Skip to content

Sync upstream (dfe41808) — needs conflict resolution#45

Open
cloud-api-adaptor-upstream-sync[bot] wants to merge 78 commits into
vijay/sync-cohere-testfrom
sync/upstream-2026-06-17-dfe41808
Open

Sync upstream (dfe41808) — needs conflict resolution#45
cloud-api-adaptor-upstream-sync[bot] wants to merge 78 commits into
vijay/sync-cohere-testfrom
sync/upstream-2026-06-17-dfe41808

Conversation

@cloud-api-adaptor-upstream-sync

@cloud-api-adaptor-upstream-sync cloud-api-adaptor-upstream-sync Bot commented Jun 17, 2026

Copy link
Copy Markdown

Upstream sync — manual merge needed

Upstream has new commits to merge into vijay/sync-cohere-test, but there are conflicts.

Upstream HEAD: dfe41808

How to resolve

The sync branch already contains the upstream commits (it points at
origin/main). To make it mergeable into vijay/sync-cohere-test,
merge cohere into the sync branch and resolve conflicts there:

git fetch origin
git checkout sync/upstream-2026-06-17-dfe41808
git merge origin/vijay/sync-cohere-test
# Git will show conflicts — resolve them in your IDE, then:
git add -A && git commit
git push origin sync/upstream-2026-06-17-dfe41808

Your IDE will show the native merge conflict UI with accept-theirs /
accept-ours / accept-both options for each conflict. Once the push
succeeds, the PR will become mergeable.

Review checklist

  • Resolve all conflicts
  • Verify CI passes
  • Check if any upstream changes obsolete our patches

Note

High Risk
Large CI and provider removals (docker, Azure e2e/podvm pipelines, CSI) plus PodVM path changes can break forks or custom workflows that still depend on those paths; release and e2e coverage shifts materially.

Overview
This PR brings in a large upstream alignment focused on simplifying how PodVM images are built and which providers and CI paths the project maintains.

PodVM build path is unified under src/cloud-api-adaptor/podvm (replacing podvm-mkosi in docs, smoketests, and workflows). Mkosi workflows now run make podvm-binaries in podvm/, and the Fedora mkosi workflow no longer builds or publishes a separate docker-provider OCI image from that job.

Removed or retired surface area includes the docker cloud provider (code, Helm provider, e2e workflow, and dev BUILTIN_CLOUD_PROVIDERS entry), CSI wrapper (README, release tags, publish/release workflows, and the build.yaml csi-wrapper job), Packer-based AWS podvm image tooling and root packer-check / lint packer job, and Azure-specific callable workflows for podvm image build, release, and e2e. Legacy podvm_builder / podvm_binaries / podvm packer-style publish jobs are dropped from e2e_run_all and podvm_publish in favor of mkosi-only publishing.

CI and tooling get broad GitHub Actions bumps (actions/checkout v6.0.3, docker buildx/login, CodeQL, zizmor, stale, build-push-action), clearer job names and permission comments, concurrency on several workflows, and removal of docker e2e from PR label triggers. Release/docs drop docker provider Helm pinning and csi-wrapper from the release process; CITATION.cff moves to 0.21.1. Minor fixes include govulncheck skipping modules with no Go packages, CAA release image adding ca-certificates, and golang base image bump in the Dockerfile.

Reviewed by Cursor Bugbot for commit dfe4180. Bugbot is set up for automated code reviews on this repo. Configure here.

Amulyam24 and others added 30 commits May 22, 2026 14:06
Move the cluster provisioning to BYOM to remove the dependency on
the deprecated Docker provider.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
This commit adds extensive unit test coverage for the libvirt cloud provider,
while preserving all existing tests from the main branch.

New unit tests added (using mocks):
- TestGetGuestForArchType (6 subtests)
- TestLookupMachine (5 subtests)
- TestGetCanonicalMachineName (7 subtests)
- TestCreateCloudInitISO (3 subtests)
- TestGetLaunchSecurityTypeInvalidURI
- TestCreateDomainXMLs390xWithMocks (mock-based unit test)
- TestCreateDomainXMLaarch64WithMocks (mock-based unit test)
- TestCreateDomainXMLx86_64 (3 subtests)
- TestCreateDomainXML (3 subtests)
- TestVerifyDomainXMLIOMMU (4 subtests)

- Combined TestCreateDomainXMLs390x and TestCreateDomainXMLaarch64 into TestCreateDomainXMLArchitectures
- Combined TestCreateDomainXMLs390xWithMocks and TestCreateDomainXMLaarch64WithMocks into TestCreateDomainXMLArchitecturesWithMocks
- Improves code maintainability and reduces duplication

Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com>
Assisted-by: IBM Bob <noreply@ibm.com>
- Refactor TestCloudInit to use verifyISOContents helper and tabular format
- Combined TestCreateCloudInitWithEmptyData, TestCreateCloudInitWithLargeData, TestCreateCloudInitWithSpecialCharacters, and TestCreateCloudInitVerifyVendorData into TestCreateCloudInitVariations
- Add TestCreateCloudInitErrorHandling for boundary condition testing
- All tests now use verifyISOContents helper for consistent ISO validation
- Improves code maintainability and reduces duplication

Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com>
Assisted-by: IBM Bob <noreply@ibm.com>
- Add tests for Manager.ParseCmd() flag registration
- Add tests for Manager configuration with values
- Add tests for Manager.LoadEnv() and GetConfig()
- Add tests for Manager.NewProvider() with valid/invalid configs
- Add tests for default constants validation
- Add tests for launch security, firmware, and data directory configuration
- Covers all Manager initialization and configuration scenarios

Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com>
Assisted-by: IBM Bob <noreply@ibm.com>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.29 to 1.7.32.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.7.29...v1.7.32)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-version: 1.7.32
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Now that agent-ctl tags based on sha, we can switch to use the main
kata-containers version, rather than having a separate one.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bump components to match the kata 3.31.0 release

Assisted-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update to pick up the 3.31.0 release

Assisted-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Pin kata-deploy to the 3.31.0 version in prep of the 0.21.0 release

Assisted-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.3 to 0.5.6.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@b1d7e1f...5f14fd0)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bump the go module to remediate CVEs:
- GO-2026-5026
- GO-2026-4883

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bump the go module to remediate CVEs:
- GO-2026-5013
- GO-2026-5017
- GO-2026-5018
- GO-2026-5019
- GO-2026-5020

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update the helm charts with the latest image of CAA

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
But the appVersion to 0.21 to match the release and bump
the version in peer-pods, peerpod-ctrl and webhook

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
The `kubectl apply` of the cert-manager manifest occasionally fails
with an etcd timeout:

```
Error from server: error when creating ".../cert-manager.yaml":
etcdserver: request timed out.
```

The manifest creates a large batch of resources (6 CRDs, RBAC,
deployments, webhook configs) in a single apply, and individual
writes can occasionally exceed the API server's request timeout
under transient cluster load.

Wrap the apply in a retry loop (3 attempts, 10s backoff). `kubectl
apply` is idempotent, so retrying after a partial failure simply
creates the missing resources without disturbing the ones already
applied. On the observed failing run, everything except (likely)
the last webhook config got created, and the retry will fill in the gap.

For `kubectl wait`, the Endpoints object isn't created by the cert-manager
manifest directly. It's created by the kube-controller-manager's endpoints
controller after the Service is created and once matching pods exist.
Right after `kubectl apply` returns, there's a brief window where the
Service exists but its Endpoints object hasn't been populated yet.
The apply just finished, so `kubectl wait` raced ahead of the controller.

Assisted-by: IBM Bob
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
The podvm-ubuntu-mkosi job calls podvm_mkosi_ubuntu.yaml which requires
artifact-metadata: write permission for the actions/attest@v4.1.0 action
to write attestation metadata. Without this permission, the workflow fails
with "The nested job 'build-image' is requesting 'artifact-metadata: write',
but is only allowed 'artifact-metadata: none'."

This matches the permission already granted to the podvm-mkosi job on line 84.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Also added MKOSI_VERSION environment variable to image build steps in
both podvm_mkosi.yaml and podvm_mkosi_ubuntu.yaml workflows to ensure
the mkosi version from versions.yaml is explicitly passed to make
commands, maintaining consistency with the binaries build step.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
The image target was calling mkosi with '--image system' argument which
is not supported in mkosi v26, causing build failures with:
"mkosi: error: argument verb: invalid Verb value: 'system'"

This argument was a remnant from mkosi v22 that wasn't removed during
the v26 upgrade. The image-debug and image-sftp targets were already
correct, so this change aligns the image target with them.

Fixes the s390x production image builds.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
The cross-build script was failing on ARM64 native builds because it
compared ARCH=arm64 with uname -m=aarch64, which didn't match, causing
it to incorrectly attempt cross-compilation and fail with:
"E: Unable to locate package qemu-system-aarch64"

Added replacement pattern to handle this

Co-authored-by: Magnus Kulke <magnuskulke@microsoft.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
Implement IRSA support for the AWS provider to enable workload identity
authentication on EKS, eliminating the need for static credentials stored
in Kubernetes secrets.

NewEC2Client now supports three authentication methods:
1. Static credentials (AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY)
2. Shared AWS profile (AWS_PROFILE, currently, only non-containerized CAA binary execution is supported)
3. Default credential chain (for IRSA support)

The default credential chain automatically supports IRSA via AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN

Entrypoint validation updated to accept either:
- Both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (static credentials)
- AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN (IRSA)

Fixes: confidential-containers#3027
Signed-off-by: Snir Schreiber <ssheribe@redhat.com>
Assisted-by: Claude AI
Add unit tests to verify the two authentication paths in NewEC2Client:
1. Static credentials (AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY)
2. Default credential chain (IRSA, IMDS, environment variables, etc.)

Tests cover:
- Static credentials path with both access key and secret key
- Default credential chain path when no static credentials provided
- Partial credentials (only access key) falls through to default chain

Assisted-by: Claude AI
Signed-off-by: Snir Schreiber <ssheribe@redhat.com>
Added comprehensive guide for configuring IRSA with cloud-api-adaptor
and peerpod-ctrl on Amazon EKS. The guide covers:
- IAM trust policy configuration
- Kubernetes service account annotations
- Deployment configuration examples
- Troubleshooting steps

Assisted-by: Claude AI
Signed-off-by: Snir Schreiber <ssheribe@redhat.com>
It looks like when the arm "support" for podvm builds was added, it wasn't
updated to use the native arm runner, so update this, for simpler workflows

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
In case we want to support cross-compilation in future e.g. for local dev,
fix up the logic.

The cross-build script was using architecture names directly as QEMU
package names, but Debian/Ubuntu package names don't always match:
- x86_64 → qemu-system-x86 (not qemu-system-x86_64)
- aarch64 → qemu-system-arm (not qemu-system-aarch64)
- s390x → qemu-system-s390x (matches)

Added architecture-to-package mapping for Debian/Ubuntu systems to use
correct package names. Package names verified against Ubuntu 24.04.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Assisted-by: IBM Bob
As we are doing a 0.21.1 release, we should update the charts to match this version.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This reverts commit a1633eb.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This reverts commit 02bb592.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update the CITATION.cff for the 0.21.1 release

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
debian:trixie-slim ships without CA certificates. The dev build got
them transitively via openssh-client, but the release build only
installed iptables, causing Go TLS verification to fail against
ec2.<region>.amazonaws.com with x509: certificate signed by unknown
authority.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](actions/stale@b5d41d4...eb5cf3a)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
chathuryaadapa and others added 30 commits June 2, 2026 10:29
Implements comprehensive yet focused unit tests for the inMemoryImage
implementation in the libvirt provider.

Tests cover:
- Image creation from byte arrays (text, empty, binary data)
- Size calculation functionality
- String representation
- Import operations with success and error handling

Test coverage:
- TestInMemoryImage: Validates creation, size(), and string() methods
- TestInMemoryImageImport: Tests importImage with various scenarios

Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com>
Assisted-by: IBM Bob <noreply@ibm.com>
Remove all CI/CD workflows related to csi-wrapper component as part
of the csi-wrapper removal process. This includes:
- Dedicated csi_wrapper_images.yaml workflow
- csi-wrapper jobs from build.yaml
- csi-wrapper jobs from release.yaml
- csi-wrapper jobs from publish_images_on_push.yaml

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Assisted-By: IBM Bob
Remove all documentation references to the csi-wrapper component:
- Remove CSI Wrapper section from main README
- Remove CSI wrapper architecture documentation
- Remove csi-wrapper from release process documentation

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
Remove the csi-wrapper component entirely from the codebase.
This includes all source code, examples, CRDs, and related files.

The csi-wrapper provided CSI volume support for peer pods but is
no longer needed as part of the project simplification effort.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Assisted-By: IBM Bob
Update IBM Cloud import script to download mkosi-based podvm images
using oras instead of the packer-specific download-image.sh script.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-by: IBM Bob
Remove legacy packer-based podvm build workflows in favor of mkosi-based
builds. The following workflows are removed:
- podvm_builder.yaml
- podvm_binaries.yaml
- podvm.yaml

Also update e2e_run_all.yaml and podvm_publish.yaml to remove references
to the deleted workflows.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Assisted-by: IBM Bob
Remove the podvm targets from the Makefile as:
- We already have separate makefiles for the podvm
builds, so it's just adding indirection
- They are mostly outdated packer-based build targets

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Remove packer-based build system and consolidate on mkosi approach.
Restructure binaries build to avoid circular dependencies by:
- Moving Dockerfiles to podvm-mkosi directory
- Renaming Docker build target to podvm-binaries
- Including Makefile.inc to inherit binaries target
- Updating workflows to use new target name

This completes the migration from packer to mkosi for podvm image builds.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Assisted-by: IBM Bob
Remove packer-specific AWS image build directory. Users should use
mkosi-based builds and convert to AMI format as needed.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Assisted-by: IBM Bob
Remove download-image.sh script that was specific to packer-based
image downloads. mkosi images are oras artifacts and should be
downloaded using oras pull directly.

Also update consuming-prebuilt-podvm-images.md to remove packer
section and references to download-image.sh.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update documentation to reflect removal of packer-based builds
and replace packer build instructions with mkosi-based instructions

Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Azure is using mkosi image now, so update the old
log trace

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bumps the libvirt group with 2 updates in the /src/cloud-api-adaptor directory: [libvirt.org/go/libvirt](https://gitlab.com/libvirt/libvirt-go-module) and [libvirt.org/go/libvirtxml](https://gitlab.com/libvirt/libvirt-go-xml-module).
Bumps the libvirt group with 2 updates in the /src/cloud-providers directory: [libvirt.org/go/libvirt](https://gitlab.com/libvirt/libvirt-go-module) and [libvirt.org/go/libvirtxml](https://gitlab.com/libvirt/libvirt-go-xml-module).


Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0
- [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0)

Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0
- [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0)

Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0
- [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0)

Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0
- [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0)

Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0
- [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0)

Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0
- [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0)

Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0
- [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0)

Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0
- [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0)

---
updated-dependencies:
- dependency-name: libvirt.org/go/libvirt
  dependency-version: 1.12003.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: libvirt
- dependency-name: libvirt.org/go/libvirt
  dependency-version: 1.12003.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: libvirt
- dependency-name: libvirt.org/go/libvirtxml
  dependency-version: 1.12002.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: libvirt
- dependency-name: libvirt.org/go/libvirtxml
  dependency-version: 1.12002.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: libvirt
...

Signed-off-by: dependabot[bot] <support@github.com>
Set zizmor-action to have `advanced-security: false`, so it will not
upload results to Advanced Security, and will instead print them to
the console for job reporting. Also turn on zizmor github annotations to try and highlight any issues in code being actively updated.

Drive-by: bump runner to ubuntu-24.04 to stay more up-to-date

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
At least for amd64 and arm64 artifacts we should make sure that the
builds weren't done on self-hosted runners.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
Bump go version and dockerfiles to resolve CVEs:
- GO-2026-5037
- GO-2026-5038
- GO-2026-5039

Assisted-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
The workflows are dead code. azure e2e tests will have to be rebuilt
based on existing libvirt and aws ci machinery.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
…l-containers#3132)

* refactor: merge podvm mkosi tree

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Implements comprehensive yet focused unit tests for the libvirt provider
implementation with emphasis on maintainability and clarity.

Test coverage includes:
- Provider initialization with various configurations
- IP address handling (multiple, empty, nil)
- Instance creation with custom specs and launch security
- Instance deletion with error cases (empty ID)
- Configuration validation for all required fields
- Cloud config generation error handling

Tests covered:
- TestNewProvider: Provider creation with invalid URI
- TestGetIPs: IP address retrieval scenarios
- TestDeleteInstanceEmptyID: Empty instanceID validation
- TestCreateInstanceCloudConfigError: Cloud config error handling
- TestProviderConfigVerifier: Configuration validation
- TestTeardown: Provider cleanup

All tests are unit tests that run without requiring libvirt environment,
ensuring consistent test coverage across all environments.

Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com>
Assisted-by: IBM Bob <noreply@ibm.com>
Enable virtio-balloon for s390x by changing MemBalloon Model from "none" to "virtio" with IOMMU driver support. This matches the aarch64 implementation and brings s390x to feature parity with other architectures.

The virtio-balloon driver is architecture-independent and s390x's virtio-ccw transport supports all virtio devices. IOMMU is required for s390x virtio devices.

This enables dynamic memory reclamation from peer pod VMs, improving resource utilization on s390x hosts.

Assisted-by: IBM Bob <noreply@ibm.com>
Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
Implements transparent block volume support for confidential containers
running as Peer Pods. The CSI block driver writes volume metadata
(mountInfo.json) that the cloud-api-adaptor reads at pod creation time.
Volumes are attached as managed disks to the PodVM and detected inside
the guest by probing provider-specific device paths with a sysfs HCTL
fallback.

Signed-off-by: Mohammed Adnan <muhammedadnan50007@gmail.com>
Move inputs.podvm_image to PODVM_IMAGE environment variable to prevent code injection.
Also add quotes around PODVM_IMAGE variable to fix shellcheck SC2086.
Remove template expansion from line 188 to prevent code injection.

Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Move template expressions to environment variables to prevent code injection.

Changes:
- inputs.registry → REGISTRY (line 170)
- inputs.arch → ARCH (line 174)
- inputs.image_tag → IMAGE_TAG (lines 179, 180)

Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Fix template injection in three more workflows:
- azure-e2e-test.yml:159 - Move matrix.parameters.jitter to JITTER env var
- build.yaml:57 - Move matrix.type to BUILD_TYPE env var
- test-images.yaml:60 - Move matrix.targets to MATRIX_TARGET env var

These changes prevent code injection via template expansion by moving
untrusted inputs to environment variables instead of inline expansion.

Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Fix workflow security issues identified by zizmor scan:

1. Added job names to 7 workflows (Notices)
   - actionlint.yaml: run-actionlint job
   - build.yaml: webhook and cloud-provider jobs
   - e2e_on_pull.yaml: authorize job
   - e2e_run_all.yaml: libvirt_e2e_arch_prep job
   - podvm_smoketest.yaml: build and test jobs
   - test-images.yaml: list-dockerfiles job

2. Added concurrency limits to 4 workflows (Warnings)
   - podvm_mkosi.yaml
   - podvm_smoketest.yaml
   - scorecard.yaml
   - test-images.yaml

3. Added explanatory comments for permissions in 13 instances (Warnings)
   - daily-e2e-tests.yaml
   - e2e_on_pull.yaml
   - e2e_run_all.yaml (4 instances)
   - lib-codeql.yaml
   - lint.yaml
   - podvm_publish.yaml
   - publish_images_on_push.yaml (2 instances)
   - release.yaml (2 instances)
   - scorecard.yaml
   - test-images.yaml
   - webhook_image.yaml

4. Fixed secrets environment issue (Warning)
   - test-images.yaml: Added production environment for secret access

These changes improve workflow security and clarity without affecting
functionality.

Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Without an explicit <cpu> element, the guest CPU has no named model contract. host-model causes libvirt to resolve the best matching IBM Z model (e.g. gen17a on z17), ensuring live migration safety between hosts of the same generation, full feature support of the respective generation, and consistent behaviour with the x86_64 and aarch64 implementations.

Also adds CPU mode assertions to TestCreateDomainXMLArchitecturesWithMocks for s390x and aarch64.

Assisted-by: IBM Bob <noreply@ibm.com>
Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
… updates

Bumps the aws-sdk-go-v2 group with 6 updates in the /src/cloud-api-adaptor directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.41.7` | `1.41.12` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.17` | `1.32.23` |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.299.1` | `1.305.2` |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) | `1.83.0` | `1.84.5` |
| [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) | `1.53.10` | `1.54.3` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.100.1` | `1.103.2` |

Bumps the aws-sdk-go-v2 group with 3 updates in the /src/cloud-providers directory: [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2` from 1.41.7 to 1.41.12
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@v1.41.7...v1.41.12)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.17 to 1.32.23
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.23)

Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.299.1 to 1.305.2
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/ec2/v1.299.1...service/ec2/v1.305.2)

Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.83.0 to 1.84.5
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.83.0...service/eks/v1.84.5)

Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.53.10 to 1.54.3
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/ecs/v1.53.10...service/s3/v1.54.3)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.100.1 to 1.103.2
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.100.1...service/s3/v1.103.2)

Updates `github.com/aws/aws-sdk-go-v2` from 1.41.7 to 1.41.12
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@v1.41.7...v1.41.12)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.17 to 1.32.23
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.23)

Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.299.1 to 1.305.2
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/ec2/v1.299.1...service/ec2/v1.305.2)

Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.19.16 to 1.19.22
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@credentials/v1.19.16...credentials/v1.19.22)

Updates `github.com/aws/aws-sdk-go-v2/feature/ec2/imds` from 1.18.23 to 1.18.28
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.18.23...config/v1.18.28)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-version: 1.41.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.305.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/service/eks
  dependency-version: 1.84.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/service/iam
  dependency-version: 1.54.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.103.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-version: 1.41.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.305.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/credentials
  dependency-version: 1.19.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aws-sdk-go-v2
- dependency-name: github.com/aws/aws-sdk-go-v2/feature/ec2/imds
  dependency-version: 1.18.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aws-sdk-go-v2
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.36.0 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@7211b7c...8aad20d)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
The podvm_mkosi.yaml workflow's concurrency group didn't vary based
on inputs, causing builds with different architectures to cancel each
other when called from e2e_run_all.yaml.

Updated the concurrency group to include all inputs using toJSON(),
ensuring each unique combination of inputs gets its own concurrency
group.

Update podvm_mkosi_ubuntu.yaml to match for robustness

Generated-By: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.