Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

ci: fix artifact upload in image build pipeline (#2765)

Browse Source 
* Fix parameter expansion when uploading multiple files
* On download, ensure target directory exists
* Rename encryption-secret -> encryptionSecret
* Remove incorrect secret access from e2e test action
* Add missing checkout action to workflows using our download action
* Fix spacing
* Fix upload action uploading whole directory structure instead of target files
* Explicitly give write permissions to Azure disk image, since permissions are no longer dropped on upload

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2023-12-21 19:28:18 +01:00 committed by GitHub
parent 66c0b581b2
commit 8c1972c335
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 109 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.github/actions/artifact_download/action.yml vendored
View File

@ -9,7 +9,7 @@ inputs:
description: 'Download to a specified path.'
required: false
default: ./
encryption-secret:
encryptionSecret:
description: 'The secret to use for decrypting the artifact.'
required: true
@ -36,4 +36,5 @@ runs:
- name: Decrypt and unzip archive
shell: bash
run: |
unzip -P '${{ inputs.encryption-secret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
mkdir -p ${{ inputs.path }}
unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip

27
.github/actions/artifact_upload/action.yml vendored
View File

@ -3,7 +3,7 @@ description: Upload an encrypted zip archive as a github artifact.
inputs:
path:
description: 'The path(s) that should be uploaded. Those are evaluated with bash and the extglob option.'
description: 'The path(s) that should be uploaded. Paths may contain globs. Only the final component of a path is uploaded.'
required: true
name:
description: 'The name of the artifact.'
@ -11,7 +11,7 @@ inputs:
retention-days:
description: 'How long the artifact should be retained for.'
default: 60
encryption-secret:
encryptionSecret:
description: 'The secret to use for encrypting the files.'
required: true
@ -34,10 +34,14 @@ runs:
run: |
shopt -s extglob
paths="${{ inputs.path }}"
paths=${paths%$'\n'} # Remove trailing newline
# Check if any file matches the given pattern(s).
something_exists=false
for pattern in ${{ inputs.path }}; do
if compgen -G $pattern > /dev/null; then
for pattern in ${paths}
do
if compgen -G "${pattern}" > /dev/null; then
something_exists=true
fi
done
@ -45,12 +49,19 @@ runs:
# Create an archive if files exist.
# Don't create an archive file if no files are found
# and warn.
if $something_exists; then
zip -e -P '${{ inputs.encryption-secret }}' -qq -r ${{ steps.tempdir.outputs.directory }}/archive.zip ${{ inputs.path }}
else
echo "::warning:: No files/directories found with the provided path(s) $(echo -n ${{ inputs.path }}). No artifact will be uploaded."
if ! ${something_exists}
then
echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
exit 0
fi
for target in ${paths}
do
pushd "$(dirname "${target}")" || exit 1
zip -e -P '${{ inputs.encryptionSecret }}' -r "${{ steps.tempdir.outputs.directory }}/archive.zip" "$(basename "${target}")"
popd || exit 1
done
- name: Upload archive as artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:

4
.github/actions/constellation_create/action.yml vendored
View File

@ -59,7 +59,7 @@ inputs:
force:
description: "Set the force-flag on apply to ignore version mismatches."
required: false
encryption-secret:
encryptionSecret:
description: "The secret to use for encrypting the artifact."
required: true
@ -267,4 +267,4 @@ runs:
name: serial-logs-${{ inputs.artifactNameSuffix }}
path: >
!(terraform).log
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}

8
.github/actions/e2e_benchmark/action.yml vendored
View File

@ -17,7 +17,7 @@ inputs:
awsOpenSearchPwd:
description: "AWS OpenSearch Password to upload the results."
required: false
encryption-secret:
encryptionSecret:
description: 'The secret to use for encrypting the artifact.'
required: true
@ -100,7 +100,7 @@ runs:
with:
path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
name: "fio-constellation-${{ inputs.cloudProvider }}.json"
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run knb benchmark
shell: bash
@ -122,7 +122,7 @@ runs:
with:
path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
name: "knb-constellation-${{ inputs.cloudProvider }}.json"
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Assume AWS role to retrieve and update benchmarks in S3
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -176,7 +176,7 @@ runs:
path: >
benchmarks/constellation-${{ inputs.cloudProvider }}.json
name: "benchmarks"
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Upload benchmark results to opensearch
if: (!env.ACT)

4
.github/actions/e2e_sonobuoy/action.yml vendored
View File

@ -11,7 +11,7 @@ inputs:
kubeconfig:
description: "The kubeconfig of the cluster to test."
required: true
encryption-secret:
encryptionSecret:
description: 'The secret to use for encrypting the artifact.'
required: true
@ -51,7 +51,7 @@ runs:
with:
name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz"
path: "*_sonobuoy_*.tar.gz"
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}
# Only works on "sonobuoy full" tests (e2e plugin)
- name: Extract test results

10
.github/actions/e2e_test/action.yml vendored
View File

@ -86,7 +86,7 @@ inputs:
force:
description: "Set the force-flag on apply to ignore version mismatches."
required: false
encryption-secret:
encryptionSecret:
description: 'The secret to use for decrypting the artifact.'
required: true
@ -299,7 +299,7 @@ runs:
clusterCreation: ${{ inputs.clusterCreation }}
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
force: ${{ inputs.force }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Deploy log- and metrics-collection (Kubernetes)
id: deploy-logcollection
@ -334,7 +334,7 @@ runs:
sonobuoyTestSuiteCmd: "--mode quick"
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run sonobuoy full test
if: inputs.test == 'sonobuoy full'
@ -344,7 +344,7 @@ runs:
sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run autoscaling test
if: inputs.test == 'autoscaling'
@ -367,7 +367,7 @@ runs:
awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Run constellation verify test
if: inputs.test == 'verify'

4
.github/actions/upload_terraform_module/action.yml vendored
View File

@ -1,7 +1,7 @@
name: Upload Terraform infrastructure module
description: "Upload the Terraform infrastructure module as an artifact."
inputs:
encryption-secret:
encryptionSecret:
description: 'The secret to use for encrypting the artifact.'
required: true
@ -24,7 +24,7 @@ runs:
with:
name: terraform-module
path: terraform-module.zip
encryption-secret: ${{ inputs.encryption-secret }}
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Cleanup Terraform module dir
shell: bash

32
.github/workflows/build-os-image.yml vendored
View File

@ -182,7 +182,7 @@ jobs:
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload individual OS parts as artifacts
uses: ./.github/actions/artifact_upload
@ -192,14 +192,14 @@ jobs:
${{ steps.build.outputs.image-dir }}/constellation.efi
${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload sbom info as artifact
uses: ./.github/actions/artifact_upload
with:
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ steps.build.outputs.rpmdb }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
upload-os-image:
name: "Upload OS image to CSP"
@ -248,7 +248,7 @@ jobs:
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install tools
shell: bash
@ -316,6 +316,7 @@ jobs:
working-directory: ${{ github.workspace }}/image
run: |
echo "::group::Upload Azure image"
chmod +w "${RAW_IMAGE_PATH}"
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
bazel run //image/upload -- image azure \
--verbose \
@ -361,7 +362,7 @@ jobs:
with:
name: lookup-table
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
calculate-pcrs:
name: "Calculate PCRs"
@ -398,7 +399,7 @@ jobs:
uses: ./.github/actions/artifact_download
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- uses: ./.github/actions/setup_bazel_nix
with:
@ -545,7 +546,7 @@ jobs:
with:
name: measurements
path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
upload-pcrs:
name: "Sign & upload PCRs"
@ -568,7 +569,7 @@ jobs:
uses: ./.github/actions/artifact_download
with:
name: measurements
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -640,6 +641,10 @@ jobs:
contents: read
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
@ -652,7 +657,7 @@ jobs:
# downloading / using only the QEMU manifest is fine
# since the images only differ in the ESP partition
name: sbom-qemu-qemu-vtpm
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload SBOMs to S3
shell: bash
@ -683,7 +688,7 @@ jobs:
uses: ./.github/actions/artifact_download
with:
name: lookup-table
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@ -693,12 +698,7 @@ jobs:
- name: Upload lookup table to S3
shell: bash
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ inputs.ref || github.head_ref }}
run: bazel run //image/upload -- info --verbose image-upload*.json
- name: Create CLI compatibility information artifact
shell: bash

14
.github/workflows/draft-release.yml vendored
View File

@ -176,7 +176,7 @@ jobs:
- name: Upload Terraform infrastructure module
uses: ./.github/actions/upload_terraform_module
with:
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
push-containers:
runs-on: ubuntu-22.04
@ -232,7 +232,7 @@ jobs:
uses: ./.github/actions/artifact_download
with:
name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Generate provenance subjects
id: provenance-subjects
@ -346,13 +346,13 @@ jobs:
uses: ./.github/actions/artifact_download
with:
name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download provenance
uses: ./.github/actions/artifact_download
with:
name: ${{ needs.provenance.outputs.provenance-name }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Install slsa-verifier
run: |
@ -426,19 +426,19 @@ jobs:
uses: ./.github/actions/artifact_download
with:
name: constellation.spdx.sbom
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation CLI SBOM's signature
uses: ./.github/actions/artifact_download
with:
name: constellation.spdx.sbom.sig
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download Constellation provenance
uses: ./.github/actions/artifact_download
with:
name: ${{ needs.provenance.outputs.provenance-name }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Rename provenance file
run: |

2
.github/workflows/e2e-test-daily.yml vendored
View File

@ -91,7 +91,7 @@ jobs:
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
clusterCreation: "cli"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

2
.github/workflows/e2e-test-release.yml vendored
View File

@ -265,7 +265,7 @@ jobs:
clusterCreation: ${{ matrix.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

2
.github/workflows/e2e-test-weekly.yml vendored
View File

@ -305,7 +305,7 @@ jobs:
clusterCreation: ${{ matrix.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

2
.github/workflows/e2e-test.yml vendored
View File

@ -246,7 +246,7 @@ jobs:
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
force: ${{ inputs.force }}
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

4
.github/workflows/e2e-upgrade.yml vendored
View File

@ -183,7 +183,7 @@ jobs:
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
clusterCreation: "cli"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Build CLI
uses: ./.github/actions/build_cli
@ -283,7 +283,7 @@ jobs:
node-operator.logs
node-maintenance-operator.logs
constellation-version.yaml
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Always terminate cluster
if: always()

4
.github/workflows/e2e-windows.yml vendored
View File

@ -38,7 +38,7 @@ jobs:
with:
path: "bazel-bin/cli/cli_enterprise_windows_amd64"
name: "constell-exe"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
e2e-test:
name: E2E Test Windows
@ -54,7 +54,7 @@ jobs:
uses: ./.github/actions/artifact_download
with:
name: "constell-exe"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Check CLI version
shell: pwsh

72
.github/workflows/reproducible-builds.yml vendored
View File

@ -57,14 +57,14 @@ jobs:
with:
name: "binaries-${{ matrix.target }}"
path: "${{ env.binary }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload hash artifact
uses: ./.github/actions/artifact_upload
with:
name: "sha256sums"
path: "${{ env.binary }}.sha256"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
build-osimages:
strategy:
@ -135,23 +135,27 @@ jobs:
- "cli_enterprise_windows_amd64"
runs-on: ubuntu-22.04
steps:
- name: Download binaries
uses: ./.github/actions/artifact_download
with:
name: "binaries-${{ matrix.target }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Hash
shell: bash
if: runner.os == 'Linux'
run: sha256sum cli_enterprise*
- name: Download binaries
uses: ./.github/actions/artifact_download
with:
name: "binaries-${{ matrix.target }}"
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Compare binaries
shell: bash
run: |
# shellcheck disable=SC2207,SC2116
list=($(echo "cli_enterprise*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
- name: Hash
shell: bash
if: runner.os == 'Linux'
run: sha256sum cli_enterprise*
- name: Compare binaries
shell: bash
run: |
# shellcheck disable=SC2207,SC2116
list=($(echo "cli_enterprise*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
compare-osimages:
needs: build-osimages
@ -165,20 +169,24 @@ jobs:
- "gcp_gcp-sev-snp_nightly"
runs-on: ubuntu-22.04
steps:
- name: Download os images
uses: ./.github/actions/artifact_download
with:
name: "osimages-${{ matrix.target }}"
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Hash
shell: bash
if: runner.os == 'Linux'
run: sha256sum osimage-*
- name: Download os images
uses: ./.github/actions/artifact_download
with:
name: "osimages-${{ matrix.target }}"
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Compare os images
shell: bash
run: |
# shellcheck disable=SC2207,SC2116
list=($(echo "osimage-*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
- name: Hash
shell: bash
if: runner.os == 'Linux'
run: sha256sum osimage-*
- name: Compare os images
shell: bash
run: |
# shellcheck disable=SC2207,SC2116
list=($(echo "osimage-*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"

2
.github/workflows/scorecard.yml vendored
View File

@ -35,7 +35,7 @@ jobs:
name: SARIF file
path: results.sarif
retention-days: 5
encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1