chore(ci): kresify gh actions

Kresify, only handle gh workflows.

Signed-off-by: Noel Georgi <git@frezbo.dev>

.conform.yaml

@@ -1,3 +1,7 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-02T14:45:40Z by kres fcfe226-dirty.
+
 policies:
   - type: commit
     spec:
@@ -34,15 +38,18 @@ policies:
           - talosctl
           - kernel
           - security
+          - ci
           - ^v1.8
   - type: license
     spec:
       skipPaths:
         - .git/
+        - testdata/
       includeSuffixes:
         - .go
       excludeSuffixes:
         - .pb.go
+        - .pb.gw.go
         - _string.go
         - _enumer.go
         - _string_linux.go

.github/workflows/integration-aws-cron.yaml

@@ -0,0 +1,70 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-aws-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 7 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - generic
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Mask secrets
+        run: |
+          echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')"
+      - name: Set secrets for job
+        run: |
+          sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: e2e-aws-prepare
+        env:
+          E2E_AWS_TARGET: default
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make e2e-aws-prepare
+      - name: checkout contrib
+        uses: actions/checkout@v4
+        with:
+          path: _out/contrib
+          ref: main
+          repository: siderolabs/contrib
+      - name: setup tf
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: "false"
+      - name: tf apply
+        env:
+          TF_E2E_ACTION: apply
+          TF_E2E_TEST_TYPE: aws
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf
+      - name: e2e-aws
+        run: |
+          make e2e-aws
+      - name: tf destroy
+        if: always()
+        env:
+          TF_E2E_ACTION: destroy
+          TF_E2E_TEST_TYPE: aws
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf

.github/workflows/integration-aws-nvidia-nonfree-cron.yaml

@@ -0,0 +1,97 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-21T13:52:48Z by kres 0290180.
+
+name: integration-aws-nvidia-nonfree-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 7 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - generic
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Mask secrets
+        run: |
+          echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')"
+      - name: Set secrets for job
+        run: |
+          sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: checkout extensions
+        uses: actions/checkout@v4
+        with:
+          path: _out/extensions
+          ref: main
+          repository: siderolabs/extensions
+      - name: set variables
+        run: |
+          cat _out/talos-metadata >> "$GITHUB_ENV"
+      - name: build extensions
+        env:
+          PLATFORM: linux/amd64
+          PUSH: "true"
+          REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make nvidia-container-toolkit nonfree-kmod-nvidia extensions-metadata -C _out/extensions
+      - name: e2e-aws-prepare
+        env:
+          E2E_AWS_TARGET: nvidia-nonfree
+          EXTENSIONS_METADATA_FILE: _out/extensions/_out/extensions-metadata
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make e2e-aws-prepare
+      - name: checkout contrib
+        uses: actions/checkout@v4
+        with:
+          path: _out/contrib
+          ref: main
+          repository: siderolabs/contrib
+      - name: setup tf
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: "false"
+      - name: tf apply
+        env:
+          TF_E2E_ACTION: apply
+          TF_E2E_TEST_TYPE: aws
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf
+      - name: e2e-aws-nvidia-nonfree
+        env:
+          EXTRA_TEST_ARGS: -talos.extensions.nvidia
+          TEST_NUM_NODES: "4"
+        run: |
+          make e2e-aws
+      - name: tf destroy
+        if: always()
+        env:
+          TF_E2E_ACTION: destroy
+          TF_E2E_TEST_TYPE: aws
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf

.github/workflows/integration-aws-nvidia-oss-cron.yaml

@@ -0,0 +1,97 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-21T13:52:48Z by kres 0290180.
+
+name: integration-aws-nvidia-oss-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 7 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - generic
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Mask secrets
+        run: |
+          echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')"
+      - name: Set secrets for job
+        run: |
+          sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: checkout extensions
+        uses: actions/checkout@v4
+        with:
+          path: _out/extensions
+          ref: main
+          repository: siderolabs/extensions
+      - name: set variables
+        run: |
+          cat _out/talos-metadata >> "$GITHUB_ENV"
+      - name: build extensions
+        env:
+          PLATFORM: linux/amd64
+          PUSH: "true"
+          REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make nvidia-container-toolkit nvidia-open-gpu-kernel-modules extensions-metadata -C _out/extensions
+      - name: e2e-aws-prepare
+        env:
+          E2E_AWS_TARGET: nvidia-oss
+          EXTENSIONS_METADATA_FILE: _out/extensions/_out/extensions-metadata
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make e2e-aws-prepare
+      - name: checkout contrib
+        uses: actions/checkout@v4
+        with:
+          path: _out/contrib
+          ref: main
+          repository: siderolabs/contrib
+      - name: setup tf
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: "false"
+      - name: tf apply
+        env:
+          TF_E2E_ACTION: apply
+          TF_E2E_TEST_TYPE: aws
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf
+      - name: e2e-aws-nvidia-oss
+        env:
+          EXTRA_TEST_ARGS: -talos.extensions.nvidia
+          TEST_NUM_NODES: "4"
+        run: |
+          make e2e-aws
+      - name: tf destroy
+        if: always()
+        env:
+          TF_E2E_ACTION: destroy
+          TF_E2E_TEST_TYPE: aws
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf

.github/workflows/integration-azure-cron.yaml

@@ -0,0 +1,77 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-azure-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 7 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - generic
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Mask secrets
+        run: |
+          echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')"
+      - name: Set secrets for job
+        run: |
+          sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: e2e-azure-prepare
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make e2e-azure-prepare
+      - name: checkout contrib
+        uses: actions/checkout@v4
+        with:
+          path: _out/contrib
+          ref: main
+          repository: siderolabs/contrib
+      - name: setup tf
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: "false"
+      - name: tf apply
+        env:
+          ARM_CLIENT_ID: ${{ env.AZURE_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ env.AZURE_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ env.AZURE_TENANT_ID }}
+          TF_E2E_ACTION: apply
+          TF_E2E_TEST_TYPE: azure
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf
+      - name: e2e-azure
+        run: |
+          make e2e-azure
+      - name: tf destroy
+        if: always()
+        env:
+          ARM_CLIENT_ID: ${{ env.AZURE_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ env.AZURE_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ env.AZURE_TENANT_ID }}
+          TF_E2E_ACTION: destroy
+          TF_E2E_TEST_TYPE: azure
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf

.github/workflows/integration-cilium-cron.yaml

@@ -0,0 +1,66 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-cilium-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 3 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: e2e-cilium
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          QEMU_WORKERS: "2"
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}]'
+          WITH_CUSTOM_CNI: cilium
+          WITH_FIREWALL: accept
+          WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: "yes"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-cilium-strict
+        env:
+          CILIUM_INSTALL_TYPE: strict
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          QEMU_WORKERS: "2"
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]'
+          WITH_CUSTOM_CNI: cilium
+          WITH_FIREWALL: accept
+          WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: "yes"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-cilium-strict-kubespan
+        env:
+          CILIUM_INSTALL_TYPE: strict
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          QEMU_WORKERS: "2"
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]'
+          WITH_CUSTOM_CNI: cilium
+          WITH_FIREWALL: accept
+          WITH_KUBESPAN: "true"
+          WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: "yes"
+        run: |
+          sudo -E make e2e-qemu

.github/workflows/integration-cloud-images-cron.yaml

@@ -0,0 +1,45 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-cloud-images-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 2 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - generic
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Mask secrets
+        run: |
+          echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')"
+      - name: Set secrets for job
+        run: |
+          sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: images
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          PLATFORM: linux/amd64,linux/arm64
+        run: |
+          make images
+      - name: cloud-images
+        run: |
+          make cloud-images

.github/workflows/integration-equinix-metal-cron.yaml

@@ -0,0 +1,69 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-equinix-metal-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 7 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - generic
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Mask secrets
+        run: |
+          echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')"
+      - name: Set secrets for job
+        run: |
+          sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: e2e-equinix-metal-prepare
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make e2e-equinix-metal-prepare
+      - name: checkout contrib
+        uses: actions/checkout@v4
+        with:
+          path: _out/contrib
+          ref: main
+          repository: siderolabs/contrib
+      - name: setup tf
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: "false"
+      - name: tf apply
+        env:
+          TF_E2E_ACTION: apply
+          TF_E2E_TEST_TYPE: equinix-metal
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf
+      - name: e2e-equinix-metal
+        run: |
+          make e2e-equinix-metal
+      - name: tf destroy
+        if: always()
+        env:
+          TF_E2E_ACTION: destroy
+          TF_E2E_TEST_TYPE: equinix-metal
+          TF_SCRIPT_DIR: _out/contrib
+        run: |
+          make e2e-cloud-tf

.github/workflows/integration-extensions-cron.yaml

@@ -0,0 +1,68 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-21T13:52:48Z by kres 0290180.
+
+name: integration-extensions-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 6 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: checkout extensions
+        uses: actions/checkout@v4
+        with:
+          path: _out/extensions
+          ref: main
+          repository: siderolabs/extensions
+      - name: set variables
+        run: |
+          cat _out/talos-metadata >> "$GITHUB_ENV"
+      - name: build extensions
+        env:
+          PLATFORM: linux/amd64
+          PUSH: "true"
+          REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make all extensions-metadata -C _out/extensions
+      - name: installer extensions
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make installer-with-extensions
+      - name: e2e-extensions
+        env:
+          EXTRA_TEST_ARGS: -talos.extensions.qemu
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          QEMU_EXTRA_DISKS: "3"
+          QEMU_MEMORY_WORKERS: "4096"
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_CONFIG_PATCH_WORKER: '@_out/extensions-patch.yaml'
+        run: |
+          sudo -E make e2e-qemu

.github/workflows/integration-image-factory-cron.yaml

@@ -0,0 +1,101 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-image-factory-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 6 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: factory-1.6-iso
+        env:
+          FACTORY_BOOT_METHOD: iso
+          FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
+          FACTORY_UPGRADE: "true"
+          FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f
+          FACTORY_UPGRADE_VERSION: v1.6.1
+          FACTORY_VERSION: v1.6.0
+          KUBERNETES_VERSION: 1.29.0
+        run: |
+          sudo -E make e2e-image-factory
+      - name: factory-1.6-image
+        env:
+          FACTORY_BOOT_METHOD: disk-image
+          FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
+          FACTORY_UPGRADE: "true"
+          FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f
+          FACTORY_UPGRADE_VERSION: v1.6.1
+          FACTORY_VERSION: v1.6.0
+          KUBERNETES_VERSION: 1.29.0
+        run: |
+          sudo -E make e2e-image-factory
+      - name: factory-1.6-pxe
+        env:
+          FACTORY_BOOT_METHOD: pxe
+          FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
+          FACTORY_VERSION: v1.6.1
+          KUBERNETES_VERSION: 1.29.0
+        run: |
+          sudo -E make e2e-image-factory
+      - name: factory-1.6-secureboot
+        env:
+          FACTORY_BOOT_METHOD: secureboot-iso
+          FACTORY_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f
+          FACTORY_UPGRADE: "true"
+          FACTORY_UPGRADE_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
+          FACTORY_UPGRADE_VERSION: v1.6.1
+          FACTORY_VERSION: v1.6.0
+          KUBERNETES_VERSION: 1.29.0
+        run: |
+          sudo -E make e2e-image-factory
+      - name: factory-1.5-iso
+        env:
+          FACTORY_BOOT_METHOD: iso
+          FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
+          FACTORY_UPGRADE: "true"
+          FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f
+          FACTORY_UPGRADE_VERSION: v1.5.5
+          FACTORY_VERSION: v1.5.5
+          KUBERNETES_VERSION: 1.28.5
+        run: |
+          sudo -E make e2e-image-factory
+      - name: factory-1.3-iso
+        env:
+          FACTORY_BOOT_METHOD: iso
+          FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
+          FACTORY_UPGRADE: "true"
+          FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f
+          FACTORY_UPGRADE_VERSION: v1.3.7
+          FACTORY_VERSION: v1.3.7
+          KUBERNETES_VERSION: 1.26.5
+        run: |
+          sudo -E make e2e-image-factory
+      - name: factory-1.3-image
+        env:
+          FACTORY_BOOT_METHOD: disk-image
+          FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
+          FACTORY_VERSION: v1.3.7
+          KUBERNETES_VERSION: 1.26.5
+        run: |
+          sudo -E make e2e-image-factory

.github/workflows/integration-images-cron.yaml

@@ -0,0 +1,36 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-images-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 3 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - generic
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: images
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          PLATFORM: linux/amd64,linux/arm64
+        run: |
+          make images

.github/workflows/integration-misc-cron.yaml

@@ -0,0 +1,114 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-misc-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 5 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: e2e-firewall
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_FIREWALL: block
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-network-chaos
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_NETWORK_CHAOS: "yes"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-canal-reset
+        env:
+          CUSTOM_CNI_URL: https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/canal.yaml
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          INTEGRATION_TEST_RUN: TestIntegration/api.ResetSuite/TestResetWithSpec
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-bios-cgroupsv1
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_CONFIG_PATCH: '[{"op": "add", "path": "/machine/install/extraKernelArgs/-", "value": "talos.unified_cgroup_hierarchy=0"}]'
+          WITH_UEFI: "false"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-disk-image
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          USE_DISK_IMAGE: "true"
+          VIA_MAINTENANCE_MODE: "true"
+          WITH_DISK_ENCRYPTION: "true"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-controlplane-port
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_CONTROL_PLANE_PORT: "443"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-no-cluster-discovery
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_CLUSTER_DISCOVERY: "false"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-kubespan
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io\
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_CLUSTER_DISCOVERY: "true"
+          WITH_KUBESPAN: "true"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-default-hostname
+        env:
+          DISABLE_DHCP_HOSTNAME: "true"
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          VIA_MAINTENANCE_MODE: "true"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-siderolink
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          VIA_MAINTENANCE_MODE: "true"
+          WITH_SIDEROLINK_AGENT: "true"
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-siderolink-tunnel
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          VIA_MAINTENANCE_MODE: "true"
+          WITH_SIDEROLINK_AGENT: tunnel
+        run: |
+          sudo -E make e2e-qemu

.github/workflows/integration-provision-0-cron.yaml

@@ -0,0 +1,45 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-21T13:52:48Z by kres 0290180.
+
+name: integration-provision-0-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 4 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: provision-tests-prepare
+        run: |
+          make provision-tests-prepare
+      - name: provision-tests-track-0
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          sudo -E make provision-tests-track-0

.github/workflows/integration-provision-1-cron.yaml

@@ -0,0 +1,45 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-21T13:52:48Z by kres 0290180.
+
+name: integration-provision-1-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 4 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: provision-tests-prepare
+        run: |
+          make provision-tests-prepare
+      - name: provision-tests-track-1
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          sudo -E make provision-tests-track-1

.github/workflows/integration-provision-2-cron.yaml

@@ -0,0 +1,45 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-21T13:52:48Z by kres 0290180.
+
+name: integration-provision-2-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 4 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: provision-tests-prepare
+        run: |
+          make provision-tests-prepare
+      - name: provision-tests-track-2
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          sudo -E make provision-tests-track-2

.github/workflows/integration-qemu-cron.yaml

@@ -0,0 +1,35 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-qemu-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 3 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: e2e-qemu
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          sudo -E make e2e-qemu

.github/workflows/integration-qemu-csi-cron.yaml

@@ -0,0 +1,42 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-qemu-csi-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 3 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: e2e-qemu-csi
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          QEMU_CPUS_WORKERS: "4"
+          QEMU_EXTRA_DISKS: "1"
+          QEMU_EXTRA_DISKS_SIZE: "12288"
+          QEMU_MEMORY_WORKERS: "5120"
+          QEMU_WORKERS: "3"
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_TEST: run_csi_tests
+        run: |
+          sudo -E make e2e-qemu

.github/workflows/integration-qemu-encrypted-vip-cron.yaml

@@ -0,0 +1,38 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-qemu-encrypted-vip-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 3 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: e2e-qemu
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          WITH_DISK_ENCRYPTION: "true"
+          WITH_KUBESPAN: "true"
+          WITH_VIRTUAL_IP: "true"
+        run: |
+          sudo -E make e2e-qemu

.github/workflows/integration-qemu-race-cron.yaml

@@ -0,0 +1,52 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-21T13:52:48Z by kres 0290180.
+
+name: integration-qemu-race-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 3 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: build-race
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          PLATFORM: linux/amd64
+          PUSH: "true"
+          TAG_SUFFIX: -race
+          WITH_RACE: "1"
+        run: |
+          make initramfs installer
+      - name: e2e-qemu-race
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          TAG_SUFFIX: -race
+        run: |
+          sudo -E make e2e-qemu

.github/workflows/integration-reproducibility-test-cron.yaml

@@ -0,0 +1,42 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-21T13:52:48Z by kres 0290180.
+
+name: integration-reproducibility-test-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 2 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: reproducibility-test
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make reproducibility-test

.github/workflows/integration-trusted-boot-cron.yaml

@@ -0,0 +1,38 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: integration-trusted-boot-cron
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 3 * * *
+jobs:
+  default:
+    runs-on:
+      - self-hosted
+      - talos
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: _out
+      - name: Fix artifact permissions
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: integration-trusted-boot
+        env:
+          EXTRA_TEST_ARGS: -talos.trustedboot
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          VIA_MAINTENANCE_MODE: "true"
+          WITH_TRUSTED_BOOT_ISO: "true"
+        run: |
+          sudo -E make e2e-qemu

.github/workflows/slack-notify.yaml

@@ -0,0 +1,112 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-16T11:03:04Z by kres 48517a9.
+
+name: slack-notify
+"on":
+  workflow_run:
+    workflows:
+      - default
+      - integration-qemu-cron
+      - integration-trusted-boot-cron
+      - integration-provision-0-cron
+      - integration-provision-1-cron
+      - integration-provision-2-cron
+      - integration-misc-cron
+      - integration-extensions-cron
+      - integration-cilium-cron
+      - integration-qemu-encrypted-vip-cron
+      - integration-qemu-race-cron
+      - integration-qemu-csi-cron
+      - integration-images-cron
+      - integration-reproducibility-test-cron
+      - integration-cloud-images-cron
+      - integration-image-factory-cron
+      - integration-aws-cron
+      - integration-aws-nvidia-oss-cron
+      - integration-aws-nvidia-nonfree-cron
+      - integration-azure-cron
+      - integration-equinix-metal-cron
+    types:
+      - completed
+jobs:
+  slack-notify:
+    runs-on:
+      - self-hosted
+      - generic
+    if: github.event.workflow_run.conclusion != 'skipped'
+    steps:
+      - name: Get PR number
+        id: get-pr-number
+        if: github.event.workflow_run.event == 'pull_request'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo pull_request_number=$(gh pr view -R ${{ github.repository }} ${{ github.event.workflow_run.head_repository.owner.login }}:${{ github.event.workflow_run.head_branch }} --json number --jq .number) >> $GITHUB_OUTPUT
+      - name: Slack Notify
+        uses: slackapi/slack-github-action@v1
+        with:
+          channel-id: proj-talos-maintainers
+          payload: |
+            {
+                "attachments": [
+                    {
+                        "color": "${{ github.event.workflow_run.conclusion == 'success' && '#2EB886' || github.event.workflow_run.conclusion == 'failure' && '#A30002' || '#FFCC00' }}",
+                        "fallback": "test",
+                        "blocks": [
+                            {
+                                "type": "section",
+                                "fields": [
+                                    {
+                                        "type": "mrkdwn",
+                                        "text": "${{ github.event.workflow_run.event == 'pull_request' && format('*Pull Request:* {0} (`{1}`)\n<{2}/pull/{3}|{4}>', github.repository, github.ref_name, github.event.repository.html_url, steps.get-pr-number.outputs.pull_request_number, github.event.workflow_run.display_title) || format('*Build:* {0} (`{1}`)\n<{2}/commit/{3}|{4}>', github.repository, github.ref_name, github.event.repository.html_url, github.sha, github.event.workflow_run.display_title) }}"
+                                    },
+                                    {
+                                        "type": "mrkdwn",
+                                        "text": "*Status:*\n`${{ github.event.workflow_run.conclusion }}`"
+                                    }
+                                ]
+                            },
+                            {
+                                "type": "section",
+                                "fields": [
+                                    {
+                                        "type": "mrkdwn",
+                                        "text": "*Author:*\n`${{ github.actor }}`"
+                                    },
+                                    {
+                                        "type": "mrkdwn",
+                                        "text": "*Event:*\n`${{ github.event.workflow_run.event }}`"
+                                    }
+                                ]
+                            },
+                            {
+                                "type": "divider"
+                            },
+                            {
+                                "type": "actions",
+                                "elements": [
+                                    {
+                                        "type": "button",
+                                        "text": {
+                                            "type": "plain_text",
+                                            "text": "Logs"
+                                        },
+                                        "url": "${{ github.event.workflow_run.html_url }}"
+                                    },
+                                    {
+                                        "type": "button",
+                                        "text": {
+                                            "type": "plain_text",
+                                            "text": "Commit"
+                                        },
+                                        "url": "${{ github.event.repository.html_url }}/commit/${{ github.sha }}"
+                                    }
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

.secrets.yaml

@@ -0,0 +1,89 @@
+secrets:
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:AeXmU6IET6Mu1m7RrGbUxKYfeGw=,iv:ivTCvzsvlMDeRi1Xo+Xig+q/MFjinRT25oTQ4dTpD5w=,tag:ZgeWJ9306rFP2QCfn13XEQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:jOYsF4j5MuwJnUDW+m2TQxCaf1DOH+6QeAwtkBI2UKSCepG0ptHuzw==,iv:bYHZmQZly0S0fpRTQ6VwbafDYxH18jmfn6T/0/KQuqQ=,tag:55xc/fyBbb96QYzlohkZ+A==,type:str]
+    AWS_DEFAULT_REGION: ENC[AES256_GCM,data:Q7KZm7eenYFn,iv:VuzTTfAHe9FOTcqrGiJU9qdNixTxszm23rSXuNDB3cA=,tag:eGbIm8M/1Lsl0aoa9NanOQ==,type:str]
+    AZURE_SUBSCRIPTION_ID: ENC[AES256_GCM,data:vSY8xRgtR/ZGaztRyKUZsPUfFOJF2Nn5Zj8uO4q4Xm/uMKHA,iv:gImkSQLPnK2lDs8BpKP/y5qtYUTQREBXPR+LiUz8RQU=,tag:CVeHJ5YOz6BW8M7JDgQHYQ==,type:str]
+    AZURE_CLIENT_ID: ENC[AES256_GCM,data:sr2EhYwKjlsHYatqEoDXcm3yp5W8kzLyU4wpUPVvIwquxfM/,iv:ZMqoaG+F9JCfpUUbH6S0vvpwUmrfbCNpv4EJzFkb7Ng=,tag:RN5psxUWFa0SHroi4iqPHQ==,type:str]
+    AZURE_CLIENT_SECRET: ENC[AES256_GCM,data:DXH6XWJ1hfdrJJ2ue7Oq2cKsZKjuIAVACCBXRrp86EjrMY/4I9StnA==,iv:GHFK7zQmBQNUHOQvozGigW1pvfbFxaOZQR/HJc58XD4=,tag:1ciek8BjoJjTjIaoImJj6Q==,type:str]
+    AZURE_TENANT_ID: ENC[AES256_GCM,data:dZapmCqJeTx9C0us38mxDpPbdxBn39fJOmIc+5MgnAI6esT5,iv:s/GuStsQKgdc/6jpq2YMAE9GggLH/xGfrDzzgk/4kmQ=,tag:+dVM3/Joq3OA/opmSU6TSA==,type:str]
+    EM_PROJECT_ID: ENC[AES256_GCM,data:nPVZ+Uoul/W7UpxIoeMP1n3YhuEjq3fNKD+zoso4FBP2Obd0,iv:SSF8KZBczWvCJjZpvDo60mnoM21CrzdmmKs2reLi8w0=,tag:VKjsQSHqiQY+IzkIXO70MA==,type:str]
+    EM_API_TOKEN: ENC[AES256_GCM,data:PnNDZTRDTubebmtAuH1sAuEp5ZwzVie5WA0AhCUk26M=,iv:5MdcOwY+QrIdkFgCXcs2rBGCXQBnhi/EDxTPWr/vCMs=,tag:mcQ9qrWPYMaPalzr/GV7pQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1xrpa9ujxxcj2u2gzfrzv8mxak4rts94a6y60ypurv6rs5cpr4e4sg95f0k
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvL24xdzZ5WVF6Mmxxa0NW
+            TnFSM00xWHFYRHJhbmxZU09hWG0weFNBdkdFCmVrQ1pxd2hJWkltMHo1S0dvMWwr
+            QXlMN1FCbTc3ajZQVS9xNXNtUDB0NEkKLS0tIHdtbmd3NG9Kdlo1VzdqMENVcVkr
+            ZE0zRWwxVzBLL3Q1WW1FNmVvc0txZm8K+GkjAq/WSduuDrsbeyqVi29Pj2IL25mA
+            a11K/HVqTCU834uHQXjpN3keJS23v5BJGZCpOwVXyZX8f1yAm/ZQAA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-06T06:16:37Z"
+    mac: ENC[AES256_GCM,data:q3NlR1Yi/4J/aCZUbatqL50gW7FPCMrYhYXSZWaZz4f+MLqzV+ymk4dO2QvS7ssgIX7TUVXjR2ClXgl+U3p31rqeVm8o8+LQPimJJnaQ0JrbO8tRZP3sQrQ4tghOKM1hFO/sz/52NTvoxl9OS9qIsq38fM+LUor4gEFekBQEyow=,iv:tZu7y6uezwvUFeHq4DdgNI0izg7DWspDIbzUxKTIBDs=,tag:PvYXbzD4HcWOP1Jw+zmHmA==,type:str]
+    pgp:
+        - created_at: "2024-04-29T17:03:17Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D/dYBJRlWfQISAQdAG/X828buETcY2yNXRA2dORhwHSfBk25lhTMOesAozk0w
+            42HQ4ZHV/xc/a9QsfX5pqAZgWbXUGce473RSMfbx3Xd2qnurqhOxyJ41xIQ2U1RX
+            0l4BQKFt84pgtGHzVdmOsqGzn+kHVxeL9vmsNmC8GGiTGOt/YlLepTwN/0lxl9YC
+            CtPehgXh1HEjPF6+97KEe/LsIqsEusiBvnz7ieF5bzpt0rhje0mG/yRPpHdE3tzp
+            =eUa+
+            -----END PGP MESSAGE-----
+          fp: 15D5721F5F5BAF121495363EFE042E3D4085A811
+        - created_at: "2024-04-29T17:03:17Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D+EORkHurkvgSAQdAc9l7LbjRnrmSkDnnqyjJgRso3exRZoFeHPvhd5FS3C8w
+            fa5KZkhoTCx9G19FFMOFksjLlCRVET7iN4/eI51KOuQ2XAj1PfG+fLPMucNtU7xz
+            0l4Baqj1OkL2vF+u0r1OHpZO3R+8h0N1sMoN/4tgQc58ClNCSrslrUiclZXv1brN
+            yX+sK8AtlxiBl9f5DIVqA5v+emtHx38OvR3o9iX8JppYuChmnU6a2mHy0cjwEgM/
+            =xkKE
+            -----END PGP MESSAGE-----
+          fp: CC51116A94490FA6FB3C18EB2401FCAE863A06CA
+        - created_at: "2024-04-29T17:03:17Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DCsA/BhMt3V4SAQdAdsc6wpQaH5PxlLbUgJ1AtQQLAfzW8N8u9tMoYUsw9Cww
+            jfAQCIpFjOCcKn2EfQzb/KXSHHiAFBx0BYF4kEoEnclyytkBtny1O14eZMVp0Ja0
+            0l4BAEzpCeHkgxS19TghHguj7dmRvwk+C3U/qZR0Yd5F8okK3OyLGxE8SzOCC+Ex
+            YZ2LiEerDzj7N3SxdzRBtYgpturs0TUlZwbO2jWvb92LrCg+fwZTDf+FXBMKJMgJ
+            =F891
+            -----END PGP MESSAGE-----
+          fp: 4919F560F0D35F80CF382D76E084A2DF1143C14D
+        - created_at: "2024-04-29T17:03:17Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAxQwM84t19oOAQgApMfAt5Si/Uo/Mk5VoOXvRXljrdRAkr7NXcRgw7aR99oR
+            oMp6M6yd6mMej840Vchrd5QPavMd6Pyrepebip50QViXzZKub4uw7ulSXr9Yy0Oa
+            cuVL7kimrjQE/3RfZfU4sHzoZUioz3lmfD1tVz7dCTxTp/wlJlb/68sZRG6fS/vE
+            KXjTf4P7IccTb5UWj8XMXcIaFrZ29MiHW/SBVeiYUkJk9gx37hTffz9lFKPx7iAN
+            MTZrbrqgyo5ZjM/z17j+F4I9M9eXaxld6fysFsuLHGmsZSvOrUSem8Db0gjr6hIi
+            ryv2tktT3HOuwhtSD9LuSa8Fkht5eOK9xu9E2MZSPtJeASK9n4FBaX+29mdtsW3z
+            +W7z1+hI/rWA6wVbJr/3h7gn0Z72/AlTcGqMJnITx73cBZTib30oMGtWWZ5dRBGU
+            TUeLQF8E0j4W7JMC+pDSUI71mMksoD+ihysJ3If96w==
+            =tZQw
+            -----END PGP MESSAGE-----
+          fp: 966BC282A680D8BB3E8363E865933E76F0549B0D
+        - created_at: "2024-04-29T17:03:17Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DzfZC0UNQ1VgSAQdAIOqJfm6hMsqYmTZtTbI1akgjnyMqXpK39iBZNx+HtzEw
+            DFLS/aioTT3QTndbSCtv4zlh5GqlhfMZrstgWBNhta0g4gxifX9VKWG2PUns4RX3
+            0l4BO3JwpHIV23X56gt9/H94GtuebNOaoNRLW7WmqpclpLV9Z3gm9Q0FOBeUGCPX
+            JDYt0QL0rcqIGPAcxEgLcx42vxHtUWfGcYGBugRbKVQ1xiEPZUAZgYAC5WqeKne2
+            =lE3W
+            -----END PGP MESSAGE-----
+          fp: AA5213AF261C1977AF38B03A94B473337258BFD5
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

.sops.yaml

@@ -0,0 +1,13 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-04-29T16:25:51Z by kres ebc009d-dirty.
+
+creation_rules:
+  - age: age1xrpa9ujxxcj2u2gzfrzv8mxak4rts94a6y60ypurv6rs5cpr4e4sg95f0k
+    # order: Andrey, Noel, Artem, Utku, Dmitriy
+    pgp: >-
+      15D5721F5F5BAF121495363EFE042E3D4085A811,
+      CC51116A94490FA6FB3C18EB2401FCAE863A06CA,
+      4919F560F0D35F80CF382D76E084A2DF1143C14D,
+      966BC282A680D8BB3E8363E865933E76F0549B0D,
+      AA5213AF261C1977AF38B03A94B473337258BFD5

Makefile

@@ -9,7 +9,6 @@ IMAGE_REGISTRY ?= $(REGISTRY)
 IMAGE_TAG ?= $(TAG)$(TAG_SUFFIX)
 BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 REGISTRY_AND_USERNAME := $(IMAGE_REGISTRY)/$(USERNAME)
-DOCKER_LOGIN_ENABLED ?= true
 NAME = Talos
 
 CLOUD_IMAGES_EXTRA_ARGS ?= ""
@@ -22,6 +21,9 @@ PKGS_PREFIX ?= ghcr.io/siderolabs
 PKGS ?= v1.8.0-alpha.0-16-g9ebfd1b
 EXTRAS ?= v1.8.0-alpha.0-1-g01ad9f5
 
+KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
+CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest
+
 PKG_FHS ?= $(PKGS_PREFIX)/fhs:$(PKGS)
 PKG_CA_CERTIFICATES ?= $(PKGS_PREFIX)/ca-certificates:$(PKGS)
 PKG_CRYPTSETUP ?= $(PKGS_PREFIX)/cryptsetup:$(PKGS)
@@ -84,7 +86,6 @@ ARCH := $(shell uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
 TALOSCTL_DEFAULT_TARGET := talosctl-$(OPERATING_SYSTEM)
 TALOSCTL_EXECUTABLE := $(PWD)/$(ARTIFACTS)/$(TALOSCTL_DEFAULT_TARGET)-$(ARCH)
 INTEGRATION_TEST_DEFAULT_TARGET := integration-test-$(OPERATING_SYSTEM)
-MODULE_SIG_VERIFY_DEFAULT_TARGET := module-sig-verify-$(OPERATING_SYSTEM)
 INTEGRATION_TEST_PROVISION_DEFAULT_TARGET := integration-test-provision-$(OPERATING_SYSTEM)
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
 KUBECTL_VERSION ?= v1.30.1
@@ -403,7 +404,7 @@ talosctl-cni-bundle: ## Creates a compressed tarball that includes CNI bundle fo
 cloud-images: ## Uploads cloud images (AMIs, etc.) to the cloud registry.
 	@docker run --rm -v $(PWD):/src -w /src \
 		-e TAG=$(TAG) -e ARTIFACTS=$(ARTIFACTS) -e ABBREV_TAG=$(ABBREV_TAG) \
-		-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SVC_ACCT \
+		-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
 		-e AZURE_SUBSCRIPTION_ID -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID \
 		golang:$(GO_VERSION) \
 		./hack/cloud-image-uploader.sh $(CLOUD_IMAGES_EXTRA_ARGS)
@@ -456,9 +457,6 @@ $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64:
 $(ARTIFACTS)/$(INTEGRATION_TEST_PROVISION_DEFAULT_TARGET)-amd64:
 	@$(MAKE) local-$(INTEGRATION_TEST_PROVISION_DEFAULT_TARGET) DEST=$(ARTIFACTS) PLATFORM=linux/amd64 WITH_RACE=true NAME=Client
 
-$(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64:
-	@$(MAKE) local-$(MODULE_SIG_VERIFY_DEFAULT_TARGET) DEST=$(ARTIFACTS) PLATFORM=linux/amd64
-
 $(ARTIFACTS)/kubectl:
 	@mkdir -p $(ARTIFACTS)
 	@curl -L -o $(ARTIFACTS)/kubectl "$(KUBECTL_URL)"
@@ -484,7 +482,7 @@ $(ARTIFACTS)/cilium:
 	@curl -L "$(CILIUM_CLI_URL)" | tar xzf - -C $(ARTIFACTS) cilium
 	@chmod +x $(ARTIFACTS)/cilium
 
-external-artifacts: $(ARTIFACTS)/kubectl $(ARTIFACTS)/clusterctl $(ARTIFACTS)/kubestr $(ARTIFACTS)/helm $(ARTIFACTS)/cilium $(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64
+external-artifacts: $(ARTIFACTS)/kubectl $(ARTIFACTS)/clusterctl $(ARTIFACTS)/kubestr $(ARTIFACTS)/helm $(ARTIFACTS)/cilium
 
 e2e-%: $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 external-artifacts ## Runs the E2E test for the specified platform (e.g. e2e-docker).
 	@$(MAKE) hack-test-$@ \
@@ -497,8 +495,6 @@ e2e-%: $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 external-artifacts
 		ARTIFACTS=$(ARTIFACTS) \
 		TALOSCTL=$(PWD)/$(ARTIFACTS)/$(TALOSCTL_DEFAULT_TARGET)-amd64 \
 		INTEGRATION_TEST=$(PWD)/$(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 \
-		MODULE_SIG_VERIFY=$(PWD)/$(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64 \
-		KERNEL_MODULE_SIGNING_PUBLIC_KEY=$(PWD)/$(ARTIFACTS)/signing_key.x509 \
 		SHORT_INTEGRATION_TEST=$(SHORT_INTEGRATION_TEST) \
 		CUSTOM_CNI_URL=$(CUSTOM_CNI_URL) \
 		KUBECTL=$(PWD)/$(ARTIFACTS)/kubectl \
@@ -526,9 +522,9 @@ provision-tests-track-%:
 		REGISTRY=$(IMAGE_REGISTRY) \
 		ARTIFACTS=$(ARTIFACTS)
 
-installer-with-extensions: $(ARTIFACTS)/extensions-metadata
+installer-with-extensions: $(ARTIFACTS)/extensions/_out/extensions-metadata
 	$(MAKE) image-installer \
-		IMAGER_ARGS="--base-installer-image=$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG) $(shell cat $(ARTIFACTS)/extensions-metadata | grep -vE 'tailscale|xen-guest-agent|nvidia' | xargs -n 1 echo --system-extension-image)"
+		IMAGER_ARGS="--base-installer-image=$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG) $(shell cat $(ARTIFACTS)/extensions/_out/extensions-metadata | grep -vE 'tailscale|xen-guest-agent|nvidia' | xargs -n 1 echo --system-extension-image)"
 	crane push $(ARTIFACTS)/installer-amd64.tar $(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG)-amd64-extensions
 	echo -n "$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG)-amd64-extensions" | jq -Rs -f hack/test/extensions/extension-patch-filter.jq | yq eval ".[] | split_doc" -P > $(ARTIFACTS)/extensions-patch.yaml
 
@@ -557,27 +553,27 @@ release-artifacts:
 
 # Utilities
 
+.PHONY: rekres
+rekres:
+	@docker pull $(KRES_IMAGE)
+	@docker run --rm --net=host --user $(shell id -u):$(shell id -g) -v $(PWD):/src -w /src -e GITHUB_TOKEN $(KRES_IMAGE)
+
 .PHONY: conformance
-conformance: ## Performs policy checks against the commit and source code.
-	docker run --rm -it -v $(PWD):/src -w /src ghcr.io/siderolabs/conform:latest enforce
+conformance:
+	@docker pull $(CONFORMANCE_IMAGE)
+	@docker run --rm -it -v $(PWD):/src -w /src $(CONFORMANCE_IMAGE) enforce
 
 .PHONY: release-notes
 release-notes:
 	ARTIFACTS=$(ARTIFACTS) ./hack/release.sh $@ $(ARTIFACTS)/RELEASE_NOTES.md $(TAG)
 
-.PHONY: login
-login: ## Logs in to the configured container registry.
-ifeq ($(DOCKER_LOGIN_ENABLED), true)
-	@docker login --username "$(GHCR_USERNAME)" --password "$(GHCR_PASSWORD)" $(IMAGE_REGISTRY)
-endif
-
-push: login ## Pushes the installer, imager, talos and talosctl images to the configured container registry with the generated tag.
+push: ## Pushes the installer, imager, talos and talosctl images to the configured container registry with the generated tag.
 	@$(MAKE) installer PUSH=true
 	@$(MAKE) imager PUSH=true
 	@$(MAKE) talos PUSH=true
 	@$(MAKE) talosctl-image PUSH=true
 
-push-%: login ## Pushes the installer, imager, talos and talosctl images to the configured container registry with the specified tag (e.g. push-latest).
+push-%: ## Pushes the installer, imager, talos and talosctl images to the configured container registry with the specified tag (e.g. push-latest).
 	@$(MAKE) push IMAGE_TAG=$*
 
 .PHONY: clean

hack/test/e2e-aws-prepare.sh

@@ -19,16 +19,16 @@ function get_ami_id() {
 function cloud_image_upload_with_extensions() {
   case "${1}" in
     nvidia-oss)
-      EXTENSIONS=$(jq -R < _out/extensions-metadata | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-fabricmanager") or contains("nonfree-kmod-nvidia") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
+      EXTENSIONS=$(jq -R < "${EXTENSIONS_METADATA_FILE}" | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-fabricmanager") or contains("nonfree-kmod-nvidia") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
       ;;
     nvidia-oss-fabricmanager)
-      EXTENSIONS=$(jq -R < _out/extensions-metadata | jq -rs 'map(select(. | contains("nvidia") and (contains("nonfree-kmod-nvidia") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
+      EXTENSIONS=$(jq -R < "${EXTENSIONS_METADATA_FILE}" | jq -rs 'map(select(. | contains("nvidia") and (contains("nonfree-kmod-nvidia") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
       ;;
-    nvidia-proprietary)
-      EXTENSIONS=$(jq -R < _out/extensions-metadata | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-fabricmanager") or contains("nvidia-open-gpu-kernel-modules") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
+    nvidia-nonfree)
+      EXTENSIONS=$(jq -R < "${EXTENSIONS_METADATA_FILE}" | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-fabricmanager") or contains("nvidia-open-gpu-kernel-modules") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
       ;;
-    nvidia-proprietary-fabricmanager)
-      EXTENSIONS=$(jq -R < _out/extensions-metadata | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-open-gpu-kernel-modules") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
+    nvidia-nonfree-fabricmanager)
+      EXTENSIONS=$(jq -R < "${EXTENSIONS_METADATA_FILE}" | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-open-gpu-kernel-modules") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
       ;;
     *)
       ;;

hack/test/e2e-cloud-tf.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+source ./hack/test/e2e.sh
+
+# This script is used to run the end-to-end tests on a cloud provider using Terraform.
+
+if [[ "${CI}" != "true" ]]; then
+    echo "This script is only meant to be run in CI."
+    exit 1
+fi
+
+BUCKET_NAME="talos-ci-e2e"
+
+cp "${TF_SCRIPT_DIR}/hack/backend-aws.tf" "${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}/backend.tf"
+
+cp "${ARTIFACTS}/e2e-${TF_E2E_TEST_TYPE}-generated"/* "${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}"
+
+terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+    init \
+    -backend-config="bucket=${BUCKET_NAME}" \
+    -backend-config="key=cloud-tf/${TF_E2E_TEST_TYPE}-${GITHUB_SHA}-terraform.tfstate"
+
+case "${TF_E2E_ACTION}" in
+    "apply")
+        terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+            apply \
+            -auto-approve \
+            -var-file="vars.json"
+
+        terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+            output \
+            -raw \
+            talosconfig > "${ARTIFACTS}/e2e-${TF_E2E_TEST_TYPE}-talosconfig"
+
+        terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+            output \
+            -raw \
+            kubeconfig > "${ARTIFACTS}/e2e-${TF_E2E_TEST_TYPE}-kubeconfig"
+        ;;
+    "destroy")
+        terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+            apply \
+            -destroy \
+            -auto-approve \
+            -var-file="vars.json" \
+            -refresh="${TF_E2E_REFRESH_ON_DESTROY:-true}"
+
+        aws s3api delete-object --bucket "${BUCKET_NAME}" --key "cloud-tf/${TF_E2E_TEST_TYPE}-${GITHUB_SHA}-terraform.tfstate"
+        ;;
+    *)
+        echo "Unsupported action: ${TF_E2E_ACTION}"
+        exit 1
+        ;;
+esac

hack/test/e2e-docker.sh

@@ -17,11 +17,11 @@ function create_cluster {
     --image="${IMAGE}" \
     --controlplanes=1 \
     --workers=1 \
-    --mtu=1450 \
+    --mtu=1430 \
     --memory=2048 \
     --cpus=2.0 \
     --with-init-node=false \
-    ${REGISTRY_MIRROR_FLAGS} \
+    "${REGISTRY_MIRROR_FLAGS[@]}" \
     --crashdump
 
   "${TALOSCTL}" config node 10.5.0.2

hack/test/e2e-image-factory.sh

@@ -48,7 +48,7 @@ function create_cluster {
     --controlplanes=3 \
     --workers="${QEMU_WORKERS:-1}" \
     --disk=15360 \
-    --mtu=1450 \
+    --mtu=1430 \
     --memory=2048 \
     --memory-workers="${QEMU_MEMORY_WORKERS:-2048}" \
     --cpus="${QEMU_CPUS:-2}" \

hack/test/e2e-iso.sh

@@ -19,7 +19,7 @@ function create_cluster {
     --iso-path=${ARTIFACTS}/metal-amd64.iso \
     --controlplanes=1 \
     --workers=0 \
-    --mtu=1450 \
+    --mtu=1430 \
     --memory=2048 \
     --cpus=2.0 \
     --cidr=172.20.2.0/24 \
@@ -27,7 +27,7 @@ function create_cluster {
     --install-image=${REGISTRY:-ghcr.io}/siderolabs/installer:${TAG} \
     --cni-bundle-url=${ARTIFACTS}/talosctl-cni-bundle-'${ARCH}'.tar.gz \
     --crashdump \
-    ${REGISTRY_MIRROR_FLAGS}
+    "${REGISTRY_MIRROR_FLAGS[@]}"
 
   "${TALOSCTL}" config node "${NODE}"
 }

hack/test/e2e-qemu.sh

@@ -173,7 +173,7 @@ function create_cluster {
     --disk=15360 \
     --extra-disks="${QEMU_EXTRA_DISKS:-0}" \
     --extra-disks-size="${QEMU_EXTRA_DISKS_SIZE:-5120}" \
-    --mtu=1450 \
+    --mtu=1430 \
     --memory=2048 \
     --memory-workers="${QEMU_MEMORY_WORKERS:-2048}" \
     --cpus="${QEMU_CPUS:-2}" \

hack/test/e2e.sh

@@ -12,8 +12,6 @@
 #  - ARTIFACTS
 #  - TALOSCTL
 #  - INTEGRATION_TEST
-#  - MODULE_SIG_VERIFY
-#  - KERNEL_MODULE_SIGNING_PUBLIC_KEY
 #  - SHORT_INTEGRATION_TEST
 #  - CUSTOM_CNI_URL
 #  - KUBECTL
@@ -108,7 +106,7 @@ function create_cluster_capi {
 
   # Wait for nodes to check in
   timeout=$(($(date +%s) + TIMEOUT))
-  until ${KUBECTL} get nodes -o go-template='{{ len .items }}' | grep ${NUM_NODES} >/dev/null; do
+  until ${KUBECTL} get nodes -o go-template='{{ len .items }}' | grep "${NUM_NODES}" >/dev/null; do
     [[ $(date +%s) -gt $timeout ]] && exit 1
     ${KUBECTL} get nodes -o wide && :
     sleep 10
@@ -210,7 +208,7 @@ function build_registry_mirrors {
   if [[ "${CI:-false}" == "true" ]]; then
     REGISTRY_MIRROR_FLAGS=()
 
-    for registry in docker.io registry.k8s.io quay.io gcr.io ghcr.io registry.dev.talos-systems.io; do
+    for registry in docker.io registry.k8s.io quay.io gcr.io ghcr.io; do
       local service="registry-${registry//./-}.ci.svc"
       addr=$(python3 -c "import socket; print(socket.gethostbyname('${service}'))")
 
@@ -218,7 +216,7 @@ function build_registry_mirrors {
     done
   else
     # use the value from the environment, if present
-    REGISTRY_MIRROR_FLAGS=(${REGISTRY_MIRROR_FLAGS:-})
+    REGISTRY_MIRROR_FLAGS=("${REGISTRY_MIRROR_FLAGS:-}")
   fi
 }
 

hack/test/provision-tests.sh

@@ -2,46 +2,45 @@
 
 set -eoux pipefail
 
+INTEGRATION_TEST_FLAGS=()
+
 case "${CI:-false}" in
   true)
-    mirror_flag=""
+    MIRROR_FLAG=()
 
-    for registry in docker.io k8s.gcr.io registry.k8s.io quay.io gcr.io ghcr.io registry.dev.talos-systems.io; do
+    for registry in docker.io k8s.gcr.io registry.k8s.io quay.io gcr.io ghcr.io; do
       service="registry-${registry//./-}.ci.svc"
-      addr=`python3 -c "import socket; print(socket.gethostbyname('${service}'))"`
+      addr=$(python3 -c "import socket; print(socket.gethostbyname('${service}'))")
 
-      if [[ ! -z "${mirror_flag}" ]]; then
-        mirror_flag="${mirror_flag},"
-      fi
-
-      mirror_flag="${mirror_flag}${registry}=http://${addr}:5000"
+      MIRROR_FLAG+=("${registry}=http://${addr}:5000")
     done
 
-    INTEGRATION_TEST_FLAGS="-talos.provision.target-installer-registry=${REGISTRY} -talos.provision.registry-mirror ${mirror_flag}"
+    MIRROR_FLAGS="${MIRROR_FLAG[*]}"
+
+    INTEGRATION_TEST_FLAGS+=("-talos.provision.target-installer-registry=${REGISTRY}" "-talos.provision.registry-mirror=${MIRROR_FLAGS// /,}")
     ;;
   *)
-    INTEGRATION_TEST_FLAGS=
     ;;
 esac
 
 if [ "${INTEGRATION_TEST_RUN:-undefined}" != "undefined" ]; then
-  INTEGRATION_TEST_FLAGS="${INTEGRATION_TEST_FLAGS} -test.run ${INTEGRATION_TEST_RUN}"
+  INTEGRATION_TEST_FLAGS+=("-test.run=${INTEGRATION_TEST_RUN}")
 fi
 
 if [ "${INTEGRATION_TEST_TRACK:-undefined}" != "undefined" ]; then
-  INTEGRATION_TEST_FLAGS="${INTEGRATION_TEST_FLAGS} -talos.provision.cidr 172.$(( ${INTEGRATION_TEST_TRACK} + 21 )).0.0/24"
+  INTEGRATION_TEST_FLAGS+=("-talos.provision.cidr=172.$(( INTEGRATION_TEST_TRACK + 21 )).0.0/24")
 fi
 
 case "${CUSTOM_CNI_URL:-false}" in
   false)
     ;;
   *)
-    INTEGRATION_TEST_FLAGS="${INTEGRATION_TEST_FLAGS} -talos.provision.custom-cni-url=${CUSTOM_CNI_URL}"
+    INTEGRATION_TEST_FLAGS+=("-talos.provision.custom-cni-url=${CUSTOM_CNI_URL}")
     ;;
 esac
 
 "${INTEGRATION_TEST}" -test.v \
   -talos.talosctlpath "${TALOSCTL}" \
-  -talos.provision.mtu 1450  \
-  -talos.provision.cni-bundle-url ${ARTIFACTS}/talosctl-cni-bundle-'${ARCH}'.tar.gz \
-  ${INTEGRATION_TEST_FLAGS}
+  -talos.provision.mtu 1430  \
+  -talos.provision.cni-bundle-url "${ARTIFACTS}/talosctl-cni-bundle-\${ARCH}.tar.gz" \
+  "${INTEGRATION_TEST_FLAGS[@]}"