-
Notifications
You must be signed in to change notification settings - Fork 113
176 lines (156 loc) · 6.4 KB
/
build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
name: Build and attest all
on:
push:
branches: [main]
pull_request:
branches: [main]
# See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
build_attest_all:
strategy:
fail-fast: false
matrix:
buildconfig:
- buildconfigs/key_xor_test_app.sh
- buildconfigs/oak_client_android_app.sh
- buildconfigs/oak_containers_agent.sh
- buildconfigs/oak_containers_kernel.sh
- buildconfigs/oak_containers_orchestrator.sh
- buildconfigs/oak_containers_stage1.sh
- buildconfigs/oak_containers_syslogd.sh
- buildconfigs/oak_containers_system_image.sh
- buildconfigs/oak_containers_nvidia_system_image.sh
- buildconfigs/oak_echo_enclave_app.sh
- buildconfigs/oak_echo_raw_enclave_app.sh
- buildconfigs/oak_functions_enclave_app.sh
- buildconfigs/oak_functions_insecure_enclave_app.sh
- buildconfigs/oak_orchestrator.sh
- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
- buildconfigs/stage0_bin.sh
permissions:
actions: read
id-token: write
attestations: write
contents: read
runs-on: ubuntu-20.04
steps:
# Needed for GCS upload.
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
# Needed for GCS upload.
- name: Setup Google Cloud
uses: google-github-actions/setup-gcloud@v2
- name: Mount main branch
uses: actions/checkout@v4
# The runner comes with all this software pre-installed:
# https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2004-Readme.md
# To avoid failures due to lack of disk space, we delete some large packages
# which are irrelevant for building. Sources:
# https://github.com/jens-maus/RaspberryMatic/blob/ea6b8ce0dd2d53ea88b2766ba8d7f8e1d667281f/.github/workflows/ci.yml#L34-L40
# https://github.com/actions/runner-images/issues/2875
- name: Free disk space
run: |
set -o errexit
set -o xtrace
df --human-readable
sudo apt-get remove --yes \
'^dotnet-.*' '^llvm-.*' 'php.*' azure-cli \
hhvm google-chrome-stable firefox powershell
df --human-readable
sudo apt-get autoremove --yes
df --human-readable
sudo apt clean
df --human-readable
docker rmi $(docker image ls --all --quiet)
df --human-readable
rm --recursive --force "${AGENT_TOOLSDIRECTORY}"
df --human-readable
# Keeps two versions of SUBJECT_PATHS, with space resp. comma as
# path separator. Both are needed in later steps.
- name: Parse buildconfig
id: parse
run: |
set -o errexit
set -o nounset
set -o pipefail
source ${{ matrix.buildconfig }}
echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}"
paths="${SUBJECT_PATHS[@]}"
echo "subject-paths=${paths}" >> "${GITHUB_OUTPUT}"
echo "subject-paths-commas=${paths// /,}" >> "${GITHUB_OUTPUT}"
- name: Show values
run: |
set -o errexit
set -o nounset
set -o pipefail
gsutil --version
echo "package_name: ${{ steps.parse.outputs.package-name }}"
echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}"
echo "subject_paths_commas: ${{ steps.parse.outputs.subject-paths-commas }}"
echo "GITHUB_SHA: ${GITHUB_SHA}"
- name: Build
id: build
run: |
set -o errexit
set -o nounset
set -o pipefail
source ${{ matrix.buildconfig }}
export RUST_BACKTRACE=1
export RUST_LOG=debug
export XDG_RUNTIME_DIR=/var/run
scripts/docker_pull
scripts/docker_run "${BUILD_COMMAND[@]}"
- name: Show build artifacts
run: |
echo "${{ steps.parse.outputs.subject-paths }}"
ls -la ${{ steps.parse.outputs.subject-paths }}
- name: Attest
id: attest
uses: actions/[email protected]
with:
subject-path: ${{ steps.parse.outputs.subject-paths-commas }}
- name: Show bundle
run: |
echo "${{ steps.attest.outputs.bundle-path }}"
ls -la "${{ steps.attest.outputs.bundle-path }}"
cat "${{ steps.attest.outputs.bundle-path }}"
# Upload binary and provenance to GCS and index via http://static.space
# so that, regardless of the GCS bucket and path, it can easily be
# located by its digest.
#
# TODO: b/339774247 - The filenames are hardwired for now so they don't
# collide with the upload from the other workflow (which doesn't use
# these names).
- name: Upload
id: upload
run: |
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
bucket=oak-bins
package_name=${{ steps.parse.outputs.package-name }}
subject_paths=( ${{ steps.parse.outputs.subject-paths }} )
binary_path="${subject_paths[0]}"
provenance_path=${{ steps.attest.outputs.bundle-path }}
gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"
binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"
provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"
gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${binary_url}\" }" \
https://api.static.space/v1/snapshot
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${provenance_url}\" }" \
https://api.static.space/v1/snapshot