ci: remove artifact encryption for public artifacts (#2776)

* ci: remove artifact encryption for public artifacts

* revert parts of #2765

* ci: add unused action exception for encrypted artifact download
3u13r 2023-12-29 11:02:37 +01:00 committed by GitHub
parent 539e6eac48
commit 07c884b945
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 25 additions and 42 deletions


@ -20,11 +20,10 @@ runs:
zip -r terraform-module.zip terraform-module zip -r terraform-module.zip terraform-module
- name: Upload artifact - name: Upload artifact
uses: ./.github/actions/artifact_upload uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: terraform-module name: terraform-module
path: terraform-module.zip path: terraform-module.zip
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Cleanup Terraform module dir - name: Cleanup Terraform module dir
shell: bash shell: bash
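Review bot: Once the `encryptionSecret` line at L25 is gone, nothing in this action's steps reads `inputs.encryptionSecret` any more, so if that input is still declared in the `inputs:` block above the hunk (not visible here) it becomes a dead input that callers keep feeding a secret into. Either remove the declaration or mark it deprecated with a comment such as `# deprecated: artifacts are uploaded unencrypted, this input is ignored`, so the secret stops being passed around for no reason. The `runs:` block of this composite action begins before the hunk.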


@ -178,28 +178,25 @@ jobs:
echo "::endgroup::" echo "::endgroup::"
- name: Upload raw OS image as artifact - name: Upload raw OS image as artifact
uses: ./.github/actions/artifact_upload uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.image-dir }}/constellation.raw path: ${{ steps.build.outputs.image-dir }}/constellation.raw
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload individual OS parts as artifacts - name: Upload individual OS parts as artifacts
uses: ./.github/actions/artifact_upload uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: > path: |
${{ steps.build.outputs.image-dir }}/constellation.efi ${{ steps.build.outputs.image-dir }}/constellation.efi
${{ steps.build.outputs.image-dir }}/constellation.initrd ${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload sbom info as artifact - name: Upload sbom info as artifact
uses: ./.github/actions/artifact_upload uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.rpmdb }} path: ${{ steps.build.outputs.rpmdb }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
upload-os-image: upload-os-image:
name: "Upload OS image to CSP" name: "Upload OS image to CSP"
@ -244,11 +241,10 @@ jobs:
useCache: "false" useCache: "false"
- name: Download OS image artifact - name: Download OS image artifact
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38 path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install tools - name: Install tools
shell: bash shell: bash
@ -316,7 +312,6 @@ jobs:
working-directory: ${{ github.workspace }}/image working-directory: ${{ github.workspace }}/image
run: | run: |
echo "::group::Upload Azure image" echo "::group::Upload Azure image"
chmod +w "${RAW_IMAGE_PATH}"
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
bazel run //image/upload -- image azure \ bazel run //image/upload -- image azure \
--verbose \ --verbose \
@ -358,11 +353,10 @@ jobs:
echo "::endgroup::" echo "::endgroup::"
- name: Upload image lookup table as artifact - name: Upload image lookup table as artifact
uses: ./.github/actions/artifact_upload uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: lookup-table name: lookup-table
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
calculate-pcrs: calculate-pcrs:
name: "Calculate PCRs" name: "Calculate PCRs"
@ -396,10 +390,9 @@ jobs:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
- name: Download OS image artifact - name: Download OS image artifact
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- uses: ./.github/actions/setup_bazel_nix - uses: ./.github/actions/setup_bazel_nix
with: with:
@ -639,10 +632,6 @@ jobs:
contents: read contents: read
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with: with:
@ -650,12 +639,11 @@ jobs:
aws-region: eu-central-1 aws-region: eu-central-1
- name: Download sbom - name: Download sbom
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
# downloading / using only the QEMU manifest is fine # downloading / using only the QEMU manifest is fine
# since the images only differ in the ESP partition # since the images only differ in the ESP partition
name: sbom-qemu-qemu-vtpm name: sbom-qemu-qemu-vtpm
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload SBOMs to S3 - name: Upload SBOMs to S3
shell: bash shell: bash
@ -683,10 +671,9 @@ jobs:
useCache: "false" useCache: "false"
- name: Download image lookup table - name: Download image lookup table
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: lookup-table name: lookup-table
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -696,7 +683,12 @@ jobs:
- name: Upload lookup table to S3 - name: Upload lookup table to S3
shell: bash shell: bash
run: bazel run //image/upload -- info --verbose image-upload*.json run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Create CLI compatibility information artifact - name: Create CLI compatibility information artifact
shell: bash shell: bash
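Review bot: The job at L93–L102 loses its only visible checkout step, while the lookup-table job gains one at L127–L130 after the artifact has already been consumed; the reason for this ordering is not stated anywhere in the hunks. A plausible explanation is that actions/download-artifact without a `path:` writes into `$GITHUB_WORKSPACE` and a later actions/checkout (which cleans the workspace by default) would delete it, but that is inferred, not visible. If so, the constraint deserves a comment on the new checkout, e.g. `# checkout after the artifact download: actions/checkout cleans the workspace by default`, and the same comment would explain why the checkout was dropped from the sbom job. If "Upload SBOMs to S3" (its `run:` body is outside the hunk) needs repository files, the removed checkout must come back after the download step rather than before it.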


@ -229,10 +229,9 @@ jobs:
uses: ./.github/actions/download_release_binaries uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM - name: Download CLI SBOM
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: constellation.spdx.sbom name: constellation.spdx.sbom
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Generate provenance subjects - name: Generate provenance subjects
id: provenance-subjects id: provenance-subjects
@ -343,16 +342,14 @@ jobs:
uses: ./.github/actions/download_release_binaries uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM - name: Download CLI SBOM
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: constellation.spdx.sbom name: constellation.spdx.sbom
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download provenance - name: Download provenance
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: ${{ needs.provenance.outputs.provenance-name }} name: ${{ needs.provenance.outputs.provenance-name }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install slsa-verifier - name: Install slsa-verifier
run: | run: |
@ -423,22 +420,19 @@ jobs:
uses: ./.github/actions/download_release_binaries uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM - name: Download CLI SBOM
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: constellation.spdx.sbom name: constellation.spdx.sbom
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation CLI SBOM's signature - name: Download Constellation CLI SBOM's signature
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: constellation.spdx.sbom.sig name: constellation.spdx.sbom.sig
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation provenance - name: Download Constellation provenance
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: ${{ needs.provenance.outputs.provenance-name }} name: ${{ needs.provenance.outputs.provenance-name }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Rename provenance file - name: Rename provenance file
run: | run: |
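Review bot: The SBOM, its signature and the provenance at L161–L175 are now fetched with plain actions/download-artifact, so their integrity rests entirely on the signature and provenance checks that follow (the slsa-verifier install at L157 is visible; the verification step itself is outside the hunk). A short comment at the first of these downloads would make that dependency explicit, e.g. `# public artifacts: integrity is established by the provenance/signature verification below, not by encryption`. The same applies to the downloads at L139–L141 and L147–L155, whose consumers (`Generate provenance subjects` at L143, `Install slsa-verifier` at L157) continue past the hunk.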


@ -34,11 +34,10 @@ jobs:
enterpriseCLI: true enterpriseCLI: true
- name: Upload CLI artifact - name: Upload CLI artifact
uses: ./.github/actions/artifact_upload uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
path: "bazel-bin/cli/cli_enterprise_windows_amd64" path: "bazel-bin/cli/cli_enterprise_windows_amd64"
name: "constell-exe" name: "constell-exe"
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
e2e-test: e2e-test:
name: E2E Test Windows name: E2E Test Windows
@ -51,10 +50,9 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download CLI artifact - name: Download CLI artifact
uses: ./.github/actions/artifact_download uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: "constell-exe" name: "constell-exe"
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Check CLI version - name: Check CLI version
shell: pwsh shell: pwsh


@ -50,7 +50,7 @@ for action in ${actionNames}; do
fi fi
done done
if ! ${used}; then if [[ ${used} == "false" && ${action} != ".github/actions/artifact_download" ]]; then
echo "Action ${action} is unused" echo "Action ${action} is unused"
exitcode=1 exitcode=1
fi fi
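Review bot: The exemption at L206 is a bare path literal inside the loop condition with no explanation of why `.github/actions/artifact_download` may remain unreferenced; a comment directly above it, e.g. `# artifact_download is kept for encrypted artifacts although no workflow currently uses it`, would stop the next reader from deleting it as dead code. Every `artifact_upload` use visible in this commit was also replaced by actions/upload-artifact, yet only the download action is exempted, so if no workflow references artifact_upload any more this check will start failing on it (cannot be confirmed from the visible lines). If more than one action needs exempting, an allowlist array checked in the condition reads better than chaining `!=` clauses. The `for` loop and the computation of `${used}` begin before the hunk.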