From 7ced436829fcc9bb023cfb1a307aec92ba95b629 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 4 Apr 2023 15:57:19 +0200
Subject: [PATCH] gha: Split the Kata Containers CI workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We've been facing some issues in order to properly run, in a safe way, the workflows for the Kata Containers CI. This happens as the `pull_request` target doesn't allow passing any secrets to workflows; and the `pull_request_target` workflow, which allows passing the secrets, doesn't run on the PR itself but rather on the target PR branch. :-/ https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ proposes a reasonable solution, which I'm trying to mimic here.

Signed-off-by: Fabiano FidĂȘncio
---
 .../workflows/build-kata-static-tarball.yaml | 9 +++++
 .github/workflows/ci-on-push.yaml | 37 -------------------
 .../publish-kata-deploy-payload.yaml | 18 +++++++++
 .github/workflows/run-k8s-tests-on-aks.yaml | 23 +++++-------
 4 files changed, 37 insertions(+), 50 deletions(-)
 create mode 100644 .github/workflows/build-kata-static-tarball.yaml
 delete mode 100644 .github/workflows/ci-on-push.yaml
 create mode 100644 .github/workflows/publish-kata-deploy-payload.yaml

diff --git a/.github/workflows/build-kata-static-tarball.yaml b/.github/workflows/build-kata-static-tarball.yaml
new file mode 100644
index 000000000000..22a5cf1c53b0
--- /dev/null
+++ b/.github/workflows/build-kata-static-tarball.yaml
@@ -0,0 +1,9 @@
+name: CI | Build Kata Containers artefacts
+on:
+ pull_request
+
+jobs:
+ build-kata-static-tarball-amd64:
+ uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
+ with:
+ tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.sha }}
diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
deleted file mode 100644
index cbab268372e3..000000000000
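Review bot: The `name` on the first added line is the string that the follow-up `workflow_run` trigger in publish-kata-deploy-payload.yaml matches on, and nothing in this file records that coupling, so a later rename of either side silently breaks the chain with no error surfaced here. Add a comment above it such as `# NOTE: this name is referenced by workflow_run.workflows in publish-kata-deploy-payload.yaml; keep both in sync`. The `tarball-suffix` value is likewise the only handle the privileged downstream workflow has to correlate this unprivileged build's artefact, so a comment on that line stating that the suffix format is a contract shared with the consumer would help the next maintainer.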
--- a/.github/workflows/ci-on-push.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-name: Kata Containers CI
-on:
- pull_request_target:
- types:
- - opened
- - reopened
- - labeled
- - synchronize
-
-jobs:
- build-kata-static-tarball-amd64:
- if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
- uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
- with:
- tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.sha }}
-
- publish-kata-deploy-payload-amd64:
- if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
- needs: build-kata-static-tarball-amd64
- uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
- with:
- tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.sha }}
- registry: ghcr.io
- repo: ${{ github.repository_owner }}/kata-deploy-ci
- tag: ${{ github.event.pull_request.number }}-${{ github.sha }}-amd64
- quay-io-login-continue-on-error: true
- secrets: inherit
-
- run-k8s-tests-on-aks:
- if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
- needs: publish-kata-deploy-payload-amd64
- uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
- with:
- registry: ghcr.io
- repo: ${{ github.repository_owner }}/kata-deploy-ci
- tag: ${{ github.event.pull_request.number }}-${{ github.sha }}-amd64
- secrets: inherit
diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml
new file mode 100644
index 000000000000..d8971dba00e3
--- /dev/null
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -0,0 +1,18 @@
+name: CI | Publish kata-deploy payload
+on:
+ workflow_run:
+ workflows:
+ - CI | Build Kata Containers artefacts
+ types:
+ - completed
+
+jobs:
+ publish-kata-deploy-payload-amd64:
+ uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
+ with:
+ tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.sha }}
+ registry: ghcr.io
+ repo: ${{ github.repository_owner }}/kata-deploy-ci
+ tag: ${{ github.event.pull_request.number }}-${{ github.sha }}-amd64
+ quay-io-login-continue-on-error: true
+ secrets: inherit
diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml
index 83dd4ab7bb27..640d07a63133 100644
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -1,16 +1,13 @@
 name: CI | Run kubernetes tests on AKS
 on:
- workflow_call:
- inputs:
- registry:
- required: true
- type: string
- repo:
- required: true
- type: string
- tag:
- required: true
- type: string
+ workflow_run:
+ workflows:
+ - CI | Publish kata-deploy payload
+ types:
+ - completed
+
+env:
+ ci_image: ghcr.io/kata-containers/kata-deploy-ci/${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
 
 jobs:
 create-aks:
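Review bot: In a `workflow_run`-triggered workflow the event payload is the completed run, not a pull request, so `github.event.pull_request.number` in `tarball-suffix` and `tag` expands to an empty string and `github.sha` is the default-branch commit the run executes on rather than the PR head — the suffix and tag will not match what the `pull_request`-triggered build produced, so the publish step looks for an artefact that does not exist. The head commit is available as `github.event.workflow_run.head_sha`; the PR number is only sometimes present in `github.event.workflow_run.pull_requests` (it can be empty for PRs from forks), which is why the securitylab pattern cited in the commit message has the unprivileged build upload the PR number as an artefact and the privileged workflow read it back. `types: completed` also fires for failed and cancelled builds, so the job should be gated with `if: ${{ github.event.workflow_run.conclusion == 'success' }}`. The same `github.event.pull_request` problem applies to the `env.ci_image` line in the run-k8s-tests-on-aks.yaml hunk that follows. Since this job runs with `secrets: inherit` on the base repository and publishes a payload produced by untrusted PR code, the PR-and-sha-scoped `tag` is what keeps it from overwriting a trusted tag; keep that scoping intact when the expressions are fixed.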
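Review bot: `env.ci_image` hardcodes `ghcr.io/kata-containers/kata-deploy-ci/` and uses `github.event.pull_request.head.sha`, while the publish workflow pushes to `${{ github.repository_owner }}/kata-deploy-ci` tagged with `github.sha`, so even with a populated pull-request context the two image references would differ and the deploy step would reference an image that was never pushed. Registry, repo and tag should be derived from one place — the same expressions in both files, or a value handed down the artefact chain — and this line needs the `workflow_run` context fix raised on the publish hunk as well. The trigger also fires for failed and cancelled publish runs, so `create-aks` (whose body continues outside this hunk) should carry `if: ${{ github.event.workflow_run.conclusion == 'success' }}`. With the typed `workflow_call` inputs gone, a comment above `ci_image` such as `# Must match the registry/repo/tag pushed by publish-kata-deploy-payload.yaml` would preserve the contract those inputs used to document.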
@@ -58,9 +55,9 @@ jobs:
 - name: Deploy kata-deploy
 run: |
- sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+ sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|$ci_image|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
 cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
- cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
+ cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | grep "$ci_image" || die "Failed to setup the tests image"
 kubectl apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
 kubectl apply -f tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml