ci: remove artifact encryption for public artifacts (#2776)

* ci: remove artifact encryption for public artifacts

* revert parts of #2765

* ci: add unused action exception for encrypted artifact download
3u13r 2023-12-29 11:02:37 +01:00 committed by GitHub
parent 539e6eac48
commit 07c884b945
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 25 additions and 42 deletions


@ -20,11 +20,10 @@ runs:
zip -r terraform-module.zip terraform-module
- name: Upload artifact
uses: ./.github/actions/artifact_upload
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: terraform-module
path: terraform-module.zip
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Cleanup Terraform module dir
shell: bash
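Review bot: The step now passes only `name` and `path`, but if this composite action's `inputs:` block (outside the hunk) still declares `encryptionSecret`, that input is dead and every caller still supplying it keeps a secret in its `with:` for nothing; drop the declaration in the same change or mark it `# unused since #2776: public artifact, no encryption`. A one-line comment above the step, `# public artifact: uploaded unencrypted on purpose (#2776)`, would also tell the next reader that the missing `encryptionSecret` is intentional rather than an oversight, since the encrypted-download helper kept by this commit only works with a matching encrypted upload. The action's `inputs:` and the rest of `runs:` are outside the hunk.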


@ -178,28 +178,25 @@ jobs:
echo "::endgroup::"
- name: Upload raw OS image as artifact
uses: ./.github/actions/artifact_upload
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload individual OS parts as artifacts
uses: ./.github/actions/artifact_upload
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: >
path: |
${{ steps.build.outputs.image-dir }}/constellation.efi
${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload sbom info as artifact
uses: ./.github/actions/artifact_upload
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.rpmdb }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
upload-os-image:
name: "Upload OS image to CSP"
@ -244,11 +241,10 @@ jobs:
useCache: "false"
- name: Download OS image artifact
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install tools
shell: bash
@ -316,7 +312,6 @@ jobs:
working-directory: ${{ github.workspace }}/image
run: |
echo "::group::Upload Azure image"
chmod +w "${RAW_IMAGE_PATH}"
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
bazel run //image/upload -- image azure \
--verbose \
@ -358,11 +353,10 @@ jobs:
echo "::endgroup::"
- name: Upload image lookup table as artifact
uses: ./.github/actions/artifact_upload
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: lookup-table
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
calculate-pcrs:
name: "Calculate PCRs"
@ -396,10 +390,9 @@ jobs:
ref: ${{ inputs.ref || github.head_ref }}
- name: Download OS image artifact
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- uses: ./.github/actions/setup_bazel_nix
with:
@ -639,10 +632,6 @@ jobs:
contents: read
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
@ -650,12 +639,11 @@ jobs:
aws-region: eu-central-1
- name: Download sbom
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
# downloading / using only the QEMU manifest is fine
# since the images only differ in the ESP partition
name: sbom-qemu-qemu-vtpm
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload SBOMs to S3
shell: bash
@ -683,10 +671,9 @@ jobs:
useCache: "false"
- name: Download image lookup table
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: lookup-table
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -696,7 +683,12 @@ jobs:
- name: Upload lookup table to S3
shell: bash
run: bazel run //image/upload -- info --verbose image-upload*.json
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Create CLI compatibility information artifact
shell: bash
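Review bot: The `Checkout` step added at L138-L141 runs after the lookup table was downloaded into the workspace at L127 (no `path:` is set, so `actions/download-artifact` writes to `GITHUB_WORKSPACE`); `actions/checkout` defaults to `clean: true` and runs `git clean -ffdx`, which deletes those untracked `mkosi.output.*` files. The S3 upload at L137 runs before the checkout, so it is unaffected, but any later step in this job that still expects the `image-upload*.json` files will fail; if none does, a comment such as `# must run after the lookup-table upload: checkout cleans the workspace` documents the ordering constraint. The job's remaining steps are outside the hunk, so I cannot confirm which case applies.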


@ -229,10 +229,9 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation.spdx.sbom
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Generate provenance subjects
id: provenance-subjects
@ -343,16 +342,14 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation.spdx.sbom
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download provenance
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.provenance.outputs.provenance-name }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install slsa-verifier
run: |
@ -423,22 +420,19 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation.spdx.sbom
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation CLI SBOM's signature
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation.spdx.sbom.sig
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation provenance
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.provenance.outputs.provenance-name }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Rename provenance file
run: |
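Review bot: With the encryption removed, the only thing tying `constellation.spdx.sbom` (downloaded at L161-L163 and L177-L179) to this run's build is the verification that follows; the slsa-verifier install at L171 suggests the provenance is checked, so confirm that the SBOM and its `.sig` (downloaded at L183-L185) are among the subjects produced by the `Generate provenance subjects` step at L155-L156, which lies outside the hunk. If they are not listed, the SBOM is consumed without any check linking it to the provenance, and that gap existed before but was masked by the shared encryption secret. A short comment on the download step, `# integrity is checked via provenance/signature below, not via encryption`, would make the intended guarantee explicit. The enclosing jobs start outside the hunks.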


@ -34,11 +34,10 @@ jobs:
enterpriseCLI: true
- name: Upload CLI artifact
uses: ./.github/actions/artifact_upload
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
path: "bazel-bin/cli/cli_enterprise_windows_amd64"
name: "constell-exe"
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
e2e-test:
name: E2E Test Windows
@ -51,10 +50,9 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download CLI artifact
uses: ./.github/actions/artifact_download
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: "constell-exe"
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Check CLI version
shell: pwsh


@ -50,7 +50,7 @@ for action in ${actionNames}; do
fi
done
if ! ${used}; then
if [[ ${used} == "false" && ${action} != ".github/actions/artifact_download" ]]; then
echo "Action ${action} is unused"
exitcode=1
fi
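Review bot: The exemption at L226 covers only `.github/actions/artifact_download`, while the same commit also drops every `./.github/actions/artifact_upload` reference in the changed workflows (L21, L35, L42, L53, L83, L201) without deleting that action, so unless another workflow still uses it the check will now flag `artifact_upload` and set `exitcode=1`. Either exempt both actions or remove the upload action if it really has no callers left. The literal also has to match the form the `actionNames` entries take (with or without a leading `./`), which is set outside this hunk; a comment such as `# artifact_download is kept for encrypted artifacts although no workflow uses it (#2776)` would explain the special case to the next maintainer.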