Declare secret #11

Workflow file for this run

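name: Provenance5

# For each build config in the matrix: build the artifact inside the project's
# Docker image, produce a build-provenance attestation for it, and publish both
# the binary and the attestation bundle to GCS (indexed via static.space).
on:
  push:
    branches:
      - "stage0verify"
  workflow_dispatch:
    # NOTE(review): a manual dispatch runs on whatever ref the dispatcher
    # selects; `branches` is not a documented filter for this event and may
    # have no effect — confirm, or drop it.
    branches:
      - "stage0verify"

jobs:
  build_attest_all:
    strategy:
      # Keep building/attesting the remaining configs if one of them fails.
      fail-fast: false
      matrix:
        buildconfig:
          - buildconfigs/key_xor_test_app.sh
          - buildconfigs/oak_containers_system_image.sh
          - buildconfigs/oak_echo_raw_enclave_app.sh
    # Least-privilege GITHUB_TOKEN: `id-token` and `attestations` are what the
    # attest step needs (OIDC identity for signing, attestation storage);
    # `contents` stays read-only.
    permissions:
      actions: read
      id-token: write
      attestations: write
      contents: read
    # NOTE(review): GitHub has announced retirement of the ubuntu-20.04 hosted
    # image; plan a move to a currently supported Ubuntu image.
    runs-on: ubuntu-20.04
    # No job-level `secrets:` block here: that key is only valid on a job that
    # `uses:` a reusable workflow, and on an ordinary job the workflow validator
    # rejects it ("Unexpected value 'secrets'" — the failure this run hit).
    # Steps read repository secrets directly through the `secrets` context.
    #
    # Step outputs are handed to scripts via `env:` rather than interpolated
    # into `run:` text, so values that originate in repository scripts (the
    # buildconfig files) are never re-parsed by the shell as code.
    steps:
      # NOTE(review): this step uses a long-lived service-account key held as a
      # repository secret. The job already grants `id-token: write`, so auth@v2's
      # Workload Identity Federation mode (`workload_identity_provider` +
      # `service_account`) could replace the static key with short-lived,
      # OIDC-derived credentials — worth migrating.
      # NOTE(review): the third-party actions below are referenced by mutable
      # tags; pinning them to full commit SHAs keeps the toolchain that produces
      # these attestations immutable.
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
      - name: Setup Google Cloud
        uses: google-github-actions/setup-gcloud@v2
      # Checks out the triggering commit (GITHUB_SHA), which is what gets built
      # and attested — not necessarily `main`, despite the step name.
      - name: Mount main branch
        uses: actions/checkout@v4
      # Each buildconfig is a shell fragment that sets package_name, binary_path,
      # subject_path and the build_command array; publish the three paths as
      # step outputs for the steps that follow.
      - name: Parse buildconfig
        id: parse
        env:
          BUILDCONFIG: ${{ matrix.buildconfig }}
        run: |
          set -o errexit
          set -o nounset
          set -o pipefail
          source "${BUILDCONFIG}"
          echo "package-name=${package_name}" >> "${GITHUB_OUTPUT}"
          echo "binary-path=${binary_path}" >> "${GITHUB_OUTPUT}"
          echo "subject-path=${subject_path}" >> "${GITHUB_OUTPUT}"
      - name: Show values
        env:
          package_name: ${{ steps.parse.outputs.package-name }}
          binary_path: ${{ steps.parse.outputs.binary-path }}
          subject_path: ${{ steps.parse.outputs.subject-path }}
        run: |
          set -o errexit
          set -o nounset
          set -o pipefail
          echo "package_name: ${package_name}"
          echo "binary_path: ${binary_path}"
          echo "subject_path: ${subject_path}"
          echo "GITHUB_SHA: ${GITHUB_SHA}"
      # Runs the buildconfig's build_command inside the project Docker image.
      - name: Build
        id: build
        env:
          BUILDCONFIG: ${{ matrix.buildconfig }}
        run: |
          set -o errexit
          set -o nounset
          set -o pipefail
          source "${BUILDCONFIG}"
          export RUST_BACKTRACE=1
          export RUST_LOG=debug
          export XDG_RUNTIME_DIR=/var/run
          scripts/docker_pull
          scripts/docker_run "${build_command[@]}"
      - name: Show build artifact
        env:
          binary_path: ${{ steps.parse.outputs.binary-path }}
        run: |
          set -o errexit
          set -o nounset
          set -o pipefail
          echo "${binary_path}"
          ls -la "${binary_path}"
      # Produces a signed provenance attestation whose subject is the digest of
      # subject-path; the resulting bundle is exposed as outputs.bundle-path.
      - name: Attest
        id: attest
        uses: actions/[email protected]
        with:
          subject-path: ${{ steps.parse.outputs.subject-path }}
      - name: Show Bundle
        env:
          bundle_path: ${{ steps.attest.outputs.bundle-path }}
        run: |
          set -o errexit
          set -o nounset
          set -o pipefail
          echo "${bundle_path}"
          ls -la "${bundle_path}"
      # Upload binary and provenance to GCS and index via http://static.space
      # so that, regardless of the GCS bucket and path, it can easily be
      # located by its digest.
      - name: Upload
        id: upload
        env:
          package_name: ${{ steps.parse.outputs.package-name }}
          binary_path: ${{ steps.parse.outputs.binary-path }}
          provenance_path: ${{ steps.attest.outputs.bundle-path }}
        run: |
          set -o errexit
          set -o nounset
          set -o pipefail
          bucket=oak-bins
          gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/$(basename "${binary_path}")"
          gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/$(basename "${provenance_path}")"
          # The URLs handed to static.space must name the GCS object keys that
          # are written below, not the runner-local file paths; otherwise the
          # snapshot requests point at objects that were never uploaded.
          binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"
          provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"
          gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
          gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
          curl --fail \
            --request POST \
            --header 'Content-Type: application/json' \
            --data "{ \"url\": \"${binary_url}\" }" \
            https://api.static.space/v1/snapshot
          curl --fail \
            --request POST \
            --header 'Content-Type: application/json' \
            --data "{ \"url\": \"${provenance_url}\" }" \
            https://api.static.space/v1/snapshot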