split workflow into multiple steps

This commit is contained in:
miampf 2025-02-20 12:03:27 +01:00
parent 4c94dfb1b0
commit b384971232
No known key found for this signature in database
GPG Key ID: EF039364B5B6886C


@ -30,7 +30,7 @@ jobs:
jq jq
jd-diff-patch jd-diff-patch
moreutils moreutils
- name: Build images and produce measurements - name: Build images
run: | run: |
set -euo pipefail set -euo pipefail
shopt -s extglob shopt -s extglob
@ -41,10 +41,12 @@ jobs:
buildPath="$PWD/bazel-bin/image" buildPath="$PWD/bazel-bin/image"
cd "$(mktemp -d)" cd "$(mktemp -d)"
echo "Downloading release measurements" - name: Download measurements
run: |
curl -O https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ github.event.inputs.releasetag }}/image/measurements.json curl -O https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ github.event.inputs.releasetag }}/image/measurements.json
# compare all measurements with our own - name: Cleanup release measurements and generate our own
run: |
for directory in "$buildPath"/system/!(mkosi_wrapper.sh); do for directory in "$buildPath"/system/!(mkosi_wrapper.sh); do
dirname="$(basename "$directory")" dirname="$(basename "$directory")"
csp="$(echo "$dirname" | cut -d_ -f1)" csp="$(echo "$dirname" | cut -d_ -f1)"
@ -52,7 +54,7 @@ jobs:
echo "Comparing measurements of CSP $csp with attestation variant $attestationVariant" echo "Comparing measurements of CSP $csp with attestation variant $attestationVariant"
# This jq filter selects the measurements for the correct CSP and attestation variant # This jq filter selects the measurements for the correct CSP and attestation variant
# and then removes all `warnOnly: true` and `expected: 000...` measurements. # and then removes all `warnOnly: true` measurements.
jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \ jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
' '
.list.[] .list.[]
@ -63,35 +65,29 @@ jobs:
| .measurements | .measurements
| walk( | walk(
if ( if (
type=="object" and ( type=="object" and .warnOnly
.warnOnly or .expected == "0000000000000000000000000000000000000000000000000000000000000000"
)
) )
then del(.) else . end then del(.) else . end
) )
| del(..|nulls) | del(..|nulls)
| del(.[] .warnOnly) | del(.[] .warnOnly)
' \ ' \
measurements.json > their-measurements.json measurements.json > "$attestationVariant"_their-measurements.json
sudo env "PATH=$PATH" "$buildPath/measured-boot/cmd/cmd_/cmd" "$directory/constellation" ./own-measurements.json sudo env "PATH=$PATH" "$buildPath/measured-boot/cmd/cmd_/cmd" "$directory/constellation" ./"$attestationVariant"_own-measurements.json
# Remove all `expected: 000...` measurements like above. done
jq '
.measurements - name: Compare measurements
| walk( run: |
if ( for directory in "$buildPath"/system/!(mkosi_wrapper.sh); do
type == "object" and .expected == "0000000000000000000000000000000000000000000000000000000000000000" dirname="$(basename "$directory")"
) attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
then del(.) else . end
) echo "Their measurements for $attestationVariant:"
| del(..|nulls) ts " " < "$attestationVariant"_their-measurements.json
' \ echo "Own measurements for $attestationVariant:"
own-measurements.json | sponge ./own-measurements.json ts " " < "$attestationVariant"_own-measurements.json
echo "Their measurements:" # TODO: cache errors and return them later.
ts " " < their-measurements.json jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json
echo "Own measurements:"
ts " " < own-measurements.json
jd ./their-measurements.json ./own-measurements.json
done done
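Review bot: `buildPath` is assigned in the "Build images" step (`buildPath="$PWD/bazel-bin/image"`) but is read again in the new "Cleanup release measurements and generate our own" and "Compare measurements" steps (`for directory in "$buildPath"/system/!(mkosi_wrapper.sh)` and the `sudo env "PATH=$PATH" "$buildPath/measured-boot/cmd/cmd_/cmd"` call), and every `run:` block is a fresh shell, so the variable, `set -euo pipefail`, `shopt -s extglob` and the `cd "$(mktemp -d)"` from the first step do not carry over. With `buildPath` empty and extglob off, the loops appear to iterate over the literal pattern instead of the built images, so the measurement comparison could end up verifying nothing rather than failing loudly. Export the path from the build step with `echo "buildPath=$PWD/bazel-bin/image" >> "$GITHUB_ENV"` and open each new `run:` block with `set -euo pipefail` and `shopt -s extglob`. The downloaded `measurements.json` and the generated `*_their-measurements.json`/`*_own-measurements.json` files now land in each step's default working directory rather than a temp dir; that works as long as all three steps share it, but a one-line comment noting the shared location would help the next reader.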