ci: use nix + mkosi during os image build
This commit is contained in:
parent
f6d9f91877
commit
1da5153627
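--- a/.github/actions/build_debugd/action.yml
+++ b/.github/actions/build_debugd/action.yml
@@ -1,28 +0,0 @@
-name: Build debugd
-description: Build the Constellation debugd binary
-
-inputs:
-outputPath:
-description: "Output path of the binary"
-default: "./build/debugd"
-required: true
-
-# Linux runner only (homedir trick does not work on macOS, required for private runner)
-runs:
-using: "composite"
-steps:
-- name: Build debugd
-shell: bash
-env:
-OUTPUT_PATH: ${{ inputs.outputPath }}
-run: |
-echo "::group::Build debugd"
-mkdir -p "$(dirname "${OUTPUT_PATH}")"
-label=//debugd/cmd/debugd:debugd_linux_amd64
-bazel build "${label}"
-repository_root=$(git rev-parse --show-toplevel)
-out_rel=$(bazel cquery --output=files "${label}")
-out_loc="$(realpath "${repository_root}/${out_rel}")"
-cp "${out_loc}" "${OUTPUT_PATH}"
-chmod +w "${OUTPUT_PATH}"
-echo "::endgroup::"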
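--- a/.github/actions/build_disk_mapper/action.yml
+++ b/.github/actions/build_disk_mapper/action.yml
@@ -1,28 +0,0 @@
-name: Build disk-mapper
-description: Build the Constellation disk-mapper binary
-
-inputs:
-outputPath:
-description: "Output path of the binary"
-default: "./build/disk-mapper"
-required: true
-
-# Linux runner only (Docker required)
-runs:
-using: "composite"
-steps:
-- name: Build the disk-mapper
-shell: bash
-env:
-OUTPUT_PATH: ${{ inputs.outputPath }}
-run: |
-echo "::group::Build the disk-mapper"
-mkdir -p "$(dirname "${OUTPUT_PATH}")"
-label="//disk-mapper/cmd:disk-mapper_linux_amd64"
-bazel build "${label}"
-repository_root=$(git rev-parse --show-toplevel)
-out_rel=$(bazel cquery --output=files "${label}")
-out_loc="$(realpath "${repository_root}/${out_rel}")"
-cp "${out_loc}" "${OUTPUT_PATH}"
-chmod +w "${OUTPUT_PATH}"
-echo "::endgroup::"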
@ -1,28 +0,0 @@
|
||||
name: Build measurement-reader
|
||||
description: Build the Constellation measurement-reader binary
|
||||
|
||||
inputs:
|
||||
outputPath:
|
||||
description: "Output path of the binary"
|
||||
default: "./build/measurement-reader"
|
||||
required: true
|
||||
|
||||
# Linux runner only (Docker required)
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Build the measurement-reader
|
||||
shell: bash
|
||||
env:
|
||||
OUTPUT_PATH: ${{ inputs.outputPath }}
|
||||
run: |
|
||||
echo "::group::Build the measurement-reader"
|
||||
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
||||
label="//measurement-reader/cmd:measurement-reader_linux_amd64"
|
||||
bazel build "${label}"
|
||||
repository_root=$(git rev-parse --show-toplevel)
|
||||
out_rel=$(bazel cquery --output=files "${label}")
|
||||
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
||||
cp "${out_loc}" "${OUTPUT_PATH}"
|
||||
chmod +w "${OUTPUT_PATH}"
|
||||
echo "::endgroup::"
|
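--- a/.github/actions/setup_mkosi/action.yaml
+++ b/.github/actions/setup_mkosi/action.yaml
@@ -1,67 +0,0 @@
-name: Setup mkosi
-description: Install mkosi and all its dependencies
-inputs:
-version:
-description: "Version (commit hash) of mkosi to install."
-required: true
-systemdVersion:
-description: "Version (commit hash) of systemd to install."
-required: true
-runs:
-using: composite
-steps:
-- name: Dependencies
-shell: bash
-run: |
-echo "::group::Dependencies"
-echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
-sudo apt-get update
-sudo apt-get install --assume-yes --no-install-recommends \
-bubblewrap \
-dnf \
-e2fsprogs \
-libfdisk-dev \
-mtools \
-ovmf \
-python3-pefile \
-python3-pyelftools \
-python3-setuptools \
-qemu-system-x86 \
-squashfs-tools \
-systemd-container
-echo "::endgroup::"
-
-- name: Checkout systemd
-uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-with:
-repository: systemd/systemd
-path: ${{ github.action_path }}/systemd
-ref: ${{ inputs.systemdVersion }}
-
-- name: Update systemd tools
-shell: bash
-working-directory: ${{ github.action_path }}
-run: |
-echo "::group::Update systemd tools"
-sudo apt-get build-dep systemd
-meson systemd/build systemd -Drepart=true -Defi=true -Dbootloader=true
-
-BINARIES=(
-bootctl
-systemctl
-systemd-analyze
-systemd-dissect
-systemd-nspawn
-systemd-repart
-ukify
-)
-
-ninja -C systemd/build ${BINARIES[@]}
-for BINARY in "${BINARIES[@]}"; do
-sudo ln -svf $PWD/systemd/build/$BINARY /usr/bin/$BINARY
-done
-echo "::endgroup::"
-
-- name: Install
-shell: bash
-run: sudo python3 -m pip install git+https://github.com/systemd/mkosi.git@${{ inputs.version }}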
@ -1,24 +0,0 @@
|
||||
lief==0.13.1 \
|
||||
--hash=sha256:018b542f09fe2305e1585a3e63a7e5132927b835062b456e5c8c571db7784d1e \
|
||||
--hash=sha256:0283a4c749afe58be8e21cdd9be79c657c51ca9b8346f75f4b97349b1f022851 \
|
||||
--hash=sha256:04c87039d1e68ebc467f83136179626403547dd1ce851541345f8ca0b1fe6c5b \
|
||||
--hash=sha256:16753bd72b1e3932d94d088a93b64e08c1f6c8bce1b064b47fe66ed73d9562b2 \
|
||||
--hash=sha256:23617d96d162081f8bf315d9b0494845891f8d0f04ad60991b83367ee9e261aa \
|
||||
--hash=sha256:3cfbc6c50f9e3a8015cd5ee88dfe83f423562c025439143bbd5c086a3f9fe599 \
|
||||
--hash=sha256:57bdb0471760c4ff520f5e5d005e503cc7ea3ebe22df307bb579a1a561b8c4e9 \
|
||||
--hash=sha256:661abaa48bc032b9a7529e0b73d2ced3e4a1f13381592f6b9e940750b07a5ac2 \
|
||||
--hash=sha256:8439805a389cc67b6d4ea7d757a3211f22298edce53c5b064fdf8bf05fabba54 \
|
||||
--hash=sha256:95a4b6d1f8dba9360aecf7542e54ce5eb02c0e88f2d827b5445594d5d51109f5 \
|
||||
--hash=sha256:965fadb1301d1a81f16067e4fa743d2be3f6aa71391a83b752ff811ec74b0766 \
|
||||
--hash=sha256:a0472636ab15b9afecf8b5d55966912af8cb4de2f05b98fc05c87d51880d0208 \
|
||||
--hash=sha256:a18fee5cf69adf9d5ee977778ccd46c39c450960f806231b26b69011f81bc712 \
|
||||
--hash=sha256:a3c900f49c3d3135c728faeb386d13310bb3511eb2d4e1c9b109b48ae2658361 \
|
||||
--hash=sha256:aa7f45c5125be80a513624d3a5f6bd50751c2edc6de5357fde218580111c8535 \
|
||||
--hash=sha256:b1f295dbb57094443926ac6051bee9a1945d92344f470da1cb506060eb2f91ac \
|
||||
--hash=sha256:b53317d78f8b7528e3f2f358b3f9334a1a84fae88c5aec1a3b7717ed31bfb066 \
|
||||
--hash=sha256:bb8b285a6c670df590c36fc0c19b9d2e32b99f17e57afa29bb3052f1d55aa50f \
|
||||
--hash=sha256:be871116faa698b6d9da76b0caec2ec5b7e7b8781cfb3a4ac0c4e348fb37ab49 \
|
||||
--hash=sha256:bfbf8885a3643ea9aaf663d039f50ca58b228886c3fe412725b22851aeda3b77 \
|
||||
--hash=sha256:c6839df875e912edd3fc553ab5d1b916527adee9c57ba85c69314a93f7ba2e15 \
|
||||
--hash=sha256:ccfba33c02f21d4ede26ab85eb6539a00e74e236569c13dcbab2e157b73673c4 \
|
||||
--hash=sha256:e414d6c23f26053f4824d080885ab1b75482122796cba7d09cbf157900646289
|
354
.github/workflows/build-os-image.yml
vendored
354
.github/workflows/build-os-image.yml
vendored
@ -45,84 +45,6 @@ on:
|
||||
required: false
|
||||
|
||||
jobs:
|
||||
build-dependencies:
|
||||
name: "Build binaries for embedding in the OS"
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: read
|
||||
outputs:
|
||||
bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }}
|
||||
disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }}
|
||||
upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }}
|
||||
measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
||||
with:
|
||||
go-version: "1.20.8"
|
||||
cache: true
|
||||
|
||||
- name: Setup bazel
|
||||
uses: ./.github/actions/setup_bazel
|
||||
with:
|
||||
useCache: "false"
|
||||
|
||||
- name: Build bootstrapper
|
||||
if: inputs.stream != 'debug'
|
||||
uses: ./.github/actions/build_bootstrapper
|
||||
with:
|
||||
outputPath: ${{ github.workspace }}/build/bootstrapper
|
||||
|
||||
- name: Build debugd
|
||||
if: inputs.stream == 'debug'
|
||||
uses: ./.github/actions/build_debugd
|
||||
with:
|
||||
outputPath: ${{ github.workspace }}/build/debugd
|
||||
|
||||
- name: Build disk-mapper
|
||||
uses: ./.github/actions/build_disk_mapper
|
||||
with:
|
||||
outputPath: ${{ github.workspace }}/build/disk-mapper
|
||||
|
||||
- name: Build upgrade-agent
|
||||
uses: ./.github/actions/build_upgrade_agent
|
||||
with:
|
||||
outputPath: ${{ github.workspace }}/build/upgrade-agent
|
||||
|
||||
- name: Build measurement-reader
|
||||
uses: ./.github/actions/build_measurement_reader
|
||||
with:
|
||||
outputPath: ${{ github.workspace }}/build/measurement-reader
|
||||
|
||||
- name: Upload dependencies
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||
env:
|
||||
MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }}
|
||||
with:
|
||||
name: dependencies
|
||||
path: |
|
||||
${{ github.workspace }}/build/${{ env.MAIN_BINARY }}
|
||||
${{ github.workspace }}/build/disk-mapper
|
||||
${{ github.workspace }}/build/upgrade-agent
|
||||
${{ github.workspace }}/build/measurement-reader
|
||||
|
||||
- name: Collect hashes
|
||||
id: collect-hashes
|
||||
working-directory: ${{ github.workspace }}/build
|
||||
run: |
|
||||
{
|
||||
echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)"
|
||||
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)"
|
||||
echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)"
|
||||
echo "measurement-reader-sha256=$(sha256sum measurement-reader | head -c 64)"
|
||||
} | tee -a "$GITHUB_OUTPUT"
|
||||
|
||||
build-settings:
|
||||
name: "Determine build settings"
|
||||
runs-on: ubuntu-22.04
|
||||
@ -130,7 +52,6 @@ jobs:
|
||||
ref: ${{ steps.ref.outputs.ref }}
|
||||
stream: ${{ steps.stream.outputs.stream }}
|
||||
imageType: ${{ steps.image-type.outputs.imageType }}
|
||||
pkiSet: ${{ steps.pki-set.outputs.pkiSet }}
|
||||
imageVersion: ${{ steps.image-version.outputs.imageVersion }}
|
||||
imageName: ${{ steps.image-version.outputs.imageName }}
|
||||
imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
|
||||
@ -185,16 +106,6 @@ jobs:
|
||||
;;
|
||||
esac
|
||||
|
||||
- name: Determine PKI set
|
||||
id: pki-set
|
||||
shell: bash
|
||||
run: |
|
||||
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ steps.stream.outputs.stream }}" == "stable" ]]; then
|
||||
echo "pkiSet=pki_prod" | tee -a "$GITHUB_OUTPUT"
|
||||
else
|
||||
echo "pkiSet=pki_testing" | tee -a "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
- name: Determine image version
|
||||
id: image-version
|
||||
shell: bash
|
||||
@ -220,43 +131,10 @@ jobs:
|
||||
|
||||
make-os-image:
|
||||
name: "Build OS using mkosi"
|
||||
needs: [build-settings, build-dependencies]
|
||||
needs: [build-settings]
|
||||
runs-on: ubuntu-22.04
|
||||
# TODO(malt3): flatten outputs once possible
|
||||
# https://github.com/community/community/discussions/17245
|
||||
outputs:
|
||||
image-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-aws-nitro-tpm-sha256 }}
|
||||
image-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-azure-sev-snp-sha256 }}
|
||||
image-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-gcp-sev-es-sha256 }}
|
||||
image-raw-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-qemu-vtpm-sha256 }}
|
||||
image-efi-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-aws-nitro-tpm-sha256 }}
|
||||
image-efi-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-azure-sev-snp-sha256 }}
|
||||
image-efi-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-gcp-sev-es-sha256 }}
|
||||
image-efi-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-qemu-vtpm-sha256 }}
|
||||
image-initrd-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-aws-nitro-tpm-sha256 }}
|
||||
image-initrd-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-azure-sev-snp-sha256 }}
|
||||
image-initrd-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-gcp-sev-es-sha256 }}
|
||||
image-initrd-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-qemu-vtpm-sha256 }}
|
||||
image-root-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }}
|
||||
image-root-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-azure-sev-snp-sha256 }}
|
||||
image-root-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }}
|
||||
image-root-raw-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }}
|
||||
image-root-verity-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }}
|
||||
image-root-verity-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-azure-sev-snp-sha256 }}
|
||||
image-root-verity-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }}
|
||||
image-root-verity-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }}
|
||||
image-vmlinuz-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }}
|
||||
image-vmlinuz-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }}
|
||||
image-vmlinuz-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }}
|
||||
image-vmlinuz-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-qemu-vtpm-sha256 }}
|
||||
image-raw-changelog-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-aws-nitro-tpm-sha256 }}
|
||||
image-raw-changelog-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-azure-sev-snp-sha256 }}
|
||||
image-raw-changelog-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-gcp-sev-es-sha256 }}
|
||||
image-raw-changelog-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-qemu-vtpm-sha256 }}
|
||||
image-raw-manifest-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-aws-nitro-tpm-sha256 }}
|
||||
image-raw-manifest-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-azure-sev-snp-sha256 }}
|
||||
image-raw-manifest-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-gcp-sev-es-sha256 }}
|
||||
image-raw-manifest-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-qemu-vtpm-sha256 }}
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
@ -281,97 +159,36 @@ jobs:
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
- name: Download build dependencies
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: dependencies
|
||||
path: ${{ github.workspace }}/build
|
||||
|
||||
- name: Mark bootstrapper, debugd, disk-mapper, measurement-reader, and upgrade-agent as executable
|
||||
run: |
|
||||
chmod +x ${{ github.workspace }}/build/bootstrapper || true
|
||||
chmod +x ${{ github.workspace }}/build/debugd || true
|
||||
chmod +x ${{ github.workspace }}/build/disk-mapper
|
||||
chmod +x ${{ github.workspace }}/build/upgrade-agent
|
||||
chmod +x ${{ github.workspace }}/build/measurement-reader
|
||||
|
||||
- name: Setup mkosi
|
||||
uses: ./.github/actions/setup_mkosi
|
||||
with:
|
||||
version: d8b32fbf3077b612db0024276e73cec3c2c87577
|
||||
systemdVersion: f6e94c5f7ddd796095cf6294857e535dcdbfc677
|
||||
|
||||
- name: Prepare PKI for secure boot signing
|
||||
id: prepare-pki
|
||||
shell: bash
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
env:
|
||||
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
|
||||
DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
|
||||
run: |
|
||||
echo "${DB_KEY}" > "${PKI_SET}/db.key"
|
||||
chmod 600 "${PKI_SET}/db.key"
|
||||
ln -s "${PKI_SET}" pki
|
||||
- uses: cachix/install-nix-action@v22
|
||||
|
||||
- name: Build
|
||||
id: build
|
||||
shell: bash
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
env:
|
||||
BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
|
||||
DEBUGD_BINARY: ${{ github.workspace }}/build/bootstrapper
|
||||
DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
|
||||
UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent
|
||||
MEASUREMENT_READER_BINARY: ${{ github.workspace }}/build/measurement-reader
|
||||
DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }}
|
||||
AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }}
|
||||
IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
|
||||
CSP: ${{ matrix.csp }}
|
||||
ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
|
||||
TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
|
||||
run: |
|
||||
echo "::group::Build"
|
||||
sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}_${ATTESTATION_VARIANT}"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Collect hashes
|
||||
id: collect-hashes
|
||||
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
|
||||
run: |
|
||||
bazel build --host_platform=@rules_nixpkgs_core//platforms:host "${TARGET}"
|
||||
{
|
||||
echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.raw | head -c 64)"
|
||||
echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.efi | head -c 64)"
|
||||
echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.esp.raw | head -c 64)"
|
||||
echo "image-root-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64.raw | head -c 64)"
|
||||
echo "image-root-verity-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64-verity.raw | head -c 64)"
|
||||
echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.vmlinuz | head -c 64)"
|
||||
echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)"
|
||||
echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)"
|
||||
echo "image-dir=$(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files "$TARGET")"
|
||||
} | tee -a "$GITHUB_OUTPUT"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Upload raw OS image as artifact
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||
with:
|
||||
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw
|
||||
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
|
||||
|
||||
- name: Upload individual OS parts as artifacts
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||
with:
|
||||
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: |
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.cmdline
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.efi
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.esp.raw
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64.raw
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64-verity.raw
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.vmlinuz
|
||||
|
||||
- name: Upload manifest as artifact
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||
with:
|
||||
name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
||||
path: |
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.changelog
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.manifest
|
||||
${{ steps.build.outputs.image-dir }}/constellation.efi
|
||||
${{ steps.build.outputs.image-dir }}/constellation.initrd
|
||||
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
|
||||
|
||||
upload-os-image:
|
||||
name: "Upload OS image to CSP"
|
||||
@ -399,7 +216,7 @@ jobs:
|
||||
- csp: openstack
|
||||
attestation_variant: qemu-vtpm
|
||||
env:
|
||||
RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw
|
||||
RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/constellation.raw
|
||||
JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json
|
||||
AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd
|
||||
GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz
|
||||
@ -446,13 +263,6 @@ jobs:
|
||||
with:
|
||||
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
|
||||
|
||||
- name: Prepare PKI for image upload
|
||||
id: prepare-pki
|
||||
shell: bash
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
run: |
|
||||
ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
|
||||
|
||||
- name: Upload AWS image
|
||||
if: matrix.csp == 'aws'
|
||||
shell: bash
|
||||
@ -575,7 +385,6 @@ jobs:
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
echo "::group::Install dependencies"
|
||||
python -m pip install --user --require-hashes -r .github/workflows/build-os-image-requirements.txt
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y systemd-container # for systemd-dissect
|
||||
echo "::endgroup::"
|
||||
@ -584,13 +393,7 @@ jobs:
|
||||
working-directory: ${{ github.workspace }}/image/measured-boot
|
||||
run: |
|
||||
echo "::group::Calculate expected PCRs"
|
||||
{
|
||||
./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
|
||||
./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
|
||||
./precalculate_pcr_12.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-12-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json ${{ matrix.csp }}
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
cp pcr-stable.json ${{ github.workspace }}/
|
||||
jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
|
||||
bazel run --run_under="sudo -E" //image/measured-boot/cmd ${{ github.workspace }}/constellation.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json >> "$GITHUB_STEP_SUMMARY"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Add static PCRs
|
||||
@ -614,7 +417,7 @@ jobs:
|
||||
.measurements.12.warnOnly = false |
|
||||
.measurements.13.warnOnly = false |
|
||||
.measurements.14.warnOnly = true |
|
||||
.measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" |
|
||||
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
||||
.measurements.15.warnOnly = false' \
|
||||
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
||||
;;
|
||||
@ -634,7 +437,7 @@ jobs:
|
||||
.measurements.12.warnOnly = false |
|
||||
.measurements.13.warnOnly = false |
|
||||
.measurements.14.warnOnly = true |
|
||||
.measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" |
|
||||
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
||||
.measurements.15.warnOnly = false' \
|
||||
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
||||
;;
|
||||
@ -656,7 +459,7 @@ jobs:
|
||||
.measurements.12.warnOnly = false |
|
||||
.measurements.13.warnOnly = false |
|
||||
.measurements.14.warnOnly = true |
|
||||
.measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" |
|
||||
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
||||
.measurements.15.warnOnly = false' \
|
||||
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
||||
;;
|
||||
@ -669,6 +472,8 @@ jobs:
|
||||
.measurements.11.warnOnly = false |
|
||||
.measurements.12.warnOnly = false |
|
||||
.measurements.13.warnOnly = false |
|
||||
.measurements.14.warnOnly = true |
|
||||
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
||||
.measurements.15.warnOnly = false' \
|
||||
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
||||
;;
|
||||
@ -681,6 +486,8 @@ jobs:
|
||||
.measurements.11.warnOnly = false |
|
||||
.measurements.12.warnOnly = false |
|
||||
.measurements.13.warnOnly = false |
|
||||
.measurements.14.warnOnly = true |
|
||||
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
||||
.measurements.15.warnOnly = false' \
|
||||
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
||||
;;
|
||||
@ -797,127 +604,6 @@ jobs:
|
||||
--signature measurements.json.sig
|
||||
echo "::endgroup::"
|
||||
|
||||
generate-sbom:
|
||||
name: "Generate SBOM"
|
||||
needs: [build-settings, build-dependencies, make-os-image]
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: read
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Login to AWS
|
||||
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
||||
with:
|
||||
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
||||
aws-region: eu-central-1
|
||||
|
||||
- name: Install squashfs tools
|
||||
run: |
|
||||
echo "::group::Install squashfs tools"
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y squashfs-tools
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Download rootfs
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
# downloading / using only the QEMU rootfs is fine
|
||||
# since the images only differ in the ESP partition
|
||||
name: parts-qemu-qemu-vtpm
|
||||
|
||||
- name: Download manifest
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
# downloading / using only the QEMU manifest is fine
|
||||
# since the images only differ in the ESP partition
|
||||
name: manifest-qemu-qemu-vtpm
|
||||
|
||||
- name: Unpack squashfs
|
||||
run: |
|
||||
echo "::group::Unpack squashfs"
|
||||
unsquashfs -user-xattrs -d image.root.tree image.root-x86-64.raw
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Create SBOM in SPDX fromat
|
||||
uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
|
||||
with:
|
||||
path: image.root.tree
|
||||
artifact-name: sbom.spdx.json
|
||||
output-file: sbom.spdx.json
|
||||
format: spdx-json
|
||||
|
||||
- name: Create SBOM in CycloneDX fromat
|
||||
uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
|
||||
with:
|
||||
path: image.root.tree
|
||||
artifact-name: sbom.cyclonedx.json
|
||||
output-file: sbom.cyclonedx.json
|
||||
format: cyclonedx-json
|
||||
|
||||
- name: Create SBOM in Syft fromat
|
||||
uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
|
||||
with:
|
||||
path: image.root.tree
|
||||
artifact-name: sbom.syft.json
|
||||
output-file: sbom.syft.json
|
||||
format: syft-json
|
||||
|
||||
- name: Combine hashes
|
||||
run: |
|
||||
cat > SHA256SUMS <<EOF
|
||||
${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
|
||||
${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
|
||||
${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent
|
||||
${{ needs.build-dependencies.outputs.measurement-reader-sha256 }} measurement-reader
|
||||
${{ needs.make-os-image.outputs.image-raw-aws-aws-nitro-tpm-sha256 }} aws/image.raw
|
||||
${{ needs.make-os-image.outputs.image-raw-changelog-aws-aws-nitro-tpm-sha256 }} aws/image.changelog
|
||||
${{ needs.make-os-image.outputs.image-raw-manifest-aws-aws-nitro-tpm-sha256 }} aws/image.manifest
|
||||
${{ needs.make-os-image.outputs.image-efi-aws-aws-nitro-tpm-sha256 }} aws/image.efi
|
||||
${{ needs.make-os-image.outputs.image-initrd-aws-aws-nitro-tpm-sha256 }} aws/image.initrd
|
||||
${{ needs.make-os-image.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }} aws/image.root-x86-64.raw
|
||||
${{ needs.make-os-image.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }} aws/image.root.verity
|
||||
${{ needs.make-os-image.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }} aws/image.vmlinuz
|
||||
${{ needs.make-os-image.outputs.image-raw-azure-azure-sev-snp-sha256 }} azure/image.raw
|
||||
${{ needs.make-os-image.outputs.image-raw-changelog-azure-azure-sev-snp-sha256 }} azure/image.changelog
|
||||
${{ needs.make-os-image.outputs.image-raw-manifest-azure-azure-sev-snp-sha256 }} azure/image.manifest
|
||||
${{ needs.make-os-image.outputs.image-efi-azure-azure-sev-snp-sha256 }} azure/image.efi
|
||||
${{ needs.make-os-image.outputs.image-initrd-azure-azure-sev-snp-sha256 }} azure/image.initrd
|
||||
${{ needs.make-os-image.outputs.image-root-raw-azure-azure-sev-snp-sha256 }} azure/image.root-x86-64.raw
|
||||
${{ needs.make-os-image.outputs.image-root-verity-azure-azure-sev-snp-sha256 }} azure/image.root.verity
|
||||
${{ needs.make-os-image.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }} azure/image.vmlinuz
|
||||
${{ needs.make-os-image.outputs.image-raw-gcp-gcp-sev-es-sha256 }} gcp/image.raw
|
||||
${{ needs.make-os-image.outputs.image-raw-changelog-gcp-gcp-sev-es-sha256 }} gcp/image.changelog
|
||||
${{ needs.make-os-image.outputs.image-raw-manifest-gcp-gcp-sev-es-sha256 }} gcp/image.manifest
|
||||
${{ needs.make-os-image.outputs.image-efi-gcp-gcp-sev-es-sha256 }} gcp/image.efi
|
||||
${{ needs.make-os-image.outputs.image-initrd-gcp-gcp-sev-es-sha256 }} gcp/image.initrd
|
||||
${{ needs.make-os-image.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }} gcp/image.root-x86-64.raw
|
||||
${{ needs.make-os-image.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }} gcp/image.root.verity
|
||||
${{ needs.make-os-image.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }} gcp/image.vmlinuz
|
||||
${{ needs.make-os-image.outputs.image-raw-qemu-qemu-vtpm-sha256 }} qemu/image.raw
|
||||
${{ needs.make-os-image.outputs.image-raw-changelog-qemu-qemu-vtpm-sha256 }} qemu/image.changelog
|
||||
${{ needs.make-os-image.outputs.image-raw-manifest-qemu-qemu-vtpm-sha256 }} qemu/image.manifest
|
||||
${{ needs.make-os-image.outputs.image-efi-qemu-qemu-vtpm-sha256 }} qemu/image.efi
|
||||
${{ needs.make-os-image.outputs.image-initrd-qemu-qemu-vtpm-sha256 }} qemu/image.initrd
|
||||
${{ needs.make-os-image.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }} qemu/image.root-x86-64.raw
|
||||
${{ needs.make-os-image.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }} qemu/image.root.verity
|
||||
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-qemu-vtpm-sha256 }} qemu/image.vmlinuz
|
||||
EOF
|
||||
cat SHA256SUMS
|
||||
echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
- name: Upload SBOMs to S3
|
||||
shell: bash
|
||||
run: |
|
||||
sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json'
|
||||
manifests='image.manifest image.changelog'
|
||||
hashes='SHA256SUMS'
|
||||
for file in ${sboms} ${manifests} ${hashes}; do
|
||||
aws s3 cp \
|
||||
"${file}" \
|
||||
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
|
||||
--no-progress
|
||||
done
|
||||
|
||||
upload-artifacts:
|
||||
name: "Upload image lookup table and CLI compatibility info"
|
||||
runs-on: ubuntu-22.04
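Review bot: The new `- uses: cachix/install-nix-action@v22` step in make-os-image references a mutable tag, while every other action in this workflow is pinned to a full commit SHA with a version comment (e.g. `actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3`); since this step installs the toolchain that builds the OS image whose measurements are later signed (`--signature measurements.json.sig`), pin it the same way, `- uses: cachix/install-nix-action@<commit-sha> # v22`. The new Build step exports only `image-dir`, and the per-artifact sha256 outputs, the generate-sbom job and the SHA256SUMS/SBOM upload to S3 are removed, so nothing on the new side publishes image hashes or an SBOM — if that now happens inside the Bazel target, a comment at the Build step saying so would help, otherwise consumers of `imageApiBasePath` silently lose those files. Likewise the steps that wrote the Secure Boot `db.key` secret and linked `pki` are gone with no replacement visible in this diff, so it is unclear where a `pki_prod` release image gets signed now; please confirm the Bazel/Nix build covers signing and note it next to `TARGET`. Finally, `bazel run --run_under="sudo -E" //image/measured-boot/cmd ...` runs the PCR calculator as root with the entire job environment preserved; if root is needed only to mount the image, pass the few variables it needs rather than `-E`.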