From 84a4c2003c5269ae6c045f35e609425a251ef652 Mon Sep 17 00:00:00 2001
From: Al Cutter
Date: Fri, 5 May 2023 16:58:35 +0100
Subject: [PATCH] Add simple PR CI action
---
.github/workflows/pr_build.yml | 40 ++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 .github/workflows/pr_build.yml
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
new file mode 100644
index 0000000..03d6b4c
--- /dev/null
+++ b/.github/workflows/pr_build.yml
@@ -0,0 +1,40 @@
+name: PR CI
+
+on: [push, pull_request]
+
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
+jobs:
+ build:
+ env:
+ TAMAGO_VERSION: 1.20.4
+ TAMAGO: /usr/local/tamago-go/bin/go
+ APPLET_PRIVATE_KEY: /tmp/applet.sec
+ APPLET_PUBLIC_KEY: /tmp/applet.pub
+ OS_PRIVATE_KEY1: /tmp/os1.sec
+ OS_PUBLIC_KEY1: /tmp/os1.pub
+ OS_PRIVATE_KEY2: /tmp/os2.sec
+ OS_PUBLIC_KEY2: /tmp/os2.pub
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - name: Install tools
+ run: |
+ wget -q https://github.com/usbarmory/tamago-go/releases/download/tamago-go${TAMAGO_VERSION}/tamago-go${TAMAGO_VERSION}.linux-amd64.tar.gz
+ sudo tar -xf tamago-go${TAMAGO_VERSION}.linux-amd64.tar.gz -C /
+ sudo apt install protobuf-compiler signify-openbsd
+ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
+ echo "${HOME}/go/bin" >> $GITHUB_PATH
+ - name: Create throwaway keys & fake embed
+ run: |
+ signify-openbsd -G -n -p ${APPLET_PUBLIC_KEY} -s ${APPLET_PRIVATE_KEY}
+ signify-openbsd -G -n -p ${OS_PUBLIC_KEY1} -s ${OS_PRIVATE_KEY1}
+ signify-openbsd -G -n -p ${OS_PUBLIC_KEY2} -s ${OS_PRIVATE_KEY2}
+ # Now create a fake applet to embed, and sign it
+ mkdir -p trusted_os/assets
+ echo "When I grow up, I want to be an applet" > trusted_os/assets/trusted_applet.elf
+ signify-openbsd -S -s ${APPLET_PRIVATE_KEY} -m trusted_os/assets/trusted_applet.elf -x trusted_os/assets/trusted_applet.sig
+ - name: Make
+ run: |
+ DEBUG=1 make trusted_os
\ No newline at end of file
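Review bot: The "Install tools" step unpacks the tamago-go release tarball as root into `/` (`sudo tar -xf … -C /`) straight after `wget -q`, with no integrity check, even though the checkout action just above it is pinned to a commit SHA. A release asset can be replaced without the version string changing, so the toolchain that compiles the trusted OS is only as trustworthy as whatever the URL serves at run time. Pin a digest next to the version, e.g. `TAMAGO_SHA256: <expected-sha256-of-release-tarball>` under `env`, and verify it before extracting with `echo "${TAMAGO_SHA256}  tamago-go${TAMAGO_VERSION}.linux-amd64.tar.gz" | sha256sum -c -`. Separately, `sudo apt install` has no `-y` and no preceding `apt-get update`, so it may abort on a non-interactive runner if extra dependencies are needed or the package index is stale.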