diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 737c159ee0..a54e5a8337 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -45,84 +45,6 @@ on:
 required: false
 jobs:
- build-dependencies:
- name: "Build binaries for embedding in the OS"
- runs-on: ubuntu-22.04
- permissions:
- contents: read
- packages: read
- outputs:
- bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }}
- disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }}
- upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }}
- measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }}
- steps:
- - name: Checkout
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- with:
- ref: ${{ inputs.ref || github.head_ref }}
- - name: Setup Go environment
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
- with:
- go-version: "1.20.7"
- cache: true
- - name: Setup bazel
- uses: ./.github/actions/setup_bazel
- with:
- useCache: "false"
- - name: Build bootstrapper
- if: inputs.stream != 'debug'
- uses: ./.github/actions/build_bootstrapper
- with:
- outputPath: ${{ github.workspace }}/build/bootstrapper
- - name: Build debugd
- if: inputs.stream == 'debug'
- uses: ./.github/actions/build_debugd
- with:
- outputPath: ${{ github.workspace }}/build/debugd
- - name: Build disk-mapper
- uses: ./.github/actions/build_disk_mapper
- with:
- outputPath: ${{ github.workspace }}/build/disk-mapper
- - name: Build upgrade-agent
- uses: ./.github/actions/build_upgrade_agent
- with:
- outputPath: ${{ github.workspace }}/build/upgrade-agent
- - name: Build measurement-reader
- uses: ./.github/actions/build_measurement_reader
- with:
- outputPath: ${{ github.workspace }}/build/measurement-reader
- - name: Upload dependencies
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- env:
- MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }}
- with:
- name: dependencies
- path: |
- ${{ github.workspace }}/build/${{ env.MAIN_BINARY }}
- ${{
github.workspace }}/build/disk-mapper
- ${{ github.workspace }}/build/upgrade-agent
- ${{ github.workspace }}/build/measurement-reader
- - name: Collect hashes
- id: collect-hashes
- working-directory: ${{ github.workspace }}/build
- run: |
- {
- echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)"
- echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)"
- echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)"
- echo "measurement-reader-sha256=$(sha256sum measurement-reader | head -c 64)"
- } | tee -a "$GITHUB_OUTPUT"
-
 build-settings:
 name: "Determine build settings"
 runs-on: ubuntu-22.04
@@ -185,42 +107,9 @@ jobs:
 ;;
 esac
- - name: Determine PKI set
- id: pki-set
- shell: bash
- run: |
- if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ steps.stream.outputs.stream }}" == "stable" ]]; then
- echo "pkiSet=pki_prod" | tee -a "$GITHUB_OUTPUT"
- else
- echo "pkiSet=pki_testing" | tee -a "$GITHUB_OUTPUT"
- fi
- - name: Determine image version
- id: image-version
- shell: bash
- env:
- REF: ${{ steps.ref.outputs.ref }}
- STREAM: ${{ steps.stream.outputs.stream }}
- IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
- run: |
- {
- echo "imageVersion=${IMAGE_VERSION}"
- echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
- echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
- echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
- } | tee -a "$GITHUB_OUTPUT"
- if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
- echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
- elif [[ "${REF}" = "-" ]]; then
- echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
- else
- echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
- fi
-
 make-os-image:
 name: "Build OS using mkosi"
- needs: [build-settings, build-dependencies]
+ needs: [build-settings]
 runs-on: ubuntu-22.04
 # TODO(malt3): flatten outputs once possible
 # https://github.com/community/community/discussions/17245
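Review bot: Deleting the `image-version` step removes the `imageVersion`, `imageName`, `imageApiBasePath`, `cliApiBasePath` and `imageNameShort` outputs, but the `build-settings` `outputs:` mapping and the `upload-os-image` job that consume them are outside this hunk, and GitHub Actions expands a reference to an output that is no longer produced to an empty string rather than failing the run. If any consumer still reads `needs.build-settings.outputs.imageVersion`, the image would be published under a path with an empty version segment, so the remaining consumer should fail closed, e.g. `test -n "${IMAGE_VERSION}" || { echo "::error::imageVersion output is empty"; exit 1; }` at the top of its `run:` block. The same applies to the deleted `pki-set` output: the release-vs-testing Secure Boot key selection no longer happens in this workflow, and where that decision now lives is not visible in the diff, so a one-line comment above `make-os-image:` pointing at where signing is performed would help the next reader. The `build-settings` job starts before this hunk.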
@@ -237,14 +126,6 @@ jobs:
 image-initrd-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-azure-sev-snp-sha256 }}
 image-initrd-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-gcp-sev-es-sha256 }}
 image-initrd-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-qemu-vtpm-sha256 }}
- image-root-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }}
- image-root-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-azure-sev-snp-sha256 }}
- image-root-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }}
- image-root-raw-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }}
- image-root-verity-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }}
- image-root-verity-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-azure-sev-snp-sha256 }}
- image-root-verity-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }}
- image-root-verity-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }}
 image-vmlinuz-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }}
 image-vmlinuz-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }}
 image-vmlinuz-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }}
@@ -281,97 +162,57 @@ jobs:
 with:
 ref: ${{ inputs.ref || github.head_ref }}
- - name: Download build dependencies
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- with:
- name: dependencies
- path: ${{ github.workspace }}/build
- - name: Mark bootstrapper, debugd, disk-mapper, measurement-reader, and upgrade-agent as executable
- run: |
- chmod +x ${{ github.workspace }}/build/bootstrapper || true
- chmod +x ${{ github.workspace }}/build/debugd || true
- chmod +x ${{ github.workspace }}/build/disk-mapper
- chmod +x ${{ github.workspace }}/build/upgrade-agent
- chmod +x ${{ github.workspace }}/build/measurement-reader
- - name: Setup mkosi
- uses: ./.github/actions/setup_mkosi
- with:
- version: d8b32fbf3077b612db0024276e73cec3c2c87577
- systemdVersion: f6e94c5f7ddd796095cf6294857e535dcdbfc677
- - name: Prepare PKI for secure boot signing
- id: prepare-pki
- shell: bash
- working-directory: ${{ github.workspace }}/image
- env:
- PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
- DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
- run: |
- echo "${DB_KEY}" > "${PKI_SET}/db.key"
- chmod 600 "${PKI_SET}/db.key"
- ln -s "${PKI_SET}" pki
+ - uses: cachix/install-nix-action@v22
 - name: Build
+ id: build
 shell: bash
 working-directory: ${{ github.workspace }}/image
 env:
- BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
- DEBUGD_BINARY: ${{ github.workspace }}/build/bootstrapper
- DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
- UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent
- MEASUREMENT_READER_BINARY: ${{ github.workspace }}/build/measurement-reader
- DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }}
- AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }}
-
IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
- CSP: ${{ matrix.csp }}
- ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
+ TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
 run: |
 echo "::group::Build"
- sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}_${ATTESTATION_VARIANT}"
- echo "::endgroup::"
- - name: Collect hashes
- id: collect-hashes
- working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
- run: |
+ bazel build --host_platform=@rules_nixpkgs_core//platforms:host "${TARGET}"
 {
- echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.raw | head -c 64)"
- echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.efi | head -c 64)"
- echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.esp.raw | head -c 64)"
- echo "image-root-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64.raw | head -c 64)"
- echo "image-root-verity-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64-verity.raw | head -c 64)"
- echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.vmlinuz | head -c 64)"
- echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)"
- echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)"
+ echo "image-dir=$(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files "$TARGET")"
 } | tee -a "$GITHUB_OUTPUT"
+ echo "::endgroup::"
+
+ # - name: Collect hashes
+ # id: collect-hashes
+ # working-directory: ${{ github.workspace }}/build/image_dir
+ # run: |
+ # {
+ #
echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.raw | head -c 64)"
+ # echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.efi | head -c 64)"
+ # echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.initrd | head -c 64)"
+ # echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.vmlinuz | head -c 64)"
+ # # echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)"
+ # # echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)"
+ # } | tee -a "$GITHUB_OUTPUT"
 - name: Upload raw OS image as artifact
 uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
- path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw
+ path: ${{ steps.build.outputs.image-dir }}/constellation.raw
 - name: Upload individual OS parts as artifacts
 uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
 path: |
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.cmdline
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.efi
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.esp.raw
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64.raw
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant
}}/fedora~38/image.root-x86-64-verity.raw
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.vmlinuz
- - name: Upload manifest as artifact
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- with:
- name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}
- path: |
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.changelog
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.manifest
+ ${{ steps.build.outputs.image-dir }}/constellation.efi
+ ${{ steps.build.outputs.image-dir }}/constellation.initrd
+ ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
+
+ # - name: Upload manifest as artifact
+ # uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ # with:
+ # name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}
+ # path: |
+ # ${{ github.workspace }}/build/image_dir/image.changelog
+ # ${{ github.workspace }}/build/image_dir/image.manifest
 upload-os-image:
 name: "Upload OS image to CSP"
@@ -446,13 +287,6 @@ jobs:
 with:
 service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
- - name: Prepare PKI for image upload
- id: prepare-pki
- shell: bash
- working-directory: ${{ github.workspace }}/image
- run: |
- ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
-
 - name: Upload AWS image
 if: matrix.csp == 'aws'
 shell: bash
@@ -799,7 +633,7 @@ jobs:
 generate-sbom:
 name: "Generate SBOM"
- needs: [build-settings, build-dependencies, make-os-image]
+ needs: [build-settings, make-os-image]
 permissions:
 id-token: write
 contents: read
@@ -865,42 +699,30 @@ jobs:
 - name: Combine hashes
 run: |
 cat > SHA256SUMS <> "$GITHUB_STEP_SUMMARY"
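Review bot: `cachix/install-nix-action@v22` is referenced by a mutable tag, while every other third-party action visible in this workflow is pinned to a full commit SHA with a version comment (e.g. the `actions/upload-artifact@0b7f8abb…` lines below); a moved or compromised tag would let someone alter the toolchain that builds the attested OS image, so pin it the same way, `- uses: cachix/install-nix-action@<full-commit-sha> # v22`. The commented-out `Collect hashes` step also leaves the job's `image-*-sha256` outputs, which the outputs block above still maps to `steps.collect-hashes.outputs.*`, silently empty, so the SHA256SUMS written by `generate-sbom` will no longer carry image digests until the step is re-enabled against the new `constellation.*` file names; if that is intended for now, a `# TODO: re-enable once the Bazel target exposes the image parts` comment is better than unexplained dead YAML. Minor: `bazel cquery --output=files` can print more than one path, and a multi-line value written with `key=value` syntax corrupts `$GITHUB_OUTPUT`; `image-dir` presumably resolves to a single directory here, but piping through `head -n1` or adding an explicit line-count check would make that assumption visible. The `make-os-image` job starts before this hunk.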