diff --git a/.github/actions/build_ami/action.yaml b/.github/actions/build_ami/action.yaml index 4a88376b9..3b32626ce 100644 --- a/.github/actions/build_ami/action.yaml +++ b/.github/actions/build_ami/action.yaml @@ -56,7 +56,7 @@ runs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Checkout full history - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get EIF for Release ${{ inputs.operator_release }} uses: ./.github/actions/download_release_artifact @@ -71,7 +71,7 @@ runs: - name: Get EIF for Run ${{ inputs.operator_run_number }} id: get_eif_for_run - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 + uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21 if: ${{ inputs.operator_release == '' }} with: name: 'aws-${{ inputs.identity_scope }}-deployment-files-.*' @@ -94,14 +94,14 @@ runs: ls ./scripts/aws/uid2-operator-ami/artifacts/ -al - name: Configure UID2 AWS credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.identity_scope == 'uid2' }} with: aws-region: ${{ inputs.uid2_aws_region }} role-to-assume: ${{ inputs.uid2_aws_role }} - name: Configure EUID AWS credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.identity_scope == 'euid' }} with: aws-region: ${{ inputs.euid_aws_region }} @@ -190,7 +190,7 @@ runs: ls -al - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ inputs.identity_scope }}_AMI_measurement path: ./scripts/aws/uid2-operator-ami/${{ inputs.identity_scope }}_AMI_measurement.txt 
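Review bot: The `dawidd6/action-download-artifact` pin jumps fifteen major versions (v6 → v21) in the "Get EIF for Run" step while its `name: 'aws-${{ inputs.identity_scope }}-deployment-files-.*'` regex pattern is left as-is; the rest of that step's `with:` block is outside the hunk, so it is worth confirming there that the input this action uses for regex matching (`name_is_regexp`) is still set and that the newer major's defaults for which workflow run or branch it searches match what the step relied on before. An artifact downloaded into the AMI build tree by the wrong run would silently change what gets measured, so a one-line comment recording why this version was chosen would help the next bump, e.g. `# v21: verified name_is_regexp / run lookup behaviour unchanged for our inputs`. The same bump appears in the build_eks_docker_image hunk starting at old line 59. The remaining hunks in this file are straight SHA pins of the previously floating `@v4` tags and look correct.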
diff --git a/.github/actions/build_aws_eif/action.yaml b/.github/actions/build_aws_eif/action.yaml index ddd525855..df3529d75 100644 --- a/.github/actions/build_aws_eif/action.yaml +++ b/.github/actions/build_aws_eif/action.yaml @@ -31,7 +31,7 @@ runs: steps: - name: Checkout full history at commit sha ${{ inputs.commit_sha }} - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.commit_sha }} # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout. diff --git a/.github/actions/build_eks_docker_image/action.yaml b/.github/actions/build_eks_docker_image/action.yaml index aecfab69d..9ec50bab3 100644 --- a/.github/actions/build_eks_docker_image/action.yaml +++ b/.github/actions/build_eks_docker_image/action.yaml @@ -39,7 +39,7 @@ runs: steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Make output dir shell: bash @@ -59,7 +59,7 @@ runs: - name: Get EIF for Run ${{ inputs.operator_run_number }} id: get_eif_for_run - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 + uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21 if: ${{ inputs.operator_release == '' }} with: name: 'aws-${{ inputs.identity_scope }}-deployment-files-.*' @@ -112,7 +112,7 @@ runs: df -h - name: Log in to the Docker container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} 
@@ -120,14 +120,14 @@ runs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-eks-${{ inputs.identity_scope }} tags: | type=raw,value=${{ steps.versionNumber.outputs.VERSION_NUMBER }}.${{ github.run_number }} - name: Build and export to Docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ inputs.artifacts_output_dir }} load: true @@ -140,7 +140,7 @@ runs: - name: Push to Docker id: push-to-docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ inputs.artifacts_output_dir }} push: true diff --git a/.github/actions/download_release_artifact/action.yaml b/.github/actions/download_release_artifact/action.yaml index 3ad54d6bf..dbba87e13 100644 --- a/.github/actions/download_release_artifact/action.yaml +++ b/.github/actions/download_release_artifact/action.yaml @@ -27,7 +27,7 @@ runs: steps: - name: Get Artifact Ids id: get_asset_id - uses: actions/github-script@v7 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: github-token: ${{ inputs.github_token }} result-encoding: string diff --git a/.github/actions/update_operator_version/action.yaml b/.github/actions/update_operator_version/action.yaml index ef3756589..4ae4406a5 100644 --- a/.github/actions/update_operator_version/action.yaml +++ b/.github/actions/update_operator_version/action.yaml 
@@ -65,14 +65,14 @@ runs: IS_RELEASE: ${{ steps.checkRelease.outputs.is_release }} - name: Checkout full history on Main - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ inputs.version_number_input == '' }} with: # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout. fetch-depth: 0 - name: Checkout full history at tag v${{ inputs.version_number_input }} - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ inputs.version_number_input != '' }} with: ref: v${{ inputs.version_number_input }} diff --git a/.github/workflows/build-uid2-ami.yaml b/.github/workflows/build-uid2-ami.yaml index fcc375978..8c1d39148 100644 --- a/.github/workflows/build-uid2-ami.yaml +++ b/.github/workflows/build-uid2-ami.yaml @@ -38,7 +38,7 @@ jobs: enclave_id: ${{ steps.buildAMI.outputs.enclave_id }} steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build UID2 Operator AMI id: buildAMI @@ -78,7 +78,7 @@ jobs: enclave_id: ${{ steps.buildAMI.outputs.enclave_id }} steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Pre-cleanup shell: bash @@ -123,13 +123,13 @@ jobs: needs: [buildUID2, testUID2Ami, testEUIDAmi] steps: - name: Download UID2 artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: uid2_AMI_measurement path: ./artifacts - name: Download EUID artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: euid_AMI_measurement path: ./artifacts 
@@ -142,7 +142,7 @@ jobs: euid_AMI_measurement - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-ami-ids-${{ needs.buildUID2.outputs.version_number }} path: ./artifacts/ diff --git a/.github/workflows/check-stable-dependency.yaml b/.github/workflows/check-stable-dependency.yaml index f8a417b55..38aea7689 100644 --- a/.github/workflows/check-stable-dependency.yaml +++ b/.github/workflows/check-stable-dependency.yaml @@ -3,5 +3,5 @@ on: [pull_request, workflow_dispatch] jobs: check_dependency: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@v2 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@v3 secrets: inherit \ No newline at end of file diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 6c92b3429..71897f94a 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml @@ -65,7 +65,7 @@ jobs: release_type: ${{ inputs.release_type }} - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 
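Review bot: In check-stable-dependency.yaml the reusable workflow reference is only moved from one mutable tag to another, `uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@v3`, while every third-party action elsewhere in this commit is pinned to a full commit SHA with the tag kept as a trailing comment. A tag in an org-owned repository is lower risk than one in a third-party repository, but it is still re-pointable without any change in this repository, so if the intent of the commit is SHA pinning it should apply here too (`uses: ...shared-check-stable-dependency.yaml@<commit-sha> # v3`, with the actual SHA filled in), or a comment should state that org-internal shared actions are deliberately tracked by tag. The same tag-only reference is visible in the rewritten publish-gcp-oidc-enclave-docker.yaml at `IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3`, though that hunk runs past the end of this view. The `\ No newline at end of file` marker also survives the change; adding the trailing newline while touching the file would be a small tidy-up.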
@@ -156,54 +156,54 @@ jobs: needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI] steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Download public manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: public-image-* path: ./manifests/public_operator - name: Download GCP manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: gcp-oidc-enclave-ids-* path: ./manifests/gcp_oidc_operator - name: Download Azure CC manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: azure-cc-enclave-id-* path: ./manifests/azure_cc_operator - name: Download Azure AKS manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: azure-aks-enclave-id-* path: ./manifests/azure_aks_operator - name: Download EIF manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: 'aws-eif-enclave-ids-*' path: ./manifests/aws_eif - name: Download AWS AMI manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: 'aws-ami-ids-*' path: ./manifests/aws_ami - name: Download Deployment Files - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: '*-deployment-files-*' path: ./deployment - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: uid2-operator-release-${{ 
needs.start.outputs.new_version }}-manifests path: ./manifests @@ -231,7 +231,7 @@ jobs: (cd manifests && zip -r ../uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip .) - name: Create draft release - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: name: v${{ needs.start.outputs.new_version }} body: ${{ steps.changelog.outputs.changelog }} @@ -255,4 +255,4 @@ jobs: SLACK_MESSAGE: ':x: Operator Pipeline failed' SLACK_TITLE: Pipeline Failed in ${{ github.workflow }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2 + uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # v2 diff --git a/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml b/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml index 0de600aac..6595665eb 100644 --- a/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml +++ b/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml @@ -37,7 +37,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build Docker Image for EKS Pod id: build_docker_image_uid @@ -65,7 +65,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build Docker Image for EKS Pod id: build_docker_image_euid 
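Review bot: The two new pins in this file's later hunks, `softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2` and `rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # v2`, record only a major version in the trailing comment, whereas the other pins in this commit record the exact tag (`# v6.0.2`, `# v8.0.1`). Since the comment is the only human-readable link between the SHA and a release, and SHA-pin update tooling typically keys off it, a major-only comment makes it hard to audit which release was reviewed and can cause the next bump to be skipped or mis-applied; the comment should name the exact tag the SHA resolves to, e.g. `# v2.<minor>.<patch>` with the real values filled in. The same `# v2` comment on the softprops pin recurs in the publish-aws-nitro-eif.yaml "Create release" hunk (old line 194).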
@@ -128,7 +128,7 @@ jobs: echo "Enclave ID (maybe shared by other images): " ${{ needs.buildEUIDImage.outputs.enclave_id }} >> ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests/aws-eks-euid-enclave-id-${{ needs.buildEUIDImage.outputs.image_tag }}.txt - name: Save Manifests as build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-eks-enclave-ids-${{ needs.buildUID2Image.outputs.image_tag }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests diff --git a/.github/workflows/publish-aws-nitro-eif.yaml b/.github/workflows/publish-aws-nitro-eif.yaml index 29c4f5f14..9dae6b4a9 100644 --- a/.github/workflows/publish-aws-nitro-eif.yaml +++ b/.github/workflows/publish-aws-nitro-eif.yaml @@ -50,7 +50,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Update Operator Version id: update_version @@ -74,7 +74,7 @@ jobs: needs: start steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build UID2 AWS EIF id: build_uid2_eif @@ -93,7 +93,7 @@ jobs: df -h - name: Save UID2 eif artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-uid2-deployment-files-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2 @@ -113,7 +113,7 @@ jobs: needs: start steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build EUID AWS EIF id: build_euid_eif 
@@ -132,7 +132,7 @@ jobs: df -h - name: Save EUID eif artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-euid-deployment-files-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid @@ -157,12 +157,12 @@ jobs: df -h - name: Download UID2 artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2 - name: Download EUID artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid @@ -173,7 +173,7 @@ jobs: echo ${{ needs.buildEUIDEIF.outputs.euid_enclave_id }} >> ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests/aws-euid-enclave-id-${{ needs.start.outputs.new_version }}.txt - name: Save Manifests as build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-eif-enclave-ids-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests @@ -194,7 +194,7 @@ jobs: - name: Create release if: ${{ inputs.version_number_input == '' && needs.start.outputs.is_release == 'true' }} - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: name: ${{ needs.start.outputs.new_version }} body: ${{ steps.github_release.outputs.changelog }} diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml index 288fc5b36..ad0f170ae 100644 --- a/.github/workflows/publish-azure-cc-enclave-docker.yaml +++ b/.github/workflows/publish-azure-cc-enclave-docker.yaml 
@@ -75,7 +75,7 @@ jobs: tags: ${{ steps.meta.outputs.tags }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Update Operator Version id: update_version @@ -88,7 +88,7 @@ jobs: github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }} - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: '21' @@ -103,7 +103,7 @@ jobs: cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/ - name: Log in to the Docker container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -111,14 +111,14 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=raw,value=${{ steps.update_version.outputs.image_tag }} - name: Build and export to Docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ env.DOCKER_CONTEXT_PATH }} load: true @@ -130,7 +130,7 @@ jobs: BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - name: Generate Trivy vulnerability scan report - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: image-ref: ${{ steps.meta.outputs.tags }} format: 'sarif' 
@@ -141,12 +141,12 @@ jobs: hide-progress: true - name: Upload Trivy scan report to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@c3f298df8c1fea2fefe20c785e6aa00f32df8260 # v4.35.3 with: sarif_file: 'trivy-results.sarif' - name: Test with Trivy vulnerability scanner - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: image-ref: ${{ steps.meta.outputs.tags }} format: 'table' @@ -157,7 +157,7 @@ jobs: - name: Push to Docker id: push-to-docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ env.DOCKER_CONTEXT_PATH }} push: true @@ -174,7 +174,7 @@ jobs: needs: buildImage steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Azure CLI uses: ./.github/actions/install_az_cli @@ -193,14 +193,14 @@ jobs: bash ./scripts/azure-cc/deployment/generate-deployment-artifacts.sh - name: Upload deployment artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: azure-cc-deployment-files-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.ARTIFACTS_OUTPUT_DIR }} if-no-files-found: error - name: Upload manifest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: azure-cc-enclave-id-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.MANIFEST_OUTPUT_DIR }} @@ -222,7 +222,7 @@ jobs: needs: buildImage steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Azure CLI uses: ./.github/actions/install_az_cli 
@@ -241,14 +241,14 @@ jobs: bash ./scripts/azure-aks/deployment/generate-deployment-artifacts.sh - name: Upload deployment artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: azure-aks-deployment-files-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.ARTIFACTS_OUTPUT_DIR }} if-no-files-found: error - name: Upload manifest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: azure-aks-enclave-id-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.MANIFEST_OUTPUT_DIR }} diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 45d68ba8a..7b51aa5b6 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml 
@@ -1,245 +1,245 @@ -name: Publish GCP OIDC Operator -run-name: ${{ format('Publish {0} GCP OIDC Operator', inputs.release_type) }} -on: - workflow_dispatch: - inputs: - release_type: - type: choice - description: The type of release - options: - - Snapshot - - Patch - - Minor - - Major - version_number_input: - description: If set, the version number will not be incremented and the given number will be used. - type: string - default: '' - vulnerability_severity: - description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. - type: choice - options: - - CRITICAL,HIGH - - CRITICAL,HIGH,MEDIUM - - CRITICAL (DO NOT use if JIRA ticket not raised) - workflow_call: - inputs: - release_type: - description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major] - required: true - type: string - version_number_input: - description: If set, the version number will not be incremented and the given number will be used. - type: string - default: '' - commit_sha: - description: The commit SHA for committing the new version for pom.xml. - type: string - default: '' - vulnerability_severity: - description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between). 
- type: string - default: 'CRITICAL,HIGH' - - outputs: - image_tag: - description: The tag used to describe the image in Docker - value: ${{ jobs.buildImage.outputs.image_tag }} - -env: - REGISTRY: ghcr.io - GCP_REGISTRY: us-docker.pkg.dev - GCP_GAR_PROJECT: uid2-prod-project - MAVEN_PROFILE: gcp - ENCLAVE_PROTOCOL: gcp-oidc - IMAGE_NAME: ${{ github.repository }} - DOCKER_CONTEXT_PATH: scripts/gcp-oidc - ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts - MANIFEST_OUTPUT_DIR: ${{ github.workspace }}/manifests - -jobs: - buildImage: - name: Build Image - runs-on: ubuntu-latest - environment: ${{ github.ref_protected && 'ci-auto-merge' || '' }} - permissions: - contents: write - security-events: write - packages: write - id-token: write - pull-requests: write - outputs: - jar_version: ${{ steps.update_version.outputs.new_version }} - image_tag: ${{ steps.update_version.outputs.image_tag }} - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Update Operator Version - id: update_version - uses: ./.github/actions/update_operator_version - with: - release_type: ${{ inputs.release_type }} - version_number_input: ${{ inputs.version_number_input }} - image_tag_suffix: ${{ env.ENCLAVE_PROTOCOL }} - commit_sha: ${{ inputs.commit_sha }} - github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }} - - - name: Set up JDK - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '21' - - - name: Package JAR - id: package - run: | - mvn -B package -P ${{ env.MAVEN_PROFILE }} - echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT - echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT - cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/ - cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/ - - - name: Log in to the Docker container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 - with: - 
registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Authenticate with Google Cloud - id: gcp_auth - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 - with: - token_format: access_token - workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER_ID }} - service_account: ${{ vars.GCP_SERVICE_ACCOUNT }} - access_token_lifetime: 300s - - - name: Log in to the GCP Registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 - with: - registry: ${{ env.GCP_REGISTRY }} - username: oauth2accesstoken - password: ${{ steps.gcp_auth.outputs.access_token }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=raw,value=${{ steps.update_version.outputs.image_tag }} - - - name: Extract metadata (tags, labels) for GCP image - id: meta-gcp - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 - with: - images: ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} - tags: | - type=raw,value=${{ steps.update_version.outputs.image_tag }} - - - name: Extract metadata (tags, labels) for all Docker images - id: meta-all - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 - with: - images: | - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} - tags: | - type=raw,value=${{ steps.update_version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }} - - - name: Build and export to Docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 - with: - context: ${{ env.DOCKER_CONTEXT_PATH }} - load: true - tags: ${{ steps.meta-all.outputs.tags }} - labels: ${{ steps.meta-all.outputs.labels }} - build-args: | - JAR_VERSION=${{ 
steps.update_version.outputs.new_version }} - IMAGE_VERSION=${{ steps.update_version.outputs.new_version }} - BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - - - name: Vulnerability Scan - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 - with: - image_ref: ${{ steps.meta.outputs.tags }} - scan_type: 'image' - skip_files: '/venv/lib/python3.12/site-packages/google/auth/crypt/__pycache__/_python_rsa.cpython-312.pyc' # Skip scanning this file as per UID2-4968 - failure_severity: ${{ (inputs.vulnerability_severity == 'CRITICAL (DO NOT use if JIRA ticket not raised)' && 'CRITICAL') || inputs.vulnerability_severity }} - - - name: Push to Docker - id: push-to-docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 - with: - context: ${{ env.DOCKER_CONTEXT_PATH }} - push: true - tags: ${{ steps.meta-all.outputs.tags }} - labels: ${{ steps.meta-all.outputs.labels }} - build-args: | - JAR_VERSION=${{ steps.update_version.outputs.new_version }} - IMAGE_VERSION=${{ steps.update_version.outputs.new_version }} - - - name: Generate GCP deployment artifacts - env: - IMAGE: ${{ steps.meta-gcp.outputs.tags }} - IMAGE_DIGEST: ${{ steps.push-to-docker.outputs.digest }} - OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }} - MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR}} - VERSION_NUMBER: ${{ steps.update_version.outputs.new_version }} - run: | - bash ./scripts/gcp-oidc/generate-deployment-artifacts.sh - - - name: Upload deployment artifacts - uses: actions/upload-artifact@v4 - with: - name: gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }} - path: ${{ env.ARTIFACTS_OUTPUT_DIR }} - if-no-files-found: error - - - name: Upload manifest artifacts - uses: actions/upload-artifact@v4 - with: - name: gcp-oidc-enclave-ids-${{ steps.update_version.outputs.new_version }} - path: ${{ env.MANIFEST_OUTPUT_DIR }} - if-no-files-found: error - - - name: Generate release archive - if: ${{ inputs.version_number_input == '' && 
steps.update_version.outputs.is_release == 'true' }} - run: | - zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/* - - - name: Build changelog - id: github_release - if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} - uses: mikepenz/release-changelog-builder-action@32e3c96f29a6532607f638797455e9e98cfc703d # v4 - with: - configurationJson: | - { - "template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ steps.meta.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ steps.update_version.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}", - "pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )" - } - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Create release - if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 - with: - name: ${{ steps.update_version.outputs.new_version }} - body: ${{ steps.github_release.outputs.changelog }} - draft: true - files: | - ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}.zip - ${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-${{ steps.update_version.outputs.new_version }}.txt - ${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-debug-${{ steps.update_version.outputs.new_version }}.txt - - e2e: - name: E2E - uses: ./.github/workflows/run-e2e-tests-on-operator.yaml - needs: buildImage - with: - operator_type: gcp - operator_image_version: ${{ needs.buildImage.outputs.image_tag }} - secrets: inherit +name: Publish GCP OIDC Operator +run-name: ${{ format('Publish {0} GCP OIDC Operator', inputs.release_type) }} +on: + workflow_dispatch: + inputs: + release_type: + type: choice + description: The type of release + options: + - Snapshot + - Patch + - Minor + - Major 
+ version_number_input:
+ description: If set, the version number will not be incremented and the given number will be used.
+ type: string
+ default: ''
+ vulnerability_severity:
+ description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised.
+ type: choice
+ options:
+ - CRITICAL,HIGH
+ - CRITICAL,HIGH,MEDIUM
+ - CRITICAL (DO NOT use if JIRA ticket not raised)
+ workflow_call:
+ inputs:
+ release_type:
+ description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major]
+ required: true
+ type: string
+ version_number_input:
+ description: If set, the version number will not be incremented and the given number will be used.
+ type: string
+ default: ''
+ commit_sha:
+ description: The commit SHA for committing the new version for pom.xml.
+ type: string
+ default: ''
+ vulnerability_severity:
+ description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
+ type: string
+ default: 'CRITICAL,HIGH'
+
+ outputs:
+ image_tag:
+ description: The tag used to describe the image in Docker
+ value: ${{ jobs.buildImage.outputs.image_tag }}
+
+env:
+ REGISTRY: ghcr.io
+ GCP_REGISTRY: us-docker.pkg.dev
+ GCP_GAR_PROJECT: uid2-prod-project
+ MAVEN_PROFILE: gcp
+ ENCLAVE_PROTOCOL: gcp-oidc
+ IMAGE_NAME: ${{ github.repository }}
+ DOCKER_CONTEXT_PATH: scripts/gcp-oidc
+ ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts
+ MANIFEST_OUTPUT_DIR: ${{ github.workspace }}/manifests
+
+jobs:
+ buildImage:
+ name: Build Image
+ runs-on: ubuntu-latest
+ environment: ${{ github.ref_protected && 'ci-auto-merge' || '' }}
+ permissions:
+ contents: write
+ security-events: write
+ packages: write
+ id-token: write
+ pull-requests: write
+ outputs:
+ jar_version: ${{ steps.update_version.outputs.new_version }}
+ image_tag: ${{ steps.update_version.outputs.image_tag }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Update Operator Version
+ id: update_version
+ uses: ./.github/actions/update_operator_version
+ with:
+ release_type: ${{ inputs.release_type }}
+ version_number_input: ${{ inputs.version_number_input }}
+ image_tag_suffix: ${{ env.ENCLAVE_PROTOCOL }}
+ commit_sha: ${{ inputs.commit_sha }}
+ github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }}
+
+ - name: Set up JDK
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+ with:
+ distribution: 'temurin'
+ java-version: '21'
+
+ - name: Package JAR
+ id: package
+ run: |
+ mvn -B package -P ${{ env.MAVEN_PROFILE }}
+ echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
+ echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
+ cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/
+ cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/
+
+ - name: Log in to the Docker container registry
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Authenticate with Google Cloud
+ id: gcp_auth
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+ with:
+ token_format: access_token
+ workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER_ID }}
+ service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+ access_token_lifetime: 300s
+
+ - name: Log in to the GCP Registry
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ with:
+ registry: ${{ env.GCP_REGISTRY }}
+ username: oauth2accesstoken
+ password: ${{ steps.gcp_auth.outputs.access_token }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=${{ steps.update_version.outputs.image_tag }}
+
+ - name: Extract metadata (tags, labels) for GCP image
+ id: meta-gcp
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ with:
+ images: ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=${{ steps.update_version.outputs.image_tag }}
+
+ - name: Extract metadata (tags, labels) for all Docker images
+ id: meta-all
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ with:
+ images: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=${{ steps.update_version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }}
+
+ - name: Build and export to Docker
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ with:
+ context: ${{ env.DOCKER_CONTEXT_PATH }}
+ load: true
+ tags: ${{ steps.meta-all.outputs.tags }}
+ labels: ${{ steps.meta-all.outputs.labels }}
+ build-args: |
+ JAR_VERSION=${{ steps.update_version.outputs.new_version }}
+ IMAGE_VERSION=${{ steps.update_version.outputs.new_version }}
+ BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }}
+
+ - name: Vulnerability Scan
+ uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3
+ with:
+ image_ref: ${{ steps.meta.outputs.tags }}
+ scan_type: 'image'
+ skip_files: '/venv/lib/python3.12/site-packages/google/auth/crypt/__pycache__/_python_rsa.cpython-312.pyc' # Skip scanning this file as per UID2-4968
+ failure_severity: ${{ (inputs.vulnerability_severity == 'CRITICAL (DO NOT use if JIRA ticket not raised)' && 'CRITICAL') || inputs.vulnerability_severity }}
+
+ - name: Push to Docker
+ id: push-to-docker
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ with:
+ context: ${{ env.DOCKER_CONTEXT_PATH }}
+ push: true
+ tags: ${{ steps.meta-all.outputs.tags }}
+ labels: ${{ steps.meta-all.outputs.labels }}
+ build-args: |
+ JAR_VERSION=${{ steps.update_version.outputs.new_version }}
+ IMAGE_VERSION=${{ steps.update_version.outputs.new_version }}
+
+ - name: Generate GCP deployment artifacts
+ env:
+ IMAGE: ${{ steps.meta-gcp.outputs.tags }}
+ IMAGE_DIGEST: ${{ steps.push-to-docker.outputs.digest }}
+ OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }}
+ MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR}}
+ VERSION_NUMBER: ${{ steps.update_version.outputs.new_version }}
+ run: |
+ bash ./scripts/gcp-oidc/generate-deployment-artifacts.sh
+
+ - name: Upload deployment artifacts
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}
+ path: ${{ env.ARTIFACTS_OUTPUT_DIR }}
+ if-no-files-found: error
+
+ - name: Upload manifest artifacts
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: gcp-oidc-enclave-ids-${{ steps.update_version.outputs.new_version }}
+ path: ${{ env.MANIFEST_OUTPUT_DIR }}
+ if-no-files-found: error
+
+ - name: Generate release archive
+ if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }}
+ run: |
+ zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/*
+
+ - name: Build changelog
+ id: github_release
+ if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }}
+ uses: mikepenz/release-changelog-builder-action@32e3c96f29a6532607f638797455e9e98cfc703d # v4
+ with:
+ configurationJson: |
+ {
+ "template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ steps.meta.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ steps.update_version.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}",
+ "pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )"
+ }
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create release
+ if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }}
+ uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
+ with:
+ name: ${{ steps.update_version.outputs.new_version }}
+ body: ${{ steps.github_release.outputs.changelog }}
+ draft: true
+ files: |
+ ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}.zip
+ ${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-${{ steps.update_version.outputs.new_version }}.txt
+ ${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-debug-${{ steps.update_version.outputs.new_version }}.txt
+
+ e2e:
+ name: E2E
+ uses: ./.github/workflows/run-e2e-tests-on-operator.yaml
+ needs: buildImage
+ with:
+ operator_type: gcp
+ operator_image_version: ${{ needs.buildImage.outputs.image_tag }}
+ secrets: inherit
diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 9c2898ce0..5c0d4a2c6 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -91,7 +91,7 @@ jobs: echo $IMAGE > image-details/public-image-$IMAGE_TAG.json - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: public-image-${{ needs.image.outputs.image_tag }} path: image-details/