Create EncryptionProvider trait #455
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and attest all | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
# See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
build_attest_all: | |
strategy: | |
fail-fast: false | |
matrix: | |
buildconfig: | |
- buildconfigs/key_xor_test_app.sh | |
- buildconfigs/oak_client_android_app.sh | |
- buildconfigs/oak_containers_agent.sh | |
- buildconfigs/oak_containers_kernel.sh | |
- buildconfigs/oak_containers_orchestrator.sh | |
- buildconfigs/oak_containers_stage1.sh | |
- buildconfigs/oak_containers_syslogd.sh | |
- buildconfigs/oak_containers_system_image.sh | |
- buildconfigs/oak_containers_nvidia_system_image.sh | |
- buildconfigs/oak_echo_enclave_app.sh | |
- buildconfigs/oak_echo_raw_enclave_app.sh | |
- buildconfigs/oak_functions_enclave_app.sh | |
- buildconfigs/oak_functions_insecure_enclave_app.sh | |
- buildconfigs/oak_orchestrator.sh | |
- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh | |
- buildconfigs/stage0_bin.sh | |
permissions: | |
actions: read | |
id-token: write | |
attestations: write | |
contents: read | |
runs-on: ubuntu-20.04 | |
steps: | |
# Needed for GCS upload. | |
- name: Authenticate to Google Cloud | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }} | |
# Needed for GCS upload. | |
- name: Setup Google Cloud | |
uses: google-github-actions/setup-gcloud@v2 | |
- name: Mount main branch | |
uses: actions/checkout@v4 | |
# The runner comes with all this software pre-installed: | |
# https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2004-Readme.md | |
# To avoid failures due to lack of disk space, we delete some large packages | |
# which are irrelevant for building. Sources: | |
# https://github.com/jens-maus/RaspberryMatic/blob/ea6b8ce0dd2d53ea88b2766ba8d7f8e1d667281f/.github/workflows/ci.yml#L34-L40 | |
# https://github.com/actions/runner-images/issues/2875 | |
- name: Free disk space | |
run: | | |
set -o errexit | |
set -o xtrace | |
df --human-readable | |
sudo apt-get remove --yes \ | |
'^dotnet-.*' '^llvm-.*' 'php.*' azure-cli \ | |
hhvm google-chrome-stable firefox powershell | |
df --human-readable | |
sudo apt-get autoremove --yes | |
df --human-readable | |
sudo apt clean | |
df --human-readable | |
docker rmi $(docker image ls --all --quiet) | |
df --human-readable | |
rm --recursive --force "${AGENT_TOOLSDIRECTORY}" | |
df --human-readable | |
# Keeps two versions of SUBJECT_PATHS, with space resp. comma as | |
# path separator. Both are needed in later steps. | |
- name: Parse buildconfig | |
id: parse | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
source ${{ matrix.buildconfig }} | |
echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}" | |
paths="${SUBJECT_PATHS[@]}" | |
echo "subject-paths=${paths}" >> "${GITHUB_OUTPUT}" | |
echo "subject-paths-commas=${paths// /,}" >> "${GITHUB_OUTPUT}" | |
- name: Show values | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
gsutil --version | |
echo "package_name: ${{ steps.parse.outputs.package-name }}" | |
echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}" | |
echo "subject_paths_commas: ${{ steps.parse.outputs.subject-paths-commas }}" | |
echo "GITHUB_SHA: ${GITHUB_SHA}" | |
- name: Build | |
id: build | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
source ${{ matrix.buildconfig }} | |
export RUST_BACKTRACE=1 | |
export RUST_LOG=debug | |
export XDG_RUNTIME_DIR=/var/run | |
scripts/docker_pull | |
scripts/docker_run "${BUILD_COMMAND[@]}" | |
- name: Show build artifacts | |
run: | | |
echo "${{ steps.parse.outputs.subject-paths }}" | |
ls -la ${{ steps.parse.outputs.subject-paths }} | |
- name: Attest | |
id: attest | |
uses: actions/[email protected] | |
with: | |
subject-path: ${{ steps.parse.outputs.subject-paths-commas }} | |
- name: Show bundle | |
run: | | |
echo "${{ steps.attest.outputs.bundle-path }}" | |
ls -la "${{ steps.attest.outputs.bundle-path }}" | |
cat "${{ steps.attest.outputs.bundle-path }}" | |
# Upload binary and provenance to GCS and index via http://static.space | |
# so that, regardless of the GCS bucket and path, it can easily be | |
# located by its digest. | |
# | |
# TODO: b/339774247 - The filenames are hardwired for now so they don't | |
# collide with the upload from the other workflow (which doesn't use | |
# these names). | |
- name: Upload | |
id: upload | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
set -o xtrace | |
bucket=oak-bins | |
package_name=${{ steps.parse.outputs.package-name }} | |
subject_paths=( ${{ steps.parse.outputs.subject-paths }} ) | |
binary_path="${subject_paths[0]}" | |
provenance_path=${{ steps.attest.outputs.bundle-path }} | |
gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary" | |
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl" | |
binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}" | |
provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}" | |
gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}" | |
gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}" | |
curl --fail \ | |
--request POST \ | |
--header 'Content-Type: application/json' \ | |
--data "{ \"url\": \"${binary_url}\" }" \ | |
https://api.static.space/v1/snapshot | |
curl --fail \ | |
--request POST \ | |
--header 'Content-Type: application/json' \ | |
--data "{ \"url\": \"${provenance_url}\" }" \ | |
https://api.static.space/v1/snapshot |