Store page tables we need for SEV-SNP validation in BOOT_ALLOCATOR #618
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and attest all | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
# See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
build_attest_all: | |
strategy: | |
fail-fast: false | |
matrix: | |
buildconfig: | |
- buildconfigs/key_xor_test_app.sh | |
- buildconfigs/oak_client_android_app.sh | |
- buildconfigs/oak_containers_agent.sh | |
- buildconfigs/oak_containers_kernel.sh | |
- buildconfigs/oak_containers_orchestrator.sh | |
- buildconfigs/oak_containers_stage1.sh | |
- buildconfigs/oak_containers_syslogd.sh | |
- buildconfigs/oak_containers_system_image.sh | |
- buildconfigs/oak_containers_nvidia_system_image.sh | |
- buildconfigs/oak_echo_enclave_app.sh | |
- buildconfigs/oak_echo_raw_enclave_app.sh | |
- buildconfigs/oak_functions_enclave_app.sh | |
- buildconfigs/oak_functions_insecure_enclave_app.sh | |
- buildconfigs/oak_orchestrator.sh | |
- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh | |
- buildconfigs/stage0_bin.sh | |
- buildconfigs/stage0_bin_tdx.sh | |
permissions: | |
actions: read | |
id-token: write | |
attestations: write | |
contents: read | |
runs-on: ubuntu-20.04 | |
steps: | |
# Needed for GCS upload. | |
- name: Authenticate to Google Cloud | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }} | |
# Needed for GCS upload. | |
- name: Setup Google Cloud | |
uses: google-github-actions/setup-gcloud@v2 | |
- name: Mount main branch | |
uses: actions/checkout@v4 | |
# The runner comes with all this software pre-installed: | |
# https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2004-Readme.md | |
# To avoid failures due to lack of disk space, we delete some large packages | |
# which are irrelevant for building. Sources: | |
# https://github.com/jens-maus/RaspberryMatic/blob/ea6b8ce0dd2d53ea88b2766ba8d7f8e1d667281f/.github/workflows/ci.yml#L34-L40 | |
# https://github.com/actions/runner-images/issues/2875 | |
- name: Free disk space | |
run: | | |
set -o errexit | |
set -o xtrace | |
df --human-readable | |
sudo apt-get remove --yes \ | |
'^dotnet-.*' '^llvm-.*' 'php.*' azure-cli \ | |
hhvm google-chrome-stable firefox powershell | |
df --human-readable | |
sudo apt-get autoremove --yes | |
df --human-readable | |
sudo apt clean | |
df --human-readable | |
docker rmi $(docker image ls --all --quiet) | |
df --human-readable | |
rm --recursive --force "${AGENT_TOOLSDIRECTORY}" | |
df --human-readable | |
# Keeps two versions of SUBJECT_PATHS, with space resp. comma as | |
# path separator. Both are needed in later steps. | |
- name: Parse buildconfig | |
id: parse | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
source ${{ matrix.buildconfig }} | |
echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}" | |
paths="${SUBJECT_PATHS[@]}" | |
echo "subject-paths=${paths}" >> "${GITHUB_OUTPUT}" | |
echo "subject-paths-commas=${paths// /,}" >> "${GITHUB_OUTPUT}" | |
- name: Show values | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
gsutil --version | |
echo "package_name: ${{ steps.parse.outputs.package-name }}" | |
echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}" | |
echo "subject_paths_commas: ${{ steps.parse.outputs.subject-paths-commas }}" | |
echo "GITHUB_SHA: ${GITHUB_SHA}" | |
- name: Build | |
id: build | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
source ${{ matrix.buildconfig }} | |
export CI_JOB_TYPE=CONTINUOUS | |
export RUST_BACKTRACE=1 | |
export RUST_LOG=debug | |
export XDG_RUNTIME_DIR=/var/run | |
export JUST_TIMESTAMP=true | |
export JUST_TIMESTAMP_FORMAT=JUST:%H:%M:%S%.3f | |
scripts/docker_pull | |
scripts/docker_run "${BUILD_COMMAND[@]}" | |
- name: Show build artifacts | |
run: | | |
echo "${{ steps.parse.outputs.subject-paths }}" | |
ls -la ${{ steps.parse.outputs.subject-paths }} | |
- name: Attest | |
id: attest | |
uses: actions/attest-build-provenance@v1.1.1 | |
with: | |
subject-path: ${{ steps.parse.outputs.subject-paths-commas }} | |
- name: Show bundle | |
run: | | |
echo "${{ steps.attest.outputs.bundle-path }}" | |
ls -la "${{ steps.attest.outputs.bundle-path }}" | |
cat "${{ steps.attest.outputs.bundle-path }}" | |
# Upload binary and provenance to GCS and index via http://static.space | |
# so that, regardless of the GCS bucket and path, it can easily be | |
# located by its digest. | |
# | |
# TODO: b/339774247 - The filenames are hardwired for now so they don't | |
# collide with the upload from the other workflow (which doesn't use | |
# these names). | |
- name: Upload | |
id: upload | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
set -o xtrace | |
bucket=oak-bins | |
package_name=${{ steps.parse.outputs.package-name }} | |
subject_paths=( ${{ steps.parse.outputs.subject-paths }} ) | |
binary_path="${subject_paths[0]}" | |
provenance_path=${{ steps.attest.outputs.bundle-path }} | |
gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary" | |
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl" | |
binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}" | |
provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}" | |
gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}" | |
gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}" | |
curl --fail \ | |
--request POST \ | |
--header 'Content-Type: application/json' \ | |
--data "{ \"url\": \"${binary_url}\" }" \ | |
https://api.static.space/v1/snapshot | |
curl --fail \ | |
--request POST \ | |
--header 'Content-Type: application/json' \ | |
--data "{ \"url\": \"${provenance_url}\" }" \ | |
https://api.static.space/v1/snapshot |