diff --git a/.github/workflows/build-os-image-requirements.txt b/.github/workflows/build-os-image-requirements.txt deleted file mode 100644 index f18c8e42edb..00000000000 --- a/.github/workflows/build-os-image-requirements.txt +++ /dev/null 
@@ -1,24 +0,0 @@
-lief==0.13.1 \
- --hash=sha256:018b542f09fe2305e1585a3e63a7e5132927b835062b456e5c8c571db7784d1e \
- --hash=sha256:0283a4c749afe58be8e21cdd9be79c657c51ca9b8346f75f4b97349b1f022851 \
- --hash=sha256:04c87039d1e68ebc467f83136179626403547dd1ce851541345f8ca0b1fe6c5b \
- --hash=sha256:16753bd72b1e3932d94d088a93b64e08c1f6c8bce1b064b47fe66ed73d9562b2 \
- --hash=sha256:23617d96d162081f8bf315d9b0494845891f8d0f04ad60991b83367ee9e261aa \
- --hash=sha256:3cfbc6c50f9e3a8015cd5ee88dfe83f423562c025439143bbd5c086a3f9fe599 \
- --hash=sha256:57bdb0471760c4ff520f5e5d005e503cc7ea3ebe22df307bb579a1a561b8c4e9 \
- --hash=sha256:661abaa48bc032b9a7529e0b73d2ced3e4a1f13381592f6b9e940750b07a5ac2 \
- --hash=sha256:8439805a389cc67b6d4ea7d757a3211f22298edce53c5b064fdf8bf05fabba54 \
- --hash=sha256:95a4b6d1f8dba9360aecf7542e54ce5eb02c0e88f2d827b5445594d5d51109f5 \
- --hash=sha256:965fadb1301d1a81f16067e4fa743d2be3f6aa71391a83b752ff811ec74b0766 \
- --hash=sha256:a0472636ab15b9afecf8b5d55966912af8cb4de2f05b98fc05c87d51880d0208 \
- --hash=sha256:a18fee5cf69adf9d5ee977778ccd46c39c450960f806231b26b69011f81bc712 \
- --hash=sha256:a3c900f49c3d3135c728faeb386d13310bb3511eb2d4e1c9b109b48ae2658361 \
- --hash=sha256:aa7f45c5125be80a513624d3a5f6bd50751c2edc6de5357fde218580111c8535 \
- --hash=sha256:b1f295dbb57094443926ac6051bee9a1945d92344f470da1cb506060eb2f91ac \
- --hash=sha256:b53317d78f8b7528e3f2f358b3f9334a1a84fae88c5aec1a3b7717ed31bfb066 \
- --hash=sha256:bb8b285a6c670df590c36fc0c19b9d2e32b99f17e57afa29bb3052f1d55aa50f \
- --hash=sha256:be871116faa698b6d9da76b0caec2ec5b7e7b8781cfb3a4ac0c4e348fb37ab49 \
- --hash=sha256:bfbf8885a3643ea9aaf663d039f50ca58b228886c3fe412725b22851aeda3b77 \
- --hash=sha256:c6839df875e912edd3fc553ab5d1b916527adee9c57ba85c69314a93f7ba2e15 \
- --hash=sha256:ccfba33c02f21d4ede26ab85eb6539a00e74e236569c13dcbab2e157b73673c4 \
- --hash=sha256:e414d6c23f26053f4824d080885ab1b75482122796cba7d09cbf157900646289
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml index 737c159ee0e..52b60c35c85 100644 --- a/.github/workflows/build-os-image.yml +++ b/.github/workflows/build-os-image.yml 
@@ -45,84 +45,6 @@ on: required: false jobs: - build-dependencies: - name: "Build binaries for embedding in the OS" - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: read - outputs: - bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }} - disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }} - upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }} - measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }} - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - ref: ${{ inputs.ref || github.head_ref }} - - - name: Setup Go environment - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version: "1.20.7" - cache: true - - - name: Setup bazel - uses: ./.github/actions/setup_bazel - with: - useCache: "false" - - - name: Build bootstrapper - if: inputs.stream != 'debug' - uses: ./.github/actions/build_bootstrapper - with: - outputPath: ${{ github.workspace }}/build/bootstrapper - - - name: Build debugd - if: inputs.stream == 'debug' - uses: ./.github/actions/build_debugd - with: - outputPath: ${{ github.workspace }}/build/debugd - - - name: Build disk-mapper - uses: ./.github/actions/build_disk_mapper - with: - outputPath: ${{ github.workspace }}/build/disk-mapper - - - name: Build upgrade-agent - uses: ./.github/actions/build_upgrade_agent - with: - outputPath: ${{ github.workspace }}/build/upgrade-agent - - - name: Build measurement-reader - uses: ./.github/actions/build_measurement_reader - with: - outputPath: ${{ github.workspace }}/build/measurement-reader - - - name: Upload dependencies - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - env: - MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }} - with: - name: dependencies - path: | - ${{ github.workspace }}/build/${{ env.MAIN_BINARY }} - ${{ 
github.workspace }}/build/disk-mapper - ${{ github.workspace }}/build/upgrade-agent - ${{ github.workspace }}/build/measurement-reader - - - name: Collect hashes - id: collect-hashes - working-directory: ${{ github.workspace }}/build - run: | - { - echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" - echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" - echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)" - echo "measurement-reader-sha256=$(sha256sum measurement-reader | head -c 64)" - } | tee -a "$GITHUB_OUTPUT" - build-settings: name: "Determine build settings" runs-on: ubuntu-22.04 @@ -130,7 +52,6 @@ jobs: ref: ${{ steps.ref.outputs.ref }} stream: ${{ steps.stream.outputs.stream }} imageType: ${{ steps.image-type.outputs.imageType }} - pkiSet: ${{ steps.pki-set.outputs.pkiSet }} imageVersion: ${{ steps.image-version.outputs.imageVersion }} imageName: ${{ steps.image-version.outputs.imageName }} imageNameShort: ${{ steps.image-version.outputs.imageNameShort }} @@ -185,16 +106,6 @@ jobs: ;; esac - - name: Determine PKI set - id: pki-set - shell: bash - run: | - if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ steps.stream.outputs.stream }}" == "stable" ]]; then - echo "pkiSet=pki_prod" | tee -a "$GITHUB_OUTPUT" - else - echo "pkiSet=pki_testing" | tee -a "$GITHUB_OUTPUT" - fi - - name: Determine image version id: image-version shell: bash @@ -220,7 +131,7 @@ jobs: make-os-image: name: "Build OS using mkosi" - needs: [build-settings, build-dependencies] + needs: [build-settings] runs-on: ubuntu-22.04 # TODO(malt3): flatten outputs once possible # https://github.com/community/community/discussions/17245 
@@ -237,14 +148,6 @@ jobs: image-initrd-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-azure-sev-snp-sha256 }} image-initrd-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-gcp-sev-es-sha256 }} image-initrd-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-qemu-vtpm-sha256 }} - image-root-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }} - image-root-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-azure-sev-snp-sha256 }} - image-root-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }} - image-root-raw-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }} - image-root-verity-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }} - image-root-verity-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-azure-sev-snp-sha256 }} - image-root-verity-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }} - image-root-verity-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }} image-vmlinuz-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }} image-vmlinuz-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }} image-vmlinuz-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }} 
@@ -281,97 +184,57 @@ jobs: with: ref: ${{ inputs.ref || github.head_ref }} - - name: Download build dependencies - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: dependencies - path: ${{ github.workspace }}/build - - - name: Mark bootstrapper, debugd, disk-mapper, measurement-reader, and upgrade-agent as executable - run: | - chmod +x ${{ github.workspace }}/build/bootstrapper || true - chmod +x ${{ github.workspace }}/build/debugd || true - chmod +x ${{ github.workspace }}/build/disk-mapper - chmod +x ${{ github.workspace }}/build/upgrade-agent - chmod +x ${{ github.workspace }}/build/measurement-reader - - - name: Setup mkosi - uses: ./.github/actions/setup_mkosi - with: - version: d8b32fbf3077b612db0024276e73cec3c2c87577 - systemdVersion: f6e94c5f7ddd796095cf6294857e535dcdbfc677 - - - name: Prepare PKI for secure boot signing - id: prepare-pki - shell: bash - working-directory: ${{ github.workspace }}/image - env: - PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} - DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }} - run: | - echo "${DB_KEY}" > "${PKI_SET}/db.key" - chmod 600 "${PKI_SET}/db.key" - ln -s "${PKI_SET}" pki + - uses: cachix/install-nix-action@v22 - name: Build + id: build shell: bash working-directory: ${{ github.workspace }}/image env: - BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper - DEBUGD_BINARY: ${{ github.workspace }}/build/bootstrapper - DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper - UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent - MEASUREMENT_READER_BINARY: ${{ github.workspace }}/build/measurement-reader - DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }} - AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }} - 
IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }} - CSP: ${{ matrix.csp }} - ATTESTATION_VARIANT: ${{ matrix.attestation_variant }} + TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }} run: | echo "::group::Build" - sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}_${ATTESTATION_VARIANT}" - echo "::endgroup::" - - - name: Collect hashes - id: collect-hashes - working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38 - run: | + bazel build --host_platform=@rules_nixpkgs_core//platforms:host "${TARGET}" { - echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.raw | head -c 64)" - echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.efi | head -c 64)" - echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.esp.raw | head -c 64)" - echo "image-root-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64.raw | head -c 64)" - echo "image-root-verity-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64-verity.raw | head -c 64)" - echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" - echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)" - echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)" + echo "image-dir=$(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files "$TARGET")" } | tee -a "$GITHUB_OUTPUT" + echo "::endgroup::" + + # - name: Collect hashes + # id: collect-hashes + # working-directory: ${{ github.workspace }}/build/image_dir + # run: | + # { + # 
echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.raw | head -c 64)" + # echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.efi | head -c 64)" + # echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.initrd | head -c 64)" + # echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum constellation.vmlinuz | head -c 64)" + # # echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)" + # # echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)" + # } | tee -a "$GITHUB_OUTPUT" - name: Upload raw OS image as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }} - path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw + path: ${{ steps.build.outputs.image-dir }}/constellation.raw - name: Upload individual OS parts as artifacts uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }} path: | - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.cmdline - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.efi - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.esp.raw - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64.raw - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant 
}}/fedora~38/image.root-x86-64-verity.raw - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.vmlinuz - - - name: Upload manifest as artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }} - path: | - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.changelog - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.manifest + ${{ steps.build.outputs.image-dir }}/constellation.efi + ${{ steps.build.outputs.image-dir }}/constellation.initrd + ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz + + # - name: Upload manifest as artifact + # uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + # with: + # name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }} + # path: | + # ${{ github.workspace }}/build/image_dir/image.changelog + # ${{ github.workspace }}/build/image_dir/image.manifest upload-os-image: name: "Upload OS image to CSP" @@ -399,7 +262,7 @@ jobs: - csp: openstack attestation_variant: qemu-vtpm env: - RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw + RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/constellation.raw JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz 
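Review bot: `cachix/install-nix-action@v22` is pinned to a mutable tag while every other action in this workflow is pinned to a commit SHA with a version comment; pin it the same way, `- uses: cachix/install-nix-action@<commit-sha-of-v22> # v22`. The Collect hashes step is now commented out, but the job's `outputs:` block (context earlier in this diff) still maps `steps.collect-hashes.outputs.image-*-sha256`, so those outputs resolve to empty strings and any consumer expecting image hashes gets none; either keep a hash step over `constellation.raw`/`.efi`/`.initrd`/`.vmlinuz` or drop the stale outputs. `image-dir` is taken from `bazel cquery --output=files`, which lists output files one per line, so the later `${{ steps.build.outputs.image-dir }}/constellation.raw` paths only work if the target has exactly one output and it is a directory; that assumption deserves a comment above the cquery line, e.g. `# cquery prints the single output directory of the image target`.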
@@ -446,13 +309,6 @@ jobs: with: service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com" - - name: Prepare PKI for image upload - id: prepare-pki - shell: bash - working-directory: ${{ github.workspace }}/image - run: | - ln -s ${{ needs.build-settings.outputs.pkiSet }} pki - - name: Upload AWS image if: matrix.csp == 'aws' shell: bash @@ -575,7 +431,6 @@ jobs: - name: Install dependencies run: | echo "::group::Install dependencies" - python -m pip install --user --require-hashes -r .github/workflows/build-os-image-requirements.txt sudo apt-get update sudo apt-get install -y systemd-container # for systemd-dissect echo "::endgroup::" @@ -584,13 +439,7 @@ jobs: working-directory: ${{ github.workspace }}/image/measured-boot run: | echo "::group::Calculate expected PCRs" - { - ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json - ./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json - ./precalculate_pcr_12.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-12-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json ${{ matrix.csp }} - } >> "$GITHUB_STEP_SUMMARY" - cp pcr-stable.json ${{ github.workspace }}/ - jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json + bazel run --run_under="sudo -E" //image/measured-boot/cmd ${{ github.workspace }}/constellation.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" - name: Add static PCRs 
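Review bot: The jq merge of pcr-stable.json with the per-PCR JSON files is removed, but nothing in the hunk shows the `//image/measured-boot/cmd` target emitting those stable PCRs itself; if it does, say so above the run line, `# measured-boot/cmd writes the complete PCR set (incl. stable PCRs) to the given JSON path`, otherwise the following Add static PCRs step has to cover them. `--run_under="sudo -E"` runs the tool as root with the whole runner environment preserved; since only the image path and an output path are passed, it is worth confirming that `-E` is actually needed. The step's header and the Add static PCRs body lie outside the hunk.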
@@ -614,7 +463,7 @@ jobs: .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | - .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; @@ -634,7 +483,7 @@ jobs: .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | - .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; @@ -656,7 +505,7 @@ jobs: .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | - .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; @@ -669,6 +518,8 @@ jobs: .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | + .measurements.14.warnOnly = true | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; 
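Review bot: The yq branches set `.measurements.14.expected` to an all-zero value while `.measurements.14.warnOnly = true` remains, so a PCR 14 mismatch is only logged and this PCR is effectively unenforced; the same edit appears in the hunks at -634 and -656, and PCR 14 entries with the zero value are newly introduced for two further CSPs at -669 and -681. If the zero value is a placeholder until the Bazel/Nix-built image's PCR 14 measurement is known, record that above the yq call, e.g. `# PCR 14: placeholder expected value, warnOnly until the new image's measurement is determined`, ideally with a tracking reference. Defining the value once in a shell variable instead of repeating the 64-character literal in five branches would also make the later replacement a one-line change. The enclosing case statement and step start outside the hunk.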
@@ -681,6 +532,8 @@ jobs: .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | + .measurements.14.warnOnly = true | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; 
@@ -797,127 +650,6 @@ jobs: --signature measurements.json.sig echo "::endgroup::" - generate-sbom: - name: "Generate SBOM" - needs: [build-settings, build-dependencies, make-os-image] - permissions: - id-token: write - contents: read - runs-on: ubuntu-22.04 - steps: - - name: Login to AWS - uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 - with: - role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline - aws-region: eu-central-1 - - - name: Install squashfs tools - run: | - echo "::group::Install squashfs tools" - sudo apt-get update - sudo apt-get install -y squashfs-tools - echo "::endgroup::" - - - name: Download rootfs - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - # downloading / using only the QEMU rootfs is fine - # since the images only differ in the ESP partition - name: parts-qemu-qemu-vtpm - - - name: Download manifest - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - # downloading / using only the QEMU manifest is fine - # since the images only differ in the ESP partition - name: manifest-qemu-qemu-vtpm - - - name: Unpack squashfs - run: | - echo "::group::Unpack squashfs" - unsquashfs -user-xattrs -d image.root.tree image.root-x86-64.raw - echo "::endgroup::" - - - name: Create SBOM in SPDX fromat - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - with: - path: image.root.tree - artifact-name: sbom.spdx.json - output-file: sbom.spdx.json - format: spdx-json - - - name: Create SBOM in CycloneDX fromat - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - with: - path: image.root.tree - artifact-name: sbom.cyclonedx.json - output-file: sbom.cyclonedx.json - format: cyclonedx-json - - - name: Create SBOM in Syft fromat - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - with: - path: image.root.tree - 
artifact-name: sbom.syft.json - output-file: sbom.syft.json - format: syft-json - - - name: Combine hashes - run: | - cat > SHA256SUMS <> "$GITHUB_STEP_SUMMARY" - - - name: Upload SBOMs to S3 - shell: bash - run: | - sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json' - manifests='image.manifest image.changelog' - hashes='SHA256SUMS' - for file in ${sboms} ${manifests} ${hashes}; do - aws s3 cp \ - "${file}" \ - "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \ - --no-progress - done - upload-artifacts: name: "Upload image lookup table and CLI compatibility info" runs-on: ubuntu-22.04