name: Build and Upload OS image on: workflow_dispatch: inputs: imageVersion: description: "Semantic version including patch e.g. v.. (only used for releases)" required: false isRelease: description: 'Is this a release? (sets "ref" to special value "-")' type: boolean required: false default: false stream: description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)" type: choice required: true options: - "debug" - "console" - "nightly" - "stable" ref: type: string description: "Git ref to checkout" required: false workflow_call: inputs: imageVersion: description: "Semantic version including patch e.g. v.. (only used for releases)" required: false type: string isRelease: description: 'Is this a release? (sets "ref" to special value "-")' type: boolean required: false default: false stream: description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)" type: string required: true ref: type: string description: "Git ref to checkout" required: false jobs: build-dependencies: name: "Build binaries for embedding in the OS" runs-on: ubuntu-22.04 permissions: contents: read packages: read outputs: bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }} disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }} upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }} measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }} steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ inputs.ref || github.head_ref }} - name: Setup Go environment uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: "1.20.2" cache: true - name: Build bootstrapper if: inputs.stream != 'debug' uses: ./.github/actions/build_bootstrapper with: outputPath: ${{ github.workspace }}/build/bootstrapper - name: Build debugd if: inputs.stream == 'debug' uses: ./.github/actions/build_debugd with: outputPath: ${{ github.workspace }}/build/debugd - name: Build disk-mapper uses: ./.github/actions/build_disk_mapper with: outputPath: ${{ github.workspace }}/build/disk-mapper - name: Build upgrade-agent uses: ./.github/actions/build_upgrade_agent with: outputPath: ${{ github.workspace }}/build/upgrade-agent - name: Build measurement-reader uses: ./.github/actions/build_measurement_reader with: outputPath: ${{ github.workspace }}/build/measurement-reader - name: Upload dependencies uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 env: MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }} with: name: dependencies path: | ${{ github.workspace }}/build/${{ env.MAIN_BINARY }} ${{ github.workspace }}/build/disk-mapper ${{ github.workspace }}/build/upgrade-agent ${{ github.workspace }}/build/measurement-reader - name: Collect hashes id: collect-hashes working-directory: ${{ github.workspace }}/build run: | { echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)" echo "measurement-reader-sha256=$(sha256sum measurement-reader | head -c 64)" } | tee "$GITHUB_OUTPUT" build-settings: name: "Determine build settings" runs-on: ubuntu-22.04 outputs: ref: ${{ steps.ref.outputs.ref }} stream: ${{ steps.stream.outputs.stream }} imageType: ${{ steps.image-type.outputs.imageType }} pkiSet: ${{ steps.pki-set.outputs.pkiSet }} imageVersion: ${{ steps.image-version.outputs.imageVersion }} imageName: ${{ steps.image-version.outputs.imageName }} imageNameShort: ${{ steps.image-version.outputs.imageNameShort }} imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }} cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }} steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ inputs.ref || github.head_ref }} - name: Determine version id: version uses: ./.github/actions/pseudo_version - name: Determine ref id: ref run: | if [[ "${{ inputs.isRelease }}" = "true" ]]; then echo "ref=-" >> "$GITHUB_OUTPUT" else echo "ref=${{ steps.version.outputs.branchName }}" >> "$GITHUB_OUTPUT" fi - name: Determine and validate stream id: stream run: | if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then echo "Nightly builds are not allowed for releases" exit 1 fi if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then echo "Stable builds are only allowed for releases" exit 1 fi echo "stream=${{ inputs.stream }}" >> "$GITHUB_OUTPUT" - name: Determine type of image build shell: bash id: image-type run: | case "${{ steps.stream.outputs.stream }}" in "debug") echo "imageType=debug" >> "$GITHUB_OUTPUT" ;; "console") echo "imageType=console" >> "$GITHUB_OUTPUT" ;; *) echo "imageType=default" >> "$GITHUB_OUTPUT" ;; esac - name: Determine PKI set id: pki-set shell: bash run: | if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ steps.stream.outputs.stream }}" == "stable" ]]; then echo "pkiSet=pki_prod" >> "$GITHUB_OUTPUT" else echo "pkiSet=pki_testing" >> "$GITHUB_OUTPUT" fi - name: Determine image version id: image-version shell: bash env: REF: ${{ steps.ref.outputs.ref }} STREAM: ${{ steps.stream.outputs.stream }} IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }} run: | { echo "imageVersion=${IMAGE_VERSION}" echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image" echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli" } | tee "$GITHUB_OUTPUT" if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then echo "imageNameShort=${IMAGE_VERSION}" >> "$GITHUB_OUTPUT" elif [[ "${REF}" = "-" ]]; then echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" >> "$GITHUB_OUTPUT" else echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" >> "$GITHUB_OUTPUT" fi make-os-image: name: "Build OS using mkosi" needs: [build-settings, build-dependencies] runs-on: ubuntu-22.04 # TODO: flatten outputs once possible # https://github.com/community/community/discussions/17245 outputs: image-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-sha256 }} image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }} image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }} image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }} image-efi-aws-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-sha256 }} image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }} image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }} image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }} image-initrd-aws-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-sha256 }} image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }} image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }} image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }} image-root-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-sha256 }} image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }} image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }} image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }} image-root-verity-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-sha256 }} image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }} image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }} image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }} image-vmlinuz-aws-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-sha256 }} image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }} image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }} image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }} image-raw-changelog-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-sha256 }} image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }} image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }} image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }} image-raw-manifest-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-sha256 }} image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }} image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }} image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }} strategy: fail-fast: false matrix: csp: [aws, azure, gcp, openstack, qemu] steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ inputs.ref || github.head_ref }} - name: Download build dependencies uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: dependencies path: ${{ github.workspace }}/build - name: Mark bootstrapper, debugd, disk-mapper, measurement-reader, and upgrade-agent as executable run: | chmod +x ${{ github.workspace }}/build/bootstrapper || true chmod +x ${{ github.workspace }}/build/debugd || true chmod +x ${{ github.workspace }}/build/disk-mapper chmod +x ${{ github.workspace }}/build/upgrade-agent chmod +x ${{ github.workspace }}/build/measurement-reader - name: Setup mkosi uses: ./.github/actions/setup_mkosi with: version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3 - name: Prepare PKI for secure boot signing id: prepare-pki shell: bash working-directory: ${{ github.workspace }}/image env: PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }} run: | echo "${DB_KEY}" > "${PKI_SET}/db.key" ln -s "${PKI_SET}" pki - name: Build shell: bash working-directory: ${{ github.workspace }}/image env: BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper DEBUGD_BINARY: ${{ github.workspace }}/build/bootstrapper DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent MEASUREMENT_READER_BINARY: ${{ github.workspace }}/build/measurement-reader DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }} AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }} IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }} CSP: ${{ matrix.csp }} run: | echo "::group::Build" sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}" echo "::endgroup::" - name: Collect hashes id: collect-hashes continue-on-error: true working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37 run: | { echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" } | tee "$GITHUB_OUTPUT" - name: Upload raw OS image as artifact if: always() continue-on-error: true uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw - name: Upload individual OS parts as artifacts if: always() continue-on-error: true uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: parts-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.cmdline ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.efi ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.initrd ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.raw ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.roothash ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.verity ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz - name: Upload manifest as artifact if: always() continue-on-error: true uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: manifest-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.changelog ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.manifest upload-os-image: name: "Upload OS image to CSP" needs: [build-settings, make-os-image] runs-on: ubuntu-22.04 permissions: id-token: write contents: read strategy: fail-fast: false matrix: csp: [aws, azure, gcp, openstack, qemu] upload-variant: [""] include: - csp: azure upload-variant: TrustedLaunch steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ inputs.ref || github.head_ref }} - name: Download OS image artifact uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37 - name: Configure input variables id: vars uses: ./.github/actions/os_build_variables with: csp: ${{ matrix.csp }} uploadVariant: ${{ matrix.upload-variant }} basePath: ${{ github.workspace }}/image ref: ${{ needs.build-settings.outputs.ref }} stream: ${{ needs.build-settings.outputs.stream }} imageVersion: ${{ needs.build-settings.outputs.imageVersion }} imageType: ${{ needs.build-settings.outputs.imageType }} debug: ${{ needs.build-settings.outputs.imageType == 'debug' }} - name: Install tools shell: bash run: | echo "::group::Install tools" sudo apt-get update sudo apt-get install -y \ pigz \ qemu-utils \ python3-pip pip install google_crc32c echo "::endgroup::" - name: Login to AWS # on AWS, login is required to upload the image as AMI # on Azure, login is done to download the VMGS from S3 # on QEMU, login is done to upload the image to S3 if: matrix.csp == 'aws' || matrix.csp == 'azure' || matrix.csp == 'openstack' || matrix.csp == 'qemu' uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Login to Azure if: matrix.csp == 'azure' uses: ./.github/actions/login_azure with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} - name: Login to GCP if: matrix.csp == 'gcp' uses: ./.github/actions/login_gcp with: service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com" - name: Prepare PKI for image upload id: prepare-pki shell: bash working-directory: ${{ github.workspace }}/image run: | ln -s ${{ needs.build-settings.outputs.pkiSet }} pki - name: Download VMGS blob if: matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') working-directory: ${{ github.workspace }}/image env: PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }} AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} run: | aws s3 cp \ --region "${AZURE_VMGS_REGION}" \ "s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \ "${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \ --no-progress - name: Upload AWS image if: matrix.csp == 'aws' shell: bash working-directory: ${{ github.workspace }}/image env: PKI: ${{ github.workspace }}/image/pki AWS_JSON_OUTPUT: ${{ steps.vars.outputs.awsJsonOutput }} AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }} AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }} AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }} AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }} AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }} AWS_REGION: ${{ steps.vars.outputs.awsRegion }} AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }} AWS_PUBLISH: ${{ steps.vars.outputs.awsPublish }} run: | echo "::group::Upload AWS image" secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}" upload/upload_aws.sh echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${AWS_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" - name: Upload GCP image if: matrix.csp == 'gcp' shell: bash working-directory: ${{ github.workspace }}/image env: PKI: ${{ github.workspace }}/image/pki GCP_JSON_OUTPUT: ${{ steps.vars.outputs.gcpJsonOutput }} GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }} GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }} GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }} GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }} GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }} GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }} GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }} GCP_REGION: ${{ steps.vars.outputs.gcpRegion }} run: | echo "::group::Upload GCP image" upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}" upload/upload_gcp.sh echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${GCP_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" - name: Upload Azure image if: matrix.csp == 'azure' shell: bash working-directory: ${{ github.workspace }}/image env: PKI: ${{ github.workspace }}/image/pki AZURE_JSON_OUTPUT: ${{ steps.vars.outputs.azureJsonOutput }} AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }} AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }} AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }} AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }} AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }} AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }} AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }} AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }} AZURE_REGION: ${{ steps.vars.outputs.azureRegion }} AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }} AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }} AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }} AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} AZURE_SKU: ${{ steps.vars.outputs.azureSku }} AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }} run: | echo "::group::Upload Azure image" upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" - name: Upload OpenStack image if: matrix.csp == 'openstack' shell: bash working-directory: ${{ github.workspace }}/image env: OPENSTACK_JSON_OUTPUT: ${{ steps.vars.outputs.openStackJsonOutput }} OPENSTACK_BUCKET: ${{ steps.vars.outputs.openStackBucket }} OPENSTACK_BASE_URL: ${{ steps.vars.outputs.openStackBaseUrl }} OPENSTACK_IMAGE_PATH: ${{ steps.vars.outputs.openStackImagePath }} REF: ${{needs.build-settings.outputs.ref }} STREAM: ${{needs.build-settings.outputs.stream }} IMAGE_VERSION: ${{needs.build-settings.outputs.imageVersion }} run: | echo "::group::Upload OpenStack image" upload/upload_openstack.sh echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${OPENSTACK_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" - name: Upload QEMU image if: matrix.csp == 'qemu' shell: bash working-directory: ${{ github.workspace }}/image env: QEMU_JSON_OUTPUT: ${{ steps.vars.outputs.qemuJsonOutput }} QEMU_BUCKET: ${{ steps.vars.outputs.qemuBucket }} QEMU_BASE_URL: ${{ steps.vars.outputs.qemuBaseUrl }} QEMU_IMAGE_PATH: ${{ steps.vars.outputs.qemuImagePath }} REF: ${{needs.build-settings.outputs.ref }} STREAM: ${{needs.build-settings.outputs.stream }} IMAGE_VERSION: ${{needs.build-settings.outputs.imageVersion }} run: | echo "::group::Upload QEMU image" upload/upload_qemu.sh echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${QEMU_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" - name: Upload image lookup table as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: lookup-table path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json calculate-pcrs: name: "Calculate PCRs" needs: [build-settings, make-os-image] permissions: id-token: write contents: read runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: csp: [aws, azure, gcp, openstack, qemu] steps: - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ inputs.ref || github.head_ref }} - name: Login to AWS uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Download OS image artifact uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: image-${{ matrix.csp }} - name: Install dependencies run: | echo "::group::Install dependencies" python -m pip install --user --require-hashes -r .github/workflows/build-os-image-requirements.txt sudo apt-get update sudo apt-get install -y systemd-container # for systemd-dissect echo "::endgroup::" - name: Calculate expected PCRs working-directory: ${{ github.workspace }}/image/measured-boot run: | echo "::group::Calculate expected PCRs" { ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json ./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json ./precalculate_pcr_12.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-12-${{ matrix.csp }}.json ${{ matrix.csp }} } >> "$GITHUB_STEP_SUMMARY" cp pcr-stable.json ${{ github.workspace }}/ jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json echo "::endgroup::" - name: Add static PCRs run: | case ${{ matrix.csp }} in aws) yq e '.csp = "AWS" | .image = "${{ needs.build-settings.outputs.imageNameShort }}" | .measurements.0.warnOnly = true | .measurements.0.expected = "737f767a12f54e70eecbc8684011323ae2fe2dd9f90785577969d7a2013e8c12" | .measurements.2.warnOnly = true | .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.3.warnOnly = true | .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.4.warnOnly = false | .measurements.5.warnOnly = true | .measurements.5.expected = "73d13bf0a9dc9a201a337150a0a4adb06e6b2206eefaeb4fbb0fe5dac6202fd3" | .measurements.6.warnOnly = true | .measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.7.warnOnly = true | .measurements.7.expected = "120e498db2a224bd512b6efc9b0234f843e10bf061eb7a76ecca5509a2238901" | .measurements.8.warnOnly = false | .measurements.9.warnOnly = false | .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" ;; azure) yq e '.csp = "Azure" | .image = "${{ needs.build-settings.outputs.imageNameShort }}" | .measurements.1.warnOnly = true | .measurements.1.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.2.warnOnly = true | .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.3.warnOnly = true | .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.4.warnOnly = false | .measurements.5.warnOnly = true | .measurements.5.expected = "b731e1a1c70e65e43a4ed54d668b7e585163d9c42f1ed4096174451ff0ba62f2" | .measurements.7.warnOnly = true | .measurements.7.expected = "346547a8ce5957af27e552427d6b9e6d9cb502f0156e9155380451eea1b3f0ed" | .measurements.8.warnOnly = false | .measurements.9.warnOnly = false | .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" ;; gcp) yq e '.csp = "GCP" | .image = "${{ needs.build-settings.outputs.imageNameShort }}" | .measurements.1.warnOnly = true | .measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" | .measurements.2.warnOnly = true | .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.3.warnOnly = true | .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.4.warnOnly = false | .measurements.5.warnOnly = true | .measurements.5.expected = "9d5f8c2e0464c69552e593be32a4b089f7e77f4ed12d60cdcd94120b6ccaccf8" | .measurements.6.warnOnly = true | .measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | .measurements.7.warnOnly = true | .measurements.7.expected = "b1e9b305325c51b93da58cbf7f92512d8eebfa01143e4d8844e40e062e9b6cd5" | .measurements.8.warnOnly = false | .measurements.9.warnOnly = false | .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" ;; openstack) yq e '.csp = "OpenStack" | .image = "${{ needs.build-settings.outputs.imageNameShort }}" | .measurements.4.warnOnly = false | .measurements.8.warnOnly = false | .measurements.9.warnOnly = false | .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" ;; qemu) yq e '.csp = "QEMU" | .image = "${{ needs.build-settings.outputs.imageNameShort }}" | .measurements.4.warnOnly = false | .measurements.8.warnOnly = false | .measurements.9.warnOnly = false | .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" ;; *) echo "Unknown CSP: ${{ matrix.csp }}" exit 1 ;; esac - name: Upload expected PCRs as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: pcrs path: pcrs-${{ matrix.csp }}.json - name: Install Cosign uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 - name: Install Rekor shell: bash run: | curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64 sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli rm rekor-cli-linux-amd64 - name: Sign measurements shell: bash env: COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} run: | echo "${COSIGN_PUBLIC_KEY}" > cosign.pub # Enabling experimental mode also publishes signature to Rekor COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY \ "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" > "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json.sig" # Verify - As documentation & check # Local Signature (input: artifact, key, signature) cosign verify-blob --key cosign.pub \ --signature "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json.sig" \ "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" # Transparency Log Signature (input: artifact, key) uuid=$(rekor-cli search --artifact "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" | tail -n 1) sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content) cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" - name: Upload signature of expected PCRs as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: pcrs-sig path: pcrs-${{ matrix.csp }}.json.sig - name: Upload expected PCRs to S3 shell: bash run: | aws s3 cp \ "pcrs-${{ matrix.csp }}.json" \ "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/csp/${{ matrix.csp }}/measurements.json" \ --no-progress aws s3 cp \ "pcrs-${{ matrix.csp }}.json.sig" \ "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/csp/${{ matrix.csp }}/measurements.json.sig" \ --no-progress generate-sbom: name: "Generate SBOM" needs: [build-settings, build-dependencies, make-os-image] permissions: id-token: write contents: read runs-on: ubuntu-22.04 steps: - name: Login to AWS uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Install squashfs tools run: | echo "::group::Install squashfs tools" sudo apt-get update sudo apt-get install -y squashfs-tools echo "::endgroup::" - name: Download rootfs uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: # downloading / using only the QEMU rootfs is fine # since the images only differ in the ESP partition name: parts-qemu - name: Download manifest uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: # downloading / using only the QEMU manifest is fine # since the images only differ in the ESP partition name: manifest-qemu - name: Unpack squashfs run: | echo "::group::Unpack squashfs" unsquashfs -user-xattrs -d image.root.tree image.root.raw echo "::endgroup::" - name: Create SBOM in SPDX fromat uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3 with: path: image.root.tree artifact-name: sbom.spdx.json output-file: sbom.spdx.json format: spdx-json - name: Create SBOM in CycloneDX fromat uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3 with: path: image.root.tree artifact-name: sbom.cyclonedx.json output-file: sbom.cyclonedx.json format: cyclonedx-json - name: Create SBOM in Syft fromat uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3 with: path: image.root.tree artifact-name: sbom.syft.json output-file: sbom.syft.json format: syft-json - name: Combine hashes run: | cat > SHA256SUMS <> "$GITHUB_STEP_SUMMARY" - name: Upload SBOMs to S3 shell: bash run: | sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json' manifests='image.raw.manifest image.raw.changelog' hashes='SHA256SUMS' for file in ${sboms} ${manifests} ${hashes}; do aws s3 cp \ "${file}" \ "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \ --no-progress done upload-artifacts: name: "Upload image lookup table and CLI compatibility info" runs-on: ubuntu-22.04 needs: [build-settings, upload-os-image] permissions: id-token: write contents: read steps: - name: Download image lookup table uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 with: name: lookup-table - name: Login to AWS uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Combine lookup tables for CSPs shell: bash run: | echo '{}' > intermediate.json jq '.ref = "${{ needs.build-settings.outputs.ref }}"' intermediate.json > lookup-table.json cp lookup-table.json intermediate.json jq '.stream = "${{ needs.build-settings.outputs.stream }}"' intermediate.json > lookup-table.json cp lookup-table.json intermediate.json jq '.version = "${{ needs.build-settings.outputs.imageVersion }}"' intermediate.json > lookup-table.json cp lookup-table.json intermediate.json for lut in mkosi.output.*/*/image-upload*.json; do jq -scS '.[0] * .[1]' intermediate.json "${lut}" > lookup-table.json cp lookup-table.json intermediate.json done rm -f intermediate.json - name: Upload lookup table to S3 shell: bash run: | aws s3 cp \ "lookup-table.json" \ "s3://cdn-constellation-backend/${{ needs.build-settings.outputs.imageApiBasePath }}/info.json" \ --no-progress { echo -e "Image version ([Lookup table](https://cdn.confidential.cloud/${{ needs.build-settings.outputs.imageApiBasePath }}/info.json)):" echo echo -e "\`\`\`" echo "${{ needs.build-settings.outputs.imageNameShort }}" echo -e "\`\`\`" } >> "$GITHUB_STEP_SUMMARY" - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ inputs.ref || github.head_ref }} - name: Setup Go environment uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: "1.20.2" cache: true - name: Create CLI compatibility information artifact shell: bash run: | go run ./hack/cli-k8s-compatibility/main.go \ --ref=${{ needs.build-settings.outputs.ref }} \ --stream=${{ needs.build-settings.outputs.stream }} \ --version=${{ needs.build-settings.outputs.imageVersion }} \ add-image-version-to-versionsapi: needs: [upload-artifacts, build-settings] name: "Add image version to versionsapi" if: needs.build-settings.outputs.ref != '-' permissions: contents: read id-token: write uses: ./.github/workflows/versionsapi.yml with: command: add ref: ${{ needs.build-settings.outputs.ref }} stream: ${{ needs.build-settings.outputs.stream }} version: ${{ needs.build-settings.outputs.imageVersion }} kind: "image" add_latest: true add-cli-version-to-versionsapi: needs: [upload-artifacts, build-settings] name: "Add CLI version to versionsapi" if: needs.build-settings.outputs.ref != '-' permissions: contents: read id-token: write uses: ./.github/workflows/versionsapi.yml with: command: add ref: ${{ needs.build-settings.outputs.ref }} stream: ${{ needs.build-settings.outputs.stream }} version: ${{ needs.build-settings.outputs.imageVersion }} kind: "cli" add_latest: true