mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-04-27 19:35:32 +00:00
a678046d13
A popular third-party action has recently been compromised [1][2] and the attacker managed to point multiple git version tags to a malicious commit containing code to exfiltrate secrets. This PR follows GitHub's recommendation [3] to pin third-party actions to a full-length commit hash, to mitigate such attacks. Hopefully actionlint starts warning about this soon [4]. [1] https://www.cve.org/CVERecord?id=CVE-2025-30066 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions [4] https://github.com/rhysd/actionlint/pull/436 Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
207 lines
6.2 KiB
YAML
207 lines
6.2 KiB
YAML
name: Release Kata Containers
|
|
on:
|
|
workflow_dispatch
|
|
|
|
jobs:
|
|
release:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Create a new release
|
|
run: |
|
|
./tools/packaging/release/release.sh create-new-release
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
|
|
build-and-push-assets-amd64:
|
|
needs: release
|
|
uses: ./.github/workflows/release-amd64.yaml
|
|
with:
|
|
target-arch: amd64
|
|
secrets: inherit
|
|
|
|
build-and-push-assets-arm64:
|
|
needs: release
|
|
uses: ./.github/workflows/release-arm64.yaml
|
|
with:
|
|
target-arch: arm64
|
|
secrets: inherit
|
|
|
|
build-and-push-assets-s390x:
|
|
needs: release
|
|
uses: ./.github/workflows/release-s390x.yaml
|
|
with:
|
|
target-arch: s390x
|
|
secrets: inherit
|
|
|
|
build-and-push-assets-ppc64le:
|
|
needs: release
|
|
uses: ./.github/workflows/release-ppc64le.yaml
|
|
with:
|
|
target-arch: ppc64le
|
|
secrets: inherit
|
|
|
|
publish-multi-arch-images:
|
|
runs-on: ubuntu-22.04
|
|
needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Login to Kata Containers docker.io
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
- name: Login to Kata Containers quay.io
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
with:
|
|
registry: quay.io
|
|
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
|
|
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
|
|
|
- name: Get the image tags
|
|
run: |
|
|
release_version=$(./tools/packaging/release/release.sh release-version)
|
|
echo "KATA_DEPLOY_IMAGE_TAGS=$release_version latest" >> "$GITHUB_ENV"
|
|
|
|
- name: Publish multi-arch manifest on docker.io and quay.io
|
|
run: |
|
|
./tools/packaging/release/release.sh publish-multiarch-manifest
|
|
env:
|
|
KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy docker.io/katadocker/kata-deploy"
|
|
|
|
upload-multi-arch-static-tarball:
|
|
needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set KATA_STATIC_TARBALL env var
|
|
run: |
|
|
tarball=$(pwd)/kata-static.tar.xz
|
|
echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
|
|
|
|
- name: Download amd64 artifacts
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: kata-static-tarball-amd64
|
|
|
|
- name: Upload amd64 static tarball to GitHub
|
|
run: |
|
|
./tools/packaging/release/release.sh upload-kata-static-tarball
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
ARCHITECTURE: amd64
|
|
|
|
- name: Download arm64 artifacts
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: kata-static-tarball-arm64
|
|
|
|
- name: Upload arm64 static tarball to GitHub
|
|
run: |
|
|
./tools/packaging/release/release.sh upload-kata-static-tarball
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
ARCHITECTURE: arm64
|
|
|
|
- name: Download s390x artifacts
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: kata-static-tarball-s390x
|
|
|
|
- name: Upload s390x static tarball to GitHub
|
|
run: |
|
|
./tools/packaging/release/release.sh upload-kata-static-tarball
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
ARCHITECTURE: s390x
|
|
|
|
- name: Download ppc64le artifacts
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: kata-static-tarball-ppc64le
|
|
|
|
- name: Upload ppc64le static tarball to GitHub
|
|
run: |
|
|
./tools/packaging/release/release.sh upload-kata-static-tarball
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
ARCHITECTURE: ppc64le
|
|
|
|
upload-versions-yaml:
|
|
needs: release
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Upload versions.yaml to GitHub
|
|
run: |
|
|
./tools/packaging/release/release.sh upload-versions-yaml-file
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
|
|
upload-cargo-vendored-tarball:
|
|
needs: release
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Generate and upload vendored code tarball
|
|
run: |
|
|
./tools/packaging/release/release.sh upload-vendored-code-tarball
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
|
|
upload-libseccomp-tarball:
|
|
needs: release
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Download libseccomp tarball and upload it to GitHub
|
|
run: |
|
|
./tools/packaging/release/release.sh upload-libseccomp-tarball
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
|
|
upload-helm-chart-tarball:
|
|
needs: release
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install helm
|
|
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
|
id: install
|
|
|
|
- name: Generate and upload helm chart tarball
|
|
run: |
|
|
./tools/packaging/release/release.sh upload-helm-chart-tarball
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
|
|
publish-release:
|
|
needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ]
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Publish a release
|
|
run: |
|
|
./tools/packaging/release/release.sh publish-release
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|