constellation/.github/actions/build_cli/action.yml
Fabian Kammel 00dfff6840 AB#2158 publish measurements (#268)
* cleaned up actions and new measure action to generate, sign and upload measurements
* improve constellation ip fetching to support multiple control nodes
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-07-13 14:04:46 +02:00

101 lines
3.4 KiB
YAML

name: Build CLI
description: |
Runs cmake and cli make target in build folder. Optionally, Sigstore tools
are used to sign CLI when inputs are provided. A draft release is published
when run on v* tag.
inputs:
cosignPublicKey:
description: 'Cosign public key'
required: false
default: ''
cosignPrivateKey:
description: 'Cosign private key'
required: false
default: ''
cosignPassword:
description: 'Password for Cosign private key'
required: false
default: ''
runs:
using: "composite"
steps:
- name: Install build dependencies
run: |
sudo apt-get update
sudo apt-get install \
build-essential cmake \
-y
shell: bash
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
# once it has the functionality
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Install Rekor
run: |
curl -LO https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
shell: bash
# https://github.blog/2022-04-12-git-security-vulnerability-announced/
- name: Mark repository safe
run: |
git config --global --add safe.directory /__w/constellation/constellation
shell: bash
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: "1.18"
- name: Build hack/pcr-reader
run: |
go build .
echo "$(pwd)" >> $GITHUB_PATH
export PATH="$PATH:$(pwd)"
working-directory: hack/pcr-reader
shell: bash
- name: Build CLI
run: |
GIT_TAG=$(git describe --tags --always --dirty --abbrev=0)
mkdir build
cd build
cmake -DCLI_VERSION:STRING=${GIT_TAG} ..
make -j`nproc` cli
echo "$(pwd)" >> $GITHUB_PATH
export PATH="$PATH:$(pwd)"
shell: bash
- name: Sign CLI
run: |
set -e
set -o pipefail
echo "$COSIGN_PUBLIC_KEY" > cosign.pub
# Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig
# Verify - As documentation & check
# Local Signature (input: artifact, key, signature)
cosign verify-blob --key cosign.pub --signature constellation.sig constellation
# Transparency Log Signature (input: artifact, key)
uuid=$(rekor-cli search --artifact constellation | tail -n 1)
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
cosign verify-blob --key cosign.pub --signature <(echo $sig) constellation
shell: bash
working-directory: build
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
- name: Release CLI
# GitHub endorsed release project. See: https://github.com/actions/create-release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/v')
with:
draft: true
files: |
build/constellation
build/constellation.sig
build/cosign.pub