CI: Publish binaries with ORAS #731

Merged
15 changes: 15 additions & 0 deletions .github/actions/install-intel-dcap/action.yml
@@ -0,0 +1,15 @@
name: 'Install Intel DCAP libraries'
inputs:
ubuntu-version:
required: true
runs:
using: "composite"
steps:
- name: Install TDX dependencies
id: install-tdx-dependencies
shell: bash
run: |
curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${{ inputs.ubuntu-version }} main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install -y --no-install-recommends libtdx-attest-dev
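Review bot: `${{ inputs.ubuntu-version }}` is interpolated straight into the `run:` script on the `echo 'deb [...]' | sudo tee` line; expression expansion happens before bash reads the script, so whatever a caller passes is spliced into the command text rather than treated as data. Pass it through `env:` (for example `env: { UBUNTU_VERSION: ${{ inputs.ubuntu-version }} }` and reference `${UBUNTU_VERSION}` in the echo), and add a `description:` to the input. Good that only the writes to `/usr/share/keyrings` and `/etc/apt/sources.list.d` run under `sudo` here, unlike the inline steps this action replaces.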
9 changes: 3 additions & 6 deletions .github/workflows/aa_basic.yml
Expand Up @@ -65,12 +65,9 @@ jobs:
run: |
sudo apt-get update && sudo apt-get install -y protobuf-compiler

- name: Install TDX dependencies
run: |
sudo curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
sudo echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install -y --no-install-recommends libtdx-attest-dev
- uses: ./.github/actions/install-intel-dcap
with:
ubuntu-version: jammy
if: matrix.instance == 'ubuntu-22.04'

- name: Install TPM dependencies
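Review bot: the replacement `uses: ./.github/actions/install-intel-dcap` step dropped the `name:` of the inline step it supersedes, so the job log will show only the action path; add `name: Install TDX dependencies` back. The `if: matrix.instance == 'ubuntu-22.04'` guard is consistent with the hardcoded `ubuntu-version: jammy`.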
9 changes: 3 additions & 6 deletions .github/workflows/aa_cc_kbc.yml
Expand Up @@ -55,12 +55,9 @@ jobs:
override: true
components: rustfmt

- name: Install TDX dependencies
run: |
sudo curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
sudo echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install -y --no-install-recommends libtdx-attest-dev
- uses: ./.github/actions/install-intel-dcap
with:
ubuntu-version: jammy

- name: Install TPM dependencies
run: |
9 changes: 3 additions & 6 deletions .github/workflows/image_rs_build.yml
Expand Up @@ -56,12 +56,9 @@ jobs:
run: |
sudo apt install -y clang llvm pkg-config nettle-dev protobuf-compiler libprotobuf-dev

- name: Install TDX dependencies
run: |
sudo curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
sudo echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install -y --no-install-recommends libtdx-attest-dev
- uses: ./.github/actions/install-intel-dcap
with:
ubuntu-version: jammy
if: matrix.instance == 'ubuntu-latest'

- name: Install TPM dependencies
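Review bot: `ubuntu-version: jammy` is pinned while the guard is `if: matrix.instance == 'ubuntu-latest'`; the `ubuntu-latest` label floats to newer releases, at which point this step would add the jammy apt repository on a different Ubuntu version. Either pin the matrix entry to `ubuntu-22.04` as aa_basic.yml does, or derive the codename from the runner (e.g. `lsb_release -cs`) inside the action instead of passing it in.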
188 changes: 188 additions & 0 deletions .github/workflows/publish-artifacts.yml
@@ -0,0 +1,188 @@
name: Publish artifacts with ORAS

on:
push:
branches:
- main

env:
RUST_TOOLCHAIN: 1.76.0

jobs:
publish-aa:
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy:
matrix:
platform: [
{ tee: none, arch: x86_64, libc: musl },
{ tee: none, arch: s390x, libc: gnu },
{ tee: amd, arch: x86_64, libc: musl },
{ tee: az-cvm-vtpm, arch: x86_64, libc: gnu },
{ tee: tdx, arch: x86_64, libc: gnu },
{ tee: cca, arch: x86_64, libc: musl },
{ tee: se, arch: s390x, libc: gnu },
]
runs-on: ${{ matrix.platform.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
env:
TEE_PLATFORM: ${{ matrix.platform.tee }}
LIBC: ${{ matrix.platform.libc }}
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
RUST_TARGET: ${{ matrix.platform.arch }}-unknown-linux-${{ matrix.platform.libc }}
steps:
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: oras-project/setup-oras@v1
with:
version: 1.2.0

- uses: actions/checkout@v4

- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: ${{ env.RUST_TOOLCHAIN }}
target: ${{ env.RUST_TARGET }}
override: true

- name: Install tpm dependencies
if: matrix.platform.tee == 'az-cvm-vtpm'
run: |
sudo apt-get install -y --no-install-recommends libtss2-dev

- uses: ./.github/actions/install-intel-dcap
with:
ubuntu-version: jammy
if: matrix.platform.tee == 'tdx'

- uses: actions/checkout@v4

- name: Build
run: make ./target/${{ env.RUST_TARGET }}/release/attestation-agent

- name: Publish with ORAS
id: publish
env:
OCI_ARCH: ${{ matrix.platform.arch == 'x86_64' && 'amd64' || matrix.platform.arch }}
run: |
mkdir oras
cd oras
cp ../target/${{ env.RUST_TARGET }}/release/attestation-agent .
tar cJf attestation-agent.tar.xz attestation-agent
arch_tag="${{ github.sha }}-${{ matrix.tee }}_${{ matrix.arch }}"
image="${REGISTRY}/${IMAGE_NAME}/attestation-agent"
tag="${{ github.sha }}-${{ matrix.tee }}"
arch_tag="${tag}_${ARCH}"
oras push "${image}:${arch_tag}" attestation-agent.tar.xz
# We need to create the platform annotations with docker, since oras 1.2 doesn't support
# pushing with platform yet.
docker manifest create "${image}:${tag}" --amend "${image}:${arch_tag}"
docker manifest annotate --arch "$OCI_ARCH" --os linux "${image}:${tag}" "${image}:${arch_tag}"
docker manifest push "${image}:${tag}"
# add image and digest to output for attestation
echo "image=${image}" >> "$GITHUB_OUTPUT"
digest="$(oras manifest fetch "${image}:${arch_tag}" --descriptor | jq -r .digest)"
echo "digest=${digest}" >> "$GITHUB_OUTPUT"

- uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ steps.publish.outputs.image }}
subject-digest: ${{ steps.publish.outputs.digest }}
push-to-registry: true

publish-cdh-and-asr:
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy:
matrix:
arch:
- x86_64
- s390x
include:
- arch: x86_64
libc: musl
- arch: s390x
libc: gnu
runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
env:
LIBC: ${{ matrix.libc }}
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
RUST_TARGET: ${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}
steps:
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: oras-project/setup-oras@v1
with:
version: 1.2.0

- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: ${{ env.RUST_TOOLCHAIN }}
target: ${{ env.RUST_TARGET }}
override: true

- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
libdevmapper-dev \
protobuf-compiler

- uses: actions/checkout@v4

- name: Build CDH
run: make ./target/${{ env.RUST_TARGET }}/release/confidential-data-hub

- name: Build ASR
run: make ./target/${{ env.RUST_TARGET }}/release/api-server-rest

- name: Publish CDH + ASR with ORAS
id: publish
run: |
tag="${{ github.sha }}-${{ matrix.arch }}"
mkdir oras
cd oras
cp ../target/${{ env.RUST_TARGET }}/release/{confidential-data-hub,api-server-rest} .

tar cJf confidential-data-hub.tar.xz confidential-data-hub
image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/confidential-data-hub"
oras push "${image}:${tag}" confidential-data-hub.tar.xz
echo "cdh-image=${image}" >> "$GITHUB_OUTPUT"
digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
echo "cdh-digest=${digest}" >> "$GITHUB_OUTPUT"

tar cJf api-server-rest.tar.xz api-server-rest
image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/api-server-rest"
oras push "${image}:${tag}" api-server-rest.tar.xz
echo "asr-image=${image}" >> "$GITHUB_OUTPUT"
digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
echo "asr-digest=${digest}" >> "$GITHUB_OUTPUT"

- uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ steps.publish.outputs.cdh-image }}
subject-digest: ${{ steps.publish.outputs.cdh-digest }}
push-to-registry: true

- uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ steps.publish.outputs.asr-image }}
subject-digest: ${{ steps.publish.outputs.asr-digest }}
push-to-registry: true
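Review bot: the tag computation in the `Publish with ORAS` step of `publish-aa` references matrix keys that do not exist in this job: `${{ matrix.tee }}` and `${{ matrix.arch }}` in `arch_tag="${{ github.sha }}-${{ matrix.tee }}_${{ matrix.arch }}"` and `tag="${{ github.sha }}-${{ matrix.tee }}"` expand to empty strings because the matrix is defined under `platform` (the `env:` block and the `if:` conditions correctly use `matrix.platform.tee` / `matrix.platform.arch`), and `${ARCH}` in `arch_tag="${tag}_${ARCH}"` is never set (only `OCI_ARCH` is). Every platform therefore pushes to `<sha>-` and `<sha>-_`, the matrix legs overwrite each other, and the provenance attestation is bound to whichever push landed last rather than to a per-platform artifact. Use `${{ matrix.platform.tee }}` and `${{ matrix.platform.arch }}` (or export them via `env:`), and delete the first `arch_tag=` assignment, which is dead code overwritten two lines later. Separately, `actions/checkout@v4` appears twice in `publish-aa`; the first is needed because the local `./.github/actions/install-intel-dcap` action must exist on disk before it is used, so the second one before `Build` can go.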
6 changes: 2 additions & 4 deletions Makefile
Expand Up @@ -21,8 +21,8 @@ else ifeq ($(TEE_PLATFORM), fs)
ATTESTER = none
else ifeq ($(TEE_PLATFORM), tdx)
ATTESTER = tdx-attester
else ifeq ($(TEE_PLATFORM), az-tdx-vtpm)
ATTESTER = az-tdx-vtpm-attester
else ifeq ($(TEE_PLATFORM), az-cvm-vtpm)
ATTESTER = az-snp-vtpm-attester,az-tdx-vtpm-attester
else ifeq ($(TEE_PLATFORM), sev)
ATTESTER = none
ifeq ($(NO_RESOURCE_PROVIDER), true)
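Review bot: collapsing `az-snp-vtpm` and `az-tdx-vtpm` into a single `az-cvm-vtpm` value removes two `TEE_PLATFORM` values that existing build invocations and packaging scripts may still pass; with this change they fall through the `ifeq` chain instead of selecting an attester. If the rename is intended, call it out in the PR description and consider keeping the old names as aliases that resolve to the combined `az-snp-vtpm-attester,az-tdx-vtpm-attester` feature list for one release. The combined feature list also means the az-cvm-vtpm binary carries both attesters, which matches the `{ tee: az-cvm-vtpm, arch: x86_64, libc: gnu }` matrix entry in publish-artifacts.yml.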
Expand All @@ -32,8 +32,6 @@ else ifeq ($(TEE_PLATFORM), sev)
endif
else ifeq ($(TEE_PLATFORM), snp)
ATTESTER = snp-attester
else ifeq ($(TEE_PLATFORM), az-snp-vtpm)
ATTESTER = az-snp-vtpm-attester
else ifeq ($(TEE_PLATFORM), se)
ATTESTER = se-attester
else ifeq ($(TEE_PLATFORM), all)