ci: remove artifact encryption for public artifacts (#2776)

* ci: remove artifact encryption for public artifacts

* revert parts of  #2765

* ci: add unused action exception for encrypted artifact download

.github/actions/upload_terraform_module/action.yml

@@ -20,11 +20,10 @@ runs:
         zip -r terraform-module.zip terraform-module
 
     - name: Upload artifact
-      uses: ./.github/actions/artifact_upload
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: terraform-module
         path: terraform-module.zip
-        encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Cleanup Terraform module dir
       shell: bash

.github/workflows/build-os-image.yml

@@ -178,28 +178,25 @@ jobs:
           echo "::endgroup::"
 
       - name: Upload raw OS image as artifact
-        uses: ./.github/actions/artifact_upload
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
           path: ${{ steps.build.outputs.image-dir }}/constellation.raw
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Upload individual OS parts as artifacts
-        uses: ./.github/actions/artifact_upload
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-          path: >
+          path: |
             ${{ steps.build.outputs.image-dir }}/constellation.efi
             ${{ steps.build.outputs.image-dir }}/constellation.initrd
             ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Upload sbom info as artifact
-        uses: ./.github/actions/artifact_upload
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
           path: ${{ steps.build.outputs.rpmdb }}
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
   upload-os-image:
     name: "Upload OS image to CSP"
@@ -244,11 +241,10 @@ jobs:
           useCache: "false"
 
       - name: Download OS image artifact
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
           path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Install tools
         shell: bash
@@ -316,7 +312,6 @@ jobs:
         working-directory: ${{ github.workspace }}/image
         run: |
           echo "::group::Upload Azure image"
-          chmod +w "${RAW_IMAGE_PATH}"
           upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
           bazel run //image/upload -- image azure \
             --verbose \
@@ -358,11 +353,10 @@ jobs:
           echo "::endgroup::"
 
       - name: Upload image lookup table as artifact
-        uses: ./.github/actions/artifact_upload
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: lookup-table
           path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
   calculate-pcrs:
     name: "Calculate PCRs"
@@ -396,10 +390,9 @@ jobs:
           ref: ${{ inputs.ref || github.head_ref }}
 
       - name: Download OS image artifact
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - uses: ./.github/actions/setup_bazel_nix
         with:
@@ -639,23 +632,18 @@ jobs:
       contents: read
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        with:
-          ref: ${{ inputs.ref || github.head_ref }}
-
       - name: Login to AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
           aws-region: eu-central-1
 
       - name: Download sbom
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           # downloading / using only the QEMU manifest is fine
           # since the images only differ in the ESP partition
           name: sbom-qemu-qemu-vtpm
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Upload SBOMs to S3
         shell: bash
@@ -683,10 +671,9 @@ jobs:
           useCache: "false"
 
       - name: Download image lookup table
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: lookup-table
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Login to AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@@ -696,7 +683,12 @@ jobs:
 
       - name: Upload lookup table to S3
         shell: bash
-        run: bazel run //image/upload -- info --verbose image-upload*.json
+        run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ inputs.ref || github.head_ref }}
 
       - name: Create CLI compatibility information artifact
         shell: bash

.github/workflows/draft-release.yml

@@ -229,10 +229,9 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: constellation.spdx.sbom
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Generate provenance subjects
         id: provenance-subjects
@@ -343,16 +342,14 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: constellation.spdx.sbom
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Download provenance
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Install slsa-verifier
         run: |
@@ -423,22 +420,19 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: constellation.spdx.sbom
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Download Constellation CLI SBOM's signature
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: constellation.spdx.sbom.sig
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Download Constellation provenance
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Rename provenance file
         run: |

.github/workflows/e2e-windows.yml

@@ -34,11 +34,10 @@ jobs:
           enterpriseCLI: true
 
       - name: Upload CLI artifact
-        uses: ./.github/actions/artifact_upload
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           path: "bazel-bin/cli/cli_enterprise_windows_amd64"
           name: "constell-exe"
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
   e2e-test:
     name: E2E Test Windows
@@ -51,10 +50,9 @@ jobs:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Download CLI artifact
-        uses: ./.github/actions/artifact_download
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: "constell-exe"
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
       - name: Check CLI version
         shell: pwsh

bazel/ci/unused_gh_actions.sh.in

@@ -50,7 +50,7 @@ for action in ${actionNames}; do
     fi
   done
 
-  if ! ${used}; then
+  if [[ ${used} == "false" && ${action} != ".github/actions/artifact_download" ]]; then
     echo "Action ${action} is unused"
     exitcode=1
   fi