ci: use nix + mkosi during os image build
malt3 committed Sep 19, 2023
1 parent 0bbf149 commit ec599f1
Showing 1 changed file with 41 additions and 219 deletions.
260 changes: 41 additions & 219 deletions .github/workflows/build-os-image.yml
Expand Up @@ -45,84 +45,6 @@ on:
required: false

jobs:
build-dependencies:
name: "Build binaries for embedding in the OS"
runs-on: ubuntu-22.04
permissions:
contents: read
packages: read
outputs:
bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }}
disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }}
upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }}
measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }}
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ inputs.ref || github.head_ref }}

- name: Setup Go environment
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: "1.20.7"
cache: true

- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "false"

- name: Build bootstrapper
if: inputs.stream != 'debug'
uses: ./.github/actions/build_bootstrapper
with:
outputPath: ${{ github.workspace }}/build/bootstrapper

- name: Build debugd
if: inputs.stream == 'debug'
uses: ./.github/actions/build_debugd
with:
outputPath: ${{ github.workspace }}/build/debugd

- name: Build disk-mapper
uses: ./.github/actions/build_disk_mapper
with:
outputPath: ${{ github.workspace }}/build/disk-mapper

- name: Build upgrade-agent
uses: ./.github/actions/build_upgrade_agent
with:
outputPath: ${{ github.workspace }}/build/upgrade-agent

- name: Build measurement-reader
uses: ./.github/actions/build_measurement_reader
with:
outputPath: ${{ github.workspace }}/build/measurement-reader

- name: Upload dependencies
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
env:
MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }}
with:
name: dependencies
path: |
${{ github.workspace }}/build/${{ env.MAIN_BINARY }}
${{ github.workspace }}/build/disk-mapper
${{ github.workspace }}/build/upgrade-agent
${{ github.workspace }}/build/measurement-reader
- name: Collect hashes
id: collect-hashes
working-directory: ${{ github.workspace }}/build
run: |
{
echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)"
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)"
echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)"
echo "measurement-reader-sha256=$(sha256sum measurement-reader | head -c 64)"
} | tee -a "$GITHUB_OUTPUT"
build-settings:
name: "Determine build settings"
runs-on: ubuntu-22.04
Expand Down Expand Up @@ -185,42 +107,9 @@ jobs:
;;
esac
- name: Determine PKI set
id: pki-set
shell: bash
run: |
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ steps.stream.outputs.stream }}" == "stable" ]]; then
echo "pkiSet=pki_prod" | tee -a "$GITHUB_OUTPUT"
else
echo "pkiSet=pki_testing" | tee -a "$GITHUB_OUTPUT"
fi
- name: Determine image version
id: image-version
shell: bash
env:
REF: ${{ steps.ref.outputs.ref }}
STREAM: ${{ steps.stream.outputs.stream }}
IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
run: |
{
echo "imageVersion=${IMAGE_VERSION}"
echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
} | tee -a "$GITHUB_OUTPUT"
if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
elif [[ "${REF}" = "-" ]]; then
echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
else
echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
fi
make-os-image:
name: "Build OS using mkosi"
needs: [build-settings, build-dependencies]
needs: [build-settings]
runs-on: ubuntu-22.04
# TODO(malt3): flatten outputs once possible
# https://github.com/community/community/discussions/17245
Expand All @@ -237,14 +126,6 @@ jobs:
image-initrd-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-azure-sev-snp-sha256 }}
image-initrd-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-gcp-sev-es-sha256 }}
image-initrd-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-qemu-vtpm-sha256 }}
image-root-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }}
image-root-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-azure-sev-snp-sha256 }}
image-root-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }}
image-root-raw-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }}
image-root-verity-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }}
image-root-verity-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-azure-sev-snp-sha256 }}
image-root-verity-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }}
image-root-verity-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }}
image-vmlinuz-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }}
image-vmlinuz-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }}
image-vmlinuz-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }}
Expand Down Expand Up @@ -281,97 +162,57 @@ jobs:
with:
ref: ${{ inputs.ref || github.head_ref }}

- name: Download build dependencies
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: dependencies
path: ${{ github.workspace }}/build

- name: Mark bootstrapper, debugd, disk-mapper, measurement-reader, and upgrade-agent as executable
run: |
chmod +x ${{ github.workspace }}/build/bootstrapper || true
chmod +x ${{ github.workspace }}/build/debugd || true
chmod +x ${{ github.workspace }}/build/disk-mapper
chmod +x ${{ github.workspace }}/build/upgrade-agent
chmod +x ${{ github.workspace }}/build/measurement-reader
- name: Setup mkosi
uses: ./.github/actions/setup_mkosi
with:
version: d8b32fbf3077b612db0024276e73cec3c2c87577
systemdVersion: f6e94c5f7ddd796095cf6294857e535dcdbfc677

- name: Prepare PKI for secure boot signing
id: prepare-pki
shell: bash
working-directory: ${{ github.workspace }}/image
env:
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
run: |
echo "${DB_KEY}" > "${PKI_SET}/db.key"
chmod 600 "${PKI_SET}/db.key"
ln -s "${PKI_SET}" pki
- uses: cachix/install-nix-action@v22

- name: Build
id: build
shell: bash
working-directory: ${{ github.workspace }}/image
env:
BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
DEBUGD_BINARY: ${{ github.workspace }}/build/bootstrapper
DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent
MEASUREMENT_READER_BINARY: ${{ github.workspace }}/build/measurement-reader
DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }}
AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }}
IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
CSP: ${{ matrix.csp }}
ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
run: |
echo "::group::Build"
sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}_${ATTESTATION_VARIANT}"
echo "::endgroup::"
- name: Collect hashes
id: collect-hashes
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
run: |
bazel build --host_platform=@rules_nixpkgs_core//platforms:host "${TARGET}"
{
echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.raw | head -c 64)"
echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.efi | head -c 64)"
echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.esp.raw | head -c 64)"
echo "image-root-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64.raw | head -c 64)"
echo "image-root-verity-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64-verity.raw | head -c 64)"
echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.vmlinuz | head -c 64)"
echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)"
echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)"
echo "image-dir=$(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files "$TARGET")"
} | tee -a "$GITHUB_OUTPUT"
echo "::endgroup::"
# - name: Collect hashes
# id: collect-hashes
# working-directory: ${{ github.workspace }}/build/image_dir
# run: |
# {
# echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.raw | head -c 64)"
# echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.efi | head -c 64)"
# echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.initrd | head -c 64)"
# echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.vmlinuz | head -c 64)"
# # echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)"
# # echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)"
# } | tee -a "$GITHUB_OUTPUT"

- name: Upload raw OS image as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw
path: ${{ steps.build.outputs.image-dir }}/constellation.raw

- name: Upload individual OS parts as artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.cmdline
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.efi
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.esp.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64-verity.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.vmlinuz
- name: Upload manifest as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.changelog
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.manifest
${{ steps.build.outputs.image-dir }}/constellation.efi
${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
# - name: Upload manifest as artifact
# uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
# with:
# name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}
# path: |
# ${{ github.workspace }}/build/image_dir/image.changelog
# ${{ github.workspace }}/build/image_dir/image.manifest

upload-os-image:
name: "Upload OS image to CSP"
Expand Down Expand Up @@ -446,13 +287,6 @@ jobs:
with:
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"

- name: Prepare PKI for image upload
id: prepare-pki
shell: bash
working-directory: ${{ github.workspace }}/image
run: |
ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
- name: Upload AWS image
if: matrix.csp == 'aws'
shell: bash
Expand Down Expand Up @@ -799,7 +633,7 @@ jobs:
generate-sbom:
name: "Generate SBOM"
needs: [build-settings, build-dependencies, make-os-image]
needs: [build-settings, make-os-image]
permissions:
id-token: write
contents: read
Expand Down Expand Up @@ -865,42 +699,30 @@ jobs:
- name: Combine hashes
run: |
cat > SHA256SUMS <<EOF
${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent
${{ needs.build-dependencies.outputs.measurement-reader-sha256 }} measurement-reader
${{ needs.make-os-image.outputs.image-raw-aws-aws-nitro-tpm-sha256 }} aws/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-aws-aws-nitro-tpm-sha256 }} aws/image.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-aws-aws-nitro-tpm-sha256 }} aws/image.manifest
${{ needs.make-os-image.outputs.image-efi-aws-aws-nitro-tpm-sha256 }} aws/image.efi
${{ needs.make-os-image.outputs.image-efi-aws-aws-nitro-tpm-sha256 }} aws/constellation.efi
${{ needs.make-os-image.outputs.image-initrd-aws-aws-nitro-tpm-sha256 }} aws/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }} aws/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }} aws/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }} aws/image.vmlinuz
${{ needs.make-os-image.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }} aws/constellation.vmlinuz
${{ needs.make-os-image.outputs.image-raw-azure-azure-sev-snp-sha256 }} azure/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-azure-azure-sev-snp-sha256 }} azure/image.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-azure-azure-sev-snp-sha256 }} azure/image.manifest
${{ needs.make-os-image.outputs.image-efi-azure-azure-sev-snp-sha256 }} azure/image.efi
${{ needs.make-os-image.outputs.image-efi-azure-azure-sev-snp-sha256 }} azure/constellation.efi
${{ needs.make-os-image.outputs.image-initrd-azure-azure-sev-snp-sha256 }} azure/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-azure-azure-sev-snp-sha256 }} azure/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-azure-azure-sev-snp-sha256 }} azure/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }} azure/image.vmlinuz
${{ needs.make-os-image.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }} azure/constellation.vmlinuz
${{ needs.make-os-image.outputs.image-raw-gcp-gcp-sev-es-sha256 }} gcp/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-gcp-gcp-sev-es-sha256 }} gcp/image.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-gcp-gcp-sev-es-sha256 }} gcp/image.manifest
${{ needs.make-os-image.outputs.image-efi-gcp-gcp-sev-es-sha256 }} gcp/image.efi
${{ needs.make-os-image.outputs.image-efi-gcp-gcp-sev-es-sha256 }} gcp/constellation.efi
${{ needs.make-os-image.outputs.image-initrd-gcp-gcp-sev-es-sha256 }} gcp/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }} gcp/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }} gcp/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }} gcp/image.vmlinuz
${{ needs.make-os-image.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }} gcp/constellation.vmlinuz
${{ needs.make-os-image.outputs.image-raw-qemu-qemu-vtpm-sha256 }} qemu/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-qemu-qemu-vtpm-sha256 }} qemu/image.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-qemu-qemu-vtpm-sha256 }} qemu/image.manifest
${{ needs.make-os-image.outputs.image-efi-qemu-qemu-vtpm-sha256 }} qemu/image.efi
${{ needs.make-os-image.outputs.image-efi-qemu-qemu-vtpm-sha256 }} qemu/constellation.efi
${{ needs.make-os-image.outputs.image-initrd-qemu-qemu-vtpm-sha256 }} qemu/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }} qemu/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }} qemu/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-qemu-vtpm-sha256 }} qemu/image.vmlinuz
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-qemu-vtpm-sha256 }} qemu/constellation.vmlinuz
EOF
cat SHA256SUMS
echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> "$GITHUB_STEP_SUMMARY"
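Review bot: The make-os-image job outputs still read `steps.collect-hashes.outputs.image-efi-*`, `image-initrd-*` and `image-vmlinuz-*`, but the only `collect-hashes` step visible on the new side is the commented-out one, so every `needs.make-os-image.outputs.*-sha256` consumed by the "Combine hashes" heredoc in generate-sbom expands to an empty string and the published SHA256SUMS ends up with blank digests next to `constellation.efi`, `constellation.initrd`, `constellation.vmlinuz` and `image.raw`. Either restore a `collect-hashes` step that runs `sha256sum` on `${{ steps.build.outputs.image-dir }}/constellation.{raw,efi,initrd,vmlinuz}` and emits the same output keys, or drop the dangling job outputs and their SHA256SUMS lines so a missing digest fails the job instead of being silently empty. Separately, `uses: cachix/install-nix-action@v22` is the only action reference in this workflow not pinned to a full commit SHA with a trailing version comment; since this job builds the measured, secure-boot-signed OS image, it should follow the file's convention, e.g. `uses: cachix/install-nix-action@<commit-sha> # v22`, rather than trusting a movable tag. The `image-dir` output is also taken from `bazel cquery --output=files` unvalidated — presumably a single directory path, but a `test -d "$IMAGE_DIR"` before the upload steps would make that assumption explicit.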
