2022-10-19 07:10:15 -04:00
name : Build and Upload OS image
2023-01-23 04:59:17 -05:00
2022-10-19 07:10:15 -04:00
on :
workflow_dispatch :
inputs :
imageVersion :
description : "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
required : false
2022-12-09 05:51:38 -05:00
isRelease :
description : 'Is this a release? (sets "ref" to special value "-")'
2022-10-19 07:10:15 -04:00
type : boolean
required : false
2022-12-09 05:51:38 -05:00
default : false
stream :
2023-01-16 06:20:01 -05:00
description : "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
2022-12-09 05:51:38 -05:00
type : choice
required : true
options :
- "debug"
2023-01-16 07:56:06 -05:00
- "console"
- "nightly"
- "stable"
2023-01-02 06:25:17 -05:00
ref :
type : string
description : "Git ref to checkout"
required : false
workflow_call :
inputs :
imageVersion :
description : "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
required : false
type : string
isRelease :
description : 'Is this a release? (sets "ref" to special value "-")'
type : boolean
required : false
default : false
stream :
description : "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
type : string
required : true
ref :
type : string
description : "Git ref to checkout"
required : false
2022-10-19 07:10:15 -04:00
jobs :
2022-11-04 11:48:52 -04:00
build-settings :
name : "Determine build settings"
runs-on : ubuntu-22.04
outputs :
2022-12-09 05:51:38 -05:00
ref : ${{ steps.ref.outputs.ref }}
2023-01-16 07:56:06 -05:00
stream : ${{ steps.stream.outputs.stream }}
2022-11-04 11:48:52 -04:00
imageType : ${{ steps.image-type.outputs.imageType }}
2022-12-09 05:51:38 -05:00
imageVersion : ${{ steps.image-version.outputs.imageVersion }}
imageName : ${{ steps.image-version.outputs.imageName }}
imageNameShort : ${{ steps.image-version.outputs.imageNameShort }}
imageApiBasePath : ${{ steps.image-version.outputs.imageApiBasePath }}
2023-02-24 06:00:04 -05:00
cliApiBasePath : ${{ steps.image-version.outputs.cliApiBasePath }}
2022-11-04 11:48:52 -04:00
steps :
- name : Checkout
2023-12-20 10:10:35 -05:00
uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
2022-11-10 11:22:26 -05:00
with :
2023-01-02 06:25:17 -05:00
ref : ${{ inputs.ref || github.head_ref }}
2022-11-04 11:48:52 -04:00
- name : Determine version
id : version
uses : ./.github/actions/pseudo_version
2022-12-09 05:51:38 -05:00
- name : Determine ref
id : ref
run : |
if [[ "${{ inputs.isRelease }}" = "true" ]]; then
2023-04-14 12:25:53 -04:00
echo "ref=-" | tee -a "$GITHUB_OUTPUT"
2022-12-09 05:51:38 -05:00
else
2023-04-14 12:25:53 -04:00
echo "ref=${{ steps.version.outputs.branchName }}" | tee -a "$GITHUB_OUTPUT"
2022-12-09 05:51:38 -05:00
fi
2023-01-16 07:56:06 -05:00
- name : Determine and validate stream
id : stream
2022-12-09 05:51:38 -05:00
run : |
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then
echo "Nightly builds are not allowed for releases"
exit 1
2023-01-23 04:59:17 -05:00
fi
if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then
2022-12-09 05:51:38 -05:00
echo "Stable builds are only allowed for releases"
exit 1
fi
2023-04-14 12:25:53 -04:00
echo "stream=${{ inputs.stream }}" | tee -a "$GITHUB_OUTPUT"
2023-01-16 07:56:06 -05:00
2022-11-04 11:48:52 -04:00
- name : Determine type of image build
shell : bash
id : image-type
run : |
2023-01-16 07:56:06 -05:00
case "${{ steps.stream.outputs.stream }}" in
"debug" )
2023-04-14 12:25:53 -04:00
echo "imageType=debug" | tee -a "$GITHUB_OUTPUT"
2023-01-16 07:56:06 -05:00
;;
"console" )
2023-04-14 12:25:53 -04:00
echo "imageType=console" | tee -a "$GITHUB_OUTPUT"
2023-01-16 07:56:06 -05:00
;;
*)
2023-04-14 12:25:53 -04:00
echo "imageType=default" | tee -a "$GITHUB_OUTPUT"
2023-01-16 07:56:06 -05:00
;;
esac
2022-11-04 11:48:52 -04:00
2022-12-09 05:51:38 -05:00
- name : Determine image version
id : image-version
2022-11-16 09:45:10 -05:00
shell : bash
2022-12-09 05:51:38 -05:00
env :
REF : ${{ steps.ref.outputs.ref }}
2023-01-16 07:56:06 -05:00
STREAM : ${{ steps.stream.outputs.stream }}
2023-03-14 09:53:33 -04:00
IMAGE_VERSION : ${{ inputs.imageVersion || steps.version.outputs.version }}
2022-11-16 09:45:10 -05:00
run : |
2022-12-09 05:51:38 -05:00
{
echo "imageVersion=${IMAGE_VERSION}"
echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
2023-01-04 11:07:16 -05:00
echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
2023-02-24 06:00:04 -05:00
echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
2023-03-21 07:20:27 -04:00
} | tee -a "$GITHUB_OUTPUT"
2022-12-09 05:51:38 -05:00
2022-12-12 08:17:50 -05:00
if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
2023-04-14 12:25:53 -04:00
echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
2022-12-09 05:51:38 -05:00
elif [[ "${REF}" = "-" ]]; then
2023-04-14 12:25:53 -04:00
echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
2022-11-16 09:45:10 -05:00
else
2023-04-14 12:25:53 -04:00
echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
2022-11-16 09:45:10 -05:00
fi
2022-10-19 07:10:15 -04:00
make-os-image :
name : "Build OS using mkosi"
2023-09-18 07:55:46 -04:00
needs : [ build-settings]
2023-10-04 04:13:43 -04:00
runs-on : ubuntu-latest-8-cores
2022-10-19 07:10:15 -04:00
strategy :
2022-11-03 10:22:51 -04:00
fail-fast : false
2022-10-19 07:10:15 -04:00
matrix :
2023-05-23 10:22:29 -04:00
include :
- csp : aws
attestation_variant : aws-nitro-tpm
2023-05-26 04:15:30 -04:00
- csp : aws
attestation_variant : aws-sev-snp
2023-05-23 10:22:29 -04:00
- csp : azure
attestation_variant : azure-sev-snp
- csp : gcp
attestation_variant : gcp-sev-es
- csp : gcp
attestation_variant : gcp-sev-snp
- csp : qemu
attestation_variant : qemu-vtpm
- csp : openstack
attestation_variant : qemu-vtpm
2022-10-19 07:10:15 -04:00
steps :
- name : Checkout
2023-12-20 10:10:35 -05:00
uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
2022-11-10 11:22:26 -05:00
with :
2023-01-02 06:25:17 -05:00
ref : ${{ inputs.ref || github.head_ref }}
2022-10-19 07:10:15 -04:00
2023-10-04 07:55:38 -04:00
- uses : ./.github/actions/setup_bazel_nix
2023-09-29 05:03:34 -04:00
with :
2023-10-04 07:55:38 -04:00
useCache : "false"
2022-10-19 07:10:15 -04:00
- name : Build
2023-09-18 07:55:46 -04:00
id : build
2022-10-19 07:10:15 -04:00
shell : bash
2022-10-21 04:11:53 -04:00
working-directory : ${{ github.workspace }}/image
2022-10-19 07:10:15 -04:00
env :
2023-09-18 07:55:46 -04:00
TARGET : //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
2023-01-18 04:15:58 -05:00
run : |
echo "::group::Build"
2023-10-19 02:34:17 -04:00
bazel build //image/base:rpmdb
2023-10-04 04:51:17 -04:00
bazel build "${TARGET}"
2022-11-11 08:49:16 -05:00
{
2023-10-04 04:51:17 -04:00
echo "image-dir=$(bazel cquery --output=files "$TARGET")"
2023-10-17 08:04:41 -04:00
echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
2023-03-21 07:20:27 -04:00
} | tee -a "$GITHUB_OUTPUT"
2023-09-18 07:55:46 -04:00
echo "::endgroup::"
2022-10-01 18:48:06 -04:00
2022-10-19 07:10:15 -04:00
- name : Upload raw OS image as artifact
2023-12-20 09:17:49 -05:00
uses : ./.github/actions/artifact_upload
2022-10-19 07:10:15 -04:00
with :
2023-05-23 10:22:29 -04:00
name : image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
2023-09-18 07:55:46 -04:00
path : ${{ steps.build.outputs.image-dir }}/constellation.raw
2023-12-21 13:28:18 -05:00
encryptionSecret : ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
2022-10-19 07:10:15 -04:00
- name : Upload individual OS parts as artifacts
2023-12-20 09:17:49 -05:00
uses : ./.github/actions/artifact_upload
2022-10-19 07:10:15 -04:00
with :
2023-05-23 10:22:29 -04:00
name : parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
2023-12-20 09:17:49 -05:00
path : >
2023-09-18 07:55:46 -04:00
${{ steps.build.outputs.image-dir }}/constellation.efi
${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
2023-12-21 13:28:18 -05:00
encryptionSecret : ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
2022-10-19 07:10:15 -04:00
2023-10-17 08:04:41 -04:00
- name : Upload sbom info as artifact
2023-12-20 09:17:49 -05:00
uses : ./.github/actions/artifact_upload
2023-10-17 08:04:41 -04:00
with :
name : sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path : ${{ steps.build.outputs.rpmdb }}
2023-12-21 13:28:18 -05:00
encryptionSecret : ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
2023-10-17 08:04:41 -04:00
2022-10-19 07:10:15 -04:00
upload-os-image :
name : "Upload OS image to CSP"
2022-11-04 11:48:52 -04:00
needs : [ build-settings, make-os-image]
2022-10-19 07:10:15 -04:00
runs-on : ubuntu-22.04
2022-10-17 11:39:49 -04:00
permissions :
id-token : write
contents : read
2022-10-19 07:10:15 -04:00
strategy :
2022-11-03 10:22:51 -04:00
fail-fast : false
2022-10-19 07:10:15 -04:00
matrix :
2023-05-23 10:22:29 -04:00
include :
- csp : aws
attestation_variant : aws-nitro-tpm
2023-05-26 04:15:30 -04:00
- csp : aws
attestation_variant : aws-sev-snp
2023-05-23 10:22:29 -04:00
- csp : azure
attestation_variant : azure-sev-snp
- csp : gcp
attestation_variant : gcp-sev-es
- csp : gcp
attestation_variant : gcp-sev-snp
- csp : qemu
attestation_variant : qemu-vtpm
- csp : openstack
attestation_variant : qemu-vtpm
2023-04-27 05:37:37 -04:00
env :
2023-09-18 07:55:46 -04:00
RAW_IMAGE_PATH : mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/constellation.raw
2023-06-15 10:50:35 -04:00
JSON_OUTPUT : mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json
AZURE_IMAGE_PATH : mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd
GCP_IMAGE_PATH : mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz
2023-04-27 05:37:37 -04:00
SHORTNAME : ${{ needs.build-settings.outputs.imageNameShort }}
2023-05-23 10:22:29 -04:00
ATTESTATION_VARIANT : ${{ matrix.attestation_variant }}
2022-10-19 07:10:15 -04:00
steps :
- name : Checkout
2023-12-20 10:10:35 -05:00
uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
2022-11-10 11:22:26 -05:00
with :
2023-01-02 06:25:17 -05:00
ref : ${{ inputs.ref || github.head_ref }}
2022-10-19 07:10:15 -04:00
2023-10-04 07:55:38 -04:00
- uses : ./.github/actions/setup_bazel_nix
with :
useCache : "false"
2022-10-19 07:10:15 -04:00
- name : Download OS image artifact
2023-12-20 09:17:49 -05:00
uses : ./.github/actions/artifact_download
2022-10-19 07:10:15 -04:00
with :
2023-05-23 10:22:29 -04:00
name : image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
2023-06-15 10:50:35 -04:00
path : ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
2023-12-21 13:28:18 -05:00
encryptionSecret : ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
2022-10-19 07:10:15 -04:00
- name : Install tools
shell : bash
run : |
echo "::group::Install tools"
sudo apt-get update
2022-10-17 11:39:49 -04:00
sudo apt-get install -y \
pigz \
qemu-utils \
2023-03-06 07:29:15 -05:00
python3-pip
2022-10-19 07:10:15 -04:00
echo "::endgroup::"
2022-10-17 11:39:49 -04:00
- name : Login to AWS
2023-10-26 02:18:37 -04:00
uses : aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
2022-10-17 11:39:49 -04:00
with :
role-to-assume : arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region : eu-central-1
2022-10-19 07:10:15 -04:00
- name : Login to Azure
2022-11-08 10:21:08 -05:00
if : matrix.csp == 'azure'
2022-11-08 10:13:10 -05:00
uses : ./.github/actions/login_azure
2022-10-19 07:10:15 -04:00
with :
2022-10-21 10:23:29 -04:00
azure_credentials : ${{ secrets.AZURE_CREDENTIALS }}
2022-10-19 07:10:15 -04:00
- name : Login to GCP
2022-12-09 05:51:38 -05:00
if : matrix.csp == 'gcp'
2023-01-18 04:15:58 -05:00
uses : ./.github/actions/login_gcp
2022-10-19 07:10:15 -04:00
with :
2023-11-27 07:04:41 -05:00
service_account : "image-uploader@constellation-images.iam.gserviceaccount.com"
2022-10-19 07:10:15 -04:00
2022-10-17 11:39:49 -04:00
- name : Upload AWS image
2023-01-18 04:15:58 -05:00
if : matrix.csp == 'aws'
2022-10-17 11:39:49 -04:00
shell : bash
working-directory : ${{ github.workspace }}/image
2023-01-18 04:15:58 -05:00
run : |
echo "::group::Upload AWS image"
2023-05-23 10:22:29 -04:00
bazel run //image/upload -- image aws \
2023-04-27 05:37:37 -04:00
--verbose \
2023-05-23 10:22:29 -04:00
--raw-image "${RAW_IMAGE_PATH}" \
--attestation-variant "${ATTESTATION_VARIANT}" \
2023-04-27 05:37:37 -04:00
--version "${SHORTNAME}" \
2023-05-23 10:22:29 -04:00
--out "${JSON_OUTPUT}"
echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
2023-01-18 04:15:58 -05:00
echo "::endgroup::"
2022-10-19 07:10:15 -04:00
- name : Upload GCP image
2023-01-18 04:15:58 -05:00
if : matrix.csp == 'gcp'
2022-10-19 07:10:15 -04:00
shell : bash
2022-10-21 04:11:53 -04:00
working-directory : ${{ github.workspace }}/image
2023-01-18 04:15:58 -05:00
run : |
echo "::group::Upload GCP image"
2023-05-23 10:22:29 -04:00
upload/pack.sh gcp "${RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
bazel run //image/upload -- image gcp \
2023-04-27 05:37:37 -04:00
--verbose \
--raw-image "${GCP_IMAGE_PATH}" \
2023-05-23 10:22:29 -04:00
--attestation-variant "${ATTESTATION_VARIANT}" \
2023-04-27 05:37:37 -04:00
--version "${SHORTNAME}" \
2023-05-23 10:22:29 -04:00
--out "${JSON_OUTPUT}"
echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
2023-01-18 04:15:58 -05:00
echo "::endgroup::"
2022-10-19 07:10:15 -04:00
- name : Upload Azure image
2023-01-18 04:15:58 -05:00
if : matrix.csp == 'azure'
2022-10-19 07:10:15 -04:00
shell : bash
2022-10-21 04:11:53 -04:00
working-directory : ${{ github.workspace }}/image
2023-01-18 04:15:58 -05:00
run : |
echo "::group::Upload Azure image"
2023-12-21 13:28:18 -05:00
chmod +w "${RAW_IMAGE_PATH}"
2023-05-23 10:22:29 -04:00
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
bazel run //image/upload -- image azure \
2023-04-27 05:37:37 -04:00
--verbose \
--raw-image "${AZURE_IMAGE_PATH}" \
2023-05-23 10:22:29 -04:00
--attestation-variant "${ATTESTATION_VARIANT}" \
2023-04-27 05:37:37 -04:00
--version "${SHORTNAME}" \
2023-05-23 10:22:29 -04:00
--out "${JSON_OUTPUT}"
echo -e "Uploaded Azure image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
2023-01-18 04:15:58 -05:00
echo "::endgroup::"
2022-10-19 07:10:15 -04:00
2023-02-27 12:19:52 -05:00
- name : Upload OpenStack image
if : matrix.csp == 'openstack'
shell : bash
working-directory : ${{ github.workspace }}/image
run : |
echo "::group::Upload OpenStack image"
2023-05-23 10:22:29 -04:00
bazel run //image/upload -- image openstack \
2023-04-27 05:37:37 -04:00
--verbose \
2023-05-23 10:22:29 -04:00
--raw-image "${RAW_IMAGE_PATH}" \
--attestation-variant "${ATTESTATION_VARIANT}" \
2023-04-27 05:37:37 -04:00
--version "${SHORTNAME}" \
2023-05-23 10:22:29 -04:00
--out "${JSON_OUTPUT}"
echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
2023-02-27 12:19:52 -05:00
echo "::endgroup::"
2022-11-16 09:45:10 -05:00
- name : Upload QEMU image
2022-12-09 05:51:38 -05:00
if : matrix.csp == 'qemu'
2023-01-18 04:15:58 -05:00
shell : bash
2022-11-16 09:45:10 -05:00
working-directory : ${{ github.workspace }}/image
2023-01-18 04:15:58 -05:00
run : |
echo "::group::Upload QEMU image"
2023-05-23 10:22:29 -04:00
bazel run //image/upload -- image qemu \
2023-04-27 05:37:37 -04:00
--verbose \
2023-05-23 10:22:29 -04:00
--raw-image "${RAW_IMAGE_PATH}" \
--attestation-variant "${ATTESTATION_VARIANT}" \
2023-04-27 05:37:37 -04:00
--version "${SHORTNAME}" \
2023-05-23 10:22:29 -04:00
--out "${JSON_OUTPUT}"
echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
2023-01-18 04:15:58 -05:00
echo "::endgroup::"
2022-11-16 09:45:10 -05:00
- name : Upload image lookup table as artifact
2023-12-20 09:17:49 -05:00
uses : ./.github/actions/artifact_upload
2022-11-16 09:45:10 -05:00
with :
name : lookup-table
path : ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
2023-12-21 13:28:18 -05:00
encryptionSecret : ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
2022-11-16 09:45:10 -05:00
2022-10-18 10:23:00 -04:00
calculate-pcrs :
name : "Calculate PCRs"
2022-11-16 09:45:10 -05:00
needs : [ build-settings, make-os-image]
permissions :
id-token : write
contents : read
2022-10-18 10:23:00 -04:00
runs-on : ubuntu-22.04
strategy :
2022-11-03 10:22:51 -04:00
fail-fast : false
2022-10-18 10:23:00 -04:00
matrix :
2023-05-23 10:22:29 -04:00
include :
- csp : aws
attestation_variant : aws-nitro-tpm
2023-05-26 04:15:30 -04:00
- csp : aws
attestation_variant : aws-sev-snp
2023-05-23 10:22:29 -04:00
- csp : azure
attestation_variant : azure-sev-snp
- csp : gcp
attestation_variant : gcp-sev-es
- csp : gcp
attestation_variant : gcp-sev-snp
- csp : qemu
attestation_variant : qemu-vtpm
- csp : openstack
attestation_variant : qemu-vtpm
2022-10-18 10:23:00 -04:00
steps :
- name : Checkout repository
2023-12-20 10:10:35 -05:00
uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
2022-11-10 11:22:26 -05:00
with :
2023-01-02 06:25:17 -05:00
ref : ${{ inputs.ref || github.head_ref }}
2022-10-18 10:23:00 -04:00
- name : Download OS image artifact
2023-12-20 09:17:49 -05:00
uses : ./.github/actions/artifact_download
2022-10-18 10:23:00 -04:00
with :
2023-05-23 10:22:29 -04:00
name : image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
2023-12-21 13:28:18 -05:00
encryptionSecret : ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
2022-10-18 10:23:00 -04:00
2023-10-04 07:55:38 -04:00
- uses : ./.github/actions/setup_bazel_nix
with :
useCache : "false"
2022-10-18 10:23:00 -04:00
- name : Install dependencies
run : |
echo "::group::Install dependencies"
sudo apt-get update
sudo apt-get install -y systemd-container # for systemd-dissect
echo "::endgroup::"
- name : Calculate expected PCRs
2023-01-18 04:15:58 -05:00
working-directory : ${{ github.workspace }}/image/measured-boot
2022-10-18 10:23:00 -04:00
run : |
echo "::group::Calculate expected PCRs"
2023-09-18 07:55:46 -04:00
bazel run --run_under="sudo -E" //image/measured-boot/cmd ${{ github.workspace }}/constellation.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json >> "$GITHUB_STEP_SUMMARY"
2022-10-18 10:23:00 -04:00
echo "::endgroup::"
2023-02-09 07:33:17 -05:00
- name : Add static PCRs
run : |
case ${{ matrix.csp }} in
aws)
yq e '.csp = "AWS" |
2023-05-23 10:22:29 -04:00
.attestationVariant = "${{ matrix.attestation_variant }}" |
2023-02-09 07:33:17 -05:00
.measurements.0.warnOnly = true |
.measurements.0.expected = "737f767a12f54e70eecbc8684011323ae2fe2dd9f90785577969d7a2013e8c12" |
.measurements.2.warnOnly = true |
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.3.warnOnly = true |
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.4.warnOnly = false |
.measurements.6.warnOnly = true |
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
.measurements.14.warnOnly = true |
2023-09-18 07:55:46 -04:00
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
2023-02-09 07:33:17 -05:00
.measurements.15.warnOnly = false' \
2023-05-23 10:22:29 -04:00
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
2023-02-09 07:33:17 -05:00
;;
azure)
yq e '.csp = "Azure" |
2023-05-23 10:22:29 -04:00
.attestationVariant = "${{ matrix.attestation_variant }}" |
2023-02-09 07:33:17 -05:00
.measurements.1.warnOnly = true |
.measurements.1.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.2.warnOnly = true |
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.3.warnOnly = true |
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.4.warnOnly = false |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
.measurements.14.warnOnly = true |
2023-09-18 07:55:46 -04:00
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
2023-02-09 07:33:17 -05:00
.measurements.15.warnOnly = false' \
2023-05-23 10:22:29 -04:00
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
2023-02-09 07:33:17 -05:00
;;
gcp)
yq e '.csp = "GCP" |
2023-05-23 10:22:29 -04:00
.attestationVariant = "${{ matrix.attestation_variant }}" |
2023-02-09 07:33:17 -05:00
.measurements.1.warnOnly = true |
.measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" |
.measurements.2.warnOnly = true |
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.3.warnOnly = true |
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.4.warnOnly = false |
.measurements.6.warnOnly = true |
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
.measurements.14.warnOnly = true |
2023-09-18 07:55:46 -04:00
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
2023-02-09 07:33:17 -05:00
.measurements.15.warnOnly = false' \
2023-05-23 10:22:29 -04:00
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
2023-02-09 07:33:17 -05:00
;;
2023-02-27 12:19:52 -05:00
openstack)
yq e '.csp = "OpenStack" |
2023-05-23 10:22:29 -04:00
.attestationVariant = "${{ matrix.attestation_variant }}" |
2023-02-27 12:19:52 -05:00
.measurements.4.warnOnly = false |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
2023-09-18 07:55:46 -04:00
.measurements.14.warnOnly = true |
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
2023-02-27 12:19:52 -05:00
.measurements.15.warnOnly = false' \
2023-05-23 10:22:29 -04:00
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
2023-02-27 12:19:52 -05:00
;;
2023-02-09 07:33:17 -05:00
qemu)
yq e '.csp = "QEMU" |
2023-05-23 10:22:29 -04:00
.attestationVariant = "${{ matrix.attestation_variant }}" |
2023-02-09 07:33:17 -05:00
.measurements.4.warnOnly = false |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
2023-09-18 07:55:46 -04:00
.measurements.14.warnOnly = true |
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
2023-02-09 07:33:17 -05:00
.measurements.15.warnOnly = false' \
2023-05-23 10:22:29 -04:00
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
2023-02-09 07:33:17 -05:00
;;
*)
echo "Unknown CSP: ${{ matrix.csp }}"
exit 1
;;
esac
2023-07-13 05:37:47 -04:00
# TODO (malt3): Calculate PCR from firmware blob.
# AWS SNP machines have a different expected value for PCR 0.
if [[ ${{ matrix.attestation_variant }} = "aws-sev-snp" ]]
then
yq e '.csp = "AWS" |
.measurements.0.expected = "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"' \
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
fi
2023-05-23 10:22:29 -04:00
- name : Envelope measurements
shell : bash
run : |
echo "::group::Envelope measurements"
bazel run //image/upload -- measurements envelope \
--in "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
--out "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
--version "${{ needs.build-settings.outputs.imageNameShort }}" \
--csp "${{ matrix.csp }}" \
--attestation-variant "${{ matrix.attestation_variant }}"
echo "::endgroup::"
- name : Upload expected measurements as artifact
2023-12-22 07:01:57 -05:00
uses : actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
2022-10-18 10:23:00 -04:00
with :
2023-05-23 10:22:29 -04:00
name : measurements
path : pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
upload-pcrs :
name : "Sign & upload PCRs"
needs : [ build-settings, calculate-pcrs]
permissions :
id-token : write
contents : read
runs-on : ubuntu-22.04
steps :
- name : Checkout repository
2023-12-20 10:10:35 -05:00
uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
2023-05-23 10:22:29 -04:00
with :
ref : ${{ inputs.ref || github.head_ref }}
2023-10-17 07:26:07 -04:00
- uses : ./.github/actions/setup_bazel_nix
with :
useCache : "false"
2023-05-23 10:22:29 -04:00
- name : Download measurements
2023-12-22 07:01:57 -05:00
uses : actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
2023-05-23 10:22:29 -04:00
with :
name : measurements
- name : Login to AWS
2023-10-26 02:18:37 -04:00
uses : aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
2023-05-23 10:22:29 -04:00
with :
role-to-assume : arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region : eu-central-1
2022-10-18 10:23:00 -04:00
2023-02-09 07:33:17 -05:00
- name : Install Cosign
2023-07-03 02:19:10 -04:00
uses : sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
2023-02-09 07:33:17 -05:00
- name : Install Rekor
shell : bash
run : |
curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
rm rekor-cli-linux-amd64
2023-05-23 10:22:29 -04:00
- name : Merge measurements
shell : bash
run : |
echo "::group::Merge measurements"
bazel run //image/upload -- measurements merge \
--out measurements.json \
pcrs-*.json
echo "::endgroup::"
2023-02-09 07:33:17 -05:00
- name : Sign measurements
2023-06-06 04:32:22 -04:00
if : inputs.stream != 'debug'
2023-02-09 07:33:17 -05:00
shell : bash
env :
COSIGN_PUBLIC_KEY : ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY : ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD : ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
run : |
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
# Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY \
2023-05-23 10:22:29 -04:00
"${{ github.workspace }}/measurements.json" > "${{ github.workspace }}/measurements.json.sig"
2023-02-09 07:33:17 -05:00
# Verify - As documentation & check
# Local Signature (input: artifact, key, signature)
cosign verify-blob --key cosign.pub \
2023-05-23 10:22:29 -04:00
--signature "measurements.json.sig" \
"measurements.json"
2023-02-09 07:33:17 -05:00
# Transparency Log Signature (input: artifact, key)
2023-05-23 10:22:29 -04:00
uuid=$(rekor-cli search --artifact "${{ github.workspace }}/measurements.json" | tail -n 1)
2023-02-09 07:33:17 -05:00
sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
2023-05-23 10:22:29 -04:00
cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/measurements.json"
2023-02-09 07:33:17 -05:00
2023-06-06 04:32:22 -04:00
- name : Create stub signature file
if : inputs.stream == 'debug'
shell : bash
run : |
echo "THOSE MEASUREMENTS BELONG TO A DEBUG IMAGE. THOSE ARE NOT SINGED BY ANY KEY." > "${{ github.workspace }}/measurements.json.sig"
2023-05-23 10:22:29 -04:00
- name : Upload measurements
2022-11-16 09:45:10 -05:00
shell : bash
run : |
2023-05-23 10:22:29 -04:00
echo "::group::Upload measurements"
bazel run //image/upload -- measurements upload \
--measurements measurements.json \
--signature measurements.json.sig
echo "::endgroup::"
2022-11-16 09:45:10 -05:00
2023-10-17 08:04:41 -04:00
upload-sbom :
name : "Upload SBOM"
needs : [ build-settings, make-os-image]
permissions :
id-token : write
contents : read
runs-on : ubuntu-22.04
steps :
2023-12-21 13:28:18 -05:00
- uses : actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with :
ref : ${{ inputs.ref || github.head_ref }}
2023-10-17 08:04:41 -04:00
- name : Login to AWS
2023-10-26 02:18:37 -04:00
uses : aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
2023-10-17 08:04:41 -04:00
with :
role-to-assume : arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region : eu-central-1
- name : Download sbom
2023-12-20 09:17:49 -05:00
uses : ./.github/actions/artifact_download
2023-10-17 08:04:41 -04:00
with :
# downloading / using only the QEMU manifest is fine
# since the images only differ in the ESP partition
name : sbom-qemu-qemu-vtpm
2023-12-21 13:28:18 -05:00
encryptionSecret : ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
2023-10-17 08:04:41 -04:00
- name : Upload SBOMs to S3
shell : bash
run : |
aws s3 cp \
rpmdb.tar \
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
--no -progress
2023-02-24 06:00:04 -05:00
upload-artifacts :
name : "Upload image lookup table and CLI compatibility info"
2022-11-16 09:45:10 -05:00
runs-on : ubuntu-22.04
needs : [ build-settings, upload-os-image]
permissions :
id-token : write
contents : read
steps :
2023-05-23 10:22:29 -04:00
- name : Checkout repository
2023-12-20 10:10:35 -05:00
uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
2023-05-23 10:22:29 -04:00
with :
ref : ${{ inputs.ref || github.head_ref }}
2023-10-04 07:55:38 -04:00
- uses : ./.github/actions/setup_bazel_nix
with :
useCache : "false"
2022-11-16 09:45:10 -05:00
- name : Download image lookup table
2023-12-20 09:17:49 -05:00
uses : ./.github/actions/artifact_download
2022-11-16 09:45:10 -05:00
with :
name : lookup-table
2023-12-21 13:28:18 -05:00
encryptionSecret : ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
2022-11-16 09:45:10 -05:00
2022-12-09 05:51:38 -05:00
- name : Login to AWS
2023-10-26 02:18:37 -04:00
uses : aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
2022-12-09 05:51:38 -05:00
with :
role-to-assume : arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region : eu-central-1
2022-11-16 09:45:10 -05:00
- name : Upload lookup table to S3
shell : bash
2023-12-21 13:28:18 -05:00
run : bazel run //image/upload -- info --verbose image-upload*.json
2023-02-24 06:00:04 -05:00
- name : Create CLI compatibility information artifact
shell : bash
run : |
2023-09-29 04:22:08 -04:00
bazel run //hack/cli-k8s-compatibility -- \
2023-02-24 06:00:04 -05:00
--ref=${{ needs.build-settings.outputs.ref }} \
--stream=${{ needs.build-settings.outputs.stream }} \
--version=${{ needs.build-settings.outputs.imageVersion }} \
2023-03-10 04:21:58 -05:00
add-image-version-to-versionsapi :
2023-10-06 08:34:06 -04:00
needs : [ upload-artifacts, upload-pcrs, build-settings]
2023-03-10 04:21:58 -05:00
name : "Add image version to versionsapi"
2023-01-04 11:07:16 -05:00
if : needs.build-settings.outputs.ref != '-'
2023-01-30 10:11:27 -05:00
permissions :
contents : read
id-token : write
2023-01-04 11:07:16 -05:00
uses : ./.github/workflows/versionsapi.yml
with :
command : add
ref : ${{ needs.build-settings.outputs.ref }}
2023-01-16 07:56:06 -05:00
stream : ${{ needs.build-settings.outputs.stream }}
2023-01-04 11:07:16 -05:00
version : ${{ needs.build-settings.outputs.imageVersion }}
2023-03-10 04:21:58 -05:00
kind : "image"
add_latest : true
add-cli-version-to-versionsapi :
2023-04-13 11:44:23 -04:00
needs : [ upload-artifacts, build-settings, add-image-version-to-versionsapi]
2023-03-10 04:21:58 -05:00
name : "Add CLI version to versionsapi"
if : needs.build-settings.outputs.ref != '-'
permissions :
contents : read
id-token : write
uses : ./.github/workflows/versionsapi.yml
with :
command : add
ref : ${{ needs.build-settings.outputs.ref }}
stream : ${{ needs.build-settings.outputs.stream }}
version : ${{ needs.build-settings.outputs.imageVersion }}
kind : "cli"
2023-01-04 11:07:16 -05:00
add_latest : true
