mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-23 22:01:14 -05:00
ci: remove artifact encryption for public artifacts (#2776)
* ci: remove artifact encryption for public artifacts * revert parts of #2765 * ci: add unused action exception for encrypted artifact download
parent
539e6eac48
commit
07c884b945
@ -20,11 +20,10 @@ runs:
|
||||
zip -r terraform-module.zip terraform-module
|
||||
|
||||
- name: Upload artifact
|
||||
uses: ./.github/actions/artifact_upload
|
||||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
name: terraform-module
|
||||
path: terraform-module.zip
|
||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
||||
|
||||
- name: Cleanup Terraform module dir
|
||||
shell: bash
|
||||
|
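Review bot: After this hunk the "Upload artifact" step no longer reads `inputs.encryptionSecret`, so if the action still declares that input, callers keep handing it a secret that nothing consumes. The `inputs:` block is outside the hunk and the file name is not shown on the page, so this needs checking against the full file. If the input is still declared, remove it together with the matching `with:` entries in the callers, so the secret is not passed to steps that have no use for it. A short comment on the step, e.g. `# public artifact: uploaded unencrypted on purpose`, would also record why `terraform-module.zip` is exempt from encryption.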
38
.github/workflows/build-os-image.yml
vendored
@ -178,28 +178,25 @@ jobs:
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Upload raw OS image as artifact
|
||||
uses: ./.github/actions/artifact_upload
|
||||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Upload individual OS parts as artifacts
|
||||
uses: ./.github/actions/artifact_upload
|
||||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: >
|
||||
path: |
|
||||
${{ steps.build.outputs.image-dir }}/constellation.efi
|
||||
${{ steps.build.outputs.image-dir }}/constellation.initrd
|
||||
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Upload sbom info as artifact
|
||||
uses: ./.github/actions/artifact_upload
|
||||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: ${{ steps.build.outputs.rpmdb }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
upload-os-image:
|
||||
name: "Upload OS image to CSP"
|
||||
@ -244,11 +241,10 @@ jobs:
|
||||
useCache: "false"
|
||||
|
||||
- name: Download OS image artifact
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Install tools
|
||||
shell: bash
|
||||
@ -316,7 +312,6 @@ jobs:
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
run: |
|
||||
echo "::group::Upload Azure image"
|
||||
chmod +w "${RAW_IMAGE_PATH}"
|
||||
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
||||
bazel run //image/upload -- image azure \
|
||||
--verbose \
|
||||
@ -358,11 +353,10 @@ jobs:
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Upload image lookup table as artifact
|
||||
uses: ./.github/actions/artifact_upload
|
||||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
name: lookup-table
|
||||
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
calculate-pcrs:
|
||||
name: "Calculate PCRs"
|
||||
@ -396,10 +390,9 @@ jobs:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
- name: Download OS image artifact
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- uses: ./.github/actions/setup_bazel_nix
|
||||
with:
|
||||
@ -639,10 +632,6 @@ jobs:
|
||||
contents: read
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
||||
with:
|
||||
@ -650,12 +639,11 @@ jobs:
|
||||
aws-region: eu-central-1
|
||||
|
||||
- name: Download sbom
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
# downloading / using only the QEMU manifest is fine
|
||||
# since the images only differ in the ESP partition
|
||||
name: sbom-qemu-qemu-vtpm
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Upload SBOMs to S3
|
||||
shell: bash
|
||||
@ -683,10 +671,9 @@ jobs:
|
||||
useCache: "false"
|
||||
|
||||
- name: Download image lookup table
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: lookup-table
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
||||
@ -696,7 +683,12 @@ jobs:
|
||||
|
||||
- name: Upload lookup table to S3
|
||||
shell: bash
|
||||
run: bazel run //image/upload -- info --verbose image-upload*.json
|
||||
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
- name: Create CLI compatibility information artifact
|
||||
shell: bash
|
||||
|
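Review bot: The `image-${{ matrix.csp }}-${{ matrix.attestation_variant }}` artifact now passes from the build job to "Upload OS image to CSP" and "Calculate PCRs" with no visible step checking that the downloaded `constellation.raw` is the file the build produced. Dropping confidentiality for a public image is reasonable, but if the removed wrapper also authenticated the archive (not visible here), that integrity check is gone as well. Consider recording `sha256sum constellation.raw` in the build job and comparing it after each download, before the image is uploaded or measured. Separately, adding `if-no-files-found: error` to the four upload steps would make a missing image or lookup table fail at upload rather than at a later download.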
18
.github/workflows/draft-release.yml
vendored
@ -229,10 +229,9 @@ jobs:
|
||||
uses: ./.github/actions/download_release_binaries
|
||||
|
||||
- name: Download CLI SBOM
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Generate provenance subjects
|
||||
id: provenance-subjects
|
||||
@ -343,16 +342,14 @@ jobs:
|
||||
uses: ./.github/actions/download_release_binaries
|
||||
|
||||
- name: Download CLI SBOM
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Download provenance
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Install slsa-verifier
|
||||
run: |
|
||||
@ -423,22 +420,19 @@ jobs:
|
||||
uses: ./.github/actions/download_release_binaries
|
||||
|
||||
- name: Download CLI SBOM
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: constellation.spdx.sbom
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Download Constellation CLI SBOM's signature
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: constellation.spdx.sbom.sig
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Download Constellation provenance
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Rename provenance file
|
||||
run: |
|
||||
|
6
.github/workflows/e2e-windows.yml
vendored
@ -34,11 +34,10 @@ jobs:
|
||||
enterpriseCLI: true
|
||||
|
||||
- name: Upload CLI artifact
|
||||
uses: ./.github/actions/artifact_upload
|
||||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
path: "bazel-bin/cli/cli_enterprise_windows_amd64"
|
||||
name: "constell-exe"
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
e2e-test:
|
||||
name: E2E Test Windows
|
||||
@ -51,10 +50,9 @@ jobs:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Download CLI artifact
|
||||
uses: ./.github/actions/artifact_download
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: "constell-exe"
|
||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
||||
|
||||
- name: Check CLI version
|
||||
shell: pwsh
|
||||
|
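Review bot: The "Upload CLI artifact" step now publishes `bazel-bin/cli/cli_enterprise_windows_amd64` unencrypted, and the context line above it shows the build ran with `enterpriseCLI: true`. The commit treats every touched artifact as public; confirm that holds for the enterprise build, and keep this one step on the encrypting wrapper if it does not. If it is public, a comment on the step such as `# enterprise CLI is distributed publicly; no encryption needed` would stop the exemption being questioned later.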
@ -50,7 +50,7 @@ for action in ${actionNames}; do
|
||||
fi
|
||||
done
|
||||
|
||||
if ! ${used}; then
|
||||
if [[ ${used} == "false" && ${action} != ".github/actions/artifact_download" ]]; then
|
||||
echo "Action ${action} is unused"
|
||||
exitcode=1
|
||||
fi
|
||||
|
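Review bot: The exemption for `.github/actions/artifact_download` is hard-coded into the `if` with no comment explaining why an action with no caller stays in the repository. Add one above the condition, e.g. `# artifact_download currently has no caller; kept as the counterpart of artifact_upload for encrypted artifacts`, or move exempt names into a small array so the next exception is not another `&&` clause. Keeping it also means the decrypt path is no longer exercised by any workflow, so it can break unnoticed until it is needed. Note too that `[[ ${used} == "false" ... ]]` treats any value other than the literal `false` as "used", whereas `! ${used}` ran the value as a command; that is only safe if `used` is always set to `true` or `false` earlier in the loop, which lies outside the hunk.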