mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-11 23:49:30 -05:00
bazel: use remote caching (#1456)
* bazel: add configuration for remote caching * ci: enable bazel remote caching for building binaries * ci: use bazel directly when building go binaries * ci: enable cache for most build steps * dev-docs: document remote caching
This commit is contained in:
parent
4f37fe38f9
commit
c3c0940adb
9
.bazelrc
9
.bazelrc
@ -38,3 +38,12 @@ build:linux_arm64_static --platforms @zig_sdk//libc_aware/platform:linux_arm64_m
|
|||||||
|
|
||||||
# bazel config to explicitly disable stamping (hide version information at build time)
|
# bazel config to explicitly disable stamping (hide version information at build time)
|
||||||
build:nostamp --nostamp --workspace_status_command=
|
build:nostamp --nostamp --workspace_status_command=
|
||||||
|
|
||||||
|
# bazel config to use remote cache
|
||||||
|
build:remote_cache --bes_results_url=https://app.buildbuddy.io/invocation/
|
||||||
|
build:remote_cache --bes_backend=grpcs://remote.buildbuddy.io
|
||||||
|
build:remote_cache --remote_cache=grpcs://remote.buildbuddy.io
|
||||||
|
build:remote_cache --remote_timeout=3600
|
||||||
|
build:remote_cache --experimental_remote_build_event_upload=minimal
|
||||||
|
build:remote_cache --experimental_remote_cache_compression
|
||||||
|
build:remote_cache_readonly --noremote_upload_local_results # Uploads logs & artifacts without writing to cache
|
||||||
|
16
.github/actions/build_bootstrapper/action.yml
vendored
16
.github/actions/build_bootstrapper/action.yml
vendored
@ -4,7 +4,7 @@ description: Build the Constellation bootstrapper binary
|
|||||||
inputs:
|
inputs:
|
||||||
outputPath:
|
outputPath:
|
||||||
description: "Output path of the binary"
|
description: "Output path of the binary"
|
||||||
default: "./bootstrapper"
|
default: "./build/bootstrapper"
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
# Linux runner only (Docker required)
|
# Linux runner only (Docker required)
|
||||||
@ -13,10 +13,16 @@ runs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Build the bootstrapper
|
- name: Build the bootstrapper
|
||||||
shell: bash
|
shell: bash
|
||||||
|
env:
|
||||||
|
OUTPUT_PATH: ${{ inputs.outputPath }}
|
||||||
run: |
|
run: |
|
||||||
echo "::group::Build the bootstrapper"
|
echo "::group::Build the bootstrapper"
|
||||||
mkdir -p build && cd build
|
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
||||||
cmake -DBAZEL:STRING=bazelisk ..
|
label=//bootstrapper/cmd/bootstrapper:bootstrapper_linux_amd64
|
||||||
make bootstrapper
|
bazel build "${label}"
|
||||||
mv -n bootstrapper "${{ inputs.outputPath }}"
|
repository_root=$(git rev-parse --show-toplevel)
|
||||||
|
out_rel=$(bazel cquery --output=files "${label}")
|
||||||
|
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
||||||
|
cp "${out_loc}" "${OUTPUT_PATH}"
|
||||||
|
chmod +w "${OUTPUT_PATH}"
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
19
.github/actions/build_cdbg/action.yml
vendored
19
.github/actions/build_cdbg/action.yml
vendored
@ -10,15 +10,28 @@ inputs:
|
|||||||
description: "Build CLI for this architecture. [amd64, arm64]"
|
description: "Build CLI for this architecture. [amd64, arm64]"
|
||||||
required: true
|
required: true
|
||||||
default: "amd64"
|
default: "amd64"
|
||||||
|
outputPath:
|
||||||
|
description: "Output path of the binary"
|
||||||
|
default: "./build/cdbg"
|
||||||
|
required: false
|
||||||
|
|
||||||
runs:
|
runs:
|
||||||
using: "composite"
|
using: "composite"
|
||||||
steps:
|
steps:
|
||||||
- name: Build cdbg
|
- name: Build cdbg
|
||||||
shell: bash
|
shell: bash
|
||||||
|
env:
|
||||||
|
GOOS: ${{ inputs.targetOS }}
|
||||||
|
GOARCH: ${{ inputs.targetArch }}
|
||||||
|
OUTPUT_PATH: ${{ inputs.outputPath }}
|
||||||
run: |
|
run: |
|
||||||
echo "::group::Build cdbg"
|
echo "::group::Build cdbg"
|
||||||
mkdir -p build && cd build
|
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
||||||
cmake ..
|
label="//debugd/cmd/cdbg:cdbg_${GOOS}_${GOARCH}"
|
||||||
GOOS=${{ inputs.targetOS }} GOARCH=${{ inputs.targetArch }} make cdbg
|
bazel build "${label}"
|
||||||
|
repository_root=$(git rev-parse --show-toplevel)
|
||||||
|
out_rel=$(bazel cquery --output=files "${label}")
|
||||||
|
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
||||||
|
cp "${out_loc}" "${OUTPUT_PATH}"
|
||||||
|
chmod +w "${OUTPUT_PATH}"
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
39
.github/actions/build_cli/action.yml
vendored
39
.github/actions/build_cli/action.yml
vendored
@ -1,6 +1,6 @@
|
|||||||
name: Build CLI
|
name: Build CLI
|
||||||
description: |
|
description: |
|
||||||
Runs cmake and cli make target in build folder. Optionally, Sigstore tools
|
Builds CLI. Optionally, Sigstore tools
|
||||||
are used to sign CLI when inputs are provided. A draft release is published
|
are used to sign CLI when inputs are provided. A draft release is published
|
||||||
when run on v* tag.
|
when run on v* tag.
|
||||||
inputs:
|
inputs:
|
||||||
@ -28,6 +28,9 @@ inputs:
|
|||||||
description: "Password for Cosign private key"
|
description: "Password for Cosign private key"
|
||||||
required: false
|
required: false
|
||||||
default: ""
|
default: ""
|
||||||
|
outputPath:
|
||||||
|
description: "Output path of the binary"
|
||||||
|
required: false
|
||||||
runs:
|
runs:
|
||||||
using: "composite"
|
using: "composite"
|
||||||
steps:
|
steps:
|
||||||
@ -39,20 +42,28 @@ runs:
|
|||||||
|
|
||||||
- name: Build CLI
|
- name: Build CLI
|
||||||
shell: bash
|
shell: bash
|
||||||
|
env:
|
||||||
|
GOOS: ${{ inputs.targetOS }}
|
||||||
|
GOARCH: ${{ inputs.targetArch }}
|
||||||
|
OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
|
||||||
run: |
|
run: |
|
||||||
echo "::group::Build CLI"
|
echo "::group::Build CLI"
|
||||||
mkdir -p build
|
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
||||||
cd build
|
|
||||||
if [ ${{ inputs.enterpriseCLI }} == 'true' ]
|
if [ ${{ inputs.enterpriseCLI }} == 'true' ]
|
||||||
then
|
then
|
||||||
cmake -DBAZEL:STRING=bazelisk -DCLI_BUILD_TAGS:STRING=enterprise ..
|
cli_variant=enterprise
|
||||||
else
|
else
|
||||||
cmake -DBAZEL:STRING=bazelisk ..
|
cli_variant=oss
|
||||||
fi
|
fi
|
||||||
GOOS=${{ inputs.targetOS }} GOARCH=${{ inputs.targetArch }} make cli
|
label="//cli:cli_${cli_variant}_${GOOS}_${GOARCH}"
|
||||||
cp constellation constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
|
bazel build "${label}"
|
||||||
echo "$(pwd)" >> $GITHUB_PATH
|
repository_root=$(git rev-parse --show-toplevel)
|
||||||
export PATH="$PATH:$(pwd)"
|
out_rel=$(bazel cquery --output=files "${label}")
|
||||||
|
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
||||||
|
cp "${out_loc}" "${OUTPUT_PATH}"
|
||||||
|
chmod +w "${OUTPUT_PATH}"
|
||||||
|
echo "$(dirname "${OUTPUT_PATH}")" >> $GITHUB_PATH
|
||||||
|
export PATH="$PATH:$(dirname "${OUTPUT_PATH}")"
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
|
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
|
||||||
@ -80,15 +91,15 @@ runs:
|
|||||||
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
||||||
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
||||||
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
||||||
|
OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
|
||||||
run: |
|
run: |
|
||||||
SIGN_TARGET=constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
|
|
||||||
echo "$COSIGN_PUBLIC_KEY" > cosign.pub
|
echo "$COSIGN_PUBLIC_KEY" > cosign.pub
|
||||||
# Enabling experimental mode also publishes signature to Rekor
|
# Enabling experimental mode also publishes signature to Rekor
|
||||||
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY ${SIGN_TARGET} > ${SIGN_TARGET}.sig
|
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig"
|
||||||
# Verify - As documentation & check
|
# Verify - As documentation & check
|
||||||
# Local Signature (input: artifact, key, signature)
|
# Local Signature (input: artifact, key, signature)
|
||||||
cosign verify-blob --key cosign.pub --signature ${SIGN_TARGET}.sig ${SIGN_TARGET}
|
cosign verify-blob --key cosign.pub --signature "${OUTPUT_PATH}.sig" "${OUTPUT_PATH}"
|
||||||
# Transparency Log Signature (input: artifact, key)
|
# Transparency Log Signature (input: artifact, key)
|
||||||
uuid=$(rekor-cli search --artifact ${SIGN_TARGET} | tail -n 1)
|
uuid=$(rekor-cli search --artifact "${OUTPUT_PATH}" | tail -n 1)
|
||||||
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
|
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
|
||||||
cosign verify-blob --key cosign.pub --signature <(echo $sig) ${SIGN_TARGET}
|
cosign verify-blob --key cosign.pub --signature <(echo $sig) "${OUTPUT_PATH}"
|
||||||
|
20
.github/actions/build_debugd/action.yml
vendored
20
.github/actions/build_debugd/action.yml
vendored
@ -4,7 +4,7 @@ description: Build the Constellation debugd binary
|
|||||||
inputs:
|
inputs:
|
||||||
outputPath:
|
outputPath:
|
||||||
description: "Output path of the binary"
|
description: "Output path of the binary"
|
||||||
default: "./debugd"
|
default: "./build/debugd"
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
# Linux runner only (homedir trick does not work on macOS, required for private runner)
|
# Linux runner only (homedir trick does not work on macOS, required for private runner)
|
||||||
@ -13,14 +13,16 @@ runs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Build debugd
|
- name: Build debugd
|
||||||
shell: bash
|
shell: bash
|
||||||
|
env:
|
||||||
|
OUTPUT_PATH: ${{ inputs.outputPath }}
|
||||||
run: |
|
run: |
|
||||||
echo "::group::Build debugd"
|
echo "::group::Build debugd"
|
||||||
homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)"
|
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
||||||
mkdir -p build && cd build
|
label=//debugd/cmd/debugd:debugd_linux_amd64
|
||||||
cmake -DBAZEL:STRING=bazelisk ..
|
bazel build "${label}"
|
||||||
export GOCACHE=${homedir}/.cache/go-build
|
repository_root=$(git rev-parse --show-toplevel)
|
||||||
export GOPATH=${homedir}/go
|
out_rel=$(bazel cquery --output=files "${label}")
|
||||||
export GOMODCACHE=${homedir}/.cache/go-mod
|
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
||||||
make debugd
|
cp "${out_loc}" "${OUTPUT_PATH}"
|
||||||
mv -n debugd "${{ inputs.outputPath }}"
|
chmod +w "${OUTPUT_PATH}"
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
16
.github/actions/build_disk_mapper/action.yml
vendored
16
.github/actions/build_disk_mapper/action.yml
vendored
@ -4,7 +4,7 @@ description: Build the Constellation disk-mapper binary
|
|||||||
inputs:
|
inputs:
|
||||||
outputPath:
|
outputPath:
|
||||||
description: "Output path of the binary"
|
description: "Output path of the binary"
|
||||||
default: "./disk-mapper"
|
default: "./build/disk-mapper"
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
# Linux runner only (Docker required)
|
# Linux runner only (Docker required)
|
||||||
@ -13,10 +13,16 @@ runs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Build the disk-mapper
|
- name: Build the disk-mapper
|
||||||
shell: bash
|
shell: bash
|
||||||
|
env:
|
||||||
|
OUTPUT_PATH: ${{ inputs.outputPath }}
|
||||||
run: |
|
run: |
|
||||||
echo "::group::Build the disk-mapper"
|
echo "::group::Build the disk-mapper"
|
||||||
mkdir -p build && cd build
|
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
||||||
cmake -DBAZEL:STRING=bazelisk ..
|
label="//disk-mapper/cmd:disk-mapper_linux_amd64"
|
||||||
make disk-mapper
|
bazel build "${label}"
|
||||||
mv -n disk-mapper "${{ inputs.outputPath }}"
|
repository_root=$(git rev-parse --show-toplevel)
|
||||||
|
out_rel=$(bazel cquery --output=files "${label}")
|
||||||
|
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
||||||
|
cp "${out_loc}" "${OUTPUT_PATH}"
|
||||||
|
chmod +w "${OUTPUT_PATH}"
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
@ -4,7 +4,7 @@ description: Build the Constellation measurement-reader binary
|
|||||||
inputs:
|
inputs:
|
||||||
outputPath:
|
outputPath:
|
||||||
description: "Output path of the binary"
|
description: "Output path of the binary"
|
||||||
default: "./measurement-reader"
|
default: "./build/measurement-reader"
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
# Linux runner only (Docker required)
|
# Linux runner only (Docker required)
|
||||||
@ -13,10 +13,16 @@ runs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Build the measurement-reader
|
- name: Build the measurement-reader
|
||||||
shell: bash
|
shell: bash
|
||||||
|
env:
|
||||||
|
OUTPUT_PATH: ${{ inputs.outputPath }}
|
||||||
run: |
|
run: |
|
||||||
echo "::group::Build the measurement-reader"
|
echo "::group::Build the measurement-reader"
|
||||||
mkdir -p build && cd build
|
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
||||||
cmake ..
|
label="//measurement-reader/cmd:measurement-reader_linux_amd64"
|
||||||
make measurement-reader
|
bazel build "${label}"
|
||||||
mv -n measurement-reader "${{ inputs.outputPath }}"
|
repository_root=$(git rev-parse --show-toplevel)
|
||||||
|
out_rel=$(bazel cquery --output=files "${label}")
|
||||||
|
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
||||||
|
cp "${out_loc}" "${OUTPUT_PATH}"
|
||||||
|
chmod +w "${OUTPUT_PATH}"
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
16
.github/actions/build_upgrade_agent/action.yml
vendored
16
.github/actions/build_upgrade_agent/action.yml
vendored
@ -4,7 +4,7 @@ description: Build the Constellation upgrade-agent binary
|
|||||||
inputs:
|
inputs:
|
||||||
outputPath:
|
outputPath:
|
||||||
description: "Output path of the binary"
|
description: "Output path of the binary"
|
||||||
default: "./upgrade-agent"
|
default: "./build/upgrade-agent"
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
# Linux runner only (Docker required)
|
# Linux runner only (Docker required)
|
||||||
@ -13,10 +13,16 @@ runs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Build the upgrade-agent
|
- name: Build the upgrade-agent
|
||||||
shell: bash
|
shell: bash
|
||||||
|
env:
|
||||||
|
OUTPUT_PATH: ${{ inputs.outputPath }}
|
||||||
run: |
|
run: |
|
||||||
echo "::group::Build the upgrade-agent"
|
echo "::group::Build the upgrade-agent"
|
||||||
mkdir -p build && cd build
|
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
||||||
cmake -DBAZEL:STRING=bazelisk ..
|
label="//upgrade-agent/cmd:upgrade_agent_linux_amd64"
|
||||||
make upgrade-agent
|
bazel build "${label}"
|
||||||
mv -n upgrade-agent "${{ inputs.outputPath }}"
|
repository_root=$(git rev-parse --show-toplevel)
|
||||||
|
out_rel=$(bazel cquery --output=files "${label}")
|
||||||
|
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
||||||
|
cp "${out_loc}" "${OUTPUT_PATH}"
|
||||||
|
chmod +w "${OUTPUT_PATH}"
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
10
.github/actions/e2e_mini/action.yml
vendored
10
.github/actions/e2e_mini/action.yml
vendored
@ -11,6 +11,9 @@ inputs:
|
|||||||
azureTenantID:
|
azureTenantID:
|
||||||
description: "Azure tenant to use for login with OIDC"
|
description: "Azure tenant to use for login with OIDC"
|
||||||
required: true
|
required: true
|
||||||
|
buildBuddyApiKey:
|
||||||
|
description: "BuildBuddy API key for caching Bazel artifacts"
|
||||||
|
required: true
|
||||||
|
|
||||||
runs:
|
runs:
|
||||||
using: "composite"
|
using: "composite"
|
||||||
@ -25,10 +28,17 @@ runs:
|
|||||||
with:
|
with:
|
||||||
go-version: "1.20.2"
|
go-version: "1.20.2"
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
|
||||||
|
|
||||||
- name: Build Constellation CLI
|
- name: Build Constellation CLI
|
||||||
uses: ./.github/actions/build_cli
|
uses: ./.github/actions/build_cli
|
||||||
with:
|
with:
|
||||||
enterpriseCLI: true
|
enterpriseCLI: true
|
||||||
|
outputPath: build/constellation
|
||||||
|
|
||||||
- name: MiniConstellation E2E
|
- name: MiniConstellation E2E
|
||||||
shell: bash
|
shell: bash
|
||||||
|
10
.github/actions/e2e_test/action.yml
vendored
10
.github/actions/e2e_test/action.yml
vendored
@ -71,6 +71,9 @@ inputs:
|
|||||||
sonobuoyTestSuiteCmd:
|
sonobuoyTestSuiteCmd:
|
||||||
description: "The sonobuoy test suite to run."
|
description: "The sonobuoy test suite to run."
|
||||||
required: false
|
required: false
|
||||||
|
buildBuddyApiKey:
|
||||||
|
description: "BuildBuddy API key for caching Bazel artifacts"
|
||||||
|
required: true
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
kubeconfig:
|
kubeconfig:
|
||||||
@ -104,12 +107,19 @@ runs:
|
|||||||
echo "hostOS=$(go env GOOS)" >> $GITHUB_OUTPUT
|
echo "hostOS=$(go env GOOS)" >> $GITHUB_OUTPUT
|
||||||
echo "hostArch=$(go env GOARCH)" >> $GITHUB_OUTPUT
|
echo "hostArch=$(go env GOARCH)" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
|
||||||
|
|
||||||
- name: Build CLI
|
- name: Build CLI
|
||||||
uses: ./.github/actions/build_cli
|
uses: ./.github/actions/build_cli
|
||||||
with:
|
with:
|
||||||
targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
|
targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
|
||||||
targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
|
targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
|
||||||
enterpriseCLI: ${{ inputs.keepMeasurements }}
|
enterpriseCLI: ${{ inputs.keepMeasurements }}
|
||||||
|
outputPath: "build/constellation"
|
||||||
|
|
||||||
- name: Build the bootstrapper
|
- name: Build the bootstrapper
|
||||||
id: build-bootstrapper
|
id: build-bootstrapper
|
||||||
|
55
.github/actions/setup_bazel/action.yml
vendored
Normal file
55
.github/actions/setup_bazel/action.yml
vendored
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
name: Setup bazel
|
||||||
|
description: Setup Bazel for CI builds and tests
|
||||||
|
|
||||||
|
inputs:
|
||||||
|
useCache:
|
||||||
|
description: "Cache Bazel artifacts. Use 'true' to enable with rw, 'readonly' to download, and 'false' to disable."
|
||||||
|
default: "false"
|
||||||
|
required: true
|
||||||
|
buildBuddyApiKey:
|
||||||
|
description: "BuildBuddy API key for caching Bazel artifacts"
|
||||||
|
required: false
|
||||||
|
|
||||||
|
runs:
|
||||||
|
using: "composite"
|
||||||
|
steps:
|
||||||
|
- name: Check inputs
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
echo "::group::Check inputs"
|
||||||
|
if [[ "${{ inputs.useCache }}" != "true" && "${{ inputs.useCache }}" != "readonly" && "${{ inputs.useCache }}" != "false" ]]; then
|
||||||
|
echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'true', 'readonly', or 'false'."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [[ "${{ inputs.useCache }}" == "true" || "${{ inputs.useCache }}" == "readonly" ]] && [[ -z "${{ inputs.buildBuddyApiKey }}" ]]; then
|
||||||
|
echo "BuildBuddy API key is required when cache is enabled."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "::endgroup::"
|
||||||
|
- name: Configure Bazel
|
||||||
|
shell: bash
|
||||||
|
if: inputs.useCache == 'true' || inputs.useCache == 'readonly'
|
||||||
|
env:
|
||||||
|
BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
|
||||||
|
run: |
|
||||||
|
echo "::group::Configure Bazel"
|
||||||
|
cat <<EOF >> ~/.bazelrc
|
||||||
|
build --bes_results_url=https://app.buildbuddy.io/invocation/
|
||||||
|
build --bes_backend=grpcs://remote.buildbuddy.io
|
||||||
|
build --remote_cache=grpcs://remote.buildbuddy.io
|
||||||
|
build --remote_timeout=3600
|
||||||
|
build --experimental_remote_build_event_upload=minimal
|
||||||
|
build --experimental_remote_cache_compression
|
||||||
|
build --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
|
||||||
|
EOF
|
||||||
|
echo "::endgroup::"
|
||||||
|
- name: Configure Bazel (readonly)
|
||||||
|
shell: bash
|
||||||
|
if: inputs.useCache == 'readonly'
|
||||||
|
run: |
|
||||||
|
echo "::group::Configure Bazel (readonly)"
|
||||||
|
echo "build --remote_upload_local_results=false" >> ~/.bazelrc
|
||||||
|
echo "::endgroup::"
|
||||||
|
- name: Check bazel version
|
||||||
|
shell: bash
|
||||||
|
run: bazel version
|
52
.github/workflows/build-binaries.yml
vendored
52
.github/workflows/build-binaries.yml
vendored
@ -26,6 +26,12 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Build the bootstrapper
|
- name: Build the bootstrapper
|
||||||
uses: ./.github/actions/build_bootstrapper
|
uses: ./.github/actions/build_bootstrapper
|
||||||
|
|
||||||
@ -37,6 +43,12 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Build debugd
|
- name: Build debugd
|
||||||
uses: ./.github/actions/build_debugd
|
uses: ./.github/actions/build_debugd
|
||||||
|
|
||||||
@ -48,17 +60,25 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Build cdbg (Linux, amd64)
|
- name: Build cdbg (Linux, amd64)
|
||||||
uses: ./.github/actions/build_cdbg
|
uses: ./.github/actions/build_cdbg
|
||||||
with:
|
with:
|
||||||
targetOS: "linux"
|
targetOS: "linux"
|
||||||
targetArch: "amd64"
|
targetArch: "amd64"
|
||||||
|
outputPath: ./build/cdbg_linux_amd64
|
||||||
|
|
||||||
- name: Build cdbg (Linux, arm64)
|
- name: Build cdbg (Linux, arm64)
|
||||||
uses: ./.github/actions/build_cdbg
|
uses: ./.github/actions/build_cdbg
|
||||||
with:
|
with:
|
||||||
targetOS: "linux"
|
targetOS: "linux"
|
||||||
targetArch: "arm64"
|
targetArch: "arm64"
|
||||||
|
outputPath: ./build/cdbg_linux_arm64
|
||||||
|
|
||||||
build-cdbg-macos:
|
build-cdbg-macos:
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
@ -68,17 +88,25 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Build cdbg (macOS, amd64)
|
- name: Build cdbg (macOS, amd64)
|
||||||
uses: ./.github/actions/build_cdbg
|
uses: ./.github/actions/build_cdbg
|
||||||
with:
|
with:
|
||||||
targetOS: "darwin"
|
targetOS: "darwin"
|
||||||
targetArch: "amd64"
|
targetArch: "amd64"
|
||||||
|
outputPath: ./build/cdbg_darwin_amd64
|
||||||
|
|
||||||
- name: Build cdbg (macOS, arm64)
|
- name: Build cdbg (macOS, arm64)
|
||||||
uses: ./.github/actions/build_cdbg
|
uses: ./.github/actions/build_cdbg
|
||||||
with:
|
with:
|
||||||
targetOS: "darwin"
|
targetOS: "darwin"
|
||||||
targetArch: "arm64"
|
targetArch: "arm64"
|
||||||
|
outputPath: ./build/cdbg_darwin_arm64
|
||||||
|
|
||||||
build-disk-mapper:
|
build-disk-mapper:
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
@ -88,6 +116,12 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Build disk-mapper
|
- name: Build disk-mapper
|
||||||
uses: ./.github/actions/build_disk_mapper
|
uses: ./.github/actions/build_disk_mapper
|
||||||
|
|
||||||
@ -99,6 +133,12 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Build measurement-reader
|
- name: Build measurement-reader
|
||||||
uses: ./.github/actions/build_measurement_reader
|
uses: ./.github/actions/build_measurement_reader
|
||||||
|
|
||||||
@ -110,6 +150,12 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Build CLI (Linux, amd64)
|
- name: Build CLI (Linux, amd64)
|
||||||
uses: ./.github/actions/build_cli
|
uses: ./.github/actions/build_cli
|
||||||
with:
|
with:
|
||||||
@ -130,6 +176,12 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "true"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Build CLI (macOS, amd64)
|
- name: Build CLI (macOS, amd64)
|
||||||
uses: ./.github/actions/build_cli
|
uses: ./.github/actions/build_cli
|
||||||
with:
|
with:
|
||||||
|
5
.github/workflows/build-os-image.yml
vendored
5
.github/workflows/build-os-image.yml
vendored
@ -68,6 +68,11 @@ jobs:
|
|||||||
go-version: "1.20.2"
|
go-version: "1.20.2"
|
||||||
cache: true
|
cache: true
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "false"
|
||||||
|
|
||||||
- name: Build bootstrapper
|
- name: Build bootstrapper
|
||||||
if: inputs.stream != 'debug'
|
if: inputs.stream != 'debug'
|
||||||
uses: ./.github/actions/build_bootstrapper
|
uses: ./.github/actions/build_bootstrapper
|
||||||
|
1
.github/workflows/e2e-mini.yml
vendored
1
.github/workflows/e2e-mini.yml
vendored
@ -41,3 +41,4 @@ jobs:
|
|||||||
azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
|
azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
|
||||||
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||||
azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
|
azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
1
.github/workflows/e2e-test-daily.yml
vendored
1
.github/workflows/e2e-test-daily.yml
vendored
@ -96,6 +96,7 @@ jobs:
|
|||||||
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
|
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
|
||||||
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
|
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
|
||||||
test: "sonobuoy full"
|
test: "sonobuoy full"
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Always terminate cluster
|
- name: Always terminate cluster
|
||||||
if: always()
|
if: always()
|
||||||
|
1
.github/workflows/e2e-test-manual.yml
vendored
1
.github/workflows/e2e-test-manual.yml
vendored
@ -258,6 +258,7 @@ jobs:
|
|||||||
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
|
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
|
||||||
osImage: ${{ needs.find-latest-image.outputs.image }}
|
osImage: ${{ needs.find-latest-image.outputs.image }}
|
||||||
isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
|
isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Always terminate cluster
|
- name: Always terminate cluster
|
||||||
if: always()
|
if: always()
|
||||||
|
1
.github/workflows/e2e-test-weekly.yml
vendored
1
.github/workflows/e2e-test-weekly.yml
vendored
@ -148,6 +148,7 @@ jobs:
|
|||||||
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
|
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
|
||||||
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
|
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
|
||||||
test: ${{ matrix.test }}
|
test: ${{ matrix.test }}
|
||||||
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
||||||
|
|
||||||
- name: Always terminate cluster
|
- name: Always terminate cluster
|
||||||
if: always()
|
if: always()
|
||||||
|
10
.github/workflows/release-cli.yml
vendored
10
.github/workflows/release-cli.yml
vendored
@ -29,6 +29,11 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ inputs.ref || github.head_ref }}
|
ref: ${{ inputs.ref || github.head_ref }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "false"
|
||||||
|
|
||||||
- name: Build CLI
|
- name: Build CLI
|
||||||
uses: ./.github/actions/build_cli
|
uses: ./.github/actions/build_cli
|
||||||
with:
|
with:
|
||||||
@ -107,6 +112,11 @@ jobs:
|
|||||||
- name: Download Syft & Grype
|
- name: Download Syft & Grype
|
||||||
uses: ./.github/actions/install_syft_grype
|
uses: ./.github/actions/install_syft_grype
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel
|
||||||
|
with:
|
||||||
|
useCache: "false"
|
||||||
|
|
||||||
# Build one CLI since Syft's go-module catalog will default to binary parsing.
|
# Build one CLI since Syft's go-module catalog will default to binary parsing.
|
||||||
# Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
|
# Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
|
||||||
# This seems to work fine for one OS & one arch as long as we don't have OS specific imports.
|
# This seems to work fine for one OS & one arch as long as we don't have OS specific imports.
|
||||||
|
@ -50,6 +50,17 @@ bazel build //cli:cli_oss_darwin_amd64 # cross compile CLI for mac amd64
|
|||||||
bazel build //cli:cli_oss_darwin_arm64 # cross compile CLI for mac arm64
|
bazel build //cli:cli_oss_darwin_arm64 # cross compile CLI for mac arm64
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Remote caching and execution
|
||||||
|
|
||||||
|
We use BuildBuddy for remote caching (and maybe remote execution in the future). To use it, you need to join the BuildBuddy organization and get an API key. Then, you can write it to `~/.bazelrc`:
|
||||||
|
|
||||||
|
```
|
||||||
|
build --remote_header=x-buildbuddy-api-key=<redacted>
|
||||||
|
```
|
||||||
|
|
||||||
|
To use the remote cache, build the project with `bazel build --config remote_cache //path/to:target`.
|
||||||
|
You can also copy the `remote_cache` config from `.bazelrc` to your `~/.bazelrc` and remove the `remote_cache` prefix to make it the default.
|
||||||
|
|
||||||
# Test
|
# Test
|
||||||
|
|
||||||
You can run all integration and unitttests like this:
|
You can run all integration and unitttests like this:
|
||||||
|
@ -22,6 +22,7 @@ timestamp() {
|
|||||||
"${REPOSITORY_ROOT}/tools/pseudo-version" -print-timestamp -timestamp-format '2006-01-02T15:04:05Z07:00'
|
"${REPOSITORY_ROOT}/tools/pseudo-version" -print-timestamp -timestamp-format '2006-01-02T15:04:05Z07:00'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
echo "REPO_URL https://github.com/edgelesssys/constellation.git"
|
||||||
echo "STABLE_STAMP_COMMIT $(git rev-parse HEAD)"
|
echo "STABLE_STAMP_COMMIT $(git rev-parse HEAD)"
|
||||||
echo "STABLE_STAMP_STATE $(git diff-index --quiet HEAD -- && echo "clean" || echo "dirty")"
|
echo "STABLE_STAMP_STATE $(git diff-index --quiet HEAD -- && echo "clean" || echo "dirty")"
|
||||||
echo "STABLE_STAMP_VERSION $(pseudo_version)"
|
echo "STABLE_STAMP_VERSION $(pseudo_version)"
|
||||||
|
Loading…
Reference in New Issue
Block a user