mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-04-27 11:31:05 +00:00
a678046d13
A popular third-party action has recently been compromised [1][2] and the attacker managed to point multiple git version tags to a malicious commit containing code to exfiltrate secrets. This PR follows GitHub's recommendation [3] to pin third-party actions to a full-length commit hash, to mitigate such attacks. Hopefully actionlint starts warning about this soon [4]. [1] https://www.cve.org/CVERecord?id=CVE-2025-30066 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions [4] https://github.com/rhysd/actionlint/pull/436 Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
134 lines
3.9 KiB
YAML
134 lines
3.9 KiB
YAML
name: CI | Run kubernetes tests on AKS
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
tarball-suffix:
|
|
required: false
|
|
type: string
|
|
registry:
|
|
required: true
|
|
type: string
|
|
repo:
|
|
required: true
|
|
type: string
|
|
tag:
|
|
required: true
|
|
type: string
|
|
pr-number:
|
|
required: true
|
|
type: string
|
|
commit-hash:
|
|
required: false
|
|
type: string
|
|
target-branch:
|
|
required: false
|
|
type: string
|
|
default: ""
|
|
|
|
jobs:
|
|
run-k8s-tests:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
host_os:
|
|
- ubuntu
|
|
vmm:
|
|
- clh
|
|
- dragonball
|
|
- qemu
|
|
- qemu-runtime-rs
|
|
- stratovirt
|
|
- cloud-hypervisor
|
|
instance-type:
|
|
- small
|
|
- normal
|
|
include:
|
|
- host_os: cbl-mariner
|
|
vmm: clh
|
|
instance-type: small
|
|
genpolicy-pull-method: oci-distribution
|
|
auto-generate-policy: yes
|
|
- host_os: cbl-mariner
|
|
vmm: clh
|
|
instance-type: small
|
|
genpolicy-pull-method: containerd
|
|
auto-generate-policy: yes
|
|
- host_os: cbl-mariner
|
|
vmm: clh
|
|
instance-type: normal
|
|
auto-generate-policy: yes
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
DOCKER_REGISTRY: ${{ inputs.registry }}
|
|
DOCKER_REPO: ${{ inputs.repo }}
|
|
DOCKER_TAG: ${{ inputs.tag }}
|
|
GH_PR_NUMBER: ${{ inputs.pr-number }}
|
|
KATA_HOST_OS: ${{ matrix.host_os }}
|
|
KATA_HYPERVISOR: ${{ matrix.vmm }}
|
|
KUBERNETES: "vanilla"
|
|
USING_NFD: "false"
|
|
K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
|
|
GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
|
|
AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ inputs.commit-hash }}
|
|
fetch-depth: 0
|
|
|
|
- name: Rebase atop of the latest target branch
|
|
run: |
|
|
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
|
|
env:
|
|
TARGET_BRANCH: ${{ inputs.target-branch }}
|
|
|
|
- name: get-kata-tarball
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
|
|
path: kata-artifacts
|
|
|
|
- name: Install kata
|
|
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
|
|
|
|
- name: Download Azure CLI
|
|
run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
|
|
|
|
- name: Log into the Azure account
|
|
run: bash tests/integration/kubernetes/gha-run.sh login-azure
|
|
env:
|
|
AZ_APPID: ${{ secrets.AZ_APPID }}
|
|
AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
|
|
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
|
|
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
|
|
|
|
- name: Create AKS cluster
|
|
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
|
|
with:
|
|
timeout_minutes: 15
|
|
max_attempts: 20
|
|
retry_on: error
|
|
retry_wait_seconds: 10
|
|
command: bash tests/integration/kubernetes/gha-run.sh create-cluster
|
|
|
|
- name: Install `bats`
|
|
run: bash tests/integration/kubernetes/gha-run.sh install-bats
|
|
|
|
- name: Install `kubectl`
|
|
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
|
|
|
|
- name: Download credentials for the Kubernetes CLI to use them
|
|
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
|
|
|
|
- name: Deploy Kata
|
|
timeout-minutes: 10
|
|
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
|
|
|
|
- name: Run tests
|
|
timeout-minutes: 60
|
|
run: bash tests/integration/kubernetes/gha-run.sh run-tests
|
|
|
|
- name: Delete AKS cluster
|
|
if: always()
|
|
run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
|