mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
c3c0940adb
* bazel: add configuration for remote caching * ci: enable bazel remote caching for building binaries * ci: use bazel directly when building go binaries * ci: enable cache for most build steps * dev-docs: document remote caching
1016 lines
47 KiB
YAML
1016 lines
47 KiB
YAML
name: Build and Upload OS image
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
imageVersion:
|
|
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
|
|
required: false
|
|
isRelease:
|
|
description: 'Is this a release? (sets "ref" to special value "-")'
|
|
type: boolean
|
|
required: false
|
|
default: false
|
|
stream:
|
|
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
|
|
type: choice
|
|
required: true
|
|
options:
|
|
- "debug"
|
|
- "console"
|
|
- "nightly"
|
|
- "stable"
|
|
ref:
|
|
type: string
|
|
description: "Git ref to checkout"
|
|
required: false
|
|
workflow_call:
|
|
inputs:
|
|
imageVersion:
|
|
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
|
|
required: false
|
|
type: string
|
|
isRelease:
|
|
description: 'Is this a release? (sets "ref" to special value "-")'
|
|
type: boolean
|
|
required: false
|
|
default: false
|
|
stream:
|
|
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
|
|
type: string
|
|
required: true
|
|
ref:
|
|
type: string
|
|
description: "Git ref to checkout"
|
|
required: false
|
|
|
|
jobs:
|
|
build-dependencies:
|
|
name: "Build binaries for embedding in the OS"
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
contents: read
|
|
packages: read
|
|
outputs:
|
|
bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }}
|
|
disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }}
|
|
upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }}
|
|
measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Setup Go environment
|
|
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
|
|
with:
|
|
go-version: "1.20.2"
|
|
cache: true
|
|
|
|
- name: Setup bazel
|
|
uses: ./.github/actions/setup_bazel
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Build bootstrapper
|
|
if: inputs.stream != 'debug'
|
|
uses: ./.github/actions/build_bootstrapper
|
|
with:
|
|
outputPath: ${{ github.workspace }}/build/bootstrapper
|
|
|
|
- name: Build debugd
|
|
if: inputs.stream == 'debug'
|
|
uses: ./.github/actions/build_debugd
|
|
with:
|
|
outputPath: ${{ github.workspace }}/build/debugd
|
|
|
|
- name: Build disk-mapper
|
|
uses: ./.github/actions/build_disk_mapper
|
|
with:
|
|
outputPath: ${{ github.workspace }}/build/disk-mapper
|
|
|
|
- name: Build upgrade-agent
|
|
uses: ./.github/actions/build_upgrade_agent
|
|
with:
|
|
outputPath: ${{ github.workspace }}/build/upgrade-agent
|
|
|
|
- name: Build measurement-reader
|
|
uses: ./.github/actions/build_measurement_reader
|
|
with:
|
|
outputPath: ${{ github.workspace }}/build/measurement-reader
|
|
|
|
- name: Upload dependencies
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
env:
|
|
MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }}
|
|
with:
|
|
name: dependencies
|
|
path: |
|
|
${{ github.workspace }}/build/${{ env.MAIN_BINARY }}
|
|
${{ github.workspace }}/build/disk-mapper
|
|
${{ github.workspace }}/build/upgrade-agent
|
|
${{ github.workspace }}/build/measurement-reader
|
|
|
|
- name: Collect hashes
|
|
id: collect-hashes
|
|
working-directory: ${{ github.workspace }}/build
|
|
run: |
|
|
{
|
|
echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)"
|
|
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)"
|
|
echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)"
|
|
echo "measurement-reader-sha256=$(sha256sum measurement-reader | head -c 64)"
|
|
} | tee "$GITHUB_OUTPUT"
|
|
|
|
build-settings:
|
|
name: "Determine build settings"
|
|
runs-on: ubuntu-22.04
|
|
outputs:
|
|
ref: ${{ steps.ref.outputs.ref }}
|
|
stream: ${{ steps.stream.outputs.stream }}
|
|
imageType: ${{ steps.image-type.outputs.imageType }}
|
|
pkiSet: ${{ steps.pki-set.outputs.pkiSet }}
|
|
imageVersion: ${{ steps.image-version.outputs.imageVersion }}
|
|
imageName: ${{ steps.image-version.outputs.imageName }}
|
|
imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
|
|
imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
|
|
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Determine version
|
|
id: version
|
|
uses: ./.github/actions/pseudo_version
|
|
|
|
- name: Determine ref
|
|
id: ref
|
|
run: |
|
|
if [[ "${{ inputs.isRelease }}" = "true" ]]; then
|
|
echo "ref=-" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "ref=${{ steps.version.outputs.branchName }}" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Determine and validate stream
|
|
id: stream
|
|
run: |
|
|
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then
|
|
echo "Nightly builds are not allowed for releases"
|
|
exit 1
|
|
fi
|
|
if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then
|
|
echo "Stable builds are only allowed for releases"
|
|
exit 1
|
|
fi
|
|
|
|
echo "stream=${{ inputs.stream }}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Determine type of image build
|
|
shell: bash
|
|
id: image-type
|
|
run: |
|
|
case "${{ steps.stream.outputs.stream }}" in
|
|
"debug")
|
|
echo "imageType=debug" >> "$GITHUB_OUTPUT"
|
|
;;
|
|
"console")
|
|
echo "imageType=console" >> "$GITHUB_OUTPUT"
|
|
;;
|
|
*)
|
|
echo "imageType=default" >> "$GITHUB_OUTPUT"
|
|
;;
|
|
esac
|
|
|
|
- name: Determine PKI set
|
|
id: pki-set
|
|
shell: bash
|
|
run: |
|
|
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ steps.stream.outputs.stream }}" == "stable" ]]; then
|
|
echo "pkiSet=pki_prod" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "pkiSet=pki_testing" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Determine image version
|
|
id: image-version
|
|
shell: bash
|
|
env:
|
|
REF: ${{ steps.ref.outputs.ref }}
|
|
STREAM: ${{ steps.stream.outputs.stream }}
|
|
IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
|
|
run: |
|
|
{
|
|
echo "imageVersion=${IMAGE_VERSION}"
|
|
echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
|
|
echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
|
|
echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
|
|
} | tee "$GITHUB_OUTPUT"
|
|
|
|
if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
|
|
echo "imageNameShort=${IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
|
|
elif [[ "${REF}" = "-" ]]; then
|
|
echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
make-os-image:
|
|
name: "Build OS using mkosi"
|
|
needs: [build-settings, build-dependencies]
|
|
runs-on: ubuntu-22.04
|
|
# TODO: flatten outputs once possible
|
|
# https://github.com/community/community/discussions/17245
|
|
outputs:
|
|
image-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-sha256 }}
|
|
image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }}
|
|
image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }}
|
|
image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }}
|
|
image-efi-aws-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-sha256 }}
|
|
image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }}
|
|
image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }}
|
|
image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }}
|
|
image-initrd-aws-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-sha256 }}
|
|
image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }}
|
|
image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }}
|
|
image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }}
|
|
image-root-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-sha256 }}
|
|
image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }}
|
|
image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }}
|
|
image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }}
|
|
image-root-verity-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-sha256 }}
|
|
image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }}
|
|
image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }}
|
|
image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }}
|
|
image-vmlinuz-aws-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-sha256 }}
|
|
image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }}
|
|
image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }}
|
|
image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }}
|
|
image-raw-changelog-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-sha256 }}
|
|
image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }}
|
|
image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }}
|
|
image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }}
|
|
image-raw-manifest-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-sha256 }}
|
|
image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }}
|
|
image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }}
|
|
image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
csp: [aws, azure, gcp, openstack, qemu]
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Download build dependencies
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: dependencies
|
|
path: ${{ github.workspace }}/build
|
|
|
|
- name: Mark bootstrapper, debugd, disk-mapper, measurement-reader, and upgrade-agent as executable
|
|
run: |
|
|
chmod +x ${{ github.workspace }}/build/bootstrapper || true
|
|
chmod +x ${{ github.workspace }}/build/debugd || true
|
|
chmod +x ${{ github.workspace }}/build/disk-mapper
|
|
chmod +x ${{ github.workspace }}/build/upgrade-agent
|
|
chmod +x ${{ github.workspace }}/build/measurement-reader
|
|
|
|
- name: Setup mkosi
|
|
uses: ./.github/actions/setup_mkosi
|
|
with:
|
|
version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3
|
|
|
|
- name: Prepare PKI for secure boot signing
|
|
id: prepare-pki
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
|
|
DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
|
|
run: |
|
|
echo "${DB_KEY}" > "${PKI_SET}/db.key"
|
|
ln -s "${PKI_SET}" pki
|
|
|
|
- name: Build
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
|
|
DEBUGD_BINARY: ${{ github.workspace }}/build/bootstrapper
|
|
DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
|
|
UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent
|
|
MEASUREMENT_READER_BINARY: ${{ github.workspace }}/build/measurement-reader
|
|
DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }}
|
|
AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }}
|
|
IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
|
|
CSP: ${{ matrix.csp }}
|
|
run: |
|
|
echo "::group::Build"
|
|
sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}"
|
|
echo "::endgroup::"
|
|
|
|
- name: Collect hashes
|
|
id: collect-hashes
|
|
continue-on-error: true
|
|
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37
|
|
run: |
|
|
{
|
|
echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)"
|
|
echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)"
|
|
echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)"
|
|
echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)"
|
|
echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)"
|
|
echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)"
|
|
echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)"
|
|
echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)"
|
|
} | tee "$GITHUB_OUTPUT"
|
|
|
|
- name: Upload raw OS image as artifact
|
|
if: always()
|
|
continue-on-error: true
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: image-${{ matrix.csp }}
|
|
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw
|
|
|
|
- name: Upload individual OS parts as artifacts
|
|
if: always()
|
|
continue-on-error: true
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: parts-${{ matrix.csp }}
|
|
path: |
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.cmdline
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.efi
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.initrd
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.raw
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.roothash
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.verity
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz
|
|
|
|
- name: Upload manifest as artifact
|
|
if: always()
|
|
continue-on-error: true
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: manifest-${{ matrix.csp }}
|
|
path: |
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.changelog
|
|
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.manifest
|
|
|
|
upload-os-image:
|
|
name: "Upload OS image to CSP"
|
|
needs: [build-settings, make-os-image]
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
csp: [aws, azure, gcp, openstack, qemu]
|
|
upload-variant: [""]
|
|
# include:
|
|
# - csp: azure
|
|
# upload-variant: TrustedLaunch
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Download OS image artifact
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: image-${{ matrix.csp }}
|
|
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37
|
|
|
|
- name: Configure input variables
|
|
id: vars
|
|
uses: ./.github/actions/os_build_variables
|
|
with:
|
|
csp: ${{ matrix.csp }}
|
|
uploadVariant: ${{ matrix.upload-variant }}
|
|
basePath: ${{ github.workspace }}/image
|
|
ref: ${{ needs.build-settings.outputs.ref }}
|
|
stream: ${{ needs.build-settings.outputs.stream }}
|
|
imageVersion: ${{ needs.build-settings.outputs.imageVersion }}
|
|
imageType: ${{ needs.build-settings.outputs.imageType }}
|
|
debug: ${{ needs.build-settings.outputs.imageType == 'debug' }}
|
|
|
|
- name: Install tools
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Install tools"
|
|
sudo apt-get update
|
|
sudo apt-get install -y \
|
|
pigz \
|
|
qemu-utils \
|
|
python3-pip
|
|
pip install google_crc32c
|
|
echo "::endgroup::"
|
|
|
|
- name: Login to AWS
|
|
# on AWS, login is required to upload the image as AMI
|
|
# on Azure, login is done to download the VMGS from S3
|
|
# on QEMU, login is done to upload the image to S3
|
|
if: matrix.csp == 'aws' || matrix.csp == 'azure' || matrix.csp == 'openstack' || matrix.csp == 'qemu'
|
|
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Login to Azure
|
|
if: matrix.csp == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
|
|
|
|
- name: Login to GCP
|
|
if: matrix.csp == 'gcp'
|
|
uses: ./.github/actions/login_gcp
|
|
with:
|
|
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
|
|
|
|
- name: Prepare PKI for image upload
|
|
id: prepare-pki
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
|
|
|
|
- name: Download VMGS blob
|
|
if: matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported')
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
|
|
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
|
|
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
|
|
run: |
|
|
aws s3 cp \
|
|
--region "${AZURE_VMGS_REGION}" \
|
|
"s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
|
|
"${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
|
|
--no-progress
|
|
|
|
- name: Upload AWS image
|
|
if: matrix.csp == 'aws'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
PKI: ${{ github.workspace }}/image/pki
|
|
AWS_JSON_OUTPUT: ${{ steps.vars.outputs.awsJsonOutput }}
|
|
AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }}
|
|
AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }}
|
|
AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }}
|
|
AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }}
|
|
AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }}
|
|
AWS_REGION: ${{ steps.vars.outputs.awsRegion }}
|
|
AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }}
|
|
AWS_PUBLISH: ${{ steps.vars.outputs.awsPublish }}
|
|
run: |
|
|
echo "::group::Upload AWS image"
|
|
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
|
|
upload/upload_aws.sh
|
|
echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${AWS_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload GCP image
|
|
if: matrix.csp == 'gcp'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
PKI: ${{ github.workspace }}/image/pki
|
|
GCP_JSON_OUTPUT: ${{ steps.vars.outputs.gcpJsonOutput }}
|
|
GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }}
|
|
GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }}
|
|
GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }}
|
|
GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }}
|
|
GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }}
|
|
GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }}
|
|
GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }}
|
|
GCP_REGION: ${{ steps.vars.outputs.gcpRegion }}
|
|
run: |
|
|
echo "::group::Upload GCP image"
|
|
upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
|
|
upload/upload_gcp.sh
|
|
echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${GCP_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload Azure image
|
|
if: matrix.csp == 'azure'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
PKI: ${{ github.workspace }}/image/pki
|
|
AZURE_JSON_OUTPUT: ${{ steps.vars.outputs.azureJsonOutput }}
|
|
AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }}
|
|
AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }}
|
|
AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }}
|
|
AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }}
|
|
AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }}
|
|
AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }}
|
|
AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }}
|
|
AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }}
|
|
AZURE_REGION: ${{ steps.vars.outputs.azureRegion }}
|
|
AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }}
|
|
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
|
|
AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }}
|
|
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
|
|
AZURE_SKU: ${{ steps.vars.outputs.azureSku }}
|
|
AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }}
|
|
run: |
|
|
echo "::group::Upload Azure image"
|
|
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
|
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
|
|
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \n\n\`\`\`\n$(jq < "${AZURE_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload OpenStack image
|
|
if: matrix.csp == 'openstack'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
OPENSTACK_JSON_OUTPUT: ${{ steps.vars.outputs.openStackJsonOutput }}
|
|
OPENSTACK_BUCKET: ${{ steps.vars.outputs.openStackBucket }}
|
|
OPENSTACK_BASE_URL: ${{ steps.vars.outputs.openStackBaseUrl }}
|
|
OPENSTACK_IMAGE_PATH: ${{ steps.vars.outputs.openStackImagePath }}
|
|
REF: ${{needs.build-settings.outputs.ref }}
|
|
STREAM: ${{needs.build-settings.outputs.stream }}
|
|
IMAGE_VERSION: ${{needs.build-settings.outputs.imageVersion }}
|
|
run: |
|
|
echo "::group::Upload OpenStack image"
|
|
upload/upload_openstack.sh
|
|
echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${OPENSTACK_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload QEMU image
|
|
if: matrix.csp == 'qemu'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
QEMU_JSON_OUTPUT: ${{ steps.vars.outputs.qemuJsonOutput }}
|
|
QEMU_BUCKET: ${{ steps.vars.outputs.qemuBucket }}
|
|
QEMU_BASE_URL: ${{ steps.vars.outputs.qemuBaseUrl }}
|
|
QEMU_IMAGE_PATH: ${{ steps.vars.outputs.qemuImagePath }}
|
|
REF: ${{needs.build-settings.outputs.ref }}
|
|
STREAM: ${{needs.build-settings.outputs.stream }}
|
|
IMAGE_VERSION: ${{needs.build-settings.outputs.imageVersion }}
|
|
run: |
|
|
echo "::group::Upload QEMU image"
|
|
upload/upload_qemu.sh
|
|
echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${QEMU_JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload image lookup table as artifact
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: lookup-table
|
|
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
|
|
|
|
calculate-pcrs:
|
|
name: "Calculate PCRs"
|
|
needs: [build-settings, make-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
csp: [aws, azure, gcp, openstack, qemu]
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Download OS image artifact
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: image-${{ matrix.csp }}
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
echo "::group::Install dependencies"
|
|
python -m pip install --user --require-hashes -r .github/workflows/build-os-image-requirements.txt
|
|
sudo apt-get update
|
|
sudo apt-get install -y systemd-container # for systemd-dissect
|
|
echo "::endgroup::"
|
|
|
|
- name: Calculate expected PCRs
|
|
working-directory: ${{ github.workspace }}/image/measured-boot
|
|
run: |
|
|
echo "::group::Calculate expected PCRs"
|
|
{
|
|
./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json
|
|
./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json
|
|
./precalculate_pcr_12.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-12-${{ matrix.csp }}.json ${{ matrix.csp }}
|
|
} >> "$GITHUB_STEP_SUMMARY"
|
|
cp pcr-stable.json ${{ github.workspace }}/
|
|
jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json
|
|
echo "::endgroup::"
|
|
|
|
- name: Add static PCRs
|
|
run: |
|
|
case ${{ matrix.csp }} in
|
|
aws)
|
|
yq e '.csp = "AWS" |
|
|
.image = "${{ needs.build-settings.outputs.imageNameShort }}" |
|
|
.measurements.0.warnOnly = true |
|
|
.measurements.0.expected = "737f767a12f54e70eecbc8684011323ae2fe2dd9f90785577969d7a2013e8c12" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.5.warnOnly = true |
|
|
.measurements.5.expected = "73d13bf0a9dc9a201a337150a0a4adb06e6b2206eefaeb4fbb0fe5dac6202fd3" |
|
|
.measurements.6.warnOnly = true |
|
|
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.7.warnOnly = true |
|
|
.measurements.7.expected = "120e498db2a224bd512b6efc9b0234f843e10bf061eb7a76ecca5509a2238901" |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json"
|
|
;;
|
|
azure)
|
|
yq e '.csp = "Azure" |
|
|
.image = "${{ needs.build-settings.outputs.imageNameShort }}" |
|
|
.measurements.1.warnOnly = true |
|
|
.measurements.1.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.5.warnOnly = true |
|
|
.measurements.5.expected = "b731e1a1c70e65e43a4ed54d668b7e585163d9c42f1ed4096174451ff0ba62f2" |
|
|
.measurements.7.warnOnly = true |
|
|
.measurements.7.expected = "346547a8ce5957af27e552427d6b9e6d9cb502f0156e9155380451eea1b3f0ed" |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json"
|
|
;;
|
|
gcp)
|
|
yq e '.csp = "GCP" |
|
|
.image = "${{ needs.build-settings.outputs.imageNameShort }}" |
|
|
.measurements.1.warnOnly = true |
|
|
.measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.5.warnOnly = true |
|
|
.measurements.5.expected = "9d5f8c2e0464c69552e593be32a4b089f7e77f4ed12d60cdcd94120b6ccaccf8" |
|
|
.measurements.6.warnOnly = true |
|
|
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.7.warnOnly = true |
|
|
.measurements.7.expected = "b1e9b305325c51b93da58cbf7f92512d8eebfa01143e4d8844e40e062e9b6cd5" |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json"
|
|
;;
|
|
openstack)
|
|
yq e '.csp = "OpenStack" |
|
|
.image = "${{ needs.build-settings.outputs.imageNameShort }}" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json"
|
|
;;
|
|
qemu)
|
|
yq e '.csp = "QEMU" |
|
|
.image = "${{ needs.build-settings.outputs.imageNameShort }}" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json"
|
|
;;
|
|
*)
|
|
echo "Unknown CSP: ${{ matrix.csp }}"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
- name: Upload expected PCRs as artifact
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: pcrs
|
|
path: pcrs-${{ matrix.csp }}.json
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
|
|
|
|
- name: Install Rekor
|
|
shell: bash
|
|
run: |
|
|
curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
|
|
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
|
|
rm rekor-cli-linux-amd64
|
|
|
|
- name: Sign measurements
|
|
shell: bash
|
|
env:
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
|
COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
|
run: |
|
|
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
|
|
# Enabling experimental mode also publishes signature to Rekor
|
|
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY \
|
|
"${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" > "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json.sig"
|
|
# Verify - As documentation & check
|
|
# Local Signature (input: artifact, key, signature)
|
|
cosign verify-blob --key cosign.pub \
|
|
--signature "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json.sig" \
|
|
"${{ github.workspace }}/pcrs-${{ matrix.csp }}.json"
|
|
# Transparency Log Signature (input: artifact, key)
|
|
uuid=$(rekor-cli search --artifact "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json" | tail -n 1)
|
|
sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
|
|
cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/pcrs-${{ matrix.csp }}.json"
|
|
|
|
- name: Upload signature of expected PCRs as artifact
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: pcrs-sig
|
|
path: pcrs-${{ matrix.csp }}.json.sig
|
|
|
|
- name: Upload expected PCRs to S3
|
|
shell: bash
|
|
run: |
|
|
aws s3 cp \
|
|
"pcrs-${{ matrix.csp }}.json" \
|
|
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/csp/${{ matrix.csp }}/measurements.json" \
|
|
--no-progress
|
|
aws s3 cp \
|
|
"pcrs-${{ matrix.csp }}.json.sig" \
|
|
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/csp/${{ matrix.csp }}/measurements.json.sig" \
|
|
--no-progress
|
|
|
|
generate-sbom:
|
|
name: "Generate SBOM"
|
|
needs: [build-settings, build-dependencies, make-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Install squashfs tools
|
|
run: |
|
|
echo "::group::Install squashfs tools"
|
|
sudo apt-get update
|
|
sudo apt-get install -y squashfs-tools
|
|
echo "::endgroup::"
|
|
|
|
- name: Download rootfs
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
# downloading / using only the QEMU rootfs is fine
|
|
# since the images only differ in the ESP partition
|
|
name: parts-qemu
|
|
|
|
- name: Download manifest
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
# downloading / using only the QEMU manifest is fine
|
|
# since the images only differ in the ESP partition
|
|
name: manifest-qemu
|
|
|
|
- name: Unpack squashfs
|
|
run: |
|
|
echo "::group::Unpack squashfs"
|
|
unsquashfs -user-xattrs -d image.root.tree image.root.raw
|
|
echo "::endgroup::"
|
|
|
|
- name: Create SBOM in SPDX fromat
|
|
uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
|
|
with:
|
|
path: image.root.tree
|
|
artifact-name: sbom.spdx.json
|
|
output-file: sbom.spdx.json
|
|
format: spdx-json
|
|
|
|
- name: Create SBOM in CycloneDX fromat
|
|
uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
|
|
with:
|
|
path: image.root.tree
|
|
artifact-name: sbom.cyclonedx.json
|
|
output-file: sbom.cyclonedx.json
|
|
format: cyclonedx-json
|
|
|
|
- name: Create SBOM in Syft fromat
|
|
uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
|
|
with:
|
|
path: image.root.tree
|
|
artifact-name: sbom.syft.json
|
|
output-file: sbom.syft.json
|
|
format: syft-json
|
|
|
|
- name: Combine hashes
|
|
run: |
|
|
cat > SHA256SUMS <<EOF
|
|
${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
|
|
${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
|
|
${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent
|
|
${{ needs.build-dependencies.outputs.measurement-reader-sha256 }} measurement-reader
|
|
${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw
|
|
${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.raw.changelog
|
|
${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.raw.manifest
|
|
${{ needs.make-os-image.outputs.image-efi-aws-sha256 }} aws/image.efi
|
|
${{ needs.make-os-image.outputs.image-initrd-aws-sha256 }} aws/image.initrd
|
|
${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root.raw
|
|
${{ needs.make-os-image.outputs.image-root-verity-aws-sha256 }} aws/image.root.verity
|
|
${{ needs.make-os-image.outputs.image-vmlinuz-aws-sha256 }} aws/image.vmlinuz
|
|
${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
|
|
${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog
|
|
${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest
|
|
${{ needs.make-os-image.outputs.image-efi-azure-sha256 }} azure/image.efi
|
|
${{ needs.make-os-image.outputs.image-initrd-azure-sha256 }} azure/image.initrd
|
|
${{ needs.make-os-image.outputs.image-root-raw-azure-sha256 }} azure/image.root.raw
|
|
${{ needs.make-os-image.outputs.image-root-verity-azure-sha256 }} azure/image.root.verity
|
|
${{ needs.make-os-image.outputs.image-vmlinuz-azure-sha256 }} azure/image.vmlinuz
|
|
${{ needs.make-os-image.outputs.image-raw-gcp-sha256 }} gcp/image.raw
|
|
${{ needs.make-os-image.outputs.image-raw-changelog-gcp-sha256 }} gcp/image.raw.changelog
|
|
${{ needs.make-os-image.outputs.image-raw-manifest-gcp-sha256 }} gcp/image.raw.manifest
|
|
${{ needs.make-os-image.outputs.image-efi-gcp-sha256 }} gcp/image.efi
|
|
${{ needs.make-os-image.outputs.image-initrd-gcp-sha256 }} gcp/image.initrd
|
|
${{ needs.make-os-image.outputs.image-root-raw-gcp-sha256 }} gcp/image.root.raw
|
|
${{ needs.make-os-image.outputs.image-root-verity-gcp-sha256 }} gcp/image.root.verity
|
|
${{ needs.make-os-image.outputs.image-vmlinuz-gcp-sha256 }} gcp/image.vmlinuz
|
|
${{ needs.make-os-image.outputs.image-raw-qemu-sha256 }} qemu/image.raw
|
|
${{ needs.make-os-image.outputs.image-raw-changelog-qemu-sha256 }} qemu/image.raw.changelog
|
|
${{ needs.make-os-image.outputs.image-raw-manifest-qemu-sha256 }} qemu/image.raw.manifest
|
|
${{ needs.make-os-image.outputs.image-efi-qemu-sha256 }} qemu/image.efi
|
|
${{ needs.make-os-image.outputs.image-initrd-qemu-sha256 }} qemu/image.initrd
|
|
${{ needs.make-os-image.outputs.image-root-raw-qemu-sha256 }} qemu/image.root.raw
|
|
${{ needs.make-os-image.outputs.image-root-verity-qemu-sha256 }} qemu/image.root.verity
|
|
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz
|
|
EOF
|
|
cat SHA256SUMS
|
|
echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> "$GITHUB_STEP_SUMMARY"
|
|
|
|
- name: Upload SBOMs to S3
|
|
shell: bash
|
|
run: |
|
|
sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json'
|
|
manifests='image.raw.manifest image.raw.changelog'
|
|
hashes='SHA256SUMS'
|
|
for file in ${sboms} ${manifests} ${hashes}; do
|
|
aws s3 cp \
|
|
"${file}" \
|
|
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
|
|
--no-progress
|
|
done
|
|
|
|
upload-artifacts:
|
|
name: "Upload image lookup table and CLI compatibility info"
|
|
runs-on: ubuntu-22.04
|
|
needs: [build-settings, upload-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
steps:
|
|
- name: Download image lookup table
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
|
|
with:
|
|
name: lookup-table
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Combine lookup tables for CSPs
|
|
shell: bash
|
|
run: |
|
|
echo '{}' > intermediate.json
|
|
|
|
jq '.ref = "${{ needs.build-settings.outputs.ref }}"' intermediate.json > lookup-table.json
|
|
cp lookup-table.json intermediate.json
|
|
|
|
jq '.stream = "${{ needs.build-settings.outputs.stream }}"' intermediate.json > lookup-table.json
|
|
cp lookup-table.json intermediate.json
|
|
|
|
jq '.version = "${{ needs.build-settings.outputs.imageVersion }}"' intermediate.json > lookup-table.json
|
|
cp lookup-table.json intermediate.json
|
|
|
|
for lut in mkosi.output.*/*/image-upload*.json; do
|
|
jq -scS '.[0] * .[1]' intermediate.json "${lut}" > lookup-table.json
|
|
cp lookup-table.json intermediate.json
|
|
done
|
|
|
|
rm -f intermediate.json
|
|
|
|
- name: Upload lookup table to S3
|
|
shell: bash
|
|
run: |
|
|
aws s3 cp \
|
|
"lookup-table.json" \
|
|
"s3://cdn-constellation-backend/${{ needs.build-settings.outputs.imageApiBasePath }}/info.json" \
|
|
--no-progress
|
|
{
|
|
echo -e "Image version ([Lookup table](https://cdn.confidential.cloud/${{ needs.build-settings.outputs.imageApiBasePath }}/info.json)):"
|
|
echo
|
|
echo -e "\`\`\`"
|
|
echo "${{ needs.build-settings.outputs.imageNameShort }}"
|
|
echo -e "\`\`\`"
|
|
} >> "$GITHUB_STEP_SUMMARY"
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Setup Go environment
|
|
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
|
|
with:
|
|
go-version: "1.20.2"
|
|
cache: true
|
|
|
|
- name: Create CLI compatibility information artifact
|
|
shell: bash
|
|
run: |
|
|
go run ./hack/cli-k8s-compatibility/main.go \
|
|
--ref=${{ needs.build-settings.outputs.ref }} \
|
|
--stream=${{ needs.build-settings.outputs.stream }} \
|
|
--version=${{ needs.build-settings.outputs.imageVersion }} \
|
|
|
|
add-image-version-to-versionsapi:
|
|
needs: [upload-artifacts, build-settings]
|
|
name: "Add image version to versionsapi"
|
|
if: needs.build-settings.outputs.ref != '-'
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
uses: ./.github/workflows/versionsapi.yml
|
|
with:
|
|
command: add
|
|
ref: ${{ needs.build-settings.outputs.ref }}
|
|
stream: ${{ needs.build-settings.outputs.stream }}
|
|
version: ${{ needs.build-settings.outputs.imageVersion }}
|
|
kind: "image"
|
|
add_latest: true
|
|
|
|
add-cli-version-to-versionsapi:
|
|
needs: [upload-artifacts, build-settings]
|
|
name: "Add CLI version to versionsapi"
|
|
if: needs.build-settings.outputs.ref != '-'
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
uses: ./.github/workflows/versionsapi.yml
|
|
with:
|
|
command: add
|
|
ref: ${{ needs.build-settings.outputs.ref }}
|
|
stream: ${{ needs.build-settings.outputs.stream }}
|
|
version: ${{ needs.build-settings.outputs.imageVersion }}
|
|
kind: "cli"
|
|
add_latest: true
|