Publish Snapshot Azure CC Operator #234
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Azure CC Operator | |
| run-name: ${{ format('Publish {0} Azure CC Operator', inputs.release_type) }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release_type: | |
| type: choice | |
| description: The type of release | |
| options: | |
| - Snapshot | |
| - Patch | |
| - Minor | |
| - Major | |
| version_number_input: | |
| description: If set, the version number will not be incremented and the given number will be used. | |
| type: string | |
| default: '' | |
| vulnerability_severity: | |
| description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. | |
| type: choice | |
| options: | |
| - CRITICAL,HIGH | |
| - CRITICAL,HIGH,MEDIUM | |
| - CRITICAL (DO NOT use if JIRA ticket not raised) | |
| workflow_call: | |
| inputs: | |
| release_type: | |
| description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major] | |
| required: true | |
| type: string | |
| version_number_input: | |
| description: If set, the version number will not be incremented and the given number will be used. | |
| type: string | |
| default: '' | |
| commit_sha: | |
| description: The commit SHA for committing the new version for pom.xml. | |
| type: string | |
| default: '' | |
| vulnerability_severity: | |
| description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between). | |
| type: string | |
| default: 'CRITICAL,HIGH' | |
| outputs: | |
| image_tag: | |
| description: The tag used to describe the image in Docker | |
| value: ${{ jobs.buildImage.outputs.image_tag }} | |
| env: | |
| REGISTRY: ghcr.io | |
| MAVEN_PROFILE: azure | |
| ENCLAVE_PROTOCOL: azure-cc | |
| IMAGE_NAME: ${{ github.repository }} | |
| DOCKER_CONTEXT_PATH: scripts/azure-cc | |
| ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts | |
| MANIFEST_OUTPUT_DIR: ${{ github.workspace }}/manifest | |
| jobs: | |
| buildImage: | |
| name: Build Image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| security-events: write | |
| packages: write | |
| id-token: write | |
| pull-requests: write | |
| outputs: | |
| # jar_version: ${{ steps.update_version.outputs.new_version }} | |
| # docker_version: ${{ steps.meta.outputs.version }} | |
| # image_tag: ${{ steps.update_version.outputs.image_tag }} | |
| # tags: ${{ steps.meta.outputs.tags }} | |
| # is_release: ${{ steps.update_version.outputs.is_release }} | |
| jar_version: 5.49.9-alpha-224-SNAPSHOT | |
| docker_version: 5.49.9-alpha-224-SNAPSHOT-azure-cc | |
| image_tag: 5.49.9-alpha-224-SNAPSHOT-azure-cc | |
| tags: ghcr.io/iabtechlab/uid2-operator:5.49.9-alpha-224-SNAPSHOT-azure-cc | |
| is_release: false | |
| steps: | |
| # - name: Update Operator Version | |
| # id: update_version | |
| # uses: IABTechLab/uid2-operator/.github/actions/update_operator_version@main | |
| # with: | |
| # release_type: ${{ inputs.release_type }} | |
| # version_number_input: ${{ inputs.version_number_input }} | |
| # image_tag_suffix: ${{ env.ENCLAVE_PROTOCOL }} | |
| # commit_sha: ${{ inputs.commit_sha }} | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| cache: 'maven' | |
| # - name: Package JAR | |
| # id: package | |
| # run: | | |
| # mvn -B package -P ${{ env.MAVEN_PROFILE }} | |
| # echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT | |
| # echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT | |
| # cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/ | |
| # cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/ | |
| # - name: Log in to the Docker container registry | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # registry: ${{ env.REGISTRY }} | |
| # username: ${{ github.actor }} | |
| # password: ${{ secrets.GITHUB_TOKEN }} | |
| # - name: Extract metadata (tags, labels) for Docker | |
| # id: meta | |
| # uses: docker/metadata-action@v5 | |
| # with: | |
| # images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| # tags: | | |
| # type=raw,value=${{ steps.update_version.outputs.image_tag }} | |
| # - name: Build and export to Docker | |
| # uses: docker/build-push-action@v5 | |
| # with: | |
| # context: ${{ env.DOCKER_CONTEXT_PATH }} | |
| # load: true | |
| # tags: ${{ steps.meta.outputs.tags }} | |
| # labels: ${{ steps.meta.outputs.labels }} | |
| # build-args: | | |
| # JAR_VERSION=${{ steps.update_version.outputs.new_version }} | |
| # IMAGE_VERSION=${{ steps.update_version.outputs.new_version }} | |
| # BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} | |
| # - name: Generate Trivy vulnerability scan report | |
| # uses: aquasecurity/trivy-action@0.14.0 | |
| # with: | |
| # image-ref: ${{ steps.meta.outputs.tags }} | |
| # format: 'sarif' | |
| # exit-code: '0' | |
| # ignore-unfixed: true | |
| # severity: 'CRITICAL,HIGH' | |
| # output: 'trivy-results.sarif' | |
| # hide-progress: true | |
| # - name: Upload Trivy scan report to GitHub Security tab | |
| # uses: github/codeql-action/upload-sarif@v3 | |
| # with: | |
| # sarif_file: 'trivy-results.sarif' | |
| # - name: Test with Trivy vulnerability scanner | |
| # uses: aquasecurity/trivy-action@0.14.0 | |
| # with: | |
| # image-ref: ${{ steps.meta.outputs.tags }} | |
| # format: 'table' | |
| # exit-code: '1' | |
| # ignore-unfixed: true | |
| # severity: ${{ inputs.vulnerability_severity }} | |
| # hide-progress: true | |
| # - name: Push to Docker | |
| # id: push-to-docker | |
| # uses: docker/build-push-action@v5 | |
| # with: | |
| # context: ${{ env.DOCKER_CONTEXT_PATH }} | |
| # push: true | |
| # tags: ${{ steps.meta.outputs.tags }} | |
| # labels: ${{ steps.meta.outputs.labels }} | |
| # build-args: | | |
| # JAR_VERSION=${{ steps.update_version.outputs.new_version }} | |
| # IMAGE_VERSION=${{ steps.update_version.outputs.new_version }} | |
| azureCc: | |
| name: Azure CC | |
| runs-on: ubuntu-latest | |
| env: | |
| SCRIPTS_DIR: ./scripts/azure-cc/deployment | |
| # TODO | |
| permissions: | |
| contents: write | |
| security-events: write | |
| packages: write | |
| id-token: write | |
| pull-requests: write | |
| needs: buildImage | |
| # outputs: | |
| # jar_version: ${{ steps.update_version.outputs.new_version }} | |
| # image_tag: ${{ steps.update_version.outputs.image_tag }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Copy Azure deployment files | |
| # run: ./scripts/azure-cc/deployment/copy-input-files.sh | |
| run: | | |
| mkdir -p ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| cp ${{ env.SCRIPTS_DIR }}/gateway.json ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| cp ${{ env.SCRIPTS_DIR }}/gateway.parameters.json ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| cp ${{ env.SCRIPTS_DIR }}/vault.json ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| cp ${{ env.SCRIPTS_DIR }}/vault.parameters.json ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| cp ${{ env.SCRIPTS_DIR }}/operator.json ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| cp ${{ env.SCRIPTS_DIR }}/operator.parameters.json ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| cp ${{ env.SCRIPTS_DIR }}/vnet.json ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| cp ${{ env.SCRIPTS_DIR }}/vnet.parameters.json ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| - name: Update operator template | |
| run: | | |
| IMAGE=${{ needs.buildImage.outputs.tags }} | |
| IMAGE_VERSION=$(echo $IMAGE | awk -F':' '{print $2}') | |
| sed -i "s#IMAGE_PLACEHOLDER#${IMAGE}#g" ${{ env.ARTIFACTS_OUTPUT_DIR }}/operator.json | |
| sed -i "s#IMAGE_VERSION_PLACEHOLDER#${IMAGE_VERSION}#g" ${{ env.ARTIFACTS_OUTPUT_DIR }}/operator.json | |
| - name: Generate ACI policy | |
| id: aci_policy | |
| uses: ./.github/actions/acipolicygen_cc | |
| with: | |
| # TODO | |
| template_file: deployment-artifacts/operator.json | |
| - name: Update operator template | |
| # TODO | |
| run: | | |
| echo -n ${{ steps.aci_policy.outputs.policy }} >> ${{ env.SCRIPTS_DIR }}/policy.base64 | |
| # Export the policy, update it to turn off allow_environment_variable_dropping, and then insert it into the template | |
| # note that the EnclaveId is generated by generate.py on the raw policy, not the base64 version | |
| # | |
| base64 --decode < ${{ env.SCRIPTS_DIR }}/policy.base64 > ${{ env.SCRIPTS_DIR }}/generated.rego | |
| sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" ${{ env.SCRIPTS_DIR }}/generated.rego | |
| base64 --wrap=0 < ${{ env.SCRIPTS_DIR }}/generated.rego > ${{ env.SCRIPTS_DIR }}/generated.rego.base64 | |
| POLICY_DIGEST_FILE=azure-cc-operator-digest-${{ needs.buildImage.outputs.jar_version }}.txt | |
| GENERATED_REGO_SHA256=$(sha256sum ${{ env.SCRIPTS_DIR }}/generated.rego | cut -d ' ' -f 1) | |
| echo $GENERATED_REGO_SHA256 > ${{ env.MANIFEST_OUTPUT_DIR }}/$POLICY_DIGEST_FILE | |
| cp ${{ env.ARTIFACTS_OUTPUT_DIR }}/operator.json /tmp/source.json | |
| GENERATED_REGO_BASE64=$(echo -n $GENERATED_REGO | base64 --wrap=0) | |
| jq --arg policy $GENERATED_REGO_BASE64 '.resources[].properties.confidentialComputeProperties.ccePolicy = $policy' /tmp/source.json > ${{ env.ARTIFACTS_OUTPUT_DIR }}/operator.json | |
| # - name: Generate Azure deployment artifacts | |
| # env: | |
| # IMAGE: ${{ needs.buildImage.outputs.tags }} | |
| # OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| # MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR }} | |
| # VERSION_NUMBER: ${{ needs.buildImage.outputs.jar_version }} | |
| # run: | | |
| # bash ./scripts/azure-cc/deployment/generate-deployment-artifacts.sh | |
| - name: Upload deployment artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: azure-cc-deployment-files-${{ needs.buildImage.outputs.jar_version }} | |
| path: ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
| if-no-files-found: error | |
| - name: Upload manifest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: azure-cc-enclave-id-${{ needs.buildImage.outputs.jar_version }} | |
| path: ${{ env.MANIFEST_OUTPUT_DIR }} | |
| if-no-files-found: error | |
| - name: Generate release archive | |
| if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }} | |
| run: | | |
| zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ needs.buildImage.outputs.docker_version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/* | |
| - name: Build changelog | |
| id: github_release | |
| if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }} | |
| uses: mikepenz/release-changelog-builder-action@v4 | |
| with: | |
| configurationJson: | | |
| { | |
| "template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ needs.buildImage.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ needs.buildImage.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}", | |
| "pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )" | |
| } | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create release | |
| if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }} | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| name: ${{ needs.buildImage.outputs.jar_version }} | |
| body: ${{ steps.github_release.outputs.changelog }} | |
| draft: true | |
| files: | | |
| ${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ needs.buildImage.outputs.jar_version }}.zip | |
| ${{ env.MANIFEST_OUTPUT_DIR }}/azure-cc-operator-digest-${{ needs.buildImage.outputs.jar_version }}.txt | |
| # e2e: | |
| # name: E2E | |
| # uses: ./.github/workflows/run-e2e-tests-on-operator.yaml | |
| # needs: [buildImage, azureCc] | |
| # with: | |
| # operator_type: azure | |
| # operator_image_version: ${{ needs.buildImage.outputs.image_tag }} | |
| # secrets: inherit |