Skip to content
Build and attest all

Require some references in stage0 to be 'static #389

Sign in to view logs

Require some references in stage0 to be 'static

Require some references in stage0 to be 'static #389

Workflow file for this run

.github/workflows/build.yaml at 686cca1
name: Build and attest all
on:
push:
branches: [main]
pull_request:
branches: [main]
# See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
build_attest_all:
strategy:
fail-fast: false
matrix:
buildconfig:
- buildconfigs/key_xor_test_app.sh
- buildconfigs/oak_client_android_app.sh
- buildconfigs/oak_containers_agent.sh
- buildconfigs/oak_containers_kernel.sh
- buildconfigs/oak_containers_orchestrator.sh
- buildconfigs/oak_containers_stage1.sh
- buildconfigs/oak_containers_syslogd.sh
- buildconfigs/oak_containers_system_image.sh
- buildconfigs/oak_containers_nvidia_system_image.sh
- buildconfigs/oak_echo_enclave_app.sh
- buildconfigs/oak_echo_raw_enclave_app.sh
- buildconfigs/oak_functions_enclave_app.sh
- buildconfigs/oak_functions_insecure_enclave_app.sh
- buildconfigs/oak_orchestrator.sh
- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
- buildconfigs/stage0_bin.sh
permissions:
actions: read
id-token: write
attestations: write
contents: read
runs-on: ubuntu-20.04
steps:
# Needed for GCS upload.
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
# Needed for GCS upload.
- name: Setup Google Cloud
uses: google-github-actions/setup-gcloud@v2
- name: Mount main branch
uses: actions/checkout@v4
# The runner comes with all this software pre-installed:
# https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2004-Readme.md
# To avoid failures due to lack of disk space, we delete some large packages
# which are irrelevant for building. Sources:
# https://github.com/jens-maus/RaspberryMatic/blob/ea6b8ce0dd2d53ea88b2766ba8d7f8e1d667281f/.github/workflows/ci.yml#L34-L40
# https://github.com/actions/runner-images/issues/2875
- name: Free disk space
run: |
set -o errexit
set -o xtrace
df --human-readable
sudo apt-get remove --yes \
'^dotnet-.*' '^llvm-.*' 'php.*' azure-cli \
hhvm google-chrome-stable firefox powershell
df --human-readable
sudo apt-get autoremove --yes
df --human-readable
sudo apt clean
df --human-readable
docker rmi $(docker image ls --all --quiet)
df --human-readable
rm --recursive --force "${AGENT_TOOLSDIRECTORY}"
df --human-readable
# Keeps two versions of SUBJECT_PATHS, with space resp. comma as
# path separator. Both are needed in later steps.
- name: Parse buildconfig
id: parse
run: |
set -o errexit
set -o nounset
set -o pipefail
source ${{ matrix.buildconfig }}
echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}"
paths="${SUBJECT_PATHS[@]}"
echo "subject-paths=${paths}" >> "${GITHUB_OUTPUT}"
echo "subject-paths-commas=${paths// /,}" >> "${GITHUB_OUTPUT}"
- name: Show values
run: |
set -o errexit
set -o nounset
set -o pipefail
gsutil --version
echo "package_name: ${{ steps.parse.outputs.package-name }}"
echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}"
echo "subject_paths_commas: ${{ steps.parse.outputs.subject-paths-commas }}"
echo "GITHUB_SHA: ${GITHUB_SHA}"
- name: Build
id: build
run: |
set -o errexit
set -o nounset
set -o pipefail
source ${{ matrix.buildconfig }}
export RUST_BACKTRACE=1
export RUST_LOG=debug
export XDG_RUNTIME_DIR=/var/run
scripts/docker_pull
scripts/docker_run "${BUILD_COMMAND[@]}"
- name: Show build artifacts
run: |
echo "${{ steps.parse.outputs.subject-paths }}"
ls -la ${{ steps.parse.outputs.subject-paths }}
- name: Attest
id: attest
uses: actions/attest-build-provenance@v1.1.1
with:
subject-path: ${{ steps.parse.outputs.subject-paths-commas }}
- name: Show bundle
run: |
echo "${{ steps.attest.outputs.bundle-path }}"
ls -la "${{ steps.attest.outputs.bundle-path }}"
cat "${{ steps.attest.outputs.bundle-path }}"
# Upload binary and provenance to GCS and index via http://static.space
# so that, regardless of the GCS bucket and path, it can easily be
# located by its digest.
#
# TODO: b/339774247 - The filenames are hardwired for now so they don't
# collide with the upload from the other workflow (which doesn't use
# these names).
- name: Upload
id: upload
run: |
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
bucket=oak-bins
package_name=${{ steps.parse.outputs.package-name }}
subject_paths=( ${{ steps.parse.outputs.subject-paths }} )
binary_path="${subject_paths[0]}"
provenance_path=${{ steps.attest.outputs.bundle-path }}
gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"
binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"
provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"
gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${binary_url}\" }" \
https://api.static.space/v1/snapshot
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${provenance_url}\" }" \
https://api.static.space/v1/snapshot