ci: unified order and style of workflows/actions

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer 2023-01-18 10:15:58 +01:00
parent 41690288a1
commit 411dfed18f
31 changed files with 235 additions and 183 deletions


@ -54,10 +54,16 @@ runs:
password: ${{ inputs.githubToken }}
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
- name: Build apko images and sign them
shell: bash
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
if [[ -z "${{ inputs.apkoConfig }}" ]]; then
echo "Building all images in image"
@ -131,14 +137,14 @@ runs:
mv sbom-*.* sboms/$imageName/
fi
- name: Sign sboms
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
shell: bash
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
- name: Sign sboms
run: |
for dir in sboms/*; do
for file in $dir/*; do
@ -151,17 +157,11 @@ runs:
done
zip -r sboms.zip sboms
shell: bash
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
- name: Upload SBOMs
if: always()
continue-on-error: true
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: sboms
path: sboms.zip
if: always()
continue-on-error: true


@ -33,11 +33,12 @@ runs:
steps:
# https://github.blog/2022-04-12-git-security-vulnerability-announced/
- name: Mark repository safe
shell: bash
run: |
git config --global --add safe.directory /__w/constellation/constellation
shell: bash
- name: Build CLI
shell: bash
run: |
echo "::group::Build CLI"
mkdir -p build
@ -53,26 +54,32 @@ runs:
echo "$(pwd)" >> $GITHUB_PATH
export PATH="$PATH:$(pwd)"
echo "::endgroup::"
shell: bash
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
# once it has the functionality
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Install Rekor
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
shell: bash
working-directory: build
run: |
HOSTOS="$(go env GOOS)"
HOSTARCH="$(go env GOARCH)"
curl -sLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-${HOSTOS}-${HOSTARCH}
sudo install rekor-cli-${HOSTOS}-${HOSTARCH} /usr/local/bin/rekor-cli
rm rekor-cli-${HOSTOS}-${HOSTARCH}
shell: bash
working-directory: build
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
- name: Sign CLI
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
shell: bash
working-directory: build
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
SIGN_TARGET=constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
echo "$COSIGN_PUBLIC_KEY" > cosign.pub
@ -85,10 +92,3 @@ runs:
uuid=$(rekor-cli search --artifact ${SIGN_TARGET} | tail -n 1)
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
cosign verify-blob --key cosign.pub --signature <(echo $sig) ${SIGN_TARGET}
shell: bash
working-directory: build
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
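Review bot: The reordered `Install Rekor` step still fetches `rekor-cli-${HOSTOS}-${HOSTARCH}` with `curl -sLO` and hands it straight to `sudo install` with no checksum or signature check, while the neighbouring `Install Cosign` step is pinned to a commit SHA with a version comment. The reorder does not change that, so it is outside this commit's scope, but a follow-up could verify the download before the `install` line, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  rekor-cli-${HOSTOS}-${HOSTARCH}" | sha256sum -c -`, with the digest kept next to the v0.12.0 version string. Quoting `"${SIGN_TARGET}"`, `"${uuid}"` and `"$sig"` in the `Sign CLI` verification lines would also guard against word splitting on those values. The `Sign CLI` run block continues between the two hunks.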


@ -41,7 +41,6 @@ outputs:
description: "Container tag"
value: ${{ steps.build.container_tag }}
# Linux runner only
runs:
using: "composite"
@ -55,8 +54,8 @@ runs:
uses: imjasonh/setup-ko@9a31684920a610d5dbe8012888714d64706f9787 # tag=v0.6
- name: Build and upload ko container image
shell: bash
id: build
shell: bash
env:
KO_USER: ${{ github.actor }}
KO_CONFIG_PATH: ${{ inputs.koConfig }}


@ -68,10 +68,10 @@ runs:
PROJECT_VERSION=${{ inputs.projectVersion }}
- name: Generate SBOM
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: ./.github/actions/container_sbom
with:
containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-micro-service.outputs.digest }}
cosignPublicKey: ${{ inputs.cosignPublicKey }}
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
cosignPassword: ${{ inputs.cosignPassword }}
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''


@ -70,10 +70,10 @@ runs:
echo CONTAINER_FULL=$container_full >> $GITHUB_ENV
- name: Generate SBOM
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false'
uses: ./.github/actions/container_sbom
with:
containerReference: ${{ env.CONTAINER_FULL }}
cosignPublicKey: ${{ inputs.cosignPublicKey }}
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
cosignPassword: ${{ inputs.cosignPassword }}
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false'


@ -66,29 +66,29 @@ runs:
tags: ${{ steps.meta.outputs.tags }}
- name: Generate SBOM
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: ./.github/actions/container_sbom
with:
containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-image.outputs.digest }}
cosignPublicKey: ${{ inputs.cosignPublicKey }}
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
cosignPassword: ${{ inputs.cosignPassword }}
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
- name: Bundle for pseudo version
if: steps.pseudo-version.outputs.pseudoVersion != '' && inputs.pushTag == ''
shell: bash
run: make bundle VERSION=${VERSION#v}
working-directory: ${{ inputs.sourceDir }}
env:
VERSION: ${{ steps.pseudo-version.outputs.pseudoVersion }}
run: make bundle VERSION=${VERSION#v}
- name: Bundle for semantic version
if: inputs.pushTag != ''
shell: bash
run: make bundle VERSION=${VERSION#v}
working-directory: ${{ inputs.sourceDir }}
env:
VERSION: ${{ inputs.pushTag }}
run: make bundle VERSION=${VERSION#v}
- name: Docker metadata for bundle
id: bundle-meta
@ -112,26 +112,26 @@ runs:
tags: ${{ steps.bundle-meta.outputs.tags }}
- name: Generate Bundle SBOM
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: ./.github/actions/container_sbom
with:
containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle@${{ steps.build-image-bundle.outputs.digest }}
cosignPublicKey: ${{ inputs.cosignPublicKey }}
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
cosignPassword: ${{ inputs.cosignPassword }}
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
- name: Build and push catalog for pseudo versions
if: steps.pseudo-version.outputs.pseudoVersion != '' && inputs.pushTag == ''
shell: bash
run: make VERSION=${VERSION#v} catalog-build catalog-push
working-directory: ${{ inputs.sourceDir }}
env:
VERSION: ${{ steps.pseudo-version.outputs.pseudoVersion }}
run: make VERSION=${VERSION#v} catalog-build catalog-push
- name: Build and push catalog for releases
if: inputs.pushTag != ''
shell: bash
run: make VERSION=${VERSION#v} catalog-build catalog-push
working-directory: ${{ inputs.sourceDir }}
env:
VERSION: ${{ inputs.pushTag }}
run: make VERSION=${VERSION#v} catalog-build catalog-push


@ -99,8 +99,8 @@ runs:
fi
- name: Remove embedded measurements
shell: bash
if: inputs.keepMeasurements == 'false'
shell: bash
run: |
yq eval -i \
"(.provider | select(. | has(\"aws\")).aws.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \


@ -40,5 +40,5 @@ runs:
echo "::endgroup::"
- name: Constellation terminate
run: constellation terminate --yes
shell: bash
run: constellation terminate --yes


@ -18,9 +18,11 @@ runs:
using: "composite"
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Download syft & grype
shell: bash
run: |
SYFT_VERSION=0.59.0
GRYPE_VERSION=0.51.0
@ -31,9 +33,14 @@ runs:
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
./grype version
echo $(pwd) >> $GITHUB_PATH
shell: bash
- name: Generate SBOM
shell: bash
env:
# COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
set -ex
echo "$COSIGN_PRIVATE_KEY" > cosign.key
@ -43,9 +50,3 @@ runs:
# https://github.com/sigstore/cosign/issues/2264
cosign verify-attestation ${{ inputs.containerReference }} --type 'https://cyclonedx.org/bom' --key env://COSIGN_PUBLIC_KEY
grype ${{ inputs.containerReference }} --fail-on high --only-fixed
shell: bash
env:
# COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
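Review bot: The `Generate SBOM` script opens with `set -ex` and its next line is `echo "$COSIGN_PRIVATE_KEY" > cosign.key`; with xtrace enabled bash prints the expanded argument, so the private key material is written to the step log. GitHub masks values that originate from a `secrets` context, but `cosignPrivateKey` is a composite-action input, so whether masking applies depends on how each caller populates it — worth confirming. Dropping `-x` (`set -e`) or passing the key to cosign as `--key env://COSIGN_PRIVATE_KEY`, the form the verify line already uses for the public key, avoids the exposure without changing the reordered env block. The step's run block continues between the two hunks.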


@ -32,12 +32,14 @@ runs:
- name: Install patched K-Bench
working-directory: "k-bench"
run: ./install.sh
shell: bash
run: ./install.sh
- name: Run K-Bench
shell: bash
working-directory: k-bench
env:
KUBECONFIG: ${{ inputs.kubeconfig }}
run: |
mkdir -p ./out
kubectl create namespace kbench-pod-namespace --dry-run=client -o yaml | kubectl apply -f -
@ -55,12 +57,10 @@ runs:
kubectl create namespace kbench-pod-namespace --dry-run=client -o yaml | kubectl apply -f -
kubectl apply -f ../.github/actions/e2e_kbench/encrypted_storage.yml
./run.sh -r "kbench-constellation-${{ inputs.cloudProvider }}" -t "dp_network_intranode" -o "./out/"
env:
KUBECONFIG: ${{ inputs.kubeconfig }}
- name: Merge K-Bench results
working-directory: k-bench
shell: bash
working-directory: k-bench
run: |
mkdir -p "./out/kbench-constellation-${{ inputs.cloudProvider }}"
mv ./out/results_kbench-constellation-${{ inputs.cloudProvider }}_*m/* "./out/kbench-constellation-${{ inputs.cloudProvider }}/"
@ -68,8 +68,8 @@ runs:
cat ./out/kbench-constellation-${{ inputs.cloudProvider }}/*/kbench.log
- name: Upload original benchmark results
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: (!env.ACT)
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
path: "k-bench/out/kbench-constellation-${{ inputs.cloudProvider }}"
name: "k-bench-constellation-${{ inputs.cloudProvider }}"
@ -82,26 +82,22 @@ runs:
- name: Set S3 artifact store
shell: bash
run: echo S3_PATH=s3://${ARTIFACT_BUCKET_CONSTELLATION}/benchmarks >> $GITHUB_ENV
env:
ARTIFACT_BUCKET_CONSTELLATION: "edgeless-artifact-store/constellation"
run: echo S3_PATH=s3://${ARTIFACT_BUCKET_CONSTELLATION}/benchmarks >> $GITHUB_ENV
- name: Get previous benchmark records from S3
shell: bash
env:
KBENCH_RESULTS: ${{ github.workspace }}/k-bench/out/
CSP: ${{ inputs.cloudProvider }}
run: |
mkdir -p benchmarks
aws s3 cp --recursive ${S3_PATH} benchmarks --no-progress
mv benchmarks/constellation-${CSP}.json benchmarks/constellation-${CSP}-previous.json
env:
KBENCH_RESULTS: ${{ github.workspace }}/k-bench/out/
CSP: ${{ inputs.cloudProvider }}
- name: Parse K-Bench results, create diagrams and post the progression summary
shell: bash
run: |
python .github/actions/e2e_kbench/evaluate/parse.py
python .github/actions/e2e_kbench/evaluate/graph.py
python .github/actions/e2e_kbench/evaluate/compare.py >> $GITHUB_STEP_SUMMARY
env:
# Original K-Bench result directory
KBENCH_RESULTS: k-bench/out/
@ -111,10 +107,14 @@ runs:
PREV_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}-previous.json
CURR_BENCH: benchmarks/constellation-${{ inputs.cloudProvider }}.json
CSP: ${{ inputs.cloudProvider }}
run: |
python .github/actions/e2e_kbench/evaluate/parse.py
python .github/actions/e2e_kbench/evaluate/graph.py
python .github/actions/e2e_kbench/evaluate/compare.py >> $GITHUB_STEP_SUMMARY
- name: Upload benchmark results and graphs to action run
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: (!env.ACT)
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
path: |
benchmarks/*_perf.png
@ -122,9 +122,9 @@ runs:
name: "benchmarks"
- name: Update benchmark records in S3
if: github.ref == 'refs/heads/main'
shell: bash
run: |
aws s3 cp benchmarks/constellation-${CSP}.json ${S3_PATH}/constellation-${CSP}.json
env:
CSP: ${{ inputs.cloudProvider }}
if: github.ref == 'refs/heads/main'
run: |
aws s3 cp benchmarks/constellation-${CSP}.json ${S3_PATH}/constellation-${CSP}.json


@ -32,6 +32,10 @@ runs:
- name: MiniConstellation E2E
shell: bash
env:
ARM_CLIENT_ID: ${{ inputs.azureClientID }}
ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
ARM_TENANT_ID: ${{ inputs.azureTenantID }}
run: |
echo "::group::Terraform"
cd .github/actions/e2e_mini
@ -46,20 +50,16 @@ runs:
# Copy locally build Constellation CLI and run e2e script.
scp -i id_rsa ../../../build/constellation adminuser@${AZURE_VM_IP}:.
ssh -i id_rsa adminuser@${AZURE_VM_IP} 'bash -s' < run-e2e.sh
env:
ARM_CLIENT_ID: ${{ inputs.azureClientID }}
ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
ARM_TENANT_ID: ${{ inputs.azureTenantID }}
- name: Delete deployment
if: always()
shell: bash
env:
ARM_CLIENT_ID: ${{ inputs.azureClientID }}
ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
ARM_TENANT_ID: ${{ inputs.azureTenantID }}
run: |
echo "::group::Terminate"
cd .github/actions/e2e_mini
terraform destroy -auto-approve
echo "::endgroup::"
env:
ARM_CLIENT_ID: ${{ inputs.azureClientID }}
ARM_SUBSCRIPTION_ID: ${{ inputs.azureSubscriptionID }}
ARM_TENANT_ID: ${{ inputs.azureTenantID }}


@ -28,8 +28,8 @@ runs:
install sonobuoy /usr/local/bin
- name: Sonobuoy version
run: sonobuoy version
shell: bash
run: sonobuoy version
- name: Run e2e test
shell: bash


@ -16,6 +16,7 @@ runs:
shell: bash
run: |
yq -i 'del(.provider.${{ inputs.cloudProvider }}.measurements)' constellation-conf.yaml
- name: Fetch & write measurements
shell: bash
run: |
@ -27,6 +28,7 @@ runs:
done
yq -i '.provider.${{ inputs.cloudProvider }}.measurements |= array_to_map' constellation-conf.yaml
cat constellation-conf.yaml
- name: Constellation verify
shell: bash
run: constellation verify --cluster-id $(jq -r ".clusterID" constellation-id.json)


@ -24,6 +24,8 @@ runs:
steps:
- name: get pseudo version
id: pseudo-version
shell: bash
working-directory: hack/pseudo-version
run: |
if $(git rev-parse --is-shallow-repository); then
git fetch --prune --unshallow --tags -v
@ -44,5 +46,3 @@ runs:
echo "timestamp=${timestamp}" >> $GITHUB_OUTPUT
echo "branchName=${branchName}" >> $GITHUB_OUTPUT
echo "releaseVersion=${releaseVersion}" >> $GITHUB_OUTPUT
working-directory: hack/pseudo-version
shell: bash


@ -35,19 +35,19 @@ runs:
sudo apt-get install curl gpg -y
- name: Install yq jq
shell: bash
run: |
sudo apt-get install yq jq -y
shell: bash
- name: Install AWS CLI
shell: bash
run: |
sudo apt-get -y install awscli
shell: bash
- name: Install az CLI
shell: bash
run: |
sudo apt-get install azure-cli -y
shell: bash
- name: Set up gcloud CLI
uses: google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce # v1.0.1


@ -21,6 +21,7 @@ runs:
e2fsprogs \
squashfs-tools
echo "::endgroup::"
# Try to eliminate "Failed to dissect image: Connection timed out" errors from nspawn by compiling
# systemd-nspawn from v251 from source.
- name: Update systemd-nspawn
@ -35,6 +36,7 @@ runs:
sudo ln -svf $PWD/systemd-stable/build/systemd-nspawn $(which systemd-nspawn)
systemd-nspawn --version
echo "::endgroup::"
- name: Install
shell: bash
run: sudo python3 -m pip install git+https://github.com/systemd/mkosi.git@${{ inputs.version }}


@ -21,8 +21,8 @@ runs:
using: "composite"
steps:
- name: Extract ref, stream and version
shell: bash
id: extract
shell: bash
run: |
ref="-"
stream="stable"


@ -111,6 +111,7 @@ jobs:
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.5"
- name: Build disk-mapper
uses: ./.github/actions/build_disk_mapper


@ -16,7 +16,8 @@ jobs:
- version: v25.2.0
latest: true
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Checkout kubernetes/cloud-provider-gcp
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
repository: "kubernetes/cloud-provider-gcp"
ref: refs/tags/ccm/${{ matrix.version }}
@ -45,17 +46,20 @@ jobs:
- name: Build CCM
run: |
"${GITHUB_WORKSPACE}/bin/bazel" build //cmd/cloud-controller-manager:cloud-controller-manager
- name: Copy CCM
run: |
# support new and old bazel output paths
cp ./bazel-bin/cmd/cloud-controller-manager/cloud-controller-manager_/cloud-controller-manager ./cloud-controller-manager || \
cp ./bazel-bin/cmd/cloud-controller-manager/linux_amd64_pure_stripped/cloud-controller-manager ./cloud-controller-manager
- name: Prepare Dockerfile
run: |
cat > Dockerfile <<EOF
FROM scratch
COPY ./cloud-controller-manager /cloud-controller-manager
EOF
- name: Build and push container image
id: build
uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # tag=v3.2.0


@ -16,13 +16,15 @@ jobs:
- version: "20220927.00"
latest: true
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Checkout GoogleCloudPlatform/guest-agent
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
repository: "GoogleCloudPlatform/guest-agent"
ref: refs/tags/${{ matrix.version }}
path: "guest-agent"
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Checkout Constellation
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
path: "constellation"
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}


@ -97,13 +97,13 @@ jobs:
- name: Collect hashes
id: collect-hashes
working-directory: ${{ github.workspace }}/build
run: |
{
echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)"
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)"
echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)"
} >> "$GITHUB_OUTPUT"
working-directory: ${{ github.workspace }}/build
build-settings:
name: "Determine build settings"
@ -279,20 +279,16 @@ jobs:
- name: Prepare PKI for secure boot signing
id: prepare-pki
shell: bash
run: |
echo "${DB_KEY}" > "${PKI_SET}/db.key"
ln -s "${PKI_SET}" pki
working-directory: ${{ github.workspace }}/image
env:
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
run: |
echo "${DB_KEY}" > "${PKI_SET}/db.key"
ln -s "${PKI_SET}" pki
- name: Build
shell: bash
run: |
echo "::group::Build"
sudo make IMAGE_VERSION="${IMAGE_VERSION}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}"
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
env:
BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
@ -301,9 +297,15 @@ jobs:
AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }}
IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
CSP: ${{ matrix.csp }}
run: |
echo "::group::Build"
sudo make IMAGE_VERSION="${IMAGE_VERSION}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}"
echo "::endgroup::"
- name: Collect hashes
id: collect-hashes
continue-on-error: true
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37
run: |
{
echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)"
@ -315,18 +317,18 @@ jobs:
echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)"
echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)"
} >> "$GITHUB_OUTPUT"
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37
continue-on-error: true
- name: Upload raw OS image as artifact
if: always()
continue-on-error: true
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: image-${{ matrix.csp }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw
if: always()
continue-on-error: true
- name: Upload individual OS parts as artifacts
if: always()
continue-on-error: true
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: parts-${{ matrix.csp }}
@ -338,18 +340,16 @@ jobs:
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.roothash
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.verity
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz
if: always()
continue-on-error: true
- name: Upload manifest as artifact
if: always()
continue-on-error: true
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: manifest-${{ matrix.csp }}
path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.changelog
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.manifest
if: always()
continue-on-error: true
upload-os-image:
name: "Upload OS image to CSP"
@ -403,11 +403,11 @@ jobs:
echo "::endgroup::"
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
# on AWS, login is required to upload the image as AMI
# on Azure, login is done to download the VMGS from S3
# on QEMU, login is done to upload the image to S3
if: matrix.csp == 'aws' || matrix.csp == 'azure' || matrix.csp == 'qemu'
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
@ -419,42 +419,36 @@ jobs:
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
- name: Login to GCP
uses: ./.github/actions/login_gcp
if: matrix.csp == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
- name: Prepare PKI for image upload
id: prepare-pki
shell: bash
working-directory: ${{ github.workspace }}/image
run: |
ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
working-directory: ${{ github.workspace }}/image
- name: Download VMGS blob
if: matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported')
working-directory: ${{ github.workspace }}/image
env:
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
run: |
aws s3 cp \
--region "${AZURE_VMGS_REGION}" \
"s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
"${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
--no-progress
working-directory: ${{ github.workspace }}/image
if: matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported')
env:
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
- name: Upload AWS image
shell: bash
run: |
echo "::group::Upload AWS image"
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
upload/upload_aws.sh
echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${AWS_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: matrix.csp == 'aws'
shell: bash
working-directory: ${{ github.workspace }}/image
env:
PKI: ${{ github.workspace }}/image/pki
AWS_JSON_OUTPUT: ${{ steps.vars.outputs.awsJsonOutput }}
@ -466,17 +460,17 @@ jobs:
AWS_REGION: ${{ steps.vars.outputs.awsRegion }}
AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }}
AWS_PUBLISH: ${{ steps.vars.outputs.awsPublish }}
run: |
echo "::group::Upload AWS image"
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
upload/upload_aws.sh
echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${AWS_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
- name: Upload GCP image
shell: bash
run: |
echo "::group::Upload GCP image"
upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
upload/upload_gcp.sh
echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${GCP_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: matrix.csp == 'gcp'
shell: bash
working-directory: ${{ github.workspace }}/image
env:
PKI: ${{ github.workspace }}/image/pki
GCP_JSON_OUTPUT: ${{ steps.vars.outputs.gcpJsonOutput }}
@ -488,17 +482,17 @@ jobs:
GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }}
GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }}
GCP_REGION: ${{ steps.vars.outputs.gcpRegion }}
run: |
echo "::group::Upload GCP image"
upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
upload/upload_gcp.sh
echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${GCP_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
- name: Upload Azure image
shell: bash
run: |
echo "::group::Upload Azure image"
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: matrix.csp == 'azure'
shell: bash
working-directory: ${{ github.workspace }}/image
env:
PKI: ${{ github.workspace }}/image/pki
AZURE_JSON_OUTPUT: ${{ steps.vars.outputs.azureJsonOutput }}
@ -517,15 +511,16 @@ jobs:
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
AZURE_SKU: ${{ steps.vars.outputs.azureSku }}
AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }}
run: |
echo "::group::Upload Azure image"
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
- name: Upload QEMU image
shell: bash
if: matrix.csp == 'qemu'
run: |
echo "::group::Upload QEMU image"
upload/upload_qemu.sh
echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${QEMU_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
shell: bash
working-directory: ${{ github.workspace }}/image
env:
QEMU_JSON_OUTPUT: ${{ steps.vars.outputs.qemuJsonOutput }}
@ -535,6 +530,11 @@ jobs:
REF: ${{needs.build-settings.outputs.ref }}
STREAM: ${{needs.build-settings.outputs.stream }}
IMAGE_VERSION: ${{needs.build-settings.outputs.imageVersion }}
run: |
echo "::group::Upload QEMU image"
upload/upload_qemu.sh
echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${QEMU_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
- name: Upload image lookup table as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
@ -579,6 +579,7 @@ jobs:
echo "::endgroup::"
- name: Calculate expected PCRs
working-directory: ${{ github.workspace }}/image/measured-boot
run: |
echo "::group::Calculate expected PCRs"
{
@ -589,7 +590,6 @@ jobs:
cp pcr-stable.json ${{ github.workspace }}/
jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image/measured-boot
- name: Upload expected PCRs as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
@ -646,21 +646,24 @@ jobs:
unsquashfs -user-xattrs -d image.root.tree image.root.raw
echo "::endgroup::"
- uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1
- name: Create SBOM in SPDX fromat
uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1
with:
path: image.root.tree
artifact-name: sbom.spdx.json
output-file: sbom.spdx.json
format: spdx-json
- uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1
- name: Create SBOM in CycloneDX fromat
uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1
with:
path: image.root.tree
artifact-name: sbom.cyclonedx.json
output-file: sbom.cyclonedx.json
format: cyclonedx-json
- uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1
- name: Create SBOM in Syft fromat
uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1
with:
path: image.root.tree
artifact-name: sbom.syft.json
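Review bot: The three newly added step names read `Create SBOM in SPDX fromat`, `Create SBOM in CycloneDX fromat` and `Create SBOM in Syft fromat`; `fromat` should be `format` in each, since these names surface in the job log and status UI. For example `- name: Create SBOM in SPDX format`. The remaining hunks in this section only reorder keys.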


@ -46,7 +46,7 @@ jobs:
echo "::group::Install go dependencies"
mods=$(go list -f '{{.Dir}}' -m | xargs)
for mod in $mods; do
(cd "$mod" || exit; go mod tidy)
(cd "$mod" || exit; go mod download)
done
echo "::endgroup::"
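Review bot: Replacing `go mod tidy` with `go mod download` in the dependency-install loop is a behavioural change, not the key reordering the commit title describes, and deserves a sentence in the commit message. Assuming `go mod download` is the new side (the rendered page drops the `+`/`-` markers), it is the safer choice for CI: it verifies every module against the committed go.sum and never rewrites go.mod or go.sum, whereas `tidy` can silently update both and would mask a drifted checksum.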


@ -198,6 +198,7 @@ jobs:
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: github.event.steps.check-bootstrapper-cache.cache-hit != 'true' && inputs.git-ref != 'head'
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
@ -239,6 +240,7 @@ jobs:
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.git-ref != 'head'
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
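Review bot: The condition directly under the added `Checkout ref` name, `if: github.event.steps.check-bootstrapper-cache.cache-hit != 'true' && inputs.git-ref != 'head'`, does not look like a valid expression path; actions/cache exposes its flag as `steps.<id>.outputs.cache-hit`, so assuming the step id is `check-bootstrapper-cache` the intended form would be `if: steps.check-bootstrapper-cache.outputs.cache-hit != 'true' && inputs.git-ref != 'head'`. If the current path resolves to empty, the comparison is always true and the ref checkout runs even after a cache hit, which I cannot confirm from this page but is worth checking. The second hunk's `if: inputs.git-ref != 'head'` already uses a plain context path. The jobs these steps belong to start outside the hunks.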


@ -106,8 +106,8 @@ jobs:
azure_credentials: ${{ secrets.AZURE_E2E_CREDENTIALS }}
- name: Create Azure resource group
if: matrix.provider == 'azure'
id: az_resource_group_gen
if: matrix.provider == 'azure'
shell: bash
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)


@ -79,9 +79,9 @@ jobs:
shortname: ${{ inputs.osImage }}
- name: Check if image definition from build pipeline exists
shell: bash
run: |
wget -O /dev/null "https://cdn.confidential.cloud/constellation/v1/ref/${{ steps.extract.outputs.ref }}/stream/${{ steps.extract.outputs.stream }}/${{ steps.extract.outputs.version }}/image/info.json"
shell: bash
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
@ -89,11 +89,11 @@ jobs:
go-version: "1.19.5"
- name: Build hack/pcr-reader
shell: bash
working-directory: hack/pcr-reader
run: |
go build .
pwd >> "$GITHUB_PATH"
working-directory: hack/pcr-reader
shell: bash
- name: Login to Azure
if: matrix.provider == 'azure'
@ -102,8 +102,8 @@ jobs:
azure_credentials: ${{ secrets.AZURE_E2E_CREDENTIALS }}
- name: Create Azure resource group
if: matrix.provider == 'azure'
id: az_resource_group_gen
if: matrix.provider == 'azure'
shell: bash
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)
@ -112,8 +112,8 @@ jobs:
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Create Cluster in E2E Test environment
if: matrix.provider != 'qemu'
id: create_cluster
if: matrix.provider != 'qemu'
uses: ./.github/actions/e2e_test
with:
workerNodesCount: 1
@ -134,6 +134,9 @@ jobs:
- name: Fetch PCRs from running cluster
if: matrix.provider != 'qemu'
shell: bash
env:
CSP: ${{ matrix.provider }}
run: |
KUBECONFIG="${PWD}/constellation-admin.conf" kubectl rollout status ds/verification-service -n kube-system --timeout=3m
CONSTELL_IP=$(jq -r ".ip" constellation-id.json)
@ -187,12 +190,10 @@ jobs:
echo "PCRs to be published after removing known variable ones:"
cat "${{ github.workspace }}/generated-measurements/measurements.json"
mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json"
shell: bash
env:
CSP: ${{ matrix.provider }}
- name: Set PCRs for QEMU
if: matrix.provider == 'qemu'
shell: bash
env:
ref: ${{ steps.extract.outputs.ref }}
stream: ${{ steps.extract.outputs.stream }}
@ -216,7 +217,6 @@ jobs:
.measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \
-I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json"
shell: bash
- name: Upload measurements as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
@ -262,11 +262,11 @@ jobs:
go-version: "1.19.5"
- name: Build hack/pcr-compare
shell: bash
working-directory: hack/pcr-compare
run: |
go build .
pwd >> "$GITHUB_PATH"
working-directory: hack/pcr-compare
shell: bash
- name: Download calculated measurements from artifact
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.1.1
@ -275,21 +275,21 @@ jobs:
path: "${{ github.workspace }}/generated-measurements"
- name: Download expected measurements from build pipeline for image
run: |
path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json"
mkdir -p ${{ github.workspace }}/expected-measurements
wget -O ${{ github.workspace }}/expected-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}"
cat ${{ github.workspace }}/expected-measurements/measurements.image.json
shell: bash
env:
ref: ${{ needs.calculate-measurements-on-csp.outputs.ref }}
stream: ${{ needs.calculate-measurements-on-csp.outputs.stream }}
version: ${{ needs.calculate-measurements-on-csp.outputs.version }}
run: |
path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json"
mkdir -p ${{ github.workspace }}/expected-measurements
wget -O ${{ github.workspace }}/expected-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}"
cat ${{ github.workspace }}/expected-measurements/measurements.image.json
- name: Check if expected measurements == actual measurements from running cluster
shell: bash
run: |
pcr-compare ${{ github.workspace }}/expected-measurements/measurements.image.json ${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json
shell: bash
sign-measurements:
name: "Sign Measurements"
@ -377,10 +377,6 @@ jobs:
aws-region: eu-central-1
- name: Upload to S3
run: |
S3_PATH=s3://cdn-constellation-backend/constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}
aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" "${S3_PATH}/measurements.json"
aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json.sig" "${S3_PATH}/measurements.json.sig"
shell: bash
env:
IMAGE_UID: ${{ inputs.osImage }}
@ -389,3 +385,7 @@ jobs:
ref: ${{ needs.calculate-measurements-on-csp.outputs.ref }}
stream: ${{ needs.calculate-measurements-on-csp.outputs.stream }}
version: ${{ needs.calculate-measurements-on-csp.outputs.version }}
run: |
S3_PATH=s3://cdn-constellation-backend/constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}
aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" "${S3_PATH}/measurements.json"
aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json.sig" "${S3_PATH}/measurements.json.sig"
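Review bot: In the `Upload to S3` step the key `S3_PATH=s3://cdn-constellation-backend/constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}` is assembled from `ref`, `stream` and `version`, and the same three values build the CDN URL in `Download expected measurements`; nothing in either hunk checks their shape before they become path components. They are taken from the `calculate-measurements-on-csp` job's outputs, which appear to derive from `inputs.osImage` via an `extract` step outside the hunk, so a value containing `/`, `..` or whitespace would place the signed measurements under an unintended key or fetch the wrong expected file. A guard before the assignment, e.g. `[[ "$ref" =~ ^[A-Za-z0-9._-]+$ && "$stream" =~ ^[A-Za-z0-9._-]+$ && "$version" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "unexpected image coordinates"; exit 1; }`, makes that assumption explicit; adjust the pattern to the project's real naming. The step's `if:` and the job's `needs:` are outside the hunk.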


@ -28,10 +28,12 @@ jobs:
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.5"
- name: Build CLI
uses: ./.github/actions/build_cli
with:
@ -41,6 +43,7 @@ jobs:
cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload CLI as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
@ -59,22 +62,27 @@ jobs:
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-linux-arm64
- name: Download CLI SBOM
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation.spdx.sbom
- name: Generate provenance subjects
id: provenance-subjects
run: |
@ -97,7 +105,9 @@ jobs:
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Download syft & grype
shell: bash
run: |
SYFT_VERSION=0.62.1
GRYPE_VERSION=0.53.1
@ -108,24 +118,27 @@ jobs:
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
./grype version
pwd >> "$GITHUB_PATH"
shell: bash
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Build signed SBOM
run: |
syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
grype constellation.spdx.sbom --fail-on high --only-fixed
env:
COSIGN_EXPERIMENTAL: 1
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
run: |
syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
grype constellation.spdx.sbom --fail-on high --only-fixed
- name: Upload Constellation CLI SBOM
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: constellation.spdx.sbom
path: constellation.spdx.sbom
- name: Upload Constellation CLI SBOM's signature
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
@ -157,30 +170,37 @@ jobs:
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-linux-arm64
- name: Download CLI SBOM
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation.spdx.sbom
- name: Download provenance
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: Install slsa-verifier
run: |
curl -LO https://github.com/slsa-framework/slsa-verifier/releases/download/v${{ env.SLSA_VERIFIER_VERSION }}/slsa-verifier-linux-amd64
install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier
- name: Verify provenance
run: |
slsa-verifier verify-artifact constellation-darwin-amd64 \
@ -211,37 +231,46 @@ jobs:
run: echo "$COSIGN_PUBLIC_KEY" > cosign.pub
env:
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
- name: Download CLI binaries darwin-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation-linux-arm64
- name: Download Constellation CLI SBOM
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation.spdx.sbom
- name: Download Constellation CLI SBOM's signature
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: constellation.spdx.sbom.sig
- name: Download Constellation provenance
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: Rename provenance file
run: |
mv ${{ needs.provenance.outputs.provenance-name }} constellation.intoto.jsonl
- name: Create release with artifacts
# GitHub endorsed release project. See: https://github.com/actions/create-release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
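Review bot: The `Install slsa-verifier` step fetches `slsa-verifier-linux-amd64` with `curl -LO` from GitHub releases and installs it into `/usr/local/bin` with no integrity check, so the tool that verifies the CLI's provenance is itself trusted on TLS alone and a substituted binary could report success for any artifact. Pin the expected digest next to `SLSA_VERIFIER_VERSION` (e.g. an `SLSA_VERIFIER_SHA256` env value) and add `echo "${SLSA_VERIFIER_SHA256}  slsa-verifier-linux-amd64" | sha256sum -c -` before the `install` line, so version and digest change together in one reviewed diff. The same consideration likely applies to the syft and grype tarballs extracted in `Download syft & grype`; their download lines fall between the hunks and are not visible here.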


@ -35,6 +35,7 @@ jobs:
echo "Version must be in the form of vX.Y.Z"
exit 1
fi
- name: Extract version info
id: version-info
run: |
@ -109,9 +110,11 @@ jobs:
env:
BRANCH: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ github.head_ref }}
- name: Create release branch
if: inputs.kind == 'minor'
run: |
@ -154,7 +157,8 @@ jobs:
VERSION: ${{ inputs.version }}
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@ -235,7 +239,8 @@ jobs:
VERSION: ${{ inputs.version }}
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@ -298,7 +303,8 @@ jobs:
env:
VERSION: ${{ inputs.version }}
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@ -326,7 +332,8 @@ jobs:
VERSION: ${{ inputs.version }}
NEW_BRANCH: feat/release/${{ inputs.version }}/changes-to-main
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Checkot
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
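Review bot: The new step name `- name: Checkot` in the last hunk is a typo for `Checkout`, and since the commit's purpose is to unify step naming it should match the `- name: Checkout` introduced by the four sibling hunks; change it to `- name: Checkout`. Step names show up in the run log and tend to be copied into later workflows, so the misspelling would propagate. Each of these checkout steps opens a job whose remaining steps are outside the hunk.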


@ -19,26 +19,26 @@ jobs:
id-token: write
steps:
- name: "Checkout code"
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
persist-credentials: false
- name: "Run analysis"
- name: Run analysis
uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: "Upload artifact"
- name: Upload artifact
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: "Upload to code-scanning"
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
with:
sarif_file: results.sarif


@ -41,5 +41,5 @@ jobs:
# Runs all test targets starting with "integration-"
- name: Integration Tests
run: ctest -R integration-
working-directory: build
run: ctest -R integration-


@ -40,10 +40,10 @@ jobs:
run: mkdir build && cd build && cmake ..
- name: Unit Tests
run: ctest -R unit
working-directory: build
env:
TMPDIR: ${{ runner.temp }}
run: ctest -R unit
test-darwin:
runs-on: macos-12


@ -26,8 +26,8 @@ jobs:
cache: true
- name: Generate reference docs
run: go run . | cat header.md - > ../../cli.md
working-directory: hack/clidocgen
run: go run . | cat header.md - > ../../cli.md
- name: Get commit sha
run: |
@ -41,8 +41,6 @@ jobs:
- name: Publish new reference (create new branch)
if: env.EXISTS == 0
uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 # tag=v1.1.1
env:
API_TOKEN_GITHUB: ${{ secrets.CI_GITHUB_REPOSITORY }}
with:
source_file: "cli.md"
destination_repo: "edgelesssys/constellation"
@ -51,12 +49,12 @@ jobs:
user_name: "${{ github.actor }}"
user_email: "${{ github.actor }}@users.noreply.github.com"
commit_message: "CLI reference was updated by edgelesssys/constellation@${{ env.COMMIT_END}}"
env:
API_TOKEN_GITHUB: ${{ secrets.CI_GITHUB_REPOSITORY }}
- name: Publish new reference (update branch)
if: env.EXISTS == 1
uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 # tag=v1.1.1
env:
API_TOKEN_GITHUB: ${{ secrets.CI_GITHUB_REPOSITORY }}
with:
source_file: "cli.md"
destination_repo: "edgelesssys/constellation"
@ -65,3 +63,5 @@ jobs:
user_name: "${{ github.actor }}"
user_email: "${{ github.actor }}@users.noreply.github.com"
commit_message: "CLI reference was updated by edgelesssys/constellation@${{ env.COMMIT_END}}"
env:
API_TOKEN_GITHUB: ${{ secrets.CI_GITHUB_REPOSITORY }}
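Review bot: The `Generate reference docs` step runs `go run . | cat header.md - > ../../cli.md` without a `shell:` key, so GitHub's default `bash -e {0}` applies, which sets errexit but not pipefail; if `go run` fails, the pipeline's status is that of `cat`, the step passes, and a truncated `cli.md` is then pushed to `edgelesssys/constellation` by the two publish steps with the `CI_GITHUB_REPOSITORY` token. Add `shell: bash` to that step (GitHub then runs `bash --noprofile --norc -eo pipefail {0}`, as the other workflows in this commit rely on) or begin the script with `set -o pipefail`. The workflow trigger and the steps' `if:` guards are outside the hunk, so I cannot tell whether this job can run on an untrusted pull-request ref; if it can, `github.actor` flowing into `user_name` and `commit_message` is the next thing to check.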