Build and Upload OS image #729

Workflow file for this run

.github/workflows/build-os-image.yml at 58419f4

	name: Build and Upload OS image

	on:
	workflow_dispatch:
	inputs:
	imageVersion:
	description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
	required: false
	isRelease:
	description: 'Is this a release? (sets "ref" to special value "-")'
	type: boolean
	required: false
	default: false
	stream:
	description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
	type: choice
	required: true
	options:
	- "debug"
	- "console"
	- "nightly"
	- "stable"
	ref:
	type: string
	description: "Git ref to checkout"
	required: false
	workflow_call:
	inputs:
	imageVersion:
	description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
	required: false
	type: string
	isRelease:
	description: 'Is this a release? (sets "ref" to special value "-")'
	type: boolean
	required: false
	default: false
	stream:
	description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
	type: string
	required: true
	ref:
	type: string
	description: "Git ref to checkout"
	required: false

	jobs:
	build-settings:
	name: "Determine build settings"
	runs-on: ubuntu-22.04
	outputs:
	ref: ${{ steps.ref.outputs.ref }}
	stream: ${{ steps.stream.outputs.stream }}
	imageType: ${{ steps.image-type.outputs.imageType }}
	imageVersion: ${{ steps.image-version.outputs.imageVersion }}
	imageName: ${{ steps.image-version.outputs.imageName }}
	imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
	imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
	cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
	steps:
	- name: Checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	ref: ${{ inputs.ref \|\| github.head_ref }}

	- name: Determine version
	id: version
	uses: ./.github/actions/pseudo_version

	- name: Determine ref
	id: ref
	run: \|
	if [[ "${{ inputs.isRelease }}" = "true" ]]; then
	echo "ref=-" \| tee -a "$GITHUB_OUTPUT"
	else
	echo "ref=${{ steps.version.outputs.branchName }}" \| tee -a "$GITHUB_OUTPUT"
	fi

	- name: Determine and validate stream
	id: stream
	run: \|
	if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then
	echo "Nightly builds are not allowed for releases"
	exit 1
	fi
	if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then
	echo "Stable builds are only allowed for releases"
	exit 1
	fi

	echo "stream=${{ inputs.stream }}" \| tee -a "$GITHUB_OUTPUT"

	- name: Determine type of image build
	shell: bash
	id: image-type
	run: \|
	case "${{ steps.stream.outputs.stream }}" in
	"debug")
	echo "imageType=debug" \| tee -a "$GITHUB_OUTPUT"
	;;
	"console")
	echo "imageType=console" \| tee -a "$GITHUB_OUTPUT"
	;;
	*)
	echo "imageType=default" \| tee -a "$GITHUB_OUTPUT"
	;;
	esac

	- name: Determine image version
	id: image-version
	shell: bash
	env:
	REF: ${{ steps.ref.outputs.ref }}
	STREAM: ${{ steps.stream.outputs.stream }}
	IMAGE_VERSION: ${{ inputs.imageVersion \|\| steps.version.outputs.version }}
	run: \|
	{
	echo "imageVersion=${IMAGE_VERSION}"
	echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
	echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
	echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
	} \| tee -a "$GITHUB_OUTPUT"

	if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
	echo "imageNameShort=${IMAGE_VERSION}" \| tee -a "$GITHUB_OUTPUT"
	elif [[ "${REF}" = "-" ]]; then
	echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" \| tee -a "$GITHUB_OUTPUT"
	else
	echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" \| tee -a "$GITHUB_OUTPUT"
	fi

	make-os-image:
	name: "Build OS using mkosi"
	needs: [build-settings]
	runs-on: ubuntu-latest-8-cores
	strategy:
	fail-fast: false
	matrix:
	include:
	- csp: aws
	attestation_variant: aws-nitro-tpm
	- csp: aws
	attestation_variant: aws-sev-snp
	- csp: azure
	attestation_variant: azure-sev-snp
	- csp: gcp
	attestation_variant: gcp-sev-es
	- csp: gcp
	attestation_variant: gcp-sev-snp
	- csp: qemu
	attestation_variant: qemu-vtpm
	- csp: openstack
	attestation_variant: qemu-vtpm
	steps:
	- name: Checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	ref: ${{ inputs.ref \|\| github.head_ref }}

	- uses: ./.github/actions/setup_bazel_nix
	with:
	useCache: "false"

	- name: Build
	id: build
	shell: bash
	working-directory: ${{ github.workspace }}/image
	env:
	TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
	run: \|
	echo "::group::Build"
	bazel build "${TARGET}"
	{
	echo "image-dir=$(bazel cquery --output=files "$TARGET")"
	} \| tee -a "$GITHUB_OUTPUT"
	echo "::endgroup::"

	- name: Upload raw OS image as artifact
	uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
	with:
	name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
	path: ${{ steps.build.outputs.image-dir }}/constellation.raw

	- name: Upload individual OS parts as artifacts
	uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
	with:
	name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
	path: \|
	${{ steps.build.outputs.image-dir }}/constellation.efi
	${{ steps.build.outputs.image-dir }}/constellation.initrd
	${{ steps.build.outputs.image-dir }}/constellation.vmlinuz

	upload-os-image:
	name: "Upload OS image to CSP"
	needs: [build-settings, make-os-image]
	runs-on: ubuntu-22.04
	permissions:
	id-token: write
	contents: read
	strategy:
	fail-fast: false
	matrix:
	include:
	- csp: aws
	attestation_variant: aws-nitro-tpm
	- csp: aws
	attestation_variant: aws-sev-snp
	- csp: azure
	attestation_variant: azure-sev-snp
	- csp: gcp
	attestation_variant: gcp-sev-es
	- csp: gcp
	attestation_variant: gcp-sev-snp
	- csp: qemu
	attestation_variant: qemu-vtpm
	- csp: openstack
	attestation_variant: qemu-vtpm
	env:
	RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/constellation.raw
	JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json
	AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd
	GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz
	SHORTNAME: ${{ needs.build-settings.outputs.imageNameShort }}
	ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
	steps:
	- name: Checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	ref: ${{ inputs.ref \|\| github.head_ref }}

	- uses: ./.github/actions/setup_bazel_nix
	with:
	useCache: "false"

	- name: Download OS image artifact
	uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	with:
	name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
	path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38

	- name: Install tools
	shell: bash
	run: \|
	echo "::group::Install tools"
	sudo apt-get update
	sudo apt-get install -y \
	pigz \
	qemu-utils \
	python3-pip
	echo "::endgroup::"

	- name: Login to AWS
	uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
	with:
	role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
	aws-region: eu-central-1

	- name: Login to Azure
	if: matrix.csp == 'azure'
	uses: ./.github/actions/login_azure
	with:
	azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}

	- name: Login to GCP
	if: matrix.csp == 'gcp'
	uses: ./.github/actions/login_gcp
	with:
	service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"

	- name: Upload AWS image
	if: matrix.csp == 'aws'
	shell: bash
	working-directory: ${{ github.workspace }}/image
	run: \|
	echo "::group::Upload AWS image"
	bazel run //image/upload -- image aws \
	--verbose \
	--raw-image "${RAW_IMAGE_PATH}" \
	--attestation-variant "${ATTESTATION_VARIANT}" \
	--version "${SHORTNAME}" \
	--out "${JSON_OUTPUT}"
	echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
	echo "::endgroup::"

	- name: Upload GCP image
	if: matrix.csp == 'gcp'
	shell: bash
	working-directory: ${{ github.workspace }}/image
	run: \|
	echo "::group::Upload GCP image"
	upload/pack.sh gcp "${RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
	bazel run //image/upload -- image gcp \
	--verbose \
	--raw-image "${GCP_IMAGE_PATH}" \
	--attestation-variant "${ATTESTATION_VARIANT}" \
	--version "${SHORTNAME}" \
	--out "${JSON_OUTPUT}"
	echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
	echo "::endgroup::"

	- name: Upload Azure image
	if: matrix.csp == 'azure'
	shell: bash
	working-directory: ${{ github.workspace }}/image
	run: \|
	echo "::group::Upload Azure image"
	upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
	bazel run //image/upload -- image azure \
	--verbose \
	--raw-image "${AZURE_IMAGE_PATH}" \
	--attestation-variant "${ATTESTATION_VARIANT}" \
	--version "${SHORTNAME}" \
	--out "${JSON_OUTPUT}"
	echo -e "Uploaded Azure image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
	echo "::endgroup::"

	- name: Upload OpenStack image
	if: matrix.csp == 'openstack'
	shell: bash
	working-directory: ${{ github.workspace }}/image
	run: \|
	echo "::group::Upload OpenStack image"
	bazel run //image/upload -- image openstack \
	--verbose \
	--raw-image "${RAW_IMAGE_PATH}" \
	--attestation-variant "${ATTESTATION_VARIANT}" \
	--version "${SHORTNAME}" \
	--out "${JSON_OUTPUT}"
	echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
	echo "::endgroup::"

	- name: Upload QEMU image
	if: matrix.csp == 'qemu'
	shell: bash
	working-directory: ${{ github.workspace }}/image
	run: \|
	echo "::group::Upload QEMU image"
	bazel run //image/upload -- image qemu \
	--verbose \
	--raw-image "${RAW_IMAGE_PATH}" \
	--attestation-variant "${ATTESTATION_VARIANT}" \
	--version "${SHORTNAME}" \
	--out "${JSON_OUTPUT}"
	echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
	echo "::endgroup::"

	- name: Upload image lookup table as artifact
	uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
	with:
	name: lookup-table
	path: ${{ github.workspace }}/image/mkosi.output.//image-upload*.json

	calculate-pcrs:
	name: "Calculate PCRs"
	needs: [build-settings, make-os-image]
	permissions:
	id-token: write
	contents: read
	runs-on: ubuntu-22.04
	strategy:
	fail-fast: false
	matrix:
	include:
	- csp: aws
	attestation_variant: aws-nitro-tpm
	- csp: aws
	attestation_variant: aws-sev-snp
	- csp: azure
	attestation_variant: azure-sev-snp
	- csp: gcp
	attestation_variant: gcp-sev-es
	- csp: gcp
	attestation_variant: gcp-sev-snp
	- csp: qemu
	attestation_variant: qemu-vtpm
	- csp: openstack
	attestation_variant: qemu-vtpm
	steps:
	- name: Checkout repository
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	ref: ${{ inputs.ref \|\| github.head_ref }}

	- name: Download OS image artifact
	uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	with:
	name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}

	- uses: ./.github/actions/setup_bazel_nix
	with:
	useCache: "false"

	- name: Install dependencies
	run: \|
	echo "::group::Install dependencies"
	sudo apt-get update
	sudo apt-get install -y systemd-container # for systemd-dissect
	echo "::endgroup::"

	- name: Calculate expected PCRs
	working-directory: ${{ github.workspace }}/image/measured-boot
	run: \|
	echo "::group::Calculate expected PCRs"
	bazel run --run_under="sudo -E" //image/measured-boot/cmd ${{ github.workspace }}/constellation.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json >> "$GITHUB_STEP_SUMMARY"
	echo "::endgroup::"

	- name: Add static PCRs
	run: \|
	case ${{ matrix.csp }} in
	aws)
	yq e '.csp = "AWS" \|
	.attestationVariant = "${{ matrix.attestation_variant }}" \|
	.measurements.0.warnOnly = true \|
	.measurements.0.expected = "737f767a12f54e70eecbc8684011323ae2fe2dd9f90785577969d7a2013e8c12" \|
	.measurements.2.warnOnly = true \|
	.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.3.warnOnly = true \|
	.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.4.warnOnly = false \|
	.measurements.6.warnOnly = true \|
	.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.8.warnOnly = false \|
	.measurements.9.warnOnly = false \|
	.measurements.11.warnOnly = false \|
	.measurements.12.warnOnly = false \|
	.measurements.13.warnOnly = false \|
	.measurements.14.warnOnly = true \|
	.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" \|
	.measurements.15.warnOnly = false' \
	-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
	;;
	azure)
	yq e '.csp = "Azure" \|
	.attestationVariant = "${{ matrix.attestation_variant }}" \|
	.measurements.1.warnOnly = true \|
	.measurements.1.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.2.warnOnly = true \|
	.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.3.warnOnly = true \|
	.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.4.warnOnly = false \|
	.measurements.8.warnOnly = false \|
	.measurements.9.warnOnly = false \|
	.measurements.11.warnOnly = false \|
	.measurements.12.warnOnly = false \|
	.measurements.13.warnOnly = false \|
	.measurements.14.warnOnly = true \|
	.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" \|
	.measurements.15.warnOnly = false' \
	-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
	;;
	gcp)
	yq e '.csp = "GCP" \|
	.attestationVariant = "${{ matrix.attestation_variant }}" \|
	.measurements.1.warnOnly = true \|
	.measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" \|
	.measurements.2.warnOnly = true \|
	.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.3.warnOnly = true \|
	.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.4.warnOnly = false \|
	.measurements.6.warnOnly = true \|
	.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" \|
	.measurements.8.warnOnly = false \|
	.measurements.9.warnOnly = false \|
	.measurements.11.warnOnly = false \|
	.measurements.12.warnOnly = false \|
	.measurements.13.warnOnly = false \|
	.measurements.14.warnOnly = true \|
	.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" \|
	.measurements.15.warnOnly = false' \
	-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
	;;
	openstack)
	yq e '.csp = "OpenStack" \|
	.attestationVariant = "${{ matrix.attestation_variant }}" \|
	.measurements.4.warnOnly = false \|
	.measurements.8.warnOnly = false \|
	.measurements.9.warnOnly = false \|
	.measurements.11.warnOnly = false \|
	.measurements.12.warnOnly = false \|
	.measurements.13.warnOnly = false \|
	.measurements.14.warnOnly = true \|
	.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" \|
	.measurements.15.warnOnly = false' \
	-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
	;;
	qemu)
	yq e '.csp = "QEMU" \|
	.attestationVariant = "${{ matrix.attestation_variant }}" \|
	.measurements.4.warnOnly = false \|
	.measurements.8.warnOnly = false \|
	.measurements.9.warnOnly = false \|
	.measurements.11.warnOnly = false \|
	.measurements.12.warnOnly = false \|
	.measurements.13.warnOnly = false \|
	.measurements.14.warnOnly = true \|
	.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" \|
	.measurements.15.warnOnly = false' \
	-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
	;;
	*)
	echo "Unknown CSP: ${{ matrix.csp }}"
	exit 1
	;;
	esac

	# TODO (malt3): Calculate PCR from firmware blob.
	# AWS SNP machines have a different expected value for PCR 0.
	if [[ ${{ matrix.attestation_variant }} = "aws-sev-snp" ]]
	then
	yq e '.csp = "AWS" \|
	.measurements.0.expected = "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"' \
	-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
	fi

	- name: Envelope measurements
	shell: bash
	run: \|
	echo "::group::Envelope measurements"
	bazel run //image/upload -- measurements envelope \
	--in "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
	--out "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
	--version "${{ needs.build-settings.outputs.imageNameShort }}" \
	--csp "${{ matrix.csp }}" \
	--attestation-variant "${{ matrix.attestation_variant }}"
	echo "::endgroup::"

	- name: Upload expected measurements as artifact
	uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
	with:
	name: measurements
	path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json

	upload-pcrs:
	name: "Sign & upload PCRs"
	needs: [build-settings, calculate-pcrs]
	permissions:
	id-token: write
	contents: read
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout repository
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	ref: ${{ inputs.ref \|\| github.head_ref }}

	- uses: ./.github/actions/setup_bazel_nix
	with:
	useCache: "false"

	- name: Download measurements
	uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	with:
	name: measurements

	- name: Login to AWS
	uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
	with:
	role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
	aws-region: eu-central-1

	- name: Install Cosign
	uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1

	- name: Install Rekor
	shell: bash
	run: \|
	curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
	sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
	rm rekor-cli-linux-amd64

	- name: Merge measurements
	shell: bash
	run: \|
	echo "::group::Merge measurements"
	bazel run //image/upload -- measurements merge \
	--out measurements.json \
	pcrs-*.json
	echo "::endgroup::"

	- name: Sign measurements
	if: inputs.stream != 'debug'
	shell: bash
	env:
	COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY \|\| secrets.COSIGN_DEV_PUBLIC_KEY }}
	COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY \|\| secrets.COSIGN_DEV_PRIVATE_KEY }}
	COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD \|\| secrets.COSIGN_DEV_PASSWORD }}
	run: \|
	echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
	# Enabling experimental mode also publishes signature to Rekor
	COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY \
	"${{ github.workspace }}/measurements.json" > "${{ github.workspace }}/measurements.json.sig"
	# Verify - As documentation & check
	# Local Signature (input: artifact, key, signature)
	cosign verify-blob --key cosign.pub \
	--signature "measurements.json.sig" \
	"measurements.json"
	# Transparency Log Signature (input: artifact, key)
	uuid=$(rekor-cli search --artifact "${{ github.workspace }}/measurements.json" \| tail -n 1)
	sig=$(rekor-cli get --uuid="${uuid}" --format=json \| jq -r .Body.HashedRekordObj.signature.content)
	cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/measurements.json"

	- name: Create stub signature file
	if: inputs.stream == 'debug'
	shell: bash
	run: \|
	echo "THOSE MEASUREMENTS BELONG TO A DEBUG IMAGE. THOSE ARE NOT SINGED BY ANY KEY." > "${{ github.workspace }}/measurements.json.sig"

	- name: Upload measurements
	shell: bash
	run: \|
	echo "::group::Upload measurements"
	bazel run //image/upload -- measurements upload \
	--measurements measurements.json \
	--signature measurements.json.sig
	echo "::endgroup::"

	upload-artifacts:
	name: "Upload image lookup table and CLI compatibility info"
	runs-on: ubuntu-22.04
	needs: [build-settings, upload-os-image]
	permissions:
	id-token: write
	contents: read
	steps:
	- name: Checkout repository
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	ref: ${{ inputs.ref \|\| github.head_ref }}

	- uses: ./.github/actions/setup_bazel_nix
	with:
	useCache: "false"

	- name: Download image lookup table
	uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
	with:
	name: lookup-table

	- name: Login to AWS
	uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
	with:
	role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
	aws-region: eu-central-1

	- name: Upload lookup table to S3
	shell: bash
	run: bazel run //image/upload -- info --verbose mkosi.output.//image-upload*.json

	- name: Checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	ref: ${{ inputs.ref \|\| github.head_ref }}

	- name: Create CLI compatibility information artifact
	shell: bash
	run: \|
	bazel run //hack/cli-k8s-compatibility -- \
	--ref=${{ needs.build-settings.outputs.ref }} \
	--stream=${{ needs.build-settings.outputs.stream }} \
	--version=${{ needs.build-settings.outputs.imageVersion }} \

	add-image-version-to-versionsapi:
	needs: [upload-artifacts, upload-pcrs, build-settings]
	name: "Add image version to versionsapi"
	if: needs.build-settings.outputs.ref != '-'
	permissions:
	contents: read
	id-token: write
	uses: ./.github/workflows/versionsapi.yml
	with:
	command: add
	ref: ${{ needs.build-settings.outputs.ref }}
	stream: ${{ needs.build-settings.outputs.stream }}
	version: ${{ needs.build-settings.outputs.imageVersion }}
	kind: "image"
	add_latest: true

	add-cli-version-to-versionsapi:
	needs: [upload-artifacts, build-settings, add-image-version-to-versionsapi]
	name: "Add CLI version to versionsapi"
	if: needs.build-settings.outputs.ref != '-'
	permissions:
	contents: read
	id-token: write
	uses: ./.github/workflows/versionsapi.yml
	with:
	command: add
	ref: ${{ needs.build-settings.outputs.ref }}
	stream: ${{ needs.build-settings.outputs.stream }}
	version: ${{ needs.build-settings.outputs.imageVersion }}
	kind: "cli"
	add_latest: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build and Upload OS image #729

Workflow file

Build and Upload OS image #729

Jobs

Run details

Workflow file for this run