From a429ca50e7d489535b26a0e6a58772c1463d1f56 Mon Sep 17 00:00:00 2001 From: miampf Date: Wed, 20 Dec 2023 14:17:49 +0000 Subject: [PATCH] ci: encrypt artifacts (#2567) --- .github/actions/artifact_download/action.yml | 39 ++++++++++++ .github/actions/artifact_upload/action.yml | 60 +++++++++++++++++++ .../actions/constellation_create/action.yml | 11 ++-- .../download_release_binaries/action.yml | 34 +++++++---- .github/actions/e2e_benchmark/action.yml | 14 +++-- .github/actions/e2e_sonobuoy/action.yml | 6 +- .github/actions/e2e_test/action.yml | 7 +++ .../upload_terraform_module/action.yml | 8 ++- .github/workflows/build-os-image.yml | 32 ++++++---- .github/workflows/draft-release.yml | 30 +++++++--- .github/workflows/e2e-test-daily.yml | 1 + .github/workflows/e2e-test-release.yml | 1 + .github/workflows/e2e-test-weekly.yml | 1 + .github/workflows/e2e-test.yml | 1 + .github/workflows/e2e-upgrade.yml | 6 +- .github/workflows/e2e-windows.yml | 6 +- .github/workflows/reproducible-builds.yml | 12 ++-- .github/workflows/scorecard.yml | 3 +- 18 files changed, 224 insertions(+), 48 deletions(-) create mode 100644 .github/actions/artifact_download/action.yml create mode 100644 .github/actions/artifact_upload/action.yml diff --git a/.github/actions/artifact_download/action.yml b/.github/actions/artifact_download/action.yml new file mode 100644 index 0000000000..36a885657a --- /dev/null +++ b/.github/actions/artifact_download/action.yml 
@@ -0,0 +1,39 @@ +name: Download artifact +description: Download and decrypt an artifact. + +inputs: + name: + description: 'The name of the artifact.' + required: true + path: + description: 'Download to a specified path.' + required: false + default: ./ + encryption-secret: + description: 'The secret to use for decrypting the artifact.' + required: true + +runs: + using: "composite" + steps: + - name: Install unzip + uses: ./.github/actions/setup_bazel_nix + with: + nixTools: | + unzip + + - name: Create temporary directory + id: tempdir + shell: bash + run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT" + + - name: Download the artifact + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.name }} + path: ${{ steps.tempdir.outputs.directory }} + + - name: Decrypt and unzip archive + shell: bash + run: | + unzip -P '${{ inputs.encryption-secret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip diff --git a/.github/actions/artifact_upload/action.yml b/.github/actions/artifact_upload/action.yml new file mode 100644 index 0000000000..fd850b3546 --- /dev/null +++ b/.github/actions/artifact_upload/action.yml 
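Review bot: The `Decrypt and unzip archive` step splices `${{ inputs.encryption-secret }}` and `${{ inputs.path }}` into the shell script as text, so a passphrase containing a single quote breaks the `unzip` command line and a path with spaces or glob characters is word-split and expanded. Route both through the step's `env:` (`SECRET: ${{ inputs.encryption-secret }}`, `DEST: ${{ inputs.path }}`) and call `unzip -P "$SECRET" -qq -d "$DEST" "${{ steps.tempdir.outputs.directory }}/archive.zip"`; this fixes the quoting, but `-P` still places the passphrase in the process argument list, which unzip's own documentation marks as insecure on shared hosts, so a decryption tool that reads the passphrase from a file descriptor would be the more robust choice. Separately, `actions/download-artifact@v3` is a floating tag whereas the rest of the repository pins actions to a full commit SHA with a version comment (compare the removed `actions/download-artifact@9bc31d5c… # v3.0.2` lines in the later hunks); pin it the same way, and likewise `actions/upload-artifact@v3` in the artifact_upload hunk, so the new composite actions do not regress the Pinned-Dependencies result that scorecard.yml measures.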
@@ -0,0 +1,60 @@ +name: Upload artifact +description: Upload an encrypted zip archive as a github artifact. + +inputs: + path: + description: 'The path(s) that should be uploaded. Those are evaluated with bash and the extglob option.' + required: true + name: + description: 'The name of the artifact.' + required: true + retention-days: + description: 'How long the artifact should be retained for.' + default: 60 + encryption-secret: + description: 'The secret to use for encrypting the files.' + required: true + +runs: + using: "composite" + steps: + - name: Install zip + uses: ./.github/actions/setup_bazel_nix + with: + nixTools: | + zip + + - name: Create temporary directory + id: tempdir + shell: bash + run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT" + + - name: Create archive + shell: bash + run: | + shopt -s extglob + + # Check if any file matches the given pattern(s). + something_exists=false + for pattern in ${{ inputs.path }}; do + if compgen -G $pattern > /dev/null; then + something_exists=true + fi + done + + # Create an archive if files exist. + # Don't create an archive file if no files are found + # and warn. + if $something_exists; then + zip -e -P '${{ inputs.encryption-secret }}' -qq -r ${{ steps.tempdir.outputs.directory }}/archive.zip ${{ inputs.path }} + else + echo "::warning:: No files/directories found with the provided path(s) $(echo -n ${{ inputs.path }}). No artifact will be uploaded." + fi + + - name: Upload archive as artifact + uses: actions/upload-artifact@v3 + with: + name: ${{ inputs.name }} + path: ${{ steps.tempdir.outputs.directory }}/archive.zip + retention-days: ${{ inputs.retention-days }} + if-no-files-found: ignore diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index 6e72455feb..cb264283b6 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml 
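Review bot: `zip -e -P` in the `Create archive` step produces an archive protected by Info-ZIP's traditional PKWARE encryption (ZipCrypto), a weak stream cipher with published known-plaintext attacks, so the artifacts are obscured rather than cryptographically protected from anyone who can fetch them; if confidentiality is the goal, keep zip for bundling only and encrypt the archive with a modern symmetric tool that takes its passphrase from a descriptor or environment variable (for example `gpg --symmetric --batch --passphrase-fd 0`). As in the artifact_download hunk, the secret and `${{ inputs.path }}` are interpolated directly into the `run:` script (`-P '${{ inputs.encryption-secret }}'` and `for pattern in ${{ inputs.path }}`); pass them through `env:` and quote the secret so a single quote in the passphrase cannot break the command or leak it into the rendered script. The step should also refuse an empty passphrase, because `secrets.*` is empty in runs that cannot access secrets (pull requests from forks) and the archive would then be created with an empty passphrase or fail with an opaque zip error: `[[ -n "$SECRET" ]] || { echo "::error::encryption-secret is empty"; exit 1; }` before the `zip` call. The `::warning::` branch expands `$(echo -n ${{ inputs.path }})` unquoted, so the patterns are globbed a second time before printing; `"${{ inputs.path }}"` is enough there.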
@@ -59,6 +59,9 @@ inputs: force: description: "Set the force-flag on apply to ignore version mismatches." required: false + encryption-secret: + description: "The secret to use for encrypting the artifact." + required: true outputs: kubeconfig: @@ -259,9 +262,9 @@ runs: - name: Upload boot logs if: always() && !env.ACT continue-on-error: true - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: serial-logs-${{ inputs.artifactNameSuffix }} - path: | - *.log - !terraform.log + path: > + !(terraform).log + encryption-secret: ${{ inputs.encryption-secret }} diff --git a/.github/actions/download_release_binaries/action.yml b/.github/actions/download_release_binaries/action.yml index af8cfa398f..39bb748469 100644 --- a/.github/actions/download_release_binaries/action.yml +++ b/.github/actions/download_release_binaries/action.yml 
@@ -1,55 +1,69 @@ name: Download release binaries description: "Downloads all binaries created by a different job (and therefore not available in this job) in the release pipeline." +inputs: + encryption-secret: + description: 'The secret to use for decrypting the artifact.' + required: true runs: using: "composite" steps: - name: Download CLI binaries darwin-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation-darwin-amd64 + encryption-secret: ${{ inputs.encryption-secret }} - name: Download CLI binaries darwin-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation-darwin-arm64 + encryption-secret: ${{ inputs.encryption-secret }} - name: Download CLI binaries linux-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation-linux-amd64 + encryption-secret: ${{ inputs.encryption-secret }} - name: Download CLI binaries linux-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation-linux-arm64 + encryption-secret: ${{ inputs.encryption-secret }} - name: Download CLI binaries windows-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation-windows-amd64 + encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform module - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: terraform-module + encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform provider binary darwin-amd64 - uses: 
actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: terraform-provider-constellation-darwin-amd64 + encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform provider binary darwin-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: terraform-provider-constellation-darwin-arm64 + encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform provider binary linux-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: terraform-provider-constellation-linux-amd64 + encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform provider binary linux-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: terraform-provider-constellation-linux-arm64 + encryption-secret: ${{ inputs.encryption-secret }} diff --git a/.github/actions/e2e_benchmark/action.yml b/.github/actions/e2e_benchmark/action.yml index a9b9c1b827..1a4353f1a0 100644 --- a/.github/actions/e2e_benchmark/action.yml +++ b/.github/actions/e2e_benchmark/action.yml @@ -17,6 +17,9 @@ inputs: awsOpenSearchPwd: description: "AWS OpenSearch Password to upload the results." required: false + encryption-secret: + description: 'The secret to use for encrypting the artifact.' + required: true runs: using: "composite" 
@@ -93,10 +96,11 @@ runs: - name: Upload raw FIO benchmark results if: (!env.ACT) - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: path: "out/fio-constellation-${{ inputs.cloudProvider }}.json" name: "fio-constellation-${{ inputs.cloudProvider }}.json" + encryption-secret: ${{ inputs.encryption-secret }} - name: Run knb benchmark shell: bash @@ -114,10 +118,11 @@ runs: - name: Upload raw knb benchmark results if: (!env.ACT) - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: path: "out/knb-constellation-${{ inputs.cloudProvider }}.json" name: "knb-constellation-${{ inputs.cloudProvider }}.json" + encryption-secret: ${{ inputs.encryption-secret }} - name: Assume AWS role to retrieve and update benchmarks in S3 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 @@ -166,11 +171,12 @@ runs: - name: Upload benchmark results to action run if: (!env.ACT) - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: - path: | + path: > benchmarks/constellation-${{ inputs.cloudProvider }}.json name: "benchmarks" + encryption-secret: ${{ inputs.encryption-secret }} - name: Upload benchmark results to opensearch if: (!env.ACT) diff --git a/.github/actions/e2e_sonobuoy/action.yml b/.github/actions/e2e_sonobuoy/action.yml index 56decfbe87..6d8a1905d0 100644 --- a/.github/actions/e2e_sonobuoy/action.yml +++ b/.github/actions/e2e_sonobuoy/action.yml @@ -11,6 +11,9 @@ inputs: kubeconfig: description: "The kubeconfig of the cluster to test." required: true + encryption-secret: + description: 'The secret to use for encrypting the artifact.' + required: true runs: using: "composite" 
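Review bot: Switching these uploads to `./.github/actions/artifact_upload` changes where the files land on download: `zip -r` stores the path as given, so `out/fio-constellation-….json` (hunk `@@ -93`), `out/knb-constellation-….json` (hunk `@@ -114`) and `benchmarks/constellation-….json` (hunk `@@ -166`) are extracted with their `out/` and `benchmarks/` prefixes, whereas `actions/upload-artifact` placed a single file at the artifact root. Any consumer that downloads these artifacts and expects the flattened layout will no longer find the file; please confirm the consumers, or add `-j` (junk paths) to the `zip` call for uploads that need the old single-file behaviour. The same concern applies to the build-os-image hunks (`${{ steps.build.outputs.image-dir }}/constellation.raw`, the `parts-*` set, and the `${{ github.workspace }}/…/image-upload*.json` glob, where, as far as I recall zip's behaviour, an absolute path is stored with only the leading `/` removed and therefore extracts under `home/runner/…` inside the destination), to `bazel-bin/cli/…` in e2e-windows, and to `build/constellation-…` in draft-release.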
@@ -44,10 +47,11 @@ runs: - name: Upload test results if: always() && !env.ACT - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz" path: "*_sonobuoy_*.tar.gz" + encryption-secret: ${{ inputs.encryption-secret }} # Only works on "sonobuoy full" tests (e2e plugin) - name: Extract test results diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml index fe8f29d5ed..baed7cc748 100644 --- a/.github/actions/e2e_test/action.yml +++ b/.github/actions/e2e_test/action.yml @@ -86,6 +86,9 @@ inputs: force: description: "Set the force-flag on apply to ignore version mismatches." required: false + encryption-secret: + description: 'The secret to use for decrypting the artifact.' + required: true outputs: kubeconfig: @@ -296,6 +299,7 @@ runs: clusterCreation: ${{ inputs.clusterCreation }} marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} force: ${{ inputs.force }} + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Deploy log- and metrics-collection (Kubernetes) id: deploy-logcollection @@ -330,6 +334,7 @@ runs: sonobuoyTestSuiteCmd: "--mode quick" kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }} + encryption-secret: ${{ inputs.encryption-secret }} - name: Run sonobuoy full test if: inputs.test == 'sonobuoy full' 
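Review bot: In `.github/actions/e2e_test/action.yml` the step that forwards `clusterCreation` and `force` to cluster creation (hunk `@@ -296,6 +299,7`) passes `encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}`, but this file is a composite action, where the `secrets` context is not available according to the documented context availability, so the expression evaluates to an empty string and the serial-log upload in constellation_create would run with an empty passphrase. The rest of this file already threads the value through the new `encryption-secret` input (the sonobuoy and benchmark steps use `${{ inputs.encryption-secret }}`); use the same here: `encryption-secret: ${{ inputs.encryption-secret }}`. The input's description, `'The secret to use for decrypting the artifact.'`, also does not match its use, since this action only uploads; `'The secret to use for encrypting uploaded artifacts.'` would be accurate.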
@@ -339,6 +344,7 @@ runs: sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml' kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }} + encryption-secret: ${{ inputs.encryption-secret }} - name: Run autoscaling test if: inputs.test == 'autoscaling' @@ -361,6 +367,7 @@ runs: awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }} awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }} awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }} + encryption-secret: ${{ inputs.encryption-secret }} - name: Run constellation verify test if: inputs.test == 'verify' diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml index 49c016e9f5..ab6a7794ff 100644 --- a/.github/actions/upload_terraform_module/action.yml +++ b/.github/actions/upload_terraform_module/action.yml @@ -1,5 +1,10 @@ name: Upload Terraform infrastructure module description: "Upload the Terraform infrastructure module as an artifact." +inputs: + encryption-secret: + description: 'The secret to use for encrypting the artifact.' + required: true + runs: using: "composite" @@ -15,10 +20,11 @@ runs: zip -r terraform-module.zip terraform-module - name: Upload artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 + uses: ./.github/actions/artifact_upload with: name: terraform-module path: terraform-module.zip + encryption-secret: ${{ inputs.encryption-secret }} - name: Cleanup Terraform module dir shell: bash 
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml index 38804419db..f636ca9c44 100644 --- a/.github/workflows/build-os-image.yml +++ b/.github/workflows/build-os-image.yml @@ -178,25 +178,28 @@ jobs: echo "::endgroup::" - name: Upload raw OS image as artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} path: ${{ steps.build.outputs.image-dir }}/constellation.raw + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload individual OS parts as artifacts - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }} - path: | + path: > ${{ steps.build.outputs.image-dir }}/constellation.efi ${{ steps.build.outputs.image-dir }}/constellation.initrd ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload sbom info as artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: ./.github/actions/artifact_upload with: name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }} path: ${{ steps.build.outputs.rpmdb }} + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} upload-os-image: name: "Upload OS image to CSP" @@ -241,10 +244,11 @@ jobs: useCache: "false" - name: Download OS image artifact - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38 + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Install tools shell: bash 
@@ -353,10 +357,11 @@ jobs: echo "::endgroup::" - name: Upload image lookup table as artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: lookup-table path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} calculate-pcrs: name: "Calculate PCRs" @@ -390,9 +395,10 @@ jobs: ref: ${{ inputs.ref || github.head_ref }} - name: Download OS image artifact - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - uses: ./.github/actions/setup_bazel_nix with: @@ -535,10 +541,11 @@ jobs: echo "::endgroup::" - name: Upload expected measurements as artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: measurements path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} upload-pcrs: name: "Sign & upload PCRs" @@ -558,9 +565,10 @@ jobs: useCache: "false" - name: Download measurements - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: measurements + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Login to AWS uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 
@@ -639,11 +647,12 @@ jobs: aws-region: eu-central-1 - name: Download sbom - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: # downloading / using only the QEMU manifest is fine # since the images only differ in the ESP partition name: sbom-qemu-qemu-vtpm + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload SBOMs to S3 shell: bash @@ -671,9 +680,10 @@ jobs: useCache: "false" - name: Download image lookup table - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 + uses: ./.github/actions/artifact_download with: name: lookup-table + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Login to AWS uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index c2bb03acb0..6c182c5d20 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -96,7 +96,7 @@ jobs: if : ${{ matrix.os != 'windows' }} with: name: constellation-${{ matrix.os }}-${{ matrix.arch }} - path: | + path: > build/constellation-${{ matrix.os }}-${{ matrix.arch }} build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig @@ -105,7 +105,7 @@ jobs: if : ${{ matrix.os == 'windows' }} with: name: constellation-${{ matrix.os }}-${{ matrix.arch }} - path: | + path: > build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig @@ -175,6 +175,8 @@ jobs: - name: Upload Terraform infrastructure module uses: ./.github/actions/upload_terraform_module + with: + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} push-containers: runs-on: ubuntu-22.04 
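Review bot: In the two `constellation-${{ matrix.os }}-${{ matrix.arch }}` upload steps of draft-release.yml (hunks `@@ -96` and `@@ -105`) the `path:` scalar changes from `|` to `>`, which folds the two file names into one space-separated line; that is only correct if the step's `uses:` line, which lies outside these hunks, already points at `./.github/actions/artifact_upload`, whose bash loop splits on whitespace. If it still references `actions/upload-artifact`, the folded value is treated as a single path containing a space and matches nothing. Please confirm the `uses:` line of both steps, and consider adding a comment above `path: >` such as `# folded on purpose: artifact_upload splits this on whitespace` so the next reader does not revert it to `|`.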
@@ -225,11 +227,14 @@ jobs: - name: Download release binaries uses: ./.github/actions/download_release_binaries + with: + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download CLI SBOM - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation.spdx.sbom + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Generate provenance subjects id: provenance-subjects @@ -338,16 +343,20 @@ jobs: - name: Download release binaries uses: ./.github/actions/download_release_binaries + with: + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download CLI SBOM - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation.spdx.sbom + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download provenance - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: ${{ needs.provenance.outputs.provenance-name }} + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Install slsa-verifier run: | 
@@ -416,21 +425,26 @@ jobs: - name: Download binaries uses: ./.github/actions/download_release_binaries + with: + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download CLI SBOM - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation.spdx.sbom + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download Constellation CLI SBOM's signature - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: constellation.spdx.sbom.sig + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download Constellation provenance - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: ${{ needs.provenance.outputs.provenance-name }} + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Rename provenance file run: | diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml index 45efd049d6..873dc52e00 100644 --- a/.github/workflows/e2e-test-daily.yml +++ b/.github/workflows/e2e-test-daily.yml @@ -91,6 +91,7 @@ jobs: awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} clusterCreation: "cli" + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml index d55219d952..74e547c4e1 100644 --- a/.github/workflows/e2e-test-release.yml +++ b/.github/workflows/e2e-test-release.yml 
@@ -265,6 +265,7 @@ jobs: clusterCreation: ${{ matrix.clusterCreation }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index b6ad9233c7..230724881e 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml @@ -305,6 +305,7 @@ jobs: clusterCreation: ${{ matrix.clusterCreation }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index c345926e29..04a442d28a 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -246,6 +246,7 @@ jobs: s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} force: ${{ inputs.force }} + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml index e7374414e8..09369e89a0 100644 --- a/.github/workflows/e2e-upgrade.yml +++ b/.github/workflows/e2e-upgrade.yml @@ -183,6 +183,7 @@ jobs: awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} clusterCreation: "cli" + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Build CLI uses: ./.github/actions/build_cli 
@@ -275,13 +276,14 @@ jobs: - name: Always upload logs if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: upgrade-logs - path: | + path: > node-operator.logs node-maintenance-operator.logs constellation-version.yaml + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-windows.yml b/.github/workflows/e2e-windows.yml index 5cd322c5ec..03ea104f18 100644 --- a/.github/workflows/e2e-windows.yml +++ b/.github/workflows/e2e-windows.yml @@ -34,10 +34,11 @@ jobs: enterpriseCLI: true - name: Upload CLI artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: path: "bazel-bin/cli/cli_enterprise_windows_amd64" name: "constell-exe" + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} e2e-test: name: E2E Test Windows @@ -50,9 +51,10 @@ jobs: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Download CLI artifact - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: "constell-exe" + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Check CLI version shell: pwsh diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml index 8fd53ba69c..65bf0b5e89 100644 --- a/.github/workflows/reproducible-builds.yml +++ b/.github/workflows/reproducible-builds.yml 
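Review bot: The `Download CLI artifact` step of the `e2e-test` job in e2e-windows.yml now uses `./.github/actions/artifact_download`, which installs `unzip` through `./.github/actions/setup_bazel_nix` and then runs a `bash` step; if this job runs on a Windows runner, as the following `shell: pwsh` step suggests, that setup is unlikely to work because Nix has no native Windows support. The decrypt step then needs a Windows-capable path: PowerShell's `Expand-Archive` cannot open password-protected archives, so a cross-platform tool such as 7-Zip (present on the hosted Windows images) would have to be used, or the download action needs an OS switch on `runner.os`. Please verify this job on the target runner before merging; the `uses:` change itself looks fine otherwise.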
@@ -53,16 +53,18 @@ jobs: run: shasum -a 256 "${binary}" | tee "${binary}.sha256" - name: Upload binary artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: "binaries-${{ matrix.target }}" path: "${{ env.binary }}" + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload hash artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: "sha256sums" path: "${{ env.binary }}.sha256" + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} build-osimages: strategy: @@ -134,9 +136,10 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Download binaries - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: "binaries-${{ matrix.target }}" + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Hash shell: bash @@ -163,9 +166,10 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Download os images - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: ./.github/actions/artifact_download with: name: "osimages-${{ matrix.target }}" + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Hash shell: bash diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 90efc76fc9..d5c2d738d4 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -30,11 +30,12 @@ jobs: publish_results: true - name: Upload artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: ./.github/actions/artifact_upload with: name: SARIF file path: results.sarif retention-days: 5 + encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Upload to code-scanning uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
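Review bot: The `Upload hash artifact` step in reproducible-builds.yml uploads `${{ env.binary }}.sha256` to a shared artifact named `sha256sums`, and the per-target naming of the neighbouring `binaries-${{ matrix.target }}` artifact suggests several matrix jobs do so. With `actions/upload-artifact@v3` these uploads merged into one artifact holding each `<binary>.sha256` (same-name files overwrite, as documented for v3); through `artifact_upload` every job now uploads a file called `archive.zip` to the same artifact, so each upload overwrites the previous one and only one target's hash survives. Either name the artifact per target (`name: "sha256sums-${{ matrix.target }}"`) and merge in the consuming job, or give the archive inside `artifact_upload` a caller-supplied name component. The scorecard hunk is unaffected, since its `SARIF file` artifact is uploaded once and the `Upload to code-scanning` step reads `results.sarif` from disk.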