diff --git a/.github/actions/artifact_download/action.yml b/.github/actions/artifact_download/action.yml index 4ca96c3698..5db482d3d1 100644 --- a/.github/actions/artifact_download/action.yml +++ b/.github/actions/artifact_download/action.yml @@ -9,7 +9,7 @@ inputs: description: 'Download to a specified path.' required: false default: ./ - encryption-secret: + encryptionSecret: description: 'The secret to use for decrypting the artifact.' required: true @@ -36,4 +36,5 @@ runs: - name: Decrypt and unzip archive shell: bash run: | - unzip -P '${{ inputs.encryption-secret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip + mkdir -p ${{ inputs.path }} + unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip diff --git a/.github/actions/artifact_upload/action.yml b/.github/actions/artifact_upload/action.yml index d60b0a61f5..8de9b113ae 100644 --- a/.github/actions/artifact_upload/action.yml +++ b/.github/actions/artifact_upload/action.yml @@ -3,7 +3,7 @@ description: Upload an encrypted zip archive as a github artifact. inputs: path: - description: 'The path(s) that should be uploaded. Those are evaluated with bash and the extglob option.' + description: 'The path(s) that should be uploaded. Paths may contain globs. Only the final component of a path is uploaded.' required: true name: description: 'The name of the artifact.' @@ -11,7 +11,7 @@ inputs: retention-days: description: 'How long the artifact should be retained for.' default: 60 - encryption-secret: + encryptionSecret: description: 'The secret to use for encrypting the files.' required: true 
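Review bot: The new `mkdir -p ${{ inputs.path }}` line in the artifact_download @@ -36 hunk, like the `unzip` line below it, splices action inputs straight into the bash script, so a `path` value containing whitespace or shell metacharacters is word-split or interpreted rather than used as one path; in a composite action whose inputs come from workflow inputs this is the usual script-injection shape. Bind the inputs to step-level environment variables and quote them in the script, which also makes `${{ steps.tempdir.outputs.directory }}` safe to use unquoted-as-written. The same interpolation appears in the artifact_upload hunks at @@ -34 (`paths="${{ inputs.path }}"`) and @@ -45 (the `zip` line), so the fix should be applied there in the same form. Note that `unzip -P` still exposes the secret in the process argument list to other processes on the runner; the env binding removes it from the script text, not from argv.
```yaml
- name: Decrypt and unzip archive
  shell: bash
  env:
    DOWNLOAD_PATH: ${{ inputs.path }}
    ARCHIVE_DIR: ${{ steps.tempdir.outputs.directory }}
    ENCRYPTION_SECRET: ${{ inputs.encryptionSecret }}
  run: |
    mkdir -p "${DOWNLOAD_PATH}"
    unzip -P "${ENCRYPTION_SECRET}" -qq -d "${DOWNLOAD_PATH}" "${ARCHIVE_DIR}/archive.zip"
```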
@@ -34,10 +34,14 @@ runs: run: | shopt -s extglob + paths="${{ inputs.path }}" + paths=${paths%$'\n'} # Remove trailing newline + # Check if any file matches the given pattern(s). something_exists=false - for pattern in ${{ inputs.path }}; do - if compgen -G $pattern > /dev/null; then + for pattern in ${paths} + do + if compgen -G "${pattern}" > /dev/null; then something_exists=true fi done @@ -45,12 +49,19 @@ runs: # Create an archive if files exist. # Don't create an archive file if no files are found # and warn. - if $something_exists; then - zip -e -P '${{ inputs.encryption-secret }}' -qq -r ${{ steps.tempdir.outputs.directory }}/archive.zip ${{ inputs.path }} - else - echo "::warning:: No files/directories found with the provided path(s) $(echo -n ${{ inputs.path }}). No artifact will be uploaded." + if ! ${something_exists} + then + echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded." + exit 0 fi + for target in ${paths} + do + pushd "$(dirname "${target}")" || exit 1 + zip -e -P '${{ inputs.encryptionSecret }}' -r "${{ steps.tempdir.outputs.directory }}/archive.zip" "$(basename "${target}")" + popd || exit 1 + done + - name: Upload archive as artifact uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index cb264283b6..e009803c94 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -59,7 +59,7 @@ inputs: force: description: "Set the force-flag on apply to ignore version mismatches." required: false - encryption-secret: + encryptionSecret: description: "The secret to use for encrypting the artifact." required: true 
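Review bot: In the new `for target in ${paths}` loop of the @@ -45 hunk, a pattern that matches nothing is passed literally to `zip` (the script sets `extglob` but no `nullglob` is visible), while the check in the @@ -34 hunk only requires that *some* pattern matches; with a multi-entry `path` where one entry is absent, `zip` exits non-zero and, under the `-e` that `shell: bash` implies for composite steps, the step now fails instead of taking the warn-and-continue route the check was written for. Skipping such entries with `[[ -e "${target}" ]] || continue` as the first line of the loop body, or `shopt -s nullglob` after the existence check, keeps the original intent. Two smaller points in the same loop: `-qq` was dropped from the `zip` call, so every archived file name is now printed to the step log, and `pushd`/`popd` print the directory stack unless redirected (`pushd "$(dirname "${target}")" > /dev/null`). The `-e`/`-P` password mode is Info-ZIP's legacy ZipCrypto unless the installed zip was built with AES support; that is unchanged by this commit, but a comment on the `zip` line saying so would tell readers how much protection the uploaded logs actually get.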
@@ -267,4 +267,4 @@ runs: name: serial-logs-${{ inputs.artifactNameSuffix }} path: > !(terraform).log - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} diff --git a/.github/actions/e2e_benchmark/action.yml b/.github/actions/e2e_benchmark/action.yml index 1536c8ea26..88631a62a2 100644 --- a/.github/actions/e2e_benchmark/action.yml +++ b/.github/actions/e2e_benchmark/action.yml @@ -17,7 +17,7 @@ inputs: awsOpenSearchPwd: description: "AWS OpenSearch Password to upload the results." required: false - encryption-secret: + encryptionSecret: description: 'The secret to use for encrypting the artifact.' required: true @@ -100,7 +100,7 @@ runs: with: path: "out/fio-constellation-${{ inputs.cloudProvider }}.json" name: "fio-constellation-${{ inputs.cloudProvider }}.json" - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} - name: Run knb benchmark shell: bash @@ -122,7 +122,7 @@ runs: with: path: "out/knb-constellation-${{ inputs.cloudProvider }}.json" name: "knb-constellation-${{ inputs.cloudProvider }}.json" - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} - name: Assume AWS role to retrieve and update benchmarks in S3 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 @@ -176,7 +176,7 @@ runs: path: > benchmarks/constellation-${{ inputs.cloudProvider }}.json name: "benchmarks" - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} - name: Upload benchmark results to opensearch if: (!env.ACT) diff --git a/.github/actions/e2e_sonobuoy/action.yml b/.github/actions/e2e_sonobuoy/action.yml index 6d8a1905d0..1628dadb8b 100644 --- a/.github/actions/e2e_sonobuoy/action.yml +++ b/.github/actions/e2e_sonobuoy/action.yml 
@@ -11,7 +11,7 @@ inputs: kubeconfig: description: "The kubeconfig of the cluster to test." required: true - encryption-secret: + encryptionSecret: description: 'The secret to use for encrypting the artifact.' required: true @@ -51,7 +51,7 @@ runs: with: name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz" path: "*_sonobuoy_*.tar.gz" - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} # Only works on "sonobuoy full" tests (e2e plugin) - name: Extract test results diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml index baed7cc748..c0b336fe5b 100644 --- a/.github/actions/e2e_test/action.yml +++ b/.github/actions/e2e_test/action.yml @@ -86,7 +86,7 @@ inputs: force: description: "Set the force-flag on apply to ignore version mismatches." required: false - encryption-secret: + encryptionSecret: description: 'The secret to use for decrypting the artifact.' required: true @@ -299,7 +299,7 @@ runs: clusterCreation: ${{ inputs.clusterCreation }} marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} force: ${{ inputs.force }} - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ inputs.encryptionSecret }} - name: Deploy log- and metrics-collection (Kubernetes) id: deploy-logcollection @@ -334,7 +334,7 @@ runs: sonobuoyTestSuiteCmd: "--mode quick" kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }} - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} - name: Run sonobuoy full test if: inputs.test == 'sonobuoy full' 
@@ -344,7 +344,7 @@ runs: sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml' kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }} - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} - name: Run autoscaling test if: inputs.test == 'autoscaling' @@ -367,7 +367,7 @@ runs: awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }} awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }} awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }} - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} - name: Run constellation verify test if: inputs.test == 'verify' diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml index ab6a7794ff..a2c78f5651 100644 --- a/.github/actions/upload_terraform_module/action.yml +++ b/.github/actions/upload_terraform_module/action.yml @@ -1,7 +1,7 @@ name: Upload Terraform infrastructure module description: "Upload the Terraform infrastructure module as an artifact." inputs: - encryption-secret: + encryptionSecret: description: 'The secret to use for encrypting the artifact.' required: true @@ -24,7 +24,7 @@ runs: with: name: terraform-module path: terraform-module.zip - encryption-secret: ${{ inputs.encryption-secret }} + encryptionSecret: ${{ inputs.encryptionSecret }} - name: Cleanup Terraform module dir shell: bash 
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml index 7150148c54..7ac1f75da7 100644 --- a/.github/workflows/build-os-image.yml +++ b/.github/workflows/build-os-image.yml @@ -182,7 +182,7 @@ jobs: with: name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} path: ${{ steps.build.outputs.image-dir }}/constellation.raw - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload individual OS parts as artifacts uses: ./.github/actions/artifact_upload @@ -192,14 +192,14 @@ jobs: ${{ steps.build.outputs.image-dir }}/constellation.efi ${{ steps.build.outputs.image-dir }}/constellation.initrd ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload sbom info as artifact uses: ./.github/actions/artifact_upload with: name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }} path: ${{ steps.build.outputs.rpmdb }} - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} upload-os-image: name: "Upload OS image to CSP" @@ -248,7 +248,7 @@ jobs: with: name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38 - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Install tools shell: bash @@ -316,6 +316,7 @@ jobs: working-directory: ${{ github.workspace }}/image run: | echo "::group::Upload Azure image" + chmod +w "${RAW_IMAGE_PATH}" upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" bazel run //image/upload -- image azure \ --verbose \ 
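Review bot: The added `chmod +w "${RAW_IMAGE_PATH}"` in the @@ -316 hunk has no comment saying why the image is not writable at this point, and the reason is not visible in the hunk; presumably the file comes out of `artifact_download`'s `unzip` with the mode it had at build time and `upload/pack.sh` rewrites it in place — TODO confirm. A one-line comment above it would save the next reader the archaeology, e.g. `# pack.sh needs a writable image; the extracted artifact may arrive read-only (TODO: confirm where the mode is dropped)`. The enclosing `run:` block continues outside the hunk.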
@@ -361,7 +362,7 @@ jobs: with: name: lookup-table path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} calculate-pcrs: name: "Calculate PCRs" @@ -398,7 +399,7 @@ jobs: uses: ./.github/actions/artifact_download with: name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - uses: ./.github/actions/setup_bazel_nix with: @@ -545,7 +546,7 @@ jobs: with: name: measurements path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} upload-pcrs: name: "Sign & upload PCRs" @@ -568,7 +569,7 @@ jobs: uses: ./.github/actions/artifact_download with: name: measurements - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Login to AWS uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 @@ -640,6 +641,10 @@ jobs: contents: read runs-on: ubuntu-22.04 steps: + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + ref: ${{ inputs.ref || github.head_ref }} + - name: Login to AWS uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: @@ -652,7 +657,7 @@ jobs: # downloading / using only the QEMU manifest is fine # since the images only differ in the ESP partition name: sbom-qemu-qemu-vtpm - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload SBOMs to S3 shell: bash 
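Review bot: The checkout added at the top of the job in the @@ -640 hunk is pinned to `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, while the checkout this same commit removes further down the file (hunk @@ -693) was `b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; moving the step should not also roll the action back a major version. The reproducible-builds.yml hunks at @@ -135 and @@ -165 add the same v3.6.0 pin. Reuse the v4.1.1 SHA already in the repository in all three places: `- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`. The `ref: ${{ inputs.ref || github.head_ref }}` expression is carried over unchanged from the removed step, whereas the reproducible-builds checkouts guard `head_ref` against forks; whether this job needs the same guard depends on the workflow's triggers, which are outside the hunk.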
@@ -683,7 +688,7 @@ jobs: uses: ./.github/actions/artifact_download with: name: lookup-table - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Login to AWS uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 @@ -693,12 +698,7 @@ jobs: - name: Upload lookup table to S3 shell: bash - run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json - - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.ref || github.head_ref }} + run: bazel run //image/upload -- info --verbose image-upload*.json - name: Create CLI compatibility information artifact shell: bash diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index 018d59d554..2a02c98157 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -176,7 +176,7 @@ jobs: - name: Upload Terraform infrastructure module uses: ./.github/actions/upload_terraform_module with: - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} push-containers: runs-on: ubuntu-22.04 @@ -232,7 +232,7 @@ jobs: uses: ./.github/actions/artifact_download with: name: constellation.spdx.sbom - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Generate provenance subjects id: provenance-subjects 
@@ -346,13 +346,13 @@ jobs: uses: ./.github/actions/artifact_download with: name: constellation.spdx.sbom - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download provenance uses: ./.github/actions/artifact_download with: name: ${{ needs.provenance.outputs.provenance-name }} - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Install slsa-verifier run: | @@ -426,19 +426,19 @@ jobs: uses: ./.github/actions/artifact_download with: name: constellation.spdx.sbom - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download Constellation CLI SBOM's signature uses: ./.github/actions/artifact_download with: name: constellation.spdx.sbom.sig - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download Constellation provenance uses: ./.github/actions/artifact_download with: name: ${{ needs.provenance.outputs.provenance-name }} - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Rename provenance file run: | diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml index 72c29adc91..5d03095eb6 100644 --- a/.github/workflows/e2e-test-daily.yml +++ b/.github/workflows/e2e-test-daily.yml @@ -91,7 +91,7 @@ jobs: awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} clusterCreation: "cli" - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml index a048922a5c..a159944697 100644 --- a/.github/workflows/e2e-test-release.yml 
+++ b/.github/workflows/e2e-test-release.yml @@ -265,7 +265,7 @@ jobs: clusterCreation: ${{ matrix.clusterCreation }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index d875f56914..c5706ad34d 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml @@ -305,7 +305,7 @@ jobs: clusterCreation: ${{ matrix.clusterCreation }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index d298728133..d2682a3bd1 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -246,7 +246,7 @@ jobs: s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} force: ${{ inputs.force }} - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml index a71c7d7a9e..1a0311f7dd 100644 --- a/.github/workflows/e2e-upgrade.yml +++ b/.github/workflows/e2e-upgrade.yml 
@@ -183,7 +183,7 @@ jobs: awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} clusterCreation: "cli" - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Build CLI uses: ./.github/actions/build_cli @@ -283,7 +283,7 @@ jobs: node-operator.logs node-maintenance-operator.logs constellation-version.yaml - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-windows.yml b/.github/workflows/e2e-windows.yml index 4ce861c34a..33bf4d41fb 100644 --- a/.github/workflows/e2e-windows.yml +++ b/.github/workflows/e2e-windows.yml @@ -38,7 +38,7 @@ jobs: with: path: "bazel-bin/cli/cli_enterprise_windows_amd64" name: "constell-exe" - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} e2e-test: name: E2E Test Windows @@ -54,7 +54,7 @@ jobs: uses: ./.github/actions/artifact_download with: name: "constell-exe" - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Check CLI version shell: pwsh diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml index d279090698..f6a1c462cf 100644 --- a/.github/workflows/reproducible-builds.yml +++ b/.github/workflows/reproducible-builds.yml 
@@ -57,14 +57,14 @@ jobs: with: name: "binaries-${{ matrix.target }}" path: "${{ env.binary }}" - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload hash artifact uses: ./.github/actions/artifact_upload with: name: "sha256sums" path: "${{ env.binary }}.sha256" - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} build-osimages: strategy: @@ -135,23 +135,27 @@ jobs: - "cli_enterprise_windows_amd64" runs-on: ubuntu-22.04 steps: - - name: Download binaries - uses: ./.github/actions/artifact_download - with: - name: "binaries-${{ matrix.target }}" - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - - - name: Hash - shell: bash - if: runner.os == 'Linux' - run: sha256sum cli_enterprise* - - - name: Compare binaries - shell: bash - run: | - # shellcheck disable=SC2207,SC2116 - list=($(echo "cli_enterprise*")) - diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}" + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} + + - name: Download binaries + uses: ./.github/actions/artifact_download + with: + name: "binaries-${{ matrix.target }}" + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + + - name: Hash + shell: bash + if: runner.os == 'Linux' + run: sha256sum cli_enterprise* + + - name: Compare binaries + shell: bash + run: | + # shellcheck disable=SC2207,SC2116 + list=($(echo "cli_enterprise*")) + diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}" compare-osimages: needs: build-osimages 
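Review bot: The new checkout step at the top of the job in the @@ -135 hunk (and the identical one in the @@ -165 hunk for `compare-osimages`) carries no comment on why it is needed, and a reader may take it for a leftover since nothing in the job reads source files; the reason is that the following step `uses: ./.github/actions/artifact_download`, and a repository-local action can only be resolved after the repository has been checked out. Suggest `# local actions (./.github/actions/*) require the repository to be checked out first` above the step in both jobs. The fork guard on `ref` (`!github.event.pull_request.head.repo.fork && github.head_ref || ''`) is the right shape for a job that runs `bazel`/`diff` on downloaded artifacts and should stay as written.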
@@ -165,20 +169,24 @@ jobs: - "gcp_gcp-sev-snp_nightly" runs-on: ubuntu-22.04 steps: - - name: Download os images - uses: ./.github/actions/artifact_download - with: - name: "osimages-${{ matrix.target }}" - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - - - name: Hash - shell: bash - if: runner.os == 'Linux' - run: sha256sum osimage-* - - - name: Compare os images - shell: bash - run: | - # shellcheck disable=SC2207,SC2116 - list=($(echo "osimage-*")) - diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}" + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} + + - name: Download os images + uses: ./.github/actions/artifact_download + with: + name: "osimages-${{ matrix.target }}" + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + + - name: Hash + shell: bash + if: runner.os == 'Linux' + run: sha256sum osimage-* + + - name: Compare os images + shell: bash + run: | + # shellcheck disable=SC2207,SC2116 + list=($(echo "osimage-*")) + diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 46cfd8b90b..8a3fb4f961 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -35,7 +35,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} + encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload to code-scanning uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1