diff --git a/.github/actions/build_ko/action.yml b/.github/actions/build_ko/action.yml
index 6de3f2392..22bb81619 100644
--- a/.github/actions/build_ko/action.yml
+++ b/.github/actions/build_ko/action.yml
@@ -8,6 +8,10 @@ inputs: description: "Name of the registry to use" required: false default: "ghcr.io" + pseudoVersion: + description: "Check if pseudo-version should be generated" + default: "false" + required: true koConfig: description: "Path to the .ko.yaml config file" required: false
@@ -23,6 +27,8 @@ inputs: required: true generateKoSBOM: description: "Generate unsigned ko SBOM" + required: false + default: "false" outputs: container_full:
@@ -41,6 +47,7 @@ runs: using: "composite" steps: - name: Determine pseudo version + if: ${{ inputs.pseudoVersion == 'true' }} id: pseudo-version uses: ./.github/actions/pseudo_version
@@ -59,6 +66,11 @@ runs: tags="" sbom="" + ls -lahR ${{ github.workspace}} + stat ${{ inputs.koTarget }} + echo PWD=$(pwd) # is erased?! + pwd + if [ "${{ github.ref }}" == "${{ github.event.repository.default_branch }}" ]; then tags="latest" else:
diff --git a/.github/actions/build_micro_service_ko/action.yml b/.github/actions/build_micro_service_ko/action.yml
index e16a39afc..e39149099 100644
--- a/.github/actions/build_micro_service_ko/action.yml
+++ b/.github/actions/build_micro_service_ko/action.yml
@@ -8,9 +8,9 @@ inputs: description: "Path to the .ko.yaml config file" default: ".ko.yaml" required: false - constellationPath: - description: "Path to the root of the Constellation repo" - #default: "TEST_MICRO_SERVICE_" + pseudoVersion: + description: "Check if pseudo-version should be generated" + default: "false" required: true koTarget: description: "Go package to build with ko"
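Review bot: The new `pseudoVersion` input declares both `default: "false"` and `required: true`; a caller that omits it silently receives the default, so the `required` flag never does anything and only misleads readers (as far as I know GitHub does not reject a composite-action call for a missing required input either), so drop `required: true` here and in the identical `build_micro_service_ko` input hunk below. The description "Check if pseudo-version should be generated" reads as an instruction rather than a contract; I'd write `description: "Set to \"true\" to run the pseudo_version action and use its result as the image tag; any other value skips that step"`.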
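Review bot: Gating the `Determine pseudo version` step on `inputs.pseudoVersion == 'true'` leaves every `steps.pseudo-version.outputs.*` value empty when the step is skipped, and nothing in this hunk substitutes a value; if later steps of the action derive the image tag from those outputs (they are outside the hunk, so I cannot confirm), the default `"false"` path pushes an image with an empty or malformed tag instead of failing. Either add a fallback step guarded by `if: ${{ inputs.pseudoVersion != 'true' }}` that writes an explicit tag, or fail fast in the shell step with `if [ -z "$PSEUDO_VERSION" ]; then echo "::error::no version available"; exit 1; fi` after passing the output in through `env:`. The `runs.steps` list continues past the end of the hunk.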
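Review bot: The added `stat ${{ inputs.koTarget }}` line splices an action input into the shell script by template expansion before bash parses it, so whatever a caller passes as `koTarget` becomes part of the script text; even with all present callers in-repo, the robust form is `env: KO_TARGET: ${{ inputs.koTarget }}` on the step and `stat "$KO_TARGET"` in the script. The other three lines look like debugging leftovers (`# is erased?!`, the current directory printed twice), and `ls -lahR ${{ github.workspace}}` dumps a recursive listing of the whole checkout into the job log; remove them before merge or collapse them into one `echo "koTarget=${KO_TARGET} pwd=$(pwd)"`. The `run:` block continues outside the hunk, so I cannot see whether the tag logic that follows depends on any of this.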
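Review bot: This hunk removes the `constellationPath` input, but the `Determine pseudo version` step in the next hunk of this file still passes `constellationPath: ${{ inputs.constellationPath }}`, which now expands to an empty string, and the `pseudo_version` action drops that input in the same commit, so the step hands over an input the action no longer declares. Delete the `with:` block of that step together with the input. The new `pseudoVersion` input pairs `required: true` with `default: "false"`, the same contradiction as in `build_ko`; the default makes the requirement meaningless.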
@@ -40,7 +40,8 @@ runs: using: "composite" steps: - name: Determine pseudo version - id: pseudo-version + #if: ${{ inputs.pseudoVersion == 'true' }} + if: ${{ failure() }} uses: ./.github/actions/pseudo_version with: constellationPath: ${{ inputs.constellationPath }}
@@ -51,6 +52,7 @@ runs: with: name: ${{ inputs.name }} koConfig: ${{ inputs.koConfig }} + pseudoVersion: ${{ inputs.pseudoVersion }} koTarget: ${{ inputs.koTarget }} githubToken: ${{ inputs.GITHUB_TOKEN }} pushTag: ci-test
diff --git a/.github/actions/pseudo_version/action.yml b/.github/actions/pseudo_version/action.yml
index ae2db64ea..38a04fcb3 100644
--- a/.github/actions/pseudo_version/action.yml
+++ b/.github/actions/pseudo_version/action.yml
@@ -1,10 +1,5 @@ name: Determine pseudo version description: "Determine go-like pseudo version to use as container image tag." -inputs: - constellationPath: - description: "Path to Constellation repository root" - #default: "." - required: true outputs: pseudoVersion:
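Review bot: `if: ${{ failure() }}` on the `Determine pseudo version` step makes it run only after an earlier step of the job has failed, the opposite of what a version-derivation step should do, and the commented-out `#if: ${{ inputs.pseudoVersion == 'true' }}` directly above it reads as a debugging toggle that should not land. Removing `id: pseudo-version` also breaks any `steps.pseudo-version.outputs.*` reference in this action (the remaining steps are outside the hunk, so I cannot confirm one exists). Restore `id: pseudo-version`, use the real condition `if: ${{ inputs.pseudoVersion == 'true' }}`, and delete the commented line.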
@@ -30,30 +25,24 @@ runs: - name: get pseudo version id: pseudo-version run: | - ln -s ${{ inputs.constellationPath }}/.git .git if $(git rev-parse --is-shallow-repository); then git fetch --prune --unshallow --tags -v else git fetch --tags -v fi - rm .git - - pseudoVersionPath=${{ inputs.constellationPath }}/hack/pseudo-version homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)" - export GOCACHE=${homedir}/.cache/go-build export GOPATH=${homedir}/go export GOMODCACHE=${homedir}/.cache/go-mod - - pseudoVersion=$(go run $pseudoVersionPath) - semanticVersion=$(go run $pseudoVersionPath -semantic-version) - timestamp=$(go run $pseudoVersionPath -print-timestamp) - branchName=$(go run $pseudoVersionPath -print-branch) - releaseVersion=$(go run $pseudoVersionPath -print-release-branch) - + pseudoVersion=$(go run .) + semanticVersion=$(go run . -semantic-version) + timestamp=$(go run . -print-timestamp) + branchName=$(go run . -print-branch) + releaseVersion=$(go run . -print-release-branch) echo "pseudoVersion=${pseudoVersion}" >> $GITHUB_OUTPUT echo "semanticVersion=${semanticVersion}" >> $GITHUB_OUTPUT echo "timestamp=${timestamp}" >> $GITHUB_OUTPUT echo "branchName=${branchName}" >> $GITHUB_OUTPUT echo "releaseVersion=${releaseVersion}" >> $GITHUB_OUTPUT + working-directory: hack/pseudo-version shell: bash
diff --git a/.github/actions/pseudo_version_ko/action.yaml b/.github/actions/pseudo_version_ko/action.yaml
new file mode 100644
index 000000000..e06e042b5
--- /dev/null
+++ b/.github/actions/pseudo_version_ko/action.yaml
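Review bot: The rewritten block runs `go run .` five times, compiling the same helper on every call; build it once with `go build -o "$RUNNER_TEMP/pseudo-version" .` followed by `pseudoVersion=$("$RUNNER_TEMP/pseudo-version")`, and reuse the binary for the `-semantic-version`, `-print-timestamp`, `-print-branch` and `-print-release-branch` calls. With `working-directory: hack/pseudo-version` the `git fetch` above now executes from a subdirectory, which works because git locates the enclosing repository, but a one-line comment above `run:` stating that the step assumes it runs inside the Constellation checkout would document what the removed `constellationPath` input used to make explicit.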
@@ -0,0 +1,58 @@
+name: Determine pseudo version
+description: "Determine go-like pseudo version to use as container image tag."
+inputs:
+ constellationPath:
+ description: "Path to Constellation repository root"
+ #default: "."
+ required: true
+
+outputs:
+ pseudoVersion:
+ description: "Pseudo version based on the current HEAD"
+ value: ${{ steps.pseudo-version.outputs.pseudoVersion }}
+ semanticVersion:
+ description: "Semantic version based on the current HEAD"
+ value: ${{ steps.pseudo-version.outputs.semanticVersion }}
+ releaseVersion:
+ description: "Release version based on branch name"
+ value: ${{ steps.pseudo-version.outputs.releaseVersion }}
+ timestamp:
+ description: "Commit timestamp based on the current HEAD"
+ value: ${{ steps.pseudo-version.outputs.timestamp }}
+ branchName:
+ description: "Branch name"
+ value: ${{ steps.pseudo-version.outputs.branchName }}
+
+# Linux runner only (homedir trick does not work on macOS, required for private runner)
+runs:
+ using: "composite"
+ steps:
+ - name: get pseudo version
+ id: pseudo-version
+ run: |
+ if $(git rev-parse --is-shallow-repository); then
+ git fetch --prune --unshallow --tags -v
+ else
+ git fetch --tags -v
+ fi
+
+ pseudoVersionPath=${{ inputs.constellationPath }}/hack/pseudo-version
+ homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)"
+
+ export GOCACHE=${homedir}/.cache/go-build
+ export GOPATH=${homedir}/go
+ export GOMODCACHE=${homedir}/.cache/go-mod
+
+ pseudoVersion=$(go run $pseudoVersionPath)
+ semanticVersion=$(go run $pseudoVersionPath -semantic-version)
+ timestamp=$(go run $pseudoVersionPath -print-timestamp)
+ branchName=$(go run $pseudoVersionPath -print-branch)
+ releaseVersion=$(go run $pseudoVersionPath -print-release-branch)
+
+ echo "pseudoVersion=${pseudoVersion}" >> $GITHUB_OUTPUT
+ echo "semanticVersion=${semanticVersion}" >> $GITHUB_OUTPUT
+ echo "timestamp=${timestamp}" >> $GITHUB_OUTPUT
+ echo "branchName=${branchName}" >> $GITHUB_OUTPUT
+ echo 
"releaseVersion=${releaseVersion}" >> $GITHUB_OUTPUT
+ shell: bash
+ working-directory: ./hack/pseudo-version
diff --git a/.github/workflows/build-gcp-guest-agent-ko-redo.yml b/.github/workflows/build-gcp-guest-agent-ko-redo.yml
new file mode 100644
index 000000000..1ba21c804
--- /dev/null
+++ b/.github/workflows/build-gcp-guest-agent-ko-redo.yml
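Review bot: `working-directory: ./hack/pseudo-version` combines badly with `pseudoVersionPath=${{ inputs.constellationPath }}/hack/pseudo-version`: a relative `constellationPath` (the commented-out `#default: "."` suggests one is expected) is resolved from inside `hack/pseudo-version`, so `go run $pseudoVersionPath` looks for `hack/pseudo-version/hack/pseudo-version`, while an absolute one makes the working directory pointless; pick one mechanism, and since the working directory already is the helper's package, `go run .` without the input is the simpler choice. If the input stays, pass it as `env: CONSTELLATION_PATH: ${{ inputs.constellationPath }}` and use `"$CONSTELLATION_PATH"` in the script rather than expanding it into the script text. Apart from those lines and the `_ko` directory name, the file is a copy of `pseudo_version/action.yml` as it stood before this commit, down to the same `name:` and `description:`, so if a separate action is really needed the description should say how it differs, otherwise the two will drift. Sibling actions use the `action.yml` extension; this one is `action.yaml`.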
@@ -0,0 +1,66 @@
+name: Build and Upload GCP guest-agent container (KO)
+env:
+ REGISTRY: ghcr.io
+ KO_DATA_PATH: /etc/default/
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ - "release/**"
+ - "feat/reproducible-builds-ko"
+
+jobs:
+ build-gcp-guest-agent:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ strategy:
+ matrix:
+ version: ["20220927.00"]
+ include:
+ - version: "20220927.00"
+ latest: true
+ steps:
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ with:
+ ref: ${{ github.head_ref }}
+
+ - name: Determine pseudo-version
+ id: pseudo-version
+ uses: ./.github/actions/pseudo_version
+
+ - name: Remove constellation
+ run: |
+ cp ./3rdparty/gcp-guest-agent/instance_configs.cfg /tmp/instance_configs.cfg
+ cp -r .github/ -r ../
+ cp .ko.yaml ../.ko.yaml
+ rm -rf constellation
+
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ with:
+ repository: "GoogleCloudPlatform/guest-agent"
+ ref: refs/tags/${{ matrix.version }}
+
+ - name: Prepare hardcoded configuration file
+ id: prepare-config
+ run: |
+ mkdir -p koData
+ cp /tmp/instance_configs.cfg koData/
+ cp -r ../.github/ .github/
+ cp ../.ko.yaml .ko.yaml
+
+ - name: Build and upload gcp guest service container image
+ id: build-and-upload
+ # assumes that we are currently in the root of the repo
+ uses: ./.github/actions/build_micro_service_ko
+ with:
+ name: gcp-guest-agent
+ koTarget: ./google_guest_agent
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
+ pseudoVersion: "false"
+ cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
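Review bot: The second `actions/checkout` fetches `GoogleCloudPlatform/guest-agent` at `ref: refs/tags/${{ matrix.version }}`, a mutable tag, and that tree is what gets built and signed with the cosign keys passed at the bottom of the job; for a workflow whose purpose is reproducible builds, pin the third-party source to an immutable commit, `ref: <commit SHA that tag 20220927.00 resolves to>  # tag=20220927.00`, or compare `git rev-parse HEAD` against an expected value before the build step, the way the action references in this file are already pinned by SHA. `push: branches:` lists `"feat/reproducible-builds-ko"`, the trigger the sibling `build-gcp-guest-agent-ko.yml` hunk removes in the same commit, so pushes to that branch now publish packages from this copy instead. The outputs of the `Determine pseudo-version` step are not referenced anywhere in the file, and `cp -r .github/ -r ../` carries a stray second `-r`; both look like leftovers from copying the original workflow.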
diff --git a/.github/workflows/build-gcp-guest-agent-ko.yml b/.github/workflows/build-gcp-guest-agent-ko.yml
index 65ba8b5cd..2f2f7156a 100644
--- a/.github/workflows/build-gcp-guest-agent-ko.yml
+++ b/.github/workflows/build-gcp-guest-agent-ko.yml
@@ -9,7 +9,6 @@ on: branches: - main - "release/**" - - "feat/reproducible-builds-ko" jobs: build-gcp-guest-agent:
diff --git a/.github/workflows/build-qemu-metada-api-ko.yaml b/.github/workflows/build-qemu-metada-api-ko.yaml
new file mode 100644
index 000000000..72e1d9f87
--- /dev/null
+++ b/.github/workflows/build-qemu-metada-api-ko.yaml
@@ -0,0 +1,38 @@
+name: Build and upload qemu-metadata-api image (KO)
+env:
+ REGISTRY: ghcr.io
+
+on:
+ workflow_dispatch:
+
+jobs:
+ build-join-service-ko:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ outputs:
+ image: ${{ steps.build-and-upload.outputs.image }}
+ digest: ${{ steps.build-and-upload.outputs.digest }}
+ steps:
+ - name: Check out repository
+ id: checkout
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ with:
+ ref: ${{ github.head_ref }}
+
+ - name: Setup Go environment
+ uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
+ with:
+ go-version: "1.19.3"
+
+ - name: Build and upload join service container image
+ id: build-and-upload
+ uses: ./.github/actions/build_micro_service_ko
+ with:
+ name: joinservice
+ koTarget: ./joinservice/cmd
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
+ cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.ko.yaml b/.ko.yaml
index 76d6f5a7c..ea59ba026 100644
--- a/.ko.yaml
+++ b/.ko.yaml
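Review bot: The workflow is titled `Build and upload qemu-metadata-api image (KO)` and lives in `build-qemu-metada-api-ko.yaml`, but every job-level value still builds the join service: job id `build-join-service-ko`, step name `Build and upload join service container image`, `name: joinservice` and `koTarget: ./joinservice/cmd`; as written it publishes a second `joinservice` image and never touches `hack/qemu-metadata-api`, the package the `.ko.yaml` hunk in this commit adds a build id for. Change the two inputs to `name: qemu-metadata-api` and `koTarget: ./hack/qemu-metadata-api` and rename the job and step to match. The filename also spells `metadata` as `metada`, and `ref: ${{ github.head_ref }}` is always empty on `workflow_dispatch`, so the checkout silently falls back to the dispatch ref; either drop the `with:` block or add a comment saying the fallback is intended.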
@@ -1,7 +1,8 @@ defaltBaseImage: distroless.dev/static:latest@sha256:d624beaae60b10ec342896b1470421eb473549cb3ac3bf1c6ec074d8b460b4fc baseImageOverrides: - github.com/edgelesssys/constellation/v2/operators/constellation-node-operator ghcr.io/edgelesssys/alpine-base-user-65532 + github.com/edgelesssys/constellation/operators/constellation-node-operator/v2: ghcr.io/edgelesssys/apko-alpine-base-user-65532 + github.com/edgelesssys/constellation/v2/hack/qemu-metadata-api: ghcr.io/edgelesssys/apko-alpine-qemu-metadata-api builds: - id: kms
@@ -61,3 +62,17 @@ builds: - -s -w -buildid='' - -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION} - -extldflags "-static" + +- id: qemu-metadata-api + dir: . + main: ./hack/qemu-metadata-api/ + env: + - CGO_ENABLED=0 + - GOOS=linux + - GOARCH=amd64 + flags: + - -trimpath + - -buildvcs=false + - -a + ldflags: + - -s -w -buildid=''
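Review bot: Both added `baseImageOverrides` entries name `ghcr.io/edgelesssys/apko-alpine-base-user-65532` and `ghcr.io/edgelesssys/apko-alpine-qemu-metadata-api` with neither tag nor digest, so ko resolves a floating `latest` at build time even though the default base on the line above is pinned to a `sha256` digest; pin them, `ghcr.io/edgelesssys/apko-alpine-base-user-65532@sha256:<digest of the intended base>`, or the signed image content changes whenever the base is republished. The rewritten operator key moves `/v2` to the end of the path (`…/operators/constellation-node-operator/v2`) while the new qemu-metadata-api key keeps `constellation/v2/hack/…`; only the form that matches the import path ko computes for the `main` package takes effect and a mismatching key is ignored without error, so please confirm against the operator's `go.mod`. Adjacent but untouched by the hunk: `defaltBaseImage` is not the `defaultBaseImage` key ko reads, which would mean the digest-pinned default is not being applied at all.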
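Review bot: The new `qemu-metadata-api` build's `ldflags` carry only `-s -w -buildid=''`, while the build directly above it (visible as context) also passes `-X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}` and `-extldflags "-static"`; if leaving them out is deliberate, a comment above `ldflags:` such as `# intentionally no VersionInfo/-extldflags: <reason>` would keep the next reader from "fixing" it, otherwise add the two lines for consistency with the other builds. `-a` under `flags:` forces every dependency to be recompiled on each run; I cannot see whether the sibling builds use it, but with `-trimpath` and `-buildvcs=false` already set it adds nothing for reproducibility and costs build time, so it deserves either removal or a comment.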