
CI: Publish binaries with ORAS #731

Merged

Conversation

mkulke
Contributor

@mkulke mkulke commented Sep 29, 2024

Pushing artifacts as binaries to the project's GHCR. The build job is split between AA and CDH+ASR. AA has specific build and runtime requirements depending on the TEE, while the CDH+ASR are generic per arch.

Hence AA is tagged with $sha-$tee ($arch is implicit in $tee) while CDH+ASR are tagged with $sha-$arch.

Why

Peerpod as a downstream project currently builds GC binaries as part of their pipeline. This is rather costly: the project is written in golang and needs to maintain a complex rust build infra for GC that often drifts in terms of rust-versions and feature-toggles, which makes it hard to keep up to date with recent GC. There's also considerable overhead in terms of build-time.

It makes sense to have a canonical cache of build-artifacts that can be consumed downstream.

@mkulke mkulke requested a review from a team as a code owner September 29, 2024 14:39
@mkulke mkulke force-pushed the mkulke/publish-binaries-to-oras branch 2 times, most recently from b4bc527 to 8c9f25e Compare September 30, 2024 10:11
@mkulke mkulke force-pushed the mkulke/publish-binaries-to-oras branch 3 times, most recently from 4741390 to 414fac2 Compare October 2, 2024 08:09
@mkulke mkulke requested a review from mythi October 2, 2024 08:52
Member

@stevenhorsman stevenhorsman left a comment


A few comments/questions. Overall it looks good though

@mkulke mkulke requested a review from BbolroC October 2, 2024 09:55
@mkulke mkulke force-pushed the mkulke/publish-binaries-to-oras branch 2 times, most recently from 3233a50 to 861b379 Compare October 2, 2024 13:42
@mkulke mkulke requested a review from stevenhorsman October 2, 2024 13:47
Member

@stevenhorsman stevenhorsman left a comment


One optional comment, but it's looking good

mkulke added 2 commits October 2, 2024 18:50
Pushing artifacts as binaries to the project's GHCR. The build job is
split between AA and CDH+ASR. AA has specific build and runtime
requirements depending on the TEE, while the CDH+ASR are generic per
arch.

Hence AA is tagged with $sha-$tee ($arch is implicit in $tee) while
CDH+ASR are tagged with $sha-$arch.

AA-$sha-none is a multiarch image for amd64 & s390x.

Signed-off-by: Magnus Kulke <[email protected]>
To reduce duplication among the workflows

Signed-off-by: Magnus Kulke <[email protected]>
@mkulke mkulke force-pushed the mkulke/publish-binaries-to-oras branch from 98136bd to cc21fef Compare October 2, 2024 16:51
If consumers retrieve guest-components via OCI instead of building them
themselves, it makes sense to add attestations so we can assert on the
consumer side that they have been built from untampered upstream
sources on github runners.

Signed-off-by: Magnus Kulke <[email protected]>
@dcmiddle
Member

dcmiddle commented Oct 2, 2024

Not trying to be pedantic, just checking my understanding...
This isn't publishing to oras. It is publishing using the oras cli, which pushes to a specified registry, e.g. ghcr.
Is that right?

@mkulke
Contributor Author

mkulke commented Oct 2, 2024

Edit: I added build attestations for those artifacts, which is a rather new gh feature. we might want to use them when consuming the binaries:

gh attestation verify oci://ghcr.io/mkulke/guest-components/api-server-rest@sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922 -o mkulke
Loaded digest sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922 for oci://ghcr.io/mkulke/guest-components/api-server-rest@sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922 was attested by:
REPO                     PREDICATE_TYPE                  WORKFLOW
mkulke/guest-components  https://slsa.dev/provenance/v1  .github/workflows/publish-artifacts.yml@refs/heads/mkulke/test

we can assert some facts about the build status:

gh attestation verify oci://ghcr.io/mkulke/guest-components/api-server-rest@sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922 -o mkulke --format json | jq .[].verificationResult.signature.certificate
{
  "certificateIssuer": "CN=sigstore-intermediate,O=sigstore.dev",
  "subjectAlternativeName": "https://github.com/mkulke/guest-components/.github/workflows/publish-artifacts.yml@refs/heads/mkulke/test",
  "issuer": "https://token.actions.githubusercontent.com",
  "githubWorkflowTrigger": "push",
  "githubWorkflowSHA": "65ecab01e3f3e3e89653977b15078e02b9a46698",
  "githubWorkflowName": "Publish artifacts to ORAS",
  "githubWorkflowRepository": "mkulke/guest-components",
  "githubWorkflowRef": "refs/heads/mkulke/test",
  "buildSignerURI": "https://github.com/mkulke/guest-components/.github/workflows/publish-artifacts.yml@refs/heads/mkulke/test",
  "buildSignerDigest": "65ecab01e3f3e3e89653977b15078e02b9a46698",
  "runnerEnvironment": "github-hosted",
  "sourceRepositoryURI": "https://github.com/mkulke/guest-components",
  "sourceRepositoryDigest": "65ecab01e3f3e3e89653977b15078e02b9a46698",
  "sourceRepositoryRef": "refs/heads/mkulke/test",
  "sourceRepositoryIdentifier": "651443953",
  "sourceRepositoryOwnerURI": "https://github.com/mkulke",
  "sourceRepositoryOwnerIdentifier": "273280",
  "buildConfigURI": "https://github.com/mkulke/guest-components/.github/workflows/publish-artifacts.yml@refs/heads/mkulke/test",
  "buildConfigDigest": "65ecab01e3f3e3e89653977b15078e02b9a46698",
  "buildTrigger": "push",
  "runInvocationURI": "https://github.com/mkulke/guest-components/actions/runs/11148465609/attempts/1",
  "sourceRepositoryVisibilityAtSigning": "public"
}

I'm curious how this will look on private runners @BbolroC @stevenhorsman did you use that yet on s390x?
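A consumer-side policy check over the `gh attestation verify --format json` output shown above, as an added example that is not part of this PR or the guest-components project. The sample document, the policy values (repository, workflow path, allowed refs, runner environment) and the helper names are constructed assumptions; in practice the JSON would come from piping the `gh attestation verify ... --format json` command above into it.

```python
import json

# Constructed sample of `gh attestation verify --format json` output (digests, run ids, shas omitted).
SAMPLE_OUTPUT = json.dumps([{"verificationResult": {"signature": {"certificate": {
    "issuer": "https://token.actions.githubusercontent.com",
    "runnerEnvironment": "github-hosted",
    "sourceRepositoryURI": "https://github.com/confidential-containers/guest-components",
    "sourceRepositoryRef": "refs/heads/main",
    "buildConfigURI": "https://github.com/confidential-containers/guest-components"
                      "/.github/workflows/publish-artifacts.yml@refs/heads/main",
}}}}])

# Consumer-side policy; the values are hypothetical choices for this example.
POLICY = {
    "repo": "https://github.com/confidential-containers/guest-components",
    "workflow": ".github/workflows/publish-artifacts.yml",
    "refs": {"refs/heads/main"},
    "runner": "github-hosted",
}

def check_attestations(output_json, policy):
    """Return policy violations for every attestation gh returned.
    An empty list means the artifact passed; missing fields are violations."""
    results = json.loads(output_json)
    if not results:
        return ["gh returned no attestation for this digest"]
    problems = []
    for i, result in enumerate(results):
        cert = result.get("verificationResult", {}).get("signature", {}).get("certificate", {})
        where = f"attestation[{i}]"
        # The signing identity must come from GitHub Actions' OIDC issuer.
        if cert.get("issuer") != "https://token.actions.githubusercontent.com":
            problems.append(f"{where}: issuer {cert.get('issuer')!r} is not GitHub Actions")
        # Repo, workflow file and ref pin which code and which pipeline built it.
        if cert.get("sourceRepositoryURI") != policy["repo"]:
            problems.append(f"{where}: source repo {cert.get('sourceRepositoryURI')!r}")
        if not str(cert.get("buildConfigURI", "")).startswith(f"{policy['repo']}/{policy['workflow']}@"):
            problems.append(f"{where}: unexpected workflow {cert.get('buildConfigURI')!r}")
        if cert.get("sourceRepositoryRef") not in policy["refs"]:
            problems.append(f"{where}: built from ref {cert.get('sourceRepositoryRef')!r}")
        # A self-hosted runner (the s390x question in the thread) would fail here.
        if cert.get("runnerEnvironment") != policy["runner"]:
            problems.append(f"{where}: runner environment {cert.get('runnerEnvironment')!r}")
    return problems

def with_certificate_fields(output_json, **overrides):
    """Copy of the output with certificate fields replaced, for trying policies."""
    results = json.loads(output_json)
    for result in results:
        result["verificationResult"]["signature"]["certificate"].update(overrides)
    return json.dumps(results)
```

The checks mirror the certificate fields in the output above; a build from a feature branch, a fork, or a self-hosted runner is rejected even though the Sigstore signature itself verified.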

@mkulke mkulke force-pushed the mkulke/publish-binaries-to-oras branch from cc21fef to f39e88e Compare October 2, 2024 18:06
@mkulke
Contributor Author

mkulke commented Oct 2, 2024

Not trying to be pedantic, just checking my understanding... This isn't publishing to oras. It is publishing using the oras cli, which pushes to a specified registry, e.g. ghcr. Is that right?

yes, albeit there's some conventions/annotations attached when using the oras cli to push to a registry. technically correct would be "pushing to OCI w/ oras"

@mkulke mkulke changed the title CI: Publish binaries to ORAS CI: Publish binaries with ORAS Oct 2, 2024
putting each permutation into an array is a more legible representation.

Signed-off-by: Magnus Kulke <[email protected]>
@mkulke mkulke force-pushed the mkulke/publish-binaries-to-oras branch from f39e88e to 08870d0 Compare October 2, 2024 18:16
@stevenhorsman
Member

I'm curious how this will look on private runners @BbolroC @stevenhorsman did you use that yet on s390x?

Not as far as I know. @BbolroC is (also) on public holiday today, but might have more info. I think we give it a try and see how it looks.

mkulke and others added 3 commits October 3, 2024 12:09
@mkulke mkulke requested review from dcmiddle and mythi October 3, 2024 11:42
Co-authored-by: Mikko Ylinen <[email protected]>
Signed-off-by: Magnus Kulke <[email protected]>
@mkulke mkulke merged commit 9131ab5 into confidential-containers:main Oct 4, 2024
14 checks passed
@mkulke mkulke deleted the mkulke/publish-binaries-to-oras branch October 4, 2024 09:42
@mkulke
Contributor Author

mkulke commented Oct 4, 2024

I'm curious how this will look on private runners @BbolroC @stevenhorsman did you use that yet on s390x?

Not as far as I know. @BbolroC is (also) on public holiday today, but might have more info. I think we give it a try and see how it looks.

@stevenhorsman it looks like oras installer doesn't support the ibm arch, but I suppose it's a bug, since the project publishes s390x packages, now?


@stevenhorsman
Member

@stevenhorsman it looks like oras installer doesn't support the ibm arch, but I suppose it's a bug, since the project publishes s390x packages, now?

Yeah, maybe just an issue with the action?

@stevenhorsman
Member

stevenhorsman commented Oct 4, 2024

It looks from https://github.com/oras-project/setup-oras/blob/4e826cc60c14f9b275cce0ad4ed390c040de5099/src/lib/release.ts#L95-L100 like it is expecting arch of s390, not s390x. We might need some help from Choi to confirm what the settings are, but we might want a patch to support both

@mkulke
Contributor Author

mkulke commented Oct 4, 2024

It looks from https://github.com/oras-project/setup-oras/blob/4e826cc60c14f9b275cce0ad4ed390c040de5099/src/lib/release.ts#L95-L100 like it is expecting arch of s390, not s390x. We might need some help from Choi to confirm what the settings are, but we might want a patch to support both

oras-project/setup-oras#57

@stevenhorsman
Member

oras-project/setup-oras#57

Nice - beat me to it :)
