ci: use native go code for os image upload
This commit is contained in:
parent
ee91d8b1cc
commit
2efa3083dc
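--- a/.github/actions/os_build_variables/action.yml
+++ /dev/null
@@ -1,304 +0,0 @@
-name: Determine OS image upload variables
-description: "Determine parameters used for image upload to various CSPs."
-inputs:
-  csp:
-    description: "Cloud Service Provider"
-    required: true
-  uploadVariant:
-    description: "Upload variant"
-    required: true
-  basePath:
-    description: "Base path to the image build directory"
-    required: true
-  ref:
-    description: "Branch of the image to be built (or '-' for releases)"
-    required: true
-  stream:
-    description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
-    required: true
-  imageVersion:
-    description: "Semantic version including patch e.g. v<major>.<minor>.<patch> or pseudo version"
-    required: false
-  imageType:
-    description: "Type of image to build"
-    required: true
-  debug:
-    description: "Build debug image"
-    required: false
-    default: "false"
-outputs:
-  awsRegion:
-    description: "Primary AWS region"
-    value: ${{ steps.aws.outputs.region }}
-  awsReplicationRegions:
-    description: "AWS regions to replicate the image to"
-    value: ${{ steps.aws.outputs.replicationRegions }}
-  awsBucket:
-    description: "AWS S3 bucket to upload the image to"
-    value: ${{ steps.aws.outputs.bucket }}
-  awsEfivarsPath:
-    description: "AWS efivars path"
-    value: ${{ steps.aws.outputs.efivarsPath }}
-  awsImagePath:
-    description: "AWS image path"
-    value: ${{ steps.aws.outputs.imagePath }}
-  awsJsonOutput:
-    description: "AWS ami json output path"
-    value: ${{ steps.aws.outputs.jsonOutput }}
-  awsImageFilename:
-    description: "AWS raw image filename"
-    value: ${{ steps.aws.outputs.imageFilename }}
-  awsImageName:
-    description: "AWS image name"
-    value: ${{ steps.aws.outputs.imageName }}
-  awsPublish:
-    description: "Should AWS AMI be published"
-    value: ${{ steps.aws.outputs.publish }}
-  azureResourceGroupName:
-    description: "Azure resource group name"
-    value: ${{ steps.azure.outputs.resourceGroupName }}
-  azureRegion:
-    description: "Primary Azure region"
-    value: ${{ steps.azure.outputs.region }}
-  azureReplicationRegions:
-    description: "Azure regions to replicate the image to"
-    value: ${{ steps.azure.outputs.replicationRegions }}
-  azureVmgsRegion:
-    description: "Azure VMGS region (AWS S3 bucket region where VMGS blob is stored)"
-    value: ${{ steps.azure.outputs.vmgsRegion }}
-  azureSku:
-    description: "Azure SIG SKU"
-    value: ${{ steps.azure.outputs.sku }}
-  azurePublisher:
-    description: "Azure SIG publisher"
-    value: ${{ steps.azure.outputs.publisher }}
-  azureRawImagePath:
-    description: "Azure raw image path"
-    value: ${{ steps.azure.outputs.rawImagePath }}
-  azureImagePath:
-    description: "Azure image path"
-    value: ${{ steps.azure.outputs.imagePath }}
-  azureJsonOutput:
-    description: "Azure image json output path"
-    value: ${{ steps.azure.outputs.jsonOutput }}
-  azureSecurityType:
-    description: "Azure security type"
-    value: ${{ steps.azure.outputs.securityType }}
-  azureDiskName:
-    description: "Azure disk name"
-    value: ${{ steps.azure.outputs.diskName }}
-  azureImageDefinition:
-    description: "Azure image definition"
-    value: ${{ steps.azure.outputs.imageDefinition }}
-  azureImageOffer:
-    description: "Azure image offer"
-    value: ${{ steps.azure.outputs.imageOffer }}
-  azureImageVersion:
-    description: "Azure image version"
-    value: ${{ steps.azure.outputs.imageVersion }}
-  azureGalleryName:
-    description: "Azure gallery name"
-    value: ${{ steps.azure.outputs.galleryName }}
-  azureVmgsPath:
-    description: "Azure VMGS path"
-    value: ${{ steps.azure.outputs.vmgsPath }}
-  gcpProject:
-    description: "GCP project"
-    value: ${{ steps.gcp.outputs.project }}
-  gcpBucket:
-    description: "GCP bucket"
-    value: ${{ steps.gcp.outputs.bucket }}
-  gcpRegion:
-    description: "GCP region"
-    value: ${{ steps.gcp.outputs.region }}
-  gcpRawImagePath:
-    description: "GCP raw image path"
-    value: ${{ steps.gcp.outputs.rawImagePath }}
-  gcpImagePath:
-    description: "GCP image path"
-    value: ${{ steps.gcp.outputs.imagePath }}
-  gcpJsonOutput:
-    description: "GCP image json output path"
-    value: ${{ steps.gcp.outputs.jsonOutput }}
-  gcpImageName:
-    description: "GCP image name"
-    value: ${{ steps.gcp.outputs.imageName }}
-  gcpImageFilename:
-    description: "GCP image filename"
-    value: ${{ steps.gcp.outputs.imageFilename }}
-  gcpImageFamily:
-    description: "GCP image family"
-    value: ${{ steps.gcp.outputs.imageFamily }}
-  openStackJsonOutput:
-    description: "OpenStack image json output path"
-    value: ${{ steps.openstack.outputs.jsonOutput }}
-  openStackBucket:
-    description: "OpenStack S3 bucket"
-    value: ${{ steps.openstack.outputs.bucket }}
-  openStackBaseUrl:
-    description: "OpenStack raw image base URL"
-    value: ${{ steps.openstack.outputs.baseUrl }}
-  openStackImagePath:
-    description: "OpenStack image path"
-    value: ${{ steps.openstack.outputs.imagePath }}
-  qemuJsonOutput:
-    description: "QEMU image json output path"
-    value: ${{ steps.qemu.outputs.jsonOutput }}
-  qemuBucket:
-    description: "QEMU S3 bucket"
-    value: ${{ steps.qemu.outputs.bucket }}
-  qemuBaseUrl:
-    description: "QEMU raw image base URL"
-    value: ${{ steps.qemu.outputs.baseUrl }}
-  qemuImagePath:
-    description: "QEMU image path"
-    value: ${{ steps.qemu.outputs.imagePath }}
-
-runs:
-  using: "composite"
-  steps:
-    - name: Determine version
-      id: version
-      uses: ./.github/actions/pseudo_version
-
-    - name: Configure AWS input variables
-      id: aws
-      if: inputs.csp == 'aws'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-        ref: ${{ inputs.ref }}
-        stream: ${{ inputs.stream }}
-        imageVersion: ${{ inputs.imageVersion }}
-        imageType: ${{ inputs.imageType }}
-        timestamp: ${{ steps.version.outputs.timestamp }}
-        semver: ${{ steps.version.outputs.semanticVersion }}
-      run: |
-        echo "region=eu-central-1" | tee -a "$GITHUB_OUTPUT"
-        echo "replicationRegions=us-east-2 ap-south-1" | tee -a "$GITHUB_OUTPUT"
-        echo "bucket=constellation-images" | tee -a "$GITHUB_OUTPUT"
-        echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~37/efivars.bin" | tee -a "$GITHUB_OUTPUT"
-        echo "imagePath=${basePath}/mkosi.output.aws/fedora~37/image.raw" | tee -a "$GITHUB_OUTPUT"
-        echo "jsonOutput=${basePath}/mkosi.output.aws/fedora~37/image-upload.json" | tee -a "$GITHUB_OUTPUT"
-        echo "imageFilename=image-$(date +%s).raw" | tee -a "$GITHUB_OUTPUT"
-        if [[ "${stream}" = "stable" ]]
-        then
-          echo "imageName=constellation-${imageVersion}" | tee -a "$GITHUB_OUTPUT"
-          echo "publish=true" | tee -a "$GITHUB_OUTPUT"
-        else
-          echo "imageName=constellation-${ref}-${stream}-${semver}-${timestamp}" | tee -a "$GITHUB_OUTPUT"
-          echo "publish=false" | tee -a "$GITHUB_OUTPUT"
-        fi
-
-    # gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
-    # image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
-    # image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
-    - name: Configure Azure input variables
-      id: azure
-      if: inputs.csp == 'azure'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-        ref: ${{ inputs.ref }}
-        stream: ${{ inputs.stream }}
-        imageVersion: ${{ inputs.imageVersion }}
-        imageType: ${{ inputs.imageType }}
-        timestamp: ${{ steps.version.outputs.timestamp }}
-        semver: ${{ steps.version.outputs.semanticVersion }}
-        uploadVariant: ${{ inputs.uploadVariant }}
-      run: |
-        echo "resourceGroupName=constellation-images" | tee -a "$GITHUB_OUTPUT"
-        echo "region=northeurope" | tee -a "$GITHUB_OUTPUT"
-        echo "vmgsRegion=eu-central-1" | tee -a "$GITHUB_OUTPUT"
-        echo "replicationRegions=northeurope eastus westeurope westus" | tee -a "$GITHUB_OUTPUT"
-        echo "sku=constellation" | tee -a "$GITHUB_OUTPUT"
-        echo "publisher=edgelesssys" | tee -a "$GITHUB_OUTPUT"
-        echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~37/image.raw" | tee -a "$GITHUB_OUTPUT"
-        echo "imagePath=${basePath}/mkosi.output.azure/fedora~37/image.vhd" | tee -a "$GITHUB_OUTPUT"
-        echo "jsonOutput=${basePath}/mkosi.output.azure/fedora~37/image-upload${uploadVariant}.json" | tee -a "$GITHUB_OUTPUT"
-        # TODO: set default security type to "ConfidentialVM" once replication is possible
-        securityType=${{ inputs.uploadVariant }}
-        if [[ -z "${securityType}" ]]; then
-          securityType=ConfidentialVMSupported
-        fi
-        echo "securityType=${securityType}" | tee -a "$GITHUB_OUTPUT"
-        echo "diskName=constellation-${stream}-${timestamp}-${securityType,,}" | tee -a "$GITHUB_OUTPUT"
-        if [[ "${stream}" = "stable" ]]
-        then
-          echo "imageDefinition=constellation" | tee -a "$GITHUB_OUTPUT"
-          echo "imageOffer=constellation" | tee -a "$GITHUB_OUTPUT"
-          echo "imageVersion=${imageVersion:1}" | tee -a "$GITHUB_OUTPUT"
-          galleryName=Constellation
-        elif [[ "${imageType}" = "debug" && ( "${ref}" = "-" || "${ref}" = "main" ) ]]
-        then
-          echo "imageDefinition=${semver}" | tee -a "$GITHUB_OUTPUT"
-          echo "imageOffer=${semver}" | tee -a "$GITHUB_OUTPUT"
-          echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" | tee -a "$GITHUB_OUTPUT"
-          galleryName=Constellation_Debug
-        else
-          echo "imageDefinition=${ref}-${stream}" | tee -a "$GITHUB_OUTPUT"
-          echo "imageOffer=${ref}-${stream}" | tee -a "$GITHUB_OUTPUT"
-          echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" | tee -a "$GITHUB_OUTPUT"
-          galleryName=Constellation_Testing
-        fi
-        # TODO: enable VMGS upload for ConfidentialVM images once replication is possible
-        if [[ "${securityType}" == "ConfidentialVMSupported" ]]; then
-          echo "galleryName=${galleryName}_CVM" | tee -a "$GITHUB_OUTPUT"
-          echo "vmgsPath=" | tee -a "$GITHUB_OUTPUT"
-        else
-          echo "galleryName=${galleryName}" | tee -a "$GITHUB_OUTPUT"
-          echo "vmgsPath=${basePath}/pki/${securityType}.vmgs" | tee -a "$GITHUB_OUTPUT"
-        fi
-
-    # image family and image name may include lowercase alphanumeric characters and dashes.
-    # Must not end or begin with a dash
-    - name: Configure GCP input variables
-      id: gcp
-      if: inputs.csp == 'gcp'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-        ref: ${{ inputs.ref }}
-        stream: ${{ inputs.stream }}
-        imageVersion: ${{ inputs.imageVersion }}
-        imageType: ${{ inputs.imageType }}
-        timestamp: ${{ steps.version.outputs.timestamp }}
-      run: |
-        echo "project=constellation-images" | tee -a "$GITHUB_OUTPUT"
-        echo "bucket=constellation-images" | tee -a "$GITHUB_OUTPUT"
-        echo "region=europe-west3" | tee -a "$GITHUB_OUTPUT"
-        echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~37/image.raw" | tee -a "$GITHUB_OUTPUT"
-        echo "imagePath=${basePath}/mkosi.output.gcp/fedora~37/image.tar.gz" | tee -a "$GITHUB_OUTPUT"
-        echo "jsonOutput=${basePath}/mkosi.output.gcp/fedora~37/image-upload.json" | tee -a "$GITHUB_OUTPUT"
-        echo "imageName=${imageVersion//./-}-${stream}" | tee -a "$GITHUB_OUTPUT"
-        echo "imageFilename=${imageVersion//./-}-${stream}.tar.gz" | tee -a "$GITHUB_OUTPUT"
-        if [[ "${stream}" = "stable" ]]
-        then
-          echo "imageFamily=constellation" | tee -a "$GITHUB_OUTPUT"
-        else
-          echo "imageFamily=constellation-${ref::45}" | tee -a "$GITHUB_OUTPUT"
-        fi
-
-    - name: Configure OpenStack input variables
-      id: openstack
-      if: inputs.csp == 'openstack'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-      run: |
-        echo "bucket=cdn-constellation-backend" | tee -a "$GITHUB_OUTPUT"
-        echo "baseUrl=https://cdn.confidential.cloud" | tee -a "$GITHUB_OUTPUT"
-        echo "imagePath=${basePath}/mkosi.output.openstack/fedora~37/image.raw" | tee -a "$GITHUB_OUTPUT"
-        echo "jsonOutput=${basePath}/mkosi.output.openstack/fedora~37/image-upload.json" | tee -a "$GITHUB_OUTPUT"
-
-    - name: Configure QEMU input variables
-      id: qemu
-      if: inputs.csp == 'qemu'
-      shell: bash
-      env:
-        basePath: ${{ inputs.basePath }}
-      run: |
-        echo "bucket=cdn-constellation-backend" | tee -a "$GITHUB_OUTPUT"
-        echo "baseUrl=https://cdn.confidential.cloud" | tee -a "$GITHUB_OUTPUT"
-        echo "imagePath=${basePath}/mkosi.output.qemu/fedora~37/image.raw" | tee -a "$GITHUB_OUTPUT"
-        echo "jsonOutput=${basePath}/mkosi.output.qemu/fedora~37/image-upload.json" | tee -a "$GITHUB_OUTPUT"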
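--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -370,9 +370,20 @@ jobs:
       matrix:
         csp: [aws, azure, gcp, openstack, qemu]
         upload-variant: [""]
-        # include:
-        # - csp: azure
-        # upload-variant: TrustedLaunch
+    env:
+      AWS_IMAGE_PATH: mkosi.output.aws/fedora~37/image.raw
+      AWS_JSON_OUTPUT: mkosi.output.aws/fedora~37/image-upload.json
+      AZURE_IMAGE_PATH: mkosi.output.azure/fedora~37/image.vhd
+      AZURE_JSON_OUTPUT: mkosi.output.azure/fedora~37/image-upload.json
+      AZURE_RAW_IMAGE_PATH: mkosi.output.azure/fedora~37/image.raw
+      GCP_IMAGE_PATH: mkosi.output.gcp/fedora~37/image.tar.gz
+      GCP_JSON_OUTPUT: mkosi.output.gcp/fedora~37/image-upload.json
+      GCP_RAW_IMAGE_PATH: mkosi.output.gcp/fedora~37/image.raw
+      OPENSTACK_IMAGE_PATH: mkosi.output.openstack/fedora~37/image.raw
+      OPENSTACK_JSON_OUTPUT: mkosi.output.openstack/fedora~37/image-upload.json
+      QEMU_IMAGE_PATH: mkosi.output.qemu/fedora~37/image.raw
+      QEMU_JSON_OUTPUT: mkosi.output.qemu/fedora~37/image-upload.json
+      SHORTNAME: ${{ needs.build-settings.outputs.imageNameShort }}
     steps:
       - name: Checkout
         uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
@@ -385,19 +396,6 @@ jobs:
           name: image-${{ matrix.csp }}
           path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37
 
-      - name: Configure input variables
-        id: vars
-        uses: ./.github/actions/os_build_variables
-        with:
-          csp: ${{ matrix.csp }}
-          uploadVariant: ${{ matrix.upload-variant }}
-          basePath: ${{ github.workspace }}/image
-          ref: ${{ needs.build-settings.outputs.ref }}
-          stream: ${{ needs.build-settings.outputs.stream }}
-          imageVersion: ${{ needs.build-settings.outputs.imageVersion }}
-          imageType: ${{ needs.build-settings.outputs.imageType }}
-          debug: ${{ needs.build-settings.outputs.imageType == 'debug' }}
-
       - name: Install tools
         shell: bash
         run: |
@@ -407,14 +405,9 @@ jobs:
             pigz \
             qemu-utils \
             python3-pip
-          pip install google_crc32c
           echo "::endgroup::"
 
       - name: Login to AWS
-        # on AWS, login is required to upload the image as AMI
-        # on Azure, login is done to download the VMGS from S3
-        # on QEMU, login is done to upload the image to S3
-        if: matrix.csp == 'aws' || matrix.csp == 'azure' || matrix.csp == 'openstack' || matrix.csp == 'qemu'
         uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
@@ -439,39 +432,19 @@ jobs:
         run: |
           ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
 
-      - name: Download VMGS blob
-        if: matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported')
-        working-directory: ${{ github.workspace }}/image
-        env:
-          PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
-          AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
-          AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
-        run: |
-          aws s3 cp \
-            --region "${AZURE_VMGS_REGION}" \
-            "s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
-            "${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
-            --no-progress
-
       - name: Upload AWS image
         if: matrix.csp == 'aws'
         shell: bash
         working-directory: ${{ github.workspace }}/image
-        env:
-          PKI: ${{ github.workspace }}/image/pki
-          AWS_JSON_OUTPUT: ${{ steps.vars.outputs.awsJsonOutput }}
-          AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }}
-          AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }}
-          AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }}
-          AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }}
-          AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }}
-          AWS_REGION: ${{ steps.vars.outputs.awsRegion }}
-          AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }}
-          AWS_PUBLISH: ${{ steps.vars.outputs.awsPublish }}
         run: |
           echo "::group::Upload AWS image"
-          secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
-          upload/upload_aws.sh
+          bazel run //image/upload -- \
+            aws \
+            --verbose \
+            --raw-image "${AWS_IMAGE_PATH}" \
+            --variant "" \
+            --version "${SHORTNAME}" \
+            --out "${AWS_JSON_OUTPUT}"
           echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${AWS_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
           echo "::endgroup::"
 
@@ -479,21 +452,16 @@ jobs:
         if: matrix.csp == 'gcp'
         shell: bash
         working-directory: ${{ github.workspace }}/image
-        env:
-          PKI: ${{ github.workspace }}/image/pki
-          GCP_JSON_OUTPUT: ${{ steps.vars.outputs.gcpJsonOutput }}
-          GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }}
-          GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }}
-          GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }}
-          GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }}
-          GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }}
-          GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }}
-          GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }}
-          GCP_REGION: ${{ steps.vars.outputs.gcpRegion }}
         run: |
           echo "::group::Upload GCP image"
           upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
-          upload/upload_gcp.sh
+          bazel run //image/upload -- \
+            gcp \
+            --verbose \
+            --raw-image "${GCP_IMAGE_PATH}" \
+            --variant sev-es \
+            --version "${SHORTNAME}" \
+            --out "${GCP_JSON_OUTPUT}"
           echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${GCP_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
           echo "::endgroup::"
 
@@ -501,46 +469,32 @@ jobs:
         if: matrix.csp == 'azure'
         shell: bash
         working-directory: ${{ github.workspace }}/image
-        env:
-          PKI: ${{ github.workspace }}/image/pki
-          AZURE_JSON_OUTPUT: ${{ steps.vars.outputs.azureJsonOutput }}
-          AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }}
-          AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }}
-          AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }}
-          AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }}
-          AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }}
-          AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }}
-          AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }}
-          AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }}
-          AZURE_REGION: ${{ steps.vars.outputs.azureRegion }}
-          AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }}
-          AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
-          AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }}
-          AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
-          AZURE_SKU: ${{ steps.vars.outputs.azureSku }}
-          AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }}
         run: |
           echo "::group::Upload Azure image"
           upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
-          upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
-          echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
+          bazel run //image/upload -- \
+            azure \
+            --verbose \
+            --raw-image "${AZURE_IMAGE_PATH}" \
+            --variant cvm \
+            --version "${SHORTNAME}" \
+            --out "${AZURE_JSON_OUTPUT}"
+          echo -e "Uploaded Azure image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
           echo "::endgroup::"
 
       - name: Upload OpenStack image
         if: matrix.csp == 'openstack'
         shell: bash
         working-directory: ${{ github.workspace }}/image
-        env:
-          OPENSTACK_JSON_OUTPUT: ${{ steps.vars.outputs.openStackJsonOutput }}
-          OPENSTACK_BUCKET: ${{ steps.vars.outputs.openStackBucket }}
-          OPENSTACK_BASE_URL: ${{ steps.vars.outputs.openStackBaseUrl }}
-          OPENSTACK_IMAGE_PATH: ${{ steps.vars.outputs.openStackImagePath }}
-          REF: ${{needs.build-settings.outputs.ref }}
-          STREAM: ${{needs.build-settings.outputs.stream }}
-          IMAGE_VERSION: ${{needs.build-settings.outputs.imageVersion }}
         run: |
           echo "::group::Upload OpenStack image"
-          upload/upload_openstack.sh
+          bazel run //image/upload -- \
+            openstack \
+            --verbose \
+            --raw-image "${OPENSTACK_IMAGE_PATH}" \
+            --variant sev \
+            --version "${SHORTNAME}" \
+            --out "${OPENSTACK_JSON_OUTPUT}"
           echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${OPENSTACK_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
           echo "::endgroup::"
 
@@ -548,17 +502,15 @@ jobs:
         if: matrix.csp == 'qemu'
         shell: bash
         working-directory: ${{ github.workspace }}/image
-        env:
-          QEMU_JSON_OUTPUT: ${{ steps.vars.outputs.qemuJsonOutput }}
-          QEMU_BUCKET: ${{ steps.vars.outputs.qemuBucket }}
-          QEMU_BASE_URL: ${{ steps.vars.outputs.qemuBaseUrl }}
-          QEMU_IMAGE_PATH: ${{ steps.vars.outputs.qemuImagePath }}
-          REF: ${{needs.build-settings.outputs.ref }}
-          STREAM: ${{needs.build-settings.outputs.stream }}
-          IMAGE_VERSION: ${{needs.build-settings.outputs.imageVersion }}
         run: |
           echo "::group::Upload QEMU image"
-          upload/upload_qemu.sh
+          bazel run //image/upload -- \
+            qemu \
+            --verbose \
+            --raw-image "${QEMU_IMAGE_PATH}" \
+            --variant default \
+            --version "${SHORTNAME}" \
+            --out "${QEMU_JSON_OUTPUT}"
           echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${QEMU_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
           echo "::endgroup::"
 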
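Review bot: The Login to AWS step now has no `if:` guard, so the IAM role is assumed on every matrix leg, including gcp, which the removed condition used to exclude (hunk `@@ -407,14 +405,9 @@`). If the GCP leg does not need AWS credentials, keep the issuance scoped to the legs that use it, e.g. `if: matrix.csp != 'gcp'`, and restore a comment stating why each remaining CSP needs the login, since the three explanatory comments were deleted along with the condition. A second point applies to all five upload hunks (AWS, GCP, Azure, OpenStack, QEMU): `bazel run` executes the target from its runfiles tree rather than the step's `working-directory`, so the relative `--raw-image` and `--out` values taken from the new job-level `env` resolve correctly only if the uploader rebases them on `BUILD_WORKING_DIRECTORY`; either confirm that or pass absolute paths such as `--out "${GITHUB_WORKSPACE}/image/${AWS_JSON_OUTPUT}"`. Finally, `upload-variant: [""]` appears to be a dead matrix axis now that its only visible consumer, the os_build_variables step, is removed, but confirm nothing outside these hunks reads `matrix.upload-variant` before dropping it.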