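# Composite action: rebuild the OS image for a release and check that the
# resulting measurements match the ones published on the CDN for that version.
name: Check measurements reproducibility
description: Check if the measurements of a given release are reproducible.

inputs:
  version:
    type: string
    description: The version of the measurements that are downloaded from the CDN.
    required: true
  ref:
    type: string
    description: The git ref to check out. You probably want this to be the tag of the release you are testing.
    required: true

runs:
  using: "composite"
  steps:
    - name: Checkout
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        ref: ${{ inputs.ref }}
        # The release sources live in ./release; the build step below cds into it.
        path: ./release

    - name: Set up bazel
      uses: ./.github/actions/setup_bazel_nix
      with:
        # NOTE(review): cache disabled, presumably so the build is done from
        # scratch for the reproducibility check — confirm with the action's docs.
        useCache: "false"
        nixTools: |
          systemdUkify
          jq
          jd-diff-patch
          moreutils

    - name: Allow unrestricted user namespaces
      shell: bash
      run: |
        # --ignore: do not fail if the sysctl key does not exist on this kernel.
        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0

    - name: Build images
      id: build-images
      shell: bash
      run: |
        set -euo pipefail

        # Build required binaries
        pushd release
        bazel build //image/system:stable
        # Export the build output directory for the later steps.
        echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
        popd

    - name: Download measurements
      shell: bash
      env:
        # Passed via the environment instead of being expanded into the script
        # text, so an input value cannot alter the shell command itself.
        VERSION: ${{ inputs.version }}
      run: |
        curl -fsLO "https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${VERSION}/image/measurements.json"

    - name: Cleanup release measurements and generate our own
      shell: bash
      env:
        # Same reasoning as above: the build path is expanded by the shell, not
        # by the expression engine.
        BUILD_PATH: ${{ steps.build-images.outputs.buildPath }}
      run: |
        "${{ github.action_path }}/create_measurements.sh" "${BUILD_PATH}"

    - name: Compare measurements
      shell: bash
      env:
        BUILD_PATH: ${{ steps.build-images.outputs.buildPath }}
      run: |
        "${{ github.action_path }}/compare_measurements.sh" "${BUILD_PATH}"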