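name: Build CLI
description: |
  Runs cmake and cli make target in build folder.
  Optionally, Sigstore tools are used to sign CLI when inputs are provided.
  A draft release is published when run on v* tag.
inputs:
  cosignPublicKey:
    description: 'Cosign public key'
    required: false
    default: ''
  cosignPrivateKey:
    description: 'Cosign private key'
    required: false
    default: ''
  cosignPassword:
    description: 'Password for Cosign private key'
    required: false
    default: ''
runs:
  using: "composite"
  steps:
    - name: Install build dependencies
      run: |
        sudo apt-get update
        sudo apt-get install -y --no-install-recommends \
          build-essential cmake
      shell: bash

    # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
    # once it has the functionality
    - name: Install Cosign
      uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2

    # NOTE(review): the rekor-cli binary is trusted purely on the basis of TLS to
    # github.com; no checksum or signature of the downloaded asset is verified here.
    # `-f` makes curl fail on HTTP errors instead of saving an error page as the
    # "binary", which `install` would otherwise happily copy to /usr/local/bin.
    - name: Install Rekor
      run: |
        curl -fsSL -o rekor-cli-linux-amd64 \
          https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64
        sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
      shell: bash

    # https://github.blog/2022-04-12-git-security-vulnerability-announced/
    # Use the workspace path provided by the runner rather than a hard-coded one so
    # the action keeps working if the checkout location changes.
    - name: Mark repository safe
      run: |
        git config --global --add safe.directory "${GITHUB_WORKSPACE}"
      shell: bash

    - name: Install Go
      uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a
      with:
        go-version: "1.18"

    - name: Build hack/pcr-reader
      run: |
        go build .
        # Make the binary available to later steps.
        echo "$(pwd)" >> "${GITHUB_PATH}"
      working-directory: hack/pcr-reader
      shell: bash

    - name: Build CLI
      run: |
        GIT_TAG=$(git describe --tags --always --dirty --abbrev=0)
        mkdir -p build
        cd build
        cmake -DCLI_VERSION:STRING="${GIT_TAG}" ..
        make -j"$(nproc)" cli
        # Make the built CLI available to later steps.
        echo "$(pwd)" >> "${GITHUB_PATH}"
      shell: bash

    - name: Sign CLI
      run: |
        set -euo pipefail
        echo "$COSIGN_PUBLIC_KEY" > cosign.pub
        # Enabling experimental mode also publishes signature to Rekor.
        # COSIGN_PASSWORD (from env) unlocks the private key referenced via env://.
        COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig
        # Verify - As documentation & check
        # Local Signature (input: artifact, key, signature)
        cosign verify-blob --key cosign.pub --signature constellation.sig constellation
        # Transparency Log Signature (input: artifact, key)
        # NOTE(review): `search` is by artifact hash and may return more than one
        # entry; `tail -n 1` assumes the last one is the entry just created, which
        # Rekor does not guarantee. Failing loudly on an empty result avoids a
        # confusing verify-blob error further down. jq is assumed to be present on
        # the runner — confirm for container-based builds.
        uuid=$(rekor-cli search --artifact constellation | tail -n 1)
        if [ -z "${uuid}" ]; then
          echo "no Rekor entry found for constellation" >&2
          exit 1
        fi
        sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
        cosign verify-blob --key cosign.pub --signature <(echo "${sig}") constellation
      shell: bash
      working-directory: build
      env:
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}

    - name: Release CLI
      # GitHub endorsed release project. See: https://github.com/actions/create-release
      uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
      if: startsWith(github.ref, 'refs/tags/v')
      with:
        draft: true
        # A tagged release must carry its signature and public key: fail the step
        # instead of silently drafting a release when the Sign CLI step was skipped
        # (no cosign inputs) and the .sig/.pub files do not exist.
        fail_on_unmatched_files: true
        files: |
          build/constellation
          build/constellation.sig
          build/cosign.pub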