name: Fetch, validate and report SNP report data. on: workflow_dispatch: schedule: - cron: "0 14 * * 0" jobs: build-snp-reporter: name: "Build SNP-reporter container" runs-on: ubuntu-22.04 permissions: packages: write steps: - name: Checkout uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Build and upload azure SNP reporter container image id: build-and-upload uses: ./.github/actions/build_micro_service with: name: azure-snp-reporter dockerfile: ./hack/azure-snp-report-verify/Dockerfile githubToken: ${{ secrets.GITHUB_TOKEN }} fetch-snp-report: needs: build-snp-reporter name: "Fetch SNP report" runs-on: [self-hosted, azure-cvm] env: SHELL: /bin/bash steps: - name: Checkout uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Fetch SNP report uses: ./.github/actions/azure_snp_reporter with: outputPath: ${{ github.workspace }}/maa-report.jwt - name: Upload report JWT uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: maa-report.jwt path: "${{ github.workspace }}/maa-report.jwt" validate-snp-report: needs: fetch-snp-report name: "Validate SNP report and update Attestation API" permissions: id-token: write contents: read runs-on: ubuntu-22.04 env: SHELL: /bin/bash steps: - name: Checkout uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Set up Go uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: 1.20.5 cache: false - name: Download report JWT uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: "maa-report.jwt" path: "." - name: Verify report shell: bash run: go run ./hack/azure-snp-report-verify/verify.go --report "$(cat ./maa-report.jwt)" --export-path azure-snp-version.json - name: Login to AWS uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Update Attestation API shell: bash env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} run: | go run ./hack/configapi/main.go --version-file azure-snp-version.json