-
Notifications
You must be signed in to change notification settings - Fork 113
150 lines (130 loc) · 5.1 KB
/
build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
name: Build and attest all
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
branches: [stage0verify]
# See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
build_attest_all:
strategy:
fail-fast: false
matrix:
buildconfig:
- buildconfigs/key_xor_test_app.sh
- buildconfigs/oak_containers_kernel.sh
- buildconfigs/oak_containers_orchestrator.sh
- buildconfigs/oak_containers_stage1.sh
- buildconfigs/oak_containers_syslogd.sh
- buildconfigs/oak_containers_system_image.sh
- buildconfigs/oak_echo_enclave_app.sh
- buildconfigs/oak_echo_raw_enclave_app.sh
- buildconfigs/oak_functions_enclave_app.sh
- buildconfigs/oak_functions_insecure_enclave_app.sh
- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
- buildconfigs/stage0_bin.sh
- buildconfigs/oak_orchestrator.sh
permissions:
actions: read
id-token: write
attestations: write
contents: read
runs-on: ubuntu-20.04
steps:
# Needed for GCS upload.
# - name: Authenticate to Google Cloud
# uses: google-github-actions/auth@v2
# with:
# credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
# Needed for GCS upload.
- name: Setup Google Cloud
uses: google-github-actions/setup-gcloud@v2
- name: Mount main branch
uses: actions/checkout@v4
- name: Parse buildconfig
id: parse
run: |
set -o errexit
set -o nounset
set -o pipefail
source ${{ matrix.buildconfig }}
echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}"
echo "binary-path=${BINARY_PATH}" >> "${GITHUB_OUTPUT}"
echo "subject-path=${SUBJECT_PATH}" >> "${GITHUB_OUTPUT}"
- name: Show values
run: |
set -o errexit
set -o nounset
set -o pipefail
gsutil --version
echo "package_name: ${{ steps.parse.outputs.package-name }}"
echo "binary_path: ${{ steps.parse.outputs.binary-path }}"
echo "subject_path: ${{ steps.parse.outputs.subject-path }}"
echo "GITHUB_SHA: ${GITHUB_SHA}"
- name: Build
id: build
run: |
set -o errexit
set -o nounset
set -o pipefail
source ${{ matrix.buildconfig }}
export RUST_BACKTRACE=1
export RUST_LOG=debug
export XDG_RUNTIME_DIR=/var/run
scripts/docker_pull
scripts/docker_run "${BUILD_COMMAND[@]}"
- name: Show build artifact
run: |
echo "${{ steps.parse.outputs.binary-path }}"
ls -la "${{ steps.parse.outputs.binary-path }}"
echo "${{ steps.parse.outputs.subject-path }}"
ls -la ${{ steps.parse.outputs.subject-path }}
- name: Attest
id: attest
uses: actions/[email protected]
with:
subject-path: ${{ steps.parse.outputs.subject-path }}
- name: Show bundle
run: |
echo "${{ steps.attest.outputs.bundle-path }}"
ls -la "${{ steps.attest.outputs.bundle-path }}"
cat "${{ steps.attest.outputs.bundle-path }}"
# Upload binary and provenance to GCS and index via http://static.space
# so that, regardless of the GCS bucket and path, it can easily be
# located by its digest.
#
# TODO: b/339774247 - The filenames are hardwired for now so they don't
# collide with the upload from the other workflow (which doesn't use
# these names).
- name: Upload
id: upload
run: |
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
bucket=oak-bins
package_name=${{ steps.parse.outputs.package-name }}
binary_path=${{ steps.parse.outputs.binary-path }}
provenance_path=${{ steps.attest.outputs.bundle-path }}
gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"
binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"
provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"
gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${binary_url}\" }" \
https://api.static.space/v1/snapshot
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${provenance_url}\" }" \
https://api.static.space/v1/snapshot