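name: Check measurements reproducibility

on:
  release:
    types: [created]
  workflow_dispatch:

# Least privilege for the job's GITHUB_TOKEN: the workflow only reads the repository
# (checkout); nothing below writes to GitHub.
# NOTE(review): ./.github/actions/setup_bazel_nix is outside this file — confirm it
# needs nothing beyond contents:read (its cache is disabled below).
permissions:
  contents: read

jobs:
  check-reproducibility:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Empty on workflow_dispatch runs (no release payload); only release
          # events supply a tag to check out.
          ref: ${{ github.event.release.tag_name }}

      - name: Set up bazel
        uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "false"
          nixTools: |
            systemdUkify
            jd-diff-patch

      - name: Build images and produce measurements
        run: |
          # Fail on the first error, on unset variables and on any failing pipeline
          # member, rather than relying on the runner shell's defaults.
          set -euo pipefail
          # The loop below uses the !(...) extglob pattern; enable it explicitly.
          shopt -s extglob

          # Build required binaries
          bazel build //image/system:stable
          bazel build //image/measured-boot/cmd
          buildPath="$PWD/bazel-bin/image"
          cd "$(mktemp -d)"

          # download release measurements
          # --fail turns an HTTP error (e.g. a missing file) into a non-zero exit
          # instead of silently saving the error body as measurements.json; HTTPS is
          # required for the request and for any redirect it follows.
          # NOTE(review): the version is pinned here rather than taken from the
          # release tag — confirm that is intended. The file is trusted on TLS alone;
          # if the release publishes a signature for it, verifying that here would
          # strengthen the check.
          curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' \
            -O https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.20.0/image/measurements.json

          # compare all measurements with our own
          # Image directories are named <csp>_<attestationVariant>; the mkosi wrapper
          # script next to them is skipped. $buildPath is quoted, the glob is not.
          for directory in "$buildPath"/system/!(mkosi_wrapper.sh); do
            dirname="$(basename "$directory")"
            csp="$(echo "$dirname" | cut -d_ -f1)"
            attestationVariant="$(echo "$dirname" | cut -d_ -f2)"

            echo "Comparing measurements of CSP $csp with attestation variant $attestationVariant"
            # Select the reference entry for this CSP/variant pair (CSP compared
            # case-insensitively) from the downloaded measurements.
            jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" '.list.[] | select(.attestationVariant == $attestation_variant) | select((.csp | ascii_downcase) == $csp)' measurements.json > their-measurements.json
            # Runs as root via sudo — presumably the tool needs privileged access to
            # the image; PATH is forwarded so the tools set up above stay reachable.
            sudo env "PATH=$PATH" "$buildPath/measured-boot/cmd/cmd_/cmd" "$directory/constellation" ./own-measurements.json
            # NOTE(review): whether a non-empty diff fails the step depends on jd's
            # exit status — confirm it is non-zero on differences, otherwise a
            # mismatch only shows up in the log.
            jd ./their-measurements.json ./own-measurements.json
          done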