diff --git a/.github/actions/azure_snp_reporter/action.yaml b/.github/actions/azure_snp_reporter/action.yaml
deleted file mode 100644
index 2c0d836bb..000000000
--- a/.github/actions/azure_snp_reporter/action.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-name: Azure SNP Reporter
-description: "Get SNP MAA statement from Azure."
-inputs:
- outputPath:
- description: "Path to put signed JWT into."
- required: true
-runs:
- using: "composite" # some azure SNP-enabled machine.
- steps:
- - name: Fetch report
- shell: bash
- run: docker run --rm --privileged -v/sys/kernel/security:/sys/kernel/security ghcr.io/edgelesssys/constellation/azure-snp-reporter | tail -n 1 > ${{ inputs.outputPath }}
diff --git a/.github/workflows/azure-snp-reporter.yml b/.github/workflows/azure-snp-reporter.yml
deleted file mode 100644
index 9b4a0de96..000000000
--- a/.github/workflows/azure-snp-reporter.yml
+++ /dev/null
@@ -1,93 +0,0 @@ -name: Fetch, validate and report SNP report data. -on: - workflow_dispatch: - schedule: - - cron: "0 14 * * 0" - -jobs: - build-snp-reporter: - name: "Build SNP-reporter container" - runs-on: ubuntu-22.04 - permissions: - packages: write - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Build and upload azure SNP reporter container image - id: build-and-upload - uses: ./.github/actions/build_micro_service - with: - name: azure-snp-reporter - dockerfile: ./hack/azure-snp-report-verify/Dockerfile - githubToken: ${{ secrets.GITHUB_TOKEN }} - - fetch-snp-report: - needs: build-snp-reporter - name: "Fetch SNP report" - runs-on: [self-hosted, azure-cvm] - env: - SHELL: /bin/bash - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Fetch SNP report - uses: ./.github/actions/azure_snp_reporter - with: - outputPath: ${{ github.workspace }}/maa-report.jwt - - - name: Upload report JWT - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: maa-report.jwt - path: "${{ github.workspace }}/maa-report.jwt" - - validate-snp-report: - needs: fetch-snp-report - name: "Validate SNP report and update Attestation API" - permissions: - id-token: write - contents: read - runs-on: ubuntu-22.04 - env: - SHELL: /bin/bash - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Set up Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version: "1.20.7" - cache: false - - - name: Download report JWT - uses: 
actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: "maa-report.jwt" - path: "." - - - name: Verify report - shell: bash - run: go run ./hack/azure-snp-report-verify/verify.go --report "$(cat ./maa-report.jwt)" --export-path azure-snp-version.json - - - name: Login to AWS - uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 - with: - role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline - aws-region: eu-central-1 - - - name: Update Attestation API - shell: bash - env: - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - run: | - go run ./hack/configapi/main.go --version-file azure-snp-version.json