mkosi pipeline: Collect hashes

.github/workflows/build-os-image.yml

@@ -18,6 +18,9 @@ jobs:
     permissions:
       contents: read
       packages: read
+    outputs:
+      bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }}
+      disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }}
     steps:
       - name: Checkout
         uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791
@@ -48,15 +51,43 @@ jobs:
             ${{ github.workspace }}/build/disk-mapper
 
       - name: Collect hashes
+        id: collect-hashes
         run: |
-          echo "::set-output name=bootstrapper-sha256::$(sha256sum bootstrapper)"
-          echo "::set-output name=disk-mapper-sha256::$(sha256sum disk-mapper)"
+          echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" >> $GITHUB_OUTPUT
+          echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT
         working-directory: ${{ github.workspace }}/build
 
   make-os-image:
     name: "Build OS using mkosi"
     needs: build-dependencies
     runs-on: ubuntu-22.04
+    # TODO: flatten outputs once possible
+    # https://github.com/community/community/discussions/17245
+    outputs:
+      image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }}
+      image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }}
+      image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }}
+      image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }}
+      image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }}
+      image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }}
+      image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }}
+      image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }}
+      image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }}
+      image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }}
+      image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }}
+      image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }}
+      image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }}
+      image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }}
+      image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }}
+      image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }}
+      image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }}
+      image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }}
+      image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }}
+      image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }}
+      image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }}
+      image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }}
+      image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }}
+      image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }}
     strategy:
       matrix:
         csp: [azure, gcp, qemu]
@@ -101,6 +132,20 @@ jobs:
           DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
           CSP: ${{ matrix.csp }}
 
+      - name: Collect hashes
+        id: collect-hashes
+        run: |
+          echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" >> $GITHUB_OUTPUT
+          echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" >> $GITHUB_OUTPUT
+          echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" >> $GITHUB_OUTPUT
+          echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" >> $GITHUB_OUTPUT
+          echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" >> $GITHUB_OUTPUT
+          echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT
+          echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT
+          echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT
+        working-directory: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36
+        continue-on-error: true
+
       - name: Upload raw OS image as artifact
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
         with:
@@ -285,7 +330,7 @@ jobs:
 
   generate-sbom:
     name: "Generate SBOM"
-    needs: make-os-image
+    needs: [build-dependencies, make-os-image]
     runs-on: ubuntu-22.04
     steps:
       - name: Install squashfs tools
@@ -325,3 +370,36 @@ jobs:
           path: image.root.tree
           artifact-name: sbom.syft.json
           format: syft-json
+
+      - name: Combine hashes
+        run: |
+          cat > SHA256SUMS <<EOF
+          ${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
+          ${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
+          ${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
+          ${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog
+          ${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest
+          ${{ needs.make-os-image.outputs.image-efi-azure-sha256 }} azure/image.efi
+          ${{ needs.make-os-image.outputs.image-initrd-azure-sha256 }} azure/image.initrd
+          ${{ needs.make-os-image.outputs.image-root-raw-azure-sha256 }} azure/image.root.raw
+          ${{ needs.make-os-image.outputs.image-root-verity-azure-sha256 }} azure/image.root.verity
+          ${{ needs.make-os-image.outputs.image-vmlinuz-azure-sha256 }} azure/image.vmlinuz
+          ${{ needs.make-os-image.outputs.image-raw-gcp-sha256 }} gcp/image.raw
+          ${{ needs.make-os-image.outputs.image-raw-changelog-gcp-sha256 }} gcp/image.raw.changelog
+          ${{ needs.make-os-image.outputs.image-raw-manifest-gcp-sha256 }} gcp/image.raw.manifest
+          ${{ needs.make-os-image.outputs.image-efi-gcp-sha256 }} gcp/image.efi
+          ${{ needs.make-os-image.outputs.image-initrd-gcp-sha256 }} gcp/image.initrd
+          ${{ needs.make-os-image.outputs.image-root-raw-gcp-sha256 }} gcp/image.root.raw
+          ${{ needs.make-os-image.outputs.image-root-verity-gcp-sha256 }} gcp/image.root.verity
+          ${{ needs.make-os-image.outputs.image-vmlinuz-gcp-sha256 }} gcp/image.vmlinuz
+          ${{ needs.make-os-image.outputs.image-raw-qemu-sha256 }} qemu/image.raw
+          ${{ needs.make-os-image.outputs.image-raw-changelog-qemu-sha256 }} qemu/image.raw.changelog
+          ${{ needs.make-os-image.outputs.image-raw-manifest-qemu-sha256 }} qemu/image.raw.manifest
+          ${{ needs.make-os-image.outputs.image-efi-qemu-sha256 }} qemu/image.efi
+          ${{ needs.make-os-image.outputs.image-initrd-qemu-sha256 }} qemu/image.initrd
+          ${{ needs.make-os-image.outputs.image-root-raw-qemu-sha256 }} qemu/image.root.raw
+          ${{ needs.make-os-image.outputs.image-root-verity-qemu-sha256 }} qemu/image.root.verity
+          ${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz
+          EOF
+          cat SHA256SUMS
+          echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> $GITHUB_STEP_SUMMARY