Build and Upload OS image #667
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Upload OS image | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| imageVersion: | |
| description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)" | |
| required: false | |
| isRelease: | |
| description: 'Is this a release? (sets "ref" to special value "-")' | |
| type: boolean | |
| required: false | |
| default: false | |
| stream: | |
| description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)" | |
| type: choice | |
| required: true | |
| options: | |
| - "debug" | |
| - "console" | |
| - "nightly" | |
| - "stable" | |
| ref: | |
| type: string | |
| description: "Git ref to checkout" | |
| required: false | |
| workflow_call: | |
| inputs: | |
| imageVersion: | |
| description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)" | |
| required: false | |
| type: string | |
| isRelease: | |
| description: 'Is this a release? (sets "ref" to special value "-")' | |
| type: boolean | |
| required: false | |
| default: false | |
| stream: | |
| description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)" | |
| type: string | |
| required: true | |
| ref: | |
| type: string | |
| description: "Git ref to checkout" | |
| required: false | |
| jobs: | |
| build-dependencies: | |
| name: "Build binaries for embedding in the OS" | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| packages: read | |
| outputs: | |
| bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }} | |
| disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }} | |
| upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }} | |
| measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ inputs.ref || github.head_ref }} | |
| - name: Setup Go environment | |
| uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| with: | |
| go-version: "1.20.7" | |
| cache: true | |
| - name: Setup bazel | |
| uses: ./.github/actions/setup_bazel | |
| with: | |
| useCache: "false" | |
| - name: Build bootstrapper | |
| if: inputs.stream != 'debug' | |
| uses: ./.github/actions/build_bootstrapper | |
| with: | |
| outputPath: ${{ github.workspace }}/build/bootstrapper | |
| - name: Build debugd | |
| if: inputs.stream == 'debug' | |
| uses: ./.github/actions/build_debugd | |
| with: | |
| outputPath: ${{ github.workspace }}/build/debugd | |
| - name: Build disk-mapper | |
| uses: ./.github/actions/build_disk_mapper | |
| with: | |
| outputPath: ${{ github.workspace }}/build/disk-mapper | |
| - name: Build upgrade-agent | |
| uses: ./.github/actions/build_upgrade_agent | |
| with: | |
| outputPath: ${{ github.workspace }}/build/upgrade-agent | |
| - name: Build measurement-reader | |
| uses: ./.github/actions/build_measurement_reader | |
| with: | |
| outputPath: ${{ github.workspace }}/build/measurement-reader | |
| - name: Upload dependencies | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| env: | |
| MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }} | |
| with: | |
| name: dependencies | |
| path: | | |
| ${{ github.workspace }}/build/${{ env.MAIN_BINARY }} | |
| ${{ github.workspace }}/build/disk-mapper | |
| ${{ github.workspace }}/build/upgrade-agent | |
| ${{ github.workspace }}/build/measurement-reader | |
| - name: Collect hashes | |
| id: collect-hashes | |
| working-directory: ${{ github.workspace }}/build | |
| run: | | |
| { | |
| echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" | |
| echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" | |
| echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)" | |
| echo "measurement-reader-sha256=$(sha256sum measurement-reader | head -c 64)" | |
| } | tee -a "$GITHUB_OUTPUT" | |
| build-settings: | |
| name: "Determine build settings" | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| ref: ${{ steps.ref.outputs.ref }} | |
| stream: ${{ steps.stream.outputs.stream }} | |
| imageType: ${{ steps.image-type.outputs.imageType }} | |
| pkiSet: ${{ steps.pki-set.outputs.pkiSet }} | |
| imageVersion: ${{ steps.image-version.outputs.imageVersion }} | |
| imageName: ${{ steps.image-version.outputs.imageName }} | |
| imageNameShort: ${{ steps.image-version.outputs.imageNameShort }} | |
| imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }} | |
| cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ inputs.ref || github.head_ref }} | |
| - name: Determine version | |
| id: version | |
| uses: ./.github/actions/pseudo_version | |
| - name: Determine ref | |
| id: ref | |
| run: | | |
| if [[ "${{ inputs.isRelease }}" = "true" ]]; then | |
| echo "ref=-" | tee -a "$GITHUB_OUTPUT" | |
| else | |
| echo "ref=${{ steps.version.outputs.branchName }}" | tee -a "$GITHUB_OUTPUT" | |
| fi | |
| - name: Determine and validate stream | |
| id: stream | |
| run: | | |
| if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then | |
| echo "Nightly builds are not allowed for releases" | |
| exit 1 | |
| fi | |
| if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then | |
| echo "Stable builds are only allowed for releases" | |
| exit 1 | |
| fi | |
| echo "stream=${{ inputs.stream }}" | tee -a "$GITHUB_OUTPUT" | |
| - name: Determine type of image build | |
| shell: bash | |
| id: image-type | |
| run: | | |
| case "${{ steps.stream.outputs.stream }}" in | |
| "debug") | |
| echo "imageType=debug" | tee -a "$GITHUB_OUTPUT" | |
| ;; | |
| "console") | |
| echo "imageType=console" | tee -a "$GITHUB_OUTPUT" | |
| ;; | |
| *) | |
| echo "imageType=default" | tee -a "$GITHUB_OUTPUT" | |
| ;; | |
| esac | |
| - name: Determine PKI set | |
| id: pki-set | |
| shell: bash | |
| run: | | |
| if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ steps.stream.outputs.stream }}" == "stable" ]]; then | |
| echo "pkiSet=pki_prod" | tee -a "$GITHUB_OUTPUT" | |
| else | |
| echo "pkiSet=pki_testing" | tee -a "$GITHUB_OUTPUT" | |
| fi | |
| - name: Determine image version | |
| id: image-version | |
| shell: bash | |
| env: | |
| REF: ${{ steps.ref.outputs.ref }} | |
| STREAM: ${{ steps.stream.outputs.stream }} | |
| IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }} | |
| run: | | |
| { | |
| echo "imageVersion=${IMAGE_VERSION}" | |
| echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | |
| echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image" | |
| echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli" | |
| } | tee -a "$GITHUB_OUTPUT" | |
| if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then | |
| echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" | |
| elif [[ "${REF}" = "-" ]]; then | |
| echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" | |
| else | |
| echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT" | |
| fi | |
| make-os-image: | |
| name: "Build OS using mkosi" | |
| needs: [build-settings, build-dependencies] | |
| runs-on: ubuntu-22.04 | |
| # TODO(malt3): flatten outputs once possible | |
| # https://github.com/community/community/discussions/17245 | |
| outputs: | |
| image-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-aws-nitro-tpm-sha256 }} | |
| image-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-azure-sev-snp-sha256 }} | |
| image-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-gcp-sev-es-sha256 }} | |
| image-raw-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-qemu-vtpm-sha256 }} | |
| image-efi-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-aws-nitro-tpm-sha256 }} | |
| image-efi-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-azure-sev-snp-sha256 }} | |
| image-efi-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-gcp-sev-es-sha256 }} | |
| image-efi-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-qemu-vtpm-sha256 }} | |
| image-initrd-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-aws-nitro-tpm-sha256 }} | |
| image-initrd-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-azure-sev-snp-sha256 }} | |
| image-initrd-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-gcp-sev-es-sha256 }} | |
| image-initrd-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-qemu-vtpm-sha256 }} | |
| image-root-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }} | |
| image-root-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-azure-sev-snp-sha256 }} | |
| image-root-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }} | |
| image-root-raw-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }} | |
| image-root-verity-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }} | |
| image-root-verity-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-azure-sev-snp-sha256 }} | |
| image-root-verity-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }} | |
| image-root-verity-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }} | |
| image-vmlinuz-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }} | |
| image-vmlinuz-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }} | |
| image-vmlinuz-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }} | |
| image-vmlinuz-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-qemu-vtpm-sha256 }} | |
| image-raw-changelog-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-aws-nitro-tpm-sha256 }} | |
| image-raw-changelog-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-azure-sev-snp-sha256 }} | |
| image-raw-changelog-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-gcp-sev-es-sha256 }} | |
| image-raw-changelog-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-qemu-vtpm-sha256 }} | |
| image-raw-manifest-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-aws-nitro-tpm-sha256 }} | |
| image-raw-manifest-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-azure-sev-snp-sha256 }} | |
| image-raw-manifest-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-gcp-sev-es-sha256 }} | |
| image-raw-manifest-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-qemu-vtpm-sha256 }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - csp: aws | |
| attestation_variant: aws-nitro-tpm | |
| - csp: aws | |
| attestation_variant: aws-sev-snp | |
| - csp: azure | |
| attestation_variant: azure-sev-snp | |
| - csp: gcp | |
| attestation_variant: gcp-sev-es | |
| - csp: gcp | |
| attestation_variant: gcp-sev-snp | |
| - csp: qemu | |
| attestation_variant: qemu-vtpm | |
| - csp: openstack | |
| attestation_variant: qemu-vtpm | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ inputs.ref || github.head_ref }} | |
| - name: Download build dependencies | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: dependencies | |
| path: ${{ github.workspace }}/build | |
| - name: Mark bootstrapper, debugd, disk-mapper, measurement-reader, and upgrade-agent as executable | |
| run: | | |
| chmod +x ${{ github.workspace }}/build/bootstrapper || true | |
| chmod +x ${{ github.workspace }}/build/debugd || true | |
| chmod +x ${{ github.workspace }}/build/disk-mapper | |
| chmod +x ${{ github.workspace }}/build/upgrade-agent | |
| chmod +x ${{ github.workspace }}/build/measurement-reader | |
| - name: Setup mkosi | |
| uses: ./.github/actions/setup_mkosi | |
| with: | |
| version: d8b32fbf3077b612db0024276e73cec3c2c87577 | |
| systemdVersion: f6e94c5f7ddd796095cf6294857e535dcdbfc677 | |
| - name: Prepare PKI for secure boot signing | |
| id: prepare-pki | |
| shell: bash | |
| working-directory: ${{ github.workspace }}/image | |
| env: | |
| PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} | |
| DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }} | |
| run: | | |
| echo "${DB_KEY}" > "${PKI_SET}/db.key" | |
| chmod 600 "${PKI_SET}/db.key" | |
| ln -s "${PKI_SET}" pki | |
| - name: Build | |
| shell: bash | |
| working-directory: ${{ github.workspace }}/image | |
| env: | |
| BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper | |
| DEBUGD_BINARY: ${{ github.workspace }}/build/bootstrapper | |
| DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper | |
| UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent | |
| MEASUREMENT_READER_BINARY: ${{ github.workspace }}/build/measurement-reader | |
| DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }} | |
| AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }} | |
| IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }} | |
| CSP: ${{ matrix.csp }} | |
| ATTESTATION_VARIANT: ${{ matrix.attestation_variant }} | |
| run: | | |
| echo "::group::Build" | |
| sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}_${ATTESTATION_VARIANT}" | |
| echo "::endgroup::" | |
| - name: Collect hashes | |
| id: collect-hashes | |
| working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38 | |
| run: | | |
| { | |
| echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.raw | head -c 64)" | |
| echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.efi | head -c 64)" | |
| echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.esp.raw | head -c 64)" | |
| echo "image-root-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64.raw | head -c 64)" | |
| echo "image-root-verity-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64-verity.raw | head -c 64)" | |
| echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" | |
| echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)" | |
| echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)" | |
| } | tee -a "$GITHUB_OUTPUT" | |
| - name: Upload raw OS image as artifact | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} | |
| path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw | |
| - name: Upload individual OS parts as artifacts | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }} | |
| path: | | |
| ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.cmdline | |
| ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.efi | |
| ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.esp.raw | |
| ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64.raw | |
| ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64-verity.raw | |
| ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.vmlinuz | |
| - name: Upload manifest as artifact | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }} | |
| path: | | |
| ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.changelog | |
| ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.manifest | |
| upload-os-image: | |
| name: "Upload OS image to CSP" | |
| needs: [build-settings, make-os-image] | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - csp: aws | |
| attestation_variant: aws-nitro-tpm | |
| - csp: aws | |
| attestation_variant: aws-sev-snp | |
| - csp: azure | |
| attestation_variant: azure-sev-snp | |
| - csp: gcp | |
| attestation_variant: gcp-sev-es | |
| - csp: gcp | |
| attestation_variant: gcp-sev-snp | |
| - csp: qemu | |
| attestation_variant: qemu-vtpm | |
| - csp: openstack | |
| attestation_variant: qemu-vtpm | |
| env: | |
| RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw | |
| JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json | |
| AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd | |
| GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz | |
| SHORTNAME: ${{ needs.build-settings.outputs.imageNameShort }} | |
| ATTESTATION_VARIANT: ${{ matrix.attestation_variant }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ inputs.ref || github.head_ref }} | |
| - name: Download OS image artifact | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} | |
| path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38 | |
| - name: Install tools | |
| shell: bash | |
| run: | | |
| echo "::group::Install tools" | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| pigz \ | |
| qemu-utils \ | |
| python3-pip | |
| echo "::endgroup::" | |
| - name: Login to AWS | |
| uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 | |
| with: | |
| role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline | |
| aws-region: eu-central-1 | |
| - name: Login to Azure | |
| if: matrix.csp == 'azure' | |
| uses: ./.github/actions/login_azure | |
| with: | |
| azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
| - name: Login to GCP | |
| if: matrix.csp == 'gcp' | |
| uses: ./.github/actions/login_gcp | |
| with: | |
| service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com" | |
| - name: Prepare PKI for image upload | |
| id: prepare-pki | |
| shell: bash | |
| working-directory: ${{ github.workspace }}/image | |
| run: | | |
| ln -s ${{ needs.build-settings.outputs.pkiSet }} pki | |
| - name: Upload AWS image | |
| if: matrix.csp == 'aws' | |
| shell: bash | |
| working-directory: ${{ github.workspace }}/image | |
| run: | | |
| echo "::group::Upload AWS image" | |
| bazel run //image/upload -- image aws \ | |
| --verbose \ | |
| --raw-image "${RAW_IMAGE_PATH}" \ | |
| --attestation-variant "${ATTESTATION_VARIANT}" \ | |
| --version "${SHORTNAME}" \ | |
| --out "${JSON_OUTPUT}" | |
| echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" | |
| echo "::endgroup::" | |
| - name: Upload GCP image | |
| if: matrix.csp == 'gcp' | |
| shell: bash | |
| working-directory: ${{ github.workspace }}/image | |
| run: | | |
| echo "::group::Upload GCP image" | |
| upload/pack.sh gcp "${RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}" | |
| bazel run //image/upload -- image gcp \ | |
| --verbose \ | |
| --raw-image "${GCP_IMAGE_PATH}" \ | |
| --attestation-variant "${ATTESTATION_VARIANT}" \ | |
| --version "${SHORTNAME}" \ | |
| --out "${JSON_OUTPUT}" | |
| echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" | |
| echo "::endgroup::" | |
| - name: Upload Azure image | |
| if: matrix.csp == 'azure' | |
| shell: bash | |
| working-directory: ${{ github.workspace }}/image | |
| run: | | |
| echo "::group::Upload Azure image" | |
| upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" | |
| bazel run //image/upload -- image azure \ | |
| --verbose \ | |
| --raw-image "${AZURE_IMAGE_PATH}" \ | |
| --attestation-variant "${ATTESTATION_VARIANT}" \ | |
| --version "${SHORTNAME}" \ | |
| --out "${JSON_OUTPUT}" | |
| echo -e "Uploaded Azure image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" | |
| echo "::endgroup::" | |
| - name: Upload OpenStack image | |
| if: matrix.csp == 'openstack' | |
| shell: bash | |
| working-directory: ${{ github.workspace }}/image | |
| run: | | |
| echo "::group::Upload OpenStack image" | |
| bazel run //image/upload -- image openstack \ | |
| --verbose \ | |
| --raw-image "${RAW_IMAGE_PATH}" \ | |
| --attestation-variant "${ATTESTATION_VARIANT}" \ | |
| --version "${SHORTNAME}" \ | |
| --out "${JSON_OUTPUT}" | |
| echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" | |
| echo "::endgroup::" | |
| - name: Upload QEMU image | |
| if: matrix.csp == 'qemu' | |
| shell: bash | |
| working-directory: ${{ github.workspace }}/image | |
| run: | | |
| echo "::group::Upload QEMU image" | |
| bazel run //image/upload -- image qemu \ | |
| --verbose \ | |
| --raw-image "${RAW_IMAGE_PATH}" \ | |
| --attestation-variant "${ATTESTATION_VARIANT}" \ | |
| --version "${SHORTNAME}" \ | |
| --out "${JSON_OUTPUT}" | |
| echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY" | |
| echo "::endgroup::" | |
| - name: Upload image lookup table as artifact | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: lookup-table | |
| path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json | |
| calculate-pcrs: | |
| name: "Calculate PCRs" | |
| needs: [build-settings, make-os-image] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - csp: aws | |
| attestation_variant: aws-nitro-tpm | |
| - csp: aws | |
| attestation_variant: aws-sev-snp | |
| - csp: azure | |
| attestation_variant: azure-sev-snp | |
| - csp: gcp | |
| attestation_variant: gcp-sev-es | |
| - csp: gcp | |
| attestation_variant: gcp-sev-snp | |
| - csp: qemu | |
| attestation_variant: qemu-vtpm | |
| - csp: openstack | |
| attestation_variant: qemu-vtpm | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ inputs.ref || github.head_ref }} | |
| - name: Download OS image artifact | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} | |
| - name: Install dependencies | |
| run: | | |
| echo "::group::Install dependencies" | |
| python -m pip install --user --require-hashes -r .github/workflows/build-os-image-requirements.txt | |
| sudo apt-get update | |
| sudo apt-get install -y systemd-container # for systemd-dissect | |
| echo "::endgroup::" | |
| - name: Calculate expected PCRs | |
| working-directory: ${{ github.workspace }}/image/measured-boot | |
| run: | | |
| echo "::group::Calculate expected PCRs" | |
| { | |
| ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json | |
| ./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json | |
| ./precalculate_pcr_12.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-12-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json ${{ matrix.csp }} | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| cp pcr-stable.json ${{ github.workspace }}/ | |
| jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json | |
| echo "::endgroup::" | |
| - name: Add static PCRs | |
| run: | | |
| case ${{ matrix.csp }} in | |
| aws) | |
| yq e '.csp = "AWS" | | |
| .attestationVariant = "${{ matrix.attestation_variant }}" | | |
| .measurements.0.warnOnly = true | | |
| .measurements.0.expected = "737f767a12f54e70eecbc8684011323ae2fe2dd9f90785577969d7a2013e8c12" | | |
| .measurements.2.warnOnly = true | | |
| .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.3.warnOnly = true | | |
| .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.4.warnOnly = false | | |
| .measurements.6.warnOnly = true | | |
| .measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.8.warnOnly = false | | |
| .measurements.9.warnOnly = false | | |
| .measurements.11.warnOnly = false | | |
| .measurements.12.warnOnly = false | | |
| .measurements.13.warnOnly = false | | |
| .measurements.14.warnOnly = true | | |
| .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | | |
| .measurements.15.warnOnly = false' \ | |
| -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" | |
| ;; | |
| azure) | |
| yq e '.csp = "Azure" | | |
| .attestationVariant = "${{ matrix.attestation_variant }}" | | |
| .measurements.1.warnOnly = true | | |
| .measurements.1.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.2.warnOnly = true | | |
| .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.3.warnOnly = true | | |
| .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.4.warnOnly = false | | |
| .measurements.8.warnOnly = false | | |
| .measurements.9.warnOnly = false | | |
| .measurements.11.warnOnly = false | | |
| .measurements.12.warnOnly = false | | |
| .measurements.13.warnOnly = false | | |
| .measurements.14.warnOnly = true | | |
| .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | | |
| .measurements.15.warnOnly = false' \ | |
| -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" | |
| ;; | |
| gcp) | |
| yq e '.csp = "GCP" | | |
| .attestationVariant = "${{ matrix.attestation_variant }}" | | |
| .measurements.1.warnOnly = true | | |
| .measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" | | |
| .measurements.2.warnOnly = true | | |
| .measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.3.warnOnly = true | | |
| .measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.4.warnOnly = false | | |
| .measurements.6.warnOnly = true | | |
| .measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" | | |
| .measurements.8.warnOnly = false | | |
| .measurements.9.warnOnly = false | | |
| .measurements.11.warnOnly = false | | |
| .measurements.12.warnOnly = false | | |
| .measurements.13.warnOnly = false | | |
| .measurements.14.warnOnly = true | | |
| .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | | |
| .measurements.15.warnOnly = false' \ | |
| -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" | |
| ;; | |
| openstack) | |
| yq e '.csp = "OpenStack" | | |
| .attestationVariant = "${{ matrix.attestation_variant }}" | | |
| .measurements.4.warnOnly = false | | |
| .measurements.8.warnOnly = false | | |
| .measurements.9.warnOnly = false | | |
| .measurements.11.warnOnly = false | | |
| .measurements.12.warnOnly = false | | |
| .measurements.13.warnOnly = false | | |
| .measurements.15.warnOnly = false' \ | |
| -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" | |
| ;; | |
| qemu) | |
| yq e '.csp = "QEMU" | | |
| .attestationVariant = "${{ matrix.attestation_variant }}" | | |
| .measurements.4.warnOnly = false | | |
| .measurements.8.warnOnly = false | | |
| .measurements.9.warnOnly = false | | |
| .measurements.11.warnOnly = false | | |
| .measurements.12.warnOnly = false | | |
| .measurements.13.warnOnly = false | | |
| .measurements.15.warnOnly = false' \ | |
| -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" | |
| ;; | |
| *) | |
| echo "Unknown CSP: ${{ matrix.csp }}" | |
| exit 1 | |
| ;; | |
| esac | |
| # TODO (malt3): Calculate PCR from firmware blob. | |
| # AWS SNP machines have a different expected value for PCR 0. | |
| if [[ ${{ matrix.attestation_variant }} = "aws-sev-snp" ]] | |
| then | |
| yq e '.csp = "AWS" | | |
| .measurements.0.expected = "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"' \ | |
| -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" | |
| fi | |
| - name: Envelope measurements | |
| shell: bash | |
| run: | | |
| echo "::group::Envelope measurements" | |
| bazel run //image/upload -- measurements envelope \ | |
| --in "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \ | |
| --out "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \ | |
| --version "${{ needs.build-settings.outputs.imageNameShort }}" \ | |
| --csp "${{ matrix.csp }}" \ | |
| --attestation-variant "${{ matrix.attestation_variant }}" | |
| echo "::endgroup::" | |
| - name: Upload expected measurements as artifact | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: measurements | |
| path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json | |
| upload-pcrs: | |
| name: "Sign & upload PCRs" | |
| needs: [build-settings, calculate-pcrs] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ inputs.ref || github.head_ref }} | |
| - name: Download measurements | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: measurements | |
| - name: Login to AWS | |
| uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 | |
| with: | |
| role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline | |
| aws-region: eu-central-1 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1 | |
| - name: Install Rekor | |
| shell: bash | |
| run: | | |
| curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64 | |
| sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli | |
| rm rekor-cli-linux-amd64 | |
| - name: Merge measurements | |
| shell: bash | |
| run: | | |
| echo "::group::Merge measurements" | |
| bazel run //image/upload -- measurements merge \ | |
| --out measurements.json \ | |
| pcrs-*.json | |
| echo "::endgroup::" | |
| - name: Sign measurements | |
| if: inputs.stream != 'debug' | |
| shell: bash | |
| env: | |
| COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} | |
| COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} | |
| run: | | |
| echo "${COSIGN_PUBLIC_KEY}" > cosign.pub | |
| # Enabling experimental mode also publishes signature to Rekor | |
| COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY \ | |
| "${{ github.workspace }}/measurements.json" > "${{ github.workspace }}/measurements.json.sig" | |
| # Verify - As documentation & check | |
| # Local Signature (input: artifact, key, signature) | |
| cosign verify-blob --key cosign.pub \ | |
| --signature "measurements.json.sig" \ | |
| "measurements.json" | |
| # Transparency Log Signature (input: artifact, key) | |
| uuid=$(rekor-cli search --artifact "${{ github.workspace }}/measurements.json" | tail -n 1) | |
| sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content) | |
| cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/measurements.json" | |
| - name: Create stub signature file | |
| if: inputs.stream == 'debug' | |
| shell: bash | |
| run: | | |
| echo "THOSE MEASUREMENTS BELONG TO A DEBUG IMAGE. THOSE ARE NOT SINGED BY ANY KEY." > "${{ github.workspace }}/measurements.json.sig" | |
| - name: Upload measurements | |
| shell: bash | |
| run: | | |
| echo "::group::Upload measurements" | |
| bazel run //image/upload -- measurements upload \ | |
| --measurements measurements.json \ | |
| --signature measurements.json.sig | |
| echo "::endgroup::" | |
| generate-sbom: | |
| name: "Generate SBOM" | |
| needs: [build-settings, build-dependencies, make-os-image] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Login to AWS | |
| uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 | |
| with: | |
| role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline | |
| aws-region: eu-central-1 | |
| - name: Install squashfs tools | |
| run: | | |
| echo "::group::Install squashfs tools" | |
| sudo apt-get update | |
| sudo apt-get install -y squashfs-tools | |
| echo "::endgroup::" | |
| - name: Download rootfs | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| # downloading / using only the QEMU rootfs is fine | |
| # since the images only differ in the ESP partition | |
| name: parts-qemu-qemu-vtpm | |
| - name: Download manifest | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| # downloading / using only the QEMU manifest is fine | |
| # since the images only differ in the ESP partition | |
| name: manifest-qemu-qemu-vtpm | |
| - name: Unpack squashfs | |
| run: | | |
| echo "::group::Unpack squashfs" | |
| unsquashfs -user-xattrs -d image.root.tree image.root-x86-64.raw | |
| echo "::endgroup::" | |
| - name: Create SBOM in SPDX fromat | |
| uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
| with: | |
| path: image.root.tree | |
| artifact-name: sbom.spdx.json | |
| output-file: sbom.spdx.json | |
| format: spdx-json | |
| - name: Create SBOM in CycloneDX fromat | |
| uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
| with: | |
| path: image.root.tree | |
| artifact-name: sbom.cyclonedx.json | |
| output-file: sbom.cyclonedx.json | |
| format: cyclonedx-json | |
| - name: Create SBOM in Syft fromat | |
| uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
| with: | |
| path: image.root.tree | |
| artifact-name: sbom.syft.json | |
| output-file: sbom.syft.json | |
| format: syft-json | |
| - name: Combine hashes | |
| run: | | |
| cat > SHA256SUMS <<EOF | |
| ${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper | |
| ${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper | |
| ${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent | |
| ${{ needs.build-dependencies.outputs.measurement-reader-sha256 }} measurement-reader | |
| ${{ needs.make-os-image.outputs.image-raw-aws-aws-nitro-tpm-sha256 }} aws/image.raw | |
| ${{ needs.make-os-image.outputs.image-raw-changelog-aws-aws-nitro-tpm-sha256 }} aws/image.changelog | |
| ${{ needs.make-os-image.outputs.image-raw-manifest-aws-aws-nitro-tpm-sha256 }} aws/image.manifest | |
| ${{ needs.make-os-image.outputs.image-efi-aws-aws-nitro-tpm-sha256 }} aws/image.efi | |
| ${{ needs.make-os-image.outputs.image-initrd-aws-aws-nitro-tpm-sha256 }} aws/image.initrd | |
| ${{ needs.make-os-image.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }} aws/image.root-x86-64.raw | |
| ${{ needs.make-os-image.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }} aws/image.root.verity | |
| ${{ needs.make-os-image.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }} aws/image.vmlinuz | |
| ${{ needs.make-os-image.outputs.image-raw-azure-azure-sev-snp-sha256 }} azure/image.raw | |
| ${{ needs.make-os-image.outputs.image-raw-changelog-azure-azure-sev-snp-sha256 }} azure/image.changelog | |
| ${{ needs.make-os-image.outputs.image-raw-manifest-azure-azure-sev-snp-sha256 }} azure/image.manifest | |
| ${{ needs.make-os-image.outputs.image-efi-azure-azure-sev-snp-sha256 }} azure/image.efi | |
| ${{ needs.make-os-image.outputs.image-initrd-azure-azure-sev-snp-sha256 }} azure/image.initrd | |
| ${{ needs.make-os-image.outputs.image-root-raw-azure-azure-sev-snp-sha256 }} azure/image.root-x86-64.raw | |
| ${{ needs.make-os-image.outputs.image-root-verity-azure-azure-sev-snp-sha256 }} azure/image.root.verity | |
| ${{ needs.make-os-image.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }} azure/image.vmlinuz | |
| ${{ needs.make-os-image.outputs.image-raw-gcp-gcp-sev-es-sha256 }} gcp/image.raw | |
| ${{ needs.make-os-image.outputs.image-raw-changelog-gcp-gcp-sev-es-sha256 }} gcp/image.changelog | |
| ${{ needs.make-os-image.outputs.image-raw-manifest-gcp-gcp-sev-es-sha256 }} gcp/image.manifest | |
| ${{ needs.make-os-image.outputs.image-efi-gcp-gcp-sev-es-sha256 }} gcp/image.efi | |
| ${{ needs.make-os-image.outputs.image-initrd-gcp-gcp-sev-es-sha256 }} gcp/image.initrd | |
| ${{ needs.make-os-image.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }} gcp/image.root-x86-64.raw | |
| ${{ needs.make-os-image.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }} gcp/image.root.verity | |
| ${{ needs.make-os-image.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }} gcp/image.vmlinuz | |
| ${{ needs.make-os-image.outputs.image-raw-qemu-qemu-vtpm-sha256 }} qemu/image.raw | |
| ${{ needs.make-os-image.outputs.image-raw-changelog-qemu-qemu-vtpm-sha256 }} qemu/image.changelog | |
| ${{ needs.make-os-image.outputs.image-raw-manifest-qemu-qemu-vtpm-sha256 }} qemu/image.manifest | |
| ${{ needs.make-os-image.outputs.image-efi-qemu-qemu-vtpm-sha256 }} qemu/image.efi | |
| ${{ needs.make-os-image.outputs.image-initrd-qemu-qemu-vtpm-sha256 }} qemu/image.initrd | |
| ${{ needs.make-os-image.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }} qemu/image.root-x86-64.raw | |
| ${{ needs.make-os-image.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }} qemu/image.root.verity | |
| ${{ needs.make-os-image.outputs.image-vmlinuz-qemu-qemu-vtpm-sha256 }} qemu/image.vmlinuz | |
| EOF | |
| cat SHA256SUMS | |
| echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> "$GITHUB_STEP_SUMMARY" | |
| - name: Upload SBOMs to S3 | |
| shell: bash | |
| run: | | |
| sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json' | |
| manifests='image.manifest image.changelog' | |
| hashes='SHA256SUMS' | |
| for file in ${sboms} ${manifests} ${hashes}; do | |
| aws s3 cp \ | |
| "${file}" \ | |
| "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \ | |
| --no-progress | |
| done | |
| upload-artifacts: | |
| name: "Upload image lookup table and CLI compatibility info" | |
| runs-on: ubuntu-22.04 | |
| needs: [build-settings, upload-os-image] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ inputs.ref || github.head_ref }} | |
| - name: Download image lookup table | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
| with: | |
| name: lookup-table | |
| - name: Login to AWS | |
| uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 | |
| with: | |
| role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline | |
| aws-region: eu-central-1 | |
| - name: Upload lookup table to S3 | |
| shell: bash | |
| run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ inputs.ref || github.head_ref }} | |
| - name: Setup Go environment | |
| uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| with: | |
| go-version: "1.20.7" | |
| cache: true | |
| - name: Create CLI compatibility information artifact | |
| shell: bash | |
| run: | | |
| go run ./hack/cli-k8s-compatibility/main.go \ | |
| --ref=${{ needs.build-settings.outputs.ref }} \ | |
| --stream=${{ needs.build-settings.outputs.stream }} \ | |
| --version=${{ needs.build-settings.outputs.imageVersion }} \ | |
| add-image-version-to-versionsapi: | |
| needs: [upload-artifacts, build-settings] | |
| name: "Add image version to versionsapi" | |
| if: needs.build-settings.outputs.ref != '-' | |
| permissions: | |
| contents: read | |
| id-token: write | |
| uses: ./.github/workflows/versionsapi.yml | |
| with: | |
| command: add | |
| ref: ${{ needs.build-settings.outputs.ref }} | |
| stream: ${{ needs.build-settings.outputs.stream }} | |
| version: ${{ needs.build-settings.outputs.imageVersion }} | |
| kind: "image" | |
| add_latest: true | |
| add-cli-version-to-versionsapi: | |
| needs: [upload-artifacts, build-settings, add-image-version-to-versionsapi] | |
| name: "Add CLI version to versionsapi" | |
| if: needs.build-settings.outputs.ref != '-' | |
| permissions: | |
| contents: read | |
| id-token: write | |
| uses: ./.github/workflows/versionsapi.yml | |
| with: | |
| command: add | |
| ref: ${{ needs.build-settings.outputs.ref }} | |
| stream: ${{ needs.build-settings.outputs.stream }} | |
| version: ${{ needs.build-settings.outputs.imageVersion }} | |
| kind: "cli" | |
| add_latest: true |