Merge remote-tracking branch 'origin/main' into syw-UID2-4159-token-gen-code-refactoring-UserIdentity

Author: sunnywu

.github/actions/build_ami/action.yaml

@@ -59,7 +59,7 @@ runs:
       uses: actions/checkout@v4
 
     - name: Get EIF for Release ${{ inputs.operator_release }}
-      uses: IABTechLab/uid2-operator/.github/actions/download_release_artifact@main
+      uses: ./.github/actions/download_release_artifact
       if: ${{ inputs.operator_release != '' }}
       with:
         github_token: ${{ inputs.github_token }}

.github/actions/build_aws_eif/action.yaml

@@ -96,8 +96,9 @@ runs:
 
         cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt                                       ${ARTIFACTS_OUTPUT_DIR}/
         cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt                                       ${ARTIFACTS_OUTPUT_DIR}/
-        cp ./scripts/aws/start.sh                                                                                 ${ARTIFACTS_OUTPUT_DIR}/
-        cp ./scripts/aws/stop.sh                                                                                  ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/ec2.py                                                                                   ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/confidential_compute.py                                                                      ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/requirements.txt                                                                         ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/proxies.host.yaml                                                                        ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/sockd.conf                                                                               ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/uid2operator.service                                                                     ${ARTIFACTS_OUTPUT_DIR}/

.github/actions/build_eks_docker_image/action.yaml

@@ -47,7 +47,7 @@ runs:
         mkdir ${{ inputs.artifacts_output_dir }} -p
 
     - name: Get EIF for Release ${{ inputs.operator_release }}
-      uses: IABTechLab/uid2-operator/.github/actions/download_release_artifact@main
+      uses: ./.github/actions/download_release_artifact
       if: ${{ inputs.operator_release != '' }}
       with:
         github_token: ${{ inputs.github_token }}

.github/actions/install_az_cli/action.yaml

@@ -0,0 +1,36 @@
+name: 'Install Azure CLI'
+description: 'Install Azure CLI'
+runs:
+  using: 'composite'
+  steps:
+    - name: uninstall azure-cli
+      shell: bash
+      run: |
+        sudo apt-get remove -y azure-cli
+
+    - name: install azure-cli 2.61.0
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
+        sudo mkdir -p /etc/apt/keyrings
+        curl -sLS https://packages.microsoft.com/keys/microsoft.asc |
+          gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null
+        sudo chmod go+r /etc/apt/keyrings/microsoft.gpg
+        AZ_DIST=$(lsb_release -cs)
+        echo "Types: deb
+        URIs: https://packages.microsoft.com/repos/azure-cli/
+        Suites: ${AZ_DIST}
+        Components: main
+        Architectures: $(dpkg --print-architecture)
+        Signed-by: /etc/apt/keyrings/microsoft.gpg" | sudo tee /etc/apt/sources.list.d/azure-cli.sources
+        sudo apt-get update
+        sudo apt-get install azure-cli
+
+        apt-cache policy azure-cli
+        # Obtain the currently installed distribution
+        AZ_DIST=$(lsb_release -cs)
+        # Store an Azure CLI version of choice
+        AZ_VER=2.61.0
+        # Install a specific version
+        sudo apt-get install azure-cli=${AZ_VER}-1~${AZ_DIST} --allow-downgrades

.github/actions/update_operator_version/action.yaml

@@ -43,7 +43,7 @@ runs:
       uses: trstringer/manual-approval@v1
       with:
         secret: ${{ github.token }}
-        approvers: thomasm-ttd,atarassov-ttd,cody-constine-ttd
+        approvers: atarassov-ttd,vishalegbert-ttd,sunnywu,cody-constine-ttd
         minimum-approvals: 1
         issue-title: Creating Major version of UID2-Operator
 

.github/workflows/build-uid2-ami.yaml

@@ -42,7 +42,7 @@ jobs:
 
       - name: Build UID2 Operator AMI
         id: buildAMI
-        uses: IABTechLab/uid2-operator/.github/actions/build_ami@main
+        uses: ./.github/actions/build_ami
         with:
           identity_scope: uid2
           eif_repo_owner: ${{ env.REPO_OWNER }}
@@ -92,7 +92,7 @@ jobs:
 
         - name: Build EUID Operator AMI
           id: buildAMI
-          uses: IABTechLab/uid2-operator/.github/actions/build_ami@main
+          uses: ./.github/actions/build_ami
           with:
             identity_scope: euid
             eif_repo_owner: ${{ env.REPO_OWNER }}

.github/workflows/publish-all-operators.yaml

@@ -1,5 +1,5 @@
 name: Publish All Operators
-run-name: ${{ format('Publish All Operators - {0} Release', inputs.release_type) }}
+run-name: ${{ format('Publish All Operators - {0} Release', github.event.inputs.release_type || 'scheduled') }}
 on:
   workflow_dispatch:
     inputs:
@@ -18,6 +18,8 @@ on:
         - CRITICAL,HIGH
         - CRITICAL,HIGH,MEDIUM
         - CRITICAL (DO NOT use if JIRA ticket not raised)
+  schedule:
+    - cron: "0 0 * * *"
 
 jobs:
   start:
@@ -26,13 +28,25 @@ jobs:
     outputs:
         new_version: ${{ steps.version.outputs.new_version }}
         commit_sha: ${{ steps.commit-and-tag.outputs.commit_sha }}
+        release_type: ${{ steps.set-env.outputs.release_type }}
+        vulnerability_severity: ${{ steps.set-env.outputs.vulnerability_severity }}
+    env:
+        RELEASE_TYPE: ${{ inputs.release_type || (github.event_name == 'schedule' && 'patch') }}
+        VULNERABILITY_SEVERITY: ${{ inputs.vulnerability_severity || (github.event_name == 'schedule' && 'CRITICAL,HIGH') }}
     steps:
+      - name: Set Environment Variables
+        id: set-env
+        run: |
+          echo "release_type=${{ inputs.release_type || (github.event_name == 'schedule' && 'patch') }}" >> $GITHUB_ENV
+          echo "vulnerability_severity=${{ inputs.vulnerability_severity || (github.event_name == 'schedule' && 'CRITICAL,HIGH') }}" >> $GITHUB_ENV
+          echo "release_type=${RELEASE_TYPE}" >> $GITHUB_OUTPUT
+          echo "vulnerability_severity=${VULNERABILITY_SEVERITY}" >> $GITHUB_OUTPUT
       - name: Approve Major release
-        if: inputs.release_type == 'Major'
+        if: env.RELEASE_TYPE == 'Major'
         uses: trstringer/manual-approval@v1
         with:
           secret: ${{ github.token }}
-          approvers: thomasm-ttd,atarassov-ttd,cody-constine-ttd
+          approvers: atarassov-ttd,vishalegbert-ttd,sunnywu,cody-constine-ttd
           minimum-approvals: 1
           issue-title: Creating Major version of UID2-Operator
 
@@ -64,7 +78,7 @@ jobs:
         id: version
         uses: IABTechLab/uid2-shared-actions/actions/version_number@v2
         with:
-          type: ${{ inputs.release_type }}
+          type: ${{ env.RELEASE_TYPE }}
           branch_name: ${{ github.ref }}
 
       - name: Update pom.xml
@@ -79,47 +93,47 @@ jobs:
         uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3
         with:
           add: 'pom.xml version.json'
-          message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}'
+          message: 'Released ${{ env.RELEASE_TYPE }} version: ${{ steps.version.outputs.new_version }}'
           tag: v${{ steps.version.outputs.new_version }} 
 
   buildPublic:
     name: Public Operator
     needs: start
     uses: ./.github/workflows/publish-public-operator-docker-image.yaml
     with:
-      release_type: ${{ inputs.release_type }}
+      release_type: ${{ needs.start.outputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
-      vulnerability_severity: ${{ inputs.vulnerability_severity }}
+      vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }}
     secrets: inherit
 
   buildGCP:
     name: GCP Private Operator
     needs: start
     uses: ./.github/workflows/publish-gcp-oidc-enclave-docker.yaml
     with:
-      release_type: ${{ inputs.release_type }}
+      release_type: ${{ needs.start.outputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
       commit_sha: ${{ needs.start.outputs.commit_sha }}
-      vulnerability_severity: ${{ inputs.vulnerability_severity }}
+      vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }}
     secrets: inherit
 
   buildAzure:
     name: Azure Private Operator
     needs: start
     uses: ./.github/workflows/publish-azure-cc-enclave-docker.yaml
     with:
-      release_type: ${{ inputs.release_type }}
+      release_type: ${{ needs.start.outputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
       commit_sha: ${{ needs.start.outputs.commit_sha }}
-      vulnerability_severity: ${{ inputs.vulnerability_severity }}
+      vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }}
     secrets: inherit
 
   buildAWS:
     name: AWS Private Operator EIF
     needs: start
     uses: ./.github/workflows/publish-aws-nitro-eif.yaml
     with:
-      release_type: ${{ inputs.release_type }}
+      release_type: ${{ needs.start.outputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
       commit_sha: ${{ needs.start.outputs.commit_sha }}
     secrets: inherit
@@ -132,18 +146,11 @@ jobs:
       operator_run_number: ${{ github.run_id }}
     secrets: inherit
 
-  buildEKS:
-    name: Build AWS EKS Docker
-    needs: [start, buildAWS]
-    uses: ./.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml
-    with:
-      operator_run_number: ${{ github.run_id }}
-    secrets: inherit
-
   createRelease:
     name: Create Release
     runs-on: ubuntu-latest
-    needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI, buildEKS]
+    if: github.event_name == 'workflow_dispatch'
+    needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI]
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -162,12 +169,18 @@ jobs:
           pattern: gcp-oidc-enclave-ids-*
           path: ./manifests/gcp_oidc_operator
 
-      - name: Download Azure manifest
+      - name: Download Azure CC manifest
         uses: actions/download-artifact@v4
         with:
           pattern: azure-cc-enclave-id-*
           path: ./manifests/azure_cc_operator
 
+      - name: Download Azure AKS manifest
+        uses: actions/download-artifact@v4
+        with:
+          pattern: azure-aks-enclave-id-*
+          path: ./manifests/azure_aks_operator
+
       - name: Download EIF manifest
         uses: actions/download-artifact@v4
         with:
@@ -180,12 +193,6 @@ jobs:
           pattern: 'aws-ami-ids-*'
           path: ./manifests/aws_ami
 
-      - name: Download AWS EKS manifest
-        uses: actions/download-artifact@v4
-        with:
-          pattern: 'aws-eks-enclave-ids-*'
-          path: ./manifests/aws_eks
-
       - name: Download Deployment Files
         uses: actions/download-artifact@v4
         with:
@@ -216,6 +223,7 @@ jobs:
           (cd ./deployment/aws-euid-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../aws-euid-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/aws-uid2-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../aws-uid2-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/azure-cc-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../azure-cc-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
+          (cd ./deployment/azure-aks-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../azure-aks-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd manifests && zip -r ../uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip .)
 
@@ -229,5 +237,19 @@ jobs:
               ./aws-euid-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./aws-uid2-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./azure-cc-deployment-files-${{ needs.start.outputs.new_version }}.zip
+              ./azure-aks-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip
+  notifyFailure:
+      name: Notify Slack on Failure
+      runs-on: ubuntu-latest
+      if: failure() && github.ref == 'refs/heads/main'
+      needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI]
+      steps:
+        - name: Send Slack Alert
+          env:
+            SLACK_COLOR: danger
+            SLACK_MESSAGE: ':x: Operator Pipeline failed'
+            SLACK_TITLE: Pipeline Failed in ${{ github.workflow }}
+            SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          uses: rtCamp/action-slack-notify@v2

.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml

@@ -1,4 +1,4 @@
-name: Publish EKS Operator Docker Images
+name: Publish EKS Enclave Operator Docker Images
 run-name: >-
   ${{ inputs.operator_release == '' && format('Publish EKS Operator Docker Images for Operator Run Number: {0}', inputs.operator_run_number) || format('Publish EKS Operator Docker Images for Operator Release: {0}', inputs.operator_release)}}
 on:
@@ -36,9 +36,12 @@ jobs:
       security-events: write
       packages: write
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Build Docker Image for EKS Pod
         id: build_docker_image_uid
-        uses: IABTechLab/uid2-operator/.github/actions/build_eks_docker_image@main
+        uses: ./.github/actions/build_eks_docker_image
         with:
           identity_scope: uid2
           artifacts_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2
@@ -61,9 +64,12 @@ jobs:
       security-events: write
       packages: write
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Build Docker Image for EKS Pod
         id: build_docker_image_euid
-        uses: IABTechLab/uid2-operator/.github/actions/build_eks_docker_image@main
+        uses: ./.github/actions/build_eks_docker_image
         with:
           identity_scope: euid
           artifacts_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid

.github/workflows/publish-aws-nitro-eif.yaml

@@ -48,9 +48,12 @@ jobs:
         env: 
           GITHUB_CONTEXT: ${{ toJson(github) }}
 
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Update Operator Version
         id: update_version
-        uses: IABTechLab/uid2-operator/.github/actions/update_operator_version@main
+        uses: ./.github/actions/update_operator_version
         with:
           release_type: ${{ inputs.release_type }}
           version_number_input: ${{ inputs.version_number_input }}
@@ -68,9 +71,12 @@ jobs:
     runs-on: ubuntu-latest
     needs: start
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Build UID2 AWS EIF
         id: build_uid2_eif
-        uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@main
+        uses: ./.github/actions/build_aws_eif
         with:
           identity_scope: uid2
           artifacts_base_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2
@@ -104,9 +110,12 @@ jobs:
     runs-on: ubuntu-latest
     needs: start
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Build EUID AWS EIF
         id: build_euid_eif
-        uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@main
+        uses: ./.github/actions/build_aws_eif
         with:
           identity_scope: euid
           artifacts_base_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid