diff --git a/.github/actions/build_apko/action.yml b/.github/actions/build_apko/action.yml
index 86dc66bd1..be68f12ea 100644
--- a/.github/actions/build_apko/action.yml
+++ b/.github/actions/build_apko/action.yml
@@ -54,10 +54,16 @@ runs: password: ${{ inputs.githubToken }} - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - name: Build apko images and sign them + shell: bash + env: + COSIGN_EXPERIMENTAL: "true" + COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} + COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} + COSIGN_PASSWORD: ${{ inputs.cosignPassword }} run: | if [[ -z "${{ inputs.apkoConfig }}" ]]; then echo "Building all images in image"
@@ -131,14 +137,14 @@ runs: mv sbom-*.* sboms/$imageName/ fi + + - name: Sign sboms + if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' shell: bash env: - COSIGN_EXPERIMENTAL: "true" COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} COSIGN_PASSWORD: ${{ inputs.cosignPassword }} - - - name: Sign sboms run: | for dir in sboms/*; do for file in $dir/*; do
@@ -151,17 +157,11 @@ runs: done zip -r sboms.zip sboms - shell: bash - env: - COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} - COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} - COSIGN_PASSWORD: ${{ inputs.cosignPassword }} - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - name: Upload SBOMs + if: always() + continue-on-error: true uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: sboms path: sboms.zip - if: always() - continue-on-error: true 
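Review bot: The env block added to "Build apko images and sign them" in the first hunk sets `COSIGN_EXPERIMENTAL: "true"`, while the "Sign sboms" step in the second hunk deliberately drops that variable and container_sbom/action.yml in this same commit carries a comment saying the flag breaks verification; nothing records why it is needed for image signing but not for SBOM signing. A comment above the line, such as `# COSIGN_EXPERIMENTAL is required for the image signing below; intentionally unset on "Sign sboms"` with the real reason filled in, would keep the next reorder from "fixing" the inconsistency. Note also that "Build apko images and sign them" has no cosign-input guard although "Install Cosign" is skipped when the inputs are empty; presumably the script handles the unsigned case, but its run block continues outside the hunk so I cannot confirm.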
diff --git a/.github/actions/build_cli/action.yml b/.github/actions/build_cli/action.yml
index 0d2f88c81..7a45281e0 100644
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@@ -33,11 +33,12 @@ runs: steps: # https://github.blog/2022-04-12-git-security-vulnerability-announced/ - name: Mark repository safe + shell: bash run: | git config --global --add safe.directory /__w/constellation/constellation - shell: bash - name: Build CLI + shell: bash run: | echo "::group::Build CLI" mkdir -p build 
@@ -53,26 +54,32 @@ runs: echo "$(pwd)" >> $GITHUB_PATH export PATH="$PATH:$(pwd)" echo "::endgroup::" - shell: bash # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial # once it has the functionality - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 - name: Install Rekor + if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' + shell: bash + working-directory: build run: | HOSTOS="$(go env GOOS)" HOSTARCH="$(go env GOARCH)" curl -sLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-${HOSTOS}-${HOSTARCH} sudo install rekor-cli-${HOSTOS}-${HOSTARCH} /usr/local/bin/rekor-cli rm rekor-cli-${HOSTOS}-${HOSTARCH} - shell: bash - working-directory: build - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - name: Sign CLI + if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' + shell: bash + working-directory: build + env: + COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} + COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} + COSIGN_PASSWORD: ${{ inputs.cosignPassword }} run: | SIGN_TARGET=constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }} echo "$COSIGN_PUBLIC_KEY" > cosign.pub 
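Review bot: The "Install Rekor" step, whose keys this hunk reorders, runs `sudo install` on a binary fetched with `curl -sLO` and never checks its integrity, so the pinned tag v0.12.0 protects against little more than typos. Adding a digest check before the install, `echo "<expected-sha256>  rekor-cli-${HOSTOS}-${HOSTARCH}" | sha256sum -c -` with the value taken from that release's checksums file, makes the download fail closed; verifying the release's cosign signature would be stronger still if one is published for that version. The same gap applies to the syft/grype download in container_sbom/action.yml, whose download lines fall outside the hunks shown. The "Sign CLI" run block at the end of this hunk continues outside it.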
@@ -85,10 +92,3 @@ runs: uuid=$(rekor-cli search --artifact ${SIGN_TARGET} | tail -n 1) sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content) cosign verify-blob --key cosign.pub --signature <(echo $sig) ${SIGN_TARGET} - shell: bash - working-directory: build - env: - COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} - COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} - COSIGN_PASSWORD: ${{ inputs.cosignPassword }} - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
diff --git a/.github/actions/build_ko/action.yml b/.github/actions/build_ko/action.yml
index a4e49359f..0777579e4 100644
--- a/.github/actions/build_ko/action.yml
+++ b/.github/actions/build_ko/action.yml
@@ -41,7 +41,6 @@ outputs: description: "Container tag" value: ${{ steps.build.container_tag }} - # Linux runner only runs: using: "composite"
@@ -55,8 +54,8 @@ runs: uses: imjasonh/setup-ko@9a31684920a610d5dbe8012888714d64706f9787 # tag=v0.6 - name: Build and upload ko container image - shell: bash id: build + shell: bash env: KO_USER: ${{ github.actor }} KO_CONFIG_PATH: ${{ inputs.koConfig }}
diff --git a/.github/actions/build_micro_service/action.yml b/.github/actions/build_micro_service/action.yml
index 6a1936b35..70936d71d 100644
--- a/.github/actions/build_micro_service/action.yml
+++ b/.github/actions/build_micro_service/action.yml 
@@ -68,10 +68,10 @@ runs: PROJECT_VERSION=${{ inputs.projectVersion }} - name: Generate SBOM + if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' uses: ./.github/actions/container_sbom with: containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-micro-service.outputs.digest }} cosignPublicKey: ${{ inputs.cosignPublicKey }} cosignPrivateKey: ${{ inputs.cosignPrivateKey }} cosignPassword: ${{ inputs.cosignPassword }} - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
diff --git a/.github/actions/build_micro_service_ko/action.yml b/.github/actions/build_micro_service_ko/action.yml
index 7dc182fde..c122b0577 100644
--- a/.github/actions/build_micro_service_ko/action.yml
+++ b/.github/actions/build_micro_service_ko/action.yml
@@ -70,10 +70,10 @@ runs: echo CONTAINER_FULL=$container_full >> $GITHUB_ENV - name: Generate SBOM + if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false' uses: ./.github/actions/container_sbom with: containerReference: ${{ env.CONTAINER_FULL }} cosignPublicKey: ${{ inputs.cosignPublicKey }} cosignPrivateKey: ${{ inputs.cosignPrivateKey }} cosignPassword: ${{ inputs.cosignPassword }} - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false'
diff --git a/.github/actions/build_operator/action.yml b/.github/actions/build_operator/action.yml
index 5f63bdccd..96e747ecf 100644
--- a/.github/actions/build_operator/action.yml
+++ b/.github/actions/build_operator/action.yml 
@@ -66,29 +66,29 @@ runs: tags: ${{ steps.meta.outputs.tags }} - name: Generate SBOM + if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' uses: ./.github/actions/container_sbom with: containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-image.outputs.digest }} cosignPublicKey: ${{ inputs.cosignPublicKey }} cosignPrivateKey: ${{ inputs.cosignPrivateKey }} cosignPassword: ${{ inputs.cosignPassword }} - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - name: Bundle for pseudo version if: steps.pseudo-version.outputs.pseudoVersion != '' && inputs.pushTag == '' shell: bash - run: make bundle VERSION=${VERSION#v} working-directory: ${{ inputs.sourceDir }} env: VERSION: ${{ steps.pseudo-version.outputs.pseudoVersion }} + run: make bundle VERSION=${VERSION#v} - name: Bundle for semantic version if: inputs.pushTag != '' shell: bash - run: make bundle VERSION=${VERSION#v} working-directory: ${{ inputs.sourceDir }} env: VERSION: ${{ inputs.pushTag }} + run: make bundle VERSION=${VERSION#v} - name: Docker metadata for bundle id: bundle-meta 
@@ -112,26 +112,26 @@ runs: tags: ${{ steps.bundle-meta.outputs.tags }} - name: Generate Bundle SBOM + if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' uses: ./.github/actions/container_sbom with: containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle@${{ steps.build-image-bundle.outputs.digest }} cosignPublicKey: ${{ inputs.cosignPublicKey }} cosignPrivateKey: ${{ inputs.cosignPrivateKey }} cosignPassword: ${{ inputs.cosignPassword }} - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - name: Build and push catalog for pseudo versions if: steps.pseudo-version.outputs.pseudoVersion != '' && inputs.pushTag == '' shell: bash - run: make VERSION=${VERSION#v} catalog-build catalog-push working-directory: ${{ inputs.sourceDir }} env: VERSION: ${{ steps.pseudo-version.outputs.pseudoVersion }} + run: make VERSION=${VERSION#v} catalog-build catalog-push - name: Build and push catalog for releases if: inputs.pushTag != '' shell: bash - run: make VERSION=${VERSION#v} catalog-build catalog-push working-directory: ${{ inputs.sourceDir }} env: VERSION: ${{ inputs.pushTag }} + run: make VERSION=${VERSION#v} catalog-build catalog-push
diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index c94e420a7..1c13be1c9 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -99,8 +99,8 @@ runs: fi - name: Remove embedded measurements - shell: bash if: inputs.keepMeasurements == 'false' + shell: bash run: | yq eval -i \ "(.provider | select(. | has(\"aws\")).aws.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
diff --git a/.github/actions/constellation_destroy/action.yml b/.github/actions/constellation_destroy/action.yml
index 75a29199f..b6b792e17 100644 
--- a/.github/actions/constellation_destroy/action.yml
+++ b/.github/actions/constellation_destroy/action.yml
@@ -40,5 +40,5 @@ runs: echo "::endgroup::" - name: Constellation terminate - run: constellation terminate --yes shell: bash + run: constellation terminate --yes
diff --git a/.github/actions/container_sbom/action.yml b/.github/actions/container_sbom/action.yml
index a9eaada6f..09896b2fa 100644
--- a/.github/actions/container_sbom/action.yml
+++ b/.github/actions/container_sbom/action.yml
@@ -18,9 +18,11 @@ runs: using: "composite" steps: - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 + - name: Download syft & grype + shell: bash run: | SYFT_VERSION=0.59.0 GRYPE_VERSION=0.51.0
@@ -31,9 +33,14 @@ runs: tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz ./grype version echo $(pwd) >> $GITHUB_PATH - shell: bash - name: Generate SBOM + shell: bash + env: + # COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404 + COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} + COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} + COSIGN_PASSWORD: ${{ inputs.cosignPassword }} run: | set -ex echo "$COSIGN_PRIVATE_KEY" > cosign.key
@@ -43,9 +50,3 @@ runs: # https://github.com/sigstore/cosign/issues/2264 cosign verify-attestation ${{ inputs.containerReference }} --type 'https://cyclonedx.org/bom' --key env://COSIGN_PUBLIC_KEY grype ${{ inputs.containerReference }} --fail-on high --only-fixed - shell: bash - env: - # COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404 - COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} - COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} - COSIGN_PASSWORD: ${{ inputs.cosignPassword }} 
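Review bot: In the second container_sbom hunk, the "Generate SBOM" run block writes the signing key to disk with `echo "$COSIGN_PRIVATE_KEY" > cosign.key` immediately after `set -ex`, so bash's trace prints the expanded key material into the step log; GitHub's masking should cover it if the value came from a registered secret, but a signing key should not depend on that. The third hunk already passes `--key env://COSIGN_PUBLIC_KEY` to `cosign verify-attestation`, so the same form, `--key env://COSIGN_PRIVATE_KEY`, can replace the file, removing both the trace exposure and the key file left in the workspace (no removal of cosign.key is visible in the hunks). The signing command that reads cosign.key lies between the second and third hunk, outside what is shown.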
diff --git a/.github/actions/e2e_kbench/action.yml b/.github/actions/e2e_kbench/action.yml
index 278b96b2a..3c14dcb8c 100644
--- a/.github/actions/e2e_kbench/action.yml
+++ b/.github/actions/e2e_kbench/action.yml
@@ -32,12 +32,14 @@ runs: - name: Install patched K-Bench working-directory: "k-bench" - run: ./install.sh shell: bash + run: ./install.sh - name: Run K-Bench shell: bash working-directory: k-bench + env: + KUBECONFIG: ${{ inputs.kubeconfig }} run: | mkdir -p ./out kubectl create namespace kbench-pod-namespace --dry-run=client -o yaml | kubectl apply -f -
@@ -55,12 +57,10 @@ runs: kubectl create namespace kbench-pod-namespace --dry-run=client -o yaml | kubectl apply -f - kubectl apply -f ../.github/actions/e2e_kbench/encrypted_storage.yml ./run.sh -r "kbench-constellation-${{ inputs.cloudProvider }}" -t "dp_network_intranode" -o "./out/" - env: - KUBECONFIG: ${{ inputs.kubeconfig }} - name: Merge K-Bench results - working-directory: k-bench shell: bash + working-directory: k-bench run: | mkdir -p "./out/kbench-constellation-${{ inputs.cloudProvider }}" mv ./out/results_kbench-constellation-${{ inputs.cloudProvider }}_*m/* "./out/kbench-constellation-${{ inputs.cloudProvider }}/"
@@ -68,8 +68,8 @@ runs: cat ./out/kbench-constellation-${{ inputs.cloudProvider }}/*/kbench.log - name: Upload original benchmark results - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: (!env.ACT) + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: path: "k-bench/out/kbench-constellation-${{ inputs.cloudProvider }}" name: "k-bench-constellation-${{ inputs.cloudProvider }}" 
@@ -82,26 +82,22 @@ runs: - name: Set S3 artifact store shell: bash - run: echo S3_PATH=s3://${ARTIFACT_BUCKET_CONSTELLATION}/benchmarks >> $GITHUB_ENV env: ARTIFACT_BUCKET_CONSTELLATION: "edgeless-artifact-store/constellation" + run: echo S3_PATH=s3://${ARTIFACT_BUCKET_CONSTELLATION}/benchmarks >> $GITHUB_ENV - name: Get previous benchmark records from S3 shell: bash + env: + KBENCH_RESULTS: ${{ github.workspace }}/k-bench/out/ + CSP: ${{ inputs.cloudProvider }} run: | mkdir -p benchmarks aws s3 cp --recursive ${S3_PATH} benchmarks --no-progress mv benchmarks/constellation-${CSP}.json benchmarks/constellation-${CSP}-previous.json - env: - KBENCH_RESULTS: ${{ github.workspace }}/k-bench/out/ - CSP: ${{ inputs.cloudProvider }} - name: Parse K-Bench results, create diagrams and post the progression summary shell: bash - run: | - python .github/actions/e2e_kbench/evaluate/parse.py - python .github/actions/e2e_kbench/evaluate/graph.py - python .github/actions/e2e_kbench/evaluate/compare.py >> $GITHUB_STEP_SUMMARY env: # Original K-Bench result directory KBENCH_RESULTS: k-bench/out/
@@ -111,10 +107,14 @@ runs: PREV_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}-previous.json CURR_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}.json CSP: ${{ inputs.cloudProvider }} + run: | + python .github/actions/e2e_kbench/evaluate/parse.py + python .github/actions/e2e_kbench/evaluate/graph.py + python .github/actions/e2e_kbench/evaluate/compare.py >> $GITHUB_STEP_SUMMARY - name: Upload benchmark results and graphs to action run - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: (!env.ACT) + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: path: | benchmarks/*_perf.png 
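Review bot: The env block moved onto "Get previous benchmark records from S3" in the first hunk on this line defines `KBENCH_RESULTS`, but that step's run block only reads `S3_PATH` and `CSP`; the variable is consumed by the "Parse K-Bench results" step, which sets its own copy. Dropping `KBENCH_RESULTS: ${{ github.workspace }}/k-bench/out/` from the S3 step avoids the impression that the two values (one absolute, one relative) have to be kept in sync.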
@@ -122,9 +122,9 @@ runs: name: "benchmarks" - name: Update benchmark records in S3 + if: github.ref == 'refs/heads/main' shell: bash - run: | - aws s3 cp benchmarks/constellation-${CSP}.json ${S3_PATH}/constellation-${CSP}.json env: CSP: ${{ inputs.cloudProvider }} - if: github.ref == 'refs/heads/main' + run: | + aws s3 cp benchmarks/constellation-${CSP}.json ${S3_PATH}/constellation-${CSP}.json
diff --git a/.github/actions/e2e_mini/action.yml b/.github/actions/e2e_mini/action.yml
index 1fdedb5cc..cd7bee85e 100644
--- a/.github/actions/e2e_mini/action.yml
+++ b/.github/actions/e2e_mini/action.yml
@@ -32,6 +32,10 @@ runs: - name: MiniConstellation E2E shell: bash + env: + ARM_CLIENT_ID: ${{ inputs.azureClientID }} + ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }} + ARM_TENANT_ID: ${{ inputs.azureTenantID }} run: | echo "::group::Terraform" cd .github/actions/e2e_mini
@@ -46,20 +50,16 @@ runs: # Copy locally build Constellation CLI and run e2e script. scp -i id_rsa ../../../build/constellation adminuser@${AZURE_VM_IP}:. ssh -i id_rsa adminuser@${AZURE_VM_IP} 'bash -s' < run-e2e.sh - env: - ARM_CLIENT_ID: ${{ inputs.azureClientID }} - ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }} - ARM_TENANT_ID: ${{ inputs.azureTenantID }} - name: Delete deployment if: always() shell: bash + env: + ARM_CLIENT_ID: ${{ inputs.azureClientID }} + ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }} + ARM_TENANT_ID: ${{ inputs.azureTenantID }} run: | echo "::group::Terminate" cd .github/actions/e2e_mini terraform destroy -auto-approve echo "::endgroup::" - env: - ARM_CLIENT_ID: ${{ inputs.azureClientID }} - ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }} - ARM_TENANT_ID: ${{ inputs.azureTenantID }}
diff --git a/.github/actions/e2e_sonobuoy/action.yml b/.github/actions/e2e_sonobuoy/action.yml
index 89edba4eb..d5e798507 100644
--- a/.github/actions/e2e_sonobuoy/action.yml
+++ b/.github/actions/e2e_sonobuoy/action.yml 
@@ -28,8 +28,8 @@ runs: install sonobuoy /usr/local/bin - name: Sonobuoy version - run: sonobuoy version shell: bash + run: sonobuoy version - name: Run e2e test shell: bash
diff --git a/.github/actions/e2e_verify/action.yml b/.github/actions/e2e_verify/action.yml
index 4a59c9dba..d23fa0f79 100644
--- a/.github/actions/e2e_verify/action.yml
+++ b/.github/actions/e2e_verify/action.yml
@@ -16,6 +16,7 @@ runs: shell: bash run: | yq -i 'del(.provider.${{ inputs.cloudProvider }}.measurements)' constellation-conf.yaml + - name: Fetch & write measurements shell: bash run: |
@@ -27,6 +28,7 @@ runs: done yq -i '.provider.${{ inputs.cloudProvider }}.measurements |= array_to_map' constellation-conf.yaml cat constellation-conf.yaml + - name: Constellation verify shell: bash run: constellation verify --cluster-id $(jq -r ".clusterID" constellation-id.json)
diff --git a/.github/actions/pseudo_version/action.yml b/.github/actions/pseudo_version/action.yml
index 38a04fcb3..675c5f2a2 100644
--- a/.github/actions/pseudo_version/action.yml
+++ b/.github/actions/pseudo_version/action.yml
@@ -24,6 +24,8 @@ runs: steps: - name: get pseudo version id: pseudo-version + shell: bash + working-directory: hack/pseudo-version run: | if $(git rev-parse --is-shallow-repository); then git fetch --prune --unshallow --tags -v
@@ -44,5 +46,3 @@ runs: echo "timestamp=${timestamp}" >> $GITHUB_OUTPUT echo "branchName=${branchName}" >> $GITHUB_OUTPUT echo "releaseVersion=${releaseVersion}" >> $GITHUB_OUTPUT - working-directory: hack/pseudo-version - shell: bash
diff --git a/.github/actions/setup_linux/action.yml b/.github/actions/setup_linux/action.yml
index 5edfca96d..8cc78f46c 100644
--- a/.github/actions/setup_linux/action.yml
+++ b/.github/actions/setup_linux/action.yml 
@@ -35,19 +35,19 @@ runs: sudo apt-get install curl gpg -y - name: Install yq jq + shell: bash run: | sudo apt-get install yq jq -y - shell: bash - name: Install AWS CLI + shell: bash run: | sudo apt-get -y install awscli - shell: bash - name: Install az CLI + shell: bash run: | sudo apt-get install azure-cli -y - shell: bash - name: Set up gcloud CLI uses: google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce # v1.0.1
diff --git a/.github/actions/setup_mkosi/action.yaml b/.github/actions/setup_mkosi/action.yaml
index 055289a6e..2737f6d69 100644
--- a/.github/actions/setup_mkosi/action.yaml
+++ b/.github/actions/setup_mkosi/action.yaml
@@ -21,6 +21,7 @@ runs: e2fsprogs \ squashfs-tools echo "::endgroup::" + # Try to eliminate "Failed to dissect image: Connection timed out" errors from nspawn by compiling # systemd-nspawn from v251 from source. - name: Update systemd-nspawn
@@ -35,6 +36,7 @@ runs: sudo ln -svf $PWD/systemd-stable/build/systemd-nspawn $(which systemd-nspawn) systemd-nspawn --version echo "::endgroup::" + - name: Install shell: bash run: sudo python3 -m pip install git+https://github.com/systemd/mkosi.git@${{ inputs.version }}
diff --git a/.github/actions/shortname/action.yaml b/.github/actions/shortname/action.yaml
index 6ca21de45..9a21d9666 100644
--- a/.github/actions/shortname/action.yaml
+++ b/.github/actions/shortname/action.yaml
@@ -21,8 +21,8 @@ runs: using: "composite" steps: - name: Extract ref, stream and version - shell: bash id: extract + shell: bash run: | ref="-" stream="stable"
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
index 5312699de..d76bcb8c1 100644
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@@ -111,6 +111,7 @@ jobs: uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: "1.19.5" + - name: Build disk-mapper uses: ./.github/actions/build_disk_mapper 
diff --git a/.github/workflows/build-ccm-gcp.yml b/.github/workflows/build-ccm-gcp.yml
index 78a2ba82e..3a35cdfa5 100644
--- a/.github/workflows/build-ccm-gcp.yml
+++ b/.github/workflows/build-ccm-gcp.yml
@@ -16,7 +16,8 @@ jobs: - version: v25.2.0 latest: true steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Checkout kubernetes/cloud-provider-gcp + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: repository: "kubernetes/cloud-provider-gcp" ref: refs/tags/ccm/${{ matrix.version }}
@@ -45,17 +46,20 @@ jobs: - name: Build CCM run: | "${GITHUB_WORKSPACE}/bin/bazel" build //cmd/cloud-controller-manager:cloud-controller-manager + - name: Copy CCM run: | # support new and old bazel output paths cp ./bazel-bin/cmd/cloud-controller-manager/cloud-controller-manager_/cloud-controller-manager ./cloud-controller-manager || \ cp ./bazel-bin/cmd/cloud-controller-manager/linux_amd64_pure_stripped/cloud-controller-manager ./cloud-controller-manager + - name: Prepare Dockerfile run: | cat > Dockerfile <> "$GITHUB_OUTPUT" - working-directory: ${{ github.workspace }}/build build-settings: name: "Determine build settings"
@@ -279,20 +279,16 @@ jobs: - name: Prepare PKI for secure boot signing id: prepare-pki shell: bash - run: | - echo "${DB_KEY}" > "${PKI_SET}/db.key" - ln -s "${PKI_SET}" pki working-directory: ${{ github.workspace }}/image env: PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }} + run: | + echo "${DB_KEY}" > "${PKI_SET}/db.key" + ln -s "${PKI_SET}" pki - name: Build shell: bash - run: | - echo "::group::Build" - sudo make IMAGE_VERSION="${IMAGE_VERSION}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}" - echo "::endgroup::" working-directory: ${{ github.workspace }}/image env: BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper 
@@ -301,9 +297,15 @@ jobs: AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }} IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }} CSP: ${{ matrix.csp }} + run: | + echo "::group::Build" + sudo make IMAGE_VERSION="${IMAGE_VERSION}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}" + echo "::endgroup::" - name: Collect hashes id: collect-hashes + continue-on-error: true + working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37 run: | { echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)"
@@ -315,18 +317,18 @@ jobs: echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" } >> "$GITHUB_OUTPUT" - working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37 - continue-on-error: true - name: Upload raw OS image as artifact + if: always() + continue-on-error: true uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw - if: always() - continue-on-error: true - name: Upload individual OS parts as artifacts + if: always() + continue-on-error: true uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: parts-${{ matrix.csp }} 
@@ -338,18 +340,16 @@ jobs: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.roothash ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.verity ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz - if: always() - continue-on-error: true - name: Upload manifest as artifact + if: always() + continue-on-error: true uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: manifest-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.changelog ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.manifest - if: always() - continue-on-error: true upload-os-image: name: "Upload OS image to CSP"
@@ -403,11 +403,11 @@ jobs: echo "::endgroup::" - name: Login to AWS - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0 # on AWS, login is required to upload the image as AMI # on Azure, login is done to download the VMGS from S3 # on QEMU, login is done to upload the image to S3 if: matrix.csp == 'aws' || matrix.csp == 'azure' || matrix.csp == 'qemu' + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 
@@ -419,42 +419,36 @@ jobs: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} - name: Login to GCP - uses: ./.github/actions/login_gcp if: matrix.csp == 'gcp' + uses: ./.github/actions/login_gcp with: service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com" - name: Prepare PKI for image upload id: prepare-pki shell: bash + working-directory: ${{ github.workspace }}/image run: | ln -s ${{ needs.build-settings.outputs.pkiSet }} pki - working-directory: ${{ github.workspace }}/image - name: Download VMGS blob + if: matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') + working-directory: ${{ github.workspace }}/image + env: + PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} + AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }} + AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} run: | aws s3 cp \ --region "${AZURE_VMGS_REGION}" \ "s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \ "${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \ --no-progress - working-directory: ${{ github.workspace }}/image - if: matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') - env: - PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} - AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }} - AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} - name: Upload AWS image - shell: bash - run: | - echo "::group::Upload AWS image" - secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}" - upload/upload_aws.sh - echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${AWS_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" - echo "::endgroup::" - working-directory: ${{ github.workspace }}/image if: matrix.csp == 'aws' + shell: bash + working-directory: ${{ github.workspace }}/image env: PKI: ${{ github.workspace }}/image/pki AWS_JSON_OUTPUT: ${{ steps.vars.outputs.awsJsonOutput }} 
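Review bot: The `if:` on "Download VMGS blob" tests `env.AZURE_SECURITY_TYPE`, but that variable is defined only in the same step's own env block, and as far as I know the runner evaluates a step's condition before its step-level env is applied, so the expression sees an empty string, `!endsWith('', 'Supported')` is true, and the download runs for every Azure security type. Reading the output directly, `if: matrix.csp == 'azure' && !endsWith(steps.vars.outputs.azureSecurityType, 'Supported')`, removes the dependency on env ordering. The key moves in this hunk carried the condition over unchanged, so this predates the commit; worth confirming against a run where the security type ends in "Supported".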
@@ -466,17 +460,17 @@ jobs: AWS_REGION: ${{ steps.vars.outputs.awsRegion }} AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }} AWS_PUBLISH: ${{ steps.vars.outputs.awsPublish }} + run: | + echo "::group::Upload AWS image" + secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}" + upload/upload_aws.sh + echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${AWS_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" + echo "::endgroup::" - name: Upload GCP image - shell: bash - run: | - echo "::group::Upload GCP image" - upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}" - upload/upload_gcp.sh - echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${GCP_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" - echo "::endgroup::" - working-directory: ${{ github.workspace }}/image if: matrix.csp == 'gcp' + shell: bash + working-directory: ${{ github.workspace }}/image env: PKI: ${{ github.workspace }}/image/pki GCP_JSON_OUTPUT: ${{ steps.vars.outputs.gcpJsonOutput }} 
@@ -488,17 +482,17 @@ jobs: GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }} GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }} GCP_REGION: ${{ steps.vars.outputs.gcpRegion }} + run: | + echo "::group::Upload GCP image" + upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}" + upload/upload_gcp.sh + echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${GCP_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" + echo "::endgroup::" - name: Upload Azure image - shell: bash - run: | - echo "::group::Upload Azure image" - upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" - upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" - echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" - echo "::endgroup::" - working-directory: ${{ github.workspace }}/image if: matrix.csp == 'azure' + shell: bash + working-directory: ${{ github.workspace }}/image env: PKI: ${{ github.workspace }}/image/pki AZURE_JSON_OUTPUT: ${{ steps.vars.outputs.azureJsonOutput }} 
@@ -517,15 +511,16 @@ jobs: AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} AZURE_SKU: ${{ steps.vars.outputs.azureSku }} AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }} + run: | + echo "::group::Upload Azure image" + upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" + upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" + echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" + echo "::endgroup::" - name: Upload QEMU image - shell: bash if: matrix.csp == 'qemu' - run: | - echo "::group::Upload QEMU image" - upload/upload_qemu.sh - echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${QEMU_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" - echo "::endgroup::" + shell: bash working-directory: ${{ github.workspace }}/image env: QEMU_JSON_OUTPUT: ${{ steps.vars.outputs.qemuJsonOutput }}
@@ -535,6 +530,11 @@ jobs: REF: ${{needs.build-settings.outputs.ref }} STREAM: ${{needs.build-settings.outputs.stream }} IMAGE_VERSION: ${{needs.build-settings.outputs.imageVersion }} + run: | + echo "::group::Upload QEMU image" + upload/upload_qemu.sh + echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${QEMU_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" + echo "::endgroup::" - name: Upload image lookup table as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
@@ -579,6 +579,7 @@ jobs: echo "::endgroup::" - name: Calculate expected PCRs + working-directory: ${{ github.workspace }}/image/measured-boot run: | echo "::group::Calculate expected PCRs" { 
@@ -589,7 +590,6 @@ jobs: cp pcr-stable.json ${{ github.workspace }}/ jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json echo "::endgroup::" - working-directory: ${{ github.workspace }}/image/measured-boot - name: Upload expected PCRs as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 @@ -646,21 +646,24 @@ jobs: unsquashfs -user-xattrs -d image.root.tree image.root.raw echo "::endgroup::" - - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 + - name: Create SBOM in SPDX fromat + uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 with: path: image.root.tree artifact-name: sbom.spdx.json output-file: sbom.spdx.json format: spdx-json - - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 + - name: Create SBOM in CycloneDX fromat + uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 with: path: image.root.tree artifact-name: sbom.cyclonedx.json output-file: sbom.cyclonedx.json format: cyclonedx-json - - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 + - name: Create SBOM in Syft fromat + uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 with: path: image.root.tree artifact-name: sbom.syft.json diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 23b7a9bcb..b27342248 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -46,7 +46,7 @@ jobs: echo "::group::Install go dependencies" mods=$(go list -f '{{.Dir}}' -m | xargs) for mod in $mods; do - (cd "$mod" || exit; go mod tidy) + (cd "$mod" || exit; go mod download) done echo "::endgroup::" diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml index 9584256f8..55dbb7388 100644 --- a/.github/workflows/e2e-test-manual.yml 
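Review bot: The three new step names in the anchore/sbom-action hunk misspell `format` as `fromat` (`Create SBOM in SPDX fromat`, `Create SBOM in CycloneDX fromat`, `Create SBOM in Syft fromat`); these names are what the job log shows, so they should read `- name: Create SBOM in SPDX format` and likewise for the CycloneDX and Syft steps. Giving the previously anonymous `uses:` steps names is otherwise the right change.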
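Review bot: In the codeql.yml hunk, `|| exit` inside the `( ... )` group only leaves the subshell, so a failed `cd` or `go mod download` for one module does not stop the loop on its own; the step aborts only if the shell was started with errexit, which GitHub's default `bash -e` for `run:` provides but the hunk does not show a `shell:` key confirming. Making the intent explicit removes that dependency: `(cd "$mod" && go mod download) || exit 1`. Moving from `go mod tidy` to `go mod download` is the right direction, since it verifies the modules against the committed go.sum instead of potentially rewriting go.mod/go.sum inside the analysis job. The enclosing run block starts and ends outside the hunk.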
+++ b/.github/workflows/e2e-test-manual.yml @@ -198,6 +198,7 @@ jobs: uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} + - name: Checkout ref if: github.event.steps.check-bootstrapper-cache.cache-hit != 'true' && inputs.git-ref != 'head' uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 @@ -239,6 +240,7 @@ jobs: uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} + - name: Checkout ref if: inputs.git-ref != 'head' uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index cd5539b4f..b2b613ac6 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml @@ -106,8 +106,8 @@ jobs: azure_credentials: ${{ secrets.AZURE_E2E_CREDENTIALS }} - name: Create Azure resource group - if: matrix.provider == 'azure' id: az_resource_group_gen + if: matrix.provider == 'azure' shell: bash run: | uuid=$(cat /proc/sys/kernel/random/uuid) diff --git a/.github/workflows/generate-measurements.yml b/.github/workflows/generate-measurements.yml index 9758118ad..7a09dd6d4 100644 --- a/.github/workflows/generate-measurements.yml +++ b/.github/workflows/generate-measurements.yml @@ -79,9 +79,9 @@ jobs: shortname: ${{ inputs.osImage }} - name: Check if image definition from build pipeline exists + shell: bash run: | wget -O /dev/null "https://cdn.confidential.cloud/constellation/v1/ref/${{ steps.extract.outputs.ref }}/stream/${{ steps.extract.outputs.stream }}/${{ steps.extract.outputs.version }}/image/info.json" - shell: bash - name: Setup Go environment uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 
@@ -89,11 +89,11 @@ jobs: go-version: "1.19.5" - name: Build hack/pcr-reader + shell: bash + working-directory: hack/pcr-reader run: | go build . pwd >> "$GITHUB_PATH" - working-directory: hack/pcr-reader - shell: bash - name: Login to Azure if: matrix.provider == 'azure' @@ -102,8 +102,8 @@ jobs: azure_credentials: ${{ secrets.AZURE_E2E_CREDENTIALS }} - name: Create Azure resource group - if: matrix.provider == 'azure' id: az_resource_group_gen + if: matrix.provider == 'azure' shell: bash run: | uuid=$(cat /proc/sys/kernel/random/uuid) @@ -112,8 +112,8 @@ jobs: echo "res_group_name=$name" >> "$GITHUB_OUTPUT" - name: Create Cluster in E2E Test environment - if: matrix.provider != 'qemu' id: create_cluster + if: matrix.provider != 'qemu' uses: ./.github/actions/e2e_test with: workerNodesCount: 1 @@ -134,6 +134,9 @@ jobs: - name: Fetch PCRs from running cluster if: matrix.provider != 'qemu' + shell: bash + env: + CSP: ${{ matrix.provider }} run: | KUBECONFIG="${PWD}/constellation-admin.conf" kubectl rollout status ds/verification-service -n kube-system --timeout=3m CONSTELL_IP=$(jq -r ".ip" constellation-id.json) @@ -187,12 +190,10 @@ jobs: echo "PCRs to be published after removing known variable ones:" cat "${{ github.workspace }}/generated-measurements/measurements.json" mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" - shell: bash - env: - CSP: ${{ matrix.provider }} - name: Set PCRs for QEMU if: matrix.provider == 'qemu' + shell: bash env: ref: ${{ steps.extract.outputs.ref }} stream: ${{ steps.extract.outputs.stream }} 
@@ -216,7 +217,6 @@ jobs: .measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \ -I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json" mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" - shell: bash - name: Upload measurements as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 @@ -262,11 +262,11 @@ jobs: go-version: "1.19.5" - name: Build hack/pcr-compare + shell: bash + working-directory: hack/pcr-compare run: | go build . pwd >> "$GITHUB_PATH" - working-directory: hack/pcr-compare - shell: bash - name: Download calculated measurements from artifact uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.1.1 
@@ -275,21 +275,21 @@ jobs: path: "${{ github.workspace }}/generated-measurements" - name: Download expected measurements from build pipeline for image - run: | - path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json" - mkdir -p ${{ github.workspace }}/expected-measurements - wget -O ${{ github.workspace }}/expected-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}" - cat ${{ github.workspace }}/expected-measurements/measurements.image.json shell: bash env: ref: ${{ needs.calculate-measurements-on-csp.outputs.ref }} stream: ${{ needs.calculate-measurements-on-csp.outputs.stream }} version: ${{ needs.calculate-measurements-on-csp.outputs.version }} + run: | + path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json" + mkdir -p ${{ github.workspace }}/expected-measurements + wget -O ${{ github.workspace }}/expected-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}" + cat ${{ github.workspace }}/expected-measurements/measurements.image.json - name: Check if expected measurements == actual measurements from running cluster + shell: bash run: | pcr-compare ${{ github.workspace }}/expected-measurements/measurements.image.json ${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json - shell: bash sign-measurements: name: "Sign Measurements" 
@@ -377,10 +377,6 @@ jobs: aws-region: eu-central-1 - name: Upload to S3 - run: | - S3_PATH=s3://cdn-constellation-backend/constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }} - aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" "${S3_PATH}/measurements.json" - aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json.sig" "${S3_PATH}/measurements.json.sig" shell: bash env: IMAGE_UID: ${{ inputs.osImage }} @@ -389,3 +385,7 @@ jobs: ref: ${{ needs.calculate-measurements-on-csp.outputs.ref }} stream: ${{ needs.calculate-measurements-on-csp.outputs.stream }} version: ${{ needs.calculate-measurements-on-csp.outputs.version }} + run: | + S3_PATH=s3://cdn-constellation-backend/constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }} + aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" "${S3_PATH}/measurements.json" + aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json.sig" "${S3_PATH}/measurements.json.sig" diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml index 32c9aa7df..61d92905b 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/release-cli.yml @@ -28,10 +28,12 @@ jobs: uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ inputs.ref || github.head_ref }} + - name: Setup Go environment uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: "1.19.5" + - name: Build CLI uses: ./.github/actions/build_cli with: 
@@ -41,6 +43,7 @@ jobs: cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} + - name: Upload CLI as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -59,22 +62,27 @@ jobs: uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-darwin-amd64 + - name: Download CLI binaries darwin-arm64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-darwin-arm64 + - name: Download CLI binaries linux-amd64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-linux-amd64 + - name: Download CLI binaries linux-arm64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-linux-arm64 + - name: Download CLI SBOM uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation.spdx.sbom + - name: Generate provenance subjects id: provenance-subjects run: | @@ -97,7 +105,9 @@ jobs: uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ inputs.ref || github.head_ref }} + - name: Download syft & grype + shell: bash run: | SYFT_VERSION=0.62.1 GRYPE_VERSION=0.53.1 
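Review bot: `Download syft & grype` now declares `shell: bash` explicitly, but the visible lines only pin `SYFT_VERSION` and `GRYPE_VERSION`; the download lines are outside this hunk, so I cannot tell whether the archives are checksum-verified before the directory is added to `GITHUB_PATH` for the later signing step. If they are not, pinning the release checksums next to the two version variables and checking them with `sha256sum -c` before extracting would make the tool install as reproducible as the action SHAs elsewhere in the file. The run block continues past the hunk.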
@@ -108,24 +118,27 @@ jobs: tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz ./grype version pwd >> "$GITHUB_PATH" - shell: bash + - name: Install Cosign uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 + - name: Build signed SBOM - run: | - syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json - cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig - grype constellation.spdx.sbom --fail-on high --only-fixed env: COSIGN_EXPERIMENTAL: 1 COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} + run: | + syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json + cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig + grype constellation.spdx.sbom --fail-on high --only-fixed + - name: Upload Constellation CLI SBOM uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: constellation.spdx.sbom path: constellation.spdx.sbom + - name: Upload Constellation CLI SBOM's signature uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: 
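Review bot: `Build signed SBOM` is left on the implicit default shell while the commit adds an explicit `shell: bash` to `Download syft & grype` directly above and to the other run steps it touches; for consistency add `shell: bash` ahead of its `env:` block. On the same step, the run body signs `constellation.spdx.sbom` before `grype ... --fail-on high --only-fixed` gates it, and with `COSIGN_EXPERIMENTAL: 1` set `cosign sign-blob` may also record the signature in the public transparency log, so an SBOM the scan then rejects can already have a published signature. Moving the `grype` line above the `cosign sign-blob` line keeps signing behind the gate.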
@@ -157,30 +170,37 @@ jobs: uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-darwin-amd64 + - name: Download CLI binaries darwin-arm64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-darwin-arm64 + - name: Download CLI binaries linux-amd64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-linux-amd64 + - name: Download CLI binaries linux-arm64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-linux-arm64 + - name: Download CLI SBOM uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation.spdx.sbom + - name: Download provenance uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ needs.provenance.outputs.provenance-name }} + - name: Install slsa-verifier run: | curl -LO https://github.com/slsa-framework/slsa-verifier/releases/download/v${{ env.SLSA_VERIFIER_VERSION }}/slsa-verifier-linux-amd64 install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier + - name: Verify provenance run: | slsa-verifier verify-artifact constellation-darwin-amd64 \ 
@@ -211,37 +231,46 @@ jobs: run: echo "$COSIGN_PUBLIC_KEY" > cosign.pub env: COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} + - name: Download CLI binaries darwin-amd64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-darwin-amd64 + - name: Download CLI binaries darwin-arm64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-darwin-arm64 + - name: Download CLI binaries linux-amd64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-linux-amd64 + - name: Download CLI binaries linux-arm64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-linux-arm64 + - name: Download Constellation CLI SBOM uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation.spdx.sbom + - name: Download Constellation CLI SBOM's signature uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation.spdx.sbom.sig + - name: Download Constellation provenance uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ needs.provenance.outputs.provenance-name }} + - name: Rename provenance file run: | mv ${{ needs.provenance.outputs.provenance-name }} constellation.intoto.jsonl + - name: Create release with artifacts # GitHub endorsed release project. See: https://github.com/actions/create-release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f9897ce2c..327ba56f6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -35,6 +35,7 @@ jobs: echo "Version must be in the form of vX.Y.Z" exit 1 fi + - name: Extract version info id: version-info run: | @@ -109,9 +110,11 @@ jobs: env: BRANCH: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Checkout + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.head_ref }} + - name: Create release branch if: inputs.kind == 'minor' run: | @@ -154,7 +157,8 @@ jobs: VERSION: ${{ inputs.version }} WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }} steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Checkout + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} @@ -235,7 +239,8 @@ jobs: VERSION: ${{ inputs.version }} WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }} steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Checkout + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} @@ -298,7 +303,8 @@ jobs: env: VERSION: ${{ inputs.version }} steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Checkout + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} @@ -326,7 +332,8 @@ jobs: VERSION: ${{ inputs.version }} NEW_BRANCH: feat/release/${{ inputs.version }}/changes-to-main steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Checkot + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f5fc9d716..99f08a4a7 100644 
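Review bot: The last hunk in release.yml names the checkout step `Checkot`, while every other step the commit names in this file is `Checkout`; the line should read `- name: Checkout`. Consistent step names matter here because the job log is the main place these release jobs are read back.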
--- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -19,26 +19,26 @@ jobs: id-token: write steps: - - name: "Checkout code" + - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: persist-credentials: false - - name: "Run analysis" + - name: Run analysis uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 with: results_file: results.sarif results_format: sarif publish_results: true - - name: "Upload artifact" + - name: Upload artifact uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 with: name: SARIF file path: results.sarif retention-days: 5 - - name: "Upload to code-scanning" + - name: Upload to code-scanning uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 with: sarif_file: results.sarif diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml index 76e902dd8..22ce2c268 100644 --- a/.github/workflows/test-integration.yml +++ b/.github/workflows/test-integration.yml @@ -41,5 +41,5 @@ jobs: # Runs all test targets starting with "integration-" - name: Integration Tests - run: ctest -R integration- working-directory: build + run: ctest -R integration- diff --git a/.github/workflows/test-unittest.yml b/.github/workflows/test-unittest.yml index 9dd34f1d6..aafe66219 100644 --- a/.github/workflows/test-unittest.yml +++ b/.github/workflows/test-unittest.yml @@ -40,10 +40,10 @@ jobs: run: mkdir build && cd build && cmake .. - name: Unit Tests - run: ctest -R unit working-directory: build env: TMPDIR: ${{ runner.temp }} + run: ctest -R unit test-darwin: runs-on: macos-12 diff --git a/.github/workflows/update-cli-reference.yml b/.github/workflows/update-cli-reference.yml index b4f1ca5ec..f271dc3b0 100644 --- a/.github/workflows/update-cli-reference.yml +++ b/.github/workflows/update-cli-reference.yml 
@@ -26,8 +26,8 @@ jobs: cache: true - name: Generate reference docs - run: go run . | cat header.md - > ../../cli.md working-directory: hack/clidocgen + run: go run . | cat header.md - > ../../cli.md - name: Get commit sha run: | @@ -41,8 +41,6 @@ jobs: - name: Publish new reference (create new branch) if: env.EXISTS == 0 uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 # tag=v1.1.1 - env: - API_TOKEN_GITHUB: ${{ secrets.CI_GITHUB_REPOSITORY }} with: source_file: "cli.md" destination_repo: "edgelesssys/constellation" @@ -51,12 +49,12 @@ jobs: user_name: "${{ github.actor }}" user_email: "${{ github.actor }}@users.noreply.github.com" commit_message: "CLI reference was updated by edgelesssys/constellation@${{ env.COMMIT_END}}" + env: + API_TOKEN_GITHUB: ${{ secrets.CI_GITHUB_REPOSITORY }} - name: Publish new reference (update branch) if: env.EXISTS == 1 uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 # tag=v1.1.1 - env: - API_TOKEN_GITHUB: ${{ secrets.CI_GITHUB_REPOSITORY }} with: source_file: "cli.md" destination_repo: "edgelesssys/constellation" @@ -65,3 +63,5 @@ jobs: user_name: "${{ github.actor }}" user_email: "${{ github.actor }}@users.noreply.github.com" commit_message: "CLI reference was updated by edgelesssys/constellation@${{ env.COMMIT_END}}" + env: + API_TOKEN_GITHUB: ${{ secrets.CI_GITHUB_REPOSITORY }}