diff --git a/.github/secrets.env.encrypted b/.github/secrets.env.encrypted
index 9599302c..ca72d213 100644
--- a/.github/secrets.env.encrypted
+++ b/.github/secrets.env.encrypted
@@ -1,6 +1,6 @@
 {
 "k": "ct",
- "c": "mBbKV0G4)-8UdG=fVK^Mgf0{+={6c)WxWPnZ(Cp1Iq=%3}nK4a)CGBx1bjZ=qv8EHV9gp30vQ`13OJxFK&vBuwpyEt$JE{*iks{9CMl@IGpcvQ8gA7RNsgU>j6~vXw+Ir0WKXxrDu|PrlDk@Z@tYC11HTq*7Ufq{V_GxAc=rh+gkkDsiM%LjPyK-fvut?5Fwf*i8>YcD-HELZe^)cc$8aXF;l#4*srYmmdO$ydq-KxbwECzD%{l$#IQh90%*!8$=`lK`!aea=QOICK(5JGRkL1<_eHdY9z1_J8<51L=N29rCD=uup}QKsFs2>$S)|D9?w4r;l>ovY*rGAxmlR14{QFjmRFQP!4d#Q6k6p=#uO(tNpb(^yl7XC+h4xCXFq(gy*@DmrEK>}gF7fQx{^)m{aV4gA&KH|wO)rikb|jF_K@5|f+NpJ*%)`>xuKl=uSaMF4p!PA;EzE4?hdtPnd+5Y4Dk|UC7@wAs%G|M~f`LP3K*__-N~wag5|>u|aHGqB{mnyWcVLsKU&RUA*PLl#znp61^`!uKxq8~0fpsZi%tn;yFzj>-vHH*Zndd0d(|vjSN7XFO6f$aN3~2jD)GOi}6EHaE^o(dM0T6=5c!rBY7_9zJzpt74(wmd&;*o}70+0^HUc9)3GP7-s0il063@(-@;mcA;%pp%{`q+J}@ZQ>Y7i|Que0zv2o~nuk#%2pe^E0UN;J&qv)igfU!(!JHBVN`&s8VknlfK+YI`d6Ex(qIR)))}{j{8ZssNpWrUUpL%CGhk)6bjn`YMP@j&!4b)o5EHb&x(EwT5Re@jO4IK&ZSSQ50Gn`=uvGmBQ_N|c=l+SXHc{Mwe^hT_DK)zCcCW;$(YGqnzo9>AZz%W3Dp9wW9mjKd*NrGw;>G4_yU_>0^X1Ol6KHcL#1|MY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+ "c": "mBbJL?+!rwxwAxZ%!lOJh*?v`12MmVh2UsWZsy;_Z6TcAO`L`R#wlSJ;DSnQDSncQ{t03|n10s~QX@}CLE2scXx1<=WEQB1dcf{&qzlcG38T17L!l}b6Aty-JTMdZz<|KAMOlUVDcv}UfKV8!D*Vf7tVSOxY*vs&1BB3riH4ZGt}%oE=ArN5O0W~Lc0~H&3XfVA^LIFg||-TYXCF;|BHVlV4p<^%d_erLmX;Y4DU*V^bFfp`RuS*%zUNys)XMHr7WU-(45iqqCMEzoIlik)wAu+TALCPcr?RK@5?pA2{~?VZ%{Ft~w=8V!70@qC~}9rlodaY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
 "ob": null,
 "bf": null,
 "hm": null,
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 75fd99f1..daeae5c3 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -26,7 +26,7 @@ jobs:
 - uses: ./.github/actions/setup-test
 - name: Decrypt secrets
- uses: cipherstash/protectgh@main
+ uses: cipherstash/secrets-action@main
 with:
 secrets-file: .github/secrets.env.encrypted
 env:
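Review bot: The new `uses: cipherstash/secrets-action@main` line in the benchmark.yml hunk keeps the decrypt step on a floating branch ref, so whatever is pushed to that branch later runs inside this job with the credentials the step is given; the `env:` block that supplies them continues past the end of the hunk, and judging by the deleted release-aws-marketplace.yml those are presumably the CS_VAULT_* client secrets. Because this is the one step that hands workflow secrets to code outside the repository, pin it to an immutable ref and record the version alongside it, e.g. `uses: cipherstash/secrets-action@<commit-sha>  # <tag>`, so an update is a reviewed diff rather than a silent change. The same `@main` line is introduced in the release.yml hunks at @@ -24 and @@ -106 and in the test.yml hunk at @@ -26 and should be pinned there as well.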
diff --git a/.github/workflows/release-aws-marketplace.yml b/.github/workflows/release-aws-marketplace.yml
deleted file mode 100644
index 5a24619e..00000000
--- a/.github/workflows/release-aws-marketplace.yml
+++ /dev/null
@@ -1,125 +0,0 @@ -# Builds and pushes the proxy docker image to the AWS Marketplace ECR -# -# here: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners -# -# -# ECR is a private registry that is not controlled by us -# Most of the existing Docker actions are not compatible with ECR, so some of this is quite manual -# -# Builds for different images are handled using tags, because I could not get other things workings. -# -# The tag formats are: -# - proxy-{os}-{arch}-{release-tag} -# - proxy-{os}-{arch}-build-{timestamp} -# -# ECR is immutable - so test builds need a timestamp or they fail with a conflicts - -name: "Proxy — Build & Push Proxy Docker Image for AWS Marketplace" - -on: - release: - types: - - published - push: - branches: - - main - paths: - - .github/workflows/release-aws-marketplace.yml - - workflow_dispatch: - - -env: - REGISTRY_IMAGE: cipherstash/cipherstash - AWS_REGION: us-east-1 - -jobs: - build: - name: Build binaries + Docker images - permissions: - contents: read - packages: write - id-token: write # This is required for requesting the JWT - strategy: - fail-fast: false - matrix: - build: - - { os: linux-arm64-public, arch: linux/arm64, tag: linux-arm64, cache-provider: github } - runs-on: ${{matrix.build.os}} - steps: - # print OIDC claim - - name: print oidc token claims - run: | - IDTOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" -H "Accept: application/json; api-version=2.0" -H "Content-Type: application/json" | jq -r '.value' ) - jwtd() { - if [[ -x $(command -v jq) ]]; then - jq -R 'split(".") | .[1] | @base64d | fromjson' <<< "${1}" > jwt_claims.json - cat jwt_claims.json | jq -r '.sub' - echo ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL}} - fi - } - jwtd $IDTOKEN - - - name: install-aws-cli - uses: unfor19/install-aws-cli-action@v1 - if: ${{ matrix.build.arch == 'linux/arm64' }} - with: - version: 2 # default - verbose: false # 
default - arch: arm64 # allowed values: amd64, arm64 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ vars.AWS_MARKETPLACE_IAM_ROLE }} - aws-region: us-east-1 - - - name: Log in to AWS Marketplace ECR - id: ecr-login - uses: aws-actions/amazon-ecr-login@v2 - with: - registries: ${{ vars.AWS_MARKETPLACE_ECR_ID }} - - - uses: actions/checkout@v4 - - - name: Decrypt secrets - uses: cipherstash/protectgh@main - with: - secrets-file: .github/secrets.env.encrypted - env: - CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }} - CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }} - CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }} - CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }} - - - uses: jdx/mise-action@v2 - with: - version: 2025.1.6 # [default: latest] mise version to install - install: true # [default: true] run `mise install` - cache: false # do not cache release builds - - - run: | - mise run build --platform ${{matrix.build.arch}} - - - uses: actions/upload-artifact@v4 - with: - name: cipherstash-proxy-${{matrix.build.tag}} - path: cipherstash-proxy - - - if: github.event_name != 'pull_request' - name: Release to AWS - env: - AWS_MARKETPLACE_ECR_REPOSITORY: ${{ vars.AWS_MARKETPLACE_ECR_REPOSITORY }} - BUILD_TAG: ${{ matrix.build.tag }} - RELEASE_TAG: ${{ github.event.release.tag_name }} - run: | - mise run release:aws-marketplace - - - name: Notify Multitudes - run: | - curl --request POST \ - --fail-with-body \ - --url "https://api.developer.multitudes.co/deployments" \ - --header "Content-Type: application/json" \ - --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \ - --data '{"commitSha": "${{ github.sha }}", "environmentName":"marketplace"}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ef7167ee..a07f2740 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -24,7 +24,7 @@ jobs: - uses: actions/checkout@v4 - name: Decrypt secrets - uses: cipherstash/protectgh@main + uses: cipherstash/secrets-action@main with: secrets-file: .github/secrets.env.encrypted env: @@ -106,7 +106,7 @@ jobs: - uses: actions/checkout@v4 - name: Decrypt secrets - uses: cipherstash/protectgh@main + uses: cipherstash/secrets-action@main with: secrets-file: .github/secrets.env.encrypted env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d90e4ac5..41bf4692 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -26,7 +26,7 @@ jobs: - uses: ./.github/actions/setup-test - name: Decrypt secrets - uses: cipherstash/protectgh@main + uses: cipherstash/secrets-action@main with: secrets-file: .github/secrets.env.encrypted env: diff --git a/mise.toml b/mise.toml index 898e1516..d154c3ac 100644 --- a/mise.toml +++ b/mise.toml @@ -683,28 +683,6 @@ docker tag cipherstash/proxy:latest cipherstash/proxy:latest docker push cipherstash/proxy:latest """ -[tasks."release:aws-marketplace"] -description = "Release a Docker image to AWS Marketplace for cipherstash-proxy" -run = """ -if [ -z "$AWS_MARKETPLACE_ECR_REPOSITORY" ]; then - echo "error: no AWS ECR repository provided" - echo "error: please set AWS_MARKETPLACE_ECR_REPOSITORY" - exit 2 -fi - -# If release tag is empty, generate a build timestamp -# Release tag is set when tagging as an actual version github release. -if [ -z "$RELEASE_TAG" ]; then - RELEASE_TAG=build-$(date +%s) -fi - -echo $AWS_MARKETPLACE_ECR_REPOSITORY:proxy-$BUILD_TAG-$RELEASE_TAG - -docker tag cipherstash/proxy:latest $AWS_MARKETPLACE_ECR_REPOSITORY:proxy-$BUILD_TAG-$RELEASE_TAG - -docker push $AWS_MARKETPLACE_ECR_REPOSITORY:proxy-$BUILD_TAG-$RELEASE_TAG -""" - # ====================================================================================================