aws: reintroduce SNP-based attestation #8965
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: tidy-check-generate | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
- "release/**" | |
pull_request: | |
jobs: | |
tidycheck: | |
name: tidy, check and generate | |
runs-on: [arc-runner-set] | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
with: | |
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} | |
# No token available for forks, so we can't push changes | |
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }} | |
- name: Install Dependencies | |
run: | | |
echo "::group::Install Dependencies" | |
sudo apt-get update && sudo apt-get -y install libcryptsetup-dev libvirt-dev | |
echo "::endgroup::" | |
- name: Setup Bazel | |
uses: ./.github/actions/setup_bazel_nix | |
with: | |
useCache: "rbe" | |
rbePlatform: "ubuntu-22.04" | |
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} | |
- name: Assume AWS role to upload Bazel dependencies to S3 | |
if: startsWith(github.head_ref, 'renovate/') | |
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
with: | |
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite | |
aws-region: eu-central-1 | |
- name: Upload Bazel dependencies to the mirror | |
if: startsWith(github.head_ref, 'renovate/') | |
shell: bash | |
run: | | |
bazel run //bazel/ci:deps_mirror_upgrade | |
bazel run //bazel/ci:deps_mirror_upload | |
- name: Run Bazel tidy | |
shell: bash | |
run: bazel run //:tidy | |
- name: Check if untidy | |
id: untidy | |
shell: bash | |
run: | | |
diff=$(git diff) | |
if [[ -z "$diff" ]]; then | |
echo "Everything is tidy." | |
echo "untidy=false" | tee -a "$GITHUB_OUTPUT" | |
exit 0 | |
fi | |
echo "Detected changes after tidy" | |
echo "untidy=true" | tee -a "$GITHUB_OUTPUT" | |
diffsum=$(echo "$diff" | sha256sum | cut -d' ' -f1) | |
echo "diffsum=${diffsum}" | tee -a "$GITHUB_OUTPUT" | |
- name: Run Bazel generate | |
shell: bash | |
run: bazel run //:generate | |
- name: Check if ungenerated | |
id: ungenerated | |
shell: bash | |
run: | | |
diff=$(git diff) | |
diffsum=$(echo "$diff" | sha256sum| cut -d' ' -f1) | |
if [[ "${{ steps.untidy.outputs.diffsum }}" == "${diffsum}" ]]; then | |
echo "Everything is tidy." | |
echo "ungenerated=false" | tee -a "$GITHUB_OUTPUT" | |
exit 0 | |
fi | |
echo "Detected changes after tidy" | |
echo "ungenerated=true" | tee -a "$GITHUB_OUTPUT" | |
- name: Check if tidy or generate made modifications | |
id: modified | |
shell: bash | |
run: | | |
diff=$(git diff) | |
if [[ -z "$diff" ]]; then | |
echo "Everything is tidy and generated." | |
exit 0 | |
fi | |
cat << EOF >> "${GITHUB_STEP_SUMMARY}" | |
\`\`\`diff | |
${diff} | |
\`\`\` | |
EOF | |
if [[ "${{ steps.untidy.outputs.untidy }}" == "true" ]] && | |
[[ "${{ steps.ungenerated.outputs.ungenerated }}" == "true" ]]; then | |
suggestCmd="'bazel run //:generate' &&' bazel run //:tidy'" | |
elif [[ "${{ steps.untidy.outputs.untidy }}" == "true" ]]; then | |
suggestCmd="'bazel run //:tidy'" | |
elif [[ "${{ steps.ungenerated.outputs.ungenerated }}" == "true" ]]; then | |
suggestCmd="'bazel run //:generate'" | |
fi | |
echo "::error::The repo is not tidy. Please run ${suggestCmd} and commit the changes." | |
exit 1 | |
- name: Run Bazel check | |
shell: bash | |
run: bazel run //:check | |
# The following steps are only executed if the previous tidy check failed | |
# and the action runs on an renovate branch. In this case, we tidy all | |
# modules again and commit the changes, so the user doesn't need to do it. | |
- name: Push changes | |
if: | | |
failure() && | |
(steps.modified.conclusion == 'failure') && | |
startsWith(github.head_ref, 'renovate/') && | |
!github.event.pull_request.head.repo.fork | |
shell: bash | |
run: | | |
git config --global user.name "edgelessci" | |
git config --global user.email "[email protected]" | |
git commit -am "deps: tidy all modules" | |
git push |