-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CI: Publish binaries with ORAS #731
CI: Publish binaries with ORAS #731
Conversation
b4bc527
to
8c9f25e
Compare
4741390
to
414fac2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few comments/questions. Overall it looks good though
3233a50
to
861b379
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One optional comment, but it's looking good
Pushing artifacts as binaries to the project's GHCR. The build job is split between AA and CDH+ASR. AA has specific build and runtime requirements depending on the TEE, while the CDH+ASR are generic per arch. Hence AA is tagged with $sha-$tee ($arch is implicit in $tee) while CDH+ASR are tagged with $sha-$arch. AA-$sha-none is a multiarch image for amd64 & s390x. Signed-off-by: Magnus Kulke <[email protected]>
To reduce duplucation among the workflows Signed-off-by: Magnus Kulke <[email protected]>
98136bd
to
cc21fef
Compare
If consumers retrieve guest-components via OCI instead of building them themselves, it makes sense to add attestations so we can assert on the consumer side that they have been built from untampered upstream sources on github runners. Signed-off-by: Magnus Kulke <[email protected]>
Not trying to be pedantic, just checking my understanding... |
Edit: I added build attestations for those artifacts, which is a rather new gh feature. we might want to use them when consuming the binaries: gh attestation verify oci://ghcr.io/mkulke/guest-components/api-server-rest@sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922 -o mkulke
Loaded digest sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922 for oci://ghcr.io/mkulke/guest-components/api-server-rest@sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922
Loaded 1 attestation from GitHub API
✓ Verification succeeded!
sha256:251cfcbd73a625b1224b7f5b8d639ab93779650e8c42aaa5bdf4636fa00d7922 was attested by:
REPO PREDICATE_TYPE WORKFLOW
mkulke/guest-components https://slsa.dev/provenance/v1 .github/workflows/publish-artifacts.yml@refs/heads/mkulke/test we can assert some facts about the build status:
I'm curious how this will look on private runners @BbolroC @stevenhorsman did you use that yet on s390x? |
cc21fef
to
f39e88e
Compare
yes, albeit there's some conventions/annotations attached when using the oras cli to push to a registry. technically correct would be "pushing to OCI w/ oras" |
putting each permutation into an array is a more legible represenation. Signed-off-by: Magnus Kulke <[email protected]>
f39e88e
to
08870d0
Compare
Not as far as I know. @BbolroC is (also) on public holiday today, but might have more info. I think we give it a try and see how it looks. |
Co-authored-by: Dan <[email protected]> Signed-off-by: Magnus Kulke <[email protected]>
Co-authored-by: Dan <[email protected]> Signed-off-by: Magnus Kulke <[email protected]>
Co-authored-by: Dan <[email protected]> Signed-off-by: Magnus Kulke <[email protected]>
Co-authored-by: Mikko Ylinen <[email protected]> Signed-off-by: Magnus Kulke <[email protected]>
@stevenhorsman it looks like oras installer doesn't support the ibm arch, but I suppose it's a bug, since the project publishes s390x packages, now? |
Yeah, maybe just an issue with the action? |
It looks from https://github.com/oras-project/setup-oras/blob/4e826cc60c14f9b275cce0ad4ed390c040de5099/src/lib/release.ts#L95-L100 like it is expecting arch of |
|
Nice - beat me too it :) |
Pushing artifacts as binaries to the project's GHCR. The build job is split between AA and CDH+ASR. AA has specific build and runtimerequirements depending on the TEE, while the CDH+ASR are generic per arch.
Hence $AA is tagged with $sha-$tee ($arch is implicit in $tee) while CDH+ASR are tagged with $sha-$arch.
Why
Peerpod as a downstream project currently builds GC binaries as part of their pipeline. This is rather costly, the project is written in golang and needs to maintain a complex rust build infra for GC that often drifts in terms of rust-versions, feature-toggles and makes it hard to keep up to date with recent GC. There's also considerable overhead in terms of build-time.
It makes sense to have canonical cache of build-artifacts that can be consumed downstream.