ci: remove artifact encryption for public artifacts (#2776)
* ci: remove artifact encryption for public artifacts * revert parts of #2765 * ci: add unused action exception for encrypted artifact download
This commit is contained in:
parent
539e6eac48
commit
07c884b945
@ -20,11 +20,10 @@ runs:
|
|||||||
zip -r terraform-module.zip terraform-module
|
zip -r terraform-module.zip terraform-module
|
||||||
|
|
||||||
- name: Upload artifact
|
- name: Upload artifact
|
||||||
uses: ./.github/actions/artifact_upload
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
with:
|
with:
|
||||||
name: terraform-module
|
name: terraform-module
|
||||||
path: terraform-module.zip
|
path: terraform-module.zip
|
||||||
encryptionSecret: ${{ inputs.encryptionSecret }}
|
|
||||||
|
|
||||||
- name: Cleanup Terraform module dir
|
- name: Cleanup Terraform module dir
|
||||||
shell: bash
|
shell: bash
|
||||||
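Review bot: Dropping `encryptionSecret: ${{ inputs.encryptionSecret }}` from the upload step leaves the action's `encryptionSecret` input (declared in the `inputs:` block above this hunk, not shown) without a consumer, so callers presumably keep passing a secret to an action that no longer uses it. Remove the input from `inputs:` and from every caller, or at least mark it deprecated in its `description`, so a secret is not handed to a step that does not need it; the page does not show the callers, so this needs a repo-wide check. The `runs:` block continues outside the hunk on both sides.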
|
38
.github/workflows/build-os-image.yml
38
.github/workflows/build-os-image.yml
@ -178,28 +178,25 @@ jobs:
|
|||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
- name: Upload raw OS image as artifact
|
- name: Upload raw OS image as artifact
|
||||||
uses: ./.github/actions/artifact_upload
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
with:
|
with:
|
||||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||||
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
|
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Upload individual OS parts as artifacts
|
- name: Upload individual OS parts as artifacts
|
||||||
uses: ./.github/actions/artifact_upload
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
with:
|
with:
|
||||||
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||||
path: >
|
path: |
|
||||||
${{ steps.build.outputs.image-dir }}/constellation.efi
|
${{ steps.build.outputs.image-dir }}/constellation.efi
|
||||||
${{ steps.build.outputs.image-dir }}/constellation.initrd
|
${{ steps.build.outputs.image-dir }}/constellation.initrd
|
||||||
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
|
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Upload sbom info as artifact
|
- name: Upload sbom info as artifact
|
||||||
uses: ./.github/actions/artifact_upload
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
with:
|
with:
|
||||||
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||||
path: ${{ steps.build.outputs.rpmdb }}
|
path: ${{ steps.build.outputs.rpmdb }}
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
upload-os-image:
|
upload-os-image:
|
||||||
name: "Upload OS image to CSP"
|
name: "Upload OS image to CSP"
|
||||||
@ -244,11 +241,10 @@ jobs:
|
|||||||
useCache: "false"
|
useCache: "false"
|
||||||
|
|
||||||
- name: Download OS image artifact
|
- name: Download OS image artifact
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||||
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
|
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Install tools
|
- name: Install tools
|
||||||
shell: bash
|
shell: bash
|
||||||
@ -316,7 +312,6 @@ jobs:
|
|||||||
working-directory: ${{ github.workspace }}/image
|
working-directory: ${{ github.workspace }}/image
|
||||||
run: |
|
run: |
|
||||||
echo "::group::Upload Azure image"
|
echo "::group::Upload Azure image"
|
||||||
chmod +w "${RAW_IMAGE_PATH}"
|
|
||||||
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
||||||
bazel run //image/upload -- image azure \
|
bazel run //image/upload -- image azure \
|
||||||
--verbose \
|
--verbose \
|
||||||
@ -358,11 +353,10 @@ jobs:
|
|||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
- name: Upload image lookup table as artifact
|
- name: Upload image lookup table as artifact
|
||||||
uses: ./.github/actions/artifact_upload
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
with:
|
with:
|
||||||
name: lookup-table
|
name: lookup-table
|
||||||
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
|
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
calculate-pcrs:
|
calculate-pcrs:
|
||||||
name: "Calculate PCRs"
|
name: "Calculate PCRs"
|
||||||
@ -396,10 +390,9 @@ jobs:
|
|||||||
ref: ${{ inputs.ref || github.head_ref }}
|
ref: ${{ inputs.ref || github.head_ref }}
|
||||||
|
|
||||||
- name: Download OS image artifact
|
- name: Download OS image artifact
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- uses: ./.github/actions/setup_bazel_nix
|
- uses: ./.github/actions/setup_bazel_nix
|
||||||
with:
|
with:
|
||||||
@ -639,10 +632,6 @@ jobs:
|
|||||||
contents: read
|
contents: read
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
||||||
with:
|
|
||||||
ref: ${{ inputs.ref || github.head_ref }}
|
|
||||||
|
|
||||||
- name: Login to AWS
|
- name: Login to AWS
|
||||||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
||||||
with:
|
with:
|
||||||
@ -650,12 +639,11 @@ jobs:
|
|||||||
aws-region: eu-central-1
|
aws-region: eu-central-1
|
||||||
|
|
||||||
- name: Download sbom
|
- name: Download sbom
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
# downloading / using only the QEMU manifest is fine
|
# downloading / using only the QEMU manifest is fine
|
||||||
# since the images only differ in the ESP partition
|
# since the images only differ in the ESP partition
|
||||||
name: sbom-qemu-qemu-vtpm
|
name: sbom-qemu-qemu-vtpm
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Upload SBOMs to S3
|
- name: Upload SBOMs to S3
|
||||||
shell: bash
|
shell: bash
|
||||||
@ -683,10 +671,9 @@ jobs:
|
|||||||
useCache: "false"
|
useCache: "false"
|
||||||
|
|
||||||
- name: Download image lookup table
|
- name: Download image lookup table
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: lookup-table
|
name: lookup-table
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Login to AWS
|
- name: Login to AWS
|
||||||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
||||||
@ -696,7 +683,12 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload lookup table to S3
|
- name: Upload lookup table to S3
|
||||||
shell: bash
|
shell: bash
|
||||||
run: bazel run //image/upload -- info --verbose image-upload*.json
|
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
|
||||||
|
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.ref || github.head_ref }}
|
||||||
|
|
||||||
- name: Create CLI compatibility information artifact
|
- name: Create CLI compatibility information artifact
|
||||||
shell: bash
|
shell: bash
|
||||||
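Review bot: The `Checkout` step added after `Upload lookup table to S3` (hunk @ -696) runs actions/checkout with its default `clean: true`, which deletes untracked files in the workspace, including the `mkosi.output.*` files that `Download image lookup table` (hunk @ -683) just extracted there. If resetting the tree before `Create CLI compatibility information artifact` is the intent, say so: `# fresh checkout resets the workspace; the downloaded lookup table is not needed after the S3 upload`. The `useCache: "false"` context suggests a setup step, and therefore an earlier checkout, already exists in this job, so the reason for a second checkout should be stated as well. `Create CLI compatibility information artifact` continues outside the hunk.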
|
18
.github/workflows/draft-release.yml
18
.github/workflows/draft-release.yml
@ -229,10 +229,9 @@ jobs:
|
|||||||
uses: ./.github/actions/download_release_binaries
|
uses: ./.github/actions/download_release_binaries
|
||||||
|
|
||||||
- name: Download CLI SBOM
|
- name: Download CLI SBOM
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: constellation.spdx.sbom
|
name: constellation.spdx.sbom
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Generate provenance subjects
|
- name: Generate provenance subjects
|
||||||
id: provenance-subjects
|
id: provenance-subjects
|
||||||
@ -343,16 +342,14 @@ jobs:
|
|||||||
uses: ./.github/actions/download_release_binaries
|
uses: ./.github/actions/download_release_binaries
|
||||||
|
|
||||||
- name: Download CLI SBOM
|
- name: Download CLI SBOM
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: constellation.spdx.sbom
|
name: constellation.spdx.sbom
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Download provenance
|
- name: Download provenance
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Install slsa-verifier
|
- name: Install slsa-verifier
|
||||||
run: |
|
run: |
|
||||||
@ -423,22 +420,19 @@ jobs:
|
|||||||
uses: ./.github/actions/download_release_binaries
|
uses: ./.github/actions/download_release_binaries
|
||||||
|
|
||||||
- name: Download CLI SBOM
|
- name: Download CLI SBOM
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: constellation.spdx.sbom
|
name: constellation.spdx.sbom
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Download Constellation CLI SBOM's signature
|
- name: Download Constellation CLI SBOM's signature
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: constellation.spdx.sbom.sig
|
name: constellation.spdx.sbom.sig
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Download Constellation provenance
|
- name: Download Constellation provenance
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Rename provenance file
|
- name: Rename provenance file
|
||||||
run: |
|
run: |
|
||||||
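Review bot: None of the replaced download steps (`Download CLI SBOM` at @ -229 and @ -343, `Download provenance` at @ -343, and the SBOM, signature and provenance downloads at @ -423) sets a `path:`, so actions/download-artifact extracts each file into the workspace root, whereas the local action it replaces may have used a different destination. The consuming steps (`Generate provenance subjects`, `Install slsa-verifier`, `Rename provenance file`) lie outside these hunks, so confirm they resolve `constellation.spdx.sbom`, `constellation.spdx.sbom.sig` and the provenance file relative to `${{ github.workspace }}`; if they expected a subdirectory, add an explicit `path:` to each step rather than relying on the default.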
|
6
.github/workflows/e2e-windows.yml
6
.github/workflows/e2e-windows.yml
@ -34,11 +34,10 @@ jobs:
|
|||||||
enterpriseCLI: true
|
enterpriseCLI: true
|
||||||
|
|
||||||
- name: Upload CLI artifact
|
- name: Upload CLI artifact
|
||||||
uses: ./.github/actions/artifact_upload
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
with:
|
with:
|
||||||
path: "bazel-bin/cli/cli_enterprise_windows_amd64"
|
path: "bazel-bin/cli/cli_enterprise_windows_amd64"
|
||||||
name: "constell-exe"
|
name: "constell-exe"
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
e2e-test:
|
e2e-test:
|
||||||
name: E2E Test Windows
|
name: E2E Test Windows
|
||||||
@ -51,10 +50,9 @@ jobs:
|
|||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
- name: Download CLI artifact
|
- name: Download CLI artifact
|
||||||
uses: ./.github/actions/artifact_download
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: "constell-exe"
|
name: "constell-exe"
|
||||||
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
|
|
||||||
|
|
||||||
- name: Check CLI version
|
- name: Check CLI version
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
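Review bot: The `constell-exe` artifact built from `bazel-bin/cli/cli_enterprise_windows_amd64` is now stored as a plain workflow artifact, and artifacts of a public repository can be fetched by anyone with read access to the repository. The commit scopes the change to public artifacts, so this is fine only if the enterprise Windows CLI counts as one; if it is not meant to be retrievable that way, this upload step should keep the encrypting local action. Note also that the download step sets no `path:`, so the binary lands in the workspace root; `Check CLI version` (pwsh) continues outside the hunk and must look for it there.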
|
@ -50,7 +50,7 @@ for action in ${actionNames}; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if ! ${used}; then
|
if [[ ${used} == "false" && ${action} != ".github/actions/artifact_download" ]]; then
|
||||||
echo "Action ${action} is unused"
|
echo "Action ${action} is unused"
|
||||||
exitcode=1
|
exitcode=1
|
||||||
fi
|
fi
|
||||||
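Review bot: The new `${action} != ".github/actions/artifact_download"` clause is a hard-coded allowlist entry with no explanation, and an allowlisted-but-unused action now passes silently. Add a comment above the condition saying why the action is kept although no workflow references it (the commit message calls it the encrypted-download counterpart; the page does not show what still uses `artifact_upload`), and report the skip so the exception stays visible in CI output, e.g. an `elif [[ ${used} == "false" ]]; then echo "Action ${action} is unused but allowlisted"` branch. If further exceptions are expected, keep them in an array checked in the loop instead of extending the `&&` chain. The `for action in ${actionNames}` loop starts outside the hunk.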
|