Merged main

IABTechLab · Feb 29, 2024 · 2431449 · 2431449
2 parents 7042058 + 7207185
commit 2431449
Show file tree

Hide file tree

Showing 71 changed files with 685 additions and 1,169 deletions.
diff --git a/.github/actions/build_aws_eif/action.yaml b/.github/actions/build_aws_eif/action.yaml
@@ -0,0 +1,68 @@
+name: Build AWS EIF
+description: Builds the EIF for AWS private operators
+
+inputs:
+  identity_scope:
+    description: The identity scope [uid2, euid]
+    required: true
+  artifacts_base_output_dir:
+    description: The base output directory for the AMI artifacts
+    required: true
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Run amazonlinux Docker image
+      shell: bash
+      run: |
+        docker stop $(docker ps -a -q)
+        docker system prune -f
+        docker build -t amazonlinux -f ./scripts/aws/pipeline/amazonlinux.Dockerfile .
+        docker run -d --privileged --name amazonlinux amazonlinux:latest
+
+    - name: Create build folder
+      id: buildFolder
+      shell: bash
+      run: |
+        BUILD_FOLDER="./build/${{ inputs.identity_scope }}"
+        mkdir -p $BUILD_FOLDER
+        echo "BUILD_FOLDER=$BUILD_FOLDER" >> $GITHUB_OUTPUT
+
+    - name: Get identity scope
+      shell: bash
+      run: |
+        echo "${{ inputs.identity_scope }}" | tr '[:lower:]' '[:upper:]' > ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt
+        cat ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt
+
+    - name: Get version number from pom.xml
+      shell: bash
+      run: |
+        grep -o '<version>.*</version>' ./pom.xml | head -1 | sed 's/<version>\(.*\)<\/version>/\1/' > ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt
+        cat ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt
+
+    - name: Build EIF
+      shell: bash
+      run: |
+        make -f Makefile.nitro ${{ inputs.identity_scope }}operator.eif
+
+    - name: Prepare artifacts
+      shell: bash
+      run: |
+        ARTIFACTS_OUTPUT_DIR="${{ inputs.artifacts_base_output_dir }}/${{ inputs.identity_scope }}"
+
+        mkdir -p ${ARTIFACTS_OUTPUT_DIR}
+
+        cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt                                       ${ARTIFACTS_OUTPUT_DIR}/
+        cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt                                       ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/start.sh                                                                                 ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/stop.sh                                                                                  ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/proxies.host.yaml                                                                        ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/sockd.conf                                                                               ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/uid2operator.service                                                                     ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/pipeline/$(cat ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt)_VERSION ${ARTIFACTS_OUTPUT_DIR}/VERSION
+
+        docker cp amazonlinux:/sockd                                    ${ARTIFACTS_OUTPUT_DIR}/
+        docker cp amazonlinux:/vsockpx                                  ${ARTIFACTS_OUTPUT_DIR}/
+        docker cp amazonlinux:/${{ inputs.identity_scope }}operator.eif ${ARTIFACTS_OUTPUT_DIR}/uid2operator.eif
+        docker cp amazonlinux:/pcr0.txt                                 ${ARTIFACTS_OUTPUT_DIR}/
diff --git a/.github/workflows/e2e-azure-cc-enclave.yaml b/.github/workflows/e2e-azure-cc-enclave.yaml
@@ -50,7 +50,7 @@ jobs:
           cd ./e2e && bash ./setup_ngrok.sh
 
       - name: Log in to the Docker container registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

diff --git a/.github/workflows/e2e-gcp-oidc-enclave.yaml b/.github/workflows/e2e-gcp-oidc-enclave.yaml
@@ -58,7 +58,7 @@ jobs:
           cd ./e2e && bash ./prepare_gcp_enclave_metadata.sh
 
       - name: Log in to the Docker container registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml
@@ -5,7 +5,7 @@ on:
     inputs:
       release_type:
         type: choice
-        description: 'The type of release'
+        description: The type of release
         options:
         - Major
         - Minor
@@ -27,7 +27,7 @@ jobs:
             GITHUB_CONTEXT: ${{ toJson(github) }}
 
       - name: Check branch and release type
-        uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v2.2.2
+        uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v2
         with:
           release_type: ${{ inputs.release_type }}
 
@@ -37,7 +37,7 @@ jobs:
           fetch-depth: 0
 
       - name: Scan vulnerabilities
-        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@v2.4.0
+        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@v2
         with:
           scan_severity: HIGH,CRITICAL
           failure_severity: CRITICAL
@@ -56,14 +56,12 @@ jobs:
           sed -i "s/$current_version/$new_version/g" pom.xml
           echo "Version number updated from $current_version to $new_version"
 
-      - name: Commit pom.xml and version.json
-        uses: EndBug/add-and-commit@v9
+      - name: Commit pom.xml, version.json and set tag
+        uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v2
         with:
           add: 'pom.xml version.json'
-          author_name: Release Workflow
-          author_email: [email protected]
           message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}'
-          tag: v${{ steps.version.outputs.new_version }}
+          tag: v${{ steps.version.outputs.new_version }} 
 
   buildPublic:
     name: Public Operator
@@ -98,19 +96,19 @@ jobs:
     needs: [start, buildPublic, buildGCP, buildAzure]
     steps:
       - name: Download public artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: image-details
           path: ./artifacts/public_operator
 
       - name: Download GCP artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: gcp-oidc-deployment-files
           path: ./artifacts/gcp_oidc_operator
 
       - name: Download Azure artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: azure-cc-deployment-files
           path: ./artifacts/azure_cc_operator
@@ -124,7 +122,7 @@ jobs:
             azure-cc-deployment-files
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: uid2-operator-release-${{ needs.start.outputs.new_version }}
           path: ./artifacts/
@@ -144,7 +142,7 @@ jobs:
 
       - name: Build changelog
         id: changelog
-        uses: mikepenz/release-changelog-builder-action@v3
+        uses: mikepenz/release-changelog-builder-action@v4
         with:
           toTag: v${{ needs.start.outputs.new_version }}
           configurationJson: |

diff --git a/.github/workflows/publish-aws-nitro-enclave-docker.yaml b/.github/workflows/publish-aws-nitro-enclave-docker.yaml
@@ -0,0 +1,138 @@
+name: Publish AWS Nitro Operator
+run-name: ${{ format('Publish {0} AWS Nitro Operator', inputs.release_type) }}
+on:
+  workflow_dispatch:
+    inputs:
+      release_type:
+        type: choice
+        description: The type of release
+        options:
+          - Major
+          - Minor
+          - Patch
+          - Snapshot
+      version_number_input:
+        description: If set, the version number will not be incremented and the given number will be used.
+        type: string
+        default: ''
+  workflow_call:
+    inputs:
+      release_type:
+        description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major]
+        required: true
+        type: string
+      version_number_input:
+        description: If set, the version number will not be incremented and the given number will be used.
+        type: string
+        default: ''
+
+    outputs:
+      pcr0:
+        description: The EIF PCR0
+        value: ${{ jobs.buildImage.outputs.pcr0 }}
+
+env:
+  ENCLAVE_PROTOCOL: aws-nitro
+  ARTIFACTS_BASE_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts
+
+jobs:
+  buildImage:
+    name: Build Image
+    runs-on: ubuntu-latest
+    outputs:
+      pcr0: ${{ steps.showPCR0.outputs.PCR0 }}
+    steps:
+      - name: Check branch and release type
+        id: checkRelease
+        uses: IABTechLab/uid2-shared-actions/actions/[email protected]
+        with:
+          release_type: ${{ inputs.release_type }}
+
+      - name: Free up space
+        run: |
+          rm -rf /opt/hostedtoolcache
+
+      - name: Show Context
+        run: |
+          printenv
+          echo "$GITHUB_CONTEXT"
+        shell: bash
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+          IS_RELEASE: ${{ steps.checkRelease.outputs.IS_RELEASE }}
+
+      - name: Checkout full history on Main
+        uses: actions/checkout@v4
+        if: ${{ inputs.version_number_input == '' }}
+        with:
+          # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout.
+          fetch-depth: 0
+
+      - name: Checkout full history at tag v${{ inputs.version_number_input }}
+        uses: actions/checkout@v4
+        if: ${{ inputs.version_number_input != '' }}
+        with:
+          ref: v${{ inputs.version_number_input }}
+          # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout.
+          fetch-depth: 0
+
+      - name: Restore timestamps
+        uses: thetradedesk/[email protected]
+
+      - name: Set version number
+        id: version
+        uses: IABTechLab/uid2-shared-actions/actions/version_number@main
+        with:
+          type: ${{ inputs.release_type }}
+          version_number: ${{ inputs.version_number_input }}
+          branch_name: ${{ github.ref }}
+
+      - name: Update pom.xml
+        id: updatePom
+        run: |
+          current_version=$(grep -o '<version>.*</version>' pom.xml | head -1 | sed 's/<version>\(.*\)<\/version>/\1/')
+          new_version=${{ steps.version.outputs.new_version }} 
+          sed -i "0,/$current_version/s/$current_version/$new_version/" pom.xml
+          echo "Version number updated from $current_version to $new_version"
+          echo "image_tag=${{ steps.version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }}" >> $GITHUB_OUTPUT
+
+      - name: Commit pom.xml and version.json
+        if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.IS_RELEASE != 'true' }}
+        uses: EndBug/add-and-commit@v9
+        with:
+          add: 'pom.xml version.json'
+          author_name: Release Workflow
+          author_email: [email protected]
+          message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}'
+
+      - name: Commit pom.xml, version.json and set tag
+        if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.IS_RELEASE == 'true' }}
+        uses: EndBug/add-and-commit@v9
+        with:
+          add: 'pom.xml version.json'
+          author_name: Release Workflow
+          author_email: [email protected]
+          message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}'
+          tag: v${{ steps.version.outputs.new_version }}
+
+      - name: Run amazonlinux Docker image
+        run: |
+          docker build -t amazonlinux -f ./scripts/aws/pipeline/amazonlinux.Dockerfile .
+          docker run -d --privileged --name amazonlinux amazonlinux:latest
+
+      - name: Build UID2 AWS EIF
+        uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@main
+        with:
+          identity_scope: uid2
+          artifacts_base_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}
+
+      - name: Build EUID AWS EIF
+        uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@main
+        with:
+          identity_scope: euid
+          artifacts_base_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: aws-nitro-deployment-files
+          path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}