-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathaction.yaml
215 lines (191 loc) · 8.38 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
---
name: "AWS Nitro Enclaves EIF Build Action"
description: |
A Github action to build reproducible AWS Nitro Enclaves EIF file
author: Richard Fan
branding:
icon: 'package'
color: 'blue'
inputs:
docker-build-context-path:
description: "The path of Docker build context directory. Relative to the project root"
required: true
dockerfile-path:
description: "The path of Dockerfile. Relative to the Docker build context directory"
required: true
default: Dockerfile
enable-ghcr-push:
description: "Turn on to push EIF and info to ghcr.io registry. (Allowed values: 'true', 'false')"
required: true
default: "false"
enable-artifact-sign:
description: "Turn on to sign EIF and info on ghcr.io registry. (Allowed values: 'true', 'false')"
required: true
default: "false"
eif-file-name:
description: "The EIF file name in the pushed artifact on ghcr. (Required when enable-ghcr-push is true)"
required: false
eif-info-file-name:
description: "The EIF info text file name in the pushed artifact on ghcr. (Required when enable-ghcr-push is true)"
required: false
artifact-tag:
description: "The tag of the pushed artifact on ghcr. (Required when enable-ghcr-push is true)"
required: false
save-pcrs-in-annotation:
description: "Whether to save PCR values as Oras annotation (Allowed values: 'true', 'false')"
required: true
default: "false"
github-token:
description: "The Github token used to login ghcr. (Required when enable-ghcr-push is true)"
required: false
default: ${{ github.token }}
outputs:
eif-file-path:
description: "The path of the built EIF file"
value: ${{ steps.run-build-script.outputs.eif-file-path }}
eif-info-path:
description: "The path of the text file containing EIF info"
value: ${{ steps.run-build-script.outputs.eif-info-path }}
ghcr-artifact-digest:
description: "The digest of the pushed ghcr artifact"
value: ${{ steps.push-file.outputs.digest || '' }}
ghcr-artifact-path:
description: "The full path of the pushed ghcr artifact"
value: ${{ steps.push-file.outputs.path || '' }}
rekor-log-index:
description: "The Rekor transparency log index of the signing"
value: ${{ steps.sign-artifact.outputs.log-index || '' }}
runs:
using: "composite"
steps:
- name: Check Runner OS
if: ${{ runner.os != 'Linux' }}
shell: bash
run: |
echo "::error title=⛔ error hint::Support Linux Only"
exit 1
- name: Check Runner CPU arch
if: ${{ runner.arch != 'X64' }}
shell: bash
run: |
echo "::error title=⛔ error hint::Support X64 CPU Only"
exit 1
- name: Check input variables
shell: bash
env:
ENABLE_GHCR_PUSH: ${{ inputs.enable-ghcr-push }}
ENABLE_ARTIFACT_SIGN: ${{ inputs.enable-artifact-sign }}
EIF_FILE_NAME: ${{ inputs.eif-file-name }}
EIF_INFO_FILE_NAME: ${{ inputs.eif-info-file-name }}
ARTIFACT_TAG: ${{ inputs.artifact-tag }}
SAVE_PCRS_IN_ANNOTATION: ${{ inputs.save-pcrs-in-annotation }}
GITHUB_TOKEN: ${{ inputs.github-token }}
run: |
if [[ "${ENABLE_GHCR_PUSH}" != "true" && "${ENABLE_GHCR_PUSH}" != "false" ]]; then
echo "::error title=⛔ error hint::enable-ghcr-push should be 'true' or 'false'"
exit 1
fi
if [[ "${ENABLE_ARTIFACT_SIGN}" != "true" && "${ENABLE_ARTIFACT_SIGN}" != "false" ]]; then
echo "::error title=⛔ error hint::enable-artifact-sign should be 'true' or 'false'"
exit 1
fi
if [[ "${SAVE_PCRS_IN_ANNOTATION}" != "true" && "${SAVE_PCRS_IN_ANNOTATION}" != "false" ]]; then
echo "::error title=⛔ error hint::save-pcrs-in-annotation should be 'true' or 'false'"
exit 1
fi
if [[ "${ENABLE_ARTIFACT_SIGN}" == "true" && "${ENABLE_GHCR_PUSH}" != "true" ]]; then
echo "::error title=⛔ error hint::enable-ghcr-push must be true when enable-artifact-sign is true"
exit 1
fi
if [[ "${SAVE_PCRS_IN_ANNOTATION}" == "true" && "${ENABLE_GHCR_PUSH}" != "true" ]]; then
echo "::error title=⛔ error hint::enable-ghcr-push must be true when save-pcrs-in-annotation is true"
exit 1
fi
if [[ "${ENABLE_GHCR_PUSH}" == "true" ]]; then
if [[ -z "${EIF_FILE_NAME}" || -z "${EIF_INFO_FILE_NAME}" || -z "${ARTIFACT_TAG}" || -z "${GITHUB_TOKEN}" ]]; then
echo "::error title=⛔ error hint::eif-file-name, eif-info-file-name, artifact-tag and github-token must be specified when enable-ghcr-push is true"
exit 1
fi
fi
if [[ ! "${EIF_FILE_NAME}" =~ ^[0-9a-zA-Z][0-9a-zA-Z._-]*$ ]]; then
echo "::error title=⛔ error hint::eif-file-name can only contain characters '0-9a-zA-Z._-' and not begin with '._-'"
exit 1
fi
if [[ ! "${EIF_INFO_FILE_NAME}" =~ ^[0-9a-zA-Z][0-9a-zA-Z._-]*$ ]]; then
echo "::error title=⛔ error hint::eif-info-file-name can only contain characters '0-9a-zA-Z._-' and not begin with '._-'"
exit 1
fi
- name: Run build script
id: run-build-script
env:
DOCKER_CONTEXT_DIR: ${{ inputs.docker-build-context-path }}
DOCKERFILE_PATH: ${{ inputs.dockerfile-path }}
EIF_OUTPUT_PATH: ${{ github.action_path }}/eif-output
shell: bash
run: ${{ github.action_path }}/scripts/build-eif.sh
- name: Setup oras
if: ${{ inputs.enable-ghcr-push == 'true' }}
uses: oras-project/setup-oras@ee7dbe1144cb00080a89497f937dae78f85fce29 # oras-project/setup-oras@v1.1.0
with:
version: 1.1.0
- name: Log into ghcr.io
if: ${{ inputs.enable-ghcr-push == 'true' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ inputs.github-token }}
- name: Install Cosign
if: ${{ inputs.enable-artifact-sign == 'true' }}
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # sigstore/cosign-installer@v3.4.0
- name: Push file to ghcr.io
id: push-file
if: ${{ inputs.enable-ghcr-push == 'true' }}
shell: bash
env:
EIF_FILE_PATH: ${{ steps.run-build-script.outputs.eif-file-path }}
EIF_INFO_PATH: ${{ steps.run-build-script.outputs.eif-info-path }}
EIF_FILE_NAME: ${{ inputs.eif-file-name }}
EIF_INFO_FILE_NAME: ${{ inputs.eif-info-file-name }}
ARTIFACT_TAG: ${{ inputs.artifact-tag }}
SAVE_PCRS_IN_ANNOTATION: ${{ inputs.save-pcrs-in-annotation }}
run: |
WORKDIR="${{ github.action_path }}/artifact-push/"
mkdir ${WORKDIR}
cd ${WORKDIR}
cp "${EIF_FILE_PATH}" "${WORKDIR}/${EIF_FILE_NAME}"
cp "${EIF_INFO_PATH}" "${WORKDIR}/${EIF_INFO_FILE_NAME}"
mkdir tmp/
if [[ "${SAVE_PCRS_IN_ANNOTATION}" == "true" ]]; then
PCR0=$(jq -r ".Measurements.PCR0" ${WORKDIR}/${EIF_INFO_FILE_NAME})
PCR1=$(jq -r ".Measurements.PCR1" ${WORKDIR}/${EIF_INFO_FILE_NAME})
PCR2=$(jq -r ".Measurements.PCR2" ${WORKDIR}/${EIF_INFO_FILE_NAME})
oras push \
--export-manifest tmp/manifest.json \
--annotation "PCR0=${PCR0}" \
--annotation "PCR1=${PCR1}" \
--annotation "PCR2=${PCR2}" \
"ghcr.io/${{ github.repository }}:${ARTIFACT_TAG}" \
"${EIF_FILE_NAME}" \
"${EIF_INFO_FILE_NAME}"
else
oras push \
--export-manifest tmp/manifest.json \
"ghcr.io/${{ github.repository }}:${ARTIFACT_TAG}" \
"${EIF_FILE_NAME}" \
"${EIF_INFO_FILE_NAME}"
fi
DIGEST=$(sha256sum tmp/manifest.json | cut -d " " -f 1)
echo "digest=${DIGEST}" >> "${GITHUB_OUTPUT}"
echo "path=ghcr.io/${{ github.repository }}:${ARTIFACT_TAG}@sha256:${DIGEST}" >> "${GITHUB_OUTPUT}"
- name: Sign artifact
id: sign-artifact
if: ${{ inputs.enable-artifact-sign == 'true' }}
shell: bash
env:
ARTIFACT_PATH: ${{ steps.push-file.outputs.path }}
run: |
RESPONSE=$(cosign sign --yes ${ARTIFACT_PATH} 2>&1)
echo "${RESPONSE}"
LOG_INDEX=$(echo "${RESPONSE}" | grep "tlog entry created with index: " | cut -d ":" -f 2 | tr -d " ")
echo "log-index=${LOG_INDEX}" >> "${GITHUB_OUTPUT}"