diff --git a/.github/actions/generate_measurements/action.yml b/.github/actions/generate_measurements/action.yml index 5ef15db57..f989cbbeb 100644 --- a/.github/actions/generate_measurements/action.yml +++ b/.github/actions/generate_measurements/action.yml @@ -50,8 +50,8 @@ inputs: description: "The resource group to use" required: false azureUserAssignedIdentity: - description: "The Azure user assigned identity to use for Constellation." - required: false + description: "The Azure user assigned identity to use for Constellation." + required: false cosignPublicKey: description: "Cosign public key to sign measurements." required: true @@ -74,6 +74,11 @@ inputs: description: "AWS S3 bucket name to upload measurements." required: true +outputs: + kubeconfig: + description: "Kubeconfig file of the created cluster." + value: ${{ steps.create-cluster.outputs.kubeconfig }} + runs: using: "composite" steps: @@ -95,6 +100,7 @@ runs: if: ${{ inputs.cloudProvider == 'gcp' }} - name: Create cluster + id: create-cluster uses: ./.github/actions/constellation_create with: cloudProvider: ${{ inputs.cloudProvider }} diff --git a/.github/workflows/azure-snp-reporter.yml b/.github/workflows/azure-snp-reporter.yml index c6c86d217..9063a5775 100644 --- a/.github/workflows/azure-snp-reporter.yml +++ b/.github/workflows/azure-snp-reporter.yml @@ -75,4 +75,4 @@ jobs: - name: Verify report shell: bash - run: go run ./hack/azure-snp-report-verify/verify.go $(cat ./maa-report.jwt) + run: go run ./hack/azure-snp-report-verify/verify.go "$(cat ./maa-report.jwt)" diff --git a/.github/workflows/build-micro-service-manual.yml b/.github/workflows/build-micro-service-manual.yml index ccd610d82..0111d13d5 100644 --- a/.github/workflows/build-micro-service-manual.yml +++ b/.github/workflows/build-micro-service-manual.yml 
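Review bot: The new `outputs.kubeconfig` forwards whatever `steps.create-cluster.outputs.kubeconfig` holds, and step and action outputs are not secret-masked, so if that value is the kubeconfig contents (even base64-encoded) rather than a path to a file on the runner, cluster admin credentials become visible to any later step that echoes the output and to debug logging. The hunk does not show which form `constellation_create` produces. If it is the contents, the producing step should register the value with `echo "::add-mask::${value}"` before writing it to `$GITHUB_OUTPUT`, or hand over a file path instead; in either case the output description should say what the value is, e.g. `description: "Kubeconfig of the created cluster (see constellation_create for the format)."`.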
@@ -45,11 +45,11 @@ jobs: run: | case "${{ inputs.microService }}" in "join-service" ) - echo "microServiceDockerfile=joinservice/Dockerfile" >> $GITHUB_ENV ;; + echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;; "kmsserver" ) - echo "microServiceDockerfile=kms/Dockerfile" >> $GITHUB_ENV ;; + echo "microServiceDockerfile=kms/Dockerfile" >> "$GITHUB_ENV" ;; "verification-service" ) - echo "microServiceDockerfile=verify/Dockerfile" >> $GITHUB_ENV ;; + echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;; esac - name: Build and upload container image diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml index 903680d08..0098b6670 100644 --- a/.github/workflows/build-os-image.yml +++ b/.github/workflows/build-os-image.yml @@ -55,8 +55,10 @@ jobs: - name: Collect hashes id: collect-hashes run: | - echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" >> $GITHUB_OUTPUT - echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT + { + echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" + echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" + } >> "$GITHUB_OUTPUT" working-directory: ${{ github.workspace }}/build build-settings: @@ -82,12 +84,12 @@ jobs: run: | if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ] then - echo "imageType=release" >> $GITHUB_OUTPUT + echo "imageType=release" >> "$GITHUB_OUTPUT" elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ] then - echo "imageType=debug" >> $GITHUB_OUTPUT + echo "imageType=debug" >> "$GITHUB_OUTPUT" else - echo "imageType=branch" >> $GITHUB_OUTPUT + echo "imageType=branch" >> "$GITHUB_OUTPUT" fi - name: Determine PKI set 
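Review bot: `case "${{ inputs.microService }}" in` still interpolates the workflow input directly into the script text while the hunk only quotes `$GITHUB_ENV`; GitHub's hardening guidance is to route expression values through an environment variable so the shell sees a variable rather than substituted text. Set `MICRO_SERVICE: ${{ inputs.microService }}` under the step's `env:` and change the line to `case "$MICRO_SERVICE" in`. If `microService` is a fixed `choice` input the practical exposure is small, but it is the pattern a shellcheck-driven cleanup like this one should settle on. The `case` also has no default arm, so an unexpected value leaves `microServiceDockerfile` unset without any error; a `*) echo "unknown microService: $MICRO_SERVICE" >&2; exit 1 ;;` arm before `esac` would make that a hard failure.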
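Review bot: The new brace group only redirects output; it does not check that `sha256sum` succeeded, so with the default `bash -e` shell (no `shell:` is visible in the hunk) a missing `bootstrapper` binary writes `bootstrapper-sha256=` with an empty value and the step still passes, because the exit status of a `$(…)` inside an `echo` argument is discarded. The same applies to the eight image hashes in the `@@ -192,14 +194,16 @@` hunk, where `continue-on-error: true` hides the failure further and the empty values then flow into the SHA256SUMS file assembled in the `@@ -522` hunk. Compute each hash into a variable first so a failing substitution aborts the step, and enable `pipefail` so a failing `sha256sum` is not masked by `head`.

```yaml
run: |
  set -o pipefail
  bootstrapper_sha=$(sha256sum bootstrapper | head -c 64)
  disk_mapper_sha=$(sha256sum disk-mapper | head -c 64)
  {
    echo "bootstrapper-sha256=${bootstrapper_sha}"
    echo "disk-mapper-sha256=${disk_mapper_sha}"
  } >> "$GITHUB_OUTPUT"
# … unchanged: working-directory …
```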
@@ -96,9 +98,9 @@ jobs: run: | if [ "${{ steps.image-type.outputs.imageType }}" = "release" ] then - echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT + echo "pkiSet=pki_prod" >> "$GITHUB_OUTPUT" else - echo "pkiSet=pki_testing" >> $GITHUB_OUTPUT + echo "pkiSet=pki_testing" >> "$GITHUB_OUTPUT" fi make-os-image: @@ -170,8 +172,8 @@ jobs: id: prepare-pki shell: bash run: | - echo "${DB_KEY}" > ${PKI_SET}/db.key - ln -s ${PKI_SET} pki + echo "${DB_KEY}" > "${PKI_SET}/db.key" + ln -s "${PKI_SET}" pki working-directory: ${{ github.workspace }}/image env: PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} 
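Review bot: `echo "${DB_KEY}" > "${PKI_SET}/db.key"` writes what appears to be the Secure Boot DB private key into the checked-out `image` tree with the runner's default umask, so the file is created mode 0644 and stays that way for the rest of the job (the `env:` block is cut off by the hunk, so where `DB_KEY` comes from is not visible). Restrict permissions at creation time, e.g. `(umask 077; echo "${DB_KEY}" > "${PKI_SET}/db.key")`, and make sure no later step uploads `image/` as an artifact with the key still in place.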
@@ -192,14 +194,16 @@ jobs: - name: Collect hashes id: collect-hashes run: | - echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" >> $GITHUB_OUTPUT - echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" >> $GITHUB_OUTPUT - echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" >> $GITHUB_OUTPUT - echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" >> $GITHUB_OUTPUT - echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" >> $GITHUB_OUTPUT - echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT - echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT - echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT + { + echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" + echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" + echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" + echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" + echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" + echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" + echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" + echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" + } >> "$GITHUB_OUTPUT" working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 continue-on-error: true 
@@ -314,9 +318,9 @@ jobs: - name: Download VMGS blob run: | aws s3 cp \ - --region ${AZURE_VMGS_REGION} \ - s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \ - ${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \ + --region "${AZURE_VMGS_REGION}" \ + "s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \ + "${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \ --no-progress working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }} @@ -331,7 +335,7 @@ jobs: echo "::group::Upload AWS image" secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}" upload/upload_aws.sh "${AWS_AMI_OUTPUT}" - echo -e "Uploaded AWS image: \`\`\`$(cat "${AWS_AMI_OUTPUT}" | jq)\`\`\`" >> $GITHUB_STEP_SUMMARY + echo -e "Uploaded AWS image: \`\`\`$(jq < "${AWS_AMI_OUTPUT}")\`\`\`" >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'aws' }} @@ -353,7 +357,7 @@ jobs: echo "::group::Upload GCP image" upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}" upload/upload_gcp.sh - echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY + echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'gcp' }} 
@@ -374,7 +378,7 @@ jobs: echo "::group::Upload Azure image" upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" - echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY + echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' }} 
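Review bot: The summary line still carries the Azure subscription id `0d202bbb-4fa7-4af8-8125-58c269a05435` as a literal while every other component of the image path (`AZURE_RESOURCE_GROUP_NAME`, `AZURE_GALLERY_NAME`, `AZURE_IMAGE_DEFINITION`, `AZURE_IMAGE_VERSION`) comes from the environment. Moving it to an `AZURE_SUBSCRIPTION_ID` entry in the step's `env:` (or a repository variable) and writing `/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/…` keeps the account reference in one place and out of the script text; the `env:` block itself is outside the hunk.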
@@ -426,9 +430,11 @@ jobs: - name: Calculate expected PCRs run: | echo "::group::Calculate expected PCRs" - ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY - ./precalculate_pcr_8.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-8-${{ matrix.csp }}.json ${{ matrix.csp }} >> $GITHUB_STEP_SUMMARY - ./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY + { + ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json + ./precalculate_pcr_8.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-8-${{ matrix.csp }}.json ${{ matrix.csp }} + ./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json + } >> "$GITHUB_STEP_SUMMARY" cp pcr-stable.json ${{ github.workspace }}/ jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json echo "::endgroup::" @@ -522,4 +528,4 @@ jobs: ${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz EOF cat SHA256SUMS - echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> $GITHUB_STEP_SUMMARY + echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml index e2f2dddc5..e78331eb3 100644 --- a/.github/workflows/e2e-test-daily.yml +++ b/.github/workflows/e2e-test-daily.yml @@ -45,8 +45,8 @@ jobs: run: | uuid=$(cat /proc/sys/kernel/random/uuid) name=e2e-test-${uuid%%-*} - az group create --location northeurope --name $name --tags e2e - echo "res_group_name=$name" >> $GITHUB_OUTPUT + az group create --location northeurope --name "$name" --tags e2e + echo "res_group_name=$name" >> "$GITHUB_OUTPUT" - name: Run E2E test id: e2e_test 
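Review bot: The three `precalculate_pcr_*.sh` invocations inside the new brace group still pass `${{ github.workspace }}/…` unquoted while every other argument the commit touched got quotes; since `GITHUB_WORKSPACE` holds the same path, `./precalculate_pcr_4.sh "$GITHUB_WORKSPACE/image.raw" "$GITHUB_WORKSPACE/pcr-4-${{ matrix.csp }}.json"` keeps expression text out of the script and is quote-safe. The `cp` and `jq` lines below the group have the same shape and would benefit from the same treatment, especially the `${{ github.workspace }}/pcr-*` glob, which is the only argument that must stay unquoted.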
diff --git a/.github/workflows/e2e-test-manual-macos.yml b/.github/workflows/e2e-test-manual-macos.yml index ae569814a..9c322108a 100644 --- a/.github/workflows/e2e-test-manual-macos.yml +++ b/.github/workflows/e2e-test-manual-macos.yml @@ -120,8 +120,8 @@ jobs: run: | uuid=$(uuidgen) name=e2e-test-${uuid%%-*} - az group create --location westus --name $name --tags e2e - echo "res_group_name=$name" >> $GITHUB_OUTPUT + az group create --location westus --name "$name" --tags e2e + echo "res_group_name=$name" >> "$GITHUB_OUTPUT" - name: Set up gcloud CLI if: ${{ github.event.inputs.cloudProvider == 'gcp' }} @@ -154,7 +154,7 @@ jobs: continue-on-error: true uses: ./.github/actions/constellation_destroy with: - cloudProvider: ${{ steps.e2e_test.outputs.kubeconfig }} + kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - name: Notify teams channel if: ${{ failure() && github.ref == 'refs/heads/main' }} diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml index e109611e2..f8cb67a4e 100644 --- a/.github/workflows/e2e-test-manual.yml +++ b/.github/workflows/e2e-test-manual.yml @@ -85,8 +85,8 @@ jobs: run: | uuid=$(cat /proc/sys/kernel/random/uuid) name=e2e-test-${uuid%%-*} - az group create --location westus --name $name --tags e2e - echo "res_group_name=$name" >> $GITHUB_OUTPUT + az group create --location westus --name "$name" --tags e2e + echo "res_group_name=$name" >> "$GITHUB_OUTPUT" - name: Run manual E2E test id: e2e_test diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index bb66264d3..3213658e2 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml 
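Review bot: The fix from `cloudProvider:` to `kubeconfig:` shows the input name was wrong without anything failing, because the runner only warns about unexpected inputs and an unset `kubeconfig` reaches `constellation_destroy` as an empty string. Declaring `kubeconfig` as `required: true` in that action's `action.yml` (not in this diff) documents the contract but the runner does not enforce it, so an explicit check inside the action such as `test -n "$KUBECONFIG_INPUT" || { echo "kubeconfig input is empty" >&2; exit 1; }` is what actually catches the next typo; with `continue-on-error: true` on this step the failure would still need to be surfaced in the step summary to be noticed.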
@@ -65,8 +65,8 @@ jobs: run: | uuid=$(cat /proc/sys/kernel/random/uuid) name=e2e-test-${uuid%%-*} - az group create --location northeurope --name $name --tags e2e - echo "res_group_name=$name" >> $GITHUB_OUTPUT + az group create --location northeurope --name "$name" --tags e2e + echo "res_group_name=$name" >> "$GITHUB_OUTPUT" - name: Run E2E test id: e2e_test diff --git a/.github/workflows/generate-measurements.yml b/.github/workflows/generate-measurements.yml index 9e61a7cd6..2d6c65aba 100644 --- a/.github/workflows/generate-measurements.yml +++ b/.github/workflows/generate-measurements.yml @@ -53,10 +53,11 @@ jobs: run: | uuid=$(cat /proc/sys/kernel/random/uuid) name=e2e-test-${uuid%%-*} - az group create --location westus --name $name --tags e2e - echo "res_group_name=$name" >> $GITHUB_OUTPUT + az group create --location westus --name "$name" --tags e2e + echo "res_group_name=$name" >> "$GITHUB_OUTPUT" - name: Create Cluster & Generate Measurements + id: create_and_measure uses: ./.github/actions/generate_measurements with: cloudProvider: ${{ github.event.inputs.cloudProvider }} @@ -83,6 +84,8 @@ jobs: if: always() continue-on-error: true uses: ./.github/actions/constellation_destroy + with: + kubeconfig: ${{ steps.create_and_measure.outputs.kubeconfig }} - name: Always destroy Azure resource group if: ${{ always() && github.event.inputs.cloudProvider == 'azure' }} diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml index a1c2f7ff8..ba1a1bb92 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/release-cli.yml @@ -84,7 +84,7 @@ jobs: curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz ./grype version - echo $(pwd) >> $GITHUB_PATH + pwd >> "$GITHUB_PATH" shell: bash - name: Build signed SBOMs 
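Review bot: The destroy step runs under `if: always()`, so when `Create Cluster & Generate Measurements` fails before its `kubeconfig` output is written, `steps.create_and_measure.outputs.kubeconfig` evaluates to an empty string and `constellation_destroy` is invoked with an empty kubeconfig; with `continue-on-error: true` whatever it does in that case is hidden. Gate the step on the output, e.g. `if: always() && steps.create_and_measure.outputs.kubeconfig != ''`, or have the action log and exit cleanly on an empty input, so that the `Always destroy Azure resource group` step below remains a deliberate fallback for Azure and a silently failed destroy on the other providers does not leave orphaned resources unnoticed.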
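Review bot: `curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/…` fetches the scanner tarball with no integrity check, and `pwd >> "$GITHUB_PATH"` then puts the whole working directory at the front of `PATH` for every later step of a release job, so a tampered download would run there and any file in that directory can shadow system binaries. Verify the archive against the checksums file published with the same release before extracting, e.g. `curl -LO "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt"` followed by `sha256sum --ignore-missing -c "grype_${GRYPE_VERSION}_checksums.txt"`, or pin a known digest of the tarball in the workflow. Installing only the `grype` binary into a dedicated directory (`install -m 0755 grype "$RUNNER_TEMP/bin/"` and adding that directory) keeps the rest of the tree off `PATH`; the unquoted `${GRYPE_VERSION}` on the `curl` and `tar` lines should also get the quotes the rest of this commit applies.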
diff --git a/.github/workflows/test-govulncheck.yml b/.github/workflows/test-govulncheck.yml index 82dde60cf..373283b15 100644 --- a/.github/workflows/test-govulncheck.yml +++ b/.github/workflows/test-govulncheck.yml @@ -41,10 +41,10 @@ jobs: run: | mods=$(go list -f '{{.Dir}}/...' -m | xargs) echo "Found mods: $mods" - echo "submods=${mods}" >> $GITHUB_OUTPUT + echo "submods=${mods}" >> "$GITHUB_OUTPUT" - name: Govulncheck shell: bash run: | go install golang.org/x/vuln/cmd/govulncheck@latest - GOMEMLIMIT=5GiB govulncheck $(go list -f '{{.Dir}}/...' -m | xargs) + GOMEMLIMIT=5GiB govulncheck "$(go list -f '{{.Dir}}/...' -m | xargs)" diff --git a/.github/workflows/test-lint.yml b/.github/workflows/test-lint.yml index fa887e4b9..3cc0b4334 100644 --- a/.github/workflows/test-lint.yml +++ b/.github/workflows/test-lint.yml @@ -46,7 +46,7 @@ jobs: run: | mods=$(go list -f '{{.Dir}}/...' -m | xargs) echo "Found mods: $mods" - echo "submods=${mods}" >> $GITHUB_OUTPUT + echo "submods=${mods}" >> "$GITHUB_OUTPUT" - name: golangci-lint uses: golangci/golangci-lint-action@07db5389c99593f11ad7b44463c2d4233066a9b1 # tag=v3.3.0 diff --git a/.github/workflows/test-operator-codegen.yml b/.github/workflows/test-operator-codegen.yml index e286f5e7f..fea2ac585 100644 --- a/.github/workflows/test-operator-codegen.yml +++ b/.github/workflows/test-operator-codegen.yml @@ -35,7 +35,7 @@ jobs: run: | dirs=$(find . \! -name . -prune -type d) for dir in $dirs; do - (cd $dir; make manifests generate) + (cd "$dir"; make manifests generate) done - name: Check diff and fail on changes diff --git a/.github/workflows/test-tf.yml b/.github/workflows/test-tf.yml index 25957a738..853277f9d 100644 --- a/.github/workflows/test-tf.yml +++ b/.github/workflows/test-tf.yml 
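Review bot: Quoting `"$(go list -f '{{.Dir}}/...' -m | xargs)"` changes behaviour: `xargs` joins the module patterns into one space-separated line, and the quotes now hand that line to `govulncheck` as a single argument, so with more than one module the scanner receives a pattern like `/a/... /b/...` instead of separate patterns and either errors out or misses modules. The unquoted form relied on word splitting on purpose; to satisfy shellcheck without losing that, read the list into an array and expand it, `mapfile -t mods < <(go list -f '{{.Dir}}/...' -m)` then `GOMEMLIMIT=5GiB govulncheck "${mods[@]}"` (the step already uses `shell: bash`). The `submods` output earlier in the hunk is unaffected since it is only written to `$GITHUB_OUTPUT`.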
@@ -32,8 +32,8 @@ jobs: result=0 for dir in $dirs; do echo "Checking $dir" - terraform -chdir=$dir init || result=1 - terraform -chdir=$dir fmt -check=true -diff=true || result=1 - terraform -chdir=$dir validate -no-color || result=1 + terraform -chdir="$dir" init || result=1 + terraform -chdir="$dir" fmt -check=true -diff=true || result=1 + terraform -chdir="$dir" validate -no-color || result=1 done exit $result diff --git a/.github/workflows/test-tfsec.yml b/.github/workflows/test-tfsec.yml index c1fdcaa17..45b663940 100644 --- a/.github/workflows/test-tfsec.yml +++ b/.github/workflows/test-tfsec.yml @@ -36,4 +36,4 @@ jobs: - name: tfsec summary shell: bash - run: cat results.text | tail -n 27 >> $GITHUB_STEP_SUMMARY + run: tail -n 27 results.text >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/test-tidy.yml b/.github/workflows/test-tidy.yml index 7d22e07fc..ec5702d65 100644 --- a/.github/workflows/test-tidy.yml +++ b/.github/workflows/test-tidy.yml @@ -38,7 +38,7 @@ jobs: run: | mods=$(go list -f '{{.Dir}}' -m | xargs) echo "Found mods: $mods" - echo "submods=${mods}" >> $GITHUB_OUTPUT + echo "submods=${mods}" >> "$GITHUB_OUTPUT" - name: Go tidy check id: tidycheck @@ -54,7 +54,8 @@ jobs: if: ${{ failure() && (steps.tidycheck.conclusion == 'failure') && startsWith(github.head_ref, 'renovate/') }} shell: bash run: | - for mod in ${{ steps.submods.outputs.submods }}; do + mods=${{ steps.submods.outputs.submods }} + for mod in $mods; do (cd $mod; go mod tidy) done diff --git a/.github/workflows/update-cli-reference.yml b/.github/workflows/update-cli-reference.yml index 57e7cd331..e0bff98c5 100644 --- a/.github/workflows/update-cli-reference.yml +++ b/.github/workflows/update-cli-reference.yml 
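Review bot: `mods=${{ steps.submods.outputs.submods }}` is expanded by GitHub before bash runs, so with more than one module the script becomes `mods=/path/a /path/b …`: bash assigns only the first path and tries to execute the second as a command, which under `shell: bash` (`-e`) fails the step. Quote the assignment, `mods="${{ steps.submods.outputs.submods }}"`, or better move the expression out of the script text with `MODS: ${{ steps.submods.outputs.submods }}` under the step's `env:` and `for mod in $MODS; do`. The `(cd $mod; go mod tidy)` line that follows should get the same quoting as the rest of this commit, `(cd "$mod" && go mod tidy)`, so a failed `cd` does not run `go mod tidy` in the wrong directory.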
@@ -31,12 +31,12 @@ jobs: - name: Get commit sha run: | - echo "COMMIT_END=$(echo ${{ github.sha }} | cut -c1-8)" >> $GITHUB_ENV + echo "COMMIT_END=$(echo ${{ github.sha }} | cut -c1-8)" >> "$GITHUB_ENV" - name: Check if action branch exists run: | - ex=$(git ls-remote --heads origin action/constellation/update-cli-reference) - echo "EXISTS=$(if [ -z "$ex" ]; then echo 0; else echo 1; fi)" >> $GITHUB_ENV + ex="$(git ls-remote --heads origin action/constellation/update-cli-reference)" + echo "EXISTS=$(if [ -z "$ex" ]; then echo 0; else echo 1; fi)" >> "$GITHUB_ENV" - name: Publish new reference (create new branch) if: ${{ env.EXISTS == 0 }}
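Review bot: `echo "COMMIT_END=$(echo ${{ github.sha }} | cut -c1-8)" >> "$GITHUB_ENV"` still interpolates the expression into the script and spawns two processes for a substring; `echo "COMMIT_END=${GITHUB_SHA:0:8}" >> "$GITHUB_ENV"` uses the runner-provided variable, needs no quoting fix and keeps expression text out of the shell. The `EXISTS` flag in the next step is written as `0`/`1` and read back by `if: ${{ env.EXISTS == 0 }}`, which works only through the expression engine's string-to-number coercion; writing `true`/`false` and comparing with `env.EXISTS == 'false'` makes the intent explicit.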