Do not merge #42
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and attest all | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: | |
| branches: [stage0verify] | |
| # See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| build_attest_all: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| buildconfig: | |
| - buildconfigs/key_xor_test_app.sh | |
| - buildconfigs/oak_containers_kernel.sh | |
| - buildconfigs/oak_containers_orchestrator.sh | |
| - buildconfigs/oak_containers_stage1.sh | |
| - buildconfigs/oak_containers_syslogd.sh | |
| - buildconfigs/oak_containers_system_image.sh | |
| - buildconfigs/oak_echo_enclave_app.sh | |
| - buildconfigs/oak_echo_raw_enclave_app.sh | |
| - buildconfigs/oak_functions_enclave_app.sh | |
| - buildconfigs/oak_functions_insecure_enclave_app.sh | |
| - buildconfigs/oak_orchestrator.sh | |
| - buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh | |
| - buildconfigs/stage0_bin.sh | |
| permissions: | |
| actions: read | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| # Needed for GCS upload. | |
| # - name: Authenticate to Google Cloud | |
| # uses: google-github-actions/auth@v2 | |
| # with: | |
| # credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }} | |
| # Needed for GCS upload. | |
| - name: Setup Google Cloud | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Mount main branch | |
| uses: actions/checkout@v4 | |
| - name: Parse buildconfig | |
| id: parse | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| source ${{ matrix.buildconfig }} | |
| echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}" | |
| subject_paths_json=$(jq --compact-output --null-input \ | |
| '$ARGS.positional' --args -- "${SUBJECT_PATHS[@]}") | |
| echo "DEBUG=${subject_paths_json}" | |
| echo "subject-paths=${SUBJECT_PATHS[@]}" >> "${GITHUB_OUTPUT}" | |
| s="${SUBJECT_PATHS[@]}" | |
| echo "subject-paths-commas=${s// /,}" >> "${GITHUB_OUTPUT}" | |
| echo "subject-paths-json=${subject_paths_json}" >> "${GITHUB_OUTPUT}" | |
| - name: Show values | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| gsutil --version | |
| echo "package_name: ${{ steps.parse.outputs.package-name }}" | |
| echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}" | |
| echo "subject_paths_commas: ${{ steps.parse.outputs.subject-paths-commas }}" | |
| echo "GITHUB_SHA: ${GITHUB_SHA}" | |
| - name: Build | |
| id: build | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| source ${{ matrix.buildconfig }} | |
| export RUST_BACKTRACE=1 | |
| export RUST_LOG=debug | |
| export XDG_RUNTIME_DIR=/var/run | |
| scripts/docker_pull | |
| scripts/docker_run "${BUILD_COMMAND[@]}" | |
| - name: Show build artifacts | |
| run: | | |
| echo "${{ steps.parse.outputs.subject-paths }}" | |
| ls -la ${{ steps.parse.outputs.subject-paths }} | |
| - name: Attest | |
| id: attest | |
| uses: actions/attest-build-provenance@v1.1.1 | |
| with: | |
| subject-path: ${{ steps.parse.outputs.subject-paths-commas }} | |
| - name: Show bundle | |
| run: | | |
| echo "${{ steps.attest.outputs.bundle-path }}" | |
| ls -la "${{ steps.attest.outputs.bundle-path }}" | |
| cat "${{ steps.attest.outputs.bundle-path }}" | |
| # Upload binary and provenance to GCS and index via http://static.space | |
| # so that, regardless of the GCS bucket and path, it can easily be | |
| # located by its digest. | |
| # | |
| # TODO: b/339774247 - The filenames are hardwired for now so they don't | |
| # collide with the upload from the other workflow (which doesn't use | |
| # these names). | |
| - name: Upload | |
| id: upload | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| set -o xtrace | |
| bucket=oak-bins | |
| package_name=${{ steps.parse.outputs.package-name }} | |
| subject_paths=${{ steps.parse.outputs.subject-paths }} | |
| binary_path="${subject_paths[0]}" | |
| provenance_path=${{ steps.attest.outputs.bundle-path }} | |
| gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary" | |
| gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl" | |
| binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}" | |
| provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}" | |
| gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}" | |
| gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}" | |
| curl --fail \ | |
| --request POST \ | |
| --header 'Content-Type: application/json' \ | |
| --data "{ \"url\": \"${binary_url}\" }" \ | |
| https://api.static.space/v1/snapshot | |
| curl --fail \ | |
| --request POST \ | |
| --header 'Content-Type: application/json' \ | |
| --data "{ \"url\": \"${provenance_url}\" }" \ | |
| https://api.static.space/v1/snapshot |