Merge branch 'main' into renovate/kubernetes-versions

.bazelrc

@@ -1,9 +1,3 @@
-# Sadly, some Bazel rules we depend on have no support for bzlmod yet
-# Here is an (incomplete) list of rules known to not support bzlmod.
-# Please extend this list as you find more.
-# - rules_nixpkgs: https://github.com/tweag/rules_nixpkgs/issues/181
-common --noenable_bzlmod
-
 # Import bazelrc presets
 import %workspace%/bazel/bazelrc/bazel7.bazelrc
 import %workspace%/bazel/bazelrc/convenience.bazelrc

.github/actions/artifact_download/action.yml

@@ -37,4 +37,4 @@ runs:
       shell: bash
       run: |
         mkdir -p ${{ inputs.path }}
-        7zz x -p'${{ inputs.encryptionSecret }}' -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z
+        7zz x -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z

.github/actions/artifact_upload/action.yml

@@ -47,6 +47,7 @@ runs:
             something_exists=true
           fi
         done
+
         # Create an archive if files exist.
         # Don't create an archive file if no files are found
         # and warn.
@@ -55,11 +56,15 @@ runs:
           echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
           exit 0
         fi
+
         for target in ${paths}
         do
-          pushd "$(dirname "${target}")" || exit 1
-          7zz a -p'${{ inputs.encryptionSecret }}' -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
-          popd || exit 1
+          if compgen -G "${target}" > /dev/null
+          then
+            pushd "$(dirname "${target}")" || exit 1
+            7zz a -p'${{ inputs.encryptionSecret }}' -bso0 -bsp0 -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
+            popd || exit 1
+          fi
         done
 
     - name: Upload archive as artifact

.github/actions/e2e_benchmark/action.yml

@@ -49,7 +49,7 @@ runs:
         install kubestr /usr/local/bin
 
     - name: Checkout k8s-bench-suite
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
         repository: "edgelesssys/k8s-bench-suite"

.github/actions/e2e_mini/action.yml

@@ -11,6 +11,9 @@ inputs:
   azureTenantID:
     description: "Azure tenant to use for login with OIDC"
     required: true
+  azureIAMCredentials:
+    description: "Azure IAM credentials used for cleaning up resources"
+    required: true
   registry:
     description: "Container registry to use"
     required: true
@@ -38,9 +41,26 @@ runs:
 
     - name: MiniConstellation E2E
       shell: bash
+      id: e2e-test
       env:
         ARM_CLIENT_ID: ${{ inputs.azureClientID }}
         ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
         ARM_TENANT_ID: ${{ inputs.azureTenantID }}
       run: |
         bazel run --test_timeout=14400 //e2e/miniconstellation:push_remote_test
+
+    - name: Log in to azure
+      # only log in if e2e test failed or if the run was cancelled
+      if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureIAMCredentials }}
+
+    - name: Clean up after failure
+      shell: bash
+      # clean up if e2e test failed or if the run was cancelled
+      if: (failure() && steps.e2e-test.conclusion == 'failure') || cancelled()
+      run: |
+        rg_name=${{ steps.e2e-test.outputs.rgname }}
+        echo "[*] Deleting resource group $rg_name"
+        az group delete -y --resource-group "$rg_name"

.github/actions/find_latest_image/action.yml

@@ -26,13 +26,13 @@ runs:
   steps:
     - name: Checkout head
       if: inputs.imageVersion == '' && inputs.git-ref == 'head'
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
     - name: Checkout ref
       if: inputs.imageVersion == '' && inputs.git-ref != 'head'
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ inputs.git-ref }}
 

.github/actions/login_azure/action.yml

@@ -10,6 +10,6 @@ runs:
     # As described at:
     # https://github.com/Azure/login#configure-deployment-credentials
     - name: Login to Azure
-      uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
+      uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
       with:
         creds: ${{ inputs.azure_credentials }}

.github/actions/pick_assignee/action.yml

@@ -15,7 +15,6 @@ runs:
       run: |
         possibleAssignees=(
           "elchead"
-          "malt3"
           "3u13r"
           "daniel-weisse"
           "msanft"

.github/actions/publish_helmchart/action.yml

@@ -13,7 +13,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         repository: edgelesssys/helm
         ref: main

.github/teams_payload_template.json

@@ -58,14 +58,6 @@
                                 "id": "a9a34611-9a38-4c00-a8a2-f87d94c2bf7d",
                                 "name": "Otto Bittner"
                             }
-                        },
-                        {
-                            "type": "mention",
-                            "text": "<at>malt3</at>",
-                            "mentioned": {
-                                "id": "3012fe21-cff7-499d-88cf-48cf12f2e90c",
-                                "name": "Malte Poll"
-                            }
                         }
                     ]
                 },

.github/workflows/assign_reviewer.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.label.name == 'dependencies' && github.event.pull_request.user.login == 'app/renovate'
     steps:
-    - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
     - name: Pick assignee
       id: pick-assignee
       uses: ./.github/actions/pick_assignee

.github/workflows/aws-snp-launchmeasurement.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout repository
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ github.head_ref }}
         path: constellation
@@ -50,7 +50,7 @@ jobs:
         echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
         popd || exit 1
 
-    - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         repository: virtee/sev-snp-measure-go.git
         ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8

.github/workflows/build-binaries.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: [arc-runner-set]
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 

.github/workflows/build-ccm-gcp.yml

@@ -19,10 +19,10 @@ jobs:
       latest: ${{ steps.find-latest.outputs.latest }}
     steps:
       - name: Checkout Constellation
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: "kubernetes/cloud-provider-gcp"
           path: "cloud-provider-gcp"
@@ -65,10 +65,10 @@ jobs:
         version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
     steps:
       - name: Checkout Constellation
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: "kubernetes/cloud-provider-gcp"
           path: "cloud-provider-gcp"

.github/workflows/build-gcp-guest-agent.yml

@@ -69,15 +69,15 @@ jobs:
 
       - name: Checkout GoogleCloudPlatform/guest-agent
         if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: "GoogleCloudPlatform/guest-agent"
           ref: refs/tags/${{ steps.latest-release.outputs.latest }}
           path: "guest-agent"
 
       - name: Checkout Constellation
         if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           path: "constellation"
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

.github/workflows/build-libvirt-container.yml

@@ -19,7 +19,7 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Setup bazel
         uses: ./.github/actions/setup_bazel_nix

.github/workflows/build-logcollector-images.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
       - name: Check out repository
         id: checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 

.github/workflows/build-os-image-scheduled.yml

@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ github.head_ref }}
 
@@ -121,7 +121,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ github.head_ref }}
 

.github/workflows/build-os-image.yml

@@ -59,7 +59,7 @@ jobs:
       cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
@@ -138,7 +138,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 

.github/workflows/build-versionsapi-ci-image.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
       - name: Check out repository
         id: checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 

.github/workflows/check-links.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 

.github/workflows/codeql.yml

@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Setup Go environment
         if: matrix.language == 'go'
@@ -44,7 +44,7 @@ jobs:
           cache: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
+        uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           languages: ${{ matrix.language }}
 
@@ -63,6 +63,6 @@ jobs:
           echo "::endgroup::"
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
+        uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/docs-vale.yml

@@ -16,12 +16,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Vale
-        uses: errata-ai/vale-action@38bf078c328061f59879b347ca344a718a736018 # tag=reviewdog
+        uses: errata-ai/vale-action@91ac403e8d26f5aa1b3feaa86ca63065936a85b6 # tag=reviewdog
         with:
           files: docs/docs
           fail_on_error: true