

CI: publish artifacts via ORAS
Pushing artifacts as binaries to the project's GHCR. The build job is
split between AA and CDH+ASR. AA has specific build and runtime
requirements depending on the TEE, while the CDH+ASR are generic per
arch.

Hence $AA is tagged with $sha-$tee ($arch is implicit in $tee) while
CDH+ASR are tagged with $sha-$arch.

Signed-off-by: Magnus Kulke <[email protected]>
mkulke committed Oct 2, 2024
1 parent a1b889b commit 4d1a4e8
Showing 2 changed files with 180 additions and 4 deletions.
178 changes: 178 additions & 0 deletions .github/workflows/publish-artifacts.yml
@@ -0,0 +1,178 @@
name: Publish artifacts to ORAS

on:
push:
branches:
- main

env:
RUST_TOOLCHAIN: 1.76.0

jobs:
publish-aa:
permissions:
contents: read
packages: write
id-token: write
strategy:
matrix:
tee:
- none
- amd
- az-cvm-vtpm
- tdx
- se
- cca
arch:
- x86_64
- s390x
exclude:
- tee: amd
arch: s390x
- tee: az-cvm-vtpm
arch: s390x
- tee: tdx
arch: s390x
- tee: se
arch: x86_64
- tee: cca
arch: s390x
include:
- tee: none
arch: x86_64
libc: musl
- tee: none
arch: s390x
libc: gnu
- tee: amd
arch: x86_64
libc: musl
- tee: az-cvm-vtpm
arch: x86_64
libc: gnu
- tee: tdx
arch: x86_64
libc: gnu
- tee: se
arch: s390x
libc: gnu
- tee: cca
arch: x86_64
libc: musl
runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
env:
TEE_PLATFORM: ${{ matrix.tee }}
LIBC: ${{ matrix.libc }}
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
steps:
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: oras-project/setup-oras@v1
with:
version: 1.2.0

- uses: actions/checkout@v4

- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: ${{ env.RUST_TOOLCHAIN }}
target: ${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}
override: true
components: rustfmt, clippy

- name: Install tpm dependencies
if: matrix.tee == 'az-cvm-vtpm'
run: |
sudo apt-get install -y --no-install-recommends libtss2-dev
- name: Install tdx dependencies
if: matrix.tee == 'tdx'
run: |
sudo curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
sudo echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install -y --no-install-recommends libtdx-attest-dev
- uses: actions/checkout@v4

- name: Build
run: make ./target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/attestation-agent

- name: Publish to ORAS
env:
TAG_SUFFIX: ${{ matrix.tee == 'none' && format('none-{0}', matrix.arch) || matrix.tee }}
run: |
mkdir oras
cd oras
cp ../target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/attestation-agent .
tar cJf attestation-agent.tar.xz attestation-agent
oras push "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/attestation-agent:${{ github.sha }}-${TAG_SUFFIX}" attestation-agent.tar.xz
publish-cdh-and-asr:
permissions:
contents: read
packages: write
id-token: write
strategy:
matrix:
arch:
- x86_64
- s390x
include:
- arch: x86_64
libc: musl
- arch: s390x
libc: gnu
runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
env:
LIBC: ${{ matrix.libc }}
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
steps:
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: oras-project/setup-oras@v1
with:
version: 1.2.0

- uses: actions-rs/toolchain@v1
with:
toolchain: ${{ env.RUST_TOOLCHAIN }}
target: ${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}
override: true

- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
libdevmapper-dev \
protobuf-compiler
- uses: actions/checkout@v4

- name: Build CDH
run: make ./target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/confidential-data-hub

- name: Build ASR
run: make ./target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/api-server-rest

- name: Publish to ORAS
run: |
mkdir oras
cd oras
cp ../target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/{confidential-data-hub,api-server-rest} .
tar cJf confidential-data-hub.tar.xz confidential-data-hub
tar cJf api-server-rest.tar.xz api-server-rest
oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/confidential-data-hub:${{ github.sha }}-${{ matrix.arch }} confidential-data-hub.tar.xz
oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/api-server-rest:${{ github.sha }}-${{ matrix.arch }} api-server-rest.tar.xz
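Review bot: `id-token: write` is granted in the permissions block of both publish-aa and publish-cdh-and-asr, but no step in either job uses an OIDC token — registry login uses `secrets.GITHUB_TOKEN` and `oras push` reuses that session — so under least privilege it should be dropped until a step that needs it (for example signing the pushed artifacts) is added. The login action is pinned to a commit SHA while `oras-project/setup-oras@v1`, `actions/checkout@v4`, `actions-rust-lang/setup-rust-toolchain@v1` and `actions-rs/toolchain@v1` float on mutable tags inside jobs that hold `packages: write`; pinning them the same way keeps the publishing path reproducible and reviewable. In the "Install tdx dependencies" step, `curl -sL … | sudo gpg --dearmor` will dearmor an HTTP error body because `--fail` is absent and the default `bash -e` shell does not set `pipefail`; `curl -fsSL` plus `set -o pipefail` as the script's first line makes a failed download fail the step, and the `sudo` in front of `echo` is a no-op (the `tee` already runs as root). The two jobs also use different toolchain actions (`actions-rust-lang/setup-rust-toolchain@v1` vs `actions-rs/toolchain@v1`), and publish-aa checks out the repository twice (before the toolchain setup and again before Build), so one of the two `actions/checkout@v4` steps is redundant.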
6 changes: 2 additions & 4 deletions Makefile
Expand Up @@ -21,8 +21,8 @@ else ifeq ($(TEE_PLATFORM), fs)
ATTESTER = none
else ifeq ($(TEE_PLATFORM), tdx)
ATTESTER = tdx-attester
else ifeq ($(TEE_PLATFORM), az-tdx-vtpm)
ATTESTER = az-tdx-vtpm-attester
else ifeq ($(TEE_PLATFORM), az-cvm-vtpm)
ATTESTER = az-snp-vtpm-attester,az-tdx-vtpm-attester
else ifeq ($(TEE_PLATFORM), sev)
ATTESTER = none
ifeq ($(NO_RESOURCE_PROVIDER), true)
Expand All @@ -32,8 +32,6 @@ else ifeq ($(TEE_PLATFORM), sev)
endif
else ifeq ($(TEE_PLATFORM), snp)
ATTESTER = snp-attester
else ifeq ($(TEE_PLATFORM), az-snp-vtpm)
ATTESTER = az-snp-vtpm-attester
else ifeq ($(TEE_PLATFORM), se)
ATTESTER = se-attester
else ifeq ($(TEE_PLATFORM), all)
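Review bot: The `az-snp-vtpm` and `az-tdx-vtpm` values of `TEE_PLATFORM` are removed from the if-chain without a fallback, so an existing invocation such as `make TEE_PLATFORM=az-snp-vtpm` no longer hits an Azure-specific branch and falls through to a later one, presumably whatever the tail of the chain (outside the hunk) selects, rather than failing with a clear message; the commit description covers only the workflow and does not mention this rename. A one-line comment above the new branch would record it for the next reader, `# az-snp-vtpm and az-tdx-vtpm are folded into az-cvm-vtpm; both attesters are built`. If the old names are still used by callers, an alias branch for each that sets the same `ATTESTER` value would keep them working, and the second hunk (the `snp`/`se`/`all` branches) is where the dropped `az-snp-vtpm` branch was. The `ifeq` chain begins before the first hunk and ends after the second.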
