fix(security): isolate supervisor identity from sandbox children #1685
| name: Branch E2E Checks | |
| on: | |
| push: | |
| branches: | |
| - "pull-request/[0-9]+" | |
| workflow_dispatch: {} | |
| permissions: {} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| pr_metadata: | |
| name: Resolve PR metadata | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| outputs: | |
| should_run: ${{ steps.gate.outputs.should_run }} | |
| run_core_e2e: ${{ steps.labels.outputs.run_core_e2e }} | |
| run_gpu_e2e: ${{ steps.labels.outputs.run_gpu_e2e }} | |
| run_any_e2e: ${{ steps.labels.outputs.run_any_e2e }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - id: gate | |
| uses: ./.github/actions/pr-gate | |
| - id: labels | |
| if: steps.gate.outputs.should_run == 'true' | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| LABELS_JSON: ${{ steps.gate.outputs.labels_json }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| if [ "$EVENT_NAME" != "push" ]; then | |
| run_core_e2e=true | |
| run_gpu_e2e=true | |
| else | |
| run_core_e2e="$(jq -r 'index("test:e2e") != null' <<< "$LABELS_JSON")" | |
| run_gpu_e2e="$(jq -r 'index("test:e2e-gpu") != null' <<< "$LABELS_JSON")" | |
| fi | |
| if [ "$run_core_e2e" = "true" ] || [ "$run_gpu_e2e" = "true" ]; then | |
| run_any_e2e=true | |
| else | |
| run_any_e2e=false | |
| fi | |
| { | |
| echo "run_core_e2e=$run_core_e2e" | |
| echo "run_gpu_e2e=$run_gpu_e2e" | |
| echo "run_any_e2e=$run_any_e2e" | |
| } >> "$GITHUB_OUTPUT" | |
| build-gateway: | |
| needs: [pr_metadata] | |
| if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true' | |
| permissions: | |
| contents: read | |
| packages: write | |
| uses: ./.github/workflows/docker-build.yml | |
| with: | |
| component: gateway | |
| image-tag: ${{ github.sha }} | |
| build-supervisor: | |
| needs: [pr_metadata] | |
| if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_any_e2e == 'true' | |
| permissions: | |
| contents: read | |
| packages: write | |
| uses: ./.github/workflows/docker-build.yml | |
| with: | |
| component: supervisor | |
| image-tag: ${{ github.sha }} | |
| e2e: | |
| needs: [pr_metadata, build-gateway, build-supervisor] | |
| if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true' | |
| permissions: | |
| contents: read | |
| packages: read | |
| uses: ./.github/workflows/e2e-test.yml | |
| with: | |
| image-tag: ${{ github.sha }} | |
| runner: linux-arm64-cpu8 | |
| gpu-e2e: | |
| needs: [pr_metadata, build-supervisor] | |
| if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_gpu_e2e == 'true' | |
| permissions: | |
| contents: read | |
| packages: read | |
| uses: ./.github/workflows/e2e-gpu-test.yaml | |
| with: | |
| image-tag: ${{ github.sha }} | |
| kubernetes-e2e: | |
| needs: [pr_metadata, build-gateway, build-supervisor] | |
| if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true' | |
| permissions: | |
| contents: read | |
| packages: read | |
| uses: ./.github/workflows/e2e-kubernetes-test.yml | |
| with: | |
| image-tag: ${{ github.sha }} | |
| core-e2e-result: | |
| name: Core E2E result | |
| needs: [pr_metadata, build-gateway, build-supervisor, e2e, kubernetes-e2e] | |
| if: always() && needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Verify core E2E jobs | |
| env: | |
| BUILD_GATEWAY_RESULT: ${{ needs.build-gateway.result }} | |
| BUILD_SUPERVISOR_RESULT: ${{ needs.build-supervisor.result }} | |
| E2E_RESULT: ${{ needs.e2e.result }} | |
| KUBERNETES_E2E_RESULT: ${{ needs.kubernetes-e2e.result }} | |
| run: | | |
| set -euo pipefail | |
| failed=0 | |
| for item in \ | |
| "build-gateway:$BUILD_GATEWAY_RESULT" \ | |
| "build-supervisor:$BUILD_SUPERVISOR_RESULT" \ | |
| "e2e:$E2E_RESULT" \ | |
| "kubernetes-e2e:$KUBERNETES_E2E_RESULT"; do | |
| name="${item%%:*}" | |
| result="${item#*:}" | |
| if [ "$result" != "success" ]; then | |
| echo "::error::$name concluded $result" | |
| failed=1 | |
| fi | |
| done | |
| exit "$failed" | |
| gpu-e2e-result: | |
| name: GPU E2E result | |
| needs: [pr_metadata, build-supervisor, gpu-e2e] | |
| if: always() && needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_gpu_e2e == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Verify GPU E2E jobs | |
| env: | |
| BUILD_SUPERVISOR_RESULT: ${{ needs.build-supervisor.result }} | |
| GPU_E2E_RESULT: ${{ needs.gpu-e2e.result }} | |
| run: | | |
| set -euo pipefail | |
| failed=0 | |
| for item in \ | |
| "build-supervisor:$BUILD_SUPERVISOR_RESULT" \ | |
| "gpu-e2e:$GPU_E2E_RESULT"; do | |
| name="${item%%:*}" | |
| result="${item#*:}" | |
| if [ "$result" != "success" ]; then | |
| echo "::error::$name concluded $result" | |
| failed=1 | |
| fi | |
| done | |
| exit "$failed" |
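Review bot: The `packages: write` grant on `build-gateway` and `build-supervisor` is gated only by `pr_metadata`, whose gate (`./.github/actions/pr-gate`) and the called `./.github/workflows/docker-build.yml` are both resolved from the pushed `pull-request/[0-9]+` ref itself, so the label check cannot restrain whoever can push those refs from publishing an image under the repo's package namespace tagged with `github.sha`. That is acceptable if those refs are only ever written by a trusted mirror, but the workflow does not record that assumption anywhere; I would add above the first `packages: write` a comment such as `# pull-request/* refs must be writable only by trusted automation: pr-gate and docker-build.yml come from the same ref, so the label gate is a cost control, not a security boundary — confirm branch protection`. The top-level `permissions: {}` plus SHA-pinned `actions/checkout` are the right defaults and should stay. The `labels` step declares `shell: bash` while the two verify steps rely on the runner default; since all three set `set -euo pipefail` themselves this is only a consistency point, but making them uniform (either all `shell: bash` or none) avoids a reader wondering whether the difference is deliberate.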