constellation/.github/workflows/azure-snp-reporter.yml
renovate[bot] 576b48c8b7
deps: update GitHub action dependencies (#1848)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-03 08:19:10 +02:00

94 lines
3.0 KiB
YAML

name: Fetch, validate and report SNP report data.
on:
workflow_dispatch:
schedule:
- cron: "0 14 * * 0"
jobs:
build-snp-reporter:
name: "Build SNP-reporter container"
runs-on: ubuntu-22.04
permissions:
packages: write
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Build and upload azure SNP reporter container image
id: build-and-upload
uses: ./.github/actions/build_micro_service
with:
name: azure-snp-reporter
dockerfile: ./hack/azure-snp-report-verify/Dockerfile
githubToken: ${{ secrets.GITHUB_TOKEN }}
fetch-snp-report:
needs: build-snp-reporter
name: "Fetch SNP report"
runs-on: [self-hosted, azure-cvm]
env:
SHELL: /bin/bash
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Fetch SNP report
uses: ./.github/actions/azure_snp_reporter
with:
outputPath: ${{ github.workspace }}/maa-report.jwt
- name: Upload report JWT
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: maa-report.jwt
path: "${{ github.workspace }}/maa-report.jwt"
validate-snp-report:
needs: fetch-snp-report
name: "Validate SNP report and update Attestation API"
permissions:
id-token: write
contents: read
runs-on: ubuntu-22.04
env:
SHELL: /bin/bash
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Set up Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version: 1.20.5
cache: false
- name: Download report JWT
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: "maa-report.jwt"
path: "."
- name: Verify report
shell: bash
run: go run ./hack/azure-snp-report-verify/verify.go --report "$(cat ./maa-report.jwt)" --export-path azure-snp-version.json
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
- name: Update Attestation API
shell: bash
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
run: |
go run ./hack/configapi/main.go --version-file azure-snp-version.json