https://github.com/kata-containers/kata-containers/issues/9064) for details).
their own validation and patch backporting from there. Bug fixes are released as part of `MINOR` or `MAJOR` releases only. `PATCH` is always `0`.
## Release Process ## Release Process
### Lock the `main` branch and announce release process
In order to prevent any PRs getting merged during the release process, and
slowing the release process down, by impacting the payload caches, we have
recently trialed setting the `main` branch to read-only.
Once the `kata-containers/kata-containers` repository is ready for a new
release, lock the main branch until the release action has completed.
Notify the #kata-dev Slack channel about the ongoing release process.
Ideally, CI usage by others should be reduced to a minimum during the
ongoing release process.
> [!NOTE]
> Admin permission is needed to lock/unlock the `main` branch.
### Bump the `VERSION` and `Chart.yaml` file ### Bump the `VERSION` and `Chart.yaml` file
Create a PR to set the release in the [`VERSION`](./../VERSION) file and to When the `kata-containers/kata-containers` repository is ready for a new release,
update the `version` and `appVersion` fields in the first create a PR to set the release in the [`VERSION`](./../VERSION) file and update the
[`Chart.yaml`](./../tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml) `version` and `appVersion` in the
file. Temporarily unlock the main branch to merge the PR. [`Chart.yaml`](./../tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml) file and
have it merged.
### Lock the `main` branch
In order to prevent any PRs getting merged during the release process, and slowing the release
process down, by impacting the payload caches, we have recently trailed setting the `main`
branch to read only whilst the release action runs.
> [!NOTE]
> Admin permission is needed to complete this task.
### Wait for the `VERSION` bump PR payload publish to complete ### Wait for the `VERSION` bump PR payload publish to complete
To reduce the chance of need to re-run the release workflow, check the [CI | To reduce the chance of need to re-run the release workflow, check the
Publish Kata Containers [CI | Publish Kata Containers payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml)
payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml)
once the `VERSION` PR bump has merged to check that the assets build correctly once the `VERSION` PR bump has merged to check that the assets build correctly
and are cached, so that the release process can just download these artifacts and are cached, so that the release process can just download these artifacts
rather than needing to build them all, which takes time and can reveal errors in rather than needing to build them all, which takes time and can reveal errors in infra.
infra.
### Trigger the `Release Kata Containers` GitHub Action ### Check GitHub Actions
We make use of [GitHub actions](https://github.com/features/actions) in the We make use of [GitHub actions](https://github.com/features/actions) in the
[release](https://github.com/kata-containers/kata-containers/actions/workflows/release.yaml) [release](https://github.com/kata-containers/kata-containers/actions/workflows/release.yaml)
@@ -73,10 +63,11 @@ release artifacts.
> [!NOTE] > [!NOTE]
> Write permissions to trigger the action. > Write permissions to trigger the action.
The action is manually triggered and is responsible for generating a new release The action is manually triggered and is responsible for generating a new
(including a new tag), pushing those to the `kata-containers/kata-containers` release (including a new tag), pushing those to the
repository. The new release is initially created as a draft. It is promoted to `kata-containers/kata-containers` repository. The new release is initially
an official release when the whole workflow has completed successfully. created as a draft. It is promoted to an official release when the whole
workflow has completed successfully.
Check the [actions status Check the [actions status
page](https://github.com/kata-containers/kata-containers/actions) to verify all page](https://github.com/kata-containers/kata-containers/actions) to verify all
@@ -84,13 +75,12 @@ steps in the actions workflow have completed successfully. On success, a static
tarball containing Kata release artifacts will be uploaded to the [Release tarball containing Kata release artifacts will be uploaded to the [Release
page](https://github.com/kata-containers/kata-containers/releases). page](https://github.com/kata-containers/kata-containers/releases).
If the workflow fails because of some external environmental causes, e.g. If the workflow fails because of some external environmental causes, e.g. network
network timeout, simply re-run the failed jobs until they eventually succeed. timeout, simply re-run the failed jobs until they eventually succeed.
If for some reason you need to cancel the workflow or re-run it entirely, go If for some reason you need to cancel the workflow or re-run it entirely, go first
first to the [Release to the [Release page](https://github.com/kata-containers/kata-containers/releases) and
page](https://github.com/kata-containers/kata-containers/releases) and delete delete the draft release from the previous run.
the draft release from the previous run.
### Unlock the `main` branch ### Unlock the `main` branch
@@ -100,8 +90,9 @@ an admin to do it.
### Improve the release notes ### Improve the release notes
Release notes are auto-generated by the GitHub CLI tool used as part of our Release notes are auto-generated by the GitHub CLI tool used as part of our
release workflow. However, some manual tweaking may still be necessary in order release workflow. However, some manual tweaking may still be necessary in
to highlight the most important features and bug fixes in a specific release. order to highlight the most important features and bug fixes in a specific
release.
With this in mind, please, poke @channel on #kata-dev and people who worked on With this in mind, please, poke @channel on #kata-dev and people who worked on
the release will be able to contribute to that. the release will be able to contribute to that.


@@ -1,39 +0,0 @@
# Toolchains
As a community we want to strike a balance between having up-to-date toolchains, to receive the
latest security fixes and to be able to benefit from new features and packages, whilst not being
too bleeding edge and disrupting downstream and other consumers. As a result we have the following
guidelines (note, not hard rules) for our go and rust toolchains that we are attempting to try out:
## Go toolchain
Go is released [every six months](https://go.dev/wiki/Go-Release-Cycle) with support for the
[last two major release versions](https://go.dev/doc/devel/release#policy). We always want to
ensure that we are on a supported version so we receive security fixes. To try and make
things easier for some of our users, we aim to be using the older of the two supported major
versions, unless there is a compelling reason to adopt the newer version.
In practice this means that we bump our major version of the go toolchain every six months to
version (1.x-1) in response to a new version (1.x) coming out, which makes our current version
(1.x-2) no longer supported. We will bump the minor version whenever required to satisfy
dependency updates, or security fixes.
Our go toolchain version is recorded in [`versions.yaml`](../versions.yaml) under
`.languages.golang.version` and should match with the version in our `go.mod` files.
## Rust toolchain
Rust has a [six week](https://doc.rust-lang.org/book/appendix-05-editions.html#:~:text=The%20Rust%20language%20and%20compiler,these%20tiny%20changes%20add%20up.)
release cycle and they only support the latest stable release, so if we wanted to remain on a
supported release we would only ever build with the latest stable and bump every 6 weeks.
However feedback from our community has indicated that this is a challenge as downstream consumers
often want to get rust from their distro, or downstream fork and these struggle to keep up with
the six week release schedule. As a result the community has agreed to try out a policy of
"stable-2", where we aim to build with a rust version that is two versions behind the latest stable
version.
In practice this should mean that we bump our rust toolchain every six weeks, to version
1.x-2 when 1.x is released as stable and we should be picking up the latest point release
of that version, if there were any.
The rust-toolchain that we are using is recorded in [`rust-toolchain.toml`](../rust-toolchain.toml).


@@ -198,7 +198,7 @@ fn join_params_with_dash(str: &str, num: i32) -> Result<String> {
return Err("number must be positive"); return Err("number must be positive");
} }
let result = format!("{str}-{num}"); let result = format!("{}-{}", str, num);
Ok(result) Ok(result)
} }
@@ -253,13 +253,13 @@ mod tests {
// Run the tests // Run the tests
for (i, d) in tests.iter().enumerate() { for (i, d) in tests.iter().enumerate() {
// Create a string containing details of the test // Create a string containing details of the test
let msg = format!("test[{i}]: {d:?}"); let msg = format!("test[{}]: {:?}", i, d);
// Call the function under test // Call the function under test
let result = join_params_with_dash(d.str, d.num); let result = join_params_with_dash(d.str, d.num);
// Update the test details string with the results of the call // Update the test details string with the results of the call
let msg = format!("{msg}, result: {result:?}"); let msg = format!("{}, result: {:?}", msg, result);
// Perform the checks // Perform the checks
if d.result.is_ok() { if d.result.is_ok() {
@@ -267,8 +267,8 @@ mod tests {
continue; continue;
} }
let expected_error = format!("{d.result.as_ref().unwrap_err()}"); let expected_error = format!("{}", d.result.as_ref().unwrap_err());
let actual_error = format!("{result.unwrap_err()}"); let actual_error = format!("{}", result.unwrap_err());
assert!(actual_error == expected_error, msg); assert!(actual_error == expected_error, msg);
} }
} }
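Review bot: The new side switches `format!("{str}-{num}")` back to the positional form `format!("{}-{}", str, num)`, and does the same for `msg` in the two test lines; on a toolchain at or above 1.58 clippy's `uninlined_format_args` lint prefers the inlined captures, so if this is not a deliberate downgrade for an older toolchain the captures could stay. The positional form is the right one at `format!("{}", d.result.as_ref().unwrap_err())` and `format!("{}", result.unwrap_err())`, since inline captures accept only plain identifiers, not expressions. The file's path is not visible here, so this may be a documentation snippet rather than a compiled source; join_params_with_dash and the tests module both start outside the hunks.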


@@ -1,9 +0,0 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32">
<!-- Dark background matching the site -->
<rect width="32" height="32" rx="4" fill="#1a1a2e"/>
<!-- Kata logo scaled and centered -->
<g transform="translate(-27, -2) scale(0.75)">
<path d="M70.925 25.22L58.572 37.523 46.27 25.22l2.192-2.192 10.11 10.11 10.11-10.11zm-6.575-.2l-3.188-3.188 3.188-3.188 3.188 3.188zm-4.93-2.54l3.736 3.736-3.736 3.736zm-1.694 7.422l-8.07-8.07 8.07-8.07zm1.694-16.14l3.686 3.686-3.686 3.686zm-13.15 4.682L58.572 6.143l12.353 12.303-2.192 2.192-10.16-10.11-10.11 10.11zm26.997 0L58.572 3.752 43.878 18.446l3.387 3.387-3.387 3.387 14.694 14.694L73.266 25.22l-3.337-3.387z" fill="#f15b3e"/>
</g>
</svg>



@@ -231,6 +231,12 @@ Run the
[markdown checker](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-markdown) [markdown checker](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-markdown)
on your documentation changes. on your documentation changes.
### Spell check
Run the
[spell checker](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-spelling)
on your documentation changes.
## Finally ## Finally
You may wish to read the documentation that the You may wish to read the documentation that the


@@ -4,7 +4,7 @@ As we know, we can interact with cgroups in two ways, **`cgroupfs`** and **`syst
## usage ## usage
For systemd, kata agent configures cgroups according to the following `linux.cgroupsPath` format standard provided by `runc` (`[slice]:[prefix]:[name]`). If you don't provide a valid `linux.cgroupsPath`, kata agent will treat it as `"system.slice:kata_agent:<container-id>"`. For systemd, kata agent configures cgroups according to the following `linux.cgroupsPath` format standard provided by `runc` (`[slice]:[prefix]:[name]`). If you don't provide a valid `linux.cgroupsPath`, kata agent will treat it as `"system.slice:kata_agent:<container-id>"`.
> Here slice is a systemd slice under which the container is placed. If empty, it defaults to system.slice, except when cgroup v2 is used and rootless container is created, in which case it defaults to user.slice. > Here slice is a systemd slice under which the container is placed. If empty, it defaults to system.slice, except when cgroup v2 is used and rootless container is created, in which case it defaults to user.slice.
> >
@@ -65,7 +65,7 @@ The kata agent will translate the parameters in the `linux.resources` of `config
## Systemd Interface ## Systemd Interface
`session.rs` and `system.rs` in `src/agent/rustjail/src/cgroups/systemd/interface` are automatically generated by `zbus-xmlgen`, which is is an accompanying tool provided by `zbus` to generate Rust code from `D-Bus XML interface descriptions`. The specific commands to generate these two files are as follows: `session.rs` and `system.rs` in `src/agent/rustjail/src/cgroups/systemd/interface` are automatically generated by `zbus-xmlgen`, which is is an accompanying tool provided by `zbus` to generate Rust code from `D-Bus XML interface descriptions`. The specific commands to generate these two files are as follows:
```shell ```shell
// system.rs // system.rs
