mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
328 lines
14 KiB
YAML
328 lines
14 KiB
YAML
|
name: Build and Upload OS image
|
||
|
on:
|
||
|
workflow_dispatch:
|
||
|
inputs:
|
||
|
imageVersion:
|
||
|
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
|
||
|
required: false
|
||
|
debug:
|
||
|
description: "Build debug image"
|
||
|
type: boolean
|
||
|
default: false
|
||
|
required: false
|
||
|
|
||
|
jobs:
|
||
|
build-dependencies:
|
||
|
name: "Build binaries for embedding in the OS"
|
||
|
runs-on: ubuntu-22.04
|
||
|
permissions:
|
||
|
contents: read
|
||
|
packages: read
|
||
|
steps:
|
||
|
- name: Checkout
|
||
|
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791
|
||
|
|
||
|
- name: Build bootstrapper
|
||
|
if: ${{ inputs.debug == false }}
|
||
|
uses: ./.github/actions/build_bootstrapper
|
||
|
with:
|
||
|
outputPath: ${{ github.workspace }}/build/bootstrapper
|
||
|
|
||
|
- name: Build debugd
|
||
|
if: ${{ inputs.debug == true }}
|
||
|
uses: ./.github/actions/build_debugd
|
||
|
with:
|
||
|
outputPath: ${{ github.workspace }}/build/bootstrapper
|
||
|
|
||
|
- name: Build disk-mapper
|
||
|
uses: ./.github/actions/build_disk_mapper
|
||
|
with:
|
||
|
outputPath: ${{ github.workspace }}/build/disk-mapper
|
||
|
|
||
|
- name: Upload dependencies
|
||
|
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
|
||
|
with:
|
||
|
name: dependencies
|
||
|
path: |
|
||
|
${{ github.workspace }}/build/bootstrapper
|
||
|
${{ github.workspace }}/build/disk-mapper
|
||
|
|
||
|
- name: Collect hashes
|
||
|
run: |
|
||
|
echo "::set-output name=bootstrapper-sha256::$(sha256sum bootstrapper)"
|
||
|
echo "::set-output name=disk-mapper-sha256::$(sha256sum disk-mapper)"
|
||
|
working-directory: ${{ github.workspace }}/build
|
||
|
|
||
|
make-os-image:
|
||
|
name: "Build OS using mkosi"
|
||
|
needs: build-dependencies
|
||
|
runs-on: ubuntu-22.04
|
||
|
strategy:
|
||
|
matrix:
|
||
|
csp: [azure, gcp, qemu]
|
||
|
steps:
|
||
|
- name: Checkout
|
||
|
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791
|
||
|
|
||
|
- name: Download build dependencies
|
||
|
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||
|
with:
|
||
|
name: dependencies
|
||
|
path: ${{ github.workspace }}/build
|
||
|
|
||
|
- name: Mark bootstrapper and disk-mapper as executable
|
||
|
run: |
|
||
|
chmod +x ${{ github.workspace }}/build/bootstrapper
|
||
|
chmod +x ${{ github.workspace }}/build/disk-mapper
|
||
|
|
||
|
- name: Setup mkosi
|
||
|
uses: ./.github/actions/setup_mkosi
|
||
|
with:
|
||
|
version: 1750fc261a071f39c54f8b64ce2424195f750ee0
|
||
|
|
||
|
- name: Prepare PKI for secure boot signing
|
||
|
shell: bash
|
||
|
run: |
|
||
|
ln -s pki_testing pki
|
||
|
echo "${DB_KEY}" > pki/db.key
|
||
|
working-directory: ${{ github.workspace }}/image/mkosi
|
||
|
env:
|
||
|
DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }}
|
||
|
|
||
|
- name: Build
|
||
|
shell: bash
|
||
|
run: |
|
||
|
echo "::group::Build"
|
||
|
sudo make "${CSP}"
|
||
|
echo "::endgroup::"
|
||
|
working-directory: ${{ github.workspace }}/image/mkosi
|
||
|
env:
|
||
|
BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
|
||
|
DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
|
||
|
CSP: ${{ matrix.csp }}
|
||
|
|
||
|
- name: Upload raw OS image as artifact
|
||
|
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
|
||
|
with:
|
||
|
name: image-${{ matrix.csp }}
|
||
|
path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw
|
||
|
if: always()
|
||
|
continue-on-error: true
|
||
|
|
||
|
- name: Upload individual OS parts as artifacts
|
||
|
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
|
||
|
with:
|
||
|
name: parts-${{ matrix.csp }}
|
||
|
path: |
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz
|
||
|
if: always()
|
||
|
continue-on-error: true
|
||
|
|
||
|
- name: Upload manifest as artifact
|
||
|
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
|
||
|
with:
|
||
|
name: manifest-${{ matrix.csp }}
|
||
|
path: |
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog
|
||
|
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest
|
||
|
if: always()
|
||
|
continue-on-error: true
|
||
|
|
||
|
upload-os-image:
|
||
|
name: "Upload OS image to CSP"
|
||
|
needs: make-os-image
|
||
|
runs-on: ubuntu-22.04
|
||
|
strategy:
|
||
|
matrix:
|
||
|
csp: [azure, gcp]
|
||
|
upload-variant: [""]
|
||
|
include:
|
||
|
- csp: azure
|
||
|
upload-variant: TrustedLaunch
|
||
|
steps:
|
||
|
- name: Checkout
|
||
|
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791
|
||
|
|
||
|
- name: Download OS image artifact
|
||
|
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||
|
with:
|
||
|
name: image-${{ matrix.csp }}
|
||
|
path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36
|
||
|
|
||
|
- name: Install tools
|
||
|
shell: bash
|
||
|
run: |
|
||
|
echo "::group::Install tools"
|
||
|
sudo apt-get update
|
||
|
sudo apt-get install -y pigz qemu-utils
|
||
|
echo "::endgroup::"
|
||
|
|
||
|
- name: Login to Azure
|
||
|
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
|
||
|
if: ${{ matrix.csp == 'azure' }}
|
||
|
with:
|
||
|
creds: ${{ secrets.AZURE_CREDENTIALS }}
|
||
|
|
||
|
- name: Login to GCP
|
||
|
uses: ./.github/actions/gcp_login
|
||
|
if: ${{ matrix.csp == 'gcp' }}
|
||
|
with:
|
||
|
gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
|
||
|
|
||
|
- name: Prepare PKI for image upload
|
||
|
shell: bash
|
||
|
run: ln -s pki_testing pki
|
||
|
working-directory: ${{ github.workspace }}/image/mkosi
|
||
|
|
||
|
- name: Determine version
|
||
|
id: version
|
||
|
uses: ./.github/actions/pseudo_version
|
||
|
|
||
|
# Make sure to set valid names for GCP and Azure
|
||
|
# Azure
|
||
|
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
|
||
|
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
|
||
|
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
|
||
|
#
|
||
|
# GCP
|
||
|
# image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
|
||
|
- name: Configure input variables
|
||
|
shell: bash
|
||
|
run: |
|
||
|
timestamp=${{ steps.version.outputs.timestamp }}
|
||
|
semver=${{ steps.version.outputs.semanticVersion }}
|
||
|
imageVersion=${{ inputs.imageVersion }}
|
||
|
pseudover=${{ steps.version.outputs.pseudoVersion }}
|
||
|
echo "PKI=${{ github.workspace }}/image/mkosi/pki" >> $GITHUB_ENV
|
||
|
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
|
||
|
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
|
||
|
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
|
||
|
echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV
|
||
|
echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV
|
||
|
echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV
|
||
|
echo "AZURE_REGION=northeurope" >> $GITHUB_ENV
|
||
|
echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV
|
||
|
echo "AZURE_SKU=constellation" >> $GITHUB_ENV
|
||
|
echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV
|
||
|
echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV
|
||
|
echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV
|
||
|
# TODO: set default security type to "ConfidentialVM" once replication is possible
|
||
|
AZURE_SECURITY_TYPE=${{ matrix.upload-variant }}
|
||
|
if [ -z "${AZURE_SECURITY_TYPE}" ]; then
|
||
|
AZURE_SECURITY_TYPE=ConfidentialVMSupported
|
||
|
fi
|
||
|
echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}" >> $GITHUB_ENV
|
||
|
echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV
|
||
|
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
|
||
|
then
|
||
|
GCP_IMAGE_NAME=constellation-${imageVersion//./-}
|
||
|
echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV
|
||
|
AZURE_IMAGE_DEFINITION=constellation
|
||
|
echo "AZURE_IMAGE_VERSION=${imageVersion:1}" >> $GITHUB_ENV
|
||
|
AZURE_GALLERY_NAME=Constellation
|
||
|
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
|
||
|
then
|
||
|
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
|
||
|
echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV
|
||
|
AZURE_IMAGE_DEFINITION=${semver}
|
||
|
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
|
||
|
AZURE_GALLERY_NAME=Constellation_Debug
|
||
|
else
|
||
|
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
|
||
|
echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
|
||
|
AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }}
|
||
|
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
|
||
|
AZURE_GALLERY_NAME=Constellation_Testing
|
||
|
fi
|
||
|
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
|
||
|
if [ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]; then
|
||
|
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}_CVM" >> $GITHUB_ENV
|
||
|
echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV
|
||
|
else
|
||
|
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV
|
||
|
echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/mkosi/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV
|
||
|
fi
|
||
|
echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
|
||
|
echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
|
||
|
echo "GCP_IMAGE_NAME=${GCP_IMAGE_NAME}" >> $GITHUB_ENV
|
||
|
echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV
|
||
|
|
||
|
- name: Download VMGS blob
|
||
|
run: aws s3 cp \
|
||
|
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
||
|
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
||
|
--no-progress
|
||
|
working-directory: ${{ github.workspace }}/image/mkosi
|
||
|
if: ${{ matrix.csp == 'azure' }}
|
||
|
|
||
|
- name: Upload GCP image
|
||
|
shell: bash
|
||
|
run: |
|
||
|
echo "::group::Upload GCP image"
|
||
|
upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
|
||
|
upload/upload_gcp.sh
|
||
|
echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY
|
||
|
echo "::endgroup::"
|
||
|
working-directory: ${{ github.workspace }}/image/mkosi
|
||
|
if: ${{ matrix.csp == 'gcp' }}
|
||
|
|
||
|
- name: Upload Azure image
|
||
|
shell: bash
|
||
|
run: |
|
||
|
echo "::group::Upload Azure image"
|
||
|
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
||
|
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
|
||
|
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
|
||
|
echo "::endgroup::"
|
||
|
working-directory: ${{ github.workspace }}/image/mkosi
|
||
|
if: ${{ matrix.csp == 'azure' }}
|
||
|
|
||
|
generate-sbom:
|
||
|
name: "Generate SBOM"
|
||
|
needs: make-os-image
|
||
|
runs-on: ubuntu-22.04
|
||
|
steps:
|
||
|
- name: Install squashfs tools
|
||
|
run: |
|
||
|
echo "::group::Install squashfs tools"
|
||
|
sudo apt-get update
|
||
|
sudo apt-get install -y squashfs-tools
|
||
|
echo "::endgroup::"
|
||
|
|
||
|
- name: Download rootfs
|
||
|
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||
|
with:
|
||
|
# downloading / using only the QEMU rootfs is fine
|
||
|
# since the images only differ in the ESP partition
|
||
|
name: parts-qemu
|
||
|
|
||
|
- name: Unpack squashfs
|
||
|
run: |
|
||
|
echo "::group::Unpack squashfs"
|
||
|
unsquashfs -user-xattrs -d image.root.tree image.root.raw
|
||
|
echo "::endgroup::"
|
||
|
|
||
|
- uses: anchore/sbom-action@eda59434a8e5ce9bda93a202dfe50f6a2e637bb6
|
||
|
with:
|
||
|
path: image.root.tree
|
||
|
artifact-name: sbom.spdx.json
|
||
|
format: spdx-json
|
||
|
|
||
|
- uses: anchore/sbom-action@eda59434a8e5ce9bda93a202dfe50f6a2e637bb6
|
||
|
with:
|
||
|
path: image.root.tree
|
||
|
artifact-name: sbom.cyclonedx.json
|
||
|
format: cyclonedx-json
|
||
|
|
||
|
- uses: anchore/sbom-action@eda59434a8e5ce9bda93a202dfe50f6a2e637bb6
|
||
|
with:
|
||
|
path: image.root.tree
|
||
|
artifact-name: sbom.syft.json
|
||
|
format: syft-json
|