Build oak_restricted_kernel_bin with Bazel - for bare metal only. #102
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and attest all | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
# See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
build_attest_all: | |
strategy: | |
fail-fast: false | |
matrix: | |
buildconfig: | |
- buildconfigs/key_xor_test_app.sh | |
- buildconfigs/oak_client_android_app.sh | |
- buildconfigs/oak_containers_kernel.sh | |
- buildconfigs/oak_containers_orchestrator.sh | |
- buildconfigs/oak_containers_stage1.sh | |
- buildconfigs/oak_containers_syslogd.sh | |
- buildconfigs/oak_containers_agent.sh | |
- buildconfigs/oak_containers_system_image.sh | |
- buildconfigs/oak_echo_enclave_app.sh | |
- buildconfigs/oak_echo_raw_enclave_app.sh | |
- buildconfigs/oak_functions_enclave_app.sh | |
- buildconfigs/oak_functions_insecure_enclave_app.sh | |
- buildconfigs/oak_orchestrator.sh | |
- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh | |
- buildconfigs/stage0_bin.sh | |
permissions: | |
actions: read | |
id-token: write | |
attestations: write | |
contents: read | |
runs-on: ubuntu-20.04 | |
steps: | |
# Needed for GCS upload. | |
- name: Authenticate to Google Cloud | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }} | |
# Needed for GCS upload. | |
- name: Setup Google Cloud | |
uses: google-github-actions/setup-gcloud@v2 | |
- name: Mount main branch | |
uses: actions/checkout@v4 | |
# Keeps two versions of SUBJECT_PATHS, with space resp. comma as | |
# path separator. Both are needed in later steps. | |
- name: Parse buildconfig | |
id: parse | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
source ${{ matrix.buildconfig }} | |
echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}" | |
paths="${SUBJECT_PATHS[@]}" | |
echo "subject-paths=${paths}" >> "${GITHUB_OUTPUT}" | |
echo "subject-paths-commas=${paths// /,}" >> "${GITHUB_OUTPUT}" | |
- name: Show values | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
gsutil --version | |
echo "package_name: ${{ steps.parse.outputs.package-name }}" | |
echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}" | |
echo "subject_paths_commas: ${{ steps.parse.outputs.subject-paths-commas }}" | |
echo "GITHUB_SHA: ${GITHUB_SHA}" | |
- name: Build | |
id: build | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
source ${{ matrix.buildconfig }} | |
export RUST_BACKTRACE=1 | |
export RUST_LOG=debug | |
export XDG_RUNTIME_DIR=/var/run | |
scripts/docker_pull | |
scripts/docker_run "${BUILD_COMMAND[@]}" | |
- name: Show build artifacts | |
run: | | |
echo "${{ steps.parse.outputs.subject-paths }}" | |
ls -la ${{ steps.parse.outputs.subject-paths }} | |
- name: Attest | |
id: attest | |
uses: actions/[email protected] | |
with: | |
subject-path: ${{ steps.parse.outputs.subject-paths-commas }} | |
- name: Show bundle | |
run: | | |
echo "${{ steps.attest.outputs.bundle-path }}" | |
ls -la "${{ steps.attest.outputs.bundle-path }}" | |
cat "${{ steps.attest.outputs.bundle-path }}" | |
# Upload binary and provenance to GCS and index via http://static.space | |
# so that, regardless of the GCS bucket and path, it can easily be | |
# located by its digest. | |
# | |
# TODO: b/339774247 - The filenames are hardwired for now so they don't | |
# collide with the upload from the other workflow (which doesn't use | |
# these names). | |
- name: Upload | |
id: upload | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
set -o xtrace | |
bucket=oak-bins | |
package_name=${{ steps.parse.outputs.package-name }} | |
subject_paths=( ${{ steps.parse.outputs.subject-paths }} ) | |
binary_path="${subject_paths[0]}" | |
provenance_path=${{ steps.attest.outputs.bundle-path }} | |
gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary" | |
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl" | |
binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}" | |
provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}" | |
gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}" | |
gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}" | |
curl --fail \ | |
--request POST \ | |
--header 'Content-Type: application/json' \ | |
--data "{ \"url\": \"${binary_url}\" }" \ | |
https://api.static.space/v1/snapshot | |
curl --fail \ | |
--request POST \ | |
--header 'Content-Type: application/json' \ | |
--data "{ \"url\": \"${provenance_url}\" }" \ | |
https://api.static.space/v1/snapshot |