Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-21 21:01:04 -05:00
Code Issues Packages Projects Releases Wiki Activity
fe767ba78e
constellation/.github/actions/build_cli/action.yml
Malte Poll bdba9d8ba6
bazel: add build files for go (#1186) 
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00

95 lines
3.7 KiB
YAML
Raw Blame History

name: Build CLI
description: |
Runs cmake and cli make target in build folder. Optionally, Sigstore tools
are used to sign CLI when inputs are provided. A draft release is published
when run on v* tag.
inputs:
targetOS:
description: "Build CLI for this OS. [linux, darwin]"
required: true
default: "linux"
targetArch:
description: "Build CLI for this architecture. [amd64, arm64]"
required: true
default: "amd64"
enterpriseCLI:
description: "Build CLI with enterprise flag."
required: false
default: "false"
cosignPublicKey:
description: "Cosign public key"
required: false
default: ""
cosignPrivateKey:
description: "Cosign private key"
required: false
default: ""
cosignPassword:
description: "Password for Cosign private key"
required: false
default: ""
runs:
using: "composite"
steps:
# https://github.blog/2022-04-12-git-security-vulnerability-announced/
- name: Mark repository safe
shell: bash
run: |
git config --global --add safe.directory /__w/constellation/constellation
- name: Build CLI
shell: bash
run: |
echo "::group::Build CLI"
mkdir -p build
cd build
if [ ${{ inputs.enterpriseCLI }} == 'true' ]
then
cmake -DBAZEL:STRING=bazelisk -DCLI_BUILD_TAGS:STRING=enterprise ..
else
cmake -DBAZEL:STRING=bazelisk ..
fi
GOOS=${{ inputs.targetOS }} GOARCH=${{ inputs.targetArch }} make cli
cp constellation constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
echo "$(pwd)" >> $GITHUB_PATH
export PATH="$PATH:$(pwd)"
echo "::endgroup::"
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
# once it has the functionality
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Install Rekor
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
shell: bash
working-directory: build
run: |
HOSTOS="$(go env GOOS)"
HOSTARCH="$(go env GOARCH)"
curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-${HOSTOS}-${HOSTARCH}
sudo install rekor-cli-${HOSTOS}-${HOSTARCH} /usr/local/bin/rekor-cli
rm rekor-cli-${HOSTOS}-${HOSTARCH}
- name: Sign CLI
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
shell: bash
working-directory: build
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
SIGN_TARGET=constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
echo "$COSIGN_PUBLIC_KEY" > cosign.pub
# Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY ${SIGN_TARGET} > ${SIGN_TARGET}.sig
# Verify - As documentation & check
# Local Signature (input: artifact, key, signature)
cosign verify-blob --key cosign.pub --signature ${SIGN_TARGET}.sig ${SIGN_TARGET}
# Transparency Log Signature (input: artifact, key)
uuid=$(rekor-cli search --artifact ${SIGN_TARGET} | tail -n 1)
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
cosign verify-blob --key cosign.pub --signature <(echo $sig) ${SIGN_TARGET}
Reference in New Issue View Git Blame Copy Permalink