mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-13 09:54:29 -05:00
97aea98e77
* Update CI to use different GCP project for e2e tests * Update GCP image project service accounts * Update default GCP bucket name for image builds --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
732 lines
29 KiB
YAML
732 lines
29 KiB
YAML
name: Build and Upload OS image
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
imageVersion:
|
|
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
|
|
required: false
|
|
isRelease:
|
|
description: 'Is this a release? (sets "ref" to special value "-")'
|
|
type: boolean
|
|
required: false
|
|
default: false
|
|
stream:
|
|
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
|
|
type: choice
|
|
required: true
|
|
options:
|
|
- "debug"
|
|
- "console"
|
|
- "nightly"
|
|
- "stable"
|
|
ref:
|
|
type: string
|
|
description: "Git ref to checkout"
|
|
required: false
|
|
workflow_call:
|
|
inputs:
|
|
imageVersion:
|
|
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
|
|
required: false
|
|
type: string
|
|
isRelease:
|
|
description: 'Is this a release? (sets "ref" to special value "-")'
|
|
type: boolean
|
|
required: false
|
|
default: false
|
|
stream:
|
|
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
|
|
type: string
|
|
required: true
|
|
ref:
|
|
type: string
|
|
description: "Git ref to checkout"
|
|
required: false
|
|
|
|
jobs:
|
|
build-settings:
|
|
name: "Determine build settings"
|
|
runs-on: ubuntu-22.04
|
|
outputs:
|
|
ref: ${{ steps.ref.outputs.ref }}
|
|
stream: ${{ steps.stream.outputs.stream }}
|
|
imageType: ${{ steps.image-type.outputs.imageType }}
|
|
imageVersion: ${{ steps.image-version.outputs.imageVersion }}
|
|
imageName: ${{ steps.image-version.outputs.imageName }}
|
|
imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
|
|
imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
|
|
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Determine version
|
|
id: version
|
|
uses: ./.github/actions/pseudo_version
|
|
|
|
- name: Determine ref
|
|
id: ref
|
|
run: |
|
|
if [[ "${{ inputs.isRelease }}" = "true" ]]; then
|
|
echo "ref=-" | tee -a "$GITHUB_OUTPUT"
|
|
else
|
|
echo "ref=${{ steps.version.outputs.branchName }}" | tee -a "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Determine and validate stream
|
|
id: stream
|
|
run: |
|
|
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then
|
|
echo "Nightly builds are not allowed for releases"
|
|
exit 1
|
|
fi
|
|
if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then
|
|
echo "Stable builds are only allowed for releases"
|
|
exit 1
|
|
fi
|
|
|
|
echo "stream=${{ inputs.stream }}" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
- name: Determine type of image build
|
|
shell: bash
|
|
id: image-type
|
|
run: |
|
|
case "${{ steps.stream.outputs.stream }}" in
|
|
"debug")
|
|
echo "imageType=debug" | tee -a "$GITHUB_OUTPUT"
|
|
;;
|
|
"console")
|
|
echo "imageType=console" | tee -a "$GITHUB_OUTPUT"
|
|
;;
|
|
*)
|
|
echo "imageType=default" | tee -a "$GITHUB_OUTPUT"
|
|
;;
|
|
esac
|
|
|
|
- name: Determine image version
|
|
id: image-version
|
|
shell: bash
|
|
env:
|
|
REF: ${{ steps.ref.outputs.ref }}
|
|
STREAM: ${{ steps.stream.outputs.stream }}
|
|
IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
|
|
run: |
|
|
{
|
|
echo "imageVersion=${IMAGE_VERSION}"
|
|
echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
|
|
echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
|
|
echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
|
|
} | tee -a "$GITHUB_OUTPUT"
|
|
|
|
if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
|
|
echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
|
|
elif [[ "${REF}" = "-" ]]; then
|
|
echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
|
|
else
|
|
echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
make-os-image:
|
|
name: "Build OS using mkosi"
|
|
needs: [build-settings]
|
|
runs-on: ubuntu-latest-8-cores
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- csp: aws
|
|
attestation_variant: aws-nitro-tpm
|
|
- csp: aws
|
|
attestation_variant: aws-sev-snp
|
|
- csp: azure
|
|
attestation_variant: azure-sev-snp
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-es
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-snp
|
|
- csp: qemu
|
|
attestation_variant: qemu-vtpm
|
|
- csp: openstack
|
|
attestation_variant: qemu-vtpm
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Build
|
|
id: build
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
|
|
run: |
|
|
echo "::group::Build"
|
|
bazel build //image/base:rpmdb
|
|
bazel build "${TARGET}"
|
|
{
|
|
echo "image-dir=$(bazel cquery --output=files "$TARGET")"
|
|
echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
|
|
} | tee -a "$GITHUB_OUTPUT"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload raw OS image as artifact
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
with:
|
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
|
|
|
|
- name: Upload individual OS parts as artifacts
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
with:
|
|
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
path: |
|
|
${{ steps.build.outputs.image-dir }}/constellation.efi
|
|
${{ steps.build.outputs.image-dir }}/constellation.initrd
|
|
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
|
|
|
|
- name: Upload sbom info as artifact
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
path: ${{ steps.build.outputs.rpmdb }}
|
|
|
|
upload-os-image:
|
|
name: "Upload OS image to CSP"
|
|
needs: [build-settings, make-os-image]
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- csp: aws
|
|
attestation_variant: aws-nitro-tpm
|
|
- csp: aws
|
|
attestation_variant: aws-sev-snp
|
|
- csp: azure
|
|
attestation_variant: azure-sev-snp
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-es
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-snp
|
|
- csp: qemu
|
|
attestation_variant: qemu-vtpm
|
|
- csp: openstack
|
|
attestation_variant: qemu-vtpm
|
|
env:
|
|
RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/constellation.raw
|
|
JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json
|
|
AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd
|
|
GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz
|
|
SHORTNAME: ${{ needs.build-settings.outputs.imageNameShort }}
|
|
ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Download OS image artifact
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
|
|
|
|
- name: Install tools
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Install tools"
|
|
sudo apt-get update
|
|
sudo apt-get install -y \
|
|
pigz \
|
|
qemu-utils \
|
|
python3-pip
|
|
echo "::endgroup::"
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Login to Azure
|
|
if: matrix.csp == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
|
|
|
|
- name: Login to GCP
|
|
if: matrix.csp == 'gcp'
|
|
uses: ./.github/actions/login_gcp
|
|
with:
|
|
service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"
|
|
|
|
- name: Upload AWS image
|
|
if: matrix.csp == 'aws'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload AWS image"
|
|
bazel run //image/upload -- image aws \
|
|
--verbose \
|
|
--raw-image "${RAW_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload GCP image
|
|
if: matrix.csp == 'gcp'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload GCP image"
|
|
upload/pack.sh gcp "${RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
|
|
bazel run //image/upload -- image gcp \
|
|
--verbose \
|
|
--raw-image "${GCP_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload Azure image
|
|
if: matrix.csp == 'azure'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload Azure image"
|
|
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
|
bazel run //image/upload -- image azure \
|
|
--verbose \
|
|
--raw-image "${AZURE_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded Azure image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload OpenStack image
|
|
if: matrix.csp == 'openstack'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload OpenStack image"
|
|
bazel run //image/upload -- image openstack \
|
|
--verbose \
|
|
--raw-image "${RAW_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload QEMU image
|
|
if: matrix.csp == 'qemu'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload QEMU image"
|
|
bazel run //image/upload -- image qemu \
|
|
--verbose \
|
|
--raw-image "${RAW_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload image lookup table as artifact
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
with:
|
|
name: lookup-table
|
|
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
|
|
|
|
calculate-pcrs:
|
|
name: "Calculate PCRs"
|
|
needs: [build-settings, make-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- csp: aws
|
|
attestation_variant: aws-nitro-tpm
|
|
- csp: aws
|
|
attestation_variant: aws-sev-snp
|
|
- csp: azure
|
|
attestation_variant: azure-sev-snp
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-es
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-snp
|
|
- csp: qemu
|
|
attestation_variant: qemu-vtpm
|
|
- csp: openstack
|
|
attestation_variant: qemu-vtpm
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Download OS image artifact
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
echo "::group::Install dependencies"
|
|
sudo apt-get update
|
|
sudo apt-get install -y systemd-container # for systemd-dissect
|
|
echo "::endgroup::"
|
|
|
|
- name: Calculate expected PCRs
|
|
working-directory: ${{ github.workspace }}/image/measured-boot
|
|
run: |
|
|
echo "::group::Calculate expected PCRs"
|
|
bazel run --run_under="sudo -E" //image/measured-boot/cmd ${{ github.workspace }}/constellation.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Add static PCRs
|
|
run: |
|
|
case ${{ matrix.csp }} in
|
|
aws)
|
|
yq e '.csp = "AWS" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.0.warnOnly = true |
|
|
.measurements.0.expected = "737f767a12f54e70eecbc8684011323ae2fe2dd9f90785577969d7a2013e8c12" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.6.warnOnly = true |
|
|
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
azure)
|
|
yq e '.csp = "Azure" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.1.warnOnly = true |
|
|
.measurements.1.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
gcp)
|
|
yq e '.csp = "GCP" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.1.warnOnly = true |
|
|
.measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.6.warnOnly = true |
|
|
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
openstack)
|
|
yq e '.csp = "OpenStack" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
qemu)
|
|
yq e '.csp = "QEMU" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
*)
|
|
echo "Unknown CSP: ${{ matrix.csp }}"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
# TODO (malt3): Calculate PCR from firmware blob.
|
|
# AWS SNP machines have a different expected value for PCR 0.
|
|
if [[ ${{ matrix.attestation_variant }} = "aws-sev-snp" ]]
|
|
then
|
|
yq e '.csp = "AWS" |
|
|
.measurements.0.expected = "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
fi
|
|
|
|
- name: Envelope measurements
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Envelope measurements"
|
|
bazel run //image/upload -- measurements envelope \
|
|
--in "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
|
|
--out "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
|
|
--version "${{ needs.build-settings.outputs.imageNameShort }}" \
|
|
--csp "${{ matrix.csp }}" \
|
|
--attestation-variant "${{ matrix.attestation_variant }}"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload expected measurements as artifact
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
with:
|
|
name: measurements
|
|
path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
|
|
|
|
upload-pcrs:
|
|
name: "Sign & upload PCRs"
|
|
needs: [build-settings, calculate-pcrs]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Download measurements
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: measurements
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
|
|
|
|
- name: Install Rekor
|
|
shell: bash
|
|
run: |
|
|
curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
|
|
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
|
|
rm rekor-cli-linux-amd64
|
|
|
|
- name: Merge measurements
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Merge measurements"
|
|
bazel run //image/upload -- measurements merge \
|
|
--out measurements.json \
|
|
pcrs-*.json
|
|
echo "::endgroup::"
|
|
|
|
- name: Sign measurements
|
|
if: inputs.stream != 'debug'
|
|
shell: bash
|
|
env:
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
|
COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
|
run: |
|
|
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
|
|
# Enabling experimental mode also publishes signature to Rekor
|
|
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY \
|
|
"${{ github.workspace }}/measurements.json" > "${{ github.workspace }}/measurements.json.sig"
|
|
# Verify - As documentation & check
|
|
# Local Signature (input: artifact, key, signature)
|
|
cosign verify-blob --key cosign.pub \
|
|
--signature "measurements.json.sig" \
|
|
"measurements.json"
|
|
# Transparency Log Signature (input: artifact, key)
|
|
uuid=$(rekor-cli search --artifact "${{ github.workspace }}/measurements.json" | tail -n 1)
|
|
sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
|
|
cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/measurements.json"
|
|
|
|
- name: Create stub signature file
|
|
if: inputs.stream == 'debug'
|
|
shell: bash
|
|
run: |
|
|
echo "THOSE MEASUREMENTS BELONG TO A DEBUG IMAGE. THOSE ARE NOT SINGED BY ANY KEY." > "${{ github.workspace }}/measurements.json.sig"
|
|
|
|
- name: Upload measurements
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Upload measurements"
|
|
bazel run //image/upload -- measurements upload \
|
|
--measurements measurements.json \
|
|
--signature measurements.json.sig
|
|
echo "::endgroup::"
|
|
|
|
upload-sbom:
|
|
name: "Upload SBOM"
|
|
needs: [build-settings, make-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Download sbom
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
# downloading / using only the QEMU manifest is fine
|
|
# since the images only differ in the ESP partition
|
|
name: sbom-qemu-qemu-vtpm
|
|
|
|
- name: Upload SBOMs to S3
|
|
shell: bash
|
|
run: |
|
|
aws s3 cp \
|
|
rpmdb.tar \
|
|
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
|
|
--no-progress
|
|
|
|
upload-artifacts:
|
|
name: "Upload image lookup table and CLI compatibility info"
|
|
runs-on: ubuntu-22.04
|
|
needs: [build-settings, upload-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Download image lookup table
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
|
|
with:
|
|
name: lookup-table
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Upload lookup table to S3
|
|
shell: bash
|
|
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Create CLI compatibility information artifact
|
|
shell: bash
|
|
run: |
|
|
bazel run //hack/cli-k8s-compatibility -- \
|
|
--ref=${{ needs.build-settings.outputs.ref }} \
|
|
--stream=${{ needs.build-settings.outputs.stream }} \
|
|
--version=${{ needs.build-settings.outputs.imageVersion }} \
|
|
|
|
add-image-version-to-versionsapi:
|
|
needs: [upload-artifacts, upload-pcrs, build-settings]
|
|
name: "Add image version to versionsapi"
|
|
if: needs.build-settings.outputs.ref != '-'
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
uses: ./.github/workflows/versionsapi.yml
|
|
with:
|
|
command: add
|
|
ref: ${{ needs.build-settings.outputs.ref }}
|
|
stream: ${{ needs.build-settings.outputs.stream }}
|
|
version: ${{ needs.build-settings.outputs.imageVersion }}
|
|
kind: "image"
|
|
add_latest: true
|
|
|
|
add-cli-version-to-versionsapi:
|
|
needs: [upload-artifacts, build-settings, add-image-version-to-versionsapi]
|
|
name: "Add CLI version to versionsapi"
|
|
if: needs.build-settings.outputs.ref != '-'
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
uses: ./.github/workflows/versionsapi.yml
|
|
with:
|
|
command: add
|
|
ref: ${{ needs.build-settings.outputs.ref }}
|
|
stream: ${{ needs.build-settings.outputs.stream }}
|
|
version: ${{ needs.build-settings.outputs.imageVersion }}
|
|
kind: "cli"
|
|
add_latest: true
|