mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-12 09:24:24 -05:00
a813760f96
* sign version with release key and remove version from fetcher interface * extend azure-reporter GH action to upload updated version values to the Attestation API
94 lines
3.0 KiB
YAML
94 lines
3.0 KiB
YAML
name: Fetch, validate and report SNP report data.
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "0 14 * * 0"
|
|
|
|
jobs:
|
|
build-snp-reporter:
|
|
name: "Build SNP-reporter container"
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
packages: write
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Build and upload azure SNP reporter container image
|
|
id: build-and-upload
|
|
uses: ./.github/actions/build_micro_service
|
|
with:
|
|
name: azure-snp-reporter
|
|
dockerfile: ./hack/azure-snp-report-verify/Dockerfile
|
|
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
fetch-snp-report:
|
|
needs: build-snp-reporter
|
|
name: "Fetch SNP report"
|
|
runs-on: [self-hosted, azure-cvm]
|
|
env:
|
|
SHELL: /bin/bash
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Fetch SNP report
|
|
uses: ./.github/actions/azure_snp_reporter
|
|
with:
|
|
outputPath: ${{ github.workspace }}/maa-report.jwt
|
|
|
|
- name: Upload report JWT
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: maa-report.jwt
|
|
path: "${{ github.workspace }}/maa-report.jwt"
|
|
|
|
validate-snp-report:
|
|
needs: fetch-snp-report
|
|
name: "Validate SNP report and update Attestation API"
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
SHELL: /bin/bash
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
|
|
with:
|
|
go-version: 1.20.4
|
|
cache: false
|
|
|
|
- name: Download report JWT
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: "maa-report.jwt"
|
|
path: "."
|
|
|
|
- name: Verify report
|
|
shell: bash
|
|
run: go run ./hack/azure-snp-report-verify/verify.go --report "$(cat ./maa-report.jwt)" --export-path azure-snp-version.json
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Update Attestation API
|
|
shell: bash
|
|
env:
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
|
run: |
|
|
go run ./hack/configapi/main.go --version-file azure-snp-version.json
|