From 1cb20432b2178d2656f9a4e8547dfb82545a093a Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 26 Jun 2026 13:38:19 +0300
Subject: [PATCH 1/7] Add VEX attestation infrastructure for module builds.
Enable cosign OpenVEX signing via base/vex image, giterminism secrets for registry and Vault, and CI build credentials.
Signed-off-by: Maksim Khimchenko
---
 .github/workflows/dev_build_precache.yml | 2 +-
 .github/workflows/dev_build_svace.yml | 4 +-
 .../dev_module_build-and-registration.yml | 2 +-
 .github/workflows/dev_module_build.yml | 4 +-
 .github/workflows/e2e-test-releases.yml | 4 +-
 .../release_module_build-and-registration.yml | 16 +-
 .../release_module_release-channels.yml | 8 +-
 .gitlab-ci.yml | 2 +
 .werf/defines/vex.tmpl | 143 ++++++++++++++++++
 werf-giterminism.yaml | 14 ++
 10 files changed, 186 insertions(+), 13 deletions(-)
 create mode 100644 .werf/defines/vex.tmpl
diff --git a/.github/workflows/dev_build_precache.yml b/.github/workflows/dev_build_precache.yml
index 6406ddbd5e..3049ebee5e 100644
--- a/.github/workflows/dev_build_precache.yml
+++ b/.github/workflows/dev_build_precache.yml
@@ -66,7 +66,7 @@ jobs:
 registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
 env:
 WERF_EXPERIMENTAL_IMPORT_BY_SOURCE_IMAGE_TAG: "true"
 with:
diff --git a/.github/workflows/dev_build_svace.yml b/.github/workflows/dev_build_svace.yml
index c31fef6c1a..5e0a4da61a 100644
--- a/.github/workflows/dev_build_svace.yml
+++ b/.github/workflows/dev_build_svace.yml
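Review bot: This call site is bumped to `build@v15` without the `registry_user`/`registry_password` inputs that the same commit adds to the other `build@v15` steps (dev_build_svace, dev_module_build, e2e-test-releases, release_module_build-and-registration); the same gap is in the dev_module_build-and-registration hunk and in all four release_module_release-channels hunks. The new `.werf/defines/vex.tmpl` mounts `REGISTRY_USER` and `REGISTRY_PASSWORD` as werf secrets unconditionally once a `known_vulnerabilities.vex` is present, so if the action maps those inputs to the corresponding environment variables (not visible here) and this workflow builds an image that carries a VEX file, the attestation step would presumably fail at the registry push. Adding `registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}` and `registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}` under `with:` here, and in the other five hunks, keeps the call sites consistent; if the inputs are intentionally omitted for precache builds, a one-line comment saying so would save the next reader the same question.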
@@ -111,11 +111,13 @@ jobs:
 registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ vars.DEV_MODULE_SOURCE}}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 svace_enabled: "true"
diff --git a/.github/workflows/dev_module_build-and-registration.yml b/.github/workflows/dev_module_build-and-registration.yml
index b251cedb82..bd78e812a2 100644
--- a/.github/workflows/dev_module_build-and-registration.yml
+++ b/.github/workflows/dev_module_build-and-registration.yml
@@ -112,7 +112,7 @@ jobs:
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 - if: ${{ github.event.inputs.enableBuild == 'true' }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ vars.DEV_MODULE_SOURCE}}
 module_name: ${{ vars.MODULE_NAME }}
diff --git a/.github/workflows/dev_module_build.yml b/.github/workflows/dev_module_build.yml
index 93088ddcc7..f3ee59e7c9 100644
--- a/.github/workflows/dev_module_build.yml
+++ b/.github/workflows/dev_module_build.yml
@@ -418,11 +418,13 @@ jobs:
 registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ vars.DEV_MODULE_SOURCE}}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 svace_enabled: ${{ inputs.svace_enabled || contains(github.event.pull_request.labels.*.name, 'analyze/svace') }}
diff --git a/.github/workflows/e2e-test-releases.yml b/.github/workflows/e2e-test-releases.yml
index 8404c029a7..e4ec3ff351 100644
--- a/.github/workflows/e2e-test-releases.yml
+++ b/.github/workflows/e2e-test-releases.yml
@@ -196,11 +196,13 @@ jobs:
 registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ vars.DEV_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ matrix.module_tag }}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{ secrets.SOURCE_REPO_GIT }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
diff --git a/.github/workflows/release_module_build-and-registration.yml b/.github/workflows/release_module_build-and-registration.yml
index 8a2937c51f..dfeb005353 100644
--- a/.github/workflows/release_module_build-and-registration.yml
+++ b/.github/workflows/release_module_build-and-registration.yml
@@ -81,11 +81,13 @@ jobs:
 registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.ref_name }}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
@@ -134,11 +136,13 @@ jobs:
 registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.ref_name }}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
@@ -188,11 +192,13 @@ jobs:
 registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.ref_name }}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
@@ -242,11 +248,13 @@ jobs:
 registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.ref_name }}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
diff --git a/.github/workflows/release_module_release-channels.yml b/.github/workflows/release_module_release-channels.yml
index f91ee80dea..fcbbd15080 100644
--- a/.github/workflows/release_module_release-channels.yml
+++ b/.github/workflows/release_module_release-channels.yml
@@ -205,7 +205,7 @@ jobs:
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 - if: ${{ inputs.enableBuild }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
@@ -271,7 +271,7 @@ jobs:
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 - if: ${{ inputs.enableBuild }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
@@ -330,7 +330,7 @@ jobs:
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 - if: ${{ inputs.enableBuild }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
@@ -393,7 +393,7 @@ jobs:
 registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
 - if: ${{ inputs.enableBuild }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
 with:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2ad3e5a2df..56b28affbb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -119,6 +119,8 @@ before_script:
 # Vars =================================================================================================================
 variables:
+ REGISTRY_USER: ${MODULES_DEV_REGISTRY_LOGIN}
+ REGISTRY_PASSWORD: ${MODULES_DEV_REGISTRY_PASSWORD}
 MODULES_MODULE_NAME: virtualization
 # DEV registry
diff --git a/.werf/defines/vex.tmpl b/.werf/defines/vex.tmpl
new file mode 100644
index 0000000000..f1571f99eb
--- /dev/null
+++ b/.werf/defines/vex.tmpl
@@ -0,0 +1,143 @@
+# put image with vex mitigations to registry.
+# Mitigations can be found in the known_vulnerabilities.vex file in the image directory
+# input parameters:
+# list of $ and image name.
+# list ($ "common/kubernetes")
+{{- define "vex mitigation" }}
+ {{- $context := index . 0 }}
+ {{- $imageName := index . 1 }}
+ {{- $knownVulnPath := "" }}
+ {{- $isVault := false }}
+ {{- if eq $imageName "dev" }}
+ {{- $knownVulnPath = "/deckhouse-controller/known_vulnerabilities.vex" }}
+ {{- else if eq $imageName "dev/install" }}
+ {{- $knownVulnPath = "/dhctl/known_vulnerabilities.vex" }}
+ {{- else if eq $imageName "bundle" }}
+ {{- $knownVulnPath = "/known_vulnerabilities.vex" }}
+ {{- else if hasKey $context "ModulePriority" }}
+ {{- $knownVulnPath = (printf "/%smodules/%s-%s/images/%s/known_vulnerabilities.vex" $context.ModulePath $context.ModulePriority $context.ModuleName $context.ImageName) }}
+ {{- else }}
+ {{- $knownVulnPath = (printf "/images/%s/known_vulnerabilities.vex" $context.ImageName) }}
+ {{- end }}
+ {{- $vexFile := false }}
+ {{- if eq (len ($context.Files.Glob $knownVulnPath)) 1 }}
+ {{- $vexFile = true }}
+ {{- end }}
+ {{- $werfSignKey := env "WERF_SIGN_KEY" "" }}
+ {{- $vaultKey := env "VAULT_KEY" "" }}
+ {{- $actionsIdToken := env "ACTIONS_ID_TOKEN_REQUEST_TOKEN" "" }}
+ {{- if or (ne $werfSignKey "") (ne $vaultKey "") (ne $actionsIdToken "") }}
+ {{- $isVault = true }}
+ {{- end }}
+ {{- if $vexFile }}
+---
+image: {{ $imageName }}-vex-artifact
+fromImage: base/vex
+final: true
+secrets:
+- id: REGISTRY_USER
+ env: REGISTRY_USER
+- id: REGISTRY_PASSWORD
+ env: REGISTRY_PASSWORD
+{{- if eq $isVault true }}
+{{- if ne $werfSignKey "" }}
+- id: VAULT_ADDR
+ env: VAULT_ADDR
+- id: VAULT_KEY
+ env: WERF_SIGN_KEY
+- id: VAULT_ROLE
+ env: WERF_VAULT_AUTH_ROLE
+- id: VAULT_JWT
+ env: WERF_VAULT_AUTH_JWT
+- id: TRANSIT_SECRET_ENGINE_PATH
+ env: TRANSIT_SECRET_ENGINE_PATH
+{{- else }}
+- id: VAULT_ADDR
+ env: VAULT_ADDR
+- id: VAULT_KEY
+ 
env: VAULT_KEY
+- id: VAULT_ROLE
+ env: VAULT_ROLE
+- id: TRANSIT_SECRET_ENGINE_PATH
+ env: TRANSIT_SECRET_ENGINE_PATH
+{{- if eq $actionsIdToken "" }}
+- id: VAULT_JWT
+ env: VAULT_ID_TOKEN
+{{- end }}
+{{- end }}
+{{- if ne $actionsIdToken "" }}
+- id: ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ env: ACTIONS_ID_TOKEN_REQUEST_TOKEN
+- id: ACTIONS_ID_TOKEN_REQUEST_URL
+ env: ACTIONS_ID_TOKEN_REQUEST_URL
+{{- end }}
+{{- end }}
+git:
+- add: {{ $knownVulnPath }}
+ to: /known_vulnerabilities.vex
+ stageDependencies:
+ install:
+ - "**/*"
+dependencies:
+- image: {{ $imageName }}
+ before: install
+ imports:
+ - type: ImageDigest
+ targetEnv: IMAGE_DIGEST
+ - type: ImageRepo
+ targetEnv: IMAGE_REPO
+shell:
+ install:
+ - export REGISTRY_USER="$(cat /run/secrets/REGISTRY_USER)"
+ - export REGISTRY_PASSWORD="$(cat /run/secrets/REGISTRY_PASSWORD)"
+{{- if $isVault }}
+ - export VAULT_ADDR="$(cat /run/secrets/VAULT_ADDR)"
+ - export VAULT_ROLE="$(cat /run/secrets/VAULT_ROLE)"
+ - export TRANSIT_SECRET_ENGINE_PATH="$(cat /run/secrets/TRANSIT_SECRET_ENGINE_PATH)"
+ - VAULT_KEY=$(cat /run/secrets/VAULT_KEY)
+ - export VAULT_KEY="hashivault://${VAULT_KEY#hashivault://}"
+{{- if ne $actionsIdToken "" }}
+ - export ACTIONS_ID_TOKEN_REQUEST_TOKEN="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
+ - export ACTIONS_ID_TOKEN_REQUEST_URL="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)"
+ - export VAULT_AUTH_PATH="github"
+ - >
+ export VAULT_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
+ - >
+ if [ -n "${VAULT_JWT}" ]; then
+ echo "Received Actions token";
+ else
+ echo "Actions token empty";
+ fi
+{{- else }}
+ - export VAULT_AUTH_PATH="fox"
+ - export VAULT_JWT="$(cat /run/secrets/VAULT_JWT)"
+{{- end }}
+ - >
+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" -d '{"role":"'${VAULT_ROLE}'","jwt":"'${VAULT_JWT}'"}' | jq -r 
'.auth.client_token')"
+ - >
+ if [ -n "${VAULT_TOKEN}" ]; then
+ echo "Received Vault token";
+ else
+ echo "Vault token empty";
+ fi
+ - echo "Using predicate known_vulnerabilities.vex"
+{{- else }}
+ - |
+ echo -e "\033[33mWARNING!!! Cosign will sign attestation with self-generated key pair!\033[0m"
+ export COSIGN_PASSWORD=""
+ cosign generate-key-pair
+ export VAULT_KEY="cosign.key"
+{{- end }}
+ - |
+ cosign attest \
+ --replace \
+ --registry-username="${REGISTRY_USER}" \
+ --registry-password="${REGISTRY_PASSWORD}" \
+ --predicate /known_vulnerabilities.vex \
+ --type openvex \
+ --key ${VAULT_KEY} \
+ --tlog-upload=false \
+ -y -d \
+ "${IMAGE_REPO}@${IMAGE_DIGEST}"
+ {{- end }}
+{{- end }}
diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml
index ee82bc554f..7be1aea499 100644
--- a/werf-giterminism.yaml
+++ b/werf-giterminism.yaml
@@ -13,6 +13,9 @@ config:
 - SVACE_ANALYZE_HOST
 - SVACE_ANALYZE_SSH_USER
 - DEBUG_COMPONENT
+ - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ - VAULT_KEY
+ - WERF_SIGN_KEY
 stapel:
 mount:
 allowBuildDir: true
@@ -25,6 +28,17 @@ config:
 - GOPROXY
 - DISTRO_PACKAGES_PROXY
 helm:
+ allowEnvVariables:
+ - REGISTRY_USER
+ - REGISTRY_PASSWORD
+ - VAULT_ADDR
+ - WERF_SIGN_KEY
+ - WERF_VAULT_AUTH_ROLE
+ - WERF_VAULT_AUTH_JWT
+ - TRANSIT_SECRET_ENGINE_PATH
+ - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ - ACTIONS_ID_TOKEN_REQUEST_URL
+
 allowUncommittedFiles:
 - "Chart.lock"
 - "charts/*.tgz"
From 950c98f770f7416b2f2f4470a0cfa01eea4ccf5e Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 26 Jun 2026 15:40:55 +0300
Subject: [PATCH 2/7] Fix VEX build: correct vex include and/or REGISTRY credentials in CI.
Signed-off-by: Maksim Khimchenko
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 56b28affbb..6c8a81575a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
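Review bot: A failed Vault login is not fatal in this install step — `VAULT_TOKEN` is assigned from a command substitution inside `export`, so curl's `-f` failure status is discarded, and the `if` that follows only echoes "Vault token empty" before `cosign attest` runs with an unusable `hashivault://` key and fails later with a less direct error; the `VAULT_JWT` check in the Actions branch has the same shape. The login body is also built by string concatenation (`'{"role":"'${VAULT_ROLE}'","jwt":"'${VAULT_JWT}'"}'`), which breaks on any `"` or `\` in the role name and places the JWT on curl's command line where it is visible to process listings and to any command echo, and `jq -r .value <<< $(curl …)` word-splits the unquoted substitution; emitting the JSON with `jq` from stdin and sending it via `--data @-`, then exiting on an empty or `null` token, makes the step fail closed. Separately, the `{{- else }}` fallback generates a throw-away key pair with an empty `COSIGN_PASSWORD` and still pushes with `--replace`, so a build without Vault credentials can overwrite a properly signed OpenVEX attestation for the same digest with one no verifier can trust; consider exiting non-zero in that branch for non-development builds, or at least dropping `--replace` there. The whole `vex mitigation` define is inside this hunk.
```yaml
  - >
    export VAULT_TOKEN="$(printf '%s' "${VAULT_JWT}"
    | jq -cR --arg role "${VAULT_ROLE}" '{role: $role, jwt: .}'
    | curl -fsS -X POST "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" -H 'Content-Type: application/json' --data @-
    | jq -r '.auth.client_token')"
  - >
    if [ -z "${VAULT_TOKEN}" ] || [ "${VAULT_TOKEN}" = "null" ]; then
      echo "Vault login failed: no client token returned" >&2; exit 1;
    fi
  # … unchanged: echo "Using predicate known_vulnerabilities.vex", the {{- else }} fallback and the cosign attest step …
```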
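Review bot: The new secrets allow-list (`allowEnvVariables` added under `helm:` in the second werf-giterminism.yaml hunk) covers only the `WERF_SIGN_KEY` branch of `.werf/defines/vex.tmpl`; the template's `{{- else }}` branch declares build secrets with `env: VAULT_KEY`, `env: VAULT_ROLE` and `env: VAULT_ID_TOKEN`, none of which appear in this list. If this list is what werf's giterminism consults for `secrets[].env` (it looks that way from the neighbouring `- DECKHOUSE_PRIVATE_REPO` / `- GOPROXY` / `- DISTRO_PACKAGES_PROXY` entries, but the enclosing key is outside the hunk), the `fox` / `VAULT_KEY` signing path would be rejected at config load while the GitHub path passes, which is easy to miss until the first GitLab release build. Adding `- VAULT_KEY`, `- VAULT_ROLE` and `- VAULT_ID_TOKEN` to whichever list governs build secrets closes the gap; a short comment above the list naming the template that consumes it (`# secrets read by .werf/defines/vex.tmpl`) would keep the two files in step.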
@@ -139,6 +139,8 @@ variables:
 MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_PROD_REGISTRY_PASSWORD}
 MODULES_REGISTRY: registry-write.deckhouse.io
 MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/deckhouse/${EDITION}/modules
+ REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}
+ REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}
 ENV: PROD
 # Templates ============================================================================================================
From 68a982085f7e4949afdc889767d21f9f764ca2b5 Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 26 Jun 2026 15:44:18 +0300
Subject: [PATCH 3/7] Fix VEX build: add REGISTRY_USER/PASSWORD to CI build jobs.
Signed-off-by: Maksim Khimchenko
---
 .../release_module_build-and-registration.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/release_module_build-and-registration.yml b/.github/workflows/release_module_build-and-registration.yml
index dfeb005353..4478ebdcdc 100644
--- a/.github/workflows/release_module_build-and-registration.yml
+++ b/.github/workflows/release_module_build-and-registration.yml
@@ -86,8 +86,8 @@ jobs:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.ref_name }}
- registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
- registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+ registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
@@ -141,8 +141,8 @@ jobs:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.ref_name }}
- registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
- registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+ registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
@@ -197,8 +197,8 @@ jobs:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.ref_name }}
- registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
- registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+ registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
@@ -253,8 +253,8 @@ jobs:
 module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.ref_name }}
- registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
- registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+ registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
 source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
 source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
 secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
From ec8c6cb20864d35c54dbec1e1737bd3bc098ef0d Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 26 Jun 2026 16:11:51 +0300
Subject: [PATCH 4/7] Fix VEX build: set REGISTRY_USER/PASSWORD per dev and prod CI extends.
Signed-off-by: Maksim Khimchenko
---
 .gitlab-ci.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6c8a81575a..53aa2c439f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -119,8 +119,6 @@ before_script:
 # Vars =================================================================================================================
 variables:
- REGISTRY_USER: ${MODULES_DEV_REGISTRY_LOGIN}
- REGISTRY_PASSWORD: ${MODULES_DEV_REGISTRY_PASSWORD}
 MODULES_MODULE_NAME: virtualization
 # DEV registry
From d1dea0d2cdec23dcec295ebd00dfdd88c4737d46 Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 26 Jun 2026 16:14:53 +0300
Subject: [PATCH 5/7] Fix VEX build: set REGISTRY_USER/PASSWORD per dev and prod CI extends.
Signed-off-by: Maksim Khimchenko
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 53aa2c439f..1662e35a1f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -128,6 +128,8 @@ variables:
 MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_DEV_REGISTRY_PASSWORD}
 MODULES_REGISTRY: dev-registry.deckhouse.io
 MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/sys/deckhouse-oss/modules
+ REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}
+ REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}
 ENV: DEV
 # PROD registry
From d65e7a858c6f1fadf43930df0241b1d0e6de696c Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko <39365040+himax1991@users.noreply.github.com>
Date: Fri, 26 Jun 2026 17:13:08 +0300
Subject: [PATCH 6/7] fix werf-giterminism
Signed-off-by: Maksim Khimchenko <39365040+himax1991@users.noreply.github.com>
---
 werf-giterminism.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml
index 7be1aea499..6c71495f7a 100644
--- a/werf-giterminism.yaml
+++ b/werf-giterminism.yaml
@@ -13,9 +13,9 @@ config:
 - SVACE_ANALYZE_HOST
 - SVACE_ANALYZE_SSH_USER
 - DEBUG_COMPONENT
- - ACTIONS_ID_TOKEN_REQUEST_TOKEN
- - VAULT_KEY
- - WERF_SIGN_KEY
+ - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ - VAULT_KEY
+ - WERF_SIGN_KEY
 stapel:
 mount:
 allowBuildDir: true
From b86047187c9d71725099c6ce64f81b5fd5b3392c Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 26 Jun 2026 17:15:28 +0300
Subject: [PATCH 7/7] fix wef-giterminism section
Signed-off-by: Maksim Khimchenko
---
 werf-giterminism.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml
index 6c71495f7a..8f9e954dd2 100644
--- a/werf-giterminism.yaml
+++ b/werf-giterminism.yaml
@@ -1,7 +1,7 @@
 giterminismConfigVersion: 1
 config:
 goTemplateRendering: # The rules for the Go-template functions
- allowEnvVariables:
+ allowEnvVariables:
 - /CI_.+/
 - GOPROXY
 - MODULES_MODULE_TAG
@@ -27,7 +27,6 @@ config:
 - DECKHOUSE_PRIVATE_REPO
 - GOPROXY
 - DISTRO_PACKAGES_PROXY
-helm:
 allowEnvVariables:
 - REGISTRY_USER
 - REGISTRY_PASSWORD
@@ -38,7 +37,7 @@ helm:
 - TRANSIT_SECRET_ENGINE_PATH
 - ACTIONS_ID_TOKEN_REQUEST_TOKEN
 - ACTIONS_ID_TOKEN_REQUEST_URL
-
+helm:
 allowUncommittedFiles:
 - "Chart.lock"
 - "charts/*.tgz"
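Review bot: After `-helm:` is removed in the second hunk of werf-giterminism.yaml, the `allowEnvVariables:` key holding `REGISTRY_USER` … `ACTIONS_ID_TOKEN_REQUEST_URL` attaches to whatever mapping precedes it, and the context directly above (`- DECKHOUSE_PRIVATE_REPO`, `- GOPROXY`, `- DISTRO_PACKAGES_PROXY`) reads like the tail of an existing `allowEnvVariables` list in that same section; if both keys end up at the same indentation this is a duplicate mapping key, which most YAML loaders resolve silently by keeping the last value, so the three earlier names would drop out of the allow-list with no error. Indentation is not recoverable from this view, so please check the file: the safe form is one list, i.e. append `- REGISTRY_USER` and the entries that follow it to the existing list and delete the second `allowEnvVariables:` key. The whitespace-only `allowEnvVariables:` change in the first hunk, and the re-indent in patch 6, suggest the file's indentation has already drifted; running yamllint (its `key-duplicates` and `indentation` rules) on werf-giterminism.yaml in CI would catch both classes of mistake before werf reads the config.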