constellation/.github/actions/build_cli/action.yml

name: build
description: |
  Runs cmake & default make target in build folder. Additionally, Sigstore tools
  are used to sign CLI and publish a release when run on v* tag.
inputs:
  cosign-public-key:
    description: 'Cosign public key'
    required: false
    default: ''
  cosign-private-key:
    description: 'Cosign private key'
    required: false
    default: ''
  cosign-password:
    description: 'Password for Cosign private key'
    required: false
    default: ''
runs:
  using: "composite"
  steps:
    - name: Install build dependencies
      run: |
        sudo apt-get update
        sudo apt-get install \
          build-essential cmake \
          -y
      shell: bash

    # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
    # once it has the functionality
    - name: Install Cosign
      uses: sigstore/cosign-installer@main
    - name: Install Rekor
      run: |
        curl -LO https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64
        sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
      shell: bash

    # https://github.blog/2022-04-12-git-security-vulnerability-announced/
    - name: Mark repository safe
      run: |
        git config --global --add safe.directory /__w/constellation/constellation
      shell: bash

    - name: Install Go
      uses: actions/setup-go@v3
      with:
        go-version: "1.18"
    - name: Build hack/pcr-reader
      run: |
        go build .
        echo "$(pwd)" >> $GITHUB_PATH
        export PATH="$PATH:$(pwd)"
      working-directory: hack/pcr-reader
      shell: bash

    - name: Build CLI
      run: |
        GIT_TAG=$(git describe --tags --always --dirty --abbrev=0)
        mkdir build
        cd build
        cmake -DCLI_VERSION:STRING=${GIT_TAG} ..
        make -j`nproc` cli
        echo "$(pwd)" >> $GITHUB_PATH
        export PATH="$PATH:$(pwd)"
      shell: bash

    - name: Sign CLI
      run: |
        set -e
        set -o pipefail
        echo "$COSIGN_PUBLIC_KEY" > cosign.pub
        # Enabling experimental mode also publishes signature to Rekor
        COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig
        # Verify - As documentation & check
        # Local Signature (input: artifact, key, signature)
        cosign verify-blob --key cosign.pub --signature constellation.sig constellation
        # Transparency Log Signature (input: artifact, key)
        uuid=$(rekor-cli search --artifact constellation | tail -n 1)
        sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
        cosign verify-blob --key cosign.pub --signature <(echo $sig) constellation
      shell: bash
      working-directory: build
      env:
        COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosign-private-key }}
        COSIGN_PASSWORD: ${{ inputs.cosign-password }}
      if: ${{ inputs.cosign-public-key != '' && inputs.cosign-private-key != '' && inputs.cosign-password != '' }}

    - name: Release CLI
      # GitHub endorsed release project. See: https://github.com/actions/create-release
      uses: softprops/action-gh-release@v1
      if: startsWith(github.ref, 'refs/tags/v')
      with:
        draft: true
        files: |
          build/constellation
          build/constellation.sig
          build/cosign.pub
e2e test github action implementation. (#100) e2e test implementation with GitHub actions on GCP 2022-05-03 09:15:53 +00:00			`name: build`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00			`description: \|`
			`Runs cmake & default make target in build folder. Additionally, Sigstore tools`
			`are used to sign CLI and publish a release when run on v* tag.`
			`inputs:`
			`cosign-public-key:`
			`description: 'Cosign public key'`
make signing keys optional in build step, since e2e test does not require signing (#254) * make signing keys optional in build step, since e2e test does not require signing 2022-07-07 10:18:41 +00:00			`required: false`
			`default: ''`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00			`cosign-private-key:`
			`description: 'Cosign private key'`
make signing keys optional in build step, since e2e test does not require signing (#254) * make signing keys optional in build step, since e2e test does not require signing 2022-07-07 10:18:41 +00:00			`required: false`
			`default: ''`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00			`cosign-password:`
			`description: 'Password for Cosign private key'`
make signing keys optional in build step, since e2e test does not require signing (#254) * make signing keys optional in build step, since e2e test does not require signing 2022-07-07 10:18:41 +00:00			`required: false`
			`default: ''`
e2e test github action implementation. (#100) e2e test implementation with GitHub actions on GCP 2022-05-03 09:15:53 +00:00			`runs:`
Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			`using: "composite"`
e2e test github action implementation. (#100) e2e test implementation with GitHub actions on GCP 2022-05-03 09:15:53 +00:00			`steps:`
Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			`- name: Install build dependencies`
			`run: \|`
			`sudo apt-get update`
			`sudo apt-get install \`
			`build-essential cmake \`
			`-y`
			`shell: bash`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00
			`# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial`
			`# once it has the functionality`
			`- name: Install Cosign`
			`uses: sigstore/cosign-installer@main`
			`- name: Install Rekor`
			`run: \|`
			`curl -LO https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64`
			`sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli`
			`shell: bash`

Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			`# https://github.blog/2022-04-12-git-security-vulnerability-announced/`
			`- name: Mark repository safe`
			`run: \|`
			`git config --global --add safe.directory /__w/constellation/constellation`
			`shell: bash`
fix: buildvcs unable to fetch vcs information (#228) 2022-06-23 15:52:25 +00:00
Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			`- name: Install Go`
			`uses: actions/setup-go@v3`
			`with:`
			`go-version: "1.18"`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00			`- name: Build hack/pcr-reader`
			`run: \|`
			`go build .`
			`echo "$(pwd)" >> $GITHUB_PATH`
			`export PATH="$PATH:$(pwd)"`
			`working-directory: hack/pcr-reader`
			`shell: bash`

Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			`- name: Build CLI`
			`run: \|`
Ref/prepare changelog for v1.3.1 (#263) * prepare changelog. * document lb fix * set release version for cli Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: 3u13r <lc@edgeless.systems> 2022-07-11 13:19:56 +00:00			`GIT_TAG=$(git describe --tags --always --dirty --abbrev=0)`
Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			`mkdir build`
			`cd build`
Ref/prepare changelog for v1.3.1 (#263) * prepare changelog. * document lb fix * set release version for cli Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: 3u13r <lc@edgeless.systems> 2022-07-11 13:19:56 +00:00			`cmake -DCLI_VERSION:STRING=${GIT_TAG} ..`
Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			make -j`nproc` cli
			`echo "$(pwd)" >> $GITHUB_PATH`
			`export PATH="$PATH:$(pwd)"`
			`shell: bash`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00
			`- name: Sign CLI`
Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			`run: \|`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00			`set -e`
			`set -o pipefail`
			`echo "$COSIGN_PUBLIC_KEY" > cosign.pub`
			`# Enabling experimental mode also publishes signature to Rekor`
			`COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig`
			`# Verify - As documentation & check`
			`# Local Signature (input: artifact, key, signature)`
			`cosign verify-blob --key cosign.pub --signature constellation.sig constellation`
			`# Transparency Log Signature (input: artifact, key)`
			`uuid=$(rekor-cli search --artifact constellation \| tail -n 1)`
			`sig=$(rekor-cli get --uuid=$uuid --format=json \| jq -r .Body.HashedRekordObj.signature.content)`
			`cosign verify-blob --key cosign.pub --signature <(echo $sig) constellation`
Build-as-a-Test & Abortable Workflows (#231) * build cli on every PR * build coordinator on every PR, while only triggering image builds on main. * abort previous runs of workflows if new commits are pushed Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-06-30 09:27:23 +00:00			`shell: bash`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00			`working-directory: build`
			`env:`
			`COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}`
			`COSIGN_PRIVATE_KEY: ${{ inputs.cosign-private-key }}`
			`COSIGN_PASSWORD: ${{ inputs.cosign-password }}`
make signing keys optional in build step, since e2e test does not require signing (#254) * make signing keys optional in build step, since e2e test does not require signing 2022-07-07 10:18:41 +00:00			`if: ${{ inputs.cosign-public-key != '' && inputs.cosign-private-key != '' && inputs.cosign-password != '' }}`
Sign CLI & create release on v* tag (#241) * Sign CLI & create release on v* tag * Extended description to mention new feature in this action Co-authored-by: Fabian Kammel <fk@edgelss.systems> 2022-07-04 10:16:11 +00:00
			`- name: Release CLI`
			`# GitHub endorsed release project. See: https://github.com/actions/create-release`
			`uses: softprops/action-gh-release@v1`
			`if: startsWith(github.ref, 'refs/tags/v')`
			`with:`
			`draft: true`
			`files: \|`
Fix/release process (#253) * fix path to artifacts. * add release step to docs Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-07-05 14:55:14 +00:00			`build/constellation`
			`build/constellation.sig`
			`build/cosign.pub`