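name: Build and Upload OS image
on:
  # Manual trigger: `stream` is restricted to the choice list below.
  workflow_dispatch:
    inputs:
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        type: string
        required: false
      isRelease:
        description: 'Is this a release? (sets "ref" to special value "-")'
        type: boolean
        required: false
        default: false
      stream:
        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
        type: choice
        required: true
        options:
          - "debug"
          - "console"
          - "nightly"
          - "stable"
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
  # Reusable-workflow trigger: `stream` is a free-form string here, so the
  # caller is expected to pass one of the same four values listed above
  # (the build-settings job rejects anything else).
  workflow_call:
    inputs:
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        required: false
        type: string
      isRelease:
        description: 'Is this a release? (sets "ref" to special value "-")'
        type: boolean
        required: false
        default: false
      stream:
        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
        type: string
        required: true
      ref:
        type: string
        description: "Git ref to checkout"
        required: false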
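# Job graph: build-dependencies and build-settings run first; make-os-image
# (one matrix leg per CSP) needs both; upload-os-image, calculate-pcrs and
# generate-sbom consume its artifacts and outputs.
jobs: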
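build-dependencies:
  name: "Build binaries for embedding in the OS"
  runs-on: ubuntu-22.04
  # Least privilege: this job only reads the repository and pulls packages.
  permissions:
    contents: read
    packages: read
  outputs:
    bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }}
    # Only set for the debug stream, where debugd replaces the bootstrapper.
    debugd-sha256: ${{ steps.collect-hashes.outputs.debugd-sha256 }}
    disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }}
    upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }}
  steps:
    - name: Checkout
      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      with:
        ref: ${{ inputs.ref || github.head_ref }}

    # Exactly one of bootstrapper / debugd is built, selected by the stream.
    - name: Build bootstrapper
      if: inputs.stream != 'debug'
      uses: ./.github/actions/build_bootstrapper
      with:
        outputPath: ${{ github.workspace }}/build/bootstrapper

    - name: Build debugd
      if: inputs.stream == 'debug'
      uses: ./.github/actions/build_debugd
      with:
        outputPath: ${{ github.workspace }}/build/debugd

    - name: Build disk-mapper
      uses: ./.github/actions/build_disk_mapper
      with:
        outputPath: ${{ github.workspace }}/build/disk-mapper

    - name: Build upgrade-agent
      uses: ./.github/actions/build_upgrade_agent
      with:
        outputPath: ${{ github.workspace }}/build/upgrade-agent

    - name: Upload dependencies
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      env:
        MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }}
      with:
        name: dependencies
        path: |
          ${{ github.workspace }}/build/${{ env.MAIN_BINARY }}
          ${{ github.workspace }}/build/disk-mapper
          ${{ github.workspace }}/build/upgrade-agent

    - name: Collect hashes
      id: collect-hashes
      shell: bash
      working-directory: ${{ github.workspace }}/build
      env:
        MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }}
      run: |
        # Hash only the binaries that were actually built. Hashing a file that
        # does not exist (bootstrapper in the debug stream) would silently
        # produce an empty value, which then ends up in the combined SHA256SUMS.
        # The assignment form makes a failed sha256sum fail the step under `bash -e`.
        for bin in "${MAIN_BINARY}" disk-mapper upgrade-agent; do
          sum="$(sha256sum "${bin}" | cut -d ' ' -f 1)"
          echo "${bin}-sha256=${sum}" >> "$GITHUB_OUTPUT"
        done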
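build-settings:
  name: "Determine build settings"
  runs-on: ubuntu-22.04
  # This job only derives strings from inputs; no write access is needed.
  permissions:
    contents: read
  outputs:
    ref: ${{ steps.ref.outputs.ref }}
    stream: ${{ steps.stream.outputs.stream }}
    imageType: ${{ steps.image-type.outputs.imageType }}
    pkiSet: ${{ steps.pki-set.outputs.pkiSet }}
    imageVersion: ${{ steps.image-version.outputs.imageVersion }}
    imageName: ${{ steps.image-version.outputs.imageName }}
    imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
    imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
  steps:
    - name: Checkout
      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      with:
        ref: ${{ inputs.ref || github.head_ref }}

    - name: Determine version
      id: version
      uses: ./.github/actions/pseudo_version

    # Inputs and step outputs are passed through `env:` rather than expanded
    # inline in the script: branch names and caller-supplied strings would
    # otherwise be spliced into the shell source before it runs.
    - name: Determine ref
      id: ref
      shell: bash
      env:
        IS_RELEASE: ${{ inputs.isRelease }}
        BRANCH_NAME: ${{ steps.version.outputs.branchName }}
      run: |
        # Releases use the special ref "-" (see the isRelease input description).
        if [[ "${IS_RELEASE}" == "true" ]]; then
          echo "ref=-" >> "$GITHUB_OUTPUT"
        else
          echo "ref=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
        fi

    - name: Determine and validate stream
      id: stream
      shell: bash
      env:
        IS_RELEASE: ${{ inputs.isRelease }}
        STREAM: ${{ inputs.stream }}
      run: |
        # workflow_dispatch limits `stream` to a choice list, but workflow_call
        # accepts any string; the value ends up in artifact names, S3 keys and
        # build flags, so restrict it to the documented set here as well.
        case "${STREAM}" in
          debug|console|nightly|stable) ;;
          *)
            echo "Unknown stream '${STREAM}' (expected one of: debug, console, nightly, stable)"
            exit 1
            ;;
        esac
        if [[ "${IS_RELEASE}" == "true" ]] && [[ "${STREAM}" == "nightly" ]]; then
          echo "Nightly builds are not allowed for releases"
          exit 1
        fi
        if [[ "${IS_RELEASE}" != "true" ]] && [[ "${STREAM}" == "stable" ]]; then
          echo "Stable builds are only allowed for releases"
          exit 1
        fi
        echo "stream=${STREAM}" >> "$GITHUB_OUTPUT"

    - name: Determine type of image build
      shell: bash
      id: image-type
      env:
        STREAM: ${{ steps.stream.outputs.stream }}
      run: |
        # nightly and stable both build the default image type.
        case "${STREAM}" in
          "debug")
            echo "imageType=debug" >> "$GITHUB_OUTPUT"
            ;;
          "console")
            echo "imageType=console" >> "$GITHUB_OUTPUT"
            ;;
          *)
            echo "imageType=default" >> "$GITHUB_OUTPUT"
            ;;
        esac

    - name: Determine PKI set
      id: pki-set
      shell: bash
      env:
        IS_RELEASE: ${{ inputs.isRelease }}
        STREAM: ${{ steps.stream.outputs.stream }}
      run: |
        # Only stable release builds are signed with the production secure boot keys.
        if [[ "${IS_RELEASE}" == "true" ]] && [[ "${STREAM}" == "stable" ]]; then
          echo "pkiSet=pki_prod" >> "$GITHUB_OUTPUT"
        else
          echo "pkiSet=pki_testing" >> "$GITHUB_OUTPUT"
        fi

    - name: Determine image version
      id: image-version
      shell: bash
      env:
        REF: ${{ steps.ref.outputs.ref }}
        STREAM: ${{ steps.stream.outputs.stream }}
        # Explicit version for releases, otherwise the pseudo version from git.
        IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.pseudoVersion }}
      run: |
        {
          echo "imageVersion=${IMAGE_VERSION}"
          echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
          echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
        } >> "$GITHUB_OUTPUT"
        # Short name drops the components that are implied for releases.
        if [[ "${REF}" == "-" ]] && [[ "${STREAM}" == "stable" ]]; then
          echo "imageNameShort=${IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
        elif [[ "${REF}" == "-" ]]; then
          echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
        else
          echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
        fi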
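make-os-image:
  name: "Build OS using mkosi"
  needs: [build-settings, build-dependencies]
  runs-on: ubuntu-22.04
  # Builds and signs locally; nothing here needs write access to the repo.
  permissions:
    contents: read
  # TODO: flatten outputs once possible
  # https://github.com/community/community/discussions/17245
  outputs:
    image-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-sha256 }}
    image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }}
    image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }}
    image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }}
    image-efi-aws-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-sha256 }}
    image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }}
    image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }}
    image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }}
    image-initrd-aws-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-sha256 }}
    image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }}
    image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }}
    image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }}
    image-root-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-sha256 }}
    image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }}
    image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }}
    image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }}
    image-root-verity-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-sha256 }}
    image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }}
    image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }}
    image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }}
    image-vmlinuz-aws-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-sha256 }}
    image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }}
    image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }}
    image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }}
    image-raw-changelog-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-sha256 }}
    image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }}
    image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }}
    image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }}
    image-raw-manifest-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-sha256 }}
    image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }}
    image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }}
    image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }}
  strategy:
    fail-fast: false
    matrix:
      csp: [aws, azure, gcp, qemu]
  steps:
    - name: Checkout
      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      with:
        ref: ${{ inputs.ref || github.head_ref }}

    - name: Download build dependencies
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
      with:
        name: dependencies
        path: ${{ github.workspace }}/build

    - name: Mark bootstrapper, debugd, disk-mapper, and upgrade-agent as executable
      shell: bash
      working-directory: ${{ github.workspace }}/build
      run: |
        # Only one of bootstrapper / debugd is present (selected by the stream
        # in build-dependencies), so a missing file is not an error here.
        chmod +x bootstrapper || true
        chmod +x debugd || true
        chmod +x disk-mapper
        chmod +x upgrade-agent

    - name: Setup mkosi
      uses: ./.github/actions/setup_mkosi
      with:
        version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3

    - name: Prepare PKI for secure boot signing
      id: prepare-pki
      shell: bash
      working-directory: ${{ github.workspace }}/image
      env:
        PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
        # `&&`/`||` return operand values: if the release secret is unset, this
        # expression silently falls back to the testing key, hence the emptiness
        # check below (an empty key would otherwise be written and signing would
        # fail later with a less obvious error).
        DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
      run: |
        if [[ -z "${DB_KEY}" ]]; then
          echo "Secure boot db key for PKI set '${PKI_SET}' is empty"
          exit 1
        fi
        # The signing key only ever lives in the ephemeral runner workspace;
        # create it owner-readable only. The build runs under sudo and can read it.
        umask 077
        echo "${DB_KEY}" > "${PKI_SET}/db.key"
        ln -s "${PKI_SET}" pki

    - name: Build
      shell: bash
      working-directory: ${{ github.workspace }}/image
      env:
        BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
        # The debug stream skips the bootstrapper build and uploads build/debugd
        # instead (see build-dependencies), so this must point at that file;
        # build/bootstrapper does not exist in a debug build. Confirm the
        # variable name against image/Makefile.
        DEBUGD_BINARY: ${{ github.workspace }}/build/debugd
        DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
        UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent
        DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }}
        # Serial-console autologin is enabled for console and debug images only.
        AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }}
        IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
        CSP: ${{ matrix.csp }}
      run: |
        echo "::group::Build"
        sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}"
        echo "::endgroup::"

    - name: Collect hashes
      id: collect-hashes
      shell: bash
      continue-on-error: true
      working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37
      env:
        CSP: ${{ matrix.csp }}
      run: |
        # Output keys must match the job-level `outputs` map above.
        {
          echo "image-raw-${CSP}-sha256=$(sha256sum image.raw | cut -d ' ' -f 1)"
          echo "image-efi-${CSP}-sha256=$(sha256sum image.efi | cut -d ' ' -f 1)"
          echo "image-initrd-${CSP}-sha256=$(sha256sum image.initrd | cut -d ' ' -f 1)"
          echo "image-root-raw-${CSP}-sha256=$(sha256sum image.root.raw | cut -d ' ' -f 1)"
          echo "image-root-verity-${CSP}-sha256=$(sha256sum image.root.verity | cut -d ' ' -f 1)"
          echo "image-vmlinuz-${CSP}-sha256=$(sha256sum image.vmlinuz | cut -d ' ' -f 1)"
          echo "image-raw-changelog-${CSP}-sha256=$(sha256sum image.raw.changelog | cut -d ' ' -f 1)"
          echo "image-raw-manifest-${CSP}-sha256=$(sha256sum image.raw.manifest | cut -d ' ' -f 1)"
        } >> "$GITHUB_OUTPUT"

    # The upload steps run even after a failed build so partial output can be
    # inspected; they never fail the job themselves.
    - name: Upload raw OS image as artifact
      if: always()
      continue-on-error: true
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: image-${{ matrix.csp }}
        path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw

    - name: Upload individual OS parts as artifacts
      if: always()
      continue-on-error: true
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: parts-${{ matrix.csp }}
        path: |
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.cmdline
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.efi
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.initrd
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.raw
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.roothash
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.verity
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz

    - name: Upload manifest as artifact
      if: always()
      continue-on-error: true
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: manifest-${{ matrix.csp }}
        path: |
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.changelog
          ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.manifest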
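upload-os-image:
  name: "Upload OS image to CSP"
  needs: [build-settings, make-os-image]
  runs-on: ubuntu-22.04
  # id-token: write is required for OIDC federation into AWS / GCP below.
  permissions:
    id-token: write
    contents: read
  strategy:
    fail-fast: false
    matrix:
      csp: [aws, azure, gcp, qemu]
      upload-variant: [""]
      include:
        - csp: azure
          upload-variant: TrustedLaunch
  steps:
    - name: Checkout
      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      with:
        ref: ${{ inputs.ref || github.head_ref }}

    - name: Download OS image artifact
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
      with:
        name: image-${{ matrix.csp }}
        path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37

    - name: Configure input variables
      id: vars
      uses: ./.github/actions/os_build_variables
      with:
        csp: ${{ matrix.csp }}
        uploadVariant: ${{ matrix.upload-variant }}
        basePath: ${{ github.workspace }}/image
        ref: ${{ needs.build-settings.outputs.ref }}
        stream: ${{ needs.build-settings.outputs.stream }}
        imageVersion: ${{ needs.build-settings.outputs.imageVersion }}
        imageType: ${{ needs.build-settings.outputs.imageType }}
        debug: ${{ needs.build-settings.outputs.imageType == 'debug' }}

    - name: Install tools
      shell: bash
      run: |
        echo "::group::Install tools"
        sudo apt-get update
        sudo apt-get install -y \
          pigz \
          qemu-utils \
          python3-crc32c
        echo "::endgroup::"

    - name: Login to AWS
      # on AWS, login is required to upload the image as AMI
      # on Azure, login is done to download the VMGS from S3
      # on QEMU, login is done to upload the image to S3
      if: matrix.csp == 'aws' || matrix.csp == 'azure' || matrix.csp == 'qemu'
      uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
        aws-region: eu-central-1

    - name: Login to Azure
      if: matrix.csp == 'azure'
      uses: ./.github/actions/login_azure
      with:
        azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}

    - name: Login to GCP
      if: matrix.csp == 'gcp'
      uses: ./.github/actions/login_gcp
      with:
        service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"

    - name: Prepare PKI for image upload
      id: prepare-pki
      shell: bash
      working-directory: ${{ github.workspace }}/image
      env:
        PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
      run: |
        ln -s "${PKI_SET}" pki

    - name: Download VMGS blob
      # Reads the step output directly instead of `env.AZURE_SECURITY_TYPE`, so
      # the condition does not depend on step-level env being visible in `if`.
      # Presumably the *Supported security types carry no VMGS blob — confirm.
      if: matrix.csp == 'azure' && !endsWith(steps.vars.outputs.azureSecurityType, 'Supported')
      shell: bash
      working-directory: ${{ github.workspace }}/image
      env:
        PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
        AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
        AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
      run: |
        aws s3 cp \
          --region "${AZURE_VMGS_REGION}" \
          "s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
          "${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
          --no-progress

    - name: Upload AWS image
      if: matrix.csp == 'aws'
      shell: bash
      working-directory: ${{ github.workspace }}/image
      env:
        PKI: ${{ github.workspace }}/image/pki
        AWS_JSON_OUTPUT: ${{ steps.vars.outputs.awsJsonOutput }}
        AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }}
        AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }}
        AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }}
        AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }}
        AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }}
        AWS_REGION: ${{ steps.vars.outputs.awsRegion }}
        AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }}
        AWS_PUBLISH: ${{ steps.vars.outputs.awsPublish }}
      run: |
        echo "::group::Upload AWS image"
        secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
        upload/upload_aws.sh
        echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${AWS_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
        echo "::endgroup::"

    - name: Upload GCP image
      if: matrix.csp == 'gcp'
      shell: bash
      working-directory: ${{ github.workspace }}/image
      env:
        PKI: ${{ github.workspace }}/image/pki
        GCP_JSON_OUTPUT: ${{ steps.vars.outputs.gcpJsonOutput }}
        GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }}
        GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }}
        GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }}
        GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }}
        GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }}
        GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }}
        GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }}
        GCP_REGION: ${{ steps.vars.outputs.gcpRegion }}
      run: |
        echo "::group::Upload GCP image"
        upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
        upload/upload_gcp.sh
        echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${GCP_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
        echo "::endgroup::"

    - name: Upload Azure image
      if: matrix.csp == 'azure'
      shell: bash
      working-directory: ${{ github.workspace }}/image
      env:
        PKI: ${{ github.workspace }}/image/pki
        AZURE_JSON_OUTPUT: ${{ steps.vars.outputs.azureJsonOutput }}
        AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }}
        AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }}
        AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }}
        AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }}
        AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }}
        AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }}
        AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }}
        AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }}
        AZURE_REGION: ${{ steps.vars.outputs.azureRegion }}
        AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }}
        AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
        AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }}
        AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
        AZURE_SKU: ${{ steps.vars.outputs.azureSku }}
        AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }}
      run: |
        echo "::group::Upload Azure image"
        upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
        upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
        echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
        echo "::endgroup::"

    - name: Upload QEMU image
      if: matrix.csp == 'qemu'
      shell: bash
      working-directory: ${{ github.workspace }}/image
      env:
        QEMU_JSON_OUTPUT: ${{ steps.vars.outputs.qemuJsonOutput }}
        QEMU_BUCKET: ${{ steps.vars.outputs.qemuBucket }}
        QEMU_BASE_URL: ${{ steps.vars.outputs.qemuBaseUrl }}
        QEMU_IMAGE_PATH: ${{ steps.vars.outputs.qemuImagePath }}
        REF: ${{ needs.build-settings.outputs.ref }}
        STREAM: ${{ needs.build-settings.outputs.stream }}
        IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
      run: |
        echo "::group::Upload QEMU image"
        upload/upload_qemu.sh
        echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${QEMU_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
        echo "::endgroup::"

    - name: Upload image lookup table as artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: lookup-table
        path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json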
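calculate-pcrs:
  name: "Calculate PCRs"
  needs: [build-settings, make-os-image]
  # id-token: write is required for the OIDC login to AWS below.
  permissions:
    id-token: write
    contents: read
  runs-on: ubuntu-22.04
  strategy:
    fail-fast: false
    matrix:
      csp: [aws, azure, gcp, qemu]
  steps:
    - name: Checkout repository
      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      with:
        ref: ${{ inputs.ref || github.head_ref }}

    - name: Login to AWS
      uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
        aws-region: eu-central-1

    # No `path`, so image.raw lands in the workspace root.
    - name: Download OS image artifact
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
      with:
        name: image-${{ matrix.csp }}

    - name: Install dependencies
      shell: bash
      run: |
        echo "::group::Install dependencies"
        # Python deps are hash-pinned via the requirements file.
        python -m pip install --user --require-hashes -r .github/workflows/build-os-image-requirements.txt
        sudo apt-get update
        sudo apt-get install -y systemd-container # for systemd-dissect
        echo "::endgroup::"

    - name: Calculate expected PCRs
      shell: bash
      working-directory: ${{ github.workspace }}/image/measured-boot
      env:
        WORKSPACE: ${{ github.workspace }}
        CSP: ${{ matrix.csp }}
      run: |
        echo "::group::Calculate expected PCRs"
        # The precalculate scripts print a summary on stdout, collected here.
        {
          ./precalculate_pcr_4.sh "${WORKSPACE}/image.raw" "${WORKSPACE}/pcr-4-${CSP}.json"
          ./precalculate_pcr_9.sh "${WORKSPACE}/image.raw" "${WORKSPACE}/pcr-9-${CSP}.json"
          ./precalculate_pcr_12.sh "${WORKSPACE}/image.raw" "${WORKSPACE}/pcr-12-${CSP}.json" "${CSP}"
        } >> "$GITHUB_STEP_SUMMARY"
        cp pcr-stable.json "${WORKSPACE}/"
        # Merges exactly the four pcr-*.json files produced above (4, 9, 12, stable);
        # the jq program must be extended if another PCR file is added.
        jq -sSc '.[0] * .[1] * .[2] * .[3]' "${WORKSPACE}"/pcr-* > "${WORKSPACE}/pcrs-${CSP}.json"
        echo "::endgroup::"

    - name: Upload expected PCRs as artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: pcrs
        path: pcrs-${{ matrix.csp }}.json

    - name: Upload expected PCRs to S3
      shell: bash
      env:
        CSP: ${{ matrix.csp }}
        # Object key is derived from the validated ref/stream/version.
        IMAGE_API_BASE_PATH: ${{ needs.build-settings.outputs.imageApiBasePath }}
      run: |
        aws s3 cp \
          "pcrs-${CSP}.json" \
          "s3://cdn-constellation-backend/${IMAGE_API_BASE_PATH}/csp/${CSP}/measurements.image.json" \
          --no-progress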
generate-sbom :
name : "Generate SBOM"
needs : [ build-settings, build-dependencies, make-os-image]
permissions :
id-token : write
contents : read
runs-on : ubuntu-22.04
steps :
- name : Login to AWS
uses : aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
with :
role-to-assume : arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region : eu-central-1
- name : Install squashfs tools
run : |
echo "::group::Install squashfs tools"
sudo apt-get update
sudo apt-get install -y squashfs-tools
echo "::endgroup::"
- name : Download rootfs
uses : actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with :
# downloading / using only the QEMU rootfs is fine
# since the images only differ in the ESP partition
name : parts-qemu
- name : Download manifest
uses : actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with :
# downloading / using only the QEMU manifest is fine
# since the images only differ in the ESP partition
name : manifest-qemu
- name : Unpack squashfs
run : |
echo "::group::Unpack squashfs"
unsquashfs -user-xattrs -d image.root.tree image.root.raw
echo "::endgroup::"
- name : Create SBOM in SPDX fromat
uses : anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
with :
path : image.root.tree
artifact-name : sbom.spdx.json
output-file : sbom.spdx.json
format : spdx-json
- name : Create SBOM in CycloneDX fromat
uses : anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
2022-10-19 07:10:15 -04:00
with :
path : image.root.tree
artifact-name : sbom.cyclonedx.json
2022-11-16 09:45:10 -05:00
output-file : sbom.cyclonedx.json
2022-10-19 07:10:15 -04:00
format : cyclonedx-json
2023-01-18 04:15:58 -05:00
- name : Create SBOM in Syft fromat
2023-01-27 10:12:26 -05:00
uses : anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
2022-10-19 07:10:15 -04:00
with :
path : image.root.tree
artifact-name : sbom.syft.json
2022-11-16 09:45:10 -05:00
output-file : sbom.syft.json
2022-10-19 07:10:15 -04:00
format : syft-json
2022-10-01 18:48:06 -04:00
- name : Combine hashes
run : |
cat > SHA256SUMS <<EOF
${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
2022-12-29 11:50:11 -05:00
${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent
2022-10-17 11:39:49 -04:00
${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-aws-sha256 }} aws/image.efi
${{ needs.make-os-image.outputs.image-initrd-aws-sha256 }} aws/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-aws-sha256 }} aws/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-aws-sha256 }} aws/image.vmlinuz
2022-10-01 18:48:06 -04:00
${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-azure-sha256 }} azure/image.efi
${{ needs.make-os-image.outputs.image-initrd-azure-sha256 }} azure/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-azure-sha256 }} azure/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-azure-sha256 }} azure/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-azure-sha256 }} azure/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-gcp-sha256 }} gcp/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-gcp-sha256 }} gcp/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-gcp-sha256 }} gcp/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-gcp-sha256 }} gcp/image.efi
${{ needs.make-os-image.outputs.image-initrd-gcp-sha256 }} gcp/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-gcp-sha256 }} gcp/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-gcp-sha256 }} gcp/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-gcp-sha256 }} gcp/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-qemu-sha256 }} qemu/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-qemu-sha256 }} qemu/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-qemu-sha256 }} qemu/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-qemu-sha256 }} qemu/image.efi
${{ needs.make-os-image.outputs.image-initrd-qemu-sha256 }} qemu/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-qemu-sha256 }} qemu/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-qemu-sha256 }} qemu/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz
EOF
cat SHA256SUMS
2022-11-11 08:49:16 -05:00
echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> "$GITHUB_STEP_SUMMARY"
2022-11-16 09:45:10 -05:00
- name : Upload SBOMs to S3
shell : bash
run : |
sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json'
manifests='image.raw.manifest image.raw.changelog'
hashes='SHA256SUMS'
for file in ${sboms} ${manifests} ${hashes}; do
aws s3 cp \
"${file}" \
2022-12-09 05:51:38 -05:00
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
2022-11-16 09:45:10 -05:00
--no -progress
done
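upload-image-lookup-table:
  name: "Upload image lookup table"
  runs-on: ubuntu-22.04
  needs: [build-settings, upload-os-image]
  permissions:
    # id-token: write is needed only for the OIDC-based AWS login below.
    id-token: write
    contents: read
  steps:
    - name: Download image lookup table
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
      with:
        name: lookup-table

    - name: Login to AWS
      uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
        aws-region: eu-central-1

    - name: Combine lookup tables for CSPs
      shell: bash
      env:
        # Build settings are passed as environment variables and bound with
        # `jq --arg`, so quotes or backslashes in them can neither break the
        # shell command nor change the jq program.
        IMAGE_REF: ${{ needs.build-settings.outputs.ref }}
        IMAGE_STREAM: ${{ needs.build-settings.outputs.stream }}
        IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
      run: |
        # Seed the table with ref, stream and version from the build settings.
        jq -n \
          --arg ref "${IMAGE_REF}" \
          --arg stream "${IMAGE_STREAM}" \
          --arg version "${IMAGE_VERSION}" \
          '{ref: $ref, stream: $stream, version: $version}' > lookup-table.json
        cp lookup-table.json intermediate.json

        # Merge every per-CSP upload result into the table (later files win
        # on conflicting keys). A non-matching glob makes jq fail on the
        # literal pattern, which is intended: a table without CSP data must
        # not be uploaded.
        for lut in mkosi.output.*/*/image-upload*.json; do
          jq -scS '.[0] * .[1]' intermediate.json "${lut}" > lookup-table.json
          cp lookup-table.json intermediate.json
        done

        rm -f intermediate.json

    - name: Upload lookup table to S3
      shell: bash
      env:
        IMAGE_API_BASE_PATH: ${{ needs.build-settings.outputs.imageApiBasePath }}
        IMAGE_NAME_SHORT: ${{ needs.build-settings.outputs.imageNameShort }}
      run: |
        aws s3 cp \
          "lookup-table.json" \
          "s3://cdn-constellation-backend/${IMAGE_API_BASE_PATH}/info.json" \
          --no-progress
        {
          echo -e "Image version ([Lookup table](https://cdn.confidential.cloud/${IMAGE_API_BASE_PATH}/info.json)):"
          echo
          echo -e "\`\`\`"
          echo "${IMAGE_NAME_SHORT}"
          echo -e "\`\`\`"
        } >> "$GITHUB_STEP_SUMMARY"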
add-version-to-versionsapi:
  name: "Add version to versionsapi"
  needs: [upload-image-lookup-table, build-settings]
  # Release builds set ref to the sentinel "-" and are skipped here.
  if: needs.build-settings.outputs.ref != '-'
  permissions:
    contents: read
    id-token: write
  uses: ./.github/workflows/versionsapi.yml
  with:
    command: add
    ref: ${{ needs.build-settings.outputs.ref }}
    stream: ${{ needs.build-settings.outputs.stream }}
    version: ${{ needs.build-settings.outputs.imageVersion }}
    add_latest: true