mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-03-18 10:44:10 +00:00
9dd3807467
This completely eliminates the Azure secret from the repo, following the below guidance: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure The federated identity is scoped to the `ci` environment, meaning: * I had to specify this environment in some YAMLs. I don't believe there's any downside to this. * As previously, the CI works seamlessly both from PRs and in the manual workflow. I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem to be used anymore, and it contains a reference to the secret. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
56 lines
1.9 KiB
YAML
56 lines
1.9 KiB
YAML
name: Kata Containers CI
|
|
on:
|
|
pull_request_target:
|
|
branches:
|
|
- 'main'
|
|
- 'stable-*'
|
|
types:
|
|
# Adding 'labeled' to the list of activity types that trigger this event
|
|
# (default: opened, synchronize, reopened) so that we can run this
|
|
# workflow when the 'ok-to-test' label is added.
|
|
# Reference: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
|
|
- opened
|
|
- synchronize
|
|
- reopened
|
|
- labeled
|
|
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
skipper:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
|
|
uses: ./.github/workflows/gatekeeper-skipper.yaml
|
|
with:
|
|
commit-hash: ${{ github.event.pull_request.head.sha }}
|
|
target-branch: ${{ github.event.pull_request.base.ref }}
|
|
|
|
kata-containers-ci-on-push:
|
|
needs: skipper
|
|
if: ${{ needs.skipper.outputs.skip_build != 'yes' }}
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
attestations: write
|
|
uses: ./.github/workflows/ci.yaml
|
|
with:
|
|
commit-hash: ${{ github.event.pull_request.head.sha }}
|
|
pr-number: ${{ github.event.pull_request.number }}
|
|
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}
|
|
target-branch: ${{ github.event.pull_request.base.ref }}
|
|
skip-test: ${{ needs.skipper.outputs.skip_test }}
|
|
secrets:
|
|
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
|
|
AZ_APPID: ${{ secrets.AZ_APPID }}
|
|
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
|
|
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
|
|
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
|
|
ITA_KEY: ${{ secrets.ITA_KEY }}
|
|
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|