name: Run the Kata Containers CI on: workflow_call: inputs: commit-hash: required: true type: string pr-number: required: true type: string tag: required: true type: string target-branch: required: false type: string default: "" skip-test: required: false type: string default: no extensive-matrix-autogenerated-policy: required: false type: string default: no secrets: AUTHENTICATED_IMAGE_PASSWORD: required: true AZ_APPID: required: true AZ_TENANT_ID: required: true AZ_SUBSCRIPTION_ID: required: true CI_HKD_PATH: required: true ITA_KEY: required: true QUAY_DEPLOYER_PASSWORD: required: true NGC_API_KEY: required: true KBUILD_SIGN_PIN: required: true permissions: {} jobs: build-kata-static-tarball-amd64: permissions: contents: read packages: write id-token: write attestations: write uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} secrets: KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }} publish-kata-deploy-payload-amd64: needs: build-kata-static-tarball-amd64 permissions: contents: read packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-amd64 commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} runner: ubuntu-22.04 arch: amd64 secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} build-kata-static-tarball-arm64: permissions: contents: read packages: write id-token: write attestations: write uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} secrets: KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }} publish-kata-deploy-payload-arm64: needs: build-kata-static-tarball-arm64 permissions: contents: read packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-arm64 commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} runner: ubuntu-24.04-arm arch: arm64 secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} build-kata-static-tarball-s390x: permissions: contents: read packages: write id-token: write attestations: write uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} secrets: CI_HKD_PATH: ${{ secrets.ci_hkd_path }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} build-kata-static-tarball-ppc64le: permissions: contents: read packages: write uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} publish-kata-deploy-payload-s390x: needs: build-kata-static-tarball-s390x permissions: contents: read packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-s390x commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} runner: ubuntu-24.04-s390x arch: s390x secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} publish-kata-deploy-payload-ppc64le: needs: build-kata-static-tarball-ppc64le permissions: contents: read packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-ppc64le commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} runner: ubuntu-24.04-ppc64le arch: ppc64le secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} build-and-publish-tee-confidential-unencrypted-image: name: build-and-publish-tee-confidential-unencrypted-image permissions: contents: read packages: write runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 persist-credentials: false - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Login to Kata Containers ghcr.io uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Docker build and push uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }} push: true context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ platforms: linux/amd64, linux/s390x file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile publish-csi-driver-amd64: name: publish-csi-driver-amd64 needs: build-kata-static-tarball-amd64 permissions: contents: read packages: write runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 persist-credentials: false - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-kata-tools-tarball uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-tools-static-tarball-amd64-${{ inputs.tag }} path: kata-tools-artifacts - name: Install kata-tools run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts - name: Copy binary into Docker context run: | # Copy to the location where the Dockerfile expects the binary. mkdir -p src/tools/csi-kata-directvolume/bin/ cp /opt/kata/bin/csi-kata-directvolume src/tools/csi-kata-directvolume/bin/directvolplugin - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Login to Kata Containers ghcr.io uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Docker build and push uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: tags: ghcr.io/kata-containers/csi-kata-directvolume:${{ inputs.pr-number }} push: true context: src/tools/csi-kata-directvolume/ platforms: linux/amd64 file: src/tools/csi-kata-directvolume/Dockerfile run-kata-monitor-tests: if: ${{ inputs.skip-test != 'yes' }} needs: build-kata-static-tarball-amd64 uses: ./.github/workflows/run-kata-monitor-tests.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} run-k8s-tests-on-aks: if: ${{ inputs.skip-test != 'yes' }} needs: publish-kata-deploy-payload-amd64 uses: ./.github/workflows/run-k8s-tests-on-aks.yaml permissions: contents: read id-token: write # Used for OIDC access to log into Azure with: tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-amd64 commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} secrets: AZ_APPID: ${{ secrets.AZ_APPID }} AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} run-k8s-tests-on-free-runner: if: ${{ inputs.skip-test != 'yes' }} needs: publish-kata-deploy-payload-amd64 permissions: contents: read uses: ./.github/workflows/run-k8s-tests-on-free-runner.yaml with: tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-amd64 commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} run-k8s-tests-on-arm64: if: ${{ inputs.skip-test != 'yes' }} needs: publish-kata-deploy-payload-arm64 uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml with: registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-arm64 commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} run-k8s-tests-on-nvidia-gpu: if: ${{ inputs.skip-test != 'yes' }} needs: publish-kata-deploy-payload-amd64 uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml with: tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-amd64 commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} secrets: NGC_API_KEY: ${{ secrets.NGC_API_KEY }} run-kata-coco-tests: if: ${{ inputs.skip-test != 'yes' }} needs: - publish-kata-deploy-payload-amd64 - build-and-publish-tee-confidential-unencrypted-image - publish-csi-driver-amd64 uses: ./.github/workflows/run-kata-coco-tests.yaml permissions: contents: read id-token: write # Used for OIDC access to log into Azure with: tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-amd64 commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }} secrets: AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AZ_APPID: ${{ secrets.AZ_APPID }} AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} ITA_KEY: ${{ secrets.ITA_KEY }} run-k8s-tests-on-zvsi: if: ${{ inputs.skip-test != 'yes' }} needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image] uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml with: registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-s390x commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} secrets: AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} run-k8s-tests-on-ppc64le: if: ${{ inputs.skip-test != 'yes' }} needs: publish-kata-deploy-payload-ppc64le uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml with: registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-ppc64le commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} run-kata-deploy-tests: if: ${{ inputs.skip-test != 'yes' }} needs: [publish-kata-deploy-payload-amd64] uses: ./.github/workflows/run-kata-deploy-tests.yaml with: registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-amd64 commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} run-basic-amd64-tests: if: ${{ inputs.skip-test != 'yes' }} needs: build-kata-static-tarball-amd64 uses: ./.github/workflows/basic-ci-amd64.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} run-basic-s390x-tests: if: ${{ inputs.skip-test != 'yes' }} needs: build-kata-static-tarball-s390x uses: ./.github/workflows/basic-ci-s390x.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} run-cri-containerd-amd64: if: ${{ inputs.skip-test != 'yes' }} needs: build-kata-static-tarball-amd64 strategy: fail-fast: false matrix: params: [ { containerd_version: lts, vmm: clh }, { containerd_version: lts, vmm: dragonball }, { containerd_version: lts, vmm: qemu }, { containerd_version: lts, vmm: cloud-hypervisor }, { containerd_version: lts, vmm: qemu-runtime-rs }, { containerd_version: active, vmm: clh }, { containerd_version: active, vmm: dragonball }, { containerd_version: active, vmm: qemu }, { containerd_version: active, vmm: cloud-hypervisor }, { containerd_version: active, vmm: qemu-runtime-rs }, ] uses: ./.github/workflows/run-cri-containerd-tests.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} runner: ubuntu-22.04 arch: amd64 containerd_version: ${{ matrix.params.containerd_version }} vmm: ${{ matrix.params.vmm }} run-cri-containerd-s390x: if: ${{ inputs.skip-test != 'yes' }} needs: build-kata-static-tarball-s390x strategy: fail-fast: false matrix: params: [ { containerd_version: active, vmm: qemu }, { containerd_version: active, vmm: qemu-runtime-rs }, ] uses: ./.github/workflows/run-cri-containerd-tests.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} runner: s390x-large arch: s390x containerd_version: ${{ matrix.params.containerd_version }} vmm: ${{ matrix.params.vmm }} run-cri-containerd-tests-ppc64le: if: ${{ inputs.skip-test != 'yes' }} needs: build-kata-static-tarball-ppc64le strategy: fail-fast: false matrix: params: [ { containerd_version: active, vmm: qemu }, ] uses: ./.github/workflows/run-cri-containerd-tests.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} runner: ppc64le-small arch: ppc64le containerd_version: ${{ matrix.params.containerd_version }} vmm: ${{ matrix.params.vmm }} run-cri-containerd-tests-arm64: if: false needs: build-kata-static-tarball-arm64 strategy: fail-fast: false matrix: params: [ { containerd_version: active, vmm: qemu }, ] uses: ./.github/workflows/run-cri-containerd-tests.yaml with: tarball-suffix: -${{ inputs.tag }} commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} runner: arm64-non-k8s arch: arm64 containerd_version: ${{ matrix.params.containerd_version }} vmm: ${{ matrix.params.vmm }}