mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
00dfff6840
* cleaned up actions and new measure action to generate, sign and upload measurements * improve constellation ip fetching to support multiple control nodes Signed-off-by: Fabian Kammel <fk@edgeless.systems>
101 lines
3.4 KiB
YAML
101 lines
3.4 KiB
YAML
name: Build CLI
|
|
description: |
|
|
Runs cmake and cli make target in build folder. Optionally, Sigstore tools
|
|
are used to sign CLI when inputs are provided. A draft release is published
|
|
when run on v* tag.
|
|
inputs:
|
|
cosignPublicKey:
|
|
description: 'Cosign public key'
|
|
required: false
|
|
default: ''
|
|
cosignPrivateKey:
|
|
description: 'Cosign private key'
|
|
required: false
|
|
default: ''
|
|
cosignPassword:
|
|
description: 'Password for Cosign private key'
|
|
required: false
|
|
default: ''
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Install build dependencies
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install \
|
|
build-essential cmake \
|
|
-y
|
|
shell: bash
|
|
|
|
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
|
|
# once it has the functionality
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@main
|
|
- name: Install Rekor
|
|
run: |
|
|
curl -LO https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64
|
|
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
|
|
shell: bash
|
|
|
|
# https://github.blog/2022-04-12-git-security-vulnerability-announced/
|
|
- name: Mark repository safe
|
|
run: |
|
|
git config --global --add safe.directory /__w/constellation/constellation
|
|
shell: bash
|
|
|
|
- name: Install Go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version: "1.18"
|
|
- name: Build hack/pcr-reader
|
|
run: |
|
|
go build .
|
|
echo "$(pwd)" >> $GITHUB_PATH
|
|
export PATH="$PATH:$(pwd)"
|
|
working-directory: hack/pcr-reader
|
|
shell: bash
|
|
|
|
- name: Build CLI
|
|
run: |
|
|
GIT_TAG=$(git describe --tags --always --dirty --abbrev=0)
|
|
mkdir build
|
|
cd build
|
|
cmake -DCLI_VERSION:STRING=${GIT_TAG} ..
|
|
make -j`nproc` cli
|
|
echo "$(pwd)" >> $GITHUB_PATH
|
|
export PATH="$PATH:$(pwd)"
|
|
shell: bash
|
|
|
|
- name: Sign CLI
|
|
run: |
|
|
set -e
|
|
set -o pipefail
|
|
echo "$COSIGN_PUBLIC_KEY" > cosign.pub
|
|
# Enabling experimental mode also publishes signature to Rekor
|
|
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig
|
|
# Verify - As documentation & check
|
|
# Local Signature (input: artifact, key, signature)
|
|
cosign verify-blob --key cosign.pub --signature constellation.sig constellation
|
|
# Transparency Log Signature (input: artifact, key)
|
|
uuid=$(rekor-cli search --artifact constellation | tail -n 1)
|
|
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
|
|
cosign verify-blob --key cosign.pub --signature <(echo $sig) constellation
|
|
shell: bash
|
|
working-directory: build
|
|
env:
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
|
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
|
|
|
|
- name: Release CLI
|
|
# GitHub endorsed release project. See: https://github.com/actions/create-release
|
|
uses: softprops/action-gh-release@v1
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
with:
|
|
draft: true
|
|
files: |
|
|
build/constellation
|
|
build/constellation.sig
|
|
build/cosign.pub
|